strapi-plugin-oidc 1.3.2 → 1.4.1

package/dist/server/index.js

@@ -164,7 +164,6 @@ const config = {
     OIDC_AUTHORIZATION_ENDPOINT: "",
     OIDC_TOKEN_ENDPOINT: "",
     OIDC_USER_INFO_ENDPOINT: "",
-    OIDC_USER_INFO_ENDPOINT_WITH_AUTH_HEADER: false,
     OIDC_GRANT_TYPE: "authorization_code",
     OIDC_FAMILY_NAME_FIELD: "family_name",
     OIDC_GIVEN_NAME_FIELD: "given_name",
@@ -223,45 +222,43 @@ function clearAuthCookies(strapi2, ctx) {
   ctx.cookies.set("strapi_admin_refresh", "", options2);
   ctx.cookies.set("oidc_authenticated", "", { ...options2, path: "/" });
 }
+const REQUIRED_CONFIG_KEYS = [
+  "OIDC_CLIENT_ID",
+  "OIDC_CLIENT_SECRET",
+  "OIDC_REDIRECT_URI",
+  "OIDC_SCOPES",
+  "OIDC_TOKEN_ENDPOINT",
+  "OIDC_USER_INFO_ENDPOINT",
+  "OIDC_GRANT_TYPE",
+  "OIDC_FAMILY_NAME_FIELD",
+  "OIDC_GIVEN_NAME_FIELD",
+  "OIDC_AUTHORIZATION_ENDPOINT"
+];
 function configValidation() {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
-  const requiredKeys = [
-    "OIDC_CLIENT_ID",
-    "OIDC_CLIENT_SECRET",
-    "OIDC_REDIRECT_URI",
-    "OIDC_SCOPES",
-    "OIDC_TOKEN_ENDPOINT",
-    "OIDC_USER_INFO_ENDPOINT",
-    "OIDC_GRANT_TYPE",
-    "OIDC_FAMILY_NAME_FIELD",
-    "OIDC_GIVEN_NAME_FIELD",
-    "OIDC_AUTHORIZATION_ENDPOINT"
-  ];
-  if (requiredKeys.every((key) => config2[key])) {
+  if (REQUIRED_CONFIG_KEYS.every((key) => config2[key])) {
     return config2;
   }
-  throw new Error(`The following configuration keys are required: ${requiredKeys.join(", ")}`);
+  throw new Error(
+    `The following configuration keys are required: ${REQUIRED_CONFIG_KEYS.join(", ")}`
+  );
 }
 async function oidcSignIn(ctx) {
-  let { state } = ctx.query;
   const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPES, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
   const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge__default.default();
-  if (!state) {
-    state = node_crypto.randomBytes(32).toString("base64url");
-  }
+  const state = node_crypto.randomBytes(32).toString("base64url");
+  const nonce = node_crypto.randomBytes(32).toString("base64url");
   const isProduction = strapi.config.get("environment") === "production";
-  ctx.cookies.set("oidc_code_verifier", codeVerifier, {
+  const cookieOptions = {
     httpOnly: true,
     maxAge: 6e5,
+    // 10 minutes
     secure: isProduction && ctx.request.secure,
     sameSite: "lax"
-  });
-  ctx.cookies.set("oidc_state", state, {
-    httpOnly: true,
-    maxAge: 6e5,
-    secure: isProduction && ctx.request.secure,
-    sameSite: "lax"
-  });
+  };
+  ctx.cookies.set("oidc_code_verifier", codeVerifier, cookieOptions);
+  ctx.cookies.set("oidc_state", state, cookieOptions);
+  ctx.cookies.set("oidc_nonce", nonce, cookieOptions);
   const params = new URLSearchParams();
   params.append("response_type", "code");
   params.append("client_id", OIDC_CLIENT_ID);
@@ -270,11 +267,12 @@ async function oidcSignIn(ctx) {
   params.append("code_challenge", codeChallenge);
   params.append("code_challenge_method", "S256");
   params.append("state", state);
+  params.append("nonce", nonce);
   const authorizationUrl = `${OIDC_AUTHORIZATION_ENDPOINT}?${params.toString()}`;
   ctx.set("Location", authorizationUrl);
   return ctx.send({}, 302);
 }
-async function exchangeTokenAndFetchUserInfo(config2, params) {
+async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
   const response = await fetch(config2.OIDC_TOKEN_ENDPOINT, {
     method: "POST",
     body: params,
@@ -283,31 +281,28 @@ async function exchangeTokenAndFetchUserInfo(config2, params) {
     }
   });
   if (!response.ok) {
-    const errText = await response.text();
-    throw new Error(
-      `Failed to exchange token: ${response.status} ${response.statusText} - ${errText}`
-    );
+    throw new Error("Token exchange failed");
   }
   const tokenData = await response.json();
-  let userInfoEndpointHeaders = {};
