npm - strapi-plugin-oidc - Versions diffs - 1.8.0 → 1.8.1 - Mend

strapi-plugin-oidc 1.8.0 → 1.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +6 -12
package/dist/admin/{index-B-K4X_N9.mjs → index-Bb9-aYb4.mjs} +53 -11
package/dist/admin/{index-CgG_mHzZ.js → index-Bmg4eTYb.js} +113 -88
package/dist/admin/{index-8YTLPV3h.mjs → index-BqWd-Iiq.mjs} +72 -47
package/dist/admin/{index-BSgVStns.js → index-Dk6TYtio.js} +57 -13
package/dist/admin/index.js +3 -1
package/dist/admin/index.mjs +3 -1
package/dist/server/index.js +86 -51
package/dist/server/index.mjs +86 -51
package/package.json +1 -1

package/dist/server/index.mjs CHANGED Viewed

@@ -38,8 +38,44 @@ const getRoleService = () => strapi.plugin(PLUGIN_NAME).service("role");
 const getWhitelistService = () => strapi.plugin(PLUGIN_NAME).service("whitelist");
 const getAuditLogService = () => strapi.plugin(PLUGIN_NAME).service("auditLog");
 const getAdminUserService = () => strapi.service("admin::user");
+const DISCOVERY_TIMEOUT_MS = 5e3;
+const FIELD_MAP = [
+  ["issuer", "OIDC_ISSUER"],
+  ["authorization_endpoint", "OIDC_AUTHORIZATION_ENDPOINT"],
+  ["token_endpoint", "OIDC_TOKEN_ENDPOINT"],
+  ["userinfo_endpoint", "OIDC_USERINFO_ENDPOINT"],
+  ["end_session_endpoint", "OIDC_END_SESSION_ENDPOINT"],
+  ["jwks_uri", "OIDC_JWKS_URI"]
+];
+async function applyDiscovery(strapi2) {
+  const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
+  const discoveryUrl = config2.OIDC_DISCOVERY_URL;
+  if (!discoveryUrl) return;
+  let doc;
+  try {
+    const res = await fetch(discoveryUrl, { signal: AbortSignal.timeout(DISCOVERY_TIMEOUT_MS) });
+    if (!res.ok) throw new Error(`HTTP ${res.status}`);
+    doc = await res.json();
+  } catch (e) {
+    strapi2.log.error(
+      `[strapi-plugin-oidc] Failed to fetch OIDC discovery document from ${discoveryUrl}: ${e instanceof Error ? e.message : String(e)}`
+    );
+    return;
+  }
+  const updates = {};
+  for (const [docField, configKey] of FIELD_MAP) {
+    if (doc[docField]) {
+      updates[configKey] = doc[docField];
+    }
+  }
+  if (Object.keys(updates).length > 0) {
+    strapi2.config.set("plugin::strapi-plugin-oidc", { ...config2, ...updates });
+    strapi2.log.info(`[strapi-plugin-oidc] Discovery applied: ${Object.keys(updates).join(", ")}`);
+  }
+}
 const AUTH_ROUTES = ["login", "register", "register-admin", "forgot-password", "reset-password"];
 async function bootstrap({ strapi: strapi2 }) {
+  await applyDiscovery(strapi2);
   const adminUrl = strapi2.config.get("admin.url", "/admin");
   const tokenRefreshPath = `${adminUrl}/token/refresh`;
   const enforceOidcMiddleware = async (ctx, next) => {
@@ -151,17 +187,13 @@ function destroy() {
 const config = {
   default: {
     REMEMBER_ME: false,
+    OIDC_DISCOVERY_URL: "",
     OIDC_REDIRECT_URI: "http://localhost:1337/strapi-plugin-oidc/oidc/callback",
     OIDC_CLIENT_ID: "",
     OIDC_CLIENT_SECRET: "",
     OIDC_SCOPE: "openid profile email",
-    OIDC_AUTHORIZATION_ENDPOINT: "",
-    OIDC_TOKEN_ENDPOINT: "",
-    OIDC_USERINFO_ENDPOINT: "",
-    OIDC_GRANT_TYPE: "authorization_code",
     OIDC_FAMILY_NAME_FIELD: "family_name",
     OIDC_GIVEN_NAME_FIELD: "given_name",
