npm - strapi-security-suite - Versions diffs - 0.3.0 → 0.3.1 - Mend

strapi-security-suite 0.3.0 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/_chunks/{App-t96Cfein.mjs → App-CBOxzfqu.mjs} +1 -1
package/dist/_chunks/{App-CfPg1Thn.js → App-ConqHB2Q.js} +1 -1
package/dist/_chunks/{index-ub4Bl9QF.js → index-BGBd43He.js} +2 -3
package/dist/_chunks/{index-CAEB836L.mjs → index-ZKJuPZEH.mjs} +2 -3
package/dist/admin/index.js +1 -1
package/dist/admin/index.mjs +1 -1
package/dist/server/index.js +46 -37
package/dist/server/index.mjs +46 -37
package/package.json +1 -1

package/dist/_chunks/{App-t96Cfein.mjs → App-CBOxzfqu.mjs} RENAMED Viewed

@@ -3,7 +3,7 @@ import { useFetchClient, Page } from "@strapi/strapi/admin";
 import { Routes, Route } from "react-router-dom";
 import { useState, useEffect } from "react";
 import { Box, Typography, Alert, Flex, Divider, NumberInput, Switch, Button } from "@strapi/design-system";
-import { A as API_BASE_PATH, S as SUCCESS_ALERT_DURATION } from "./index-CAEB836L.mjs";
+import { A as API_BASE_PATH, S as SUCCESS_ALERT_DURATION } from "./index-ZKJuPZEH.mjs";
 const HomePage = () => {
   const client = useFetchClient();
   const [config, setConfig] = useState({

package/dist/_chunks/{App-CfPg1Thn.js → App-ConqHB2Q.js} RENAMED Viewed

@@ -5,7 +5,7 @@ const admin = require("@strapi/strapi/admin");
 const reactRouterDom = require("react-router-dom");
 const react = require("react");
 const designSystem = require("@strapi/design-system");
-const index = require("./index-ub4Bl9QF.js");
+const index = require("./index-BGBd43He.js");
 const HomePage = () => {
   const client = admin.useFetchClient();
   const [config, setConfig] = react.useState({

package/dist/_chunks/{index-ub4Bl9QF.js → index-BGBd43He.js} RENAMED Viewed

@@ -49,9 +49,8 @@ const index = {
         const response = await originalFetch(...args);
         const captured = response.headers.get(ADMIN_TOKEN_HEADER);
         if (captured) {
-          window.stop();
           window.location.reload();
-          return;
+          return new Response(null, { status: 401 });
         }
         return response;
       };
@@ -71,7 +70,7 @@ const index = {
         id: getTrad("settings.title"),
         defaultMessage: "Security Suite"
       },
-      Component: () => Promise.resolve().then(() => require("./App-CfPg1Thn.js")),
+      Component: () => Promise.resolve().then(() => require("./App-ConqHB2Q.js")),
       permissions: [
         {
           action: "plugin::strapi-security-suite.access",

package/dist/_chunks/{index-CAEB836L.mjs → index-ZKJuPZEH.mjs} RENAMED Viewed

@@ -48,9 +48,8 @@ const index = {
         const response = await originalFetch(...args);
         const captured = response.headers.get(ADMIN_TOKEN_HEADER);
         if (captured) {
-          window.stop();
           window.location.reload();
-          return;
+          return new Response(null, { status: 401 });
         }
         return response;
       };
@@ -70,7 +69,7 @@ const index = {
         id: getTrad("settings.title"),
         defaultMessage: "Security Suite"
       },
-      Component: () => import("./App-t96Cfein.mjs"),
+      Component: () => import("./App-CBOxzfqu.mjs"),
       permissions: [
         {
           action: "plugin::strapi-security-suite.access",

package/dist/admin/index.js CHANGED Viewed

@@ -1,3 +1,3 @@
 "use strict";
-const index = require("../_chunks/index-ub4Bl9QF.js");
+const index = require("../_chunks/index-BGBd43He.js");
 module.exports = index.index;