-  let userInfoEndpointParameters = `?access_token=${tokenData.access_token}`;
-  if (config2.OIDC_USER_INFO_ENDPOINT_WITH_AUTH_HEADER) {
-    userInfoEndpointHeaders = {
-      Authorization: `Bearer ${tokenData.access_token}`
-    };
-    userInfoEndpointParameters = "";
+  if (tokenData.id_token) {
+    try {
+      const payloadB64 = tokenData.id_token.split(".")[1];
+      const idTokenPayload = JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf8"));
+      if (idTokenPayload.nonce !== expectedNonce) {
+        throw new Error("Nonce mismatch");
+      }
+    } catch (e) {
+      if (e.message === "Nonce mismatch") throw e;
+      throw new Error("Failed to parse ID token");
+    }
   }
-  const userInfoEndpoint = `${config2.OIDC_USER_INFO_ENDPOINT}${userInfoEndpointParameters}`;
-  const userResponse = await fetch(userInfoEndpoint, {
-    headers: userInfoEndpointHeaders
+  const userResponse = await fetch(config2.OIDC_USER_INFO_ENDPOINT, {
+    headers: { Authorization: `Bearer ${tokenData.access_token}` }
   });
   if (!userResponse.ok) {
-    const errText = await userResponse.text();
-    throw new Error(
-      `Failed to fetch user info: ${userResponse.status} ${userResponse.statusText} - ${errText}`
-    );
+    throw new Error("Failed to fetch user info");
   }
-  return await userResponse.json();
+  return userResponse.json();
 }
 async function registerNewUser(userService, oauthService2, roleService2, email, userResponseData, whitelistUser, config2, ctx) {
   let roles2 = [];
@@ -331,22 +326,16 @@ async function registerNewUser(userService, oauthService2, roleService2, email,
 async function handleUserAuthentication(userService, oauthService2, roleService2, whitelistService2, userResponseData, config2, ctx) {
   const email = String(userResponseData.email).toLowerCase();
   const whitelistUser = await whitelistService2.checkWhitelistForEmail(email);
-  const dbUser = await userService.findOneByEmail(email);
-  let activateUser;
-  if (dbUser) {
-    activateUser = dbUser;
-  } else {
-    activateUser = await registerNewUser(
-      userService,
-      oauthService2,
-      roleService2,
-      email,
-      userResponseData,
-      whitelistUser,
-      config2,
-      ctx
-    );
-  }
+  const activateUser = await userService.findOneByEmail(email) ?? await registerNewUser(
+    userService,
+    oauthService2,
+    roleService2,
+    email,
+    userResponseData,
+    whitelistUser,
+    config2,
+    ctx
+  );
   const jwtToken = await oauthService2.generateToken(activateUser, ctx);
   oauthService2.triggerSignInSuccess(activateUser);
   return { activateUser, jwtToken };
@@ -362,8 +351,10 @@ async function oidcSignInCallback(ctx) {
   }
   const oidcState = ctx.cookies.get("oidc_state");
   const codeVerifier = ctx.cookies.get("oidc_code_verifier");
+  const oidcNonce = ctx.cookies.get("oidc_nonce");
   ctx.cookies.set("oidc_state", null);
   ctx.cookies.set("oidc_code_verifier", null);
+  ctx.cookies.set("oidc_nonce", null);
   if (!ctx.query.state || ctx.query.state !== oidcState) {
     return ctx.send(oauthService2.renderSignUpError("Invalid state"));
   }
@@ -375,7 +366,7 @@ async function oidcSignInCallback(ctx) {
   params.append("grant_type", config2.OIDC_GRANT_TYPE);
   params.append("code_verifier", codeVerifier);
   try {
-    const userResponseData = await exchangeTokenAndFetchUserInfo(config2, params);
+    const userResponseData = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce);
     const { activateUser, jwtToken } = await handleUserAuthentication(
       userService,
       oauthService2,
@@ -391,7 +382,7 @@ async function oidcSignInCallback(ctx) {
     ctx.send(html);
   } catch (e) {
     console.error("ERROR CAUGHT IN OIDC SIGNIN:", e);
-    ctx.send(oauthService2.renderSignUpError(e.message));
+    ctx.send(oauthService2.renderSignUpError("Authentication failed. Please try again."));
