strapi-plugin-oidc 1.8.4 → 1.8.5

package/dist/server/index.js

@@ -345,9 +345,149 @@ function clearAuthCookies(strapi2, ctx) {
     ctx.cookies.set(name, "", rootPathOptions);
   }
 }
-const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-function isValidEmail(email) {
-  return EMAIL_REGEX.test(email);
+class OidcError extends Error {
+  kind;
+  cause;
+  constructor(kind, message, cause) {
+    super(message);
+    this.name = "OidcError";
+    this.kind = kind;
+    this.cause = cause;
+  }
+}
+const OIDC_ERROR_DISPATCH = {
+  nonce_mismatch: { action: "nonce_mismatch", code: errorCodes.NONCE_MISMATCH },
+  token_exchange_failed: {
+    action: "token_exchange_failed",
+    code: errorCodes.TOKEN_EXCHANGE_FAILED
+  },
+  id_token_parse_failed: {
+    action: "login_failure",
+    code: errorCodes.ID_TOKEN_PARSE_FAILED,
+    key: "id_token_parse_failed"
+  },
+  userinfo_fetch_failed: {
+    action: "login_failure",
+    code: errorCodes.USERINFO_FETCH_FAILED,
+    key: "userinfo_fetch_failed"
+  },
+  user_creation_failed: {
+    action: "login_failure",
+    code: errorCodes.USER_CREATION_FAILED,
+    key: "user_creation_failed"
+  },
+  whitelist_rejected: {
+    action: "whitelist_rejected",
+    code: errorCodes.WHITELIST_CHECK_FAILED,
+    key: "whitelist_rejected"
+  },
+  invalid_email: {
+    action: "login_failure",
+    code: errorCodes.TOKEN_EXCHANGE_FAILED,
+    key: "sign_in_unknown"
+  },
+  email_not_verified: {
+    action: "email_not_verified",
+    code: errorCodes.EMAIL_NOT_VERIFIED,
+    key: "email_not_verified"
+  },
+  id_token_invalid: {
+    action: "id_token_invalid",
+    code: errorCodes.ID_TOKEN_INVALID,
+    key: "id_token_invalid"
+  },
+  unknown: {
+    action: "login_failure",
+    code: errorCodes.TOKEN_EXCHANGE_FAILED,
+    key: "sign_in_unknown"
+  }
+};
+function toMessage(e) {
+  return e instanceof Error ? e.message : String(e);
+}
+const REQUIRED_CONFIG_KEYS = [
+  "OIDC_DISCOVERY_URL",
+  "OIDC_CLIENT_ID",
+  "OIDC_CLIENT_SECRET",
+  "OIDC_REDIRECT_URI",
+  "OIDC_SCOPE",
+  "OIDC_FAMILY_NAME_FIELD",
+  "OIDC_GIVEN_NAME_FIELD",
+  // Populated at bootstrap from OIDC_DISCOVERY_URL — checked here as a runtime safety net
+  "OIDC_TOKEN_ENDPOINT",
+  "OIDC_USERINFO_ENDPOINT",
+  "OIDC_AUTHORIZATION_ENDPOINT"
+];
+const jwksCache = /* @__PURE__ */ new Map();
+let jwksDisabledWarned = false;
+function getJwks(uri) {
+  let jwks = jwksCache.get(uri);
+  if (!jwks) {
+    jwks = jose.createRemoteJWKSet(new URL(uri));
+    jwksCache.set(uri, jwks);
+  }
+  return jwks;
+}
+async function verifyIdToken(idToken, config2) {
+  const jwksUri = config2.OIDC_JWKS_URI;
+  const issuer = config2.OIDC_ISSUER;
+  if (!jwksUri) {
+    if (!jwksDisabledWarned) {
+      jwksDisabledWarned = true;
+      strapi.log.warn(errorMessages.JWKS_URI_NOT_CONFIGURED);
+    }
+    return null;
+  }
+  try {
+    const jwks = getJwks(jwksUri);
+    const { payload } = await jose.jwtVerify(idToken, jwks, {
+      issuer: issuer || void 0,
+      audience: config2.OIDC_CLIENT_ID
+    });
+    return payload;
+  } catch (e) {
+    if (e instanceof jose.errors.JWTClaimValidationFailed || e instanceof jose.errors.JWSSignatureVerificationFailed || e instanceof jose.errors.JWTExpired || e instanceof jose.errors.JWTInvalid || e instanceof jose.errors.JWSInvalid) {
+      const msg = toMessage(e);
+      throw new OidcError("id_token_invalid", msg, e);
+    }
+    throw e;
+  }
+}
+function configValidation() {
+  const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
+  const missing = REQUIRED_CONFIG_KEYS.filter((key) => !config2[key]);
