npm - strapi-plugin-oidc - Versions diffs - 1.8.3 → 1.8.5 - Mend

strapi-plugin-oidc 1.8.3 → 1.8.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +22 -3
package/dist/admin/{index-Bb9-aYb4.mjs → index-BlfNZYVU.mjs} +1 -1
package/dist/admin/{index-Dk6TYtio.js → index-C8nfr95D.js} +1 -1
package/dist/admin/{index-Bmg4eTYb.js → index-DDCcJt16.js} +183 -179
package/dist/admin/{index-BqWd-Iiq.mjs → index-DRFXk_MQ.mjs} +183 -179
package/dist/admin/index.js +1 -1
package/dist/admin/index.mjs +1 -1
package/dist/server/index.js +231 -219
package/dist/server/index.mjs +232 -220
package/package.json +1 -1

package/dist/server/index.js CHANGED Viewed

@@ -345,9 +345,149 @@ function clearAuthCookies(strapi2, ctx) {
     ctx.cookies.set(name, "", rootPathOptions);
   }
 }
-const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-function isValidEmail(email) {
-  return EMAIL_REGEX.test(email);
+class OidcError extends Error {
+  kind;
+  cause;
+  constructor(kind, message, cause) {
+    super(message);
+    this.name = "OidcError";
+    this.kind = kind;
+    this.cause = cause;
+  }
+}
+const OIDC_ERROR_DISPATCH = {
+  nonce_mismatch: { action: "nonce_mismatch", code: errorCodes.NONCE_MISMATCH },
+  token_exchange_failed: {
+    action: "token_exchange_failed",
+    code: errorCodes.TOKEN_EXCHANGE_FAILED
+  },
+  id_token_parse_failed: {
+    action: "login_failure",
+    code: errorCodes.ID_TOKEN_PARSE_FAILED,
+    key: "id_token_parse_failed"
+  },
+  userinfo_fetch_failed: {
+    action: "login_failure",
+    code: errorCodes.USERINFO_FETCH_FAILED,
+    key: "userinfo_fetch_failed"
+  },
+  user_creation_failed: {
+    action: "login_failure",
+    code: errorCodes.USER_CREATION_FAILED,
+    key: "user_creation_failed"
+  },
+  whitelist_rejected: {
+    action: "whitelist_rejected",
+    code: errorCodes.WHITELIST_CHECK_FAILED,
+    key: "whitelist_rejected"
+  },
+  invalid_email: {
+    action: "login_failure",
+    code: errorCodes.TOKEN_EXCHANGE_FAILED,
+    key: "sign_in_unknown"
+  },
+  email_not_verified: {
+    action: "email_not_verified",
+    code: errorCodes.EMAIL_NOT_VERIFIED,
+    key: "email_not_verified"
+  },
+  id_token_invalid: {
+    action: "id_token_invalid",
+    code: errorCodes.ID_TOKEN_INVALID,
+    key: "id_token_invalid"
+  },
+  unknown: {
+    action: "login_failure",
+    code: errorCodes.TOKEN_EXCHANGE_FAILED,
+    key: "sign_in_unknown"
+  }
+};
+function toMessage(e) {
+  return e instanceof Error ? e.message : String(e);
+}
+const REQUIRED_CONFIG_KEYS = [
+  "OIDC_DISCOVERY_URL",
+  "OIDC_CLIENT_ID",
+  "OIDC_CLIENT_SECRET",
+  "OIDC_REDIRECT_URI",
+  "OIDC_SCOPE",
+  "OIDC_FAMILY_NAME_FIELD",
+  "OIDC_GIVEN_NAME_FIELD",
+  // Populated at bootstrap from OIDC_DISCOVERY_URL — checked here as a runtime safety net
+  "OIDC_TOKEN_ENDPOINT",
+  "OIDC_USERINFO_ENDPOINT",
+  "OIDC_AUTHORIZATION_ENDPOINT"
+];
+const jwksCache = /* @__PURE__ */ new Map();
+let jwksDisabledWarned = false;
+function getJwks(uri) {
+  let jwks = jwksCache.get(uri);
+  if (!jwks) {
+    jwks = jose.createRemoteJWKSet(new URL(uri));
+    jwksCache.set(uri, jwks);
+  }
+  return jwks;
+}
+async function verifyIdToken(idToken, config2) {
