strapi-plugin-oidc 1.7.5 → 1.8.0

package/dist/server/index.mjs

@@ -1,5 +1,6 @@
 import { randomUUID, randomBytes, createHash } from "node:crypto";
 import pkceChallenge from "pkce-challenge";
+import { jwtVerify, errors, createRemoteJWKSet } from "jose";
 import { Readable } from "node:stream";
 import strapiUtils from "@strapi/utils";
 import generator from "generate-password";
@@ -93,6 +94,16 @@ async function bootstrap({ strapi: strapi2 }) {
     { section: "plugins", displayName: "Update", uid: "update", pluginName: "strapi-plugin-oidc" }
   ];
   await strapi2.admin.services.permission.actionProvider.registerMany(actions);
+  const contentApiScopeUids = [
+    "plugin::strapi-plugin-oidc.whitelist.read",
+    "plugin::strapi-plugin-oidc.whitelist.write",
+    "plugin::strapi-plugin-oidc.whitelist.delete",
+    "plugin::strapi-plugin-oidc.audit.read",
+    "plugin::strapi-plugin-oidc.audit.delete"
+  ];
+  for (const uid of contentApiScopeUids) {
+    strapi2.contentAPI.permissions.providers.action.register(uid, { uid });
+  }
   const enforceOIDCConfig = getEnforceOIDCConfig(strapi2);
   if (enforceOIDCConfig !== null) {
     try {
@@ -156,7 +167,12 @@ const config = {
     // null = use DB setting; true/false = override DB (useful for lockout recovery)
     AUDIT_LOG_RETENTION_DAYS: 90,
     OIDC_GROUP_FIELD: "groups",
-    OIDC_GROUP_ROLE_MAP: "{}"
+    OIDC_GROUP_ROLE_MAP: "{}",
+    OIDC_REQUIRE_EMAIL_VERIFIED: true,
+    OIDC_TRUSTED_IP_HEADER: "",
+    OIDC_JWKS_URI: "",
+    OIDC_ISSUER: "",
+    OIDC_FORCE_SECURE_COOKIES: false
   },
   validator() {
   }
@@ -205,11 +221,21 @@ const contentTypes = {
   whitelists,
   "audit-log": auditLog$1
 };
-function getExpiredCookieOptions(strapi2, ctx) {
+function shouldMarkSecure(strapi2, ctx) {
   const isProduction = strapi2.config.get("environment") === "production";
+  if (!isProduction) return false;
+  const config2 = strapi2.config.get("plugin::strapi-plugin-oidc") ?? {};
+  if (config2.OIDC_FORCE_SECURE_COOKIES === true) return true;
+  if (ctx.request.secure) return true;
+  const proxyTrusted = ctx.app?.proxy === true;
+  if (proxyTrusted && typeof ctx.get === "function" && ctx.get("x-forwarded-proto") === "https")
+    return true;
+  return false;
+}
+function getExpiredCookieOptions(strapi2, ctx) {
   return {
     httpOnly: true,
-    secure: isProduction && ctx.request.secure,
+    secure: shouldMarkSecure(strapi2, ctx),
     path: strapi2.config.get("admin.auth.cookie.path", "/admin"),
     domain: strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain"),
     sameSite: strapi2.config.get("admin.auth.cookie.sameSite", "lax"),
@@ -236,7 +262,9 @@ const errorCodes = {
   NONCE_MISMATCH: "NONCE_MISMATCH",
   ROLE_UPDATE_FAILED: "ROLE_UPDATE_FAILED",
   USER_CREATION_FAILED: "USER_CREATION_FAILED",
-  WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED"
+  WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED",
+  EMAIL_NOT_VERIFIED: "EMAIL_NOT_VERIFIED",
+  ID_TOKEN_INVALID: "ID_TOKEN_INVALID"
 };
 const ERROR_DETAIL_TEMPLATES = {
   token_exchange_failed: "Token exchange failed with HTTP status {status}",
@@ -246,6 +274,8 @@ const ERROR_DETAIL_TEMPLATES = {
   id_token_parse_failed: "ID token parse failed: {error}",
   sign_in_unknown: "Unknown sign-in error: {error}",
   invalid_email: "Invalid email address received from OIDC provider",
+  email_not_verified: "Email address has not been verified by the OIDC provider",
+  id_token_invalid: "ID token verification failed: {error}",
   whitelist_not_present: "Email not present in whitelist",
   session_manager_unsupported: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
   missing_config: "Missing required config keys: {keys}"
@@ -265,6 +295,8 @@ const errorMessages = {
   ID_TOKEN_PARSE_FAILED: "Failed to parse ID token",
   NONCE_MISMATCH: "Nonce mismatch",
