strapi-security-suite 0.3.1 → 0.3.3

package/dist/server/index.js

@@ -39,7 +39,9 @@ const COOKIES = {
   SESSION: "koa.sess",
   SESSION_SIG: "koa.sess.sig",
   /** Strapi v5 admin refresh-token cookie (managed by session manager). */
-  REFRESH_TOKEN: "strapi_admin_refresh"
+  REFRESH_TOKEN: "strapi_admin_refresh",
+  /** JWT access-token cookie set by Strapi EE SSO authentication flow. */
+  JWT_TOKEN: "jwtToken"
 };
 const HEADERS = {
   /** Header that signals the frontend to force-reload (session revoked). */
@@ -69,6 +71,52 @@ const DEFAULT_SETTINGS = {
   enablePasswordManagement: true
 };
 const VALID_SETTINGS_KEYS = new Set(Object.keys(DEFAULT_SETTINGS));
+class PluginError extends Error {
+  /**
+   * @param {string} message - Internal message (for logs)
+   * @param {string} sanitizedMessage - Safe message for the client
+   * @param {number} [statusCode=400] - HTTP status code
+   */
+  constructor(message, sanitizedMessage, statusCode = HTTP_STATUS.BAD_REQUEST) {
+    super(message);
+    this.name = "PluginError";
+    this.sanitizedMessage = sanitizedMessage;
+    this.statusCode = statusCode;
+  }
+}
+class ValidationError extends PluginError {
+  /**
+   * @param {string} message - Internal message
+   * @param {string} [sanitizedMessage='Validation failed.'] - Client-safe message
+   */
+  constructor(message, sanitizedMessage = "Validation failed.") {
+    super(message, sanitizedMessage, HTTP_STATUS.BAD_REQUEST);
+    this.name = "ValidationError";
+  }
+}
+function clearSessionCookies(ctx) {
+  if (ctx.session !== void 0) {
+    ctx.session = null;
+  }
+  const expireOpts = { expires: /* @__PURE__ */ new Date(0), path: "/", httpOnly: true };
+  ctx.cookies.set(COOKIES.SESSION, "", expireOpts);
+  ctx.cookies.set(COOKIES.SESSION_SIG, "", expireOpts);
+  ctx.cookies.set(COOKIES.REFRESH_TOKEN, "", {
+    expires: /* @__PURE__ */ new Date(0),
+    path: "/admin",
+    httpOnly: true
+  });
+  const configuredSecure = strapi.config.get("admin.auth.cookie.secure");
+  const isProduction = process.env.NODE_ENV === "production";
+  const jwtClearOpts = {
+    expires: /* @__PURE__ */ new Date(0),
+    httpOnly: false,
+    secure: typeof configuredSecure === "boolean" ? configuredSecure : isProduction,
+    domain: strapi.config.get("admin.auth.domain"),
+    overwrite: true
+  };
+  ctx.cookies.set(COOKIES.JWT_TOKEN, "", jwtClearOpts);
+}
 async function trackActivity(ctx, next) {
   const adminUser = ctx.state[CTX_ADMIN_USER];
   let key = adminUser?.id ? `${adminUser.id}:${adminUser.email}` : null;
@@ -85,9 +133,7 @@ async function trackActivity(ctx, next) {
     return;
   }
   if (ctx.path.includes(LOGOUT_PATH)) {
-    if (ctx.session !== void 0) {
-      ctx.session = null;
-    }
+    clearSessionCookies(ctx);
     key = null;
   }
   if (key) {
@@ -158,14 +204,7 @@ async function rejectRevokedTokens(ctx, next) {
     if (adminEmail && revokedTokenSet.has(adminEmail)) {
       ctx.set(HEADERS.ADMIN_TOKEN_SIGNAL, adminEmail);
       ctx.set(HEADERS.EXPOSE_HEADERS, HEADERS.ADMIN_TOKEN_SIGNAL);
-      if (ctx.session !== void 0) {
-        ctx.session = null;
-      }
-      ctx.cookies.set(COOKIES.REFRESH_TOKEN, "", {
-        expires: /* @__PURE__ */ new Date(0),
-        path: "/admin",
-        httpOnly: true
-      });
+      clearSessionCookies(ctx);
       const bearerToken = ctx.get("authorization")?.split("Bearer ")[1];
       if (bearerToken) {
         revokedConnectionTokens.set(bearerToken, Date.now());
@@ -199,9 +238,7 @@ async function interceptRenewToken(ctx, next) {
       if (bearerToken) {
         revokedConnectionTokens.set(bearerToken, Date.now());
       }
-      if (ctx.session !== void 0) {
-        ctx.session = null;
-      }
+      clearSessionCookies(ctx);
       sessionActivityMap.delete(`${adminUser.id}:${adminUser.email}`);
     }
     await next();
@@ -381,29 +418,6 @@ const securitySettings = {
 const contentTypes = {
   "security-settings": securitySettings
 };
-class PluginError extends Error {
-  /**
-   * @param {string} message - Internal message (for logs)
-   * @param {string} sanitizedMessage - Safe message for the client
-   * @param {number} [statusCode=400] - HTTP status code
-   */
-  constructor(message, sanitizedMessage, statusCode = HTTP_STATUS.BAD_REQUEST) {
-    super(message);
-    this.name = "PluginError";
-    this.sanitizedMessage = sanitizedMessage;
-    this.statusCode = statusCode;
-  }
-}
-class ValidationError extends PluginError {
-  /**
-   * @param {string} message - Internal message
-   * @param {string} [sanitizedMessage='Validation failed.'] - Client-safe message
-   */
-  constructor(message, sanitizedMessage = "Validation failed.") {
-    super(message, sanitizedMessage, HTTP_STATUS.BAD_REQUEST);
-    this.name = "ValidationError";
-  }
-}
 const validateSettingsPayload = (body) => {
   if (!body || typeof body !== "object" || Array.isArray(body)) {
     throw new ValidationError(