   }
 }
 async function logout(ctx) {
@@ -438,8 +429,11 @@ const role = {
   find,
   update
 };
+function getWhitelistService() {
+  return strapi.plugin("strapi-plugin-oidc").service("whitelist");
+}
 async function info(ctx) {
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const whitelistService2 = getWhitelistService();
   const settings = await whitelistService2.getSettings();
   const whitelistUsers = await whitelistService2.getUsers();
   ctx.body = {
@@ -450,8 +444,9 @@ async function info(ctx) {
   };
 }
 async function updateSettings(ctx) {
-  let { useWhitelist, enforceOIDC } = ctx.request.body;
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const { useWhitelist } = ctx.request.body;
+  let { enforceOIDC } = ctx.request.body;
+  const whitelistService2 = getWhitelistService();
   if (useWhitelist && enforceOIDC) {
     const users = await whitelistService2.getUsers();
     if (users.length === 0) {
@@ -462,7 +457,7 @@ async function updateSettings(ctx) {
   ctx.body = { useWhitelist, enforceOIDC };
 }
 async function publicSettings(ctx) {
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const whitelistService2 = getWhitelistService();
   const settings = await whitelistService2.getSettings();
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
   ctx.body = {
@@ -482,10 +477,11 @@ async function register(ctx) {
     where: { email: { $in: emailList } },
     populate: ["roles"]
   });
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const existingUsersByEmail = new Map(existingUsers.map((u) => [u.email, u]));
+  const whitelistService2 = getWhitelistService();
   let matchedExistingUsersCount = 0;
   for (const singleEmail of emailList) {
-    const existingUser = existingUsers.find((u) => u.email === singleEmail);
+    const existingUser = existingUsersByEmail.get(singleEmail);
     let finalRoles = roles2;
     if (existingUser?.roles) {
       finalRoles = existingUser.roles.map((r) => String(r.id));
@@ -502,14 +498,56 @@ async function register(ctx) {
 }
 async function removeEmail(ctx) {
   const { id } = ctx.params;
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const whitelistService2 = getWhitelistService();
   await whitelistService2.removeUser(id);
   ctx.body = {};
 }
+async function deleteAll(ctx) {
+  await strapi.query("plugin::strapi-plugin-oidc.whitelists").deleteMany({});
+  ctx.body = {};
+}
+async function importUsers(ctx) {
+  const { users } = ctx.request.body;
+  if (!Array.isArray(users)) {
+    ctx.status = 400;
+    ctx.body = { error: "Expected { users: [{email, roles}] }" };
+    return;
+  }
+  const allRoles = await strapi.query("admin::role").findMany({});
+  const roleNameToId = new Map(allRoles.map((r) => [r.name, String(r.id)]));
+  const resolveRole = (nameOrId) => roleNameToId.get(nameOrId) ?? nameOrId;
+  const normalized = users.filter((u) => u?.email).map((u) => ({
+    email: String(u.email).trim().toLowerCase(),
+    roles: (Array.isArray(u.roles) ? u.roles : []).map(resolveRole)
+  }));
+  const seen = /* @__PURE__ */ new Set();
+  const deduped = normalized.filter((u) => {
+    if (seen.has(u.email)) return false;
+    seen.add(u.email);
+    return true;
+  });
+  const strapiUsers = await strapi.query("admin::user").findMany({
+    where: { email: { $in: deduped.map((u) => u.email) } },
+    populate: ["roles"]
+  });
+  const strapiUserMap = new Map(strapiUsers.map((u) => [u.email, u]));
+  const whitelistService2 = getWhitelistService();
+  const existing = await whitelistService2.getUsers();
+  const existingEmails = new Set(existing.map((u) => u.email));
+  let importedCount = 0;
+  for (const user of deduped) {
+    if (existingEmails.has(user.email)) continue;
+    const strapiUser = strapiUserMap.get(user.email);
+    const finalRoles = strapiUser?.roles?.length ? strapiUser.roles.map((r) => String(r.id)) : user.roles;