   INVALID_EMAIL: "Invalid email address received from OIDC provider",
+  EMAIL_NOT_VERIFIED: "Email address has not been verified by the OIDC provider",
+  ID_TOKEN_INVALID: "ID token verification failed",
   WHITELIST_NOT_PRESENT: "Not present in whitelist",
   SESSION_MANAGER_UNSUPPORTED: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
   MISSING_CONFIG: (keys) => `Missing required config keys: ${keys}`
@@ -362,6 +394,8 @@ const en = {
   "auditlog.action.nonce_mismatch": "The nonce in the ID token did not match the one generated at login. This may indicate a token replay attack.",
   "auditlog.action.token_exchange_failed": "The authorisation code could not be exchanged for tokens. The OIDC provider rejected the request.",
   "auditlog.action.whitelist_rejected": "The user's email address is not on the whitelist. Access was denied.",
+  "auditlog.action.email_not_verified": "The OIDC provider did not confirm the user's email address as verified. Access was denied.",
+  "auditlog.action.id_token_invalid": "The ID token failed signature, issuer, audience, or expiry validation. Access was denied.",
   "auth.page.authenticating.title": "Authenticating...",
   "auth.page.authenticating.noscript.heading": "JavaScript Required",
   "auth.page.authenticating.noscript.body": "JavaScript must be enabled for authentication to complete.",
@@ -471,24 +505,42 @@ const OIDC_ERROR_DISPATCH = {
     code: errorCodes.TOKEN_EXCHANGE_FAILED,
     key: "sign_in_unknown"
   },
+  email_not_verified: {
+    action: "email_not_verified",
+    code: errorCodes.EMAIL_NOT_VERIFIED,
+    key: "email_not_verified"
+  },
+  id_token_invalid: {
+    action: "id_token_invalid",
+    code: errorCodes.ID_TOKEN_INVALID,
+    key: "id_token_invalid"
+  },
   unknown: {
     action: "login_failure",
     code: errorCodes.TOKEN_EXCHANGE_FAILED,
     key: "sign_in_unknown"
   }
 };
+const TRUSTED_HEADER_WHITELIST = /* @__PURE__ */ new Set(["cf-connecting-ip"]);
+function getTrustedHeaderName() {
+  const config2 = strapi.config.get("plugin::strapi-plugin-oidc") ?? {};
+  const raw = config2.OIDC_TRUSTED_IP_HEADER;
+  if (typeof raw !== "string" || !raw) return void 0;
+  const normalized = raw.trim().toLowerCase();
+  return TRUSTED_HEADER_WHITELIST.has(normalized) ? normalized : void 0;
+}
 function getClientIp(ctx) {
-  const cfConnectingIp = ctx.get("CF-Connecting-IP");
-  if (cfConnectingIp) {
-    return cfConnectingIp.split(",")[0].trim();
-  }
-  const forwardedFor = ctx.get("X-Forwarded-For");
-  if (forwardedFor) {
-    return forwardedFor.split(",")[0].trim();
-  }
-  const realIp = ctx.get("X-Real-IP");
-  if (realIp) {
-    return realIp.trim();
+  const proxyTrusted = ctx.app?.proxy === true;
+  if (proxyTrusted) {
+    const trustedHeader = getTrustedHeaderName();
+    if (trustedHeader) {
+      const value = ctx.get(trustedHeader);
+      if (value) return value.split(",")[0].trim();
+    }
+    const forwarded = ctx.request.ips;
+    if (forwarded && forwarded.length > 0) {
+      return forwarded[0];
+    }
   }
   return ctx.ip;
 }
@@ -505,6 +557,43 @@ const REQUIRED_CONFIG_KEYS = [
   "OIDC_AUTHORIZATION_ENDPOINT"
 ];
 const LOGOUT_USERINFO_TIMEOUT_MS = 3e3;
+const jwksCache = /* @__PURE__ */ new Map();
+let jwksDisabledWarned = false;
+function getJwks(uri) {
+  let jwks = jwksCache.get(uri);
+  if (!jwks) {
+    jwks = createRemoteJWKSet(new URL(uri));
+    jwksCache.set(uri, jwks);
+  }
+  return jwks;
+}
+async function verifyIdToken(idToken, config2) {
+  const jwksUri = config2.OIDC_JWKS_URI;
+  const issuer = config2.OIDC_ISSUER;
+  if (!jwksUri) {
+    if (!jwksDisabledWarned) {
+      jwksDisabledWarned = true;
+      strapi.log.warn(
+        "[OIDC] OIDC_JWKS_URI is not configured — ID token signature verification is disabled. Set OIDC_JWKS_URI and OIDC_ISSUER from your provider's discovery document."