+  if (missing.length === 0) {
+    return config2;
+  }
+  throw new Error(errorMessages.MISSING_CONFIG(missing.join(", ")));
+}
+async function oidcSignIn(ctx) {
+  const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPE, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
+  const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge__default.default();
+  const state = node_crypto.randomBytes(32).toString("base64url");
+  const nonce = node_crypto.randomBytes(32).toString("base64url");
+  const cookieOptions = {
+    httpOnly: true,
+    maxAge: 6e5,
+    secure: shouldMarkSecure(strapi, ctx),
+    sameSite: "lax"
+  };
+  ctx.cookies.set("oidc_code_verifier", codeVerifier, cookieOptions);
+  ctx.cookies.set("oidc_state", state, cookieOptions);
+  ctx.cookies.set("oidc_nonce", nonce, cookieOptions);
+  const params = new URLSearchParams({
+    response_type: "code",
+    client_id: OIDC_CLIENT_ID,
+    redirect_uri: OIDC_REDIRECT_URI,
+    scope: OIDC_SCOPE,
+    code_challenge: codeChallenge,
+    code_challenge_method: "S256",
+    state,
+    nonce
+  });
+  const authorizationUrl = `${OIDC_AUTHORIZATION_ENDPOINT}?${params.toString()}`;
+  ctx.set("Location", authorizationUrl);
+  return ctx.send({}, 302);
 }
 const en = {
   "global.plugins.strapi-plugin-oidc": "OIDC Plugin",
@@ -510,63 +650,6 @@ const authPageMessages = (locale) => ({
   errorTitle: t(locale, "auth.page.error.title", "Authentication Failed"),
   returnToLogin: t(locale, "auth.page.error.returnToLogin", "Return to Login")
 });
-class OidcError extends Error {
-  kind;
-  cause;
-  constructor(kind, message, cause) {
-    super(message);
-    this.name = "OidcError";
-    this.kind = kind;
-    this.cause = cause;
-  }
-}
-const OIDC_ERROR_DISPATCH = {
-  nonce_mismatch: { action: "nonce_mismatch", code: errorCodes.NONCE_MISMATCH },
-  token_exchange_failed: {
-    action: "token_exchange_failed",
-    code: errorCodes.TOKEN_EXCHANGE_FAILED
-  },
-  id_token_parse_failed: {
-    action: "login_failure",
-    code: errorCodes.ID_TOKEN_PARSE_FAILED,
-    key: "id_token_parse_failed"
-  },
-  userinfo_fetch_failed: {
-    action: "login_failure",
-    code: errorCodes.USERINFO_FETCH_FAILED,
-    key: "userinfo_fetch_failed"
-  },
-  user_creation_failed: {
-    action: "login_failure",
-    code: errorCodes.USER_CREATION_FAILED,
-    key: "user_creation_failed"
-  },
-  whitelist_rejected: {
-    action: "whitelist_rejected",
-    code: errorCodes.WHITELIST_CHECK_FAILED,
-    key: "whitelist_rejected"
-  },
-  invalid_email: {
-    action: "login_failure",
-    code: errorCodes.TOKEN_EXCHANGE_FAILED,
-    key: "sign_in_unknown"
-  },
-  email_not_verified: {
-    action: "email_not_verified",
-    code: errorCodes.EMAIL_NOT_VERIFIED,
-    key: "email_not_verified"
-  },
-  id_token_invalid: {
-    action: "id_token_invalid",
-    code: errorCodes.ID_TOKEN_INVALID,
-    key: "id_token_invalid"
-  },
-  unknown: {
-    action: "login_failure",
-    code: errorCodes.TOKEN_EXCHANGE_FAILED,
-    key: "sign_in_unknown"
-  }
-};
 const TRUSTED_IP_HEADERS = /* @__PURE__ */ new Set([
   "cf-connecting-ip",
   "true-client-ip",
@@ -597,128 +680,9 @@ function getClientIp(ctx) {
   }
   return ctx.ip;
 }
-function toMessage(e) {
-  return e instanceof Error ? e.message : String(e);
-}
-const REQUIRED_CONFIG_KEYS = [
-  "OIDC_DISCOVERY_URL",
-  "OIDC_CLIENT_ID",
-  "OIDC_CLIENT_SECRET",
-  "OIDC_REDIRECT_URI",
-  "OIDC_SCOPE",
-  "OIDC_FAMILY_NAME_FIELD",
-  "OIDC_GIVEN_NAME_FIELD",
-  // Populated at bootstrap from OIDC_DISCOVERY_URL — checked here as a runtime safety net
