strapi-plugin-oidc 1.8.0 → 1.8.2

package/dist/server/index.js

@@ -12,6 +12,58 @@ const strapiUtils__default = /* @__PURE__ */ _interopDefault(strapiUtils);
 const generator__default = /* @__PURE__ */ _interopDefault(generator);
 function register$1() {
 }
+const errorCodes = {
+  TOKEN_EXCHANGE_FAILED: "TOKEN_EXCHANGE_FAILED",
+  USERINFO_FETCH_FAILED: "USERINFO_FETCH_FAILED",
+  ID_TOKEN_PARSE_FAILED: "ID_TOKEN_PARSE_FAILED",
+  NONCE_MISMATCH: "NONCE_MISMATCH",
+  ROLE_UPDATE_FAILED: "ROLE_UPDATE_FAILED",
+  USER_CREATION_FAILED: "USER_CREATION_FAILED",
+  WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED",
+  EMAIL_NOT_VERIFIED: "EMAIL_NOT_VERIFIED",
+  ID_TOKEN_INVALID: "ID_TOKEN_INVALID"
+};
+const ERROR_DETAIL_TEMPLATES = {
+  token_exchange_failed: "Token exchange failed with HTTP status {status}",
+  userinfo_fetch_failed: "UserInfo endpoint returned HTTP {status}",
+  role_update_failed: "Role update failed for user {userId}: {error}",
+  user_creation_failed: "User creation failed for {email}: {error}",
+  id_token_parse_failed: "ID token parse failed: {error}",
+  sign_in_unknown: "Unknown sign-in error: {error}",
+  invalid_email: "Invalid email address received from OIDC provider",
+  email_not_verified: "Email address has not been verified by the OIDC provider",
+  id_token_invalid: "ID token verification failed: {error}",
+  whitelist_not_present: "Email not present in whitelist",
+  session_manager_unsupported: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later."
+};
+function interpolate$1(template, params) {
+  if (!params) return template;
+  return template.replace(/\{(\w+)\}/g, (_, key) => String(params[key] ?? `{${key}}`));
+}
+function getErrorDetail(key, params) {
+  const template = ERROR_DETAIL_TEMPLATES[key];
+  if (!template) return void 0;
+  return interpolate$1(template, params);
+}
+const errorMessages = {
+  TOKEN_EXCHANGE_FAILED: "Token exchange failed",
+  USERINFO_FETCH_FAILED: "Failed to fetch user info",
+  ID_TOKEN_PARSE_FAILED: "Failed to parse ID token",
+  NONCE_MISMATCH: "Nonce mismatch",
+  INVALID_EMAIL: "Invalid email address received from OIDC provider",
+  EMAIL_NOT_VERIFIED: "Email address has not been verified by the OIDC provider",
+  ID_TOKEN_INVALID: "ID token verification failed",
+  WHITELIST_NOT_PRESENT: "Not present in whitelist",
+  SESSION_MANAGER_UNSUPPORTED: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
+  JWKS_URI_NOT_CONFIGURED: "[OIDC] OIDC_JWKS_URI is not configured — ID token signature verification is disabled. Set OIDC_JWKS_URI and OIDC_ISSUER from your provider's discovery document.",
+  ENFORCE_MIDDLEWARE_ERROR: "Error checking OIDC enforcement in middleware:",
+  ENFORCE_SYNC_ERROR: "[strapi-plugin-oidc] Failed to sync OIDC_ENFORCE to database:",
+  DEFAULT_ROLE_INIT_ERROR: "Could not initialize default OIDC role:",
+  AUDIT_LOG_CLEANUP_ERROR: "[strapi-plugin-oidc] Audit log cleanup failed:",
+  AUDIT_LOG_EXPORT_ERROR: "NDJSON export stream failed",
+  DISCOVERY_FETCH_ERROR: (url, reason) => `[strapi-plugin-oidc] Failed to fetch OIDC discovery document from ${url}: ${reason}`,
+  MISSING_CONFIG: (keys) => `Missing required config keys: ${keys}`
+};
 function getEnforceOIDCConfig(strapi2) {
   const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
   const val = config2.OIDC_ENFORCE;
@@ -44,8 +96,43 @@ const getRoleService = () => strapi.plugin(PLUGIN_NAME).service("role");