+      );
+    }
+    return null;
+  }
+  try {
+    const jwks = getJwks(jwksUri);
+    const { payload } = await jwtVerify(idToken, jwks, {
+      issuer: issuer || void 0,
+      audience: config2.OIDC_CLIENT_ID
+    });
+    return payload;
+  } catch (e) {
+    if (e instanceof errors.JWTClaimValidationFailed || e instanceof errors.JWSSignatureVerificationFailed || e instanceof errors.JWTExpired || e instanceof errors.JWTInvalid || e instanceof errors.JWSInvalid) {
+      const msg = e instanceof Error ? e.message : String(e);
+      throw new OidcError("id_token_invalid", msg, e);
+    }
+    throw e;
+  }
+}
 function configValidation() {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
   const missing = REQUIRED_CONFIG_KEYS.filter((key) => !config2[key]);
@@ -518,11 +607,10 @@ async function oidcSignIn(ctx) {
   const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge();
   const state = randomBytes(32).toString("base64url");
   const nonce = randomBytes(32).toString("base64url");
-  const isProduction = strapi.config.get("environment") === "production";
   const cookieOptions = {
     httpOnly: true,
     maxAge: 6e5,
-    secure: isProduction && ctx.request.secure,
+    secure: shouldMarkSecure(strapi, ctx),
     sameSite: "lax"
   };
   ctx.cookies.set("oidc_code_verifier", codeVerifier, cookieOptions);
@@ -555,14 +643,16 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
   }
   const tokenData = await response.json();
   if (tokenData.id_token) {
+    const verifiedPayload = await verifyIdToken(tokenData.id_token, config2);
     try {
-      const payloadB64 = tokenData.id_token.split(".")[1];
-      const idTokenPayload = JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf8"));
+      const idTokenPayload = verifiedPayload ?? JSON.parse(
+        Buffer.from(tokenData.id_token.split(".")[1], "base64url").toString("utf8")
+      );
       if (idTokenPayload.nonce !== expectedNonce) {
         throw new OidcError("nonce_mismatch", errorMessages.NONCE_MISMATCH);
       }
     } catch (e) {
-      if (e instanceof OidcError && e.kind === "nonce_mismatch") throw e;
+      if (e instanceof OidcError) throw e;
       throw new OidcError("id_token_parse_failed", errorMessages.ID_TOKEN_PARSE_FAILED, e);
     }
   }
@@ -708,6 +798,13 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
   if (!email || !isValidEmail(email)) {
     throw new OidcError("invalid_email", errorMessages.INVALID_EMAIL);
   }
+  if (config2.OIDC_REQUIRE_EMAIL_VERIFIED !== false) {
+    const emailVerified = userResponseData.email_verified;
+    const isVerified = emailVerified === true || emailVerified === "true";
+    if (!isVerified) {
+      throw new OidcError("email_not_verified", errorMessages.EMAIL_NOT_VERIFIED);
+    }
+  }
   await whitelistService2.checkWhitelistForEmail(email);
   const resolved = await resolveRoles(userResponseData, config2, roleService2);
   const { user, userCreated, rolesUpdated } = await ensureUser(
@@ -734,7 +831,7 @@ function classifyOidcError(e, userInfo) {
   const dispatch = OIDC_ERROR_DISPATCH[kind];
   const msg = e instanceof Error ? e.message : String(e);
   let params;
-  if (kind === "id_token_parse_failed" || kind === "unknown") {
+  if (kind === "id_token_parse_failed" || kind === "id_token_invalid" || kind === "unknown") {
     params = { error: msg };
   } else if (kind === "user_creation_failed" && userInfo?.email) {
     params = { email: userInfo.email, error: msg };
@@ -829,8 +926,7 @@ async function oidcSignInCallback(ctx) {
   try {
     const exchangeResult = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce ?? "");
     userInfo = exchangeResult.userInfo;
-    const isProduction = strapi.config.get("environment") === "production";
-    const secureFlag = isProduction && ctx.request.secure;
+    const secureFlag = shouldMarkSecure(strapi, ctx);
