strapi-plugin-oidc 1.9.7 → 1.10.0

package/README.md

@@ -6,7 +6,10 @@
       <img src="https://img.shields.io/npm/v/strapi-plugin-oidc.svg" alt="npm version">
     </a>
     <a href="https://github.com/edmogeor/strapi-plugin-oidc/actions/workflows/ci.yml">
-      <img src="https://github.com/edmogeor/strapi-plugin-oidc/actions/workflows/ci.yml/badge.svg" alt="CI"/>
+      <img src="https://github.com/edmogeor/strapi-plugin-oidc/actions/workflows/ci.yml/badge.svg?branch=main" alt="CI"/>
+    </a>
+    <a href="https://github.com/fallow-rs/fallow">
+      <img src="https://raw.githubusercontent.com/edmogeor/strapi-plugin-oidc/badges/badge.svg" alt="fallow health"/>
     </a>
     <a href="./LICENSE">
       <img src="https://img.shields.io/badge/License-MIT-blue.svg" alt="License: MIT"/>
@@ -50,6 +53,7 @@ module.exports = ({ env }) => ({
       OIDC_REQUIRE_EMAIL_VERIFIED: true, // Reject logins when provider does not report email_verified=true (set false to disable)
       OIDC_TRUSTED_IP_HEADER: '', // Optional: header set by your CDN/proxy containing the real client IP (see note below); only honoured when Koa proxy mode is enabled (see below)
       OIDC_FORCE_SECURE_COOKIES: false, // Set true when behind a trusted HTTPS proxy that Strapi can't auto-detect
+      OIDC_SKIP_LOGIN_PAGE: false, // Skip the Strapi login page; redirects unauthenticated users straight to the OIDC provider
     },
   },
 });
@@ -94,6 +98,17 @@ Only headers that CDN/proxy vendors guarantee to strip from inbound client reque
 
 Navigate to `/strapi-plugin-oidc/oidc` to start the OIDC flow, or click the **Login via SSO** button injected into the Strapi login page.
 
+## Skip Login Page
+
+Set `OIDC_SKIP_LOGIN_PAGE: true` to prevent users from ever seeing the Strapi admin login page. Unauthenticated requests are redirected directly to the OIDC provider. This is typically used alongside `OIDC_ENFORCE: true`.
+
+Two independent mechanisms cover both entry points:
+
+- **Server-side** — A Koa middleware intercepts unauthenticated GET requests to `/admin` and redirects to `/strapi-plugin-oidc/oidc` before the SPA is served. Excluded from this redirect: API routes (`/admin/login`, `/admin/logout`, `/admin/init`, etc.), static assets (`.js`, `.css`, `.png`, etc.), and POST requests.
+- **Client-side** — A DOM `MutationObserver` watches for React Router navigations to `/auth/login` (triggered by session expiry or 401 responses) and redirects before the login form renders.
+
+After logout without a provider `end_session_endpoint`, the fallback URL becomes `/strapi-plugin-oidc/oidc` instead of `/admin/auth/login`, ensuring the user lands on the provider's own page.
+
 ## Logout
 
 When the discovery document includes an `end_session_endpoint`, clicking logout redirects to the provider's end-session URL (RP-initiated logout). If the provider session has already expired, Strapi skips the redirect and goes straight to the login page.

package/dist/admin/{index-F7EShzfg.js → index-8VB7hT1F.js}

@@ -7,7 +7,7 @@ const React = require("react");
 const designSystem = require("@strapi/design-system");
 const icons = require("@strapi/icons");
 const reactIntl = require("react-intl");
-const index = require("./index-BUuwz71P.js");
+const index = require("./index-CWvZ9OH0.js");
 const styled = require("styled-components");
 const lucideReact = require("lucide-react");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };

