npm - strapi-plugin-oidc - Versions diffs - 1.7.5 → 1.8.0 - Mend

strapi-plugin-oidc 1.7.5 → 1.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +77 -41
package/dist/admin/{index-BjmTHbr9.mjs → index-8YTLPV3h.mjs} +113 -100
package/dist/admin/{index-BfX_taLq.mjs → index-B-K4X_N9.mjs} +8 -2
package/dist/admin/{index-CLUIKIK3.js → index-BSgVStns.js} +8 -2
package/dist/admin/{index-CacQfQ3a.js → index-CgG_mHzZ.js} +112 -99
package/dist/admin/index.js +1 -1
package/dist/admin/index.mjs +1 -1
package/dist/server/index.js +188 -49
package/dist/server/index.mjs +188 -49
package/package.json +2 -1

package/dist/server/index.js CHANGED Viewed

@@ -2,6 +2,7 @@
 Object.defineProperties(exports, { __esModule: { value: true }, [Symbol.toStringTag]: { value: "Module" } });
 const node_crypto = require("node:crypto");
 const pkceChallenge = require("pkce-challenge");
+const jose = require("jose");
 const node_stream = require("node:stream");
 const strapiUtils = require("@strapi/utils");
 const generator = require("generate-password");
@@ -99,6 +100,16 @@ async function bootstrap({ strapi: strapi2 }) {
     { section: "plugins", displayName: "Update", uid: "update", pluginName: "strapi-plugin-oidc" }
   ];
   await strapi2.admin.services.permission.actionProvider.registerMany(actions);
+  const contentApiScopeUids = [
+    "plugin::strapi-plugin-oidc.whitelist.read",
+    "plugin::strapi-plugin-oidc.whitelist.write",
+    "plugin::strapi-plugin-oidc.whitelist.delete",
+    "plugin::strapi-plugin-oidc.audit.read",
+    "plugin::strapi-plugin-oidc.audit.delete"
+  ];
+  for (const uid of contentApiScopeUids) {
+    strapi2.contentAPI.permissions.providers.action.register(uid, { uid });
+  }
   const enforceOIDCConfig = getEnforceOIDCConfig(strapi2);
   if (enforceOIDCConfig !== null) {
     try {
@@ -162,7 +173,12 @@ const config = {
     // null = use DB setting; true/false = override DB (useful for lockout recovery)
     AUDIT_LOG_RETENTION_DAYS: 90,
     OIDC_GROUP_FIELD: "groups",
-    OIDC_GROUP_ROLE_MAP: "{}"
+    OIDC_GROUP_ROLE_MAP: "{}",
+    OIDC_REQUIRE_EMAIL_VERIFIED: true,
+    OIDC_TRUSTED_IP_HEADER: "",
+    OIDC_JWKS_URI: "",
+    OIDC_ISSUER: "",
+    OIDC_FORCE_SECURE_COOKIES: false
   },
   validator() {
   }
@@ -211,11 +227,21 @@ const contentTypes = {
   whitelists,
   "audit-log": auditLog$1
 };
-function getExpiredCookieOptions(strapi2, ctx) {
+function shouldMarkSecure(strapi2, ctx) {
   const isProduction = strapi2.config.get("environment") === "production";
+  if (!isProduction) return false;
+  const config2 = strapi2.config.get("plugin::strapi-plugin-oidc") ?? {};
+  if (config2.OIDC_FORCE_SECURE_COOKIES === true) return true;
+  if (ctx.request.secure) return true;
+  const proxyTrusted = ctx.app?.proxy === true;
+  if (proxyTrusted && typeof ctx.get === "function" && ctx.get("x-forwarded-proto") === "https")
+    return true;
+  return false;
+}
+function getExpiredCookieOptions(strapi2, ctx) {
   return {
     httpOnly: true,
-    secure: isProduction && ctx.request.secure,
+    secure: shouldMarkSecure(strapi2, ctx),
     path: strapi2.config.get("admin.auth.cookie.path", "/admin"),
     domain: strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain"),
     sameSite: strapi2.config.get("admin.auth.cookie.sameSite", "lax"),
@@ -242,7 +268,9 @@ const errorCodes = {
   NONCE_MISMATCH: "NONCE_MISMATCH",
   ROLE_UPDATE_FAILED: "ROLE_UPDATE_FAILED",
   USER_CREATION_FAILED: "USER_CREATION_FAILED",
-  WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED"
+  WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED",
+  EMAIL_NOT_VERIFIED: "EMAIL_NOT_VERIFIED",
+  ID_TOKEN_INVALID: "ID_TOKEN_INVALID"
 };
 const ERROR_DETAIL_TEMPLATES = {
   token_exchange_failed: "Token exchange failed with HTTP status {status}",
@@ -252,6 +280,8 @@ const ERROR_DETAIL_TEMPLATES = {
   id_token_parse_failed: "ID token parse failed: {error}",