+    await whitelistService2.registerUser(user.email, finalRoles);
+    importedCount++;
+  }
+  ctx.body = { importedCount };
+}
 async function syncUsers(ctx) {
-  let { users } = ctx.request.body;
-  users = users.map((u) => ({ ...u, email: String(u.email).toLowerCase() }));
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const { users: rawUsers } = ctx.request.body;
+  const users = rawUsers.map((u) => ({ ...u, email: String(u.email).toLowerCase() }));
+  const whitelistService2 = getWhitelistService();
   const currentUsers = await whitelistService2.getUsers();
   let matchedExistingUsersCount = 0;
   const emailsToSync = users.map((u) => u.email);
@@ -517,26 +555,29 @@ async function syncUsers(ctx) {
     where: { email: { $in: emailsToSync } },
     populate: ["roles"]
   });
+  const syncEmailSet = new Set(emailsToSync);
+  const currentUsersByEmail = new Map(currentUsers.map((u) => [u.email, u]));
+  const strapiUsersByEmail = new Map(existingStrapiUsers.map((u) => [u.email, u]));
   for (const currUser of currentUsers) {
-    if (!users.find((u) => u.email === currUser.email)) {
+    if (!syncEmailSet.has(currUser.email)) {
       await whitelistService2.removeUser(currUser.id);
     }
   }
   for (const user of users) {
-    const existingStrapiUser = existingStrapiUsers.find((u) => u.email === user.email);
+    const currUser = currentUsersByEmail.get(user.email);
     let finalRoles = user.roles;
-    const currUser = currentUsers.find((u) => u.email === user.email);
-    if (!currUser && existingStrapiUser?.roles) {
-      finalRoles = existingStrapiUser.roles.map((r) => String(r.id));
-      matchedExistingUsersCount++;
-    }
-    if (currUser) {
+    if (!currUser) {
+      const existingStrapiUser = strapiUsersByEmail.get(user.email);
+      if (existingStrapiUser?.roles) {
+        finalRoles = existingStrapiUser.roles.map((r) => String(r.id));
+        matchedExistingUsersCount++;
+      }
+      await whitelistService2.registerUser(user.email, finalRoles);
+    } else {
       await strapi.query("plugin::strapi-plugin-oidc.whitelists").update({
         where: { id: currUser.id },
         data: { roles: finalRoles }
       });
-    } else {
-      await whitelistService2.registerUser(user.email, finalRoles);
     }
   }
   ctx.body = { matchedExistingUsersCount };
@@ -547,7 +588,9 @@ const whitelist = {
   publicSettings,
   register,
   removeEmail,
-  syncUsers
+  deleteAll,
+  syncUsers,
+  importUsers
 };
 const controllers = {
   oidc,
@@ -571,134 +614,133 @@ const rateLimitMiddleware = async (ctx, next) => {
   rateLimitMap.set(ip, requestStamps);
   await next();
 };
-const routes = [
-  {
-    method: "GET",
-    path: "/oidc-roles",
-    handler: "role.find",
-    config: {
-      policies: [
-        "admin::isAuthenticatedAdmin",
-        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.read"] } }
-      ]
-    }
-  },
-  {
-    method: "PUT",
-    path: "/oidc-roles",
-    handler: "role.update",
-    config: {
-      policies: [
-        "admin::isAuthenticatedAdmin",
-        {
-          name: "admin::hasPermissions",
-          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
-        }
-      ]
-    }
-  },
-  {
-    method: "GET",
-    path: "/oidc",
-    handler: "oidc.oidcSignIn",
-    config: {
-      auth: false,
-      middlewares: [rateLimitMiddleware]
-    }
-  },
-  {
-    method: "GET",
-    path: "/oidc/callback",
-    handler: "oidc.oidcSignInCallback",
-    config: {
-      auth: false,
-      middlewares: [rateLimitMiddleware]
-    }
-  },
-  {
-    method: "GET",
-    path: "/logout",
-    handler: "oidc.logout",
-    config: {
-      auth: false
-    }
-  },
-  {
-    method: "GET",
-    path: "/whitelist",
-    handler: "whitelist.info",
-    config: {
-      policies: [
-        "admin::isAuthenticatedAdmin",
