npm - strapi-plugin-oidc - Versions diffs - 1.8.3 → 1.8.4 - Mend

strapi-plugin-oidc 1.8.3 → 1.8.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -48,7 +48,7 @@ module.exports = ({ env }) => ({
       OIDC_GROUP_FIELD: 'groups', // OIDC claim field containing group membership
       OIDC_GROUP_ROLE_MAP: '{}', // JSON map of group names to Strapi role names
       OIDC_REQUIRE_EMAIL_VERIFIED: true, // Reject logins when provider does not report email_verified=true (set false to disable)
-      OIDC_TRUSTED_IP_HEADER: '', // Optional: 'cf-connecting-ip' for Cloudflare; read only when Strapi trusts the proxy
+      OIDC_TRUSTED_IP_HEADER: '', // Optional: header set by your CDN/proxy containing the real client IP (see note below); only honoured when server.proxy: true
       OIDC_FORCE_SECURE_COOKIES: false, // Set true when behind a trusted HTTPS proxy that Strapi can't auto-detect
     },
   },
@@ -69,7 +69,18 @@ module.exports = ({ env }) => ({
 The plugin logs client IPs for rate-limit buckets and audit logs. When Strapi runs behind a reverse proxy, **set `server.proxy: true`** so Koa trusts `X-Forwarded-For`; otherwise all IPs will be the proxy's.
-Set `OIDC_TRUSTED_IP_HEADER: 'cf-connecting-ip'` when behind Cloudflare. The header is only honoured when `server.proxy: true` is set.
+Set `OIDC_TRUSTED_IP_HEADER` to the header your CDN or proxy uses to forward the real client IP. The header is only honoured when `server.proxy: true` is set. Accepted values (all others are silently ignored):
+| Header                      | Provider                                          |
+| --------------------------- | ------------------------------------------------- |
+| `cf-connecting-ip`          | Cloudflare                                        |
+| `true-client-ip`            | Cloudflare Enterprise, Akamai                     |
+| `fastly-client-ip`          | Fastly                                            |
+| `fly-client-ip`             | Fly.io                                            |
+| `x-nf-client-connection-ip` | Netlify                                           |
+| `x-real-ip`                 | nginx (`proxy_set_header X-Real-IP $remote_addr`) |
+Only headers that CDN/proxy vendors guarantee to strip from inbound client requests are accepted, preventing IP spoofing via forged headers.
 ## Login

package/dist/server/index.js CHANGED Viewed

@@ -567,13 +567,20 @@ const OIDC_ERROR_DISPATCH = {
     key: "sign_in_unknown"
   }
 };
-const TRUSTED_IP_HEADER = "cf-connecting-ip";
+const TRUSTED_IP_HEADERS = /* @__PURE__ */ new Set([
+  "cf-connecting-ip",
+  "true-client-ip",
+  "x-real-ip",
+  "fastly-client-ip",
+  "fly-client-ip",
+  "x-nf-client-connection-ip"
+]);
 function getTrustedHeaderName() {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc") ?? {};
   const raw = config2.OIDC_TRUSTED_IP_HEADER;
   if (typeof raw !== "string" || !raw) return void 0;
   const normalized = raw.trim().toLowerCase();
-  return normalized === TRUSTED_IP_HEADER ? normalized : void 0;
+  return TRUSTED_IP_HEADERS.has(normalized) ? normalized : void 0;
 }
 function getClientIp(ctx) {
   const proxyTrusted = ctx.app?.proxy === true;

package/dist/server/index.mjs CHANGED Viewed

@@ -561,13 +561,20 @@ const OIDC_ERROR_DISPATCH = {
     key: "sign_in_unknown"
   }
 };
-const TRUSTED_IP_HEADER = "cf-connecting-ip";
+const TRUSTED_IP_HEADERS = /* @__PURE__ */ new Set([
+  "cf-connecting-ip",
+  "true-client-ip",
+  "x-real-ip",
+  "fastly-client-ip",
+  "fly-client-ip",
+  "x-nf-client-connection-ip"
+]);
 function getTrustedHeaderName() {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc") ?? {};
   const raw = config2.OIDC_TRUSTED_IP_HEADER;
   if (typeof raw !== "string" || !raw) return void 0;
   const normalized = raw.trim().toLowerCase();
-  return normalized === TRUSTED_IP_HEADER ? normalized : void 0;
+  return TRUSTED_IP_HEADERS.has(normalized) ? normalized : void 0;
 }
 function getClientIp(ctx) {
   const proxyTrusted = ctx.app?.proxy === true;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.8.3",
+  "version": "1.8.4",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",