strapi-plugin-oidc 1.6.2 → 1.6.4

package/dist/server/index.js

@@ -36,52 +36,45 @@ function getRetentionDays() {
 function isAuditLogEnabled() {
   return getRetentionDays() !== 0;
 }
+const AUTH_ROUTES = ["login", "register", "register-admin", "forgot-password", "reset-password"];
 async function bootstrap({ strapi: strapi2 }) {
   const adminUrl = strapi2.config.get("admin.url", "/admin");
-  const authRoutes = [
-    `${adminUrl}/login`,
-    `${adminUrl}/register`,
-    `${adminUrl}/register-admin`,
-    `${adminUrl}/forgot-password`,
-    `${adminUrl}/reset-password`
-  ];
   const tokenRefreshPath = `${adminUrl}/token/refresh`;
   const enforceOidcMiddleware = async (ctx, next) => {
-    const isPostAuth = authRoutes.includes(ctx.request.path) && ctx.request.method === "POST";
-    const isTokenRefresh = ctx.request.path === tokenRefreshPath && ctx.request.method === "POST";
-    if (isPostAuth || isTokenRefresh) {
+    const path = ctx.request.path;
+    const isPost = ctx.request.method === "POST";
+    const isAuthRoute = AUTH_ROUTES.some((r) => path.includes(r));
+    const isTokenRefresh = path === tokenRefreshPath;
+    if (isAuthRoute && isPost || isTokenRefresh) {
       try {
         const whitelistService2 = strapi2.plugin("strapi-plugin-oidc").service("whitelist");
         const settings = await whitelistService2.getSettings();
         const enforceOIDC = resolveEnforceOIDC(strapi2, settings?.enforceOIDC);
-        if (enforceOIDC) {
-          if (isPostAuth) {
-            ctx.status = 403;
-            ctx.body = {
-              data: null,
-              error: {
-                status: 403,
-                name: "ForbiddenError",
-                message: "Local login is disabled. Please use OIDC.",
-                details: {}
-              }
-            };
-            return;
-          }
-          const hasOidcSession = !!ctx.cookies.get("oidc_authenticated");
-          if (isTokenRefresh && !hasOidcSession) {
-            ctx.status = 401;
-            ctx.body = {
-              data: null,
-              error: {
-                status: 401,
-                name: "UnauthorizedError",
-                message: "Session was not created via OIDC. Please log in again.",
-                details: {}
-              }
-            };
-            return;
-          }
+        if (enforceOIDC && isAuthRoute && isPost) {
+          ctx.status = 403;
+          ctx.body = {
+            data: null,
+            error: {
+              status: 403,
+              name: "ForbiddenError",
+              message: "Local login is disabled. Please use OIDC.",
+              details: {}
+            }
+          };
+          return;
+        }
+        if (enforceOIDC && isTokenRefresh && !ctx.cookies.get("oidc_authenticated")) {
+          ctx.status = 401;
+          ctx.body = {
+            data: null,
+            error: {
+              status: 401,
+              name: "UnauthorizedError",
+              message: "Session was not created via OIDC. Please log in again.",
+              details: {}
+            }
+          };
+          return;
         }
       } catch (err) {
         strapi2.log.error("Error checking OIDC enforcement in middleware:", err);
@@ -95,18 +88,8 @@ async function bootstrap({ strapi: strapi2 }) {
     strapi2.server.use(enforceOidcMiddleware);
   }
   const actions = [
-    {
-      section: "plugins",
-      displayName: "Read",
-      uid: "read",
-      pluginName: "strapi-plugin-oidc"
-    },
-    {
-      section: "plugins",
-      displayName: "Update",
-      uid: "update",
-      pluginName: "strapi-plugin-oidc"
-    }
+    { section: "plugins", displayName: "Read", uid: "read", pluginName: "strapi-plugin-oidc" },
+    { section: "plugins", displayName: "Update", uid: "update", pluginName: "strapi-plugin-oidc" }
   ];
   await strapi2.admin.services.permission.actionProvider.registerMany(actions);
   const enforceOIDCConfig = getEnforceOIDCConfig(strapi2);
@@ -125,17 +108,12 @@ async function bootstrap({ strapi: strapi2 }) {
     }
   }
   try {
-    const oidcRoleCount = await strapi2.query("plugin::strapi-plugin-oidc.roles").count({
-      where: { oauth_type: "4" }
-    });