 const getWhitelistService = () => strapi.plugin(PLUGIN_NAME).service("whitelist");
 const getAuditLogService = () => strapi.plugin(PLUGIN_NAME).service("auditLog");
 const getAdminUserService = () => strapi.service("admin::user");
+const DISCOVERY_TIMEOUT_MS = 5e3;
+const FIELD_MAP = [
+  ["issuer", "OIDC_ISSUER"],
+  ["authorization_endpoint", "OIDC_AUTHORIZATION_ENDPOINT"],
+  ["token_endpoint", "OIDC_TOKEN_ENDPOINT"],
+  ["userinfo_endpoint", "OIDC_USERINFO_ENDPOINT"],
+  ["end_session_endpoint", "OIDC_END_SESSION_ENDPOINT"],
+  ["jwks_uri", "OIDC_JWKS_URI"]
+];
+async function applyDiscovery(strapi2) {
+  const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
+  const discoveryUrl = config2.OIDC_DISCOVERY_URL;
+  if (!discoveryUrl) return;
+  let doc;
+  try {
+    const res = await fetch(discoveryUrl, { signal: AbortSignal.timeout(DISCOVERY_TIMEOUT_MS) });
+    if (!res.ok) throw new Error(`HTTP ${res.status}`);
+    doc = await res.json();
+  } catch (e) {
+    throw new Error(
+      errorMessages.DISCOVERY_FETCH_ERROR(discoveryUrl, e instanceof Error ? e.message : String(e))
+    );
+  }
+  const updates = {};
+  for (const [docField, configKey] of FIELD_MAP) {
+    if (doc[docField]) {
+      updates[configKey] = doc[docField];
+    }
+  }
+  if (Object.keys(updates).length > 0) {
+    strapi2.config.set("plugin::strapi-plugin-oidc", { ...config2, ...updates });
+    strapi2.log.info(`[strapi-plugin-oidc] Discovery applied: ${Object.keys(updates).join(", ")}`);
+  }
+}
 const AUTH_ROUTES = ["login", "register", "register-admin", "forgot-password", "reset-password"];
 async function bootstrap({ strapi: strapi2 }) {
+  await applyDiscovery(strapi2);
   const adminUrl = strapi2.config.get("admin.url", "/admin");
   const tokenRefreshPath = `${adminUrl}/token/refresh`;
   const enforceOidcMiddleware = async (ctx, next) => {
@@ -85,7 +172,7 @@ async function bootstrap({ strapi: strapi2 }) {
           return;
         }
       } catch (err) {
-        strapi2.log.error("Error checking OIDC enforcement in middleware:", err);
+        strapi2.log.error(errorMessages.ENFORCE_MIDDLEWARE_ERROR, err);
       }
     }
     await next();
@@ -122,7 +209,7 @@ async function bootstrap({ strapi: strapi2 }) {
         );
       }
     } catch (err) {
-      strapi2.log.error("[strapi-plugin-oidc] Failed to sync OIDC_ENFORCE to database:", err);
+      strapi2.log.error(errorMessages.ENFORCE_SYNC_ERROR, err);
     }
   }
   try {
@@ -136,7 +223,7 @@ async function bootstrap({ strapi: strapi2 }) {
       }
     }
   } catch (err) {
-    strapi2.log.warn("Could not initialize default OIDC role:", err.message);
+    strapi2.log.warn(errorMessages.DEFAULT_ROLE_INIT_ERROR, err.message);
   }
   strapi2.cron.add({
     "strapi-plugin-oidc-audit-log-cleanup": {
@@ -145,7 +232,7 @@ async function bootstrap({ strapi: strapi2 }) {
           const retentionDays = getRetentionDays();
           await getAuditLogService().cleanup(retentionDays);
         } catch (err) {
-          strapi2.log.warn("[strapi-plugin-oidc] Audit log cleanup failed:", err.message);
+          strapi2.log.warn(errorMessages.AUDIT_LOG_CLEANUP_ERROR, err.message);
         }
       },
       options: { rule: "0 0 * * *" }
@@ -157,17 +244,13 @@ function destroy() {
 const config = {
   default: {
     REMEMBER_ME: false,
