strapi-plugin-oidc 1.8.1 → 1.8.2

package/dist/server/index.js

@@ -12,6 +12,58 @@ const strapiUtils__default = /* @__PURE__ */ _interopDefault(strapiUtils);
 const generator__default = /* @__PURE__ */ _interopDefault(generator);
 function register$1() {
 }
+const errorCodes = {
+  TOKEN_EXCHANGE_FAILED: "TOKEN_EXCHANGE_FAILED",
+  USERINFO_FETCH_FAILED: "USERINFO_FETCH_FAILED",
+  ID_TOKEN_PARSE_FAILED: "ID_TOKEN_PARSE_FAILED",
+  NONCE_MISMATCH: "NONCE_MISMATCH",
+  ROLE_UPDATE_FAILED: "ROLE_UPDATE_FAILED",
+  USER_CREATION_FAILED: "USER_CREATION_FAILED",
+  WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED",
+  EMAIL_NOT_VERIFIED: "EMAIL_NOT_VERIFIED",
+  ID_TOKEN_INVALID: "ID_TOKEN_INVALID"
+};
+const ERROR_DETAIL_TEMPLATES = {
+  token_exchange_failed: "Token exchange failed with HTTP status {status}",
+  userinfo_fetch_failed: "UserInfo endpoint returned HTTP {status}",
+  role_update_failed: "Role update failed for user {userId}: {error}",
+  user_creation_failed: "User creation failed for {email}: {error}",
+  id_token_parse_failed: "ID token parse failed: {error}",
+  sign_in_unknown: "Unknown sign-in error: {error}",
+  invalid_email: "Invalid email address received from OIDC provider",
+  email_not_verified: "Email address has not been verified by the OIDC provider",
+  id_token_invalid: "ID token verification failed: {error}",
+  whitelist_not_present: "Email not present in whitelist",
+  session_manager_unsupported: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later."
+};
+function interpolate$1(template, params) {
+  if (!params) return template;
+  return template.replace(/\{(\w+)\}/g, (_, key) => String(params[key] ?? `{${key}}`));
+}
+function getErrorDetail(key, params) {
+  const template = ERROR_DETAIL_TEMPLATES[key];
+  if (!template) return void 0;
+  return interpolate$1(template, params);
+}
+const errorMessages = {
+  TOKEN_EXCHANGE_FAILED: "Token exchange failed",
+  USERINFO_FETCH_FAILED: "Failed to fetch user info",
+  ID_TOKEN_PARSE_FAILED: "Failed to parse ID token",
+  NONCE_MISMATCH: "Nonce mismatch",
+  INVALID_EMAIL: "Invalid email address received from OIDC provider",
+  EMAIL_NOT_VERIFIED: "Email address has not been verified by the OIDC provider",
+  ID_TOKEN_INVALID: "ID token verification failed",
+  WHITELIST_NOT_PRESENT: "Not present in whitelist",
+  SESSION_MANAGER_UNSUPPORTED: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
+  JWKS_URI_NOT_CONFIGURED: "[OIDC] OIDC_JWKS_URI is not configured — ID token signature verification is disabled. Set OIDC_JWKS_URI and OIDC_ISSUER from your provider's discovery document.",
+  ENFORCE_MIDDLEWARE_ERROR: "Error checking OIDC enforcement in middleware:",
+  ENFORCE_SYNC_ERROR: "[strapi-plugin-oidc] Failed to sync OIDC_ENFORCE to database:",
+  DEFAULT_ROLE_INIT_ERROR: "Could not initialize default OIDC role:",
+  AUDIT_LOG_CLEANUP_ERROR: "[strapi-plugin-oidc] Audit log cleanup failed:",
+  AUDIT_LOG_EXPORT_ERROR: "NDJSON export stream failed",
+  DISCOVERY_FETCH_ERROR: (url, reason) => `[strapi-plugin-oidc] Failed to fetch OIDC discovery document from ${url}: ${reason}`,
+  MISSING_CONFIG: (keys) => `Missing required config keys: ${keys}`
+};
 function getEnforceOIDCConfig(strapi2) {
   const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
   const val = config2.OIDC_ENFORCE;
@@ -63,10 +115,9 @@ async function applyDiscovery(strapi2) {
