strapi-plugin-oidc 1.3.1 → 1.4.0

package/dist/server/index.mjs

@@ -89,6 +89,21 @@ async function bootstrap({ strapi: strapi2 }) {
     }
   ];
   await strapi2.admin.services.permission.actionProvider.registerMany(actions);
+  const enforceOIDCConfig = getEnforceOIDCConfig(strapi2);
+  if (enforceOIDCConfig !== null) {
+    try {
+      const whitelistService2 = strapi2.plugin("strapi-plugin-oidc").service("whitelist");
+      const settings = await whitelistService2.getSettings();
+      if (settings.enforceOIDC !== enforceOIDCConfig) {
+        await whitelistService2.setSettings({ ...settings, enforceOIDC: enforceOIDCConfig });
+        strapi2.log.info(
+          `[strapi-plugin-oidc] OIDC_ENFORCE=${enforceOIDCConfig} written to database settings`
+        );
+      }
+    } catch (err) {
+      strapi2.log.error("[strapi-plugin-oidc] Failed to sync OIDC_ENFORCE to database:", err);
+    }
+  }
   try {
     const oidcRoleCount = await strapi2.query("plugin::strapi-plugin-oidc.roles").count({
       where: { oauth_type: "4" }
@@ -485,6 +500,48 @@ async function removeEmail(ctx) {
   await whitelistService2.removeUser(id);
   ctx.body = {};
 }
+async function deleteAll(ctx) {
+  await strapi.db.query("plugin::strapi-plugin-oidc.whitelists").deleteMany({});
+  ctx.body = {};
+}
+async function importUsers(ctx) {
+  const { users } = ctx.request.body;
+  if (!Array.isArray(users)) {
+    ctx.status = 400;
+    ctx.body = { error: "Expected { users: [{email, roles}] }" };
+    return;
+  }
+  const allRoles = await strapi.query("admin::role").findMany({});
+  const roleNameToId = new Map(allRoles.map((r) => [r.name, String(r.id)]));
+  const resolveRole = (nameOrId) => roleNameToId.get(nameOrId) ?? nameOrId;
+  const normalized = users.filter((u) => u?.email).map((u) => ({
+    email: String(u.email).trim().toLowerCase(),
+    roles: (Array.isArray(u.roles) ? u.roles : []).map(resolveRole)
+  }));
+  const seen = /* @__PURE__ */ new Set();
+  const deduped = normalized.filter((u) => {
+    if (seen.has(u.email)) return false;
+    seen.add(u.email);
+    return true;
+  });
+  const strapiUsers = await strapi.query("admin::user").findMany({
+    where: { email: { $in: deduped.map((u) => u.email) } },
+    populate: ["roles"]
+  });
+  const strapiUserMap = new Map(strapiUsers.map((u) => [u.email, u]));
+  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const existing = await whitelistService2.getUsers();
+  const existingEmails = new Set(existing.map((u) => u.email));
+  let importedCount = 0;
+  for (const user of deduped) {
+    if (existingEmails.has(user.email)) continue;
+    const strapiUser = strapiUserMap.get(user.email);
+    const finalRoles = strapiUser?.roles?.length ? strapiUser.roles.map((r) => String(r.id)) : user.roles;
+    await whitelistService2.registerUser(user.email, finalRoles);
+    importedCount++;
+  }
+  ctx.body = { importedCount };
+}
 async function syncUsers(ctx) {
   let { users } = ctx.request.body;
   users = users.map((u) => ({ ...u, email: String(u.email).toLowerCase() }));
@@ -526,7 +583,9 @@ const whitelist = {
   publicSettings,
   register,
   removeEmail,
-  syncUsers
+  deleteAll,
+  syncUsers,
+  importUsers
 };
 const controllers = {
   oidc,
@@ -550,134 +609,133 @@ const rateLimitMiddleware = async (ctx, next) => {
   rateLimitMap.set(ip, requestStamps);
   await next();
 };
-const routes = [
-  {
-    method: "GET",
-    path: "/oidc-roles",
-    handler: "role.find",
-    config: {
-      policies: [
-        "admin::isAuthenticatedAdmin",
-        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.read"] } }
-      ]
-    }
-  },
-  {
-    method: "PUT",
-    path: "/oidc-roles",
-    handler: "role.update",
-    config: {
-      policies: [
-        "admin::isAuthenticatedAdmin",
-        {
-          name: "admin::hasPermissions",
-          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
-        }
-      ]
-    }
-  },
-  {
-    method: "GET",
-    path: "/oidc",
-    handler: "oidc.oidcSignIn",
-    config: {
-      auth: false,
-      middlewares: [rateLimitMiddleware]
-    }
-  },
-  {
-    method: "GET",
-    path: "/oidc/callback",
-    handler: "oidc.oidcSignInCallback",
-    config: {
-      auth: false,
-      middlewares: [rateLimitMiddleware]
-    }
-  },
-  {
-    method: "GET",
-    path: "/logout",
-    handler: "oidc.logout",
-    config: {
-      auth: false
-    }
-  },
-  {
-    method: "GET",
-    path: "/whitelist",
-    handler: "whitelist.info",
-    config: {
-      policies: [
-        "admin::isAuthenticatedAdmin",
-        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.read"] } }
-      ]
-    }
-  },
-  {
-    method: "PUT",
-    path: "/whitelist/settings",
-    handler: "whitelist.updateSettings",
-    config: {
-      policies: [
-        "admin::isAuthenticatedAdmin",
-        {
-          name: "admin::hasPermissions",