package/dist/server/index.mjs

@@ -36,7 +36,9 @@ const COOKIES = {
   SESSION: "koa.sess",
   SESSION_SIG: "koa.sess.sig",
   /** Strapi v5 admin refresh-token cookie (managed by session manager). */
-  REFRESH_TOKEN: "strapi_admin_refresh"
+  REFRESH_TOKEN: "strapi_admin_refresh",
+  /** JWT access-token cookie set by Strapi EE SSO authentication flow. */
+  JWT_TOKEN: "jwtToken"
 };
 const HEADERS = {
   /** Header that signals the frontend to force-reload (session revoked). */
@@ -66,6 +68,52 @@ const DEFAULT_SETTINGS = {
   enablePasswordManagement: true
 };
 const VALID_SETTINGS_KEYS = new Set(Object.keys(DEFAULT_SETTINGS));
+class PluginError extends Error {
+  /**
+   * @param {string} message - Internal message (for logs)
+   * @param {string} sanitizedMessage - Safe message for the client
+   * @param {number} [statusCode=400] - HTTP status code
+   */
+  constructor(message, sanitizedMessage, statusCode = HTTP_STATUS.BAD_REQUEST) {
+    super(message);
+    this.name = "PluginError";
+    this.sanitizedMessage = sanitizedMessage;
+    this.statusCode = statusCode;
+  }
+}
+class ValidationError extends PluginError {
+  /**
+   * @param {string} message - Internal message
+   * @param {string} [sanitizedMessage='Validation failed.'] - Client-safe message
+   */
+  constructor(message, sanitizedMessage = "Validation failed.") {
+    super(message, sanitizedMessage, HTTP_STATUS.BAD_REQUEST);
+    this.name = "ValidationError";
+  }
+}
+function clearSessionCookies(ctx) {
+  if (ctx.session !== void 0) {
+    ctx.session = null;
+  }
+  const expireOpts = { expires: /* @__PURE__ */ new Date(0), path: "/", httpOnly: true };
+  ctx.cookies.set(COOKIES.SESSION, "", expireOpts);
+  ctx.cookies.set(COOKIES.SESSION_SIG, "", expireOpts);
+  ctx.cookies.set(COOKIES.REFRESH_TOKEN, "", {
+    expires: /* @__PURE__ */ new Date(0),
+    path: "/admin",
+    httpOnly: true
+  });
+  const configuredSecure = strapi.config.get("admin.auth.cookie.secure");
+  const isProduction = process.env.NODE_ENV === "production";
+  const jwtClearOpts = {
+    expires: /* @__PURE__ */ new Date(0),
+    httpOnly: false,
+    secure: typeof configuredSecure === "boolean" ? configuredSecure : isProduction,
+    domain: strapi.config.get("admin.auth.domain"),
+    overwrite: true
+  };
+  ctx.cookies.set(COOKIES.JWT_TOKEN, "", jwtClearOpts);
+}
 async function trackActivity(ctx, next) {
   const adminUser = ctx.state[CTX_ADMIN_USER];
   let key = adminUser?.id ? `${adminUser.id}:${adminUser.email}` : null;
@@ -82,9 +130,7 @@ async function trackActivity(ctx, next) {
     return;
   }