     if (!res.ok) throw new Error(`HTTP ${res.status}`);
     doc = await res.json();
   } catch (e) {
-    strapi2.log.error(
-      `[strapi-plugin-oidc] Failed to fetch OIDC discovery document from ${discoveryUrl}: ${e instanceof Error ? e.message : String(e)}`
+    throw new Error(
+      errorMessages.DISCOVERY_FETCH_ERROR(discoveryUrl, e instanceof Error ? e.message : String(e))
     );
-    return;
   }
   const updates = {};
   for (const [docField, configKey] of FIELD_MAP) {
@@ -121,7 +172,7 @@ async function bootstrap({ strapi: strapi2 }) {
           return;
         }
       } catch (err) {
-        strapi2.log.error("Error checking OIDC enforcement in middleware:", err);
+        strapi2.log.error(errorMessages.ENFORCE_MIDDLEWARE_ERROR, err);
       }
     }
     await next();
@@ -158,7 +209,7 @@ async function bootstrap({ strapi: strapi2 }) {
         );
       }
     } catch (err) {
-      strapi2.log.error("[strapi-plugin-oidc] Failed to sync OIDC_ENFORCE to database:", err);
+      strapi2.log.error(errorMessages.ENFORCE_SYNC_ERROR, err);
     }
   }
   try {
@@ -172,7 +223,7 @@ async function bootstrap({ strapi: strapi2 }) {
       }
     }
   } catch (err) {
-    strapi2.log.warn("Could not initialize default OIDC role:", err.message);
+    strapi2.log.warn(errorMessages.DEFAULT_ROLE_INIT_ERROR, err.message);
   }
   strapi2.cron.add({
     "strapi-plugin-oidc-audit-log-cleanup": {
@@ -181,7 +232,7 @@ async function bootstrap({ strapi: strapi2 }) {
           const retentionDays = getRetentionDays();
           await getAuditLogService().cleanup(retentionDays);
         } catch (err) {
-          strapi2.log.warn("[strapi-plugin-oidc] Audit log cleanup failed:", err.message);
+          strapi2.log.warn(errorMessages.AUDIT_LOG_CLEANUP_ERROR, err.message);
         }
       },
       options: { rule: "0 0 * * *" }
@@ -297,52 +348,6 @@ const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
 function isValidEmail(email) {
   return EMAIL_REGEX.test(email);
 }
-const errorCodes = {
-  TOKEN_EXCHANGE_FAILED: "TOKEN_EXCHANGE_FAILED",
-  USERINFO_FETCH_FAILED: "USERINFO_FETCH_FAILED",
-  ID_TOKEN_PARSE_FAILED: "ID_TOKEN_PARSE_FAILED",
-  NONCE_MISMATCH: "NONCE_MISMATCH",
-  ROLE_UPDATE_FAILED: "ROLE_UPDATE_FAILED",
-  USER_CREATION_FAILED: "USER_CREATION_FAILED",
-  WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED",
-  EMAIL_NOT_VERIFIED: "EMAIL_NOT_VERIFIED",
-  ID_TOKEN_INVALID: "ID_TOKEN_INVALID"
-};
-const ERROR_DETAIL_TEMPLATES = {
-  token_exchange_failed: "Token exchange failed with HTTP status {status}",
-  userinfo_fetch_failed: "UserInfo endpoint returned HTTP {status}",
-  role_update_failed: "Role update failed for user {userId}: {error}",
-  user_creation_failed: "User creation failed for {email}: {error}",
-  id_token_parse_failed: "ID token parse failed: {error}",
-  sign_in_unknown: "Unknown sign-in error: {error}",
-  invalid_email: "Invalid email address received from OIDC provider",
-  email_not_verified: "Email address has not been verified by the OIDC provider",
-  id_token_invalid: "ID token verification failed: {error}",
-  whitelist_not_present: "Email not present in whitelist",
-  session_manager_unsupported: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
-  missing_config: "Missing required config keys: {keys}"
-};
-function interpolate$1(template, params) {
