strapi-plugin-oidc 1.7.6 → 1.8.1

package/README.md

@@ -31,32 +31,45 @@ module.exports = ({ env }) => ({
   'strapi-plugin-oidc': {
     enabled: true,
     config: {
-      // Required — find these in your provider's OIDC discovery document
+      // Required
+      OIDC_DISCOVERY_URL: env('OIDC_DISCOVERY_URL'), // https://your-provider/.well-known/openid-configuration
       OIDC_CLIENT_ID: env('OIDC_CLIENT_ID'),
       OIDC_CLIENT_SECRET: env('OIDC_CLIENT_SECRET'),
       OIDC_REDIRECT_URI: env('OIDC_REDIRECT_URI'), // https://your-strapi.com/strapi-plugin-oidc/oidc/callback
-      OIDC_AUTHORIZATION_ENDPOINT: env('OIDC_AUTHORIZATION_ENDPOINT'),
-      OIDC_TOKEN_ENDPOINT: env('OIDC_TOKEN_ENDPOINT'),
-      OIDC_USERINFO_ENDPOINT: env('OIDC_USERINFO_ENDPOINT'),
 
       // Optional — defaults shown
-      OIDC_SCOPE: 'openid profile email',
-      OIDC_GRANT_TYPE: 'authorization_code',
+      OIDC_SCOPE: 'openid profile email', // space-separated scopes
       OIDC_FAMILY_NAME_FIELD: 'family_name',
       OIDC_GIVEN_NAME_FIELD: 'given_name',
-      OIDC_END_SESSION_ENDPOINT: '', // Provider end-session URL for RP-initiated logout
       OIDC_SSO_BUTTON_TEXT: 'Login via SSO',
       OIDC_ENFORCE: null, // null = use Admin UI toggle; true/false = override in config
       REMEMBER_ME: false, // Persist session across browser restarts
       AUDIT_LOG_RETENTION_DAYS: 90, // Set to 0 to disable audit logging; otherwise entries older than this many days are purged daily at midnight
       OIDC_GROUP_FIELD: 'groups', // OIDC claim field containing group membership
       OIDC_GROUP_ROLE_MAP: '{}', // JSON map of group names to Strapi role names
+      OIDC_REQUIRE_EMAIL_VERIFIED: true, // Reject logins when provider does not report email_verified=true (set false to disable)
+      OIDC_TRUSTED_IP_HEADER: '', // Optional: 'cf-connecting-ip' for Cloudflare; read only when Strapi trusts the proxy
+      OIDC_FORCE_SECURE_COOKIES: false, // Set true when behind a trusted HTTPS proxy that Strapi can't auto-detect
     },
   },
 });
 ```
 
-All required values come from your provider's OIDC discovery document, typically available at `https://your-provider/.well-known/openid-configuration`.
+`OIDC_DISCOVERY_URL` is the URL of your provider's OpenID Connect discovery document (`/.well-known/openid-configuration`). The plugin fetches it at startup and automatically configures all endpoints, JWKS URI, and issuer.
+
+### Security features
+
+- **ID token verification** — Enabled automatically when the discovery document includes a `jwks_uri`. Validates signature, issuer, audience, and expiry via [`jose`](https://github.com/panva/jose)
+- **Email verification** — `OIDC_REQUIRE_EMAIL_VERIFIED: true` (default) rejects unverified emails
+- **CSRF protection** — OIDC state/nonce and POST-only logout endpoint
+- **Rate limiting** — 1 000 req/min per IP+UA (in-process; use a reverse-proxy-level limiter for multi-node)
+- **Secure cookies** — `OIDC_FORCE_SECURE_COOKIES` ensures cookies are marked Secure
+
+### Client IP attribution and reverse proxies
+
+The plugin logs client IPs for rate-limit buckets and audit logs. When Strapi runs behind a reverse proxy, **set `server.proxy: true`** so Koa trusts `X-Forwarded-For`; otherwise all IPs will be the proxy's.
+
+Set `OIDC_TRUSTED_IP_HEADER: 'cf-connecting-ip'` when behind Cloudflare. The header is only honoured when `server.proxy: true` is set.