+  const jwksUri = config2.OIDC_JWKS_URI;
+  const issuer = config2.OIDC_ISSUER;
+  if (!jwksUri) {
+    if (!jwksDisabledWarned) {
+      jwksDisabledWarned = true;
+      strapi.log.warn(errorMessages.JWKS_URI_NOT_CONFIGURED);
+    }
+    return null;
+  }
+  try {
+    const jwks = getJwks(jwksUri);
+    const { payload } = await jose.jwtVerify(idToken, jwks, {
+      issuer: issuer || void 0,
+      audience: config2.OIDC_CLIENT_ID
+    });
+    return payload;
+  } catch (e) {
+    if (e instanceof jose.errors.JWTClaimValidationFailed || e instanceof jose.errors.JWSSignatureVerificationFailed || e instanceof jose.errors.JWTExpired || e instanceof jose.errors.JWTInvalid || e instanceof jose.errors.JWSInvalid) {
+      const msg = toMessage(e);
+      throw new OidcError("id_token_invalid", msg, e);
+    }
+    throw e;
+  }
+}
+function configValidation() {
+  const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
+  const missing = REQUIRED_CONFIG_KEYS.filter((key) => !config2[key]);
+  if (missing.length === 0) {
+    return config2;
+  }
+  throw new Error(errorMessages.MISSING_CONFIG(missing.join(", ")));
+}
+async function oidcSignIn(ctx) {
+  const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPE, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
+  const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge__default.default();
+  const state = node_crypto.randomBytes(32).toString("base64url");
+  const nonce = node_crypto.randomBytes(32).toString("base64url");
+  const cookieOptions = {
+    httpOnly: true,
+    maxAge: 6e5,
+    secure: shouldMarkSecure(strapi, ctx),
+    sameSite: "lax"
+  };
+  ctx.cookies.set("oidc_code_verifier", codeVerifier, cookieOptions);
+  ctx.cookies.set("oidc_state", state, cookieOptions);
+  ctx.cookies.set("oidc_nonce", nonce, cookieOptions);
+  const params = new URLSearchParams({
+    response_type: "code",
+    client_id: OIDC_CLIENT_ID,
+    redirect_uri: OIDC_REDIRECT_URI,
+    scope: OIDC_SCOPE,
+    code_challenge: codeChallenge,
+    code_challenge_method: "S256",
+    state,
+    nonce
+  });
+  const authorizationUrl = `${OIDC_AUTHORIZATION_ENDPOINT}?${params.toString()}`;
+  ctx.set("Location", authorizationUrl);
+  return ctx.send({}, 302);
 }
 const en = {
   "global.plugins.strapi-plugin-oidc": "OIDC Plugin",
@@ -510,70 +650,20 @@ const authPageMessages = (locale) => ({
   errorTitle: t(locale, "auth.page.error.title", "Authentication Failed"),
   returnToLogin: t(locale, "auth.page.error.returnToLogin", "Return to Login")
 });
-class OidcError extends Error {
-  kind;
-  cause;
-  constructor(kind, message, cause) {
-    super(message);
-    this.name = "OidcError";
-    this.kind = kind;
-    this.cause = cause;
-  }
-}
-const OIDC_ERROR_DISPATCH = {
-  nonce_mismatch: { action: "nonce_mismatch", code: errorCodes.NONCE_MISMATCH },
-  token_exchange_failed: {
-    action: "token_exchange_failed",
-    code: errorCodes.TOKEN_EXCHANGE_FAILED
-  },
-  id_token_parse_failed: {
-    action: "login_failure",
-    code: errorCodes.ID_TOKEN_PARSE_FAILED,
-    key: "id_token_parse_failed"
-  },
-  userinfo_fetch_failed: {
-    action: "login_failure",
-    code: errorCodes.USERINFO_FETCH_FAILED,
