strapi-identity 0.1.2 → 0.3.0

package/dist/server/index.mjs

@@ -3,12 +3,71 @@ import require$$3 from "stream";
 import require$$5 from "util";
 import require$$1 from "crypto";
 import { TOTP, Secret } from "otpauth";
+const defaultConfig$1 = {
+  enabled: false,
+  enforce: false,
+  issuer: "Strapi",
+  from_email: "",
+  from_name: "",
+  response_email: "",
+  subject: "Your One-Time Password",
+  text: "Your one-time password is: <%= OTP %>",
+  message: `<div style="margin: 0; padding: 0;">
+  <table border="0" cellpadding="0" cellspacing="0" width="100%" bgcolor="#f9f9f9">
+        <tr>
+            <td align="center" style="padding: 40px 10px;">
+                <table border="0" cellpadding="0" cellspacing="0" width="600" bgcolor="#ffffff" style="border: 1px solid #dddddd;">
+                    <tr>
+                        <td align="center" style="padding: 40px 40px 20px 40px;">
+                            <font face="Arial, sans-serif" size="5" color="#333333">
+                                <strong>Verify Your Account</strong>
+                            </font>
+                        </td>
+                    </tr>
+                    <tr>
+                        <td align="center" style="padding: 0 40px 20px 40px;">
+                            <font face="Arial, sans-serif" size="3" color="#555555" style="line-height: 24px;">
+                                Please use the following one-time password to complete your registration. This code will expire in 10 minutes.
+                            </font>
+                        </td>
+                    </tr>
+                    <tr>
+                        <td align="center" style="padding: 20px 40px;">
+                            <table border="0" cellpadding="0" cellspacing="0">
+                                <tr>
+                                    <td align="center" bgcolor="#f4f4f4" style="padding: 20px 30px; font-family: Courier, monospace; font-size: 36px; color: #2d3436;">
+                                        <strong><%= OTP %></strong>
+                                    </td>
+                                </tr>
+                            </table>
+                        </td>
+                    </tr>
+                    <tr>
+                        <td align="center" style="padding: 20px 40px 40px 40px;">
+                            <font face="Arial, sans-serif" size="2" color="#888888">
+                                If you did not request this code, please ignore this email.
+                            </font>
+                        </td>
+                    </tr>
+                </table>
+                <table border="0" cellpadding="0" cellspacing="0" width="600">
+                    <tr>
+                        <td align="center" style="padding: 20px;">
+                            <font face="Arial, sans-serif" size="1" color="#aaaaaa">
+                                &copy; <%= YEAR %> Your Company Name
+                            </font>
+                        </td>
+                    </tr>
+                </table>
+            </td>
+        </tr>
+    </table>
+</div>`
+};
 const bootstrap = async () => {
   const config2 = strapi.documents("plugin::strapi-identity.strapi-identity-config");
   const existingConfig = await config2.count({});
-  if (!existingConfig) {
-    await config2.create({ data: { enabled: false, enforce: false, issuer: "Strapi" } });
-  }
+  if (!existingConfig) await config2.create({ data: defaultConfig$1 });
   strapi.admin.services.permission.actionProvider.registerMany([
     {
       uid: "settings.read",
@@ -3821,7 +3880,7 @@ function requireLodash() {
   (function(module, exports$1) {
     (function() {
       var undefined$1;
-      var VERSION = "4.17.21";
+      var VERSION = "4.17.23";
       var LARGE_ARRAY_SIZE = 200;
       var CORE_ERROR_TEXT = "Unsupported core-js use. Try https://npms.io/search?q=ponyfill.", FUNC_ERROR_TEXT = "Expected a function", INVALID_TEMPL_VAR_ERROR_TEXT = "Invalid `variable` option passed into `_.template`";
