@strapi/plugin-users-permissions 0.0.0-next.e9b6852d1c05518ff6e37d599321f7aa7aa0683b → 0.0.0-next.ee56af7ae29770097422de95c0d5500908dce15c

package/dist/_chunks/{th-WsknMEpq.mjs → th-DKyP7ueR.mjs}

@@ -57,4 +57,4 @@ const th = {
 export {
   th as default
 };
-//# sourceMappingURL=th-WsknMEpq.mjs.map
+//# sourceMappingURL=th-DKyP7ueR.mjs.map

package/dist/_chunks/th-DKyP7ueR.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"th-DKyP7ueR.mjs","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/dist/_chunks/{th-cbppX21D.js → th-DgVhVLhL.js}

@@ -57,4 +57,4 @@ const th = {
   "popUpWarning.warning.cancel": "คุณแน่ใจว่าต้องการยกเลิกการแก้ไขของคุณหรือไม่?"
 };
 exports.default = th;
-//# sourceMappingURL=th-cbppX21D.js.map
+//# sourceMappingURL=th-DgVhVLhL.js.map

package/dist/_chunks/th-DgVhVLhL.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"th-DgVhVLhL.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/dist/_chunks/{tr-6mm_Fmz7.js → tr-B_idhkEs.js}

@@ -82,4 +82,4 @@ const tr = {
   "popUpWarning.warning.cancel": "Değişiklikleri iptal etmek istediğinden emin misin?"
 };
 exports.default = tr;
-//# sourceMappingURL=tr-6mm_Fmz7.js.map
+//# sourceMappingURL=tr-B_idhkEs.js.map

package/dist/_chunks/tr-B_idhkEs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tr-B_idhkEs.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/dist/_chunks/{tr-_DB1F1GW.mjs → tr-qa1Q5UjC.mjs}

@@ -82,4 +82,4 @@ const tr = {
 export {
   tr as default
 };
-//# sourceMappingURL=tr-_DB1F1GW.mjs.map
+//# sourceMappingURL=tr-qa1Q5UjC.mjs.map

package/dist/_chunks/tr-qa1Q5UjC.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"tr-qa1Q5UjC.mjs","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/dist/_chunks/{uk-yxMSQAwI.mjs → uk-BmRqbeQc.mjs}

@@ -46,4 +46,4 @@ const uk = {
 export {
   uk as default
 };
-//# sourceMappingURL=uk-yxMSQAwI.mjs.map
+//# sourceMappingURL=uk-BmRqbeQc.mjs.map

package/dist/_chunks/uk-BmRqbeQc.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"uk-BmRqbeQc.mjs","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/dist/_chunks/{uk-sI2I1ogF.js → uk-LHOivnhP.js}

@@ -46,4 +46,4 @@ const uk = {
   "plugin.description.short": "Захистіть API за допомогою процесу аутентифікації на основі JWT"
 };
 exports.default = uk;
-//# sourceMappingURL=uk-sI2I1ogF.js.map
+//# sourceMappingURL=uk-LHOivnhP.js.map

package/dist/_chunks/uk-LHOivnhP.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"uk-LHOivnhP.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/dist/_chunks/{vi-A3zJxaiI.js → vi-CdVRdKDw.js}

@@ -47,4 +47,4 @@ const vi = {
   "plugin.name": "Vai trò và Quyền"
 };
 exports.default = vi;
-//# sourceMappingURL=vi-A3zJxaiI.js.map
+//# sourceMappingURL=vi-CdVRdKDw.js.map

package/dist/_chunks/vi-CdVRdKDw.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vi-CdVRdKDw.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/dist/_chunks/{vi-xY0zCW3d.mjs → vi-HW-EdMea.mjs}

@@ -47,4 +47,4 @@ const vi = {
 export {
   vi as default
 };
-//# sourceMappingURL=vi-xY0zCW3d.mjs.map
+//# sourceMappingURL=vi-HW-EdMea.mjs.map

package/dist/_chunks/vi-HW-EdMea.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"vi-HW-EdMea.mjs","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/dist/_chunks/{zh-OFeldzbX.mjs → zh-5hKkVPA4.mjs}