   sign_in_unknown: "Unknown sign-in error: {error}",
   invalid_email: "Invalid email address received from OIDC provider",
+  email_not_verified: "Email address has not been verified by the OIDC provider",
+  id_token_invalid: "ID token verification failed: {error}",
   whitelist_not_present: "Email not present in whitelist",
   session_manager_unsupported: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
   missing_config: "Missing required config keys: {keys}"
@@ -271,6 +301,8 @@ const errorMessages = {
   ID_TOKEN_PARSE_FAILED: "Failed to parse ID token",
   NONCE_MISMATCH: "Nonce mismatch",
   INVALID_EMAIL: "Invalid email address received from OIDC provider",
+  EMAIL_NOT_VERIFIED: "Email address has not been verified by the OIDC provider",
+  ID_TOKEN_INVALID: "ID token verification failed",
   WHITELIST_NOT_PRESENT: "Not present in whitelist",
   SESSION_MANAGER_UNSUPPORTED: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
   MISSING_CONFIG: (keys) => `Missing required config keys: ${keys}`
@@ -368,6 +400,8 @@ const en = {
   "auditlog.action.nonce_mismatch": "The nonce in the ID token did not match the one generated at login. This may indicate a token replay attack.",
   "auditlog.action.token_exchange_failed": "The authorisation code could not be exchanged for tokens. The OIDC provider rejected the request.",
   "auditlog.action.whitelist_rejected": "The user's email address is not on the whitelist. Access was denied.",
+  "auditlog.action.email_not_verified": "The OIDC provider did not confirm the user's email address as verified. Access was denied.",
+  "auditlog.action.id_token_invalid": "The ID token failed signature, issuer, audience, or expiry validation. Access was denied.",
   "auth.page.authenticating.title": "Authenticating...",
   "auth.page.authenticating.noscript.heading": "JavaScript Required",
   "auth.page.authenticating.noscript.body": "JavaScript must be enabled for authentication to complete.",
@@ -477,24 +511,42 @@ const OIDC_ERROR_DISPATCH = {
     code: errorCodes.TOKEN_EXCHANGE_FAILED,
     key: "sign_in_unknown"
   },
+  email_not_verified: {
+    action: "email_not_verified",
+    code: errorCodes.EMAIL_NOT_VERIFIED,
+    key: "email_not_verified"
+  },
+  id_token_invalid: {
+    action: "id_token_invalid",
+    code: errorCodes.ID_TOKEN_INVALID,
+    key: "id_token_invalid"
+  },
   unknown: {
     action: "login_failure",
     code: errorCodes.TOKEN_EXCHANGE_FAILED,
     key: "sign_in_unknown"
   }
 };
+const TRUSTED_HEADER_WHITELIST = /* @__PURE__ */ new Set(["cf-connecting-ip"]);
+function getTrustedHeaderName() {
+  const config2 = strapi.config.get("plugin::strapi-plugin-oidc") ?? {};
+  const raw = config2.OIDC_TRUSTED_IP_HEADER;
+  if (typeof raw !== "string" || !raw) return void 0;
+  const normalized = raw.trim().toLowerCase();
+  return TRUSTED_HEADER_WHITELIST.has(normalized) ? normalized : void 0;
+}
 function getClientIp(ctx) {
-  const cfConnectingIp = ctx.get("CF-Connecting-IP");
-  if (cfConnectingIp) {
-    return cfConnectingIp.split(",")[0].trim();
-  }
-  const forwardedFor = ctx.get("X-Forwarded-For");
-  if (forwardedFor) {
-    return forwardedFor.split(",")[0].trim();
-  }
-  const realIp = ctx.get("X-Real-IP");
-  if (realIp) {
-    return realIp.trim();
+  const proxyTrusted = ctx.app?.proxy === true;
+  if (proxyTrusted) {
+    const trustedHeader = getTrustedHeaderName();
+    if (trustedHeader) {
+      const value = ctx.get(trustedHeader);
+      if (value) return value.split(",")[0].trim();
+    }
+    const forwarded = ctx.request.ips;
+    if (forwarded && forwarded.length > 0) {
+      return forwarded[0];
+    }
   }
   return ctx.ip;
 }
@@ -511,6 +563,43 @@ const REQUIRED_CONFIG_KEYS = [
   "OIDC_AUTHORIZATION_ENDPOINT"
 ];
 const LOGOUT_USERINFO_TIMEOUT_MS = 3e3;
+const jwksCache = /* @__PURE__ */ new Map();
+let jwksDisabledWarned = false;
+function getJwks(uri) {