 
 ## Login
 
@@ -64,27 +77,27 @@ Navigate to `/strapi-plugin-oidc/oidc` to start the OIDC flow, or click the **Lo
 
 ## Logout
 
-When `OIDC_END_SESSION_ENDPOINT` is set, clicking logout in Strapi redirects the browser to the provider's end-session URL (RP-initiated logout). If the provider session has already expired, Strapi skips the redirect and goes straight to the login page.
+When the discovery document includes an `end_session_endpoint`, clicking logout redirects to the provider's end-session URL (RP-initiated logout). If the provider session has already expired, Strapi skips the redirect and goes straight to the login page.
+
+The logout endpoint is `POST /strapi-plugin-oidc/logout`. Using POST instead of GET prevents CSRF-forced-logout attacks.
 
 ## Admin Settings
 
 Manage the plugin under **Settings → OIDC Plugin**.
 
-**Default Roles** — Select which Strapi admin role(s) are assigned to new users on first login.
+**Default Roles** — Strapi admin role(s) assigned to new users on first login.
 
-**Whitelist** — Restrict access to specific email addresses. When enabled, only listed emails can log in. When empty, any successfully authenticated OIDC user gets an account. The whitelist supports:
+**Whitelist** — Restrict access to specific email addresses. When empty, any authenticated OIDC user gets an account. Supports:
 
-- Adding individual emails with optional role overrides
-- JSON import / export (see [format](#import-format) below)
+- Individual emails with optional role overrides
+- JSON import / export
 - Bulk delete with confirmation
-- Unsaved changes are held in the UI until **Save Changes** is clicked
 
-**Audit Logs** — Every authentication event is recorded in the plugin's audit log table and visible in the **Audit Logs** section at the bottom of the settings page. Entries can be filtered by action, email, IP address, and date, and a **Download** button exports the current (filtered) view as NDJSON (newline-delimited JSON), compatible with SIEM tools and log processors. Setting `AUDIT_LOG_RETENTION_DAYS` to `0` disables audit logging entirely. Otherwise records older than the configured value (default: 90 days) are automatically purged by a daily cron job. The audit log is also accessible [via API](#audit-log-api).
+**Audit Logs** — Authentication events recorded and visible in the settings page. Filter by action, email, IP, and date. **Download** exports the current view as NDJSON. Set `AUDIT_LOG_RETENTION_DAYS` to `0` to disable. Records older than the configured value (default: 90 days) are purged daily.
 
-**Enforce OIDC Login** — Removes the standard email/password fields from the login page and blocks direct login API calls server-side. Automatically disabled when the whitelist is empty to prevent lockout.
+**Enforce OIDC Login** — Removes email/password fields from the login page and blocks direct login API calls. Automatically disabled when the whitelist is empty to prevent lockout.
 
-- The toggle is grayed out and locked when `OIDC_ENFORCE` is set in config.
-- **Lockout recovery**: set `OIDC_ENFORCE: false` in your plugin config and restart Strapi. This writes through to the database so removing the variable afterwards keeps the setting.
+The toggle is grayed out when `OIDC_ENFORCE` is set in config. **Lockout recovery**: set `OIDC_ENFORCE: false` in your plugin config and restart Strapi.
 
 ## Group-to-Role Mapping
 
@@ -118,18 +131,26 @@ Role names are the **display names** shown in **Settings → Roles** (e.g. `"Edi
 
 ### Role assignment precedence
 
-1. **User's OIDC groups match `OIDC_GROUP_ROLE_MAP`** → use the mapped Strapi roles
-2. **No group match or no mapping configured** → use the default OIDC roles (new users only — see below)
+1. **OIDC groups match `OIDC_GROUP_ROLE_MAP`** → mapped Strapi roles
+2. **No match or no mapping** → default OIDC roles (new users only)
 
 ### Role updates on subsequent logins
 
-- **New users** — Roles are always assigned on first login: group-mapped roles if a match is found, otherwise the configured default OIDC roles.
-- **Existing users with a group mapping match** — Roles are updated to reflect the current mapping. If a user's groups change between logins, their Strapi roles are updated accordingly.
-- **Existing users with no group mapping match** — Roles are left unchanged, regardless of what the default OIDC roles are set to. Manually-assigned roles are never overwritten by a default fallback.