-    key: "userinfo_fetch_failed"
-  },
-  user_creation_failed: {
-    action: "login_failure",
-    code: errorCodes.USER_CREATION_FAILED,
-    key: "user_creation_failed"
-  },
-  whitelist_rejected: {
-    action: "whitelist_rejected",
-    code: errorCodes.WHITELIST_CHECK_FAILED,
-    key: "whitelist_rejected"
-  },
-  invalid_email: {
-    action: "login_failure",
-    code: errorCodes.TOKEN_EXCHANGE_FAILED,
-    key: "sign_in_unknown"
-  },
-  email_not_verified: {
-    action: "email_not_verified",
-    code: errorCodes.EMAIL_NOT_VERIFIED,
-    key: "email_not_verified"
-  },
-  id_token_invalid: {
-    action: "id_token_invalid",
-    code: errorCodes.ID_TOKEN_INVALID,
-    key: "id_token_invalid"
-  },
-  unknown: {
-    action: "login_failure",
-    code: errorCodes.TOKEN_EXCHANGE_FAILED,
-    key: "sign_in_unknown"
-  }
-};
-const TRUSTED_IP_HEADER = "cf-connecting-ip";
+const TRUSTED_IP_HEADERS = /* @__PURE__ */ new Set([
+  "cf-connecting-ip",
+  "true-client-ip",
+  "x-real-ip",
+  "fastly-client-ip",
+  "fly-client-ip",
+  "x-nf-client-connection-ip"
+]);
 function getTrustedHeaderName() {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc") ?? {};
   const raw = config2.OIDC_TRUSTED_IP_HEADER;
   if (typeof raw !== "string" || !raw) return void 0;
   const normalized = raw.trim().toLowerCase();
-  return normalized === TRUSTED_IP_HEADER ? normalized : void 0;
+  return TRUSTED_IP_HEADERS.has(normalized) ? normalized : void 0;
 }
 function getClientIp(ctx) {
   const proxyTrusted = ctx.app?.proxy === true;
@@ -590,128 +680,9 @@ function getClientIp(ctx) {
   }
   return ctx.ip;
 }
-function toMessage(e) {
-  return e instanceof Error ? e.message : String(e);
-}
-const REQUIRED_CONFIG_KEYS = [
-  "OIDC_DISCOVERY_URL",
-  "OIDC_CLIENT_ID",
-  "OIDC_CLIENT_SECRET",
-  "OIDC_REDIRECT_URI",
-  "OIDC_SCOPE",
-  "OIDC_FAMILY_NAME_FIELD",
-  "OIDC_GIVEN_NAME_FIELD",
-  // Populated at bootstrap from OIDC_DISCOVERY_URL — checked here as a runtime safety net
-  "OIDC_TOKEN_ENDPOINT",
-  "OIDC_USERINFO_ENDPOINT",
-  "OIDC_AUTHORIZATION_ENDPOINT"
-];
-const LOGOUT_USERINFO_TIMEOUT_MS = 1500;
-const jwksCache = /* @__PURE__ */ new Map();
-let jwksDisabledWarned = false;
-function getJwks(uri) {
-  let jwks = jwksCache.get(uri);
-  if (!jwks) {
-    jwks = jose.createRemoteJWKSet(new URL(uri));
-    jwksCache.set(uri, jwks);
-  }
-  return jwks;
-}
-async function verifyIdToken(idToken, config2) {
-  const jwksUri = config2.OIDC_JWKS_URI;
-  const issuer = config2.OIDC_ISSUER;
-  if (!jwksUri) {
-    if (!jwksDisabledWarned) {
-      jwksDisabledWarned = true;
-      strapi.log.warn(errorMessages.JWKS_URI_NOT_CONFIGURED);
-    }
-    return null;
-  }
-  try {
-    const jwks = getJwks(jwksUri);
-    const { payload } = await jose.jwtVerify(idToken, jwks, {
-      issuer: issuer || void 0,
-      audience: config2.OIDC_CLIENT_ID
-    });
-    return payload;
-  } catch (e) {
-    if (e instanceof jose.errors.JWTClaimValidationFailed || e instanceof jose.errors.JWSSignatureVerificationFailed || e instanceof jose.errors.JWTExpired || e instanceof jose.errors.JWTInvalid || e instanceof jose.errors.JWSInvalid) {
-      const msg = toMessage(e);