-        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.read"] } }
-      ]
-    }
-  },
-  {
-    method: "PUT",
-    path: "/whitelist/settings",
-    handler: "whitelist.updateSettings",
-    config: {
-      policies: [
-        "admin::isAuthenticatedAdmin",
-        {
-          name: "admin::hasPermissions",
-          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
-        }
-      ]
-    }
-  },
-  {
-    method: "GET",
-    path: "/settings/public",
-    handler: "whitelist.publicSettings",
-    config: {
-      auth: false
-    }
-  },
-  {
-    method: "PUT",
-    path: "/whitelist/sync",
-    handler: "whitelist.syncUsers",
-    config: {
-      policies: [
-        "admin::isAuthenticatedAdmin",
-        {
-          name: "admin::hasPermissions",
-          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
-        }
-      ]
-    }
-  },
-  {
-    method: "POST",
-    path: "/whitelist",
-    handler: "whitelist.register",
-    config: {
-      policies: [
-        "admin::isAuthenticatedAdmin",
-        {
-          name: "admin::hasPermissions",
-          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
-        }
-      ]
+const adminPolicies = (action) => ({
+  policies: [
+    "admin::isAuthenticatedAdmin",
+    {
+      name: "admin::hasPermissions",
+      config: { actions: [`plugin::strapi-plugin-oidc.${action}`] }
     }
+  ]
+});
+const routes = {
+  admin: {
+    type: "admin",
+    routes: [
+      {
+        method: "GET",
+        path: "/oidc-roles",
+        handler: "role.find",
+        config: adminPolicies("read")
+      },
+      {
+        method: "PUT",
+        path: "/oidc-roles",
+        handler: "role.update",
+        config: adminPolicies("update")
+      },
+      {
+        method: "GET",
+        path: "/oidc",
+        handler: "oidc.oidcSignIn",
+        config: { auth: false, middlewares: [rateLimitMiddleware] }
+      },
+      {
+        method: "GET",
+        path: "/oidc/callback",
+        handler: "oidc.oidcSignInCallback",
+        config: { auth: false, middlewares: [rateLimitMiddleware] }
+      },
+      {
+        method: "GET",
+        path: "/logout",
+        handler: "oidc.logout",
+        config: { auth: false }
+      },
+      {
+        method: "GET",
+        path: "/whitelist",
+        handler: "whitelist.info",
+        config: adminPolicies("read")
+      },
+      {
+        method: "PUT",
+        path: "/whitelist/settings",
+        handler: "whitelist.updateSettings",
+        config: adminPolicies("update")
+      },
+      {
+        method: "GET",
+        path: "/settings/public",
+        handler: "whitelist.publicSettings",
+        config: { auth: false }
+      },
+      {
+        method: "PUT",
+        path: "/whitelist/sync",
+        handler: "whitelist.syncUsers",
+        config: adminPolicies("update")
+      },
+      {
+        method: "POST",
+        path: "/whitelist/import",
+        handler: "whitelist.importUsers",
+        config: adminPolicies("update")
+      },
+      {
+        method: "POST",
+        path: "/whitelist",
+        handler: "whitelist.register",
+        config: adminPolicies("update")
+      },
+      {
+        method: "DELETE",
+        path: "/whitelist/:id",
+        handler: "whitelist.removeEmail",
+        config: adminPolicies("update")
+      },
+      {
+        method: "DELETE",
+        path: "/whitelist",
+        handler: "whitelist.deleteAll",
+        config: adminPolicies("update")
+      }
+    ]
   },
-  {
-    method: "DELETE",
-    path: "/whitelist/:id",
-    handler: "whitelist.removeEmail",
-    config: {
-      policies: [
-        "admin::isAuthenticatedAdmin",
-        {
-          name: "admin::hasPermissions",
-          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
-        }
-      ]
-    }
+  // API-token-authenticated routes for programmatic whitelist management.