-  if (!params) return template;
-  return template.replace(/\{(\w+)\}/g, (_, key) => String(params[key] ?? `{${key}}`));
-}
-function getErrorDetail(key, params) {
-  const template = ERROR_DETAIL_TEMPLATES[key];
-  if (!template) return void 0;
-  return interpolate$1(template, params);
-}
-const errorMessages = {
-  TOKEN_EXCHANGE_FAILED: "Token exchange failed",
-  USERINFO_FETCH_FAILED: "Failed to fetch user info",
-  ID_TOKEN_PARSE_FAILED: "Failed to parse ID token",
-  NONCE_MISMATCH: "Nonce mismatch",
-  INVALID_EMAIL: "Invalid email address received from OIDC provider",
-  EMAIL_NOT_VERIFIED: "Email address has not been verified by the OIDC provider",
-  ID_TOKEN_INVALID: "ID token verification failed",
-  WHITELIST_NOT_PRESENT: "Not present in whitelist",
-  SESSION_MANAGER_UNSUPPORTED: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
-  MISSING_CONFIG: (keys) => `Missing required config keys: ${keys}`
-};
 const en = {
   "global.plugins.strapi-plugin-oidc": "OIDC Plugin",
   "page.title": "Configure OIDC default role(s) and access controls.",
@@ -617,9 +622,7 @@ async function verifyIdToken(idToken, config2) {
   if (!jwksUri) {
     if (!jwksDisabledWarned) {
       jwksDisabledWarned = true;
-      strapi.log.warn(
-        "[OIDC] OIDC_JWKS_URI is not configured — ID token signature verification is disabled. Set OIDC_JWKS_URI and OIDC_ISSUER from your provider's discovery document."
-      );
+      strapi.log.warn(errorMessages.JWKS_URI_NOT_CONFIGURED);
     }
     return null;
   }
@@ -1391,7 +1394,7 @@ function errorAwareNdjsonStream(strapi2, service, filters) {
   const gen = ndjsonRowStream(service, filters);
   const readable = node_stream.Readable.from(gen);
   readable.on("error", (err) => {
-    strapi2.log.error({ phase: "audit_log_export", err }, "NDJSON export stream failed");
+    strapi2.log.error({ phase: "audit_log_export", err }, errorMessages.AUDIT_LOG_EXPORT_ERROR);
   });
   return readable;
 }

package/dist/server/index.mjs

@@ -6,6 +6,58 @@ import strapiUtils from "@strapi/utils";
 import generator from "generate-password";
 function register$1() {
 }
+const errorCodes = {
+  TOKEN_EXCHANGE_FAILED: "TOKEN_EXCHANGE_FAILED",
+  USERINFO_FETCH_FAILED: "USERINFO_FETCH_FAILED",
+  ID_TOKEN_PARSE_FAILED: "ID_TOKEN_PARSE_FAILED",
+  NONCE_MISMATCH: "NONCE_MISMATCH",
+  ROLE_UPDATE_FAILED: "ROLE_UPDATE_FAILED",
+  USER_CREATION_FAILED: "USER_CREATION_FAILED",
+  WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED",
+  EMAIL_NOT_VERIFIED: "EMAIL_NOT_VERIFIED",
+  ID_TOKEN_INVALID: "ID_TOKEN_INVALID"
+};
+const ERROR_DETAIL_TEMPLATES = {
+  token_exchange_failed: "Token exchange failed with HTTP status {status}",
+  userinfo_fetch_failed: "UserInfo endpoint returned HTTP {status}",
+  role_update_failed: "Role update failed for user {userId}: {error}",
+  user_creation_failed: "User creation failed for {email}: {error}",
+  id_token_parse_failed: "ID token parse failed: {error}",
+  sign_in_unknown: "Unknown sign-in error: {error}",
+  invalid_email: "Invalid email address received from OIDC provider",
+  email_not_verified: "Email address has not been verified by the OIDC provider",
+  id_token_invalid: "ID token verification failed: {error}",
+  whitelist_not_present: "Email not present in whitelist",
+  session_manager_unsupported: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later."