-      throw new OidcError("id_token_invalid", msg, e);
-    }
-    throw e;
-  }
-}
-function configValidation() {
-  const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
-  const missing = REQUIRED_CONFIG_KEYS.filter((key) => !config2[key]);
-  if (missing.length === 0) {
-    return config2;
-  }
-  throw new Error(errorMessages.MISSING_CONFIG(missing.join(", ")));
-}
-async function oidcSignIn(ctx) {
-  const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPE, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
-  const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge__default.default();
-  const state = node_crypto.randomBytes(32).toString("base64url");
-  const nonce = node_crypto.randomBytes(32).toString("base64url");
-  const cookieOptions = {
-    httpOnly: true,
-    maxAge: 6e5,
-    secure: shouldMarkSecure(strapi, ctx),
-    sameSite: "lax"
-  };
-  ctx.cookies.set("oidc_code_verifier", codeVerifier, cookieOptions);
-  ctx.cookies.set("oidc_state", state, cookieOptions);
-  ctx.cookies.set("oidc_nonce", nonce, cookieOptions);
-  const params = new URLSearchParams({
-    response_type: "code",
-    client_id: OIDC_CLIENT_ID,
-    redirect_uri: OIDC_REDIRECT_URI,
-    scope: OIDC_SCOPE,
-    code_challenge: codeChallenge,
-    code_challenge_method: "S256",
-    state,
-    nonce
-  });
-  const authorizationUrl = `${OIDC_AUTHORIZATION_ENDPOINT}?${params.toString()}`;
-  ctx.set("Location", authorizationUrl);
-  return ctx.send({}, 302);
-}
-async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
-  const response = await fetch(config2.OIDC_TOKEN_ENDPOINT, {
-    method: "POST",
-    body: params,
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded"
-    }
-  });
-  if (!response.ok) {
-    throw new OidcError("token_exchange_failed", errorMessages.TOKEN_EXCHANGE_FAILED);
-  }
-  const tokenData = await response.json();
-  if (tokenData.id_token) {
-    const verifiedPayload = await verifyIdToken(tokenData.id_token, config2);
-    try {
-      const idTokenPayload = verifiedPayload ?? JSON.parse(
-        Buffer.from(tokenData.id_token.split(".")[1], "base64url").toString("utf8")
-      );
-      if (idTokenPayload.nonce !== expectedNonce) {
-        throw new OidcError("nonce_mismatch", errorMessages.NONCE_MISMATCH);
-      }
-    } catch (e) {
-      if (e instanceof OidcError) throw e;
-      throw new OidcError("id_token_parse_failed", errorMessages.ID_TOKEN_PARSE_FAILED, e);
-    }
-  }
-  const userResponse = await fetch(config2.OIDC_USERINFO_ENDPOINT, {
-    headers: { Authorization: `Bearer ${tokenData.access_token}` }
-  });
-  if (!userResponse.ok) {
-    throw new OidcError("userinfo_fetch_failed", errorMessages.USERINFO_FETCH_FAILED);
-  }
-  const userInfo = await userResponse.json();
-  return { userInfo, accessToken: tokenData.access_token };
+const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+function isValidEmail(email) {
+  return EMAIL_REGEX.test(email);
 }
 function collectGroupMapRoleNames(userInfo, config2) {
   const rawGroups = userInfo[config2.OIDC_GROUP_FIELD];
@@ -891,6 +862,61 @@ function classifyOidcError(e, userInfo) {
     params
   };
 }