package/dist/admin/index.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
-import { i } from "../_chunks/index-CAEB836L.mjs";
+import { i } from "../_chunks/index-ZKJuPZEH.mjs";
 export {
   i as default
 };

package/dist/server/index.js CHANGED Viewed

@@ -3,7 +3,16 @@ const jwt = require("jsonwebtoken");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
 const jwt__default = /* @__PURE__ */ _interopDefault(jwt);
 const revokedTokenSet = /* @__PURE__ */ new Set();
-const revokedConnectionTokens = /* @__PURE__ */ new Set();
+const revokedConnectionTokens = /* @__PURE__ */ new Map();
+const TOKEN_TTL = 30 * 60 * 1e3;
+function pruneExpiredTokens() {
+  const cutoff = Date.now() - TOKEN_TTL;
+  for (const [token, revokedAt] of revokedConnectionTokens) {
+    if (revokedAt < cutoff) {
+      revokedConnectionTokens.delete(token);
+    }
+  }
+}
 const sessionActivityMap = /* @__PURE__ */ new Map();
 const PLUGIN_ID = "strapi-security-suite";
 const CONTENT_TYPES = {
@@ -12,6 +21,7 @@ const CONTENT_TYPES = {
 const SERVICES = {
   AUTO_LOGOUT_CHECKER: "autoLogoutChecker"
 };
+const CTX_ADMIN_USER = Symbol.for("security-suite:adminUser");
 const CHECK_INTERVAL = 5e3;
 const DEFAULT_AUTOLOGOUT_TIME = 30;
 const MS_PER_MINUTE = 6e4;
@@ -37,7 +47,6 @@ const HEADERS = {
   /** Required so the browser exposes custom headers in fetch responses. */
   EXPOSE_HEADERS: "Access-Control-Expose-Headers"
 };
-const ADMIN_TOKEN_FALLBACK = "email.admin";
 const ERROR_MESSAGES = {
   SETTINGS_NOT_FOUND: "Security settings not found.",
   INSUFFICIENT_PERMISSIONS: "Insufficient permissions.",
@@ -61,7 +70,7 @@ const DEFAULT_SETTINGS = {
 };
 const VALID_SETTINGS_KEYS = new Set(Object.keys(DEFAULT_SETTINGS));
 async function trackActivity(ctx, next) {
-  const adminUser = ctx.session?.user;
+  const adminUser = ctx.state[CTX_ADMIN_USER];
   let key = adminUser?.id ? `${adminUser.id}:${adminUser.email}` : null;
   const bearerToken = ctx.get("authorization")?.split("Bearer ")[1];
   if (bearerToken && revokedConnectionTokens.has(bearerToken)) {
@@ -76,7 +85,9 @@ async function trackActivity(ctx, next) {
     return;
   }
   if (ctx.path.includes(LOGOUT_PATH)) {
-    ctx.session = null;
+    if (ctx.session !== void 0) {
+      ctx.session = null;
+    }
     key = null;
   }
   if (key) {
@@ -86,14 +97,22 @@ async function trackActivity(ctx, next) {
   await next();
 }
 const loginLocks = /* @__PURE__ */ new Set();
+function cleanupLoginState(ctx) {
+  const email = ctx.request.body?.email;
+  loginLocks.delete(email);
+  if (email && ctx.status < 400) {
+    revokedTokenSet.delete(email);
+  }
+}
 async function preventMultipleSessions(ctx, next) {
   const isLoginPost = ctx.path === LOGIN_PATH && ctx.method === "POST";