+- **New users** — Roles assigned on first login (group-mapped or default).
+- **Existing users with group match** — Roles updated to reflect current mapping.
+- **Existing users without group match** — Roles left unchanged. Manually-assigned roles are never overwritten.
 
 ## Whitelist API
 
-The whitelist can be managed programmatically using a Strapi **API token** (Settings → API Tokens → Full Access). All endpoints are under `/api/strapi-plugin-oidc` and require `Authorization: Bearer <token>`.
+The whitelist can be managed programmatically using a Strapi **API token**. All endpoints are under `/api/strapi-plugin-oidc` and require `Authorization: Bearer <token>`.
+
+**Full-access tokens** can call all routes. **Custom tokens** must be granted one of the following scopes (Settings → API Tokens → Custom → plugin permissions):
+
+| Scope                                         | Routes                                          |
+| --------------------------------------------- | ----------------------------------------------- |
+| `plugin::strapi-plugin-oidc.whitelist.read`   | `GET /whitelist`, `GET /whitelist/export`       |
+| `plugin::strapi-plugin-oidc.whitelist.write`  | `POST /whitelist`, `POST /whitelist/import`     |
+| `plugin::strapi-plugin-oidc.whitelist.delete` | `DELETE /whitelist`, `DELETE /whitelist/:email` |
 
 | Method   | Path                                       | Description            |
 | -------- | ------------------------------------------ | ---------------------- |
@@ -185,7 +206,14 @@ curl -X DELETE -H "Authorization: Bearer <token>" \
 
 ## Audit Log API
 
-Audit log entries can be fetched programmatically using a Strapi **API token** (Settings → API Tokens → Full Access). Endpoints are under `/api/strapi-plugin-oidc` and require `Authorization: Bearer <token>`.
+Audit log entries can be fetched programmatically using a Strapi **API token**. Endpoints are under `/api/strapi-plugin-oidc` and require `Authorization: Bearer <token>`.
+
+**Full-access tokens** can call all routes. **Custom tokens** must be granted one of the following scopes:
+
+| Scope                                     | Routes                                      |
+| ----------------------------------------- | ------------------------------------------- |
+| `plugin::strapi-plugin-oidc.audit.read`   | `GET /audit-logs`, `GET /audit-logs/export` |
+| `plugin::strapi-plugin-oidc.audit.delete` | `DELETE /audit-logs`                        |
 
 | Method   | Path                                        | Description                         |
 | -------- | ------------------------------------------- | ----------------------------------- |
@@ -246,18 +274,20 @@ curl -H "Authorization: Bearer <token>" -G \
 
 ### Recorded actions
 
-| Action                  | Trigger                                             |
-| ----------------------- | --------------------------------------------------- |
-| `login_success`         | Successful OIDC authentication                      |
-| `user_created`          | New Strapi admin user created during login          |
-| `login_failure`         | Unexpected error during the OIDC login flow         |
-| `missing_code`          | Callback received without an authorisation code     |
-| `state_mismatch`        | CSRF state cookie does not match callback parameter |
-| `nonce_mismatch`        | ID token nonce does not match the session nonce     |
-| `token_exchange_failed` | Provider returned an error during token exchange    |
-| `whitelist_rejected`    | Email not present in the active whitelist           |
-| `logout`                | User logged out via `/logout`                       |
-| `session_expired`       | Logout attempted but provider session already stale |
+| Action                  | Trigger                                                           |
+| ----------------------- | ----------------------------------------------------------------- |
+| `login_success`         | Successful OIDC authentication                                    |
+| `user_created`          | New Strapi admin user created during login                        |
+| `login_failure`         | Unexpected error during the OIDC login flow                       |
+| `missing_code`          | Callback received without an authorisation code                   |
+| `state_mismatch`        | CSRF state cookie does not match callback parameter               |
+| `nonce_mismatch`        | ID token nonce does not match the session nonce                   |
+| `token_exchange_failed` | Provider returned an error during token exchange                  |
+| `whitelist_rejected`    | Email not present in the active whitelist                         |
+| `email_not_verified`    | Provider did not report `email_verified=true`                     |
+| `id_token_invalid`      | ID token failed signature, issuer, audience, or expiry validation |
+| `logout`                | User logged out via `/logout`                                     |
+| `session_expired`       | Logout attempted but provider session already stale               |
 
 Each event is also emitted on Strapi's internal eventHub as `strapi-plugin-oidc::auth.<action>`, which Enterprise audit log listeners pick up automatically.
