strapi-plugin-oidc 1.2.4 → 1.3.1

package/dist/server/index.mjs

@@ -4,22 +4,19 @@ import strapiUtils from "@strapi/utils";
 import generator from "generate-password";
 function register$1() {
 }
-function getExpiredCookieOptions(strapi2, ctx) {
-  const isProduction = strapi2.config.get("environment") === "production";
-  return {
-    httpOnly: true,
-    secure: isProduction && ctx.request.secure,
-    path: strapi2.config.get("admin.auth.cookie.path", "/admin"),
-    domain: strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain"),
-    sameSite: strapi2.config.get("admin.auth.cookie.sameSite", "lax"),
-    maxAge: 0,
-    expires: /* @__PURE__ */ new Date(0)
-  };
+function getEnforceOIDCConfig(strapi2) {
+  const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
+  const val = config2.OIDC_ENFORCE;
+  if (val === null || val === void 0) return null;
+  if (typeof val === "boolean") return val;
+  if (val === "true") return true;
+  if (val === "false") return false;
+  return null;
 }
-function clearAuthCookies(strapi2, ctx) {
-  const options2 = getExpiredCookieOptions(strapi2, ctx);
-  ctx.cookies.set("strapi_admin_refresh", "", options2);
-  ctx.cookies.set("oidc_authenticated", "", { ...options2, path: "/" });
+function resolveEnforceOIDC(strapi2, dbValue) {
+  const configValue = getEnforceOIDCConfig(strapi2);
+  if (configValue !== null) return configValue;
+  return dbValue ?? false;
 }
 async function bootstrap({ strapi: strapi2 }) {
   const enforceOidcMiddleware = async (ctx, next) => {
@@ -32,13 +29,12 @@ async function bootstrap({ strapi: strapi2 }) {
     ];
     const isPostAuth = authRoutes.includes(ctx.request.path) && ctx.request.method === "POST";
     const isTokenRefresh = ctx.request.path === `${adminUrl}/token/refresh` && ctx.request.method === "POST";
-    const isHtmlRequest = ctx.request.accepts("html", "json") === "html" && !ctx.request.path.match(/\.[a-zA-Z0-9]+$/);
-    const isGetAdminHtml = ctx.request.method === "GET" && ctx.request.path.startsWith(adminUrl) && isHtmlRequest;
-    if (isPostAuth || isTokenRefresh || isGetAdminHtml) {
+    if (isPostAuth || isTokenRefresh) {
       try {
         const whitelistService2 = strapi2.plugin("strapi-plugin-oidc").service("whitelist");
         const settings = await whitelistService2.getSettings();
-        if (settings?.enforceOIDC) {
+        const enforceOIDC = resolveEnforceOIDC(strapi2, settings?.enforceOIDC);
+        if (enforceOIDC) {
           if (isPostAuth) {
             ctx.status = 403;
             ctx.body = {
@@ -66,18 +62,6 @@ async function bootstrap({ strapi: strapi2 }) {
             };
             return;
           }
-          if (isGetAdminHtml) {
-            const hasRefreshCookie = !!ctx.cookies.get("strapi_admin_refresh");
-            if (hasRefreshCookie && !hasOidcSession) {
-              clearAuthCookies(strapi2, ctx);
-              ctx.redirect("/strapi-plugin-oidc/oidc");
-              return;
-            }
-            if (!hasRefreshCookie) {
-              ctx.redirect("/strapi-plugin-oidc/oidc");
-              return;
-            }
-          }
         }
       } catch (err) {
         strapi2.log.error("Error checking OIDC enforcement in middleware:", err);
@@ -152,8 +136,6 @@ function destroy() {
 const config = {
   default: {
     REMEMBER_ME: false,
-    REMEMBER_ME_DAYS: 30,
-    // 30 days
     OIDC_REDIRECT_URI: "http://localhost:1337/strapi-plugin-oidc/oidc/callback",
     OIDC_CLIENT_ID: "",
     OIDC_CLIENT_SECRET: "",
@@ -165,7 +147,10 @@ const config = {
     OIDC_GRANT_TYPE: "authorization_code",
     OIDC_FAMILY_NAME_FIELD: "family_name",
     OIDC_GIVEN_NAME_FIELD: "given_name",
-    OIDC_LOGOUT_URL: ""
+    OIDC_LOGOUT_URL: "",
+    OIDC_SSO_BUTTON_TEXT: "Login via SSO",
+    OIDC_ENFORCE: null
+    // null = use DB setting; true/false = override DB (useful for lockout recovery)
   },
   validator() {
   }
@@ -200,6 +185,23 @@ const contentTypes = {
   roles,
   whitelists
 };
+function getExpiredCookieOptions(strapi2, ctx) {
+  const isProduction = strapi2.config.get("environment") === "production";
+  return {
+    httpOnly: true,
+    secure: isProduction && ctx.request.secure,
+    path: strapi2.config.get("admin.auth.cookie.path", "/admin"),
+    domain: strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain"),
+    sameSite: strapi2.config.get("admin.auth.cookie.sameSite", "lax"),
+    maxAge: 0,
+    expires: /* @__PURE__ */ new Date(0)
+  };
+}
+function clearAuthCookies(strapi2, ctx) {
+  const options2 = getExpiredCookieOptions(strapi2, ctx);
+  ctx.cookies.set("strapi_admin_refresh", "", options2);
+  ctx.cookies.set("oidc_authenticated", "", { ...options2, path: "/" });
+}
 function configValidation() {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