+  let jwks = jwksCache.get(uri);
+  if (!jwks) {
+    jwks = jose.createRemoteJWKSet(new URL(uri));
+    jwksCache.set(uri, jwks);
+  }
+  return jwks;
+}
+async function verifyIdToken(idToken, config2) {
+  const jwksUri = config2.OIDC_JWKS_URI;
+  const issuer = config2.OIDC_ISSUER;
+  if (!jwksUri) {
+    if (!jwksDisabledWarned) {
+      jwksDisabledWarned = true;
+      strapi.log.warn(
+        "[OIDC] OIDC_JWKS_URI is not configured — ID token signature verification is disabled. Set OIDC_JWKS_URI and OIDC_ISSUER from your provider's discovery document."
+      );
+    }
+    return null;
+  }
+  try {
+    const jwks = getJwks(jwksUri);
+    const { payload } = await jose.jwtVerify(idToken, jwks, {
+      issuer: issuer || void 0,
+      audience: config2.OIDC_CLIENT_ID
+    });
+    return payload;
+  } catch (e) {
+    if (e instanceof jose.errors.JWTClaimValidationFailed || e instanceof jose.errors.JWSSignatureVerificationFailed || e instanceof jose.errors.JWTExpired || e instanceof jose.errors.JWTInvalid || e instanceof jose.errors.JWSInvalid) {
+      const msg = e instanceof Error ? e.message : String(e);
+      throw new OidcError("id_token_invalid", msg, e);
+    }
+    throw e;
+  }
+}
 function configValidation() {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
   const missing = REQUIRED_CONFIG_KEYS.filter((key) => !config2[key]);
@@ -524,11 +613,10 @@ async function oidcSignIn(ctx) {
   const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge__default.default();
   const state = node_crypto.randomBytes(32).toString("base64url");
   const nonce = node_crypto.randomBytes(32).toString("base64url");
-  const isProduction = strapi.config.get("environment") === "production";
   const cookieOptions = {
     httpOnly: true,
     maxAge: 6e5,
-    secure: isProduction && ctx.request.secure,
+    secure: shouldMarkSecure(strapi, ctx),
     sameSite: "lax"
   };
   ctx.cookies.set("oidc_code_verifier", codeVerifier, cookieOptions);
@@ -561,14 +649,16 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
   }
   const tokenData = await response.json();
   if (tokenData.id_token) {
+    const verifiedPayload = await verifyIdToken(tokenData.id_token, config2);
     try {
-      const payloadB64 = tokenData.id_token.split(".")[1];
-      const idTokenPayload = JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf8"));
+      const idTokenPayload = verifiedPayload ?? JSON.parse(
+        Buffer.from(tokenData.id_token.split(".")[1], "base64url").toString("utf8")
+      );
       if (idTokenPayload.nonce !== expectedNonce) {
         throw new OidcError("nonce_mismatch", errorMessages.NONCE_MISMATCH);
       }
     } catch (e) {
-      if (e instanceof OidcError && e.kind === "nonce_mismatch") throw e;
+      if (e instanceof OidcError) throw e;
       throw new OidcError("id_token_parse_failed", errorMessages.ID_TOKEN_PARSE_FAILED, e);
     }
   }
@@ -714,6 +804,13 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
   if (!email || !isValidEmail(email)) {
     throw new OidcError("invalid_email", errorMessages.INVALID_EMAIL);
   }
+  if (config2.OIDC_REQUIRE_EMAIL_VERIFIED !== false) {
+    const emailVerified = userResponseData.email_verified;
+    const isVerified = emailVerified === true || emailVerified === "true";
+    if (!isVerified) {
+      throw new OidcError("email_not_verified", errorMessages.EMAIL_NOT_VERIFIED);
+    }
+  }
   await whitelistService2.checkWhitelistForEmail(email);
   const resolved = await resolveRoles(userResponseData, config2, roleService2);
   const { user, userCreated, rolesUpdated } = await ensureUser(
@@ -740,7 +837,7 @@ function classifyOidcError(e, userInfo) {
   const dispatch = OIDC_ERROR_DISPATCH[kind];
   const msg = e instanceof Error ? e.message : String(e);
   let params;
-  if (kind === "id_token_parse_failed" || kind === "unknown") {