-  const alreadyAdmin = ctx.session?.user;
   if (!isLoginPost) {
     return await next();
   }
-  if (alreadyAdmin) {
-    strapi.log.debug(`[${PLUGIN_ID}] Skipping session lock. ${JSON.stringify(alreadyAdmin)}`);
+  if (ctx.state[CTX_ADMIN_USER]) {
+    strapi.log.debug(
+      `[${PLUGIN_ID}] Skipping session lock. ${JSON.stringify(ctx.state[CTX_ADMIN_USER])}`
+    );
     return await next();
   }
   try {
@@ -127,22 +146,21 @@ async function preventMultipleSessions(ctx, next) {
   try {
     await next();
   } finally {
-    if (ctx.path === LOGIN_PATH && ctx.method === "POST") {
-      const email = ctx.request.body?.email;
-      loginLocks.delete(email);
-    }
+    cleanupLoginState(ctx);
   }
 }
 async function rejectRevokedTokens(ctx, next) {
-  const sessionUser = ctx.session?.user;
-  if (!sessionUser?.email) return await next();
-  const { id, email: adminEmail } = sessionUser;
+  const adminUser = ctx.state[CTX_ADMIN_USER];
+  if (!adminUser?.email) return await next();
+  const { id, email: adminEmail } = adminUser;
   const key = id && adminEmail ? `${id}:${adminEmail}` : null;
   try {
     if (adminEmail && revokedTokenSet.has(adminEmail)) {
       ctx.set(HEADERS.ADMIN_TOKEN_SIGNAL, adminEmail);
       ctx.set(HEADERS.EXPOSE_HEADERS, HEADERS.ADMIN_TOKEN_SIGNAL);
-      ctx.session = null;
+      if (ctx.session !== void 0) {
+        ctx.session = null;
+      }
       ctx.cookies.set(COOKIES.REFRESH_TOKEN, "", {
         expires: /* @__PURE__ */ new Date(0),
         path: "/admin",
@@ -150,7 +168,7 @@ async function rejectRevokedTokens(ctx, next) {
       });
       const bearerToken = ctx.get("authorization")?.split("Bearer ")[1];
       if (bearerToken) {
-        revokedConnectionTokens.add(bearerToken);
+        revokedConnectionTokens.set(bearerToken, Date.now());
       }
       sessionActivityMap.delete(key);
       revokedTokenSet.delete(adminEmail);
@@ -173,29 +191,27 @@ async function rejectRevokedTokens(ctx, next) {
 }
 async function interceptRenewToken(ctx, next) {
   if (ctx.path.includes(LOGOUT_PATH)) {
-    const adminUser = ctx.session?.user;
+    const adminUser = ctx.state[CTX_ADMIN_USER];
     strapi.log.debug(`[${PLUGIN_ID}] Logout captured: ${JSON.stringify(adminUser)}`);
     if (adminUser?.id) {
       strapi.plugin(PLUGIN_ID).service(SERVICES.AUTO_LOGOUT_CHECKER).clearSessionActivity(adminUser.id, adminUser.email);
       const bearerToken = ctx.get("authorization")?.split("Bearer ")[1];
       if (bearerToken) {
-        revokedConnectionTokens.add(bearerToken);
+        revokedConnectionTokens.set(bearerToken, Date.now());
+      }
+      if (ctx.session !== void 0) {
+        ctx.session = null;
       }
-      ctx.session = null;