package/dist/admin/{index-BUuwz71P.js → index-CWvZ9OH0.js}

@@ -197,6 +197,7 @@ const PERMISSIONS = {
 const AUDIT_LOG_DEFAULTS = {
   ADMIN_PAGE_SIZE: 10
 };
+const OIDC_SIGN_IN_PATH = "/strapi-plugin-oidc/oidc";
 const UI_DEFAULTS = {
   MIN_SPINNER_MS: 400
 };
@@ -211,7 +212,7 @@ const index = {
         id: "settings.configuration",
         defaultMessage: "Configuration"
       },
-      Component: () => Promise.resolve().then(() => require("./index-F7EShzfg.js")),
+      Component: () => Promise.resolve().then(() => require("./index-8VB7hT1F.js")),
       permissions: [{ action: PERMISSIONS.READ, subject: null }]
     };
     app.addSettingsLink(
@@ -237,7 +238,7 @@ const index = {
     const defaultButtonText = t("login.sso");
     const isAuthRoute = (path) => /\/auth\/(login|register|forgot-password|reset-password)/.test(path);
     let ssoButtonInjected = false;
-    let loginObserver = null;
+    let domObserver = null;
     const injectSSOButton = (buttonText) => {
       if (ssoButtonInjected) return;
       if (!isAuthRoute(window.location.pathname)) return;
@@ -249,7 +250,7 @@ const index = {
       btn.type = "button";
       btn.className = submitButton.className;
       btn.onclick = () => {
-        window.location.href = "/strapi-plugin-oidc/oidc";
+        window.location.href = OIDC_SIGN_IN_PATH;
       };
       const innerSpan = submitButton.querySelector("span");
       const span = document.createElement("span");
@@ -287,23 +288,36 @@ const index = {
         (el.closest("div")?.parentElement ?? el).remove();
       });
     };
+    const startObserver = (tick) => {
+      if (domObserver) return;
+      tick();
+      domObserver = new MutationObserver(tick);
+      domObserver.observe(document.body, { childList: true, subtree: true });
+    };
     const startLoginObserver = (buttonText, enforced) => {
-      if (loginObserver) return;
-      const tick = () => {
+      startObserver(() => {
         if (!isAuthRoute(window.location.pathname)) return;
         injectSSOButton(buttonText);
         if (enforced) removeEnforcedElements();
-        if (ssoButtonInjected && !enforced) loginObserver?.disconnect();
-      };
-      tick();
-      loginObserver = new MutationObserver(tick);
-      loginObserver.observe(document.body, { childList: true, subtree: true });
+        if (ssoButtonInjected && !enforced) domObserver?.disconnect();
+      });
+    };
+    const startSkipLoginRedirect = () => {
+      startObserver(() => {
+        if (isAuthRoute(window.location.pathname)) {
+          window.location.href = OIDC_SIGN_IN_PATH;
+        }
+      });
     };
     const applySettings = async () => {
       try {
         const response = await window.fetch("/strapi-plugin-oidc/settings/public");
         if (response.ok) {
           const data = await response.json();
+          if (data.skipLoginPage) {
+            startSkipLoginRedirect();
+            return;
+          }
           startLoginObserver(data.ssoButtonText || defaultButtonText, !!data.enforceOIDC);
         } else {
           startLoginObserver(defaultButtonText, false);