+  if (kind === "id_token_parse_failed" || kind === "id_token_invalid" || kind === "unknown") {
     params = { error: msg };
   } else if (kind === "user_creation_failed" && userInfo?.email) {
     params = { email: userInfo.email, error: msg };
@@ -835,8 +932,7 @@ async function oidcSignInCallback(ctx) {
   try {
     const exchangeResult = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce ?? "");
     userInfo = exchangeResult.userInfo;
-    const isProduction = strapi.config.get("environment") === "production";
-    const secureFlag = isProduction && ctx.request.secure;
+    const secureFlag = shouldMarkSecure(strapi, ctx);
     ctx.cookies.set("oidc_access_token", exchangeResult.accessToken, {
       httpOnly: true,
       maxAge: 3e5,
@@ -1006,16 +1102,34 @@ async function register(ctx) {
     return;
   }
   const rawEmails = Array.isArray(email) ? email : email.split(",");
-  const emailList = rawEmails.map((e) => String(e).trim().toLowerCase()).filter(Boolean);
+  const normalized = rawEmails.map((e) => String(e).trim().toLowerCase()).filter(Boolean);
+  const rejectedEmails = [];
+  const validEmails = [];
+  for (const e of normalized) {
+    if (isValidEmail(e)) {
+      validEmails.push(e);
+    } else {
+      rejectedEmails.push(e);
+    }
+  }
+  if (validEmails.length === 0) {
+    ctx.status = 400;
+    ctx.body = { error: "No valid email addresses supplied", rejectedEmails };
+    return;
+  }
   const whitelistService2 = getWhitelistService();
-  const matchedExistingUsersCount = await whitelistService2.countAdminUsersByEmails(emailList);
-  for (const singleEmail of emailList) {
+  let acceptedCount = 0;
+  let alreadyWhitelistedCount = 0;
+  for (const singleEmail of validEmails) {
     const alreadyWhitelisted = await whitelistService2.hasUser(singleEmail);
-    if (!alreadyWhitelisted) {
+    if (alreadyWhitelisted) {
+      alreadyWhitelistedCount++;
+    } else {
       await whitelistService2.registerUser(singleEmail);
+      acceptedCount++;
     }
   }
-  ctx.body = { matchedExistingUsersCount };
+  ctx.body = { acceptedCount, alreadyWhitelistedCount, rejectedEmails };
 }
 async function removeEmail(ctx) {
   const { email } = ctx.params;
@@ -1071,7 +1185,7 @@ async function syncUsers(ctx) {
       await whitelistService2.registerUser(email);
     }
   }
-  ctx.body = { matchedExistingUsersCount: 0 };
+  ctx.body = {};
 }
 const whitelist = {
   info,
@@ -1092,6 +1206,8 @@ const AUDIT_ACTIONS = [
   "nonce_mismatch",
   "token_exchange_failed",
   "whitelist_rejected",
+  "email_not_verified",
+  "id_token_invalid",
   "logout",
   "session_expired",
   "user_created"
@@ -1291,6 +1407,22 @@ const controllers = {
 const rateLimitMap = /* @__PURE__ */ new Map();
 const RATE_LIMIT_WINDOW = 6e4;
 const MAX_REQUESTS = 1e3;
+const MAX_MAP_SIZE = 1e4;
+const PRUNE_THRESHOLD = 1e3;
+function pruneExpiredEntries(now) {
+  const windowStart = now - RATE_LIMIT_WINDOW;
+  for (const [key, stamps] of rateLimitMap) {
+    if (stamps.length === 0 || stamps[stamps.length - 1] <= windowStart) {
+      rateLimitMap.delete(key);
+    }
+  }
+}
+function evictOldestEntry() {
+  const oldest = rateLimitMap.keys().next().value;
+  if (oldest !== void 0) {
+    rateLimitMap.delete(oldest);
+  }
+}
 function getRateLimitKey(ctx) {
   const ip = getClientIp(ctx);
   const ua = ctx.request.header["user-agent"] ?? "";
@@ -1301,6 +1433,9 @@ function rateLimitMiddleware(ctx, next) {
   const key = getRateLimitKey(ctx);
   const now = Date.now();
   const windowStart = now - RATE_LIMIT_WINDOW;
+  if (rateLimitMap.size > PRUNE_THRESHOLD) {
+    pruneExpiredEntries(now);
+  }
   const requestStamps = (rateLimitMap.get(key) ?? []).filter((ts) => ts > windowStart);
   if (requestStamps.length >= MAX_REQUESTS) {
     ctx.status = 429;
@@ -1308,6 +1443,9 @@ function rateLimitMiddleware(ctx, next) {
     return;
   }
   requestStamps.push(now);
+  if (!rateLimitMap.has(key) && rateLimitMap.size >= MAX_MAP_SIZE) {
