strapi-plugin-oidc 1.0.0

package/dist/server/index.js

@@ -0,0 +1,746 @@
+"use strict";
+Object.defineProperties(exports, { __esModule: { value: true }, [Symbol.toStringTag]: { value: "Module" } });
+const axios = require("axios");
+const node_crypto = require("node:crypto");
+const pkceChallenge = require("pkce-challenge");
+const strapiUtils = require("@strapi/utils");
+const generator = require("generate-password");
+const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
+const axios__default = /* @__PURE__ */ _interopDefault(axios);
+const pkceChallenge__default = /* @__PURE__ */ _interopDefault(pkceChallenge);
+const strapiUtils__default = /* @__PURE__ */ _interopDefault(strapiUtils);
+const generator__default = /* @__PURE__ */ _interopDefault(generator);
+function register$1() {
+}
+async function bootstrap({ strapi: strapi2 }) {
+  const actions = [
+    {
+      section: "plugins",
+      displayName: "Read",
+      uid: "read",
+      pluginName: "strapi-plugin-oidc"
+    },
+    {
+      section: "plugins",
+      displayName: "Update",
+      uid: "update",
+      pluginName: "strapi-plugin-oidc"
+    }
+  ];
+  await strapi2.admin.services.permission.actionProvider.registerMany(actions);
+  try {
+    const oidcRoleCount = await strapi2.query("plugin::strapi-plugin-oidc.roles").count({
+      where: { oauth_type: "4" }
+    });
+    if (oidcRoleCount === 0) {
+      const editorRole = await strapi2.query("admin::role").findOne({
+        where: { code: "strapi-editor" }
+      });
+      if (editorRole) {
+        await strapi2.query("plugin::strapi-plugin-oidc.roles").create({
+          data: {
+            oauth_type: "4",
+            roles: [editorRole.id.toString()]
+          }
+        });
+      }
+    }
+  } catch (err) {
+    strapi2.log.warn("Could not initialize default OIDC role:", err.message);
+  }
+  strapi2.db.lifecycles.subscribe({
+    models: ["admin::user"],
+    async afterUpdate(event) {
+      const { result } = event;
+      if (!result?.email) return;
+      const query = strapi2.query("plugin::strapi-plugin-oidc.whitelists");
+      const whitelistEntry = await query.findOne({ where: { email: result.email } });
+      if (!whitelistEntry) return;
+      const userWithRoles = await strapi2.query("admin::user").findOne({
+        where: { id: result.id },
+        populate: ["roles"]
+      });
+      if (userWithRoles?.roles) {
+        const roleIds = userWithRoles.roles.map((r) => r.id.toString());
+        await query.update({
+          where: { id: whitelistEntry.id },
+          data: { roles: roleIds }
+        });
+      }
+    }
+  });
+}
+function destroy() {
+}
+const config = {
+  default: {
+    REMEMBER_ME: false,
+    OIDC_REDIRECT_URI: "http://localhost:1337/strapi-plugin-oidc/oidc/callback",
+    OIDC_CLIENT_ID: "",
+    OIDC_CLIENT_SECRET: "",
+    OIDC_SCOPES: "openid profile email",
+    OIDC_AUTHORIZATION_ENDPOINT: "",
+    OIDC_TOKEN_ENDPOINT: "",
+    OIDC_USER_INFO_ENDPOINT: "",
+    OIDC_USER_INFO_ENDPOINT_WITH_AUTH_HEADER: false,
+    OIDC_GRANT_TYPE: "authorization_code",
+    OIDC_FAMILY_NAME_FIELD: "family_name",
+    OIDC_GIVEN_NAME_FIELD: "given_name",
+    OIDC_LOGOUT_URL: ""
+  },
+  validator() {
+  }
+};
+const info$2 = { "singularName": "roles", "pluralName": "oidc-roles", "collectionName": "oidc-roles", "displayName": "oidc-role", "description": "" };
+const options$1 = { "draftAndPublish": false };
+const pluginOptions$1 = { "content-manager": { "visible": false }, "content-type-builder": { "visible": false } };
+const attributes$1 = { "oauth_type": { "type": "string", "configurable": false, "required": true }, "roles": { "type": "json", "configurable": false } };
+const schema$1 = {
+  info: info$2,
+  options: options$1,
+  pluginOptions: pluginOptions$1,
+  attributes: attributes$1
+};
+const roles = {
+  schema: schema$1
+};
+const info$1 = { "singularName": "whitelists", "pluralName": "whitelists", "collectionName": "whitelists", "displayName": "whitelist", "description": "" };
+const options = { "draftAndPublish": false };
+const pluginOptions = { "content-manager": { "visible": false }, "content-type-builder": { "visible": false } };
+const attributes = { "email": { "type": "string", "configurable": false, "required": true, "unique": true }, "roles": { "type": "json", "configurable": false } };
+const schema = {
+  info: info$1,
+  options,
+  pluginOptions,
+  attributes
+};
+const whitelists = {
+  schema
+};
+const contentTypes = {
+  roles,
+  whitelists
+};
+function configValidation() {
+  const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
+  if (config2["OIDC_CLIENT_ID"] && config2["OIDC_CLIENT_SECRET"] && config2["OIDC_REDIRECT_URI"] && config2["OIDC_SCOPES"] && config2["OIDC_TOKEN_ENDPOINT"] && config2["OIDC_USER_INFO_ENDPOINT"] && config2["OIDC_GRANT_TYPE"] && config2["OIDC_FAMILY_NAME_FIELD"] && config2["OIDC_GIVEN_NAME_FIELD"] && config2["OIDC_AUTHORIZATION_ENDPOINT"]) {