+    const oidcRoleCount = await strapi2.query("plugin::strapi-plugin-oidc.roles").count({ where: { oauth_type: "4" } });
     if (oidcRoleCount === 0) {
       const defaultRole = await strapi2.query("admin::role").findOne({ where: { code: "strapi-editor" } }) ?? await strapi2.query("admin::role").findOne({});
       if (defaultRole) {
         await strapi2.query("plugin::strapi-plugin-oidc.roles").create({
-          data: {
-            oauth_type: "4",
-            roles: [defaultRole.id.toString()]
-          }
+          data: { oauth_type: "4", roles: [String(defaultRole.id)] }
         });
       }
     }
@@ -153,7 +131,6 @@ async function bootstrap({ strapi: strapi2 }) {
         }
       },
       options: { rule: "0 0 * * *" }
-      // daily at midnight
     }
   });
 }
@@ -255,24 +232,37 @@ const errorCodes = {
   USER_CREATION_FAILED: "USER_CREATION_FAILED",
   WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED"
 };
+const ERROR_DETAIL_TEMPLATES = {
+  token_exchange_failed: "Token exchange failed with HTTP status {status}",
+  userinfo_fetch_failed: "UserInfo endpoint returned HTTP {status}",
+  role_update_failed: "Role update failed for user {userId}: {error}",
+  user_creation_failed: "User creation failed for {email}: {error}",
+  id_token_parse_failed: "ID token parse failed: {error}",
+  sign_in_unknown: "Unknown sign-in error: {error}",
+  invalid_email: "Invalid email address received from OIDC provider",
+  whitelist_not_present: "Email not present in whitelist",
+  session_manager_unsupported: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
+  missing_config: "Missing required config keys: {keys}"
+};
+function interpolate$1(template, params) {
+  if (!params) return template;
+  return template.replace(/\{(\w+)\}/g, (_, key) => String(params[key] ?? `{${key}}`));
+}
 function getErrorDetail(key, params) {
-  switch (key) {
-    case "token_exchange_failed":
-      return `Token exchange failed with HTTP status ${params?.status ?? "unknown"}`;
-    case "userinfo_fetch_failed":
-      return `UserInfo endpoint returned HTTP ${params?.status ?? "unknown"}`;
-    case "role_update_failed":
-      return `Role update failed for user ${params?.userId}: ${params?.error ?? "unknown"}`;
-    case "user_creation_failed":
-      return `User creation failed for ${params?.email}: ${params?.error ?? "unknown"}`;
-    case "id_token_parse_failed":
-      return `ID token parse failed: ${params?.error ?? "unknown"}`;
-    case "sign_in_unknown":
-      return `Unknown sign-in error: ${params?.error ?? "unknown"}`;
-    default:
-      return void 0;
-  }
+  const template = ERROR_DETAIL_TEMPLATES[key];
+  if (!template) return void 0;
+  return interpolate$1(template, params);
 }
+const errorMessages = {
+  TOKEN_EXCHANGE_FAILED: "Token exchange failed",
+  USERINFO_FETCH_FAILED: "Failed to fetch user info",
+  ID_TOKEN_PARSE_FAILED: "Failed to parse ID token",
+  NONCE_MISMATCH: "Nonce mismatch",
+  INVALID_EMAIL: "Invalid email address received from OIDC provider",
+  WHITELIST_NOT_PRESENT: "Not present in whitelist",
+  SESSION_MANAGER_UNSUPPORTED: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
+  MISSING_CONFIG: (keys) => `Missing required config keys: ${keys}`
+};
 const en = {
   "global.plugins.strapi-plugin-oidc": "OIDC Plugin",
   "page.title": "Configure OIDC default role(s) and access controls.",
@@ -337,6 +327,7 @@ const en = {
   "auditlog.table.ip": "IP",
   "auditlog.table.details": "Details",
   "auditlog.table.empty": "No audit log entries",
+  "auditlog.loading": "Loading…",
   "auditlog.clear": "Clear Logs",
   "auditlog.clear.title": "Clear All Logs",
   "auditlog.clear.description": "This will permanently delete all {count, plural, one {# audit log entry} other {# audit log entries}}. This action cannot be undone.",
@@ -355,7 +346,9 @@ const en = {
   "auditlog.action.whitelist_rejected": "The user's email address is not on the whitelist. Access was denied.",
   "user.missing_code": "Authorisation code was not received from the OIDC provider.",
   "user.invalid_state": "State parameter mismatch. Please restart the login flow.",
-  "user.signInError": "Authentication failed. Please try again."
