npm - strapi-security-suite - Versions diffs - 0.1.6 → 0.1.8 - Mend

strapi-security-suite 0.1.6 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/server/index.js CHANGED Viewed

@@ -2,6 +2,8 @@
 const jwt = require("jsonwebtoken");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
 const jwt__default = /* @__PURE__ */ _interopDefault(jwt);
+const revokedTokenSet = /* @__PURE__ */ new Set();
+const revokedConnectionTokens = /* @__PURE__ */ new Set();
 const CHECK_INTERVAL = 5e3;
 const LOGIN_PATH = "/admin/login";
 const LOGOUT_PATH = "/admin/logout";
@@ -9,6 +11,11 @@ const sessionActivityMap = /* @__PURE__ */ new Map();
 async function trackActivity(ctx, next) {
   const adminUser = ctx.session?.user;
   let key = adminUser?.id ? `${adminUser.id}:${adminUser.email}` : null;
+  const auth = ctx.request.headers?.authorization;
+  if (auth && revokedConnectionTokens.has(auth.split(" ")[1]) || revokedConnectionTokens.has(ctx.cookies.get("jwtToken"))) {
+    ctx.cookies.set("jwtToken", "", { expires: /* @__PURE__ */ new Date(0), path: "/" });
+    ctx.status = 403;
+  }
   if (ctx.path.includes(LOGOUT_PATH)) {
     ctx.session = null;
     key = null;
@@ -87,7 +94,6 @@ const checkAdminPermission = (requiredPermission) => async (ctx, next) => {
     return ctx.internalServerError("Failed to verify permissions.");
   }
 };
-const revokedTokenSet = /* @__PURE__ */ new Set();
 const forceExpireAdmin = async (ctx, userId) => {
   const ADMIN_SECRET = strapi.config.get("admin.auth.secret");
   const token = jwt__default.default.sign(
@@ -121,6 +127,7 @@ async function rejectRevokedTokens(ctx, next) {
       ctx.cookies.set("koa.sess.sig", "", { expires: /* @__PURE__ */ new Date(0), path: "/" });
       sessionActivityMap.delete(key);
       revokedTokenSet.delete(adminEmail);
+      revokedConnectionTokens.add(ctx.cookies.get("jwtToken"));
       strapi.service("plugin::strapi-security-suite.autoLogoutChecker").clearSessionActivity(id, adminEmail);
       forceExpireAdmin(ctx, id);
       strapi.log.info(`🔒 Session revoked: ${adminEmail} app.admin.logout`);
@@ -140,12 +147,13 @@ async function interceptRenewToken(ctx, next) {
     ctx.cookies.set("koa.sess.sig", "", { expires: /* @__PURE__ */ new Date(0), path: "/" });
     if (adminUser?.id) {
       strapi.service("plugin::strapi-security-suite.autoLogoutChecker").clearSessionActivity(adminUser?.id, adminUser?.email);
+      revokedConnectionTokens.add(ctx.cookies.get("jwtToken"));
       ctx.session = null;
       sessionActivityMap.delete(`${adminUser?.id}:${adminUser?.email}`);
       return;
     }
   }
-  if (ctx.path === "/admin/renew-token" || ctx.path.includes("/content")) {
+  if (ctx.path.includes("/renew-token") || ctx.path.includes("/content")) {
     const { email } = ctx.session?.user || {};
     if (!email) {
       ctx.set("app.admin.tk", "email.admin");

package/dist/server/index.mjs CHANGED Viewed

@@ -1,4 +1,6 @@
 import jwt from "jsonwebtoken";
+const revokedTokenSet = /* @__PURE__ */ new Set();
+const revokedConnectionTokens = /* @__PURE__ */ new Set();
 const CHECK_INTERVAL = 5e3;
 const LOGIN_PATH = "/admin/login";
 const LOGOUT_PATH = "/admin/logout";
@@ -6,6 +8,11 @@ const sessionActivityMap = /* @__PURE__ */ new Map();
 async function trackActivity(ctx, next) {
   const adminUser = ctx.session?.user;
   let key = adminUser?.id ? `${adminUser.id}:${adminUser.email}` : null;
+  const auth = ctx.request.headers?.authorization;
+  if (auth && revokedConnectionTokens.has(auth.split(" ")[1]) || revokedConnectionTokens.has(ctx.cookies.get("jwtToken"))) {
+    ctx.cookies.set("jwtToken", "", { expires: /* @__PURE__ */ new Date(0), path: "/" });
+    ctx.status = 403;
+  }
   if (ctx.path.includes(LOGOUT_PATH)) {
     ctx.session = null;
     key = null;
@@ -84,7 +91,6 @@ const checkAdminPermission = (requiredPermission) => async (ctx, next) => {
     return ctx.internalServerError("Failed to verify permissions.");
   }
 };
-const revokedTokenSet = /* @__PURE__ */ new Set();
 const forceExpireAdmin = async (ctx, userId) => {
   const ADMIN_SECRET = strapi.config.get("admin.auth.secret");
   const token = jwt.sign(
@@ -118,6 +124,7 @@ async function rejectRevokedTokens(ctx, next) {
       ctx.cookies.set("koa.sess.sig", "", { expires: /* @__PURE__ */ new Date(0), path: "/" });
       sessionActivityMap.delete(key);
       revokedTokenSet.delete(adminEmail);
+      revokedConnectionTokens.add(ctx.cookies.get("jwtToken"));
       strapi.service("plugin::strapi-security-suite.autoLogoutChecker").clearSessionActivity(id, adminEmail);
       forceExpireAdmin(ctx, id);
       strapi.log.info(`🔒 Session revoked: ${adminEmail} app.admin.logout`);
@@ -137,12 +144,13 @@ async function interceptRenewToken(ctx, next) {
     ctx.cookies.set("koa.sess.sig", "", { expires: /* @__PURE__ */ new Date(0), path: "/" });
     if (adminUser?.id) {
       strapi.service("plugin::strapi-security-suite.autoLogoutChecker").clearSessionActivity(adminUser?.id, adminUser?.email);
+      revokedConnectionTokens.add(ctx.cookies.get("jwtToken"));
       ctx.session = null;
       sessionActivityMap.delete(`${adminUser?.id}:${adminUser?.email}`);
       return;
     }
   }
-  if (ctx.path === "/admin/renew-token" || ctx.path.includes("/content")) {
+  if (ctx.path.includes("/renew-token") || ctx.path.includes("/content")) {
     const { email } = ctx.session?.user || {};
     if (!email) {
       ctx.set("app.admin.tk", "email.admin");

package/package.json CHANGED Viewed

@@ -1,5 +1,5 @@
 {
-  "version": "0.1.6",
+  "version": "0.1.8",
   "keywords": [
     "strapi",
     "plugin",