@@ -83,4 +83,4 @@ const zh = {
 export {
   zh as default
 };
-//# sourceMappingURL=zh-OFeldzbX.mjs.map
+//# sourceMappingURL=zh-5hKkVPA4.mjs.map

package/dist/_chunks/zh-5hKkVPA4.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"zh-5hKkVPA4.mjs","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/dist/_chunks/{zh-72SpmFXa.js → zh-Cuq8gMnF.js}

@@ -83,4 +83,4 @@ const zh = {
   "popUpWarning.warning.cancel": "您確定要取消變更嗎？"
 };
 exports.default = zh;
-//# sourceMappingURL=zh-72SpmFXa.js.map
+//# sourceMappingURL=zh-Cuq8gMnF.js.map

package/dist/_chunks/zh-Cuq8gMnF.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"zh-Cuq8gMnF.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/dist/_chunks/{zh-Hans-E84cu4kP.mjs → zh-Hans-BHilK-yc.mjs}

@@ -83,4 +83,4 @@ const zhHans = {
 export {
   zhHans as default
 };
-//# sourceMappingURL=zh-Hans-E84cu4kP.mjs.map
+//# sourceMappingURL=zh-Hans-BHilK-yc.mjs.map

package/dist/_chunks/zh-Hans-BHilK-yc.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"zh-Hans-BHilK-yc.mjs","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/dist/_chunks/{zh-Hans-ArWWtyP4.js → zh-Hans-GQDMKtY4.js}

@@ -83,4 +83,4 @@ const zhHans = {
   "popUpWarning.warning.cancel": "你确定你要取消你的修改？"
 };
 exports.default = zhHans;
-//# sourceMappingURL=zh-Hans-ArWWtyP4.js.map
+//# sourceMappingURL=zh-Hans-GQDMKtY4.js.map

package/dist/_chunks/zh-Hans-GQDMKtY4.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"zh-Hans-GQDMKtY4.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/dist/admin/index.js

@@ -1,5 +1,4 @@
 "use strict";
-const index = require("../_chunks/index-f7pS9YU1.js");
-require("@strapi/helper-plugin");
+const index = require("../_chunks/index--y8LTL2j.js");
 module.exports = index.index;
 //# sourceMappingURL=index.js.map

package/dist/admin/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;"}
+{"version":3,"file":"index.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;"}

package/dist/admin/index.mjs

@@ -1,5 +1,4 @@
-import { i } from "../_chunks/index-M6VUX9Xe.mjs";
-import "@strapi/helper-plugin";
+import { i } from "../_chunks/index-DsXSu1tx.mjs";
 export {
   i as default
 };