-    OIDC_END_SESSION_ENDPOINT: "",
     OIDC_SSO_BUTTON_TEXT: "Login via SSO",
     OIDC_ENFORCE: null,
     // null = use DB setting; true/false = override DB (useful for lockout recovery)
@@ -170,9 +202,14 @@ const config = {
     OIDC_GROUP_ROLE_MAP: "{}",
     OIDC_REQUIRE_EMAIL_VERIFIED: true,
     OIDC_TRUSTED_IP_HEADER: "",
+    OIDC_FORCE_SECURE_COOKIES: false,
+    // Populated at bootstrap from OIDC_DISCOVERY_URL — not user-configurable directly
+    OIDC_AUTHORIZATION_ENDPOINT: "",
+    OIDC_TOKEN_ENDPOINT: "",
+    OIDC_USERINFO_ENDPOINT: "",
+    OIDC_END_SESSION_ENDPOINT: "",
     OIDC_JWKS_URI: "",
-    OIDC_ISSUER: "",
-    OIDC_FORCE_SECURE_COOKIES: false
+    OIDC_ISSUER: ""
   },
   validator() {
   }
@@ -228,8 +265,7 @@ function shouldMarkSecure(strapi2, ctx) {
   if (config2.OIDC_FORCE_SECURE_COOKIES === true) return true;
   if (ctx.request.secure) return true;
   const proxyTrusted = ctx.app?.proxy === true;
-  if (proxyTrusted && typeof ctx.get === "function" && ctx.get("x-forwarded-proto") === "https")
-    return true;
+  if (proxyTrusted && ctx.get("x-forwarded-proto") === "https") return true;
   return false;
 }
 function getExpiredCookieOptions(strapi2, ctx) {
@@ -363,7 +399,6 @@ const en = {
   "auditlog.table.ip": "IP",
   "auditlog.table.details": "Details",
   "auditlog.table.empty": "No audit log entries",
-  "auditlog.loading": "Loading…",
   "auditlog.clear": "Clear Logs",
   "auditlog.clear.title": "Clear All Logs",
   "auditlog.clear.description": "This will permanently delete all {count, plural, one {# audit log entry} other {# audit log entries}}. This action cannot be undone.",
@@ -418,7 +453,6 @@ const locales = Object.fromEntries(
     return [code ?? "", mod.default];
   })
 );
-Object.keys(locales).filter(Boolean);
 const DEFAULT_LOCALE = "en";
 function parseAcceptLanguage(header) {
   return header.split(",").map((part) => {
@@ -521,13 +555,13 @@ const OIDC_ERROR_DISPATCH = {
     key: "sign_in_unknown"
   }
 };
-const TRUSTED_HEADER_WHITELIST = /* @__PURE__ */ new Set(["cf-connecting-ip"]);
+const TRUSTED_IP_HEADER = "cf-connecting-ip";
 function getTrustedHeaderName() {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc") ?? {};
   const raw = config2.OIDC_TRUSTED_IP_HEADER;
   if (typeof raw !== "string" || !raw) return void 0;
   const normalized = raw.trim().toLowerCase();
-  return TRUSTED_HEADER_WHITELIST.has(normalized) ? normalized : void 0;
+  return normalized === TRUSTED_IP_HEADER ? normalized : void 0;
 }
 function getClientIp(ctx) {
   const proxyTrusted = ctx.app?.proxy === true;
@@ -544,19 +578,23 @@ function getClientIp(ctx) {
   }
   return ctx.ip;
 }
+function toMessage(e) {
+  return e instanceof Error ? e.message : String(e);
+}
 const REQUIRED_CONFIG_KEYS = [
+  "OIDC_DISCOVERY_URL",
   "OIDC_CLIENT_ID",
   "OIDC_CLIENT_SECRET",
   "OIDC_REDIRECT_URI",
   "OIDC_SCOPE",
-  "OIDC_TOKEN_ENDPOINT",
-  "OIDC_USERINFO_ENDPOINT",
-  "OIDC_GRANT_TYPE",
   "OIDC_FAMILY_NAME_FIELD",
   "OIDC_GIVEN_NAME_FIELD",
+  // Populated at bootstrap from OIDC_DISCOVERY_URL — checked here as a runtime safety net
+  "OIDC_TOKEN_ENDPOINT",
+  "OIDC_USERINFO_ENDPOINT",
   "OIDC_AUTHORIZATION_ENDPOINT"