     ctx.cookies.set("oidc_access_token", exchangeResult.accessToken, {
       httpOnly: true,
       maxAge: 3e5,
@@ -1000,16 +1096,34 @@ async function register(ctx) {
     return;
   }
   const rawEmails = Array.isArray(email) ? email : email.split(",");
-  const emailList = rawEmails.map((e) => String(e).trim().toLowerCase()).filter(Boolean);
+  const normalized = rawEmails.map((e) => String(e).trim().toLowerCase()).filter(Boolean);
+  const rejectedEmails = [];
+  const validEmails = [];
+  for (const e of normalized) {
+    if (isValidEmail(e)) {
+      validEmails.push(e);
+    } else {
+      rejectedEmails.push(e);
+    }
+  }
+  if (validEmails.length === 0) {
+    ctx.status = 400;
+    ctx.body = { error: "No valid email addresses supplied", rejectedEmails };
+    return;
+  }
   const whitelistService2 = getWhitelistService();
-  const matchedExistingUsersCount = await whitelistService2.countAdminUsersByEmails(emailList);
-  for (const singleEmail of emailList) {
+  let acceptedCount = 0;
+  let alreadyWhitelistedCount = 0;
+  for (const singleEmail of validEmails) {
     const alreadyWhitelisted = await whitelistService2.hasUser(singleEmail);
-    if (!alreadyWhitelisted) {
+    if (alreadyWhitelisted) {
+      alreadyWhitelistedCount++;
+    } else {
       await whitelistService2.registerUser(singleEmail);
+      acceptedCount++;
     }
   }
-  ctx.body = { matchedExistingUsersCount };
+  ctx.body = { acceptedCount, alreadyWhitelistedCount, rejectedEmails };
 }
 async function removeEmail(ctx) {
   const { email } = ctx.params;
@@ -1065,7 +1179,7 @@ async function syncUsers(ctx) {
       await whitelistService2.registerUser(email);
     }
   }
-  ctx.body = { matchedExistingUsersCount: 0 };
+  ctx.body = {};
 }
 const whitelist = {
   info,
@@ -1086,6 +1200,8 @@ const AUDIT_ACTIONS = [
   "nonce_mismatch",
   "token_exchange_failed",
   "whitelist_rejected",
+  "email_not_verified",
+  "id_token_invalid",
   "logout",
   "session_expired",
   "user_created"
@@ -1285,6 +1401,22 @@ const controllers = {
 const rateLimitMap = /* @__PURE__ */ new Map();
 const RATE_LIMIT_WINDOW = 6e4;
 const MAX_REQUESTS = 1e3;
+const MAX_MAP_SIZE = 1e4;
+const PRUNE_THRESHOLD = 1e3;
+function pruneExpiredEntries(now) {
+  const windowStart = now - RATE_LIMIT_WINDOW;
+  for (const [key, stamps] of rateLimitMap) {
+    if (stamps.length === 0 || stamps[stamps.length - 1] <= windowStart) {
+      rateLimitMap.delete(key);
+    }
+  }
+}
+function evictOldestEntry() {
+  const oldest = rateLimitMap.keys().next().value;
+  if (oldest !== void 0) {
+    rateLimitMap.delete(oldest);
+  }
+}
 function getRateLimitKey(ctx) {
   const ip = getClientIp(ctx);
   const ua = ctx.request.header["user-agent"] ?? "";
@@ -1295,6 +1427,9 @@ function rateLimitMiddleware(ctx, next) {
   const key = getRateLimitKey(ctx);
   const now = Date.now();
   const windowStart = now - RATE_LIMIT_WINDOW;
+  if (rateLimitMap.size > PRUNE_THRESHOLD) {
+    pruneExpiredEntries(now);
+  }
   const requestStamps = (rateLimitMap.get(key) ?? []).filter((ts) => ts > windowStart);
   if (requestStamps.length >= MAX_REQUESTS) {
     ctx.status = 429;
@@ -1302,6 +1437,9 @@ function rateLimitMiddleware(ctx, next) {
     return;
   }
   requestStamps.push(now);
+  if (!rateLimitMap.has(key) && rateLimitMap.size >= MAX_MAP_SIZE) {
+    evictOldestEntry();
+  }
   rateLimitMap.set(key, requestStamps);
   return next();
 }
@@ -1345,7 +1483,7 @@ const routes = {
         config: { auth: false, middlewares: [rateLimitMiddleware] }
       },
       {
-        method: "GET",
+        method: "POST",
         path: "/logout",
         handler: "oidc.logout",
         config: { auth: false }
@@ -1427,53 +1565,63 @@ const routes = {
   // API-token-authenticated routes for programmatic whitelist management.