-  "OIDC_TOKEN_ENDPOINT",
-  "OIDC_USERINFO_ENDPOINT",
-  "OIDC_AUTHORIZATION_ENDPOINT"
-];
-const LOGOUT_USERINFO_TIMEOUT_MS = 1500;
-const jwksCache = /* @__PURE__ */ new Map();
-let jwksDisabledWarned = false;
-function getJwks(uri) {
-  let jwks = jwksCache.get(uri);
-  if (!jwks) {
-    jwks = jose.createRemoteJWKSet(new URL(uri));
-    jwksCache.set(uri, jwks);
-  }
-  return jwks;
-}
-async function verifyIdToken(idToken, config2) {
-  const jwksUri = config2.OIDC_JWKS_URI;
-  const issuer = config2.OIDC_ISSUER;
-  if (!jwksUri) {
-    if (!jwksDisabledWarned) {
-      jwksDisabledWarned = true;
-      strapi.log.warn(errorMessages.JWKS_URI_NOT_CONFIGURED);
-    }
-    return null;
-  }
-  try {
-    const jwks = getJwks(jwksUri);
-    const { payload } = await jose.jwtVerify(idToken, jwks, {
-      issuer: issuer || void 0,
-      audience: config2.OIDC_CLIENT_ID
-    });
-    return payload;
-  } catch (e) {
-    if (e instanceof jose.errors.JWTClaimValidationFailed || e instanceof jose.errors.JWSSignatureVerificationFailed || e instanceof jose.errors.JWTExpired || e instanceof jose.errors.JWTInvalid || e instanceof jose.errors.JWSInvalid) {
-      const msg = toMessage(e);
-      throw new OidcError("id_token_invalid", msg, e);
-    }
-    throw e;
-  }
-}
-function configValidation() {
-  const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
-  const missing = REQUIRED_CONFIG_KEYS.filter((key) => !config2[key]);
-  if (missing.length === 0) {
-    return config2;
-  }
-  throw new Error(errorMessages.MISSING_CONFIG(missing.join(", ")));
-}
-async function oidcSignIn(ctx) {
-  const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPE, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
-  const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge__default.default();
-  const state = node_crypto.randomBytes(32).toString("base64url");
-  const nonce = node_crypto.randomBytes(32).toString("base64url");
-  const cookieOptions = {
-    httpOnly: true,
-    maxAge: 6e5,
-    secure: shouldMarkSecure(strapi, ctx),
-    sameSite: "lax"
-  };
-  ctx.cookies.set("oidc_code_verifier", codeVerifier, cookieOptions);
-  ctx.cookies.set("oidc_state", state, cookieOptions);
-  ctx.cookies.set("oidc_nonce", nonce, cookieOptions);
-  const params = new URLSearchParams({
-    response_type: "code",
-    client_id: OIDC_CLIENT_ID,
-    redirect_uri: OIDC_REDIRECT_URI,
-    scope: OIDC_SCOPE,
-    code_challenge: codeChallenge,
-    code_challenge_method: "S256",
-    state,
-    nonce
-  });
-  const authorizationUrl = `${OIDC_AUTHORIZATION_ENDPOINT}?${params.toString()}`;
-  ctx.set("Location", authorizationUrl);
-  return ctx.send({}, 302);
-}
-async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
-  const response = await fetch(config2.OIDC_TOKEN_ENDPOINT, {
-    method: "POST",
-    body: params,
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded"
-    }
-  });
-  if (!response.ok) {
-    throw new OidcError("token_exchange_failed", errorMessages.TOKEN_EXCHANGE_FAILED);
-  }
-  const tokenData = await response.json();
-  if (tokenData.id_token) {
-    const verifiedPayload = await verifyIdToken(tokenData.id_token, config2);
-    try {
-      const idTokenPayload = verifiedPayload ?? JSON.parse(
-        Buffer.from(tokenData.id_token.split(".")[1], "base64url").toString("utf8")
-      );
-      if (idTokenPayload.nonce !== expectedNonce) {
-        throw new OidcError("nonce_mismatch", errorMessages.NONCE_MISMATCH);
-      }
-    } catch (e) {
-      if (e instanceof OidcError) throw e;