       sessionActivityMap.delete(`${adminUser.id}:${adminUser.email}`);
     }
     await next();
     return;
   }
   if (ctx.path.includes(ACCESS_TOKEN_PATH) || ctx.path.includes(CONTENT_PATH)) {
-    const { email } = ctx.session?.user || {};
-    if (!email) {
-      ctx.set(HEADERS.ADMIN_TOKEN_SIGNAL, ADMIN_TOKEN_FALLBACK);
-      ctx.set(HEADERS.EXPOSE_HEADERS, HEADERS.ADMIN_TOKEN_SIGNAL);
-      await next();
-      return;
+    const adminUser = ctx.state[CTX_ADMIN_USER];
+    if (adminUser?.email) {
+      strapi.log.debug(`[${PLUGIN_ID}] Token renewal intercepted for ${adminUser.email}`);
     }
-    strapi.log.debug(`[${PLUGIN_ID}] Token renewal intercepted for ${email}`);
   }
   await next();
 }
@@ -208,9 +224,8 @@ async function seedUserInfos(ctx, next) {
     const token = authHeader.split("Bearer ")[1];
     if (!token) return await next();
     const decodedToken = jwt__default.default.decode(token);
-    const session = ctx.session?.user ?? null;
     const adminId = decodedToken?.userId;
-    if (!adminId || session?.id) {
+    if (!adminId || ctx.state[CTX_ADMIN_USER]?.id) {
       return await next();
     }
     const adminUser = await strapi.db.query("admin::user").findOne({
@@ -221,25 +236,18 @@ async function seedUserInfos(ctx, next) {
       strapi.log.debug(`[${PLUGIN_ID}] No admin user found with ID ${adminId}`);
       return await next();
     }
-    if (revokedTokenSet.has(adminUser.email)) {
-      strapi.log.debug(
-        `[${PLUGIN_ID}] Admin ${adminUser.email} is in revoked set — skipping hydration`
-      );
-      return await next();
-    }
-    const userInfos = {
+    ctx.state[CTX_ADMIN_USER] = {
       id: adminUser.id,
       email: adminUser.email,
       firstname: adminUser.firstname,
       lastname: adminUser.lastname,
       roles: adminUser.roles
     };
-    ctx.session.user = userInfos;
     const key = `${adminUser.id}:${adminUser.email}`;
     if (!sessionActivityMap.has(key)) {
       sessionActivityMap.set(key, Date.now());
     }
-    strapi.log.debug(`[${PLUGIN_ID}] Session hydrated for admin ${adminUser.email}`);
+    strapi.log.debug(`[${PLUGIN_ID}] Admin identified: ${adminUser.email}`);
     return await next();
   } catch (error) {
     strapi.log.error(`[${PLUGIN_ID}] Failed to decode or hydrate admin token:`, error);
@@ -557,6 +565,7 @@ const autoLogoutChecker = ({ strapi: strapi2 }) => ({
     }
     interval = setInterval(async () => {
       try {
+        pruneExpiredTokens();
         const settings = await strapi2.documents(CONTENT_TYPES.SECURITY_SETTINGS).findFirst({});
         const autoLogoutTime = (settings?.autoLogoutTime ?? DEFAULT_AUTOLOGOUT_TIME) * MS_PER_MINUTE;
         const now = Date.now();