       var HASH_UNDEFINED = "__lodash_hash_undefined__";
@@ -5749,8 +5808,28 @@ function requireLodash() {
         }
         function baseUnset(object, path) {
           path = castPath(path, object);
-          object = parent(object, path);
-          return object == null || delete object[toKey(last(path))];
+          var index2 = -1, length = path.length;
+          if (!length) {
+            return true;
+          }
+          var isRootPrimitive = object == null || typeof object !== "object" && typeof object !== "function";
+          while (++index2 < length) {
+            var key = path[index2];
+            if (typeof key !== "string") {
+              continue;
+            }
+            if (key === "__proto__" && !hasOwnProperty.call(object, "__proto__")) {
+              return false;
+            }
+            if (key === "constructor" && index2 + 1 < length && typeof path[index2 + 1] === "string" && path[index2 + 1] === "prototype") {
+              if (isRootPrimitive && index2 === 0) {
+                continue;
+              }
+              return false;
+            }
+          }
+          var obj = parent(object, path);
+          return obj == null || delete obj[toKey(last(path))];
         }
         function baseUpdate(object, path, updater, customizer) {
           return baseSet(object, path, updater(baseGet(object, path)), customizer);
@@ -9533,14 +9612,14 @@ function requireJsonwebtoken() {
 var jsonwebtokenExports = requireJsonwebtoken();
 const jwt = /* @__PURE__ */ getDefaultExportFromCjs(jsonwebtokenExports);
 const register = ({ strapi: strapi2 }) => {
-  const adminPlugin = strapi2.admin;
-  const secret2 = strapi2.config.get("admin.auth.secret");
-  const domain = strapi2.config.get("admin.auth.domain");
-  const loginRoute = adminPlugin.routes.admin.routes.find(
+  const { admin: admin2, config: config2, server } = strapi2;
+  const secret2 = config2.get("admin.auth.secret");
+  const domain = config2.get("admin.auth.domain");
+  const loginRoute = admin2.routes.admin.routes.find(
     ({ method, path }) => method === "POST" && path === "/login"
   );
   if (loginRoute) replaceLogin(loginRoute, secret2, domain);
-  strapi2.server.use(async (ctx, next) => {
+  server.use(async (ctx, next) => {
     const mfaCookie = ctx.cookies.get("strapi_admin_mfa");
     if (mfaCookie && ctx.path.startsWith("/admin/auth")) {
       ctx.cookies.set("jwtToken", null, { expires: /* @__PURE__ */ new Date(0) });
@@ -9568,8 +9647,25 @@ const replaceLogin = (route2, secret2, domain) => {
       filters: { admin_user: { id: payload.userId }, enabled: true }
     });
     if (!exists) return;
+    if (exists.type === "email") {
+      try {
+        const adminUser = await strapi.db.query("admin::user").findOne({ where: { id: Number(payload.userId) }, select: ["email"] });
+        if (adminUser?.email) {
+          const otp = await strapi.service("plugin::strapi-identity.secret").generateEmailOTP(payload.userId, "login");
+          await strapi.service("plugin::strapi-identity.email").send(adminUser.email, otp);
+        }
+      } catch (err) {
+        console.log("Error sending login email OTP:", err);
+      }
+    }
     ctx.res.removeHeader("set-cookie");
-    const newPayload = { userId: payload.userId, deviceId, rememberMe, type: "mfa" };
+    const newPayload = {
+      userId: payload.userId,
+      deviceId,
+      rememberMe,
+      type: "mfa",
+      mfaType: exists.type
+    };
     const newToken = jwt.sign(newPayload, secret2, { expiresIn: "5m" });
     const expires = new Date(Date.now() + 5 * 60 * 1e3);
     const opt = { domain, httpOnly: false, overwrite: true, secure: ctx.request.secure, expires };
@@ -9582,12 +9678,27 @@ const config$4 = {
   validator() {
   }
 };
+const kind$3 = "collectionType";
+const collectionName$3 = "mfa-tokens";
+const info$3 = { "singularName": "mfa-token", "pluralName": "mfa-tokens", "displayName": "MFA Token" };
+const options$3 = { "draftAndPublish": false };