+  "user.signInError": "Authentication failed. Please try again.",
+  "settings.section": "OIDC",
+  "settings.configuration": "Configuration"
 };
 const userFacingMessages = {
   get missing_code() {
@@ -382,12 +375,11 @@ const REQUIRED_CONFIG_KEYS = [
 ];
 function configValidation() {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
-  if (REQUIRED_CONFIG_KEYS.every((key) => config2[key])) {
+  const missing = REQUIRED_CONFIG_KEYS.filter((key) => !config2[key]);
+  if (missing.length === 0) {
     return config2;
   }
-  throw new Error(
-    `The following configuration keys are required: ${REQUIRED_CONFIG_KEYS.join(", ")}`
-  );
+  throw new Error(errorMessages.MISSING_CONFIG(missing.join(", ")));
 }
 async function oidcSignIn(ctx) {
   const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPE, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
@@ -428,7 +420,7 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
     }
   });
   if (!response.ok) {
-    throw new Error("Token exchange failed");
+    throw new Error(errorMessages.TOKEN_EXCHANGE_FAILED);
   }
   const tokenData = await response.json();
   if (tokenData.id_token) {
@@ -436,18 +428,18 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
       const payloadB64 = tokenData.id_token.split(".")[1];
       const idTokenPayload = JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf8"));
       if (idTokenPayload.nonce !== expectedNonce) {
-        throw new Error("Nonce mismatch");
+        throw new Error(errorMessages.NONCE_MISMATCH);
       }
     } catch (e) {
       if (e.message === "Nonce mismatch") throw e;
-      throw new Error("Failed to parse ID token");
+      throw new Error(errorMessages.ID_TOKEN_PARSE_FAILED);
     }
   }
   const userResponse = await fetch(config2.OIDC_USERINFO_ENDPOINT, {
     headers: { Authorization: `Bearer ${tokenData.access_token}` }
   });
   if (!userResponse.ok) {
-    throw new Error("Failed to fetch user info");
+    throw new Error(errorMessages.USERINFO_FETCH_FAILED);
   }
   const userInfo = await userResponse.json();
   return { userInfo, accessToken: tokenData.access_token };
@@ -476,9 +468,9 @@ function resolveRolesFromGroups(userInfo, config2, availableRoles) {
 }
 async function resolveRoles(userInfo, config2, roleService2, availableRoles) {
   const groupRoles = resolveRolesFromGroups(userInfo, config2, availableRoles);
-  if (groupRoles.length > 0) return groupRoles;
+  if (groupRoles.length > 0) return { roles: groupRoles, fromGroupMapping: true };
   const oidcRoles = await roleService2.oidcRoles();
-  return oidcRoles?.roles || [];
+  return { roles: oidcRoles?.roles || [], fromGroupMapping: false };
 }
 async function registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2) {
   const defaultLocale = oauthService2.localeFindByHeader(
@@ -495,7 +487,11 @@ async function registerNewUser(oauthService2, email, userResponseData, config2,
   return activateUser;
 }
 function rolesChanged(current, next) {
-  return current.size !== next.size || [...next].some((id) => !current.has(id));
+  if (current.size !== next.size) return true;
+  for (const id of next) {
+    if (!current.has(id)) return true;
+  }
+  return false;
 }
 async function updateUserRoles(user, currentRoleIds, newRoleIds) {
   try {
@@ -522,11 +518,16 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
   const rawEmail = String(userResponseData.email ?? "");
   const email = rawEmail.toLowerCase();
   if (!email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
-    throw new Error("Invalid email address received from OIDC provider");
+    throw new Error(errorMessages.INVALID_EMAIL);
   }
   await whitelistService2.checkWhitelistForEmail(email);