 
@@ -280,16 +310,16 @@ This plugin is a hard fork of [`strapi-plugin-sso`](https://github.com/yasudaclo
 
 ### Changes from the original:
 
-- Removed alternative SSO methods to focus solely on OIDC.
-- Redesigned the Whitelist and Role management UI using native Strapi components.
-- Added OIDC enforcement with an admin toggle and config override (`OIDC_ENFORCE`).
-- Added RP-initiated logout with smart session detection — skips the provider redirect if the session is already expired.
-- Migrated to Vitest with comprehensive e2e test coverage.
-- Config variable names aligned with OIDC discovery document field names (`OIDC_SCOPE`, `OIDC_USERINFO_ENDPOINT`, `OIDC_END_SESSION_ENDPOINT`).
-- Always injects a **Login via SSO** button on the Strapi login page. Button text is configurable via `OIDC_SSO_BUTTON_TEXT`.
-- Whitelist: programmatic REST API with JSON import/export, bulk delete, delete by email, and unsaved changes guard.
-- Hardened OIDC flow: server-generated state and nonce, PKCE, Bearer token auth for userinfo, and generic error messages on failure.
-- Audit log: records all auth events to a queryable table with Admin UI, JSON export, and REST API. API responses use a single `datetime` field and omit framework metadata (id, documentId, locale, publishedAt, etc.). A separate `user_created` event is emitted when a Strapi admin is provisioned during login.
+- OIDC-only (removed other SSO methods)
+- Redesigned whitelist and role management UI using native Strapi components
+- OIDC enforcement via admin toggle or `OIDC_ENFORCE` config
+- RP-initiated logout with smart session detection
+- Migrated to Vitest with e2e coverage
+- Config variable names aligned with OIDC discovery document field names
+- **Login via SSO** button always injected; text configurable via `OIDC_SSO_BUTTON_TEXT`
+- Whitelist REST API with JSON import/export, bulk delete, delete by email
+- Hardened OIDC flow: server-generated state and nonce, PKCE, Bearer token auth for userinfo, generic error messages on failure
+- Audit log: records all auth events to a queryable table with UI, JSON/NDJSON export, and REST API
 
 ## License
 

package/dist/admin/{index-DRJ6Ty2J.mjs → index-Bb9-aYb4.mjs}

@@ -1,4 +1,7 @@
-import { useRef, useEffect } from "react";
+import React, { useRef, useEffect, useState } from "react";
+import { createRoot } from "react-dom/client";
+import { jsx } from "react/jsx-runtime";
+import { DesignSystemProvider, darkTheme, lightTheme, Loader } from "@strapi/design-system";
 const __variableDynamicImportRuntimeHelper = (glob, path, segs) => {
   const v = glob[path];
   if (v) {
@@ -32,6 +35,42 @@ function Initializer({ setPlugin }) {
   }, []);
   return null;
 }
+const LOGOUT_EVENT = "strapi-oidc:logout";
+function Overlay({ bg }) {
+  const [active, setActive] = useState(false);
+  useEffect(() => {
+    const handler = () => setActive(true);
+    window.addEventListener(LOGOUT_EVENT, handler);
+    return () => window.removeEventListener(LOGOUT_EVENT, handler);
+  }, []);
+  if (!active) return null;
+  return /* @__PURE__ */ jsx(
+    "div",
+    {
+      style: {
+        position: "fixed",
+        inset: 0,
+        zIndex: 1e4,
+        display: "flex",
+        alignItems: "center",
+        justifyContent: "center",
+        background: bg,
+        backdropFilter: "blur(2px)"
+      },
+      children: /* @__PURE__ */ jsx(Loader, {})
+    }
+  );
+}
+function resolveTheme() {
+  const stored = window.localStorage.getItem("STRAPI_THEME") ?? "system";
+  const isDark = stored === "dark" || stored === "system" && (window.matchMedia?.("(prefers-color-scheme: dark)").matches ?? false);
+  return isDark ? darkTheme : lightTheme;
+}
+function LogoutOverlay() {
+  const theme = resolveTheme();
+  const bg = theme === darkTheme ? "rgba(24, 24, 38, 0.85)" : "rgba(255, 255, 255, 0.85)";
+  return /* @__PURE__ */ jsx(DesignSystemProvider, { theme, children: /* @__PURE__ */ jsx(Overlay, { bg }) });