+async function handleCallbackError(e, userInfo, auditLog2, oauthService2, ctx) {
+  const errorInfo = classifyOidcError(e, userInfo);
+  const message = toMessage(e);
+  await auditLog2.log({
+    action: errorInfo.action,
+    email: userInfo?.email,
+    ip: getClientIp(ctx),
+    detailsKey: errorInfo.action,
+    detailsParams: errorInfo.action === "login_failure" ? { message } : void 0
+  });
+  strapi.log.error({
+    code: errorInfo.code,
+    phase: "oidc_callback",
+    message: e instanceof Error ? e.message : "Unknown sign-in error",
+    detail: errorInfo.key ? getErrorDetail(errorInfo.key, errorInfo.params) : void 0,
+    email: userInfo?.email
+  });
+  const locale = negotiateLocale(ctx.request.headers["accept-language"]);
+  ctx.send(oauthService2.renderSignUpError(userFacingMessages(locale).signInError, locale));
+}
+async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
+  const response = await fetch(config2.OIDC_TOKEN_ENDPOINT, {
+    method: "POST",
+    body: params,
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    }
+  });
+  if (!response.ok) {
+    throw new OidcError("token_exchange_failed", errorMessages.TOKEN_EXCHANGE_FAILED);
+  }
+  const tokenData = await response.json();
+  if (tokenData.id_token) {
+    const verifiedPayload = await verifyIdToken(tokenData.id_token, config2);
+    try {
+      const idTokenPayload = verifiedPayload ?? JSON.parse(
+        Buffer.from(tokenData.id_token.split(".")[1], "base64url").toString("utf8")
+      );
+      if (idTokenPayload.nonce !== expectedNonce) {
+        throw new OidcError("nonce_mismatch", errorMessages.NONCE_MISMATCH);
+      }
+    } catch (e) {
+      if (e instanceof OidcError) throw e;
+      throw new OidcError("id_token_parse_failed", errorMessages.ID_TOKEN_PARSE_FAILED, e);
+    }
+  }
+  const userResponse = await fetch(config2.OIDC_USERINFO_ENDPOINT, {
+    headers: { Authorization: `Bearer ${tokenData.access_token}` }
+  });
+  if (!userResponse.ok) {
+    throw new OidcError("userinfo_fetch_failed", errorMessages.USERINFO_FETCH_FAILED);
+  }
+  const userInfo = await userResponse.json();
+  return { userInfo, accessToken: tokenData.access_token };
+}
 function readAndClearPkceCookies(ctx) {
   const oidcState = ctx.cookies.get("oidc_state");
   const codeVerifier = ctx.cookies.get("oidc_code_verifier");
@@ -924,26 +950,6 @@ async function logSuccessfulAuth(auditLog2, ctx, user, userCreated, rolesUpdated
   }
   await Promise.all(entries);
 }
-async function handleCallbackError(e, userInfo, auditLog2, oauthService2, ctx) {
-  const errorInfo = classifyOidcError(e, userInfo);
-  const message = toMessage(e);
-  await auditLog2.log({
-    action: errorInfo.action,
-    email: userInfo?.email,
-    ip: getClientIp(ctx),
-    detailsKey: errorInfo.action,
-    detailsParams: errorInfo.action === "login_failure" ? { message } : void 0
-  });
-  strapi.log.error({
-    code: errorInfo.code,
-    phase: "oidc_callback",
-    message: e instanceof Error ? e.message : "Unknown sign-in error",
-    detail: errorInfo.key ? getErrorDetail(errorInfo.key, errorInfo.params) : void 0,
-    email: userInfo?.email
-  });
-  const locale = negotiateLocale(ctx.request.headers["accept-language"]);