+const pluginOptions$3 = { "content-manager": { "visible": false }, "content-type-builder": { "visible": false } };
+const attributes$3 = { "admin_user": { "type": "relation", "relation": "oneToOne", "target": "admin::user" }, "enabled": { "type": "boolean", "default": false }, "type": { "type": "enumeration", "enum": ["totp", "hotp", "email"], "default": "totp" }, "secret": { "type": "string", "private": true }, "counter": { "type": "biginteger", "default": "0" }, "digits": { "type": "integer", "default": 6 }, "recovery_codes": { "type": "json", "private": true } };
+const schema$3 = {
+  kind: kind$3,
+  collectionName: collectionName$3,
+  info: info$3,
+  options: options$3,
+  pluginOptions: pluginOptions$3,
+  attributes: attributes$3
+};
+const mfaToken = { schema: schema$3 };
 const kind$2 = "collectionType";
-const collectionName$2 = "mfa-tokens";
-const info$2 = { "singularName": "mfa-token", "pluralName": "mfa-tokens", "displayName": "MFA Token" };
+const collectionName$2 = "mfa-temps";
+const info$2 = { "singularName": "mfa-temp", "pluralName": "mfa-temps", "displayName": "MFA Temp" };
 const options$2 = { "draftAndPublish": false };
 const pluginOptions$2 = { "content-manager": { "visible": false }, "content-type-builder": { "visible": false } };
-const attributes$2 = { "admin_user": { "type": "relation", "relation": "oneToOne", "target": "admin::user" }, "enabled": { "type": "boolean", "default": false }, "type": { "type": "enumeration", "enum": ["totp", "hotp"], "default": "totp" }, "secret": { "type": "string", "required": true, "private": true }, "counter": { "type": "biginteger", "default": "0" }, "digits": { "type": "integer", "default": 6 }, "recovery_codes": { "type": "json", "private": true } };
+const attributes$2 = { "admin_user": { "type": "relation", "relation": "oneToOne", "target": "admin::user" }, "secret": { "type": "string", "required": false, "private": true } };
 const schema$2 = {
   kind: kind$2,
   collectionName: collectionName$2,
@@ -9596,13 +9707,13 @@ const schema$2 = {
   pluginOptions: pluginOptions$2,
   attributes: attributes$2
 };
-const mfaToken = { schema: schema$2 };
-const kind$1 = "collectionType";
-const collectionName$1 = "mfa-temps";
-const info$1 = { "singularName": "mfa-temp", "pluralName": "mfa-temps", "displayName": "MFA Temp" };
+const mfaTemp = { schema: schema$2 };
+const kind$1 = "singleType";
+const collectionName$1 = "strapi-identity-config";
+const info$1 = { "singularName": "strapi-identity-config", "pluralName": "strapi-identity-configs", "displayName": "Strapi Identity Config" };
 const options$1 = { "draftAndPublish": false };
 const pluginOptions$1 = { "content-manager": { "visible": false }, "content-type-builder": { "visible": false } };
-const attributes$1 = { "admin_user": { "type": "relation", "relation": "oneToOne", "target": "admin::user" }, "secret": { "type": "string", "required": false, "private": true } };
+const attributes$1 = { "enabled": { "type": "boolean", "default": false }, "enforce": { "type": "boolean", "default": false }, "issuer": { "type": "string", "required": false, "default": "Strapi" }, "email_enabled": { "type": "boolean", "default": false }, "from_email": { "type": "string", "required": false, "default": "" }, "from_name": { "type": "string", "required": false, "default": "" }, "response_email": { "type": "string", "required": false, "default": "" }, "subject": { "type": "string", "required": false, "default": "" }, "text": { "type": "text", "required": false, "default": "" }, "message": { "type": "text", "required": false, "default": "" } };
 const schema$1 = {
   kind: kind$1,
   collectionName: collectionName$1,
@@ -9611,13 +9722,13 @@ const schema$1 = {
   pluginOptions: pluginOptions$1,
   attributes: attributes$1
 };
-const mfaTemp = { schema: schema$1 };
-const kind = "singleType";
-const collectionName = "strapi-identity-config";
-const info = { "singularName": "strapi-identity-config", "pluralName": "strapi-identity-configs", "displayName": "Strapi Identity Config" };