-      throw new OidcError("id_token_parse_failed", errorMessages.ID_TOKEN_PARSE_FAILED, e);
-    }
-  }
-  const userResponse = await fetch(config2.OIDC_USERINFO_ENDPOINT, {
-    headers: { Authorization: `Bearer ${tokenData.access_token}` }
-  });
-  if (!userResponse.ok) {
-    throw new OidcError("userinfo_fetch_failed", errorMessages.USERINFO_FETCH_FAILED);
-  }
-  const userInfo = await userResponse.json();
-  return { userInfo, accessToken: tokenData.access_token };
+const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+function isValidEmail(email) {
+  return EMAIL_REGEX.test(email);
 }
 function collectGroupMapRoleNames(userInfo, config2) {
   const rawGroups = userInfo[config2.OIDC_GROUP_FIELD];
@@ -898,6 +862,61 @@ function classifyOidcError(e, userInfo) {
     params
   };
 }
+async function handleCallbackError(e, userInfo, auditLog2, oauthService2, ctx) {
+  const errorInfo = classifyOidcError(e, userInfo);
+  const message = toMessage(e);
+  await auditLog2.log({
+    action: errorInfo.action,
+    email: userInfo?.email,
+    ip: getClientIp(ctx),
+    detailsKey: errorInfo.action,
+    detailsParams: errorInfo.action === "login_failure" ? { message } : void 0
+  });
+  strapi.log.error({
+    code: errorInfo.code,
+    phase: "oidc_callback",
+    message: e instanceof Error ? e.message : "Unknown sign-in error",
+    detail: errorInfo.key ? getErrorDetail(errorInfo.key, errorInfo.params) : void 0,
+    email: userInfo?.email
+  });
+  const locale = negotiateLocale(ctx.request.headers["accept-language"]);
+  ctx.send(oauthService2.renderSignUpError(userFacingMessages(locale).signInError, locale));
+}
+async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
+  const response = await fetch(config2.OIDC_TOKEN_ENDPOINT, {
+    method: "POST",
+    body: params,
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    }
+  });
+  if (!response.ok) {
+    throw new OidcError("token_exchange_failed", errorMessages.TOKEN_EXCHANGE_FAILED);
+  }
+  const tokenData = await response.json();
+  if (tokenData.id_token) {
+    const verifiedPayload = await verifyIdToken(tokenData.id_token, config2);
+    try {
+      const idTokenPayload = verifiedPayload ?? JSON.parse(
+        Buffer.from(tokenData.id_token.split(".")[1], "base64url").toString("utf8")
+      );
+      if (idTokenPayload.nonce !== expectedNonce) {
+        throw new OidcError("nonce_mismatch", errorMessages.NONCE_MISMATCH);
+      }
+    } catch (e) {
+      if (e instanceof OidcError) throw e;
+      throw new OidcError("id_token_parse_failed", errorMessages.ID_TOKEN_PARSE_FAILED, e);
+    }
+  }
+  const userResponse = await fetch(config2.OIDC_USERINFO_ENDPOINT, {
+    headers: { Authorization: `Bearer ${tokenData.access_token}` }
+  });
+  if (!userResponse.ok) {
+    throw new OidcError("userinfo_fetch_failed", errorMessages.USERINFO_FETCH_FAILED);
+  }
+  const userInfo = await userResponse.json();
+  return { userInfo, accessToken: tokenData.access_token };
+}
 function readAndClearPkceCookies(ctx) {
   const oidcState = ctx.cookies.get("oidc_state");
   const codeVerifier = ctx.cookies.get("oidc_code_verifier");
@@ -931,26 +950,6 @@ async function logSuccessfulAuth(auditLog2, ctx, user, userCreated, rolesUpdated
   }
   await Promise.all(entries);
 }
-async function handleCallbackError(e, userInfo, auditLog2, oauthService2, ctx) {
-  const errorInfo = classifyOidcError(e, userInfo);
-  const message = toMessage(e);
-  await auditLog2.log({
-    action: errorInfo.action,
-    email: userInfo?.email,
-    ip: getClientIp(ctx),
-    detailsKey: errorInfo.action,