package/dist/server/index.mjs CHANGED Viewed

@@ -1,6 +1,15 @@
 import jwt from "jsonwebtoken";
 const revokedTokenSet = /* @__PURE__ */ new Set();
-const revokedConnectionTokens = /* @__PURE__ */ new Set();
+const revokedConnectionTokens = /* @__PURE__ */ new Map();
+const TOKEN_TTL = 30 * 60 * 1e3;
+function pruneExpiredTokens() {
+  const cutoff = Date.now() - TOKEN_TTL;
+  for (const [token, revokedAt] of revokedConnectionTokens) {
+    if (revokedAt < cutoff) {
+      revokedConnectionTokens.delete(token);
+    }
+  }
+}
 const sessionActivityMap = /* @__PURE__ */ new Map();
 const PLUGIN_ID = "strapi-security-suite";
 const CONTENT_TYPES = {
@@ -9,6 +18,7 @@ const CONTENT_TYPES = {
 const SERVICES = {
   AUTO_LOGOUT_CHECKER: "autoLogoutChecker"
 };
+const CTX_ADMIN_USER = Symbol.for("security-suite:adminUser");
 const CHECK_INTERVAL = 5e3;
 const DEFAULT_AUTOLOGOUT_TIME = 30;
 const MS_PER_MINUTE = 6e4;
@@ -34,7 +44,6 @@ const HEADERS = {
   /** Required so the browser exposes custom headers in fetch responses. */
   EXPOSE_HEADERS: "Access-Control-Expose-Headers"
 };
-const ADMIN_TOKEN_FALLBACK = "email.admin";
 const ERROR_MESSAGES = {
   SETTINGS_NOT_FOUND: "Security settings not found.",
   INSUFFICIENT_PERMISSIONS: "Insufficient permissions.",
@@ -58,7 +67,7 @@ const DEFAULT_SETTINGS = {
 };
 const VALID_SETTINGS_KEYS = new Set(Object.keys(DEFAULT_SETTINGS));
 async function trackActivity(ctx, next) {
-  const adminUser = ctx.session?.user;
+  const adminUser = ctx.state[CTX_ADMIN_USER];
   let key = adminUser?.id ? `${adminUser.id}:${adminUser.email}` : null;
   const bearerToken = ctx.get("authorization")?.split("Bearer ")[1];
   if (bearerToken && revokedConnectionTokens.has(bearerToken)) {
@@ -73,7 +82,9 @@ async function trackActivity(ctx, next) {
     return;
   }
   if (ctx.path.includes(LOGOUT_PATH)) {
-    ctx.session = null;
+    if (ctx.session !== void 0) {
+      ctx.session = null;
+    }
     key = null;
   }
   if (key) {
@@ -83,14 +94,22 @@ async function trackActivity(ctx, next) {
   await next();
 }
 const loginLocks = /* @__PURE__ */ new Set();
+function cleanupLoginState(ctx) {
+  const email = ctx.request.body?.email;
+  loginLocks.delete(email);
+  if (email && ctx.status < 400) {
+    revokedTokenSet.delete(email);
+  }
+}
 async function preventMultipleSessions(ctx, next) {
   const isLoginPost = ctx.path === LOGIN_PATH && ctx.method === "POST";
-  const alreadyAdmin = ctx.session?.user;
   if (!isLoginPost) {
     return await next();
   }
-  if (alreadyAdmin) {
-    strapi.log.debug(`[${PLUGIN_ID}] Skipping session lock. ${JSON.stringify(alreadyAdmin)}`);
+  if (ctx.state[CTX_ADMIN_USER]) {
+    strapi.log.debug(
+      `[${PLUGIN_ID}] Skipping session lock. ${JSON.stringify(ctx.state[CTX_ADMIN_USER])}`
+    );
     return await next();
   }
   try {
@@ -124,22 +143,21 @@ async function preventMultipleSessions(ctx, next) {
   try {
     await next();
   } finally {
-    if (ctx.path === LOGIN_PATH && ctx.method === "POST") {
-      const email = ctx.request.body?.email;
-      loginLocks.delete(email);
-    }
+    cleanupLoginState(ctx);
   }
 }
 async function rejectRevokedTokens(ctx, next) {
-  const sessionUser = ctx.session?.user;
-  if (!sessionUser?.email) return await next();
-  const { id, email: adminEmail } = sessionUser;
+  const adminUser = ctx.state[CTX_ADMIN_USER];
+  if (!adminUser?.email) return await next();
+  const { id, email: adminEmail } = adminUser;
   const key = id && adminEmail ? `${id}:${adminEmail}` : null;
   try {
     if (adminEmail && revokedTokenSet.has(adminEmail)) {
       ctx.set(HEADERS.ADMIN_TOKEN_SIGNAL, adminEmail);
       ctx.set(HEADERS.EXPOSE_HEADERS, HEADERS.ADMIN_TOKEN_SIGNAL);
-      ctx.session = null;
+      if (ctx.session !== void 0) {
+        ctx.session = null;
+      }
       ctx.cookies.set(COOKIES.REFRESH_TOKEN, "", {
         expires: /* @__PURE__ */ new Date(0),
         path: "/admin",
@@ -147,7 +165,7 @@ async function rejectRevokedTokens(ctx, next) {
       });
       const bearerToken = ctx.get("authorization")?.split("Bearer ")[1];