+const config$3 = { schema: schema$1 };
+const kind = "collectionType";
+const collectionName = "email-otps";
+const info = { "singularName": "email-otp", "pluralName": "email-otps", "displayName": "Email OTP" };
 const options = { "draftAndPublish": false };
 const pluginOptions = { "content-manager": { "visible": false }, "content-type-builder": { "visible": false } };
-const attributes = { "enabled": { "type": "boolean", "default": false }, "enforce": { "type": "boolean", "default": false }, "issuer": { "type": "string", "required": false, "default": "Strapi" } };
+const attributes = { "admin_user": { "type": "relation", "relation": "oneToOne", "target": "admin::user" }, "code_hash": { "type": "string", "required": true, "private": true }, "expires_at": { "type": "string", "required": true }, "attempts": { "type": "integer", "default": 0 }, "purpose": { "type": "enumeration", "enum": ["login", "setup", "disable"], "default": "login" } };
 const schema = {
   kind,
   collectionName,
@@ -9626,11 +9737,12 @@ const schema = {
   pluginOptions,
   attributes
 };
-const config$3 = { schema };
+const emailOtp = { schema };
 const contentTypes = {
   "mfa-token": mfaToken,
   "mfa-temp": mfaTemp,
-  "strapi-identity-config": config$3
+  "strapi-identity-config": config$3,
+  "email-otp": emailOtp
 };
 const admin$2 = ({ strapi: strapi2 }) => ({
   async isEnabled(ctx) {
@@ -9691,6 +9803,17 @@ const config$2 = ({ strapi: strapi2 }) => ({
       ctx.body = { data: null, error: "Server Error" };
     }
   },
+  async getEmailStatus(ctx) {
+    try {
+      const emailService = strapi2.config.get("plugin::email");
+      ctx.status = 200;
+      ctx.body = { data: emailService, error: null };
+    } catch (error) {
+      console.log("Error getting email status:", error);
+      ctx.status = 500;
+      ctx.body = { data: null, error: "Server Error" };
+    }
+  },
   async updateConfig(ctx) {
     const body = ctx.request.body;
     try {
@@ -9757,7 +9880,13 @@ const controller = ({ strapi: strapi2 }) => ({
     const payload = jwt.verify(token, secret2);
     const body = ctx.request.body;
     try {
-      const valid2 = await strapi2.service("plugin::strapi-identity.secret").validateTokenOrRecoveryCode(payload.userId, body.code);
+      const mfaRecord = await strapi2.documents("plugin::strapi-identity.mfa-token").findFirst({ filters: { admin_user: { id: payload.userId }, enabled: true } });
+      let valid2;
+      if (mfaRecord?.type === "email") {
+        valid2 = await strapi2.service("plugin::strapi-identity.secret").validateEmailOTP(payload.userId, body.code, "login");
+      } else {
+        valid2 = await strapi2.service("plugin::strapi-identity.secret").validateTokenOrRecoveryCode(payload.userId, body.code);
+      }
       if (!valid2) {
         ctx.status = 400;
         ctx.body = { data: null, error: "Invalid MFA code" };
@@ -9840,9 +9969,9 @@ const controller = ({ strapi: strapi2 }) => ({
     const user = ctx.state.user;
     const secretService = strapi2.service("plugin::strapi-identity.secret");
     try {
-      const isEnabled2 = await secretService.isMFAEnabled(user.id);
+      const info2 = await secretService.getMFAInfo(user.id);
       ctx.status = 200;
-      ctx.body = { data: { status: isEnabled2 }, error: null };
+      ctx.body = { data: { status: info2?.status || null, type: info2?.type || null }, error: null };
     } catch (error) {
       ctx.status = 500;
       ctx.body = { data: null, error: "Failed to check MFA status" };
@@ -9861,6 +9990,103 @@ const controller = ({ strapi: strapi2 }) => ({
       ctx.status = 500;
       ctx.body = { data: null, error: "Failed to disable MFA" };
     }
+  },
+  async enableEmail(ctx) {
+    const user = ctx.state.user;
+    const secretService = strapi2.service("plugin::strapi-identity.secret");
+    const emailService = strapi2.service("plugin::strapi-identity.email");
+    const configService = strapi2.service("plugin::strapi-identity.config");
+    try {