+    OIDC_DISCOVERY_URL: "",
     OIDC_REDIRECT_URI: "http://localhost:1337/strapi-plugin-oidc/oidc/callback",
     OIDC_CLIENT_ID: "",
     OIDC_CLIENT_SECRET: "",
     OIDC_SCOPE: "openid profile email",
-    OIDC_AUTHORIZATION_ENDPOINT: "",
-    OIDC_TOKEN_ENDPOINT: "",
-    OIDC_USERINFO_ENDPOINT: "",
-    OIDC_GRANT_TYPE: "authorization_code",
     OIDC_FAMILY_NAME_FIELD: "family_name",
     OIDC_GIVEN_NAME_FIELD: "given_name",
-    OIDC_END_SESSION_ENDPOINT: "",
     OIDC_SSO_BUTTON_TEXT: "Login via SSO",
     OIDC_ENFORCE: null,
     // null = use DB setting; true/false = override DB (useful for lockout recovery)
@@ -176,9 +259,14 @@ const config = {
     OIDC_GROUP_ROLE_MAP: "{}",
     OIDC_REQUIRE_EMAIL_VERIFIED: true,
     OIDC_TRUSTED_IP_HEADER: "",
+    OIDC_FORCE_SECURE_COOKIES: false,
+    // Populated at bootstrap from OIDC_DISCOVERY_URL — not user-configurable directly
+    OIDC_AUTHORIZATION_ENDPOINT: "",
+    OIDC_TOKEN_ENDPOINT: "",
+    OIDC_USERINFO_ENDPOINT: "",
+    OIDC_END_SESSION_ENDPOINT: "",
     OIDC_JWKS_URI: "",
-    OIDC_ISSUER: "",
-    OIDC_FORCE_SECURE_COOKIES: false
+    OIDC_ISSUER: ""
   },
   validator() {
   }
@@ -234,8 +322,7 @@ function shouldMarkSecure(strapi2, ctx) {
   if (config2.OIDC_FORCE_SECURE_COOKIES === true) return true;
   if (ctx.request.secure) return true;
   const proxyTrusted = ctx.app?.proxy === true;
-  if (proxyTrusted && typeof ctx.get === "function" && ctx.get("x-forwarded-proto") === "https")
-    return true;
+  if (proxyTrusted && ctx.get("x-forwarded-proto") === "https") return true;
   return false;
 }
 function getExpiredCookieOptions(strapi2, ctx) {
@@ -261,52 +348,6 @@ const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
 function isValidEmail(email) {
   return EMAIL_REGEX.test(email);
 }
-const errorCodes = {
-  TOKEN_EXCHANGE_FAILED: "TOKEN_EXCHANGE_FAILED",
-  USERINFO_FETCH_FAILED: "USERINFO_FETCH_FAILED",
-  ID_TOKEN_PARSE_FAILED: "ID_TOKEN_PARSE_FAILED",
-  NONCE_MISMATCH: "NONCE_MISMATCH",
-  ROLE_UPDATE_FAILED: "ROLE_UPDATE_FAILED",
-  USER_CREATION_FAILED: "USER_CREATION_FAILED",
-  WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED",
-  EMAIL_NOT_VERIFIED: "EMAIL_NOT_VERIFIED",
-  ID_TOKEN_INVALID: "ID_TOKEN_INVALID"
-};
-const ERROR_DETAIL_TEMPLATES = {
-  token_exchange_failed: "Token exchange failed with HTTP status {status}",
-  userinfo_fetch_failed: "UserInfo endpoint returned HTTP {status}",
-  role_update_failed: "Role update failed for user {userId}: {error}",
-  user_creation_failed: "User creation failed for {email}: {error}",
-  id_token_parse_failed: "ID token parse failed: {error}",
-  sign_in_unknown: "Unknown sign-in error: {error}",
-  invalid_email: "Invalid email address received from OIDC provider",
-  email_not_verified: "Email address has not been verified by the OIDC provider",
-  id_token_invalid: "ID token verification failed: {error}",
-  whitelist_not_present: "Email not present in whitelist",
-  session_manager_unsupported: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
-  missing_config: "Missing required config keys: {keys}"
-};
-function interpolate$1(template, params) {
-  if (!params) return template;
-  return template.replace(/\{(\w+)\}/g, (_, key) => String(params[key] ?? `{${key}}`));
-}
-function getErrorDetail(key, params) {
-  const template = ERROR_DETAIL_TEMPLATES[key];