       if (bearerToken) {
-        revokedConnectionTokens.add(bearerToken);
+        revokedConnectionTokens.set(bearerToken, Date.now());
       }
       sessionActivityMap.delete(key);
       revokedTokenSet.delete(adminEmail);
@@ -170,29 +188,27 @@ async function rejectRevokedTokens(ctx, next) {
 }
 async function interceptRenewToken(ctx, next) {
   if (ctx.path.includes(LOGOUT_PATH)) {
-    const adminUser = ctx.session?.user;
+    const adminUser = ctx.state[CTX_ADMIN_USER];
     strapi.log.debug(`[${PLUGIN_ID}] Logout captured: ${JSON.stringify(adminUser)}`);
     if (adminUser?.id) {
       strapi.plugin(PLUGIN_ID).service(SERVICES.AUTO_LOGOUT_CHECKER).clearSessionActivity(adminUser.id, adminUser.email);
       const bearerToken = ctx.get("authorization")?.split("Bearer ")[1];
       if (bearerToken) {
-        revokedConnectionTokens.add(bearerToken);
+        revokedConnectionTokens.set(bearerToken, Date.now());
+      }
+      if (ctx.session !== void 0) {
+        ctx.session = null;
       }
-      ctx.session = null;
       sessionActivityMap.delete(`${adminUser.id}:${adminUser.email}`);
     }
     await next();
     return;
   }
   if (ctx.path.includes(ACCESS_TOKEN_PATH) || ctx.path.includes(CONTENT_PATH)) {
-    const { email } = ctx.session?.user || {};
-    if (!email) {
-      ctx.set(HEADERS.ADMIN_TOKEN_SIGNAL, ADMIN_TOKEN_FALLBACK);
-      ctx.set(HEADERS.EXPOSE_HEADERS, HEADERS.ADMIN_TOKEN_SIGNAL);
-      await next();
-      return;
+    const adminUser = ctx.state[CTX_ADMIN_USER];
+    if (adminUser?.email) {
+      strapi.log.debug(`[${PLUGIN_ID}] Token renewal intercepted for ${adminUser.email}`);
     }
-    strapi.log.debug(`[${PLUGIN_ID}] Token renewal intercepted for ${email}`);
   }
   await next();
 }
@@ -205,9 +221,8 @@ async function seedUserInfos(ctx, next) {
     const token = authHeader.split("Bearer ")[1];
     if (!token) return await next();
     const decodedToken = jwt.decode(token);
-    const session = ctx.session?.user ?? null;
     const adminId = decodedToken?.userId;
-    if (!adminId || session?.id) {
+    if (!adminId || ctx.state[CTX_ADMIN_USER]?.id) {
       return await next();
     }
     const adminUser = await strapi.db.query("admin::user").findOne({
@@ -218,25 +233,18 @@ async function seedUserInfos(ctx, next) {
       strapi.log.debug(`[${PLUGIN_ID}] No admin user found with ID ${adminId}`);
       return await next();
     }
-    if (revokedTokenSet.has(adminUser.email)) {
-      strapi.log.debug(
-        `[${PLUGIN_ID}] Admin ${adminUser.email} is in revoked set — skipping hydration`
-      );
-      return await next();
-    }
-    const userInfos = {
+    ctx.state[CTX_ADMIN_USER] = {
       id: adminUser.id,
       email: adminUser.email,
       firstname: adminUser.firstname,
       lastname: adminUser.lastname,
       roles: adminUser.roles
     };
-    ctx.session.user = userInfos;
     const key = `${adminUser.id}:${adminUser.email}`;
     if (!sessionActivityMap.has(key)) {
       sessionActivityMap.set(key, Date.now());
     }
-    strapi.log.debug(`[${PLUGIN_ID}] Session hydrated for admin ${adminUser.email}`);
+    strapi.log.debug(`[${PLUGIN_ID}] Admin identified: ${adminUser.email}`);
     return await next();
   } catch (error) {
     strapi.log.error(`[${PLUGIN_ID}] Failed to decode or hydrate admin token:`, error);
@@ -554,6 +562,7 @@ const autoLogoutChecker = ({ strapi: strapi2 }) => ({
     }
     interval = setInterval(async () => {
       try {
+        pruneExpiredTokens();
         const settings = await strapi2.documents(CONTENT_TYPES.SECURITY_SETTINGS).findFirst({});
         const autoLogoutTime = (settings?.autoLogoutTime ?? DEFAULT_AUTOLOGOUT_TIME) * MS_PER_MINUTE;
         const now = Date.now();

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "strapi-security-suite",
-  "version": "0.3.0",
+  "version": "0.3.1",
   "description": "All-in-one authentication and session security plugin for Strapi v5",
   "license": "MIT",
   "author": "(LPIX-11) <mohamed.johnson@orange-sonatel.com>",