package/dist/admin/{index-CUVEK5GT.mjs → index-CbB2ZVt6.mjs}

@@ -194,6 +194,7 @@ const PERMISSIONS = {
 const AUDIT_LOG_DEFAULTS = {
   ADMIN_PAGE_SIZE: 10
 };
+const OIDC_SIGN_IN_PATH = "/strapi-plugin-oidc/oidc";
 const UI_DEFAULTS = {
   MIN_SPINNER_MS: 400
 };
@@ -208,7 +209,7 @@ const index = {
         id: "settings.configuration",
         defaultMessage: "Configuration"
       },
-      Component: () => import("./index-vkwBXPXn.mjs"),
+      Component: () => import("./index-DMJjpSUm.mjs"),
       permissions: [{ action: PERMISSIONS.READ, subject: null }]
     };
     app.addSettingsLink(
@@ -234,7 +235,7 @@ const index = {
     const defaultButtonText = t("login.sso");
     const isAuthRoute = (path) => /\/auth\/(login|register|forgot-password|reset-password)/.test(path);
     let ssoButtonInjected = false;
-    let loginObserver = null;
+    let domObserver = null;
     const injectSSOButton = (buttonText) => {
       if (ssoButtonInjected) return;
       if (!isAuthRoute(window.location.pathname)) return;
@@ -246,7 +247,7 @@ const index = {
       btn.type = "button";
       btn.className = submitButton.className;
       btn.onclick = () => {
-        window.location.href = "/strapi-plugin-oidc/oidc";
+        window.location.href = OIDC_SIGN_IN_PATH;
       };
       const innerSpan = submitButton.querySelector("span");
       const span = document.createElement("span");
@@ -284,23 +285,36 @@ const index = {
         (el.closest("div")?.parentElement ?? el).remove();
       });
     };
+    const startObserver = (tick) => {
+      if (domObserver) return;
+      tick();
+      domObserver = new MutationObserver(tick);
+      domObserver.observe(document.body, { childList: true, subtree: true });
+    };
     const startLoginObserver = (buttonText, enforced) => {
-      if (loginObserver) return;
-      const tick = () => {
+      startObserver(() => {
         if (!isAuthRoute(window.location.pathname)) return;
         injectSSOButton(buttonText);
         if (enforced) removeEnforcedElements();
-        if (ssoButtonInjected && !enforced) loginObserver?.disconnect();
-      };
-      tick();
-      loginObserver = new MutationObserver(tick);
-      loginObserver.observe(document.body, { childList: true, subtree: true });
+        if (ssoButtonInjected && !enforced) domObserver?.disconnect();
+      });
+    };
+    const startSkipLoginRedirect = () => {
+      startObserver(() => {
+        if (isAuthRoute(window.location.pathname)) {
+          window.location.href = OIDC_SIGN_IN_PATH;
+        }
+      });
     };
     const applySettings = async () => {
       try {
         const response = await window.fetch("/strapi-plugin-oidc/settings/public");
         if (response.ok) {
           const data = await response.json();
+          if (data.skipLoginPage) {
+            startSkipLoginRedirect();
+            return;
+          }
           startLoginObserver(data.ssoButtonText || defaultButtonText, !!data.enforceOIDC);
         } else {
           startLoginObserver(defaultButtonText, false);

package/dist/admin/{index-vkwBXPXn.mjs → index-DMJjpSUm.mjs}

@@ -5,7 +5,7 @@ import { useState, useRef, useId, useEffect, useCallback, useReducer, useMemo, m
 import { Typography, Flex, Box, MultiSelect, MultiSelectOption, Button, Dialog, Table, Pagination, PreviousLink, NextLink, PageLink, Field, Divider, Thead, Tr, Th, Tbody, Td, IconButton, Loader, Tooltip, Alert } from "@strapi/design-system";
 import { Cross, WarningCircle, Plus, Download, Upload, Trash, Calendar, Mail, Information } from "@strapi/icons";
 import { useIntl } from "react-intl";
-import { g as getTrad, E as EMAIL_REGEX, e as en, A as AUDIT_LOG_DEFAULTS, U as UI_DEFAULTS } from "./index-CUVEK5GT.mjs";
+import { g as getTrad, E as EMAIL_REGEX, e as en, A as AUDIT_LOG_DEFAULTS, U as UI_DEFAULTS } from "./index-CbB2ZVt6.mjs";
 import styled from "styled-components";
 import { Filter, ClipboardList, Server } from "lucide-react";
 function Role({ oidcRoles, roles, onChangeRole }) {

package/dist/admin/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperties(exports, { __esModule: { value: true }, [Symbol.toStringTag]: { value: "Module" } });
-const index = require("./index-BUuwz71P.js");
+const index = require("./index-CWvZ9OH0.js");
 require("react");
 require("react-dom/client");
 exports.default = index.index;

package/dist/admin/index.mjs

@@ -1,4 +1,4 @@
-import { i } from "./index-CUVEK5GT.mjs";
+import { i } from "./index-CbB2ZVt6.mjs";
 import "react";
 import "react-dom/client";
 export {