-  if (!template) return void 0;
-  return interpolate$1(template, params);
-}
-const errorMessages = {
-  TOKEN_EXCHANGE_FAILED: "Token exchange failed",
-  USERINFO_FETCH_FAILED: "Failed to fetch user info",
-  ID_TOKEN_PARSE_FAILED: "Failed to parse ID token",
-  NONCE_MISMATCH: "Nonce mismatch",
-  INVALID_EMAIL: "Invalid email address received from OIDC provider",
-  EMAIL_NOT_VERIFIED: "Email address has not been verified by the OIDC provider",
-  ID_TOKEN_INVALID: "ID token verification failed",
-  WHITELIST_NOT_PRESENT: "Not present in whitelist",
-  SESSION_MANAGER_UNSUPPORTED: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
-  MISSING_CONFIG: (keys) => `Missing required config keys: ${keys}`
-};
 const en = {
   "global.plugins.strapi-plugin-oidc": "OIDC Plugin",
   "page.title": "Configure OIDC default role(s) and access controls.",
@@ -369,7 +410,6 @@ const en = {
   "auditlog.table.ip": "IP",
   "auditlog.table.details": "Details",
   "auditlog.table.empty": "No audit log entries",
-  "auditlog.loading": "Loading…",
   "auditlog.clear": "Clear Logs",
   "auditlog.clear.title": "Clear All Logs",
   "auditlog.clear.description": "This will permanently delete all {count, plural, one {# audit log entry} other {# audit log entries}}. This action cannot be undone.",
@@ -424,7 +464,6 @@ const locales = Object.fromEntries(
     return [code ?? "", mod.default];
   })
 );
-Object.keys(locales).filter(Boolean);
 const DEFAULT_LOCALE = "en";
 function parseAcceptLanguage(header) {
   return header.split(",").map((part) => {
@@ -527,13 +566,13 @@ const OIDC_ERROR_DISPATCH = {
     key: "sign_in_unknown"
   }
 };
-const TRUSTED_HEADER_WHITELIST = /* @__PURE__ */ new Set(["cf-connecting-ip"]);
+const TRUSTED_IP_HEADER = "cf-connecting-ip";
 function getTrustedHeaderName() {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc") ?? {};
   const raw = config2.OIDC_TRUSTED_IP_HEADER;
   if (typeof raw !== "string" || !raw) return void 0;
   const normalized = raw.trim().toLowerCase();
-  return TRUSTED_HEADER_WHITELIST.has(normalized) ? normalized : void 0;
+  return normalized === TRUSTED_IP_HEADER ? normalized : void 0;
 }
 function getClientIp(ctx) {
   const proxyTrusted = ctx.app?.proxy === true;
@@ -550,19 +589,23 @@ function getClientIp(ctx) {
   }
   return ctx.ip;
 }
+function toMessage(e) {
+  return e instanceof Error ? e.message : String(e);
+}
 const REQUIRED_CONFIG_KEYS = [
+  "OIDC_DISCOVERY_URL",
   "OIDC_CLIENT_ID",
   "OIDC_CLIENT_SECRET",
   "OIDC_REDIRECT_URI",
   "OIDC_SCOPE",
-  "OIDC_TOKEN_ENDPOINT",
-  "OIDC_USERINFO_ENDPOINT",
-  "OIDC_GRANT_TYPE",
   "OIDC_FAMILY_NAME_FIELD",
   "OIDC_GIVEN_NAME_FIELD",
+  // Populated at bootstrap from OIDC_DISCOVERY_URL — checked here as a runtime safety net
+  "OIDC_TOKEN_ENDPOINT",
+  "OIDC_USERINFO_ENDPOINT",
   "OIDC_AUTHORIZATION_ENDPOINT"
 ];
-const LOGOUT_USERINFO_TIMEOUT_MS = 3e3;
+const LOGOUT_USERINFO_TIMEOUT_MS = 1500;
 const jwksCache = /* @__PURE__ */ new Map();
 let jwksDisabledWarned = false;
 function getJwks(uri) {
@@ -579,9 +622,7 @@ async function verifyIdToken(idToken, config2) {
   if (!jwksUri) {
     if (!jwksDisabledWarned) {
       jwksDisabledWarned = true;
-      strapi.log.warn(
-        "[OIDC] OIDC_JWKS_URI is not configured — ID token signature verification is disabled. Set OIDC_JWKS_URI and OIDC_ISSUER from your provider's discovery document."
