strapi-plugin-oidc 1.8.2 → 1.8.4
- package/README.md +13 -2
- package/dist/server/index.js +11 -3
- package/dist/server/index.mjs +11 -3
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -48,7 +48,7 @@ module.exports = ({ env }) => ({
|
|
|
48
48
|
OIDC_GROUP_FIELD: 'groups', // OIDC claim field containing group membership
|
|
49
49
|
OIDC_GROUP_ROLE_MAP: '{}', // JSON map of group names to Strapi role names
|
|
50
50
|
OIDC_REQUIRE_EMAIL_VERIFIED: true, // Reject logins when provider does not report email_verified=true (set false to disable)
|
|
51
|
-
OIDC_TRUSTED_IP_HEADER: '', // Optional:
|
|
51
|
+
OIDC_TRUSTED_IP_HEADER: '', // Optional: header set by your CDN/proxy containing the real client IP (see note below); only honoured when server.proxy: true
|
|
52
52
|
OIDC_FORCE_SECURE_COOKIES: false, // Set true when behind a trusted HTTPS proxy that Strapi can't auto-detect
|
|
53
53
|
},
|
|
54
54
|
},
|
|
@@ -69,7 +69,18 @@ module.exports = ({ env }) => ({
|
|
|
69
69
|
|
|
70
70
|
The plugin logs client IPs for rate-limit buckets and audit logs. When Strapi runs behind a reverse proxy, **set `server.proxy: true`** so Koa trusts `X-Forwarded-For`; otherwise all IPs will be the proxy's.
|
|
71
71
|
|
|
72
|
-
Set `OIDC_TRUSTED_IP_HEADER
|
|
72
|
+
Set `OIDC_TRUSTED_IP_HEADER` to the header your CDN or proxy uses to forward the real client IP. The header is only honoured when `server.proxy: true` is set. Accepted values (all others are silently ignored):
|
|
73
|
+
|
|
74
|
+
| Header | Provider |
|
|
75
|
+
| --------------------------- | ------------------------------------------------- |
|
|
76
|
+
| `cf-connecting-ip` | Cloudflare |
|
|
77
|
+
| `true-client-ip` | Cloudflare Enterprise, Akamai |
|
|
78
|
+
| `fastly-client-ip` | Fastly |
|
|
79
|
+
| `fly-client-ip` | Fly.io |
|
|
80
|
+
| `x-nf-client-connection-ip` | Netlify |
|
|
81
|
+
| `x-real-ip` | nginx (`proxy_set_header X-Real-IP $remote_addr`) |
|
|
82
|
+
|
|
83
|
+
Only headers that CDN/proxy vendors guarantee to strip from inbound client requests are accepted, preventing IP spoofing via forged headers.
|
|
73
84
|
|
|
74
85
|
## Login
|
|
75
86
|
|
package/dist/server/index.js
CHANGED
|
@@ -115,9 +115,10 @@ async function applyDiscovery(strapi2) {
|
|
|
115
115
|
if (!res.ok) throw new Error(`HTTP ${res.status}`);
|
|
116
116
|
doc = await res.json();
|
|
117
117
|
} catch (e) {
|
|
118
|
-
|
|
118
|
+
strapi2.log.error(
|
|
119
119
|
errorMessages.DISCOVERY_FETCH_ERROR(discoveryUrl, e instanceof Error ? e.message : String(e))
|
|
120
120
|
);
|
|
121
|
+
return;
|
|
121
122
|
}
|
|
122
123
|
const updates = {};
|
|
123
124
|
for (const [docField, configKey] of FIELD_MAP) {
|
|
@@ -566,13 +567,20 @@ const OIDC_ERROR_DISPATCH = {
|
|
|
566
567
|
key: "sign_in_unknown"
|
|
567
568
|
}
|
|
568
569
|
};
|
|
569
|
-
const
|
|
570
|
+
const TRUSTED_IP_HEADERS = /* @__PURE__ */ new Set([
|
|
571
|
+
"cf-connecting-ip",
|
|
572
|
+
"true-client-ip",
|
|
573
|
+
"x-real-ip",
|
|
574
|
+
"fastly-client-ip",
|
|
575
|
+
"fly-client-ip",
|
|
576
|
+
"x-nf-client-connection-ip"
|
|
577
|
+
]);
|
|
570
578
|
function getTrustedHeaderName() {
|
|
571
579
|
const config2 = strapi.config.get("plugin::strapi-plugin-oidc") ?? {};
|
|
572
580
|
const raw = config2.OIDC_TRUSTED_IP_HEADER;
|
|
573
581
|
if (typeof raw !== "string" || !raw) return void 0;
|
|
574
582
|
const normalized = raw.trim().toLowerCase();
|
|
575
|
-
return normalized
|
|
583
|
+
return TRUSTED_IP_HEADERS.has(normalized) ? normalized : void 0;
|
|
576
584
|
}
|
|
577
585
|
function getClientIp(ctx) {
|
|
578
586
|
const proxyTrusted = ctx.app?.proxy === true;
|
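Review bot: `getTrustedHeaderName` rejects a non-allowlisted `OIDC_TRUSTED_IP_HEADER` with no signal at all, so an operator who sets the very common `x-forwarded-for` gets `void 0` back and rate-limit buckets and audit logs quietly fall back to whatever `getClientIp` uses next (its body starts at the hunk edge and continues outside it). Log the rejection, guarded so it fires once rather than per request, e.g. `if (!TRUSTED_IP_HEADERS.has(normalized)) { strapi.log.warn(\`OIDC_TRUSTED_IP_HEADER "${raw}" is not a recognised proxy header and will be ignored\`); return void 0; }` before the existing `return`. The allowlist also only constrains the header *name*; whether the header's value is checked to be an IP before it becomes a bucket key is decided in `getClientIp`, which is not visible here, so that is worth confirming. A comment on `TRUSTED_IP_HEADERS` saying `// Names only: accepting a header here does not validate its value` would make that boundary explicit.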
package/dist/server/index.mjs
CHANGED
|
@@ -109,9 +109,10 @@ async function applyDiscovery(strapi2) {
|
|
|
109
109
|
if (!res.ok) throw new Error(`HTTP ${res.status}`);
|
|
110
110
|
doc = await res.json();
|
|
111
111
|
} catch (e) {
|
|
112
|
-
|
|
112
|
+
strapi2.log.error(
|
|
113
113
|
errorMessages.DISCOVERY_FETCH_ERROR(discoveryUrl, e instanceof Error ? e.message : String(e))
|
|
114
114
|
);
|
|
115
|
+
return;
|
|
115
116
|
}
|
|
116
117
|
const updates = {};
|
|
117
118
|
for (const [docField, configKey] of FIELD_MAP) {
|
|
@@ -560,13 +561,20 @@ const OIDC_ERROR_DISPATCH = {
|
|
|
560
561
|
key: "sign_in_unknown"
|
|
561
562
|
}
|
|
562
563
|
};
|
|
563
|
-
const
|
|
564
|
+
const TRUSTED_IP_HEADERS = /* @__PURE__ */ new Set([
|
|
565
|
+
"cf-connecting-ip",
|
|
566
|
+
"true-client-ip",
|
|
567
|
+
"x-real-ip",
|
|
568
|
+
"fastly-client-ip",
|
|
569
|
+
"fly-client-ip",
|
|
570
|
+
"x-nf-client-connection-ip"
|
|
571
|
+
]);
|
|
564
572
|
function getTrustedHeaderName() {
|
|
565
573
|
const config2 = strapi.config.get("plugin::strapi-plugin-oidc") ?? {};
|
|
566
574
|
const raw = config2.OIDC_TRUSTED_IP_HEADER;
|
|
567
575
|
if (typeof raw !== "string" || !raw) return void 0;
|
|
568
576
|
const normalized = raw.trim().toLowerCase();
|
|
569
|
-
return normalized
|
|
577
|
+
return TRUSTED_IP_HEADERS.has(normalized) ? normalized : void 0;
|
|
570
578
|
}
|
|
571
579
|
function getClientIp(ctx) {
|
|
572
580
|
const proxyTrusted = ctx.app?.proxy === true;
|
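Review bot: `"x-real-ip"` in `TRUSTED_IP_HEADERS` is not in the same class as the CDN entries around it: nginx only sets it when the operator configures `proxy_set_header X-Real-IP $remote_addr`, and with no such directive nginx passes a client-supplied `X-Real-IP` straight through to the upstream, so membership in this set does not by itself make that choice spoof-resistant. I would annotate the entry: `// only safe when the proxy overwrites it (nginx: proxy_set_header X-Real-IP $remote_addr); the name check cannot verify that`. I am also not certain Cloudflare strips an inbound `True-Client-IP` on zones where that feature is not enabled, so the README's "vendors guarantee to strip" wording deserves checking before it is relied on. None of the entries help if the origin is reachable without passing through the named proxy, which is worth a one-line comment above the set. This is the ESM twin of `dist/server/index.js`; the two lists match today and should be kept identical.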
package/package.json
CHANGED