   const allRoles = await strapi.db.query("admin::role").findMany();
-  const roles2 = await resolveRoles(userResponseData, config2, roleService2, allRoles);
+  const { roles: roles2, fromGroupMapping } = await resolveRoles(
+    userResponseData,
+    config2,
+    roleService2,
+    allRoles
+  );
   const resolvedRoleNames = allRoles.filter((r) => roles2.includes(String(r.id))).map((r) => r.name);
   let userCreated = false;
   let rolesUpdated = false;
@@ -535,16 +536,11 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
     user = await registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2);
     userCreated = true;
     rolesUpdated = true;
-  } else if (roles2.length > 0) {
-    const defaultRoleIds = new Set(user.roles.map((r) => String(r.id)));
+  } else if (fromGroupMapping && roles2.length > 0) {
     const currentRoleIds = new Set(user.roles.map((r) => String(r.id)));
-    const newRoleIds = new Set(roles2);
-    if (rolesChanged(currentRoleIds, newRoleIds)) {
-      const isOnDefaultRoles = currentRoleIds.size === defaultRoleIds.size && [...currentRoleIds].every((id) => defaultRoleIds.has(id));
-      if (isOnDefaultRoles) {
-        await updateUserRoles(user, currentRoleIds, roles2);
-        rolesUpdated = true;
-      }
+    if (rolesChanged(currentRoleIds, new Set(roles2))) {
+      await updateUserRoles(user, currentRoleIds, roles2);
+      rolesUpdated = true;
     }
   }
   const jwtToken = await oauthService2.generateToken(user, ctx);
@@ -552,52 +548,39 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
   return { activateUser: user, jwtToken, userCreated, rolesUpdated, resolvedRoleNames };
 }
 function classifyOidcError(msg, userInfo) {
-  const errorMap = [
-    {
-      test: (m) => m.includes("whitelist"),
-      result: {
-        action: "whitelist_rejected",
-        code: errorCodes.WHITELIST_CHECK_FAILED,
-        key: "whitelist_rejected"
-      }
-    },
-    {
-      test: (m) => m === "Nonce mismatch",
-      result: { action: "nonce_mismatch", code: errorCodes.NONCE_MISMATCH }
-    },
-    {
-      test: (m) => m === "Token exchange failed",
-      result: { action: "token_exchange_failed", code: errorCodes.TOKEN_EXCHANGE_FAILED }
-    },
-    {
-      test: (m) => m === "Failed to fetch user info",
-      result: {
-        action: "login_failure",
-        code: errorCodes.USERINFO_FETCH_FAILED,
-        key: "userinfo_fetch_failed"
-      }
-    },
-    {
-      test: (m) => m === "Failed to parse ID token",
-      result: {
-        action: "login_failure",
-        code: errorCodes.ID_TOKEN_PARSE_FAILED,
-        key: "id_token_parse_failed",
-        params: { error: msg }
-      }
-    },
-    {
-      test: (m) => m === "User creation failed" || m.includes("createUser"),
-      result: {
-        action: "login_failure",
-        code: errorCodes.USER_CREATION_FAILED,
-        key: "user_creation_failed",
-        params: userInfo?.email ? { email: userInfo.email, error: msg } : void 0
-      }
-    }
-  ];
-  for (const { test, result } of errorMap) {
-    if (test(msg)) return result;
+  if (msg.includes("whitelist")) {
+    return {
+      action: "whitelist_rejected",
+      code: errorCodes.WHITELIST_CHECK_FAILED,
+      key: "whitelist_rejected"
+    };
+  }
+  if (msg === "Nonce mismatch")
+    return { action: "nonce_mismatch", code: errorCodes.NONCE_MISMATCH };
+  if (msg === "Token exchange failed")
+    return { action: "token_exchange_failed", code: errorCodes.TOKEN_EXCHANGE_FAILED };
+  if (msg === "Failed to fetch user info") {
+    return {
+      action: "login_failure",
+      code: errorCodes.USERINFO_FETCH_FAILED,
+      key: "userinfo_fetch_failed"
+    };
+  }