package/dist/admin/index.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"index.mjs","sources":[],"sourcesContent":[],"names":[],"mappings":";;"}
+{"version":3,"file":"index.mjs","sources":[],"sourcesContent":[],"names":[],"mappings":";"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/plugin-users-permissions",
-  "version": "0.0.0-next.e9b6852d1c05518ff6e37d599321f7aa7aa0683b",
+  "version": "0.0.0-next.ee56af7ae29770097422de95c0d5500908dce15c",
   "description": "Protect your API with a full-authentication process based on JWT",
   "repository": {
     "type": "git",
@@ -27,9 +27,9 @@
       "default": "./dist/admin/index.js"
     },
     "./strapi-server": {
-      "source": "./strapi-server.js",
-      "require": "./strapi-server.js",
-      "default": "./strapi-server.js"
+      "source": "./server/index.js",
+      "require": "./server/index.js",
+      "default": "./server/index.js"
     },
     "./package.json": "./package.json"
   },
@@ -46,48 +46,47 @@
     "watch": "pack-up watch"
   },
   "dependencies": {
-    "@strapi/design-system": "1.19.0",
-    "@strapi/helper-plugin": "0.0.0-next.e9b6852d1c05518ff6e37d599321f7aa7aa0683b",
-    "@strapi/icons": "1.19.0",
-    "@strapi/utils": "0.0.0-next.e9b6852d1c05518ff6e37d599321f7aa7aa0683b",
+    "@strapi/design-system": "2.0.0-rc.11",
+    "@strapi/icons": "2.0.0-rc.11",
+    "@strapi/utils": "0.0.0-next.ee56af7ae29770097422de95c0d5500908dce15c",
     "bcryptjs": "2.4.3",
-    "formik": "2.4.0",
+    "formik": "2.4.5",
     "grant-koa": "5.4.8",
-    "immer": "9.0.19",
+    "immer": "9.0.21",
     "jsonwebtoken": "9.0.0",
     "jwk-to-pem": "2.0.5",
-    "koa": "2.13.4",
-    "koa2-ratelimit": "^1.1.2",
+    "koa": "2.15.2",
+    "koa2-ratelimit": "^1.1.3",
     "lodash": "4.17.21",
     "prop-types": "^15.8.1",
     "purest": "4.0.2",
-    "react-intl": "6.4.1",
+    "react-intl": "6.6.2",
     "react-query": "3.39.3",
-    "react-redux": "8.1.1",
+    "react-redux": "8.1.3",
     "url-join": "4.0.1",
     "yup": "0.32.9"
   },
   "devDependencies": {
-    "@strapi/pack-up": "4.23.0",
-    "@strapi/strapi": "0.0.0-next.e9b6852d1c05518ff6e37d599321f7aa7aa0683b",
-    "@testing-library/dom": "9.2.0",
-    "@testing-library/react": "14.0.0",
-    "@testing-library/user-event": "14.4.3",
+    "@strapi/pack-up": "5.0.0",
+    "@strapi/strapi": "0.0.0-next.ee56af7ae29770097422de95c0d5500908dce15c",
+    "@testing-library/dom": "10.1.0",
+    "@testing-library/react": "15.0.7",
+    "@testing-library/user-event": "14.5.2",
     "msw": "1.3.0",
-    "react": "^18.2.0",
-    "react-dom": "^18.2.0",
-    "react-router-dom": "5.3.4",
-    "styled-components": "5.3.3"
+    "react": "18.3.1",
+    "react-dom": "18.3.1",
+    "react-router-dom": "6.22.3",
+    "styled-components": "6.1.8"
   },
   "peerDependencies": {
-    "@strapi/strapi": "^4.0.0",
+    "@strapi/strapi": "^5.0.0 || ^5.0.0-beta || ^5.0.0-alpha || ^5.0.0-rc",
     "react": "^17.0.0 || ^18.0.0",
     "react-dom": "^17.0.0 || ^18.0.0",
-    "react-router-dom": "^5.2.0",
-    "styled-components": "^5.2.1"
+    "react-router-dom": "^6.0.0",
+    "styled-components": "^6.0.0"
   },
   "engines": {
-    "node": ">=18.0.0 <=20.x.x",
+    "node": ">=18.0.0 <=22.x.x",
     "npm": ">=6.0.0"
   },
   "strapi": {
@@ -97,5 +96,5 @@
     "required": true,
     "kind": "plugin"
   },
-  "gitHead": "e9b6852d1c05518ff6e37d599321f7aa7aa0683b"
+  "gitHead": "ee56af7ae29770097422de95c0d5500908dce15c"
 }

package/server/bootstrap/index.js

@@ -9,25 +9,26 @@
  */
 const crypto = require('crypto');
 const _ = require('lodash');
-const urljoin = require('url-join');
-const { isArray } = require('lodash/fp');
 const { getService } = require('../utils');
-const getGrantConfig = require('./grant-config');
-
 const usersPermissionsActions = require('./users-permissions-actions');
-const userSchema = require('../content-types/user');
 
 const initGrant = async (pluginStore) => {
-  const apiPrefix = strapi.config.get('api.rest.prefix');
-  const baseURL = urljoin(strapi.config.server.url, apiPrefix, 'auth');
+  const allProviders = getService('providers-registry').getAll();
+
+  const grantConfig = Object.entries(allProviders).reduce((acc, [name, provider]) => {
+    const { icon, enabled, grantConfig } = provider;
 