   // Accessible at /strapi-plugin-oidc/... using a Strapi API token
   // (full-access or custom) in the Authorization: Bearer <token> header.
+  // Custom tokens must be granted one or more of the semantic scopes below.
   "content-api": {
     type: "content-api",
     routes: [
       {
         method: "GET",
         path: "/whitelist",
-        handler: "whitelist.info"
+        handler: "whitelist.info",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.read"] } }
       },
       {
         method: "POST",
         path: "/whitelist",
-        handler: "whitelist.register"
+        handler: "whitelist.register",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.write"] } }
       },
       {
         method: "POST",
         path: "/whitelist/import",
-        handler: "whitelist.importUsers"
+        handler: "whitelist.importUsers",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.write"] } }
       },
       {
         method: "DELETE",
         path: "/whitelist/:email",
-        handler: "whitelist.removeEmail"
+        handler: "whitelist.removeEmail",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.delete"] } }
       },
       {
         method: "DELETE",
         path: "/whitelist",
-        handler: "whitelist.deleteAll"
+        handler: "whitelist.deleteAll",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.delete"] } }
       },
       {
         method: "GET",
         path: "/whitelist/export",
-        handler: "whitelist.exportWhitelist"
+        handler: "whitelist.exportWhitelist",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.read"] } }
       },
       {
         method: "GET",
         path: "/audit-logs",
-        handler: "auditLog.find"
+        handler: "auditLog.find",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.audit.read"] } }
       },
       {
         method: "GET",
         path: "/audit-logs/export",
-        handler: "auditLog.export"
+        handler: "auditLog.export",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.audit.read"] } }
       },
       {
         method: "DELETE",
         path: "/audit-logs",
-        handler: "auditLog.clearAll"
+        handler: "auditLog.clearAll",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.audit.delete"] } }
       }
     ]
   }
@@ -1725,13 +1873,12 @@ function oauthService({ strapi: strapi2 }) {
           type: rememberMe ? "refresh" : "session"
         }
       );
-      const isProduction = strapi2.config.get("environment") === "production";
       const domain = strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain");
       const path = strapi2.config.get("admin.auth.cookie.path", "/admin");
       const sameSite = strapi2.config.get("admin.auth.cookie.sameSite", "lax");
       const cookieOptions = {
         httpOnly: true,
-        secure: isProduction && ctx.request.secure,
+        secure: shouldMarkSecure(strapi2, ctx),
         overwrite: true,
         domain,
         path,
@@ -1850,14 +1997,6 @@ function whitelistService({ strapi: strapi2 }) {
     },
     async deleteAllUsers() {
       await getWhitelistQuery().deleteMany({});
-    },
-    async countAdminUsersByEmails(emails) {
-      if (emails.length === 0) return 0;
-      const rows = await strapi2.query("admin::user").findMany({
-        where: { email: { $in: emails } },
-        select: ["id"]
-      });
-      return rows.length;
     }
   };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.7.5",
+  "version": "1.8.0",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",
@@ -50,6 +50,7 @@
     "@strapi/icons": "^2.2.0",
     "@strapi/utils": "^5.41.1",
     "generate-password": "^1.7.1",
+    "jose": "^6.2.2",
     "lucide-react": "^1.8.0",
     "pkce-challenge": "^6.0.0",
     "react-intl": "^6.8.9"