+      const config2 = await configService.getConfig();
+      if (!config2.email_enabled) {
+        ctx.status = 400;
+        ctx.body = { data: null, error: "Email OTP is not configured" };
+        return;
+      }
+      const existing = await strapi2.documents("plugin::strapi-identity.mfa-token").findFirst({ filters: { admin_user: { id: user.id }, enabled: true } });
+      if (existing) {
+        ctx.status = 400;
+        ctx.body = { data: null, error: "MFA is already enabled. Disable it first." };
+        return;
+      }
+      const otp = await secretService.generateEmailOTP(user.id, "setup");
+      await emailService.send(user.email, otp);
+      ctx.status = 200;
+      ctx.body = { data: { message: "Verification email sent" }, error: null };
+    } catch (error) {
+      console.log("Error initiating email MFA setup:", error);
+      ctx.status = 500;
+      ctx.body = { data: null, error: "Failed to initiate email MFA setup" };
+    }
+  },
+  async setupEmail(ctx) {
+    const user = ctx.state.user;
+    const body = ctx.request.body;
+    const secretService = strapi2.service("plugin::strapi-identity.secret");
+    try {
+      const valid2 = await secretService.validateEmailOTP(user.id, body.code, "setup");
+      if (!valid2) {
+        ctx.status = 400;
+        ctx.body = { data: null, error: "Invalid or expired verification code" };
+        return;
+      }
+      await secretService.enableEmailMFA(user.id);
+      ctx.status = 200;
+      ctx.body = { data: { message: "Email OTP enabled" }, error: null };
+    } catch (error) {
+      console.log("Error completing email MFA setup:", error);
+      ctx.status = 500;
+      ctx.body = { data: null, error: "Failed to enable email MFA" };
+    }
+  },
+  async requestDisableEmailOTP(ctx) {
+    const user = ctx.state.user;
+    const secretService = strapi2.service("plugin::strapi-identity.secret");
+    const emailService = strapi2.service("plugin::strapi-identity.email");
+    try {
+      const info2 = await secretService.getMFAInfo(user.id);
+      if (!info2 || info2.type !== "email") {
+        ctx.status = 400;
+        ctx.body = { data: null, error: "Email OTP is not enabled" };
+        return;
+      }
+      const otp = await secretService.generateEmailOTP(user.id, "disable");
+      await emailService.send(user.email, otp);
+      ctx.status = 200;
+      ctx.body = { data: { message: "Verification email sent" }, error: null };
+    } catch (error) {
+      console.log("Error sending disable email OTP:", error);
+      ctx.status = 500;
+      ctx.body = { data: null, error: "Failed to send verification email" };
+    }
+  },
+  async resendVerifyOTP(ctx) {
+    const secret2 = strapi2.config.get("admin.auth.secret");
+    const token = ctx.cookies.get("strapi_admin_mfa");
+    try {
+      const payload = jwt.verify(token, secret2);
+      if (payload.mfaType !== "email") {
+        ctx.status = 400;
+        ctx.body = { data: null, error: "Resend is only available for email OTP" };
+        return;
+      }
+      const adminUser = await strapi2.db.query("admin::user").findOne({ where: { id: Number(payload.userId) }, select: ["email"] });
+      if (!adminUser?.email) {
+        ctx.status = 400;
+        ctx.body = { data: null, error: "No email address found for this user" };
+        return;
+      }
+      const secretService = strapi2.service("plugin::strapi-identity.secret");
+      const emailService = strapi2.service("plugin::strapi-identity.email");
+      const otp = await secretService.generateEmailOTP(payload.userId, "login");
+      await emailService.send(adminUser.email, otp);
+      ctx.status = 200;
+      ctx.body = { data: { message: "Verification email resent" }, error: null };
+    } catch (error) {
+      console.log("Error resending login email OTP:", error);
+      ctx.status = 500;
+      ctx.body = { data: null, error: "Failed to resend verification email" };
+    }
   }
 });
 const controllers = {
@@ -9960,6 +10186,21 @@ const config$1 = [
       ]
     }
   },
+  {