   const requiredKeys = [
@@ -339,6 +341,8 @@ async function oidcSignInCallback(ctx) {
   }
   const oidcState = ctx.cookies.get("oidc_state");
   const codeVerifier = ctx.cookies.get("oidc_code_verifier");
+  ctx.cookies.set("oidc_state", null);
+  ctx.cookies.set("oidc_code_verifier", null);
   if (!ctx.query.state || ctx.query.state !== oidcState) {
     return ctx.send(oauthService2.renderSignUpError("Invalid state"));
   }
@@ -419,14 +423,13 @@ async function info(ctx) {
   const whitelistUsers = await whitelistService2.getUsers();
   ctx.body = {
     useWhitelist: settings.useWhitelist,
-    enforceOIDC: settings.enforceOIDC || false,
-    showSSOButton: settings.showSSOButton !== false,
-    ssoButtonText: settings.ssoButtonText || "Login via SSO",
+    enforceOIDC: resolveEnforceOIDC(strapi, settings.enforceOIDC),
+    enforceOIDCConfig: getEnforceOIDCConfig(strapi),
     whitelistUsers
   };
 }
 async function updateSettings(ctx) {
-  let { useWhitelist, enforceOIDC, showSSOButton, ssoButtonText } = ctx.request.body;
+  let { useWhitelist, enforceOIDC } = ctx.request.body;
   const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
   if (useWhitelist && enforceOIDC) {
     const users = await whitelistService2.getUsers();
@@ -434,16 +437,16 @@ async function updateSettings(ctx) {
       enforceOIDC = false;
     }
   }
-  await whitelistService2.setSettings({ useWhitelist, enforceOIDC, showSSOButton, ssoButtonText });
-  ctx.body = { useWhitelist, enforceOIDC, showSSOButton, ssoButtonText };
+  await whitelistService2.setSettings({ useWhitelist, enforceOIDC });
+  ctx.body = { useWhitelist, enforceOIDC };
 }
 async function publicSettings(ctx) {
   const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
   const settings = await whitelistService2.getSettings();
+  const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
   ctx.body = {
-    enforceOIDC: settings.enforceOIDC || false,
-    showSSOButton: settings.showSSOButton !== false,
-    ssoButtonText: settings.ssoButtonText || "Login via SSO"
+    enforceOIDC: resolveEnforceOIDC(strapi, settings.enforceOIDC),
+    ssoButtonText: config2.OIDC_SSO_BUTTON_TEXT
   };
 }
 async function register(ctx) {
@@ -928,13 +931,11 @@ function oauthService({ strapi: strapi2 }) {
       const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
       const REMEMBER_ME = config2["REMEMBER_ME"];
       const rememberMe = !!REMEMBER_ME;
-      const { token: refreshToken } = await sessionManager("admin").generateRefreshToken(
-        userId,
-        deviceId,
-        {
-          type: rememberMe ? "refresh" : "session"
-        }
-      );
+      const { token: refreshToken, absoluteExpiresAt } = await sessionManager(
+        "admin"
+      ).generateRefreshToken(userId, deviceId, {
+        type: rememberMe ? "refresh" : "session"
+      });
       const isProduction = strapi2.config.get("environment") === "production";
       const domain = strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain");
       const path = strapi2.config.get("admin.auth.cookie.path", "/admin");
@@ -948,10 +949,16 @@ function oauthService({ strapi: strapi2 }) {
         sameSite
       };
       if (rememberMe) {
-        const REMEMBER_ME_DAYS = config2["REMEMBER_ME_DAYS"] || 30;
-        const durationInMs = REMEMBER_ME_DAYS * 24 * 60 * 60 * 1e3;
-        cookieOptions.maxAge = durationInMs;
-        cookieOptions.expires = new Date(Date.now() + durationInMs);
+        const idleLifespanSec = strapi2.config.get(
+          "admin.auth.sessions.idleRefreshTokenLifespan",
+          1209600
+          // 14 days — Strapi default
+        );
+        const idleMs = idleLifespanSec * 1e3;
+        const absoluteMs = new Date(absoluteExpiresAt).getTime() - Date.now();
+        const ms = Math.min(idleMs, absoluteMs);
+        cookieOptions.maxAge = ms;
+        cookieOptions.expires = new Date(Date.now() + ms);
       }
       ctx.cookies.set("strapi_admin_refresh", refreshToken, cookieOptions);
       ctx.cookies.set("oidc_authenticated", "1", { ...cookieOptions, path: "/" });
@@ -1027,9 +1034,7 @@ function whitelistService({ strapi: strapi2 }) {
       if (!settings) {
         settings = {
           useWhitelist: true,
-          enforceOIDC: false,
-          showSSOButton: true,
-          ssoButtonText: "Login via SSO"
+          enforceOIDC: false
         };
         await getPluginStore().set({ key: "settings", value: settings });
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.2.4",
+  "version": "1.3.1",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",
@@ -86,7 +86,6 @@
     "msw": "^2.13.0",
     "prettier": "^3.8.1",
     "react": "^18.3.1",
-    "react-dom": "^18.3.1",
     "react-router-dom": "^6.30.3",
     "styled-components": "^6.3.12",
     "supertest": "^7.2.2",