 ];
-const LOGOUT_USERINFO_TIMEOUT_MS = 3e3;
+const LOGOUT_USERINFO_TIMEOUT_MS = 1500;
 const jwksCache = /* @__PURE__ */ new Map();
 let jwksDisabledWarned = false;
 function getJwks(uri) {
@@ -588,7 +626,7 @@ async function verifyIdToken(idToken, config2) {
     return payload;
   } catch (e) {
     if (e instanceof errors.JWTClaimValidationFailed || e instanceof errors.JWSSignatureVerificationFailed || e instanceof errors.JWTExpired || e instanceof errors.JWTInvalid || e instanceof errors.JWSInvalid) {
-      const msg = e instanceof Error ? e.message : String(e);
+      const msg = toMessage(e);
       throw new OidcError("id_token_invalid", msg, e);
     }
     throw e;
@@ -779,7 +817,7 @@ async function ensureUser(userService, oauthService2, email, userResponseData, c
       );
       return { user, userCreated: true, rolesUpdated: true };
     } catch (e) {
-      const msg = e instanceof Error ? e.message : String(e);
+      const msg = toMessage(e);
       throw new OidcError("user_creation_failed", msg, e);
     }
   }
@@ -829,7 +867,7 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
 function classifyOidcError(e, userInfo) {
   const kind = e instanceof OidcError ? e.kind : "unknown";
   const dispatch = OIDC_ERROR_DISPATCH[kind];
-  const msg = e instanceof Error ? e.message : String(e);
+  const msg = toMessage(e);
   let params;
   if (kind === "id_token_parse_failed" || kind === "id_token_invalid" || kind === "unknown") {
     params = { error: msg };
@@ -878,7 +916,7 @@ async function logSuccessfulAuth(auditLog2, ctx, user, userCreated, rolesUpdated
 }
 async function handleCallbackError(e, userInfo, auditLog2, oauthService2, ctx) {
   const errorInfo = classifyOidcError(e, userInfo);
-  const message = e instanceof Error ? e.message : String(e);
+  const message = toMessage(e);
   await auditLog2.log({
     action: errorInfo.action,
     email: userInfo?.email,
@@ -919,7 +957,7 @@ async function oidcSignInCallback(ctx) {
     client_id: config2.OIDC_CLIENT_ID,
     client_secret: config2.OIDC_CLIENT_SECRET,
     redirect_uri: config2.OIDC_REDIRECT_URI,
-    grant_type: config2.OIDC_GRANT_TYPE,
+    grant_type: "authorization_code",
     code_verifier: codeVerifier ?? ""
   });
   let userInfo;
@@ -963,13 +1001,13 @@ async function oidcSignInCallback(ctx) {
     await handleCallbackError(e, userInfo, auditLog2, oauthService2, ctx);
   }
 }
-async function isProviderSessionActive(userinfoEndpoint, accessToken) {
+async function isProviderSessionExpired(userinfoEndpoint, accessToken) {
   try {
     const response = await fetch(userinfoEndpoint, {
       headers: { Authorization: `Bearer ${accessToken}` },
       signal: AbortSignal.timeout(LOGOUT_USERINFO_TIMEOUT_MS)
     });
-    return response.ok;
+    return !response.ok;
   } catch {
     return false;
   }
@@ -989,14 +1027,14 @@ async function logout(ctx) {
   }
   const logAudit = (action) => userEmail ? auditLog2.log({ action, email: userEmail, ip: getClientIp(ctx) }) : Promise.resolve();
   if (logoutUrl && accessToken) {
-    const active = await isProviderSessionActive(config2.OIDC_USERINFO_ENDPOINT, accessToken);
-    if (active) {