-      );
+      strapi.log.warn(errorMessages.JWKS_URI_NOT_CONFIGURED);
     }
     return null;
   }
@@ -594,7 +635,7 @@ async function verifyIdToken(idToken, config2) {
     return payload;
   } catch (e) {
     if (e instanceof jose.errors.JWTClaimValidationFailed || e instanceof jose.errors.JWSSignatureVerificationFailed || e instanceof jose.errors.JWTExpired || e instanceof jose.errors.JWTInvalid || e instanceof jose.errors.JWSInvalid) {
-      const msg = e instanceof Error ? e.message : String(e);
+      const msg = toMessage(e);
       throw new OidcError("id_token_invalid", msg, e);
     }
     throw e;
@@ -785,7 +826,7 @@ async function ensureUser(userService, oauthService2, email, userResponseData, c
       );
       return { user, userCreated: true, rolesUpdated: true };
     } catch (e) {
-      const msg = e instanceof Error ? e.message : String(e);
+      const msg = toMessage(e);
       throw new OidcError("user_creation_failed", msg, e);
     }
   }
@@ -835,7 +876,7 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
 function classifyOidcError(e, userInfo) {
   const kind = e instanceof OidcError ? e.kind : "unknown";
   const dispatch = OIDC_ERROR_DISPATCH[kind];
-  const msg = e instanceof Error ? e.message : String(e);
+  const msg = toMessage(e);
   let params;
   if (kind === "id_token_parse_failed" || kind === "id_token_invalid" || kind === "unknown") {
     params = { error: msg };
@@ -884,7 +925,7 @@ async function logSuccessfulAuth(auditLog2, ctx, user, userCreated, rolesUpdated
 }
 async function handleCallbackError(e, userInfo, auditLog2, oauthService2, ctx) {
   const errorInfo = classifyOidcError(e, userInfo);
-  const message = e instanceof Error ? e.message : String(e);
+  const message = toMessage(e);
   await auditLog2.log({
     action: errorInfo.action,
     email: userInfo?.email,
@@ -925,7 +966,7 @@ async function oidcSignInCallback(ctx) {
     client_id: config2.OIDC_CLIENT_ID,
     client_secret: config2.OIDC_CLIENT_SECRET,
     redirect_uri: config2.OIDC_REDIRECT_URI,
-    grant_type: config2.OIDC_GRANT_TYPE,
+    grant_type: "authorization_code",
     code_verifier: codeVerifier ?? ""
   });
   let userInfo;
@@ -969,13 +1010,13 @@ async function oidcSignInCallback(ctx) {
     await handleCallbackError(e, userInfo, auditLog2, oauthService2, ctx);
   }
 }
-async function isProviderSessionActive(userinfoEndpoint, accessToken) {
+async function isProviderSessionExpired(userinfoEndpoint, accessToken) {
   try {
     const response = await fetch(userinfoEndpoint, {
       headers: { Authorization: `Bearer ${accessToken}` },
       signal: AbortSignal.timeout(LOGOUT_USERINFO_TIMEOUT_MS)
     });
-    return response.ok;
+    return !response.ok;
   } catch {
     return false;
   }
@@ -995,14 +1036,14 @@ async function logout(ctx) {
   }
   const logAudit = (action) => userEmail ? auditLog2.log({ action, email: userEmail, ip: getClientIp(ctx) }) : Promise.resolve();
   if (logoutUrl && accessToken) {
-    const active = await isProviderSessionActive(config2.OIDC_USERINFO_ENDPOINT, accessToken);
-    if (active) {
-      logAudit("logout").catch(() => {
-      });
-      return ctx.redirect(logoutUrl);
+    const expired = await isProviderSessionExpired(config2.OIDC_USERINFO_ENDPOINT, accessToken);
+    if (expired) {