+  if (msg === "Failed to parse ID token") {
+    return {
+      action: "login_failure",
+      code: errorCodes.ID_TOKEN_PARSE_FAILED,
+      key: "id_token_parse_failed",
+      params: { error: msg }
+    };
+  }
+  if (msg === "User creation failed" || msg.includes("createUser")) {
+    return {
+      action: "login_failure",
+      code: errorCodes.USER_CREATION_FAILED,
+      key: "user_creation_failed",
+      params: userInfo?.email ? { email: userInfo.email, error: msg } : void 0
+    };
   }
   return {
     action: "login_failure",
@@ -830,13 +813,9 @@ async function register(ctx) {
   const whitelistService2 = getWhitelistService();
   let matchedExistingUsersCount = 0;
   for (const singleEmail of emailList) {
-    const existingUser = await strapi.query("admin::user").findOne({
-      where: { email: singleEmail }
-    });
+    const existingUser = await strapi.query("admin::user").findOne({ where: { email: singleEmail } });
     if (existingUser) matchedExistingUsersCount++;
-    const alreadyWhitelisted = await strapi.query("plugin::strapi-plugin-oidc.whitelists").findOne({
-      where: { email: singleEmail }
-    });
+    const alreadyWhitelisted = await strapi.query("plugin::strapi-plugin-oidc.whitelists").findOne({ where: { email: singleEmail } });
     if (!alreadyWhitelisted) {
       await whitelistService2.registerUser(singleEmail);
     }
@@ -978,9 +957,7 @@ function rateLimitMiddleware(ctx, next) {
   const key = getRateLimitKey(ctx);
   const now = Date.now();
   const windowStart = now - RATE_LIMIT_WINDOW;
-  const requestStamps = (rateLimitMap.get(key) || []).filter(
-    (timestamp) => timestamp > windowStart
-  );
+  const requestStamps = (rateLimitMap.get(key) ?? []).filter((ts) => ts > windowStart);
   if (requestStamps.length >= MAX_REQUESTS) {
     ctx.status = 429;
     ctx.body = "Too Many Requests";
@@ -1287,9 +1264,7 @@ function oauthService({ strapi: strapi2 }) {
       const userService = strapi2.service("admin::user");
       if (/[A-Z]/.test(email)) {
         const dbUser = await userService.findOneByEmail(email.toLocaleLowerCase());
-        if (dbUser) {
-          return dbUser;
-        }
+        if (dbUser) return dbUser;
       }
       const createdUser = await userService.create({
         firstname: firstname || "unset",
@@ -1305,7 +1280,6 @@ function oauthService({ strapi: strapi2 }) {
           lastname: lastname || "user",
           password: generator__default.default.generate({
             length: 43,
-            // 256 bits (https://en.wikipedia.org/wiki/Password_strength#Random_passwords)
             numbers: true,
             lowercase: true,
             uppercase: true,
@@ -1316,14 +1290,10 @@ function oauthService({ strapi: strapi2 }) {
       });
     },
     addGmailAlias(baseEmail, baseAlias) {
-      if (!baseAlias) {
-        return baseEmail;
-      }
+      if (!baseAlias) return baseEmail;
       const alias = baseAlias.replace(/\+/g, "");
-      const beforePosition = baseEmail.indexOf("@");
-      const origin = baseEmail.substring(0, beforePosition);
-      const domain = baseEmail.substring(beforePosition);
-      return `${origin}+${alias}${domain}`;
+      const atIndex = baseEmail.indexOf("@");
+      return `${baseEmail.slice(0, atIndex)}+${alias}${baseEmail.slice(atIndex)}`;
     },
     localeFindByHeader(headers) {
       return headers["accept-language"]?.includes("ja") ? "ja" : "en";
@@ -1404,9 +1374,7 @@ function oauthService({ strapi: strapi2 }) {
     async generateToken(user, ctx) {
       const sessionManager = strapi2.sessionManager;
       if (!sessionManager) {
-        throw new Error(
-          "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later."