-      logAudit("logout").catch(() => {
-      });
-      return ctx.redirect(logoutUrl);
+    const expired = await isProviderSessionExpired(config2.OIDC_USERINFO_ENDPOINT, accessToken);
+    if (expired) {
+      await logAudit("session_expired");
+      return ctx.redirect(loginUrl);
     }
-    await logAudit("session_expired");
-    return ctx.redirect(loginUrl);
+    logAudit("logout").catch(() => {
+    });
+    return ctx.redirect(logoutUrl);
   }
   await logAudit("logout");
   ctx.redirect(logoutUrl || loginUrl);
@@ -1154,13 +1192,9 @@ async function importUsers(ctx) {
   const whitelistService2 = getWhitelistService();
   const existing = await whitelistService2.getUsers();
   const existingEmails = new Set(existing.map((u) => u.email));
-  let importedCount = 0;
-  for (const email of deduped) {
-    if (existingEmails.has(email)) continue;
-    await whitelistService2.registerUser(email);
-    importedCount++;
-  }
-  ctx.body = { importedCount };
+  const toImport = deduped.filter((email) => !existingEmails.has(email));
+  await Promise.all(toImport.map((email) => whitelistService2.registerUser(email)));
+  ctx.body = { importedCount: toImport.length };
 }
 async function syncUsers(ctx) {
   const { users: rawUsers } = ctx.request.body;
@@ -1169,16 +1203,10 @@ async function syncUsers(ctx) {
   const currentUsers = await whitelistService2.getUsers();
   const syncEmailSet = new Set(emails);
   const currentUsersByEmail = new Map(currentUsers.map((u) => [u.email, u]));
-  for (const currUser of currentUsers) {
-    if (!syncEmailSet.has(currUser.email)) {
-      await whitelistService2.removeUser(currUser.email);
-    }
-  }
-  for (const email of emails) {
-    if (!currentUsersByEmail.has(email)) {
-      await whitelistService2.registerUser(email);
-    }
-  }
+  await Promise.all([
+    ...currentUsers.filter((u) => !syncEmailSet.has(u.email)).map((u) => whitelistService2.removeUser(u.email)),
+    ...emails.filter((email) => !currentUsersByEmail.has(email)).map((email) => whitelistService2.registerUser(email))
+  ]);
   ctx.body = {};
 }
 const whitelist = {
@@ -1482,6 +1510,12 @@ const routes = {
         handler: "oidc.oidcSignInCallback",
         config: { auth: false, middlewares: [rateLimitMiddleware] }
       },
+      {
+        method: "GET",
+        path: "/logout",
+        handler: "oidc.logout",
+        config: { auth: false }
+      },
       {
         method: "POST",
         path: "/logout",
@@ -1790,9 +1824,10 @@ function oauthService({ strapi: strapi2 }) {
       }
       const modelDef = strapi2.getModel("admin::user");
       const sanitizedEntity = await strapiUtils.sanitize.sanitizers.defaultSanitizeOutput(
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        { schema: modelDef, getModel: (uid2) => strapi2.getModel(uid2) },
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        {
+          schema: modelDef,
+          getModel: (uid2) => strapi2.getModel(uid2)
+        },
         user
       );
       eventHub?.emit(ENTRY_CREATE ?? "entry.create", {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.8.0",
+  "version": "1.8.1",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",