package/dist/server/index.js

@@ -122,7 +122,8 @@ const pluginConfigSchema = zod.z.object({
   OIDC_TRUSTED_IP_HEADER: zod.z.string().default(""),
   OIDC_JWKS_URI: zod.z.string().default(""),
   OIDC_ISSUER: zod.z.string().default(""),
-  OIDC_FORCE_SECURE_COOKIES: coerceBool(false)
+  OIDC_FORCE_SECURE_COOKIES: coerceBool(false),
+  OIDC_SKIP_LOGIN_PAGE: coerceBool(false)
 });
 function parseGroupRoleMap(raw) {
   if (typeof raw !== "string") {
@@ -173,6 +174,7 @@ const DEFAULT_RETENTION_DAYS = 90;
 const DAY_MS = 864e5;
 const DISCOVERY_TIMEOUT_MS = 5e3;
 const OIDC_DISCOVERY_PATH = "/.well-known/openid-configuration";
+const OIDC_SIGN_IN_PATH = "/strapi-plugin-oidc/oidc";
 const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
 function getPluginConfig() {
   return pluginConfigSchema.parse(strapi.config.get("plugin::strapi-plugin-oidc") ?? {});
@@ -284,15 +286,31 @@ function clearAuthCookies(strapi2, ctx) {
   ctx.cookies.set(COOKIE_NAMES.userEmail, "", rootPathOptions);
 }
 const AUTH_ROUTES = ["login", "register", "register-admin", "forgot-password", "reset-password"];
+const STATIC_EXTENSIONS = [".js", ".css", ".png", ".svg", ".ico", ".woff2", ".json", ".map"];
 async function bootstrap({ strapi: strapi2 }) {
   await applyDiscovery(strapi2);
   const adminUrl = strapi2.config.get("admin.url", "/admin");
   const tokenRefreshPath = `${adminUrl}/token/refresh`;
+  const EXCLUDED_ADMIN_PATHS = [
+    `${adminUrl}/login`,
+    `${adminUrl}/access-token`,
+    `${adminUrl}/logout`,
+    `${adminUrl}/init`,
+    `${adminUrl}/register`,
+    `${adminUrl}/register-admin`,
+    `${adminUrl}/forgot-password`,
+    `${adminUrl}/reset-password`
+  ];
   const enforceOidcMiddleware = async (ctx, next) => {
     const path = ctx.request.path;
     const isPost = ctx.request.method === "POST";
     const isAuthRoute = AUTH_ROUTES.some((r) => path.includes(r));
     const isTokenRefresh = path === tokenRefreshPath;
+    const config2 = getPluginConfig();
+    if (config2.OIDC_SKIP_LOGIN_PAGE && ctx.request.method === "GET" && (path === adminUrl || path.startsWith(`${adminUrl}/`)) && !EXCLUDED_ADMIN_PATHS.includes(path) && !STATIC_EXTENSIONS.some((ext) => path.endsWith(ext)) && !ctx.cookies.get(COOKIE_NAMES.adminRefresh)) {
+      ctx.redirect(OIDC_SIGN_IN_PATH);
+      return;
+    }
     if (isAuthRoute && isPost || isTokenRefresh) {
       try {
         const whitelistService2 = getWhitelistService();
@@ -412,6 +430,7 @@ const config = {
     OIDC_REQUIRE_EMAIL_VERIFIED: true,
     OIDC_TRUSTED_IP_HEADER: "",
     OIDC_FORCE_SECURE_COOKIES: false,
+    OIDC_SKIP_LOGIN_PAGE: false,
     // Populated at bootstrap from OIDC_ISSUER — not user-configurable directly
     OIDC_AUTHORIZATION_ENDPOINT: "",
     OIDC_TOKEN_ENDPOINT: "",
@@ -4011,12 +4030,13 @@ async function logout(ctx) {
   const logoutUrl = config2.OIDC_END_SESSION_ENDPOINT;
   const adminPanelUrl = strapi.config.get("admin.url", "/admin");
   const loginUrl = `${adminPanelUrl}/auth/login`;
+  const fallbackUrl = config2.OIDC_SKIP_LOGIN_PAGE ? OIDC_SIGN_IN_PATH : loginUrl;
   const isOidcSession = !!ctx.cookies.get(COOKIE_NAMES.authenticated);
   const accessToken = ctx.cookies.get(COOKIE_NAMES.accessToken);
   const userEmail = ctx.cookies.get(COOKIE_NAMES.userEmail) ?? void 0;
   clearAuthCookies(strapi, ctx);
   if (!isOidcSession) {
-    return ctx.redirect(loginUrl);
+    return ctx.redirect(fallbackUrl);
   }
   const logAudit = (action) => userEmail ? auditLog2.log({ action, email: userEmail, ip: getClientIp(ctx) }) : Promise.resolve();
   if (logoutUrl && accessToken) {
@@ -4025,7 +4045,7 @@ async function logout(ctx) {
       await logAudit("session_expired").catch((err) => {
         strapi.log.error("[strapi-plugin-oidc] Audit log failed on session expiry:", err);
       });
-      return ctx.redirect(loginUrl);
+      return ctx.redirect(fallbackUrl);
     }
     logAudit("logout").catch((err) => {
       strapi.log.error("[strapi-plugin-oidc] Audit log failed on logout:", err);
@@ -4035,7 +4055,7 @@ async function logout(ctx) {
   await logAudit("logout").catch((err) => {
     strapi.log.error("[strapi-plugin-oidc] Audit log failed on logout:", err);
   });
-  ctx.redirect(logoutUrl || loginUrl);
+  ctx.redirect(logoutUrl || fallbackUrl);
 }
 const oidc = {
   oidcSignIn,
@@ -4157,7 +4177,8 @@ async function publicSettings(ctx) {
   const config2 = getPluginConfig();
   ctx.body = {
     enforceOIDC: resolveEnforceOIDC(strapi, settings.enforceOIDC),
-    ssoButtonText: config2.OIDC_SSO_BUTTON_TEXT
+    ssoButtonText: config2.OIDC_SSO_BUTTON_TEXT,
+    skipLoginPage: config2.OIDC_SKIP_LOGIN_PAGE
   };
 }
 async function register(ctx) {