+    method: "GET",
+    path: "/config/email",
+    handler: "config.getEmailStatus",
+    info: {
+      apiName: "getEmailStatus",
+      pluginName: "strapi-identity",
+      type: "content-api"
+    },
+    config: {
+      policies: [
+        "admin::isAuthenticatedAdmin"
+      ]
+    }
+  },
   {
     method: "PUT",
     path: "/config",
@@ -10044,6 +10285,55 @@ const mfa = [
       type: "content-api"
     },
     config: {}
+  },
+  {
+    method: "POST",
+    path: "/verify/resend",
+    handler: "controller.resendVerifyOTP",
+    info: {
+      apiName: "resendVerifyOTP",
+      pluginName: "strapi-identity",
+      type: "content-api"
+    },
+    config: {
+      auth: false,
+      policies: [
+        "has-mfa"
+      ]
+    }
+  },
+  {
+    method: "POST",
+    path: "/enable-email",
+    handler: "controller.enableEmail",
+    info: {
+      apiName: "enableEmail",
+      pluginName: "strapi-identity",
+      type: "content-api"
+    },
+    config: {}
+  },
+  {
+    method: "POST",
+    path: "/setup-email",
+    handler: "controller.setupEmail",
+    info: {
+      apiName: "setupEmail",
+      pluginName: "strapi-identity",
+      type: "content-api"
+    },
+    config: {}
+  },
+  {
+    method: "POST",
+    path: "/disable-email/request",
+    handler: "controller.requestDisableEmailOTP",
+    info: {
+      apiName: "requestDisableEmailOTP",
+      pluginName: "strapi-identity",
+      type: "content-api"
+    },
+    config: {}
   }
 ];
 const route = () => ({
@@ -10084,35 +10374,63 @@ const admin = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.definePropert
   isEnabled: isEnabled$1,
   reset
 }, Symbol.toStringTag, { value: "Module" }));
+const defaultConfig = {
+  email_enabled: false,
+  enabled: false,
+  enforce: false,
+  from_email: "",
+  from_name: "",
+  issuer: "",
+  message: "",
+  response_email: "",
+  subject: "",
+  text: ""
+};
 const _config = (options2) => {
-  return {
-    enabled: options2?.enabled || false,
-    enforce: options2?.enforce || false,
-    issuer: options2?.issuer || ""
-  };
+  return Object.assign({}, defaultConfig, options2);
 };
+const fields = Object.keys(defaultConfig);
 const isEnabled = async () => {
   const config2 = await getConfig();
   return config2?.enabled || false;
 };
 const getConfig = async () => {
   const configDocument = strapi.documents("plugin::strapi-identity.strapi-identity-config");
-  return configDocument.findFirst({ fields: ["enabled", "enforce", "issuer"] }).then((config2) => _config(config2));
+  return configDocument.findFirst({ fields }).then((config2) => _config(config2));
 };
 const updateConfig = async (data) => {
   const configDocument = strapi.documents("plugin::strapi-identity.strapi-identity-config");
   const existingConfig = await configDocument.findFirst();
   if (!existingConfig) {
-    return configDocument.create({ data, fields: ["enabled", "enforce", "issuer"] }).then((created) => _config(created));
+    return configDocument.create({ data, fields }).then((created) => _config(created));
   }
-  if (existingConfig.enabled && !data.enabled) {
-    await disableMFAForAllUsers();
+  if (existingConfig.enabled && !data.enabled) await disableMFAForAllUsers();
+  if (existingConfig.email_enabled && data.email_enabled === false)
+    await disableEmailMFAForAllUsers();
+  return configDocument.update({ documentId: existingConfig.documentId, data: { ...existingConfig, ...data }, fields }).then((updated) => _config(updated));
+};
+const disableEmailMFAForAllUsers = async () => {
+  const tokenDocument = strapi.documents("plugin::strapi-identity.mfa-token");
+  const otpDocument = strapi.documents("plugin::strapi-identity.email-otp");
+  try {
+    const emailTokens = await tokenDocument.findMany({
+      filters: { type: "email", enabled: true }
+    });
+    await Promise.all([
+      ...emailTokens.map(
+        (token) => tokenDocument.update({
+          documentId: token.documentId,
+          data: { ...token, enabled: false }
+        })
+      ),