-  const grantConfig = getGrantConfig(baseURL);
+    acc[name] = {
+      icon,
+      enabled,
+      ...grantConfig,
+    };
+    return acc;
+  }, {});
 
   const prevGrantConfig = (await pluginStore.get({ key: 'grant' })) || {};
-  // store grant auth config to db
-  // when plugin_users-permissions_grant is not existed in db
-  // or we have added/deleted provider here.
-  if (!prevGrantConfig || !_.isEqual(_.keys(prevGrantConfig), _.keys(grantConfig))) {
+
+  if (!prevGrantConfig || !_.isEqual(prevGrantConfig, grantConfig)) {
     // merge with the previous provider config.
     _.keys(grantConfig).forEach((key) => {
       if (key in prevGrantConfig) {
@@ -99,27 +100,6 @@ const initAdvancedOptions = async (pluginStore) => {
   }
 };
 
-const userSchemaAdditions = () => {
-  const defaultSchema = Object.keys(userSchema.attributes);
-  const currentSchema = Object.keys(
-    strapi.contentTypes['plugin::users-permissions.user'].attributes
-  );
-
-  // Some dynamic fields may not have been initialized yet, so we need to ignore them
-  // TODO: we should have a global method for finding these
-  const ignoreDiffs = [
-    'createdBy',
-    'createdAt',
-    'updatedBy',
-    'updatedAt',
-    'publishedAt',
-    'strapi_stage',
-    'strapi_assignee',
-  ];
-
-  return currentSchema.filter((key) => !(ignoreDiffs.includes(key) || defaultSchema.includes(key)));
-};
-
 module.exports = async ({ strapi }) => {
   const pluginStore = strapi.store({ type: 'plugin', name: 'users-permissions' });
 
@@ -127,13 +107,13 @@ module.exports = async ({ strapi }) => {
   await initEmails(pluginStore);
   await initAdvancedOptions(pluginStore);
 
-  await strapi.admin.services.permission.actionProvider.registerMany(
-    usersPermissionsActions.actions
-  );
+  await strapi
+    .service('admin::permission')
+    .actionProvider.registerMany(usersPermissionsActions.actions);
 
   await getService('users-permissions').initialize();
 
-  if (!strapi.config.get('plugin.users-permissions.jwtSecret')) {
+  if (!strapi.config.get('plugin::users-permissions.jwtSecret')) {
     if (process.env.NODE_ENV !== 'development') {
       throw new Error(
         `Missing jwtSecret. Please, set configuration variable "jwtSecret" for the users-permissions plugin in config/plugins.js (ex: you can generate one using Node with \`crypto.randomBytes(16).toString('base64')\`).
@@ -143,7 +123,7 @@ For security reasons, prefer storing the secret in an environment variable and r
 
     const jwtSecret = crypto.randomBytes(16).toString('base64');
 
-    strapi.config.set('plugin.users-permissions.jwtSecret', jwtSecret);
+    strapi.config.set('plugin::users-permissions.jwtSecret', jwtSecret);
 
     if (!process.env.JWT_SECRET) {
       const envPath = process.env.ENV_PATH || '.env';
@@ -153,17 +133,4 @@ For security reasons, prefer storing the secret in an environment variable and r
       );
     }
   }
-
-  // TODO v5: Remove this block of code and default allowedFields to empty array
-  if (!isArray(strapi.config.get('plugin.users-permissions.register.allowedFields'))) {
-    const modifications = userSchemaAdditions();
-    if (modifications.length > 0) {
-      // if there is a potential vulnerability, show a warning
-      strapi.log.warn(
-        `Users-permissions registration has defaulted to accepting the following additional user fields during registration: ${modifications.join(
-          ','
-        )}`
-      );
-    }
-  }
 };

package/server/content-types/user/index.js

@@ -12,7 +12,6 @@ module.exports = {
     displayName: 'User',
   },
   options: {
-    draftAndPublish: false,
     timestamps: true,
   },
   attributes: {

package/server/controllers/auth.js

@@ -11,9 +11,6 @@ const crypto = require('crypto');
 const _ = require('lodash');
 const { concat, compact, isArray } = require('lodash/fp');
 const utils = require('@strapi/utils');
-const {
-  contentTypes: { getNonWritableAttributes },
-} = require('@strapi/utils');
 const { getService } = require('../utils');
 const {
   validateCallbackBody,
@@ -25,17 +22,16 @@ const {
   validateChangePasswordBody,
 } = require('./validation/auth');
 