+  // Accessible at /strapi-plugin-oidc/... using a Strapi API token
+  // (full-access or custom) in the Authorization: Bearer <token> header.
+  "content-api": {
+    type: "content-api",
+    routes: [
+      {
+        method: "GET",
+        path: "/whitelist",
+        handler: "whitelist.info"
+      },
+      {
+        method: "POST",
+        path: "/whitelist",
+        handler: "whitelist.register"
+      },
+      {
+        method: "POST",
+        path: "/whitelist/import",
+        handler: "whitelist.importUsers"
+      },
+      {
+        method: "DELETE",
+        path: "/whitelist/:id",
+        handler: "whitelist.removeEmail"
+      },
+      {
+        method: "DELETE",
+        path: "/whitelist",
+        handler: "whitelist.deleteAll"
+      }
+    ]
   }
-];
+};
 const policies = {};
 function renderHtmlTemplate(title, content) {
   return `
@@ -834,7 +876,7 @@ function oauthService({ strapi: strapi2 }) {
         roles: roles2,
         preferedLanguage: locale
       });
-      return await userService.register({
+      return userService.register({
         registrationToken: createdUser.registrationToken,
         userInfo: {
           firstname: firstname || "unset",
@@ -855,7 +897,7 @@ function oauthService({ strapi: strapi2 }) {
       if (!baseAlias) {
         return baseEmail;
       }
-      const alias = baseAlias.replace("/+/g", "");
+      const alias = baseAlias.replace(/\+/g, "");
       const beforePosition = baseEmail.indexOf("@");
       const origin = baseEmail.substring(0, beforePosition);
       const domain = baseEmail.substring(beforePosition);
@@ -892,11 +934,9 @@ function oauthService({ strapi: strapi2 }) {
         provider: "strapi-plugin-oidc"
       });
     },
-    // Sign In Success
     renderSignUpSuccess(jwtToken, user, nonce) {
       const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
-      const REMEMBER_ME = config2["REMEMBER_ME"];
-      const isRememberMe = !!REMEMBER_ME;
+      const isRememberMe = !!config2["REMEMBER_ME"];
       const content = `
     <noscript>
       <div class="card">
@@ -922,7 +962,6 @@ function oauthService({ strapi: strapi2 }) {
     <\/script>`;
       return renderHtmlTemplate("Authenticating...", content);
     },
-    // Sign In Error
     renderSignUpError(message) {
       const safeMessage = String(message).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
       const content = `
@@ -950,8 +989,7 @@ function oauthService({ strapi: strapi2 }) {
       const userId = String(user.id);
       const deviceId = node_crypto.randomUUID();
       const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
-      const REMEMBER_ME = config2["REMEMBER_ME"];
-      const rememberMe = !!REMEMBER_ME;
+      const rememberMe = !!config2["REMEMBER_ME"];
       const { token: refreshToken, absoluteExpiresAt } = await sessionManager(
         "admin"
       ).generateRefreshToken(userId, deviceId, {