+      // Clean up any pending email OTPs
+      otpDocument.findMany({}).then(
+        (otps) => Promise.all(otps.map((otp) => otpDocument.delete({ documentId: otp.documentId })))
+      )
+    ]);
+  } catch (err) {
+    console.log("Error disabling email MFA for all users:", err);
   }
-  return configDocument.update({
-    documentId: existingConfig.documentId,
-    data: { ...existingConfig, ...data },
-    fields: ["enabled", "enforce", "issuer"]
-  }).then((updated) => _config(updated));
 };
 const disableMFAForAllUsers = async () => {
   const tokenDocument = strapi.documents("plugin::strapi-identity.mfa-token");
@@ -10136,6 +10454,39 @@ const config = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProper
   isEnabled,
   updateConfig
 }, Symbol.toStringTag, { value: "Module" }));
+const send = async (to, otp) => {
+  const emailService = strapi.plugin("email").service("email");
+  if (!emailService) return;
+  if (!to) return;
+  const config2 = await strapi.service("plugin::strapi-identity.config").getConfig();
+  if (!config2.email_enabled) return;
+  const sendConfig = {
+    to,
+    subject: config2.subject,
+    text: replaceTemplateVariables(config2.text, { OTP: otp }),
+    html: replaceTemplateVariables(config2.message, {
+      OTP: otp,
+      YEAR: (/* @__PURE__ */ new Date()).getFullYear().toString()
+    })
+  };
+  if (config2.from_email) {
+    sendConfig.from = config2.from_name ? `${config2.from_name} <${config2.from_email}>` : config2.from_email;
+  }
+  if (config2.response_email && config2.response_email !== config2.from_email) {
+    sendConfig.replyTo = config2.response_email;
+  }
+  return emailService.send(sendConfig).catch((error) => {
+    console.log("Error sending email:", error);
+  });
+};
+const replaceTemplateVariables = (template, variables) => {
+  return template.replace(/<%= (\w+) %>/g, (_, key) => variables[key] || "");
+};
+const email = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
+  __proto__: null,
+  replaceTemplateVariables,
+  send
+}, Symbol.toStringTag, { value: "Module" }));
 function commonjsRequire(path) {
   throw new Error('Could not dynamically require "' + path + '". Please configure the dynamicRequireTargets or/and ignoreDynamicRequires option of @rollup/plugin-commonjs appropriately for this require call to work.');
 }
@@ -11989,8 +12340,11 @@ const checkRecoveryCode = async (userId, code) => {
 };
 const validateLiveToken = async (userId, token) => {
   const tokenDocument = strapi.documents("plugin::strapi-identity.mfa-token");
-  const record = await tokenDocument.findFirst({ filters: { admin_user: { id: userId } } });
-  if (!record || !record.enabled) return false;
+  const record = await tokenDocument.findFirst({
+    filters: { admin_user: { id: userId }, enabled: true }
+  });
+  if (!record) return false;
+  if (record.type === "email") return false;
   return validateToken(token, record.secret);
 };
 const validateTempToken = async (userId, token) => {
@@ -12036,12 +12390,13 @@ const setupFullSecret = async (userId) => {
   if (existing) {
     await tokenDocument.update({
       documentId: existing.documentId,
-      data: { ...existing, secret: tempField.secret, enabled: true, recovery_codes }
+      data: { ...existing, type: "totp", secret: tempField.secret, enabled: true, recovery_codes }
     });
   } else {
     await tokenDocument.create({
       data: {
         admin_user: { id: userId },
+        type: "totp",
         secret: tempField.secret,
         enabled: true,
         recovery_codes
@@ -12051,14 +12406,92 @@ const setupFullSecret = async (userId) => {
   await tempDocument.delete({ documentId: tempField.documentId });
   return codes;
 };
+const EMAIL_OTP_EXPIRY_MINUTES = 10;
+const EMAIL_OTP_MAX_ATTEMPTS = 5;
+const generateNumericOTP = (length) => {
+  const digits = "0123456789";
+  const max = 256 - 256 % digits.length;
+  const randomValues = new Uint8Array(length * 2);
+  let result = "";
+  while (result.length < length) {
+    crypto.getRandomValues(randomValues);