-        );
+        throw new Error(errorMessages.SESSION_MANAGER_UNSUPPORTED);
       }
       const userId = String(user.id);
       const deviceId = node_crypto.randomUUID();
@@ -1496,15 +1464,11 @@ function roleService({ strapi: strapi2 }) {
     }
   };
 }
+const SETTINGS_CACHE_TTL_MS = 5 * 60 * 1e3;
 function whitelistService({ strapi: strapi2 }) {
-  const getPluginStore = () => strapi2.store({
-    environment: "",
-    type: "plugin",
-    name: "strapi-plugin-oidc"
-  });
-  const getWhitelistQuery = () => strapi2.query("plugin::strapi-plugin-oidc.whitelists");
   let settingsCache = null;
-  const SETTINGS_CACHE_TTL_MS = 5 * 60 * 1e3;
+  const getPluginStore = () => strapi2.store({ environment: "", type: "plugin", name: "strapi-plugin-oidc" });
+  const getWhitelistQuery = () => strapi2.query("plugin::strapi-plugin-oidc.whitelists");
   return {
     async getSettings() {
       const now = Date.now();
@@ -1513,10 +1477,7 @@ function whitelistService({ strapi: strapi2 }) {
       }
       let settings = await getPluginStore().get({ key: "settings" });
       if (!settings) {
-        settings = {
-          useWhitelist: true,
-          enforceOIDC: false
-        };
+        settings = { useWhitelist: true, enforceOIDC: false };
         await getPluginStore().set({ key: "settings", value: settings });
       }
       settingsCache = { value: settings, ts: now };
@@ -1530,26 +1491,18 @@ function whitelistService({ strapi: strapi2 }) {
       return getWhitelistQuery().findMany();
     },
     async registerUser(email) {
-      await getWhitelistQuery().create({
-        data: { email }
-      });
+      await getWhitelistQuery().create({ data: { email } });
     },
     async removeUser(email) {
-      await getWhitelistQuery().deleteMany({
-        where: { email }
-      });
+      await getWhitelistQuery().deleteMany({ where: { email } });
     },
     async checkWhitelistForEmail(email) {
       const settings = await this.getSettings();
-      if (!settings.useWhitelist) {
-        return null;
-      }
+      if (!settings.useWhitelist) return null;
       const result = await getWhitelistQuery().findOne({
         where: { email }
       });
-      if (!result) {
-        throw new Error("Not present in whitelist");
-      }
+      if (!result) throw new Error(errorMessages.WHITELIST_NOT_PRESENT);
       return result;
     }
   };
@@ -1610,9 +1563,7 @@ function auditLogService({ strapi: strapi2 }) {
     },
     async cleanup(retentionDays) {
       const cutoff = new Date(Date.now() - retentionDays * 864e5);
-      await strapi2.db.query("plugin::strapi-plugin-oidc.audit-log").deleteMany({
-        where: { createdAt: { $lt: cutoff } }
-      });
+      await strapi2.db.query("plugin::strapi-plugin-oidc.audit-log").deleteMany({ where: { createdAt: { $lt: cutoff } } });
     }
   };
 }