package/dist/server/index.mjs

@@ -116,7 +116,8 @@ const pluginConfigSchema = z.object({
   OIDC_TRUSTED_IP_HEADER: z.string().default(""),
   OIDC_JWKS_URI: z.string().default(""),
   OIDC_ISSUER: z.string().default(""),
-  OIDC_FORCE_SECURE_COOKIES: coerceBool(false)
+  OIDC_FORCE_SECURE_COOKIES: coerceBool(false),
+  OIDC_SKIP_LOGIN_PAGE: coerceBool(false)
 });
 function parseGroupRoleMap(raw) {
   if (typeof raw !== "string") {
@@ -167,6 +168,7 @@ const DEFAULT_RETENTION_DAYS = 90;
 const DAY_MS = 864e5;
 const DISCOVERY_TIMEOUT_MS = 5e3;
 const OIDC_DISCOVERY_PATH = "/.well-known/openid-configuration";
+const OIDC_SIGN_IN_PATH = "/strapi-plugin-oidc/oidc";
 const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
 function getPluginConfig() {
   return pluginConfigSchema.parse(strapi.config.get("plugin::strapi-plugin-oidc") ?? {});
@@ -278,15 +280,31 @@ function clearAuthCookies(strapi2, ctx) {
   ctx.cookies.set(COOKIE_NAMES.userEmail, "", rootPathOptions);
 }
 const AUTH_ROUTES = ["login", "register", "register-admin", "forgot-password", "reset-password"];
+const STATIC_EXTENSIONS = [".js", ".css", ".png", ".svg", ".ico", ".woff2", ".json", ".map"];
 async function bootstrap({ strapi: strapi2 }) {
   await applyDiscovery(strapi2);
   const adminUrl = strapi2.config.get("admin.url", "/admin");
   const tokenRefreshPath = `${adminUrl}/token/refresh`;
+  const EXCLUDED_ADMIN_PATHS = [
+    `${adminUrl}/login`,
+    `${adminUrl}/access-token`,
+    `${adminUrl}/logout`,
+    `${adminUrl}/init`,
+    `${adminUrl}/register`,
+    `${adminUrl}/register-admin`,
+    `${adminUrl}/forgot-password`,
+    `${adminUrl}/reset-password`
+  ];
   const enforceOidcMiddleware = async (ctx, next) => {
     const path = ctx.request.path;
     const isPost = ctx.request.method === "POST";
     const isAuthRoute = AUTH_ROUTES.some((r) => path.includes(r));
     const isTokenRefresh = path === tokenRefreshPath;
+    const config2 = getPluginConfig();
+    if (config2.OIDC_SKIP_LOGIN_PAGE && ctx.request.method === "GET" && (path === adminUrl || path.startsWith(`${adminUrl}/`)) && !EXCLUDED_ADMIN_PATHS.includes(path) && !STATIC_EXTENSIONS.some((ext) => path.endsWith(ext)) && !ctx.cookies.get(COOKIE_NAMES.adminRefresh)) {
+      ctx.redirect(OIDC_SIGN_IN_PATH);
+      return;
+    }
     if (isAuthRoute && isPost || isTokenRefresh) {
       try {
         const whitelistService2 = getWhitelistService();