+    for (let i = 0; i < randomValues.length && result.length < length; i++) {
+      if (randomValues[i] >= max) continue;
+      result += digits[randomValues[i] % digits.length];
+    }
+  }
+  return result;
+};
+const generateEmailOTP = async (userId, purpose = "login") => {
+  const otpDocument = strapi.documents("plugin::strapi-identity.email-otp");
+  const otp = generateNumericOTP(6);
+  const code_hash = await bcrypt.hash(otp, 10);
+  const expires_at = new Date(Date.now() + EMAIL_OTP_EXPIRY_MINUTES * 60 * 1e3).toISOString();
+  const existing = await otpDocument.findFirst({
+    filters: { admin_user: { id: userId }, purpose }
+  });
+  if (existing) await otpDocument.delete({ documentId: existing.documentId });
+  await otpDocument.create({
+    data: { admin_user: { id: userId }, code_hash, expires_at, purpose, attempts: 0 }
+  });
+  return otp;
+};
+const validateEmailOTP = async (userId, code, purpose = "login") => {
+  const otpDocument = strapi.documents("plugin::strapi-identity.email-otp");
+  const record = await otpDocument.findFirst({ filters: { admin_user: { id: userId }, purpose } });
+  if (!record) return false;
+  if (new Date(record.expires_at) < /* @__PURE__ */ new Date()) {
+    await otpDocument.delete({ documentId: record.documentId });
+    return false;
+  }
+  const attempts = record.attempts || 0;
+  if (attempts >= EMAIL_OTP_MAX_ATTEMPTS) {
+    await otpDocument.delete({ documentId: record.documentId });
+    return false;
+  }
+  await otpDocument.update({
+    documentId: record.documentId,
+    data: { ...record, attempts: attempts + 1 }
+  });
+  const isValid = await bcrypt.compare(code, record.code_hash);
+  if (isValid) await otpDocument.delete({ documentId: record.documentId });
+  return isValid;
+};
+const enableEmailMFA = async (userId) => {
+  const tokenDocument = strapi.documents("plugin::strapi-identity.mfa-token");
+  const existing = await tokenDocument.findFirst({ filters: { admin_user: { id: userId } } });
+  if (existing) {
+    await tokenDocument.update({
+      documentId: existing.documentId,
+      data: { ...existing, type: "email", enabled: true, secret: "" }
+    });
+  } else {
+    await tokenDocument.create({
+      data: { admin_user: { id: userId }, type: "email", enabled: true, secret: "" }
+    });
+  }
+};
+const getMFAInfo = async (userId) => {
+  const tokenDocument = strapi.documents("plugin::strapi-identity.mfa-token");
+  const record = await tokenDocument.findFirst({
+    filters: { admin_user: { id: userId }, enabled: true }
+  });
+  if (!record) return null;
+  return { status: "full", type: record.type };
+};
 const disableSecret = async (userId, code) => {
-  const validToken = await validateTokenOrRecoveryCode(userId, code);
-  if (!validToken) throw new Error("Invalid token or recovery code");
   const tokenDocument = strapi.documents("plugin::strapi-identity.mfa-token");
   const record = await tokenDocument.findFirst({
     filters: { admin_user: { id: userId }, enabled: true }
   });
   if (!record) throw new Error("MFA is not enabled for this user");
+  let valid2;
+  if (record.type === "email") {
+    valid2 = await validateEmailOTP(userId, code, "disable");
+  } else {
+    valid2 = await validateTokenOrRecoveryCode(userId, code);
+  }
+  if (!valid2) throw new Error("Invalid token or recovery code");
   await tokenDocument.update({
     documentId: record.documentId,
     data: { ...record, enabled: false }
@@ -12101,14 +12534,18 @@ const secret = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProper
   __proto__: null,
   disableSecret,
   disableTempSecret,
+  enableEmailMFA,
+  generateEmailOTP,
   generateRecoveryCode,
+  getMFAInfo,
   isMFAEnabled,
   setupFullSecret,
   setupTemporarySecret,
+  validateEmailOTP,
   validateTempToken,
   validateTokenOrRecoveryCode
 }, Symbol.toStringTag, { value: "Module" }));
-const services = { admin, config, secret };
+const services = { admin, config, email, secret };
 const index = {
   register,
   bootstrap,