-  ctx.send(oauthService2.renderSignUpError(userFacingMessages(locale).signInError, locale));
-}
 async function oidcSignInCallback(ctx) {
   const config2 = configValidation();
   const oauthService2 = getOauthService();
@@ -1011,6 +1017,7 @@ async function oidcSignInCallback(ctx) {
     await handleCallbackError(e, userInfo, auditLog2, oauthService2, ctx);
   }
 }
+const LOGOUT_USERINFO_TIMEOUT_MS = 1500;
 async function isProviderSessionExpired(userinfoEndpoint, accessToken) {
   try {
     const response = await fetch(userinfoEndpoint, {
@@ -2054,6 +2061,7 @@ function translateDetails(key, params) {
   if (!translation) return null;
   return interpolate(translation, params);
 }
+const DAY_MS = 864e5;
 const STRING_OP_MAP = {
   $eq: (v) => v,
   $contains: (v) => ({ $containsi: v }),
@@ -2066,9 +2074,11 @@ const DATE_OP_MAP = {
   $lt: (v) => ({ $lt: v }),
   $lte: (v) => ({ $lte: v }),
   $between: (v) => ({ $between: v })
-  // $in is handled separately: each ISO day-start is expanded to a [day, day+1) range.
 };
-const DAY_MS = 864e5;
+const ACTION_OP_MAP = {
+  $eq: (v) => v,
+  $in: (v) => ({ $in: v })
+};
 function nextDayIso(iso) {
   return new Date(new Date(iso).getTime() + DAY_MS).toISOString();
 }
@@ -2076,10 +2086,6 @@ function expandCreatedAtInToDayRanges(days) {
   const ranges = days.map((d) => ({ createdAt: { $gte: d, $lt: nextDayIso(d) } }));
   return ranges.length === 1 ? ranges[0] : { $or: ranges };
 }
-const ACTION_OP_MAP = {
-  $eq: (v) => v,
-  $in: (v) => ({ $in: v })
-};
 function mapFieldFilter(conditions, field, filter, opMap) {
   for (const [op, value] of Object.entries(filter)) {
     const transform = opMap[op];
@@ -2088,20 +2094,26 @@ function mapFieldFilter(conditions, field, filter, opMap) {
     if (result !== void 0) conditions.push({ [field]: result });
   }
 }
+function buildDateConditions(conditions, createdAt) {
+  if (!createdAt) return;
+  const { $in: inDays, ...rest } = createdAt;
+  if (Array.isArray(inDays) && inDays.length > 0) {
+    conditions.push(expandCreatedAtInToDayRanges(inDays));
+  }
+  for (const [op, value] of Object.entries(rest)) {
+    const transform = DATE_OP_MAP[op];
+    if (transform) {
+      const result = transform(value);
+      if (result !== void 0) conditions.push({ createdAt: result });
+    }
+  }
+}
 function buildWhereClause(filters) {
   const conditions = [];
   if (filters.action) mapFieldFilter(conditions, "action", filters.action, ACTION_OP_MAP);
   if (filters.email) mapFieldFilter(conditions, "email", filters.email, STRING_OP_MAP);
   if (filters.ip) mapFieldFilter(conditions, "ip", filters.ip, STRING_OP_MAP);
-  if (filters.createdAt) {
-    const { $in: inDays, ...rest } = filters.createdAt;
-    if (Array.isArray(inDays) && inDays.length > 0) {
-      conditions.push(expandCreatedAtInToDayRanges(inDays));
-    }
-    if (Object.keys(rest).length > 0) {
-      mapFieldFilter(conditions, "createdAt", rest, DATE_OP_MAP);
-    }
-  }
+  if (filters.createdAt) buildDateConditions(conditions, filters.createdAt);
   if (conditions.length === 0) return {};
   if (conditions.length === 1) return conditions[0];
   return { $and: conditions };