-const { getAbsoluteAdminUrl, getAbsoluteServerUrl, sanitize } = utils;
 const { ApplicationError, ValidationError, ForbiddenError } = utils.errors;
 
 const sanitizeUser = (user, ctx) => {
   const { auth } = ctx.state;
   const userSchema = strapi.getModel('plugin::users-permissions.user');
 
-  return sanitize.contentAPI.output(user, userSchema, { auth });
+  return strapi.contentAPI.sanitize.output(user, userSchema, { auth });
 };
 
-module.exports = {
+module.exports = ({ strapi }) => ({
   async callback(ctx) {
     const provider = ctx.params.provider || 'local';
     const params = ctx.request.body;
@@ -55,7 +51,7 @@ module.exports = {
       const { identifier } = params;
 
       // Check if the user exists.
-      const user = await strapi.query('plugin::users-permissions.user').findOne({
+      const user = await strapi.db.query('plugin::users-permissions.user').findOne({
         where: {
           provider,
           $or: [{ email: identifier.toLowerCase() }, { username: identifier }],
@@ -118,13 +114,17 @@ module.exports = {
       throw new ApplicationError('You must be authenticated to reset your password');
     }
 
-    const { currentPassword, password } = await validateChangePasswordBody(ctx.request.body);
+    const validations = strapi.config.get('plugin::users-permissions.validationRules');
 
-    const user = await strapi.entityService.findOne(
-      'plugin::users-permissions.user',
-      ctx.state.user.id
+    const { currentPassword, password } = await validateChangePasswordBody(
+      ctx.request.body,
+      validations
     );
 
+    const user = await strapi.db
+      .query('plugin::users-permissions.user')
+      .findOne({ where: { id: ctx.state.user.id } });
+
     const validPassword = await getService('user').validatePassword(currentPassword, user.password);
 
     if (!validPassword) {
@@ -144,15 +144,18 @@ module.exports = {
   },
 
   async resetPassword(ctx) {
+    const validations = strapi.config.get('plugin::users-permissions.validationRules');
+
     const { password, passwordConfirmation, code } = await validateResetPasswordBody(
-      ctx.request.body
+      ctx.request.body,
+      validations
     );
 
     if (password !== passwordConfirmation) {
       throw new ValidationError('Passwords do not match');
     }
 
-    const user = await strapi
+    const user = await strapi.db
       .query('plugin::users-permissions.user')
       .findOne({ where: { resetPasswordToken: code } });
 
@@ -237,7 +240,7 @@ module.exports = {
     const advancedSettings = await pluginStore.get({ key: 'advanced' });
 
     // Find the user by email.
-    const user = await strapi
+    const user = await strapi.db
       .query('plugin::users-permissions.user')
       .findOne({ where: { email: email.toLowerCase() } });
 
@@ -255,8 +258,8 @@ module.exports = {
       resetPasswordSettings.message,
       {
         URL: advancedSettings.email_reset_password,
-        SERVER_URL: getAbsoluteServerUrl(strapi.config),
-        ADMIN_URL: getAbsoluteAdminUrl(strapi.config),
+        SERVER_URL: strapi.config.get('server.absoluteUrl'),
+        ADMIN_URL: strapi.config.get('admin.absoluteUrl'),
         USER: userInfo,
         TOKEN: resetPasswordToken,
       }
@@ -299,55 +302,32 @@ module.exports = {
       throw new ApplicationError('Register action is currently disabled');
     }
 