-    detailsParams: errorInfo.action === "login_failure" ? { message } : void 0
-  });
-  strapi.log.error({
-    code: errorInfo.code,
-    phase: "oidc_callback",
-    message: e instanceof Error ? e.message : "Unknown sign-in error",
-    detail: errorInfo.key ? getErrorDetail(errorInfo.key, errorInfo.params) : void 0,
-    email: userInfo?.email
-  });
-  const locale = negotiateLocale(ctx.request.headers["accept-language"]);
-  ctx.send(oauthService2.renderSignUpError(userFacingMessages(locale).signInError, locale));
-}
 async function oidcSignInCallback(ctx) {
   const config2 = configValidation();
   const oauthService2 = getOauthService();
@@ -1018,6 +1017,7 @@ async function oidcSignInCallback(ctx) {
     await handleCallbackError(e, userInfo, auditLog2, oauthService2, ctx);
   }
 }
+const LOGOUT_USERINFO_TIMEOUT_MS = 1500;
 async function isProviderSessionExpired(userinfoEndpoint, accessToken) {
   try {
     const response = await fetch(userinfoEndpoint, {
@@ -2061,6 +2061,7 @@ function translateDetails(key, params) {
   if (!translation) return null;
   return interpolate(translation, params);
 }
+const DAY_MS = 864e5;
 const STRING_OP_MAP = {
   $eq: (v) => v,
   $contains: (v) => ({ $containsi: v }),
@@ -2073,9 +2074,11 @@ const DATE_OP_MAP = {
   $lt: (v) => ({ $lt: v }),
   $lte: (v) => ({ $lte: v }),
   $between: (v) => ({ $between: v })
-  // $in is handled separately: each ISO day-start is expanded to a [day, day+1) range.
 };
-const DAY_MS = 864e5;
+const ACTION_OP_MAP = {
+  $eq: (v) => v,
+  $in: (v) => ({ $in: v })
+};
 function nextDayIso(iso) {
   return new Date(new Date(iso).getTime() + DAY_MS).toISOString();
 }
@@ -2083,10 +2086,6 @@ function expandCreatedAtInToDayRanges(days) {
   const ranges = days.map((d) => ({ createdAt: { $gte: d, $lt: nextDayIso(d) } }));
   return ranges.length === 1 ? ranges[0] : { $or: ranges };
 }
-const ACTION_OP_MAP = {
-  $eq: (v) => v,
-  $in: (v) => ({ $in: v })
-};
 function mapFieldFilter(conditions, field, filter, opMap) {
   for (const [op, value] of Object.entries(filter)) {
     const transform = opMap[op];
@@ -2095,20 +2094,26 @@ function mapFieldFilter(conditions, field, filter, opMap) {
     if (result !== void 0) conditions.push({ [field]: result });
   }
 }
+function buildDateConditions(conditions, createdAt) {
+  if (!createdAt) return;
+  const { $in: inDays, ...rest } = createdAt;
+  if (Array.isArray(inDays) && inDays.length > 0) {
+    conditions.push(expandCreatedAtInToDayRanges(inDays));
+  }
+  for (const [op, value] of Object.entries(rest)) {
+    const transform = DATE_OP_MAP[op];
+    if (transform) {
+      const result = transform(value);
+      if (result !== void 0) conditions.push({ createdAt: result });
+    }
+  }
+}
 function buildWhereClause(filters) {
   const conditions = [];
   if (filters.action) mapFieldFilter(conditions, "action", filters.action, ACTION_OP_MAP);
   if (filters.email) mapFieldFilter(conditions, "email", filters.email, STRING_OP_MAP);
   if (filters.ip) mapFieldFilter(conditions, "ip", filters.ip, STRING_OP_MAP);
-  if (filters.createdAt) {
-    const { $in: inDays, ...rest } = filters.createdAt;
-    if (Array.isArray(inDays) && inDays.length > 0) {
-      conditions.push(expandCreatedAtInToDayRanges(inDays));
-    }
-    if (Object.keys(rest).length > 0) {
-      mapFieldFilter(conditions, "createdAt", rest, DATE_OP_MAP);
-    }
-  }
+  if (filters.createdAt) buildDateConditions(conditions, filters.createdAt);
   if (conditions.length === 0) return {};
   if (conditions.length === 1) return conditions[0];
   return { $and: conditions };