+}
 const en = {
   "global.plugins.strapi-plugin-oidc": "OIDC Plugin",
   "page.title": "Configure OIDC default role(s) and access controls.",
@@ -94,7 +133,6 @@ const en = {
   "auditlog.table.ip": "IP",
   "auditlog.table.details": "Details",
   "auditlog.table.empty": "No audit log entries",
-  "auditlog.loading": "Loading…",
   "auditlog.clear": "Clear Logs",
   "auditlog.clear.title": "Clear All Logs",
   "auditlog.clear.description": "This will permanently delete all {count, plural, one {# audit log entry} other {# audit log entries}}. This action cannot be undone.",
@@ -125,6 +163,8 @@ const en = {
   "auditlog.action.nonce_mismatch": "The nonce in the ID token did not match the one generated at login. This may indicate a token replay attack.",
   "auditlog.action.token_exchange_failed": "The authorisation code could not be exchanged for tokens. The OIDC provider rejected the request.",
   "auditlog.action.whitelist_rejected": "The user's email address is not on the whitelist. Access was denied.",
+  "auditlog.action.email_not_verified": "The OIDC provider did not confirm the user's email address as verified. Access was denied.",
+  "auditlog.action.id_token_invalid": "The ID token failed signature, issuer, audience, or expiry validation. Access was denied.",
   "auth.page.authenticating.title": "Authenticating...",
   "auth.page.authenticating.noscript.heading": "JavaScript Required",
   "auth.page.authenticating.noscript.body": "JavaScript must be enabled for authentication to complete.",
@@ -165,7 +205,7 @@ const index = {
           defaultMessage: "Configuration"
         },
         Component: async () => {
-          return await import("./index-pieFAsgM.mjs");
+          return await import("./index-BqWd-Iiq.mjs");
         },
         permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }]
       }
@@ -177,6 +217,9 @@ const index = {
     });
   },
   bootstrap() {
+    const overlayContainer = document.createElement("div");
+    document.body.appendChild(overlayContainer);
+    createRoot(overlayContainer).render(React.createElement(LogoutOverlay));
     const defaultButtonText = t("login.sso");
     const isAuthRoute = (path) => /\/auth\/(login|register|forgot-password|reset-password)/.test(path);
     let ssoButtonInjected = false;
@@ -236,6 +279,7 @@ const index = {
         if (!isAuthRoute(window.location.pathname)) return;
         injectSSOButton(buttonText);
         if (enforced) removeEnforcedElements();
+        if (ssoButtonInjected && !enforced) loginObserver?.disconnect();
       };
       tick();
       loginObserver = new MutationObserver(tick);
@@ -256,23 +300,27 @@ const index = {
       }
     };
     applySettings();
+    if (window.__strapiOidcFetchPatched) return;
+    window.__strapiOidcFetchPatched = true;
     const originalFetch = window.fetch;
     window.fetch = async (...args) => {
       const url = typeof args[0] === "string" ? args[0] : args[0].url;
       const isLogout = url?.endsWith("/admin/logout") && args[1]?.method?.toUpperCase() === "POST";
-      const response = await originalFetch(...args);
-      if (isLogout && response.ok) {
+      if (isLogout) {
+        window.dispatchEvent(new CustomEvent(LOGOUT_EVENT));
         window.localStorage.removeItem("jwtToken");
         window.localStorage.removeItem("isLoggedIn");
         window.sessionStorage.removeItem("jwtToken");
         window.sessionStorage.removeItem("isLoggedIn");
         document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/";
         document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/admin";
+        originalFetch(...args).catch(() => {
+        });
         window.location.href = "/strapi-plugin-oidc/logout";
         return new Promise(() => {
         });
       }
-      return response;
+      return originalFetch(...args);
     };
   },
   async registerTrads({ locales }) {