-    const { register } = strapi.config.get('plugin.users-permissions');
+    const { register } = strapi.config.get('plugin::users-permissions');
     const alwaysAllowedKeys = ['username', 'password', 'email'];
-    const userModel = strapi.contentTypes['plugin::users-permissions.user'];
-    const { attributes } = userModel;
-
-    const nonWritable = getNonWritableAttributes(userModel);
 
+    // Note that we intentionally do not filter allowedFields to allow a project to explicitly accept private or other Strapi field on registration
     const allowedKeys = compact(
-      concat(
-        alwaysAllowedKeys,
-        isArray(register?.allowedFields)
-          ? // Note that we do not filter allowedFields in case a user explicitly chooses to allow a private or otherwise omitted field on registration
-            register.allowedFields // if null or undefined, compact will remove it
-          : // to prevent breaking changes, if allowedFields is not set in config, we only remove private and known dangerous user schema fields
-            // TODO V5: allowedFields defaults to [] when undefined and remove this case
-            Object.keys(attributes).filter(
-              (key) =>
-                !nonWritable.includes(key) &&
-                !attributes[key].private &&
-                ![
-                  // many of these are included in nonWritable, but we'll list them again to be safe and since we're removing this code in v5 anyway
-                  // Strapi user schema fields
-                  'confirmed',
-                  'blocked',
-                  'confirmationToken',
-                  'resetPasswordToken',
-                  'provider',
-                  'id',
-                  'role',
-                  // other Strapi fields that might be added
-                  'createdAt',
-                  'updatedAt',
-                  'createdBy',
-                  'updatedBy',
-                  'publishedAt', // d&p
-                  'strapi_reviewWorkflows_stage', // review workflows
-                ].includes(key)
-            )
-      )
+      concat(alwaysAllowedKeys, isArray(register?.allowedFields) ? register.allowedFields : [])
     );
 
+    // Check if there are any keys in requestBody that are not in allowedKeys
+    const invalidKeys = Object.keys(ctx.request.body).filter((key) => !allowedKeys.includes(key));
+
+    if (invalidKeys.length > 0) {
+      // If there are invalid keys, throw an error
+      throw new ValidationError(`Invalid parameters: ${invalidKeys.join(', ')}`);
+    }
+
     const params = {
       ..._.pick(ctx.request.body, allowedKeys),
       provider: 'local',
     };
 
-    await validateRegisterBody(params);
+    const validations = strapi.config.get('plugin::users-permissions.validationRules');
 
-    const role = await strapi
+    await validateRegisterBody(params, validations);
+
+    const role = await strapi.db
       .query('plugin::users-permissions.role')
       .findOne({ where: { type: settings.default_role } });
 
@@ -366,7 +346,7 @@ module.exports = {
       ],
     };
 
-    const conflictingUserCount = await strapi.query('plugin::users-permissions.user').count({
+    const conflictingUserCount = await strapi.db.query('plugin::users-permissions.user').count({
       where: { ...identifierFilter, provider },
     });
 
@@ -375,7 +355,7 @@ module.exports = {
     }
 
     if (settings.unique_email) {
-      const conflictingUserCount = await strapi.query('plugin::users-permissions.user').count({
+      const conflictingUserCount = await strapi.db.query('plugin::users-permissions.user').count({
         where: { ...identifierFilter },
       });
 
@@ -400,7 +380,8 @@ module.exports = {
       try {
         await getService('user').sendConfirmationEmail(sanitizedUser);
       } catch (err) {
-        throw new ApplicationError(err.message);
+        strapi.log.error(err);
+        throw new ApplicationError('Error sending confirmation email');
       }
 
       return ctx.send({ user: sanitizedUser });
@@ -445,7 +426,7 @@ module.exports = {
   async sendEmailConfirmation(ctx) {
     const { email } = await validateSendEmailConfirmationBody(ctx.request.body);
 
-    const user = await strapi.query('plugin::users-permissions.user').findOne({
+    const user = await strapi.db.query('plugin::users-permissions.user').findOne({
       where: { email: email.toLowerCase() },
     });
 
@@ -468,4 +449,4 @@ module.exports = {
       sent: true,
     });
   },
-};
+});