@@ -406,6 +424,7 @@ const config = {
     OIDC_REQUIRE_EMAIL_VERIFIED: true,
     OIDC_TRUSTED_IP_HEADER: "",
     OIDC_FORCE_SECURE_COOKIES: false,
+    OIDC_SKIP_LOGIN_PAGE: false,
     // Populated at bootstrap from OIDC_ISSUER — not user-configurable directly
     OIDC_AUTHORIZATION_ENDPOINT: "",
     OIDC_TOKEN_ENDPOINT: "",
@@ -4005,12 +4024,13 @@ async function logout(ctx) {
   const logoutUrl = config2.OIDC_END_SESSION_ENDPOINT;
   const adminPanelUrl = strapi.config.get("admin.url", "/admin");
   const loginUrl = `${adminPanelUrl}/auth/login`;
+  const fallbackUrl = config2.OIDC_SKIP_LOGIN_PAGE ? OIDC_SIGN_IN_PATH : loginUrl;
   const isOidcSession = !!ctx.cookies.get(COOKIE_NAMES.authenticated);
   const accessToken = ctx.cookies.get(COOKIE_NAMES.accessToken);
   const userEmail = ctx.cookies.get(COOKIE_NAMES.userEmail) ?? void 0;
   clearAuthCookies(strapi, ctx);
   if (!isOidcSession) {
-    return ctx.redirect(loginUrl);
+    return ctx.redirect(fallbackUrl);
   }
   const logAudit = (action) => userEmail ? auditLog2.log({ action, email: userEmail, ip: getClientIp(ctx) }) : Promise.resolve();
   if (logoutUrl && accessToken) {
@@ -4019,7 +4039,7 @@ async function logout(ctx) {
       await logAudit("session_expired").catch((err) => {
         strapi.log.error("[strapi-plugin-oidc] Audit log failed on session expiry:", err);
       });
-      return ctx.redirect(loginUrl);
+      return ctx.redirect(fallbackUrl);
     }
     logAudit("logout").catch((err) => {
       strapi.log.error("[strapi-plugin-oidc] Audit log failed on logout:", err);
@@ -4029,7 +4049,7 @@ async function logout(ctx) {
   await logAudit("logout").catch((err) => {
     strapi.log.error("[strapi-plugin-oidc] Audit log failed on logout:", err);
   });
-  ctx.redirect(logoutUrl || loginUrl);
+  ctx.redirect(logoutUrl || fallbackUrl);
 }
 const oidc = {
   oidcSignIn,
@@ -4151,7 +4171,8 @@ async function publicSettings(ctx) {
   const config2 = getPluginConfig();
   ctx.body = {
     enforceOIDC: resolveEnforceOIDC(strapi, settings.enforceOIDC),
-    ssoButtonText: config2.OIDC_SSO_BUTTON_TEXT
+    ssoButtonText: config2.OIDC_SSO_BUTTON_TEXT,
+    skipLoginPage: config2.OIDC_SKIP_LOGIN_PAGE
   };
 }
 async function register(ctx) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.9.7",
+  "version": "1.10.0",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",