+};
+function interpolate$1(template, params) {
+  if (!params) return template;
+  return template.replace(/\{(\w+)\}/g, (_, key) => String(params[key] ?? `{${key}}`));
+}
+function getErrorDetail(key, params) {
+  const template = ERROR_DETAIL_TEMPLATES[key];
+  if (!template) return void 0;
+  return interpolate$1(template, params);
+}
+const errorMessages = {
+  TOKEN_EXCHANGE_FAILED: "Token exchange failed",
+  USERINFO_FETCH_FAILED: "Failed to fetch user info",
+  ID_TOKEN_PARSE_FAILED: "Failed to parse ID token",
+  NONCE_MISMATCH: "Nonce mismatch",
+  INVALID_EMAIL: "Invalid email address received from OIDC provider",
+  EMAIL_NOT_VERIFIED: "Email address has not been verified by the OIDC provider",
+  ID_TOKEN_INVALID: "ID token verification failed",
+  WHITELIST_NOT_PRESENT: "Not present in whitelist",
+  SESSION_MANAGER_UNSUPPORTED: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
+  JWKS_URI_NOT_CONFIGURED: "[OIDC] OIDC_JWKS_URI is not configured — ID token signature verification is disabled. Set OIDC_JWKS_URI and OIDC_ISSUER from your provider's discovery document.",
+  ENFORCE_MIDDLEWARE_ERROR: "Error checking OIDC enforcement in middleware:",
+  ENFORCE_SYNC_ERROR: "[strapi-plugin-oidc] Failed to sync OIDC_ENFORCE to database:",
+  DEFAULT_ROLE_INIT_ERROR: "Could not initialize default OIDC role:",
+  AUDIT_LOG_CLEANUP_ERROR: "[strapi-plugin-oidc] Audit log cleanup failed:",
+  AUDIT_LOG_EXPORT_ERROR: "NDJSON export stream failed",
+  DISCOVERY_FETCH_ERROR: (url, reason) => `[strapi-plugin-oidc] Failed to fetch OIDC discovery document from ${url}: ${reason}`,
+  MISSING_CONFIG: (keys) => `Missing required config keys: ${keys}`
+};
 function getEnforceOIDCConfig(strapi2) {
   const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
   const val = config2.OIDC_ENFORCE;
@@ -57,10 +109,9 @@ async function applyDiscovery(strapi2) {
     if (!res.ok) throw new Error(`HTTP ${res.status}`);
     doc = await res.json();
   } catch (e) {
-    strapi2.log.error(
-      `[strapi-plugin-oidc] Failed to fetch OIDC discovery document from ${discoveryUrl}: ${e instanceof Error ? e.message : String(e)}`
+    throw new Error(
+      errorMessages.DISCOVERY_FETCH_ERROR(discoveryUrl, e instanceof Error ? e.message : String(e))
     );
-    return;
   }
   const updates = {};
   for (const [docField, configKey] of FIELD_MAP) {
@@ -115,7 +166,7 @@ async function bootstrap({ strapi: strapi2 }) {
           return;
         }
       } catch (err) {
-        strapi2.log.error("Error checking OIDC enforcement in middleware:", err);
+        strapi2.log.error(errorMessages.ENFORCE_MIDDLEWARE_ERROR, err);
       }
     }
     await next();
@@ -152,7 +203,7 @@ async function bootstrap({ strapi: strapi2 }) {
         );
       }
     } catch (err) {
-      strapi2.log.error("[strapi-plugin-oidc] Failed to sync OIDC_ENFORCE to database:", err);
+      strapi2.log.error(errorMessages.ENFORCE_SYNC_ERROR, err);
     }
   }
   try {
@@ -166,7 +217,7 @@ async function bootstrap({ strapi: strapi2 }) {
       }
     }
   } catch (err) {
-    strapi2.log.warn("Could not initialize default OIDC role:", err.message);
+    strapi2.log.warn(errorMessages.DEFAULT_ROLE_INIT_ERROR, err.message);
   }
   strapi2.cron.add({
     "strapi-plugin-oidc-audit-log-cleanup": {
@@ -175,7 +226,7 @@ async function bootstrap({ strapi: strapi2 }) {
           const retentionDays = getRetentionDays();
           await getAuditLogService().cleanup(retentionDays);
         } catch (err) {
-          strapi2.log.warn("[strapi-plugin-oidc] Audit log cleanup failed:", err.message);
+          strapi2.log.warn(errorMessages.AUDIT_LOG_CLEANUP_ERROR, err.message);