+    return config2;
+  }
+  throw new Error("OIDC_AUTHORIZATION_ENDPOINT,OIDC_TOKEN_ENDPOINT, OIDC_USER_INFO_ENDPOINT,OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_REDIRECT_URI, and OIDC_SCOPES are required");
+}
+async function oidcSignIn(ctx) {
+  let { state } = ctx.query;
+  const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPES, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
+  const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge__default.default();
+  ctx.session.codeVerifier = codeVerifier;
+  if (!state) {
+    state = node_crypto.randomBytes(32).toString("base64url");
+  }
+  ctx.session.oidcState = state;
+  const params = new URLSearchParams();
+  params.append("response_type", "code");
+  params.append("client_id", OIDC_CLIENT_ID);
+  params.append("redirect_uri", OIDC_REDIRECT_URI);
+  params.append("scope", OIDC_SCOPES);
+  params.append("code_challenge", codeChallenge);
+  params.append("code_challenge_method", "S256");
+  params.append("state", state);
+  const authorizationUrl = `${OIDC_AUTHORIZATION_ENDPOINT}?${params.toString()}`;
+  ctx.set("Location", authorizationUrl);
+  return ctx.send({}, 302);
+}
+async function oidcSignInCallback(ctx) {
+  const config2 = configValidation();
+  const httpClient = axios__default.default.create();
+  const userService = strapi.service("admin::user");
+  const oauthService2 = strapi.plugin("strapi-plugin-oidc").service("oauth");
+  const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
+  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  if (!ctx.query.code) {
+    return ctx.send(oauthService2.renderSignUpError(`code Not Found`));
+  }
+  if (!ctx.query.state || ctx.query.state !== ctx.session.oidcState) {
+    return ctx.send(oauthService2.renderSignUpError(`Invalid state`));
+  }
+  const params = new URLSearchParams();
+  params.append("code", ctx.query.code);
+  params.append("client_id", config2["OIDC_CLIENT_ID"]);
+  params.append("client_secret", config2["OIDC_CLIENT_SECRET"]);
+  params.append("redirect_uri", config2["OIDC_REDIRECT_URI"]);
+  params.append("grant_type", config2["OIDC_GRANT_TYPE"]);
+  params.append("code_verifier", ctx.session.codeVerifier);
+  try {
+    const response = await httpClient.post(config2["OIDC_TOKEN_ENDPOINT"], params, {
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      }
+    });
+    let userInfoEndpointHeaders = {};
+    let userInfoEndpointParameters = `?access_token=${response.data.access_token}`;
+    if (config2["OIDC_USER_INFO_ENDPOINT_WITH_AUTH_HEADER"]) {
+      userInfoEndpointHeaders = {
+        headers: { Authorization: `Bearer ${response.data.access_token}` }
+      };
+      userInfoEndpointParameters = "";
+    }
+    const userInfoEndpoint = `${config2["OIDC_USER_INFO_ENDPOINT"]}${userInfoEndpointParameters}`;
+    const userResponse = await httpClient.get(
+      userInfoEndpoint,
+      userInfoEndpointHeaders
+    );
+    const email = userResponse.data.email;
+    const whitelistUser = await whitelistService2.checkWhitelistForEmail(email);
+    const dbUser = await userService.findOneByEmail(email);
+    let activateUser;
+    let jwtToken;
+    if (dbUser) {
+      activateUser = dbUser;
+      jwtToken = await oauthService2.generateToken(dbUser, ctx);
+    } else {
+      let roles2 = [];
+      if (whitelistUser && whitelistUser.roles && whitelistUser.roles.length > 0) {
+        roles2 = whitelistUser.roles;
+      } else {
+        const oidcRoles = await roleService2.oidcRoles();
+        roles2 = oidcRoles && oidcRoles["roles"] ? oidcRoles["roles"] : [];
+      }
+      const defaultLocale = oauthService2.localeFindByHeader(ctx.request.headers);
+      activateUser = await oauthService2.createUser(
+        email,
+        userResponse.data[config2["OIDC_FAMILY_NAME_FIELD"]],
+        userResponse.data[config2["OIDC_GIVEN_NAME_FIELD"]],
+        defaultLocale,
+        roles2
+      );
+      jwtToken = await oauthService2.generateToken(activateUser, ctx);
+      await oauthService2.triggerWebHook(activateUser);
+    }
+    oauthService2.triggerSignInSuccess(activateUser);
+    const nonce = node_crypto.randomUUID();
+    const html = oauthService2.renderSignUpSuccess(jwtToken, activateUser, nonce);
+    ctx.set("Content-Security-Policy", `script-src 'nonce-${nonce}'`);
+    ctx.send(html);
+  } catch (e) {
+    console.error(e);
+    ctx.send(oauthService2.renderSignUpError(e.message));
+  }
+}
+async function logout(ctx) {
+  const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
+  const logoutUrl = config2["OIDC_LOGOUT_URL"];
+  if (logoutUrl) {
+    ctx.redirect(logoutUrl);
+  } else {
+    const adminPanelUrl = strapi.config.get("admin.url", "/admin");
+    ctx.redirect(`${adminPanelUrl}/auth/login`);
+  }
+}
+const oidc = {
+  oidcSignIn,
+  oidcSignInCallback,
+  logout
+};
+async function