+    evictOldestEntry();
+  }
   rateLimitMap.set(key, requestStamps);
   return next();
 }
@@ -1351,7 +1489,7 @@ const routes = {
         config: { auth: false, middlewares: [rateLimitMiddleware] }
       },
       {
-        method: "GET",
+        method: "POST",
         path: "/logout",
         handler: "oidc.logout",
         config: { auth: false }
@@ -1433,53 +1571,63 @@ const routes = {
   // API-token-authenticated routes for programmatic whitelist management.
   // Accessible at /strapi-plugin-oidc/... using a Strapi API token
   // (full-access or custom) in the Authorization: Bearer <token> header.
+  // Custom tokens must be granted one or more of the semantic scopes below.
   "content-api": {
     type: "content-api",
     routes: [
       {
         method: "GET",
         path: "/whitelist",
-        handler: "whitelist.info"
+        handler: "whitelist.info",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.read"] } }
       },
       {
         method: "POST",
         path: "/whitelist",
-        handler: "whitelist.register"
+        handler: "whitelist.register",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.write"] } }
       },
       {
         method: "POST",
         path: "/whitelist/import",
-        handler: "whitelist.importUsers"
+        handler: "whitelist.importUsers",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.write"] } }
       },
       {
         method: "DELETE",
         path: "/whitelist/:email",
-        handler: "whitelist.removeEmail"
+        handler: "whitelist.removeEmail",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.delete"] } }
       },
       {
         method: "DELETE",
         path: "/whitelist",
-        handler: "whitelist.deleteAll"
+        handler: "whitelist.deleteAll",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.delete"] } }
       },
       {
         method: "GET",
         path: "/whitelist/export",
-        handler: "whitelist.exportWhitelist"
+        handler: "whitelist.exportWhitelist",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.read"] } }
       },
       {
         method: "GET",
         path: "/audit-logs",
-        handler: "auditLog.find"
+        handler: "auditLog.find",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.audit.read"] } }
       },
       {
         method: "GET",
         path: "/audit-logs/export",
-        handler: "auditLog.export"
+        handler: "auditLog.export",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.audit.read"] } }
       },
       {
         method: "DELETE",
         path: "/audit-logs",
-        handler: "auditLog.clearAll"
+        handler: "auditLog.clearAll",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.audit.delete"] } }
       }
     ]
   }
@@ -1731,13 +1879,12 @@ function oauthService({ strapi: strapi2 }) {
           type: rememberMe ? "refresh" : "session"
         }
       );
-      const isProduction = strapi2.config.get("environment") === "production";
       const domain = strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain");
       const path = strapi2.config.get("admin.auth.cookie.path", "/admin");
       const sameSite = strapi2.config.get("admin.auth.cookie.sameSite", "lax");
       const cookieOptions = {
         httpOnly: true,
-        secure: isProduction && ctx.request.secure,
+        secure: shouldMarkSecure(strapi2, ctx),
         overwrite: true,
         domain,
         path,
@@ -1856,14 +2003,6 @@ function whitelistService({ strapi: strapi2 }) {
     },
     async deleteAllUsers() {
       await getWhitelistQuery().deleteMany({});
-    },
-    async countAdminUsersByEmails(emails) {
-      if (emails.length === 0) return 0;
-      const rows = await strapi2.query("admin::user").findMany({
-        where: { email: { $in: emails } },
-        select: ["id"]
-      });
-      return rows.length;
     }
   };
 }