         }
       },
       options: { rule: "0 0 * * *" }
@@ -291,52 +342,6 @@ const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
 function isValidEmail(email) {
   return EMAIL_REGEX.test(email);
 }
-const errorCodes = {
-  TOKEN_EXCHANGE_FAILED: "TOKEN_EXCHANGE_FAILED",
-  USERINFO_FETCH_FAILED: "USERINFO_FETCH_FAILED",
-  ID_TOKEN_PARSE_FAILED: "ID_TOKEN_PARSE_FAILED",
-  NONCE_MISMATCH: "NONCE_MISMATCH",
-  ROLE_UPDATE_FAILED: "ROLE_UPDATE_FAILED",
-  USER_CREATION_FAILED: "USER_CREATION_FAILED",
-  WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED",
-  EMAIL_NOT_VERIFIED: "EMAIL_NOT_VERIFIED",
-  ID_TOKEN_INVALID: "ID_TOKEN_INVALID"
-};
-const ERROR_DETAIL_TEMPLATES = {
-  token_exchange_failed: "Token exchange failed with HTTP status {status}",
-  userinfo_fetch_failed: "UserInfo endpoint returned HTTP {status}",
-  role_update_failed: "Role update failed for user {userId}: {error}",
-  user_creation_failed: "User creation failed for {email}: {error}",
-  id_token_parse_failed: "ID token parse failed: {error}",
-  sign_in_unknown: "Unknown sign-in error: {error}",
-  invalid_email: "Invalid email address received from OIDC provider",
-  email_not_verified: "Email address has not been verified by the OIDC provider",
-  id_token_invalid: "ID token verification failed: {error}",
-  whitelist_not_present: "Email not present in whitelist",
-  session_manager_unsupported: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
-  missing_config: "Missing required config keys: {keys}"
-};
-function interpolate$1(template, params) {
-  if (!params) return template;
-  return template.replace(/\{(\w+)\}/g, (_, key) => String(params[key] ?? `{${key}}`));
-}
-function getErrorDetail(key, params) {
-  const template = ERROR_DETAIL_TEMPLATES[key];
-  if (!template) return void 0;
-  return interpolate$1(template, params);
-}
-const errorMessages = {
-  TOKEN_EXCHANGE_FAILED: "Token exchange failed",
-  USERINFO_FETCH_FAILED: "Failed to fetch user info",
-  ID_TOKEN_PARSE_FAILED: "Failed to parse ID token",
-  NONCE_MISMATCH: "Nonce mismatch",
-  INVALID_EMAIL: "Invalid email address received from OIDC provider",
-  EMAIL_NOT_VERIFIED: "Email address has not been verified by the OIDC provider",
-  ID_TOKEN_INVALID: "ID token verification failed",
-  WHITELIST_NOT_PRESENT: "Not present in whitelist",
-  SESSION_MANAGER_UNSUPPORTED: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
-  MISSING_CONFIG: (keys) => `Missing required config keys: ${keys}`
-};
 const en = {
   "global.plugins.strapi-plugin-oidc": "OIDC Plugin",
   "page.title": "Configure OIDC default role(s) and access controls.",
@@ -611,9 +616,7 @@ async function verifyIdToken(idToken, config2) {
   if (!jwksUri) {
     if (!jwksDisabledWarned) {
       jwksDisabledWarned = true;
-      strapi.log.warn(
-        "[OIDC] OIDC_JWKS_URI is not configured — ID token signature verification is disabled. Set OIDC_JWKS_URI and OIDC_ISSUER from your provider's discovery document."
-      );
+      strapi.log.warn(errorMessages.JWKS_URI_NOT_CONFIGURED);
     }
     return null;
   }
@@ -1385,7 +1388,7 @@ function errorAwareNdjsonStream(strapi2, service, filters) {
   const gen = ndjsonRowStream(service, filters);
   const readable = Readable.from(gen);
   readable.on("error", (err) => {
-    strapi2.log.error({ phase: "audit_log_export", err }, "NDJSON export stream failed");
+    strapi2.log.error({ phase: "audit_log_export", err }, errorMessages.AUDIT_LOG_EXPORT_ERROR);
   });
   return readable;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.8.1",
+  "version": "1.8.2",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",