   if (ctx.path.includes(LOGOUT_PATH)) {
-    if (ctx.session !== void 0) {
-      ctx.session = null;
-    }
+    clearSessionCookies(ctx);
     key = null;
   }
   if (key) {
@@ -155,14 +201,7 @@ async function rejectRevokedTokens(ctx, next) {
     if (adminEmail && revokedTokenSet.has(adminEmail)) {
       ctx.set(HEADERS.ADMIN_TOKEN_SIGNAL, adminEmail);
       ctx.set(HEADERS.EXPOSE_HEADERS, HEADERS.ADMIN_TOKEN_SIGNAL);
-      if (ctx.session !== void 0) {
-        ctx.session = null;
-      }
-      ctx.cookies.set(COOKIES.REFRESH_TOKEN, "", {
-        expires: /* @__PURE__ */ new Date(0),
-        path: "/admin",
-        httpOnly: true
-      });
+      clearSessionCookies(ctx);
       const bearerToken = ctx.get("authorization")?.split("Bearer ")[1];
       if (bearerToken) {
         revokedConnectionTokens.set(bearerToken, Date.now());
@@ -196,9 +235,7 @@ async function interceptRenewToken(ctx, next) {
       if (bearerToken) {
         revokedConnectionTokens.set(bearerToken, Date.now());
       }
-      if (ctx.session !== void 0) {
-        ctx.session = null;
-      }
+      clearSessionCookies(ctx);
       sessionActivityMap.delete(`${adminUser.id}:${adminUser.email}`);
     }
     await next();
@@ -378,29 +415,6 @@ const securitySettings = {
 const contentTypes = {
   "security-settings": securitySettings
 };
-class PluginError extends Error {
-  /**
-   * @param {string} message - Internal message (for logs)
-   * @param {string} sanitizedMessage - Safe message for the client
-   * @param {number} [statusCode=400] - HTTP status code
-   */
-  constructor(message, sanitizedMessage, statusCode = HTTP_STATUS.BAD_REQUEST) {
-    super(message);
-    this.name = "PluginError";
-    this.sanitizedMessage = sanitizedMessage;
-    this.statusCode = statusCode;
-  }
-}
-class ValidationError extends PluginError {
-  /**
-   * @param {string} message - Internal message
-   * @param {string} [sanitizedMessage='Validation failed.'] - Client-safe message
-   */
-  constructor(message, sanitizedMessage = "Validation failed.") {
-    super(message, sanitizedMessage, HTTP_STATUS.BAD_REQUEST);
-    this.name = "ValidationError";
-  }
-}
 const validateSettingsPayload = (body) => {
   if (!body || typeof body !== "object" || Array.isArray(body)) {
     throw new ValidationError(

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-security-suite",
-  "version": "0.3.1",
+  "version": "0.3.3",
   "description": "All-in-one authentication and session security plugin for Strapi v5",
   "license": "MIT",
   "author": "(LPIX-11) <mohamed.johnson@orange-sonatel.com>",