+      await logAudit("session_expired");
+      return ctx.redirect(loginUrl);
     }
-    await logAudit("session_expired");
-    return ctx.redirect(loginUrl);
+    logAudit("logout").catch(() => {
+    });
+    return ctx.redirect(logoutUrl);
   }
   await logAudit("logout");
   ctx.redirect(logoutUrl || loginUrl);
@@ -1160,13 +1201,9 @@ async function importUsers(ctx) {
   const whitelistService2 = getWhitelistService();
   const existing = await whitelistService2.getUsers();
   const existingEmails = new Set(existing.map((u) => u.email));
-  let importedCount = 0;
-  for (const email of deduped) {
-    if (existingEmails.has(email)) continue;
-    await whitelistService2.registerUser(email);
-    importedCount++;
-  }
-  ctx.body = { importedCount };
+  const toImport = deduped.filter((email) => !existingEmails.has(email));
+  await Promise.all(toImport.map((email) => whitelistService2.registerUser(email)));
+  ctx.body = { importedCount: toImport.length };
 }
 async function syncUsers(ctx) {
   const { users: rawUsers } = ctx.request.body;
@@ -1175,16 +1212,10 @@ async function syncUsers(ctx) {
   const currentUsers = await whitelistService2.getUsers();
   const syncEmailSet = new Set(emails);
   const currentUsersByEmail = new Map(currentUsers.map((u) => [u.email, u]));
-  for (const currUser of currentUsers) {
-    if (!syncEmailSet.has(currUser.email)) {
-      await whitelistService2.removeUser(currUser.email);
-    }
-  }
-  for (const email of emails) {
-    if (!currentUsersByEmail.has(email)) {
-      await whitelistService2.registerUser(email);
-    }
-  }
+  await Promise.all([
+    ...currentUsers.filter((u) => !syncEmailSet.has(u.email)).map((u) => whitelistService2.removeUser(u.email)),
+    ...emails.filter((email) => !currentUsersByEmail.has(email)).map((email) => whitelistService2.registerUser(email))
+  ]);
   ctx.body = {};
 }
 const whitelist = {
@@ -1363,7 +1394,7 @@ function errorAwareNdjsonStream(strapi2, service, filters) {
   const gen = ndjsonRowStream(service, filters);
   const readable = node_stream.Readable.from(gen);
   readable.on("error", (err) => {
-    strapi2.log.error({ phase: "audit_log_export", err }, "NDJSON export stream failed");
+    strapi2.log.error({ phase: "audit_log_export", err }, errorMessages.AUDIT_LOG_EXPORT_ERROR);
   });
   return readable;
 }
@@ -1488,6 +1519,12 @@ const routes = {
         handler: "oidc.oidcSignInCallback",
         config: { auth: false, middlewares: [rateLimitMiddleware] }
       },
+      {
+        method: "GET",
+        path: "/logout",
+        handler: "oidc.logout",
+        config: { auth: false }
+      },
       {
         method: "POST",
         path: "/logout",
@@ -1796,9 +1833,10 @@ function oauthService({ strapi: strapi2 }) {
       }
       const modelDef = strapi2.getModel("admin::user");
       const sanitizedEntity = await strapiUtils__default.default.sanitize.sanitizers.defaultSanitizeOutput(
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        { schema: modelDef, getModel: (uid2) => strapi2.getModel(uid2) },
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        {
+          schema: modelDef,
+          getModel: (uid2) => strapi2.getModel(uid2)
+        },
         user
       );
       eventHub?.emit(ENTRY_CREATE ?? "entry.create", {