-          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
-        }
-      ]
-    }
-  },
-  {
-    method: "GET",
-    path: "/settings/public",
-    handler: "whitelist.publicSettings",
-    config: {
-      auth: false
-    }
-  },
-  {
-    method: "PUT",
-    path: "/whitelist/sync",
-    handler: "whitelist.syncUsers",
-    config: {
-      policies: [
-        "admin::isAuthenticatedAdmin",
-        {
-          name: "admin::hasPermissions",
-          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
-        }
-      ]
-    }
-  },
-  {
-    method: "POST",
-    path: "/whitelist",
-    handler: "whitelist.register",
-    config: {
-      policies: [
-        "admin::isAuthenticatedAdmin",
-        {
-          name: "admin::hasPermissions",
-          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
-        }
-      ]
+const adminPolicies = (action) => ({
+  policies: [
+    "admin::isAuthenticatedAdmin",
+    {
+      name: "admin::hasPermissions",
+      config: { actions: [`plugin::strapi-plugin-oidc.${action}`] }
     }
+  ]
+});
+const routes = {
+  admin: {
+    type: "admin",
+    routes: [
+      {
+        method: "GET",
+        path: "/oidc-roles",
+        handler: "role.find",
+        config: adminPolicies("read")
+      },
+      {
+        method: "PUT",
+        path: "/oidc-roles",
+        handler: "role.update",
+        config: adminPolicies("update")
+      },
+      {
+        method: "GET",
+        path: "/oidc",
+        handler: "oidc.oidcSignIn",
+        config: { auth: false, middlewares: [rateLimitMiddleware] }
+      },
+      {
+        method: "GET",
+        path: "/oidc/callback",
+        handler: "oidc.oidcSignInCallback",
+        config: { auth: false, middlewares: [rateLimitMiddleware] }
+      },
+      {
+        method: "GET",
+        path: "/logout",
+        handler: "oidc.logout",
+        config: { auth: false }
+      },
+      {
+        method: "GET",
+        path: "/whitelist",
+        handler: "whitelist.info",
+        config: adminPolicies("read")
+      },
+      {
+        method: "PUT",
+        path: "/whitelist/settings",
+        handler: "whitelist.updateSettings",
+        config: adminPolicies("update")
+      },
+      {
+        method: "GET",
+        path: "/settings/public",
+        handler: "whitelist.publicSettings",
+        config: { auth: false }
+      },
+      {
+        method: "PUT",
+        path: "/whitelist/sync",
+        handler: "whitelist.syncUsers",
+        config: adminPolicies("update")
+      },
+      {
+        method: "POST",
+        path: "/whitelist/import",
+        handler: "whitelist.importUsers",
+        config: adminPolicies("update")
+      },
+      {
+        method: "POST",
+        path: "/whitelist",
+        handler: "whitelist.register",
+        config: adminPolicies("update")
+      },
+      {
+        method: "DELETE",
+        path: "/whitelist/:id",
+        handler: "whitelist.removeEmail",
+        config: adminPolicies("update")
+      },
+      {
+        method: "DELETE",
+        path: "/whitelist",
+        handler: "whitelist.deleteAll",
+        config: adminPolicies("update")
+      }
+    ]
   },
-  {
-    method: "DELETE",
-    path: "/whitelist/:id",
-    handler: "whitelist.removeEmail",
-    config: {
-      policies: [
-        "admin::isAuthenticatedAdmin",
-        {
-          name: "admin::hasPermissions",
-          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
-        }
-      ]
-    }
+  // API-token-authenticated routes for programmatic whitelist management.
+  // Accessible at /strapi-plugin-oidc/... using a Strapi API token
+  // (full-access or custom) in the Authorization: Bearer <token> header.
+  "content-api": {
+    type: "content-api",
+    routes: [
+      {
+        method: "GET",
+        path: "/whitelist",
+        handler: "whitelist.info"
+      },
+      {
+        method: "POST",
+        path: "/whitelist",
+        handler: "whitelist.register"
+      },
+      {
+        method: "POST",
+        path: "/whitelist/import",
+        handler: "whitelist.importUsers"
+      },
+      {
+        method: "DELETE",
+        path: "/whitelist/:id",
+        handler: "whitelist.removeEmail"
+      },
+      {
+        method: "DELETE",
+        path: "/whitelist",
+        handler: "whitelist.deleteAll"
+      }
+    ]
   }
-];
+};
 const policies = {};
 function renderHtmlTemplate(title, content) {
   return `

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.3.1",
+  "version": "1.4.0",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",
@@ -26,10 +26,17 @@
   },
   "keywords": [
     "strapi",
-    "plugin",
+    "strapi-plugin",
+    "oidc",
     "oauth",
-    "OIDC",
-    "Zitadel"
+    "sso",
+    "authentication",
+    "keycloak",
+    "auth0",
+    "okta",
+    "azure-ad",
+    "authentik",
+    "authelia"
   ],
   "peerDependencies": {
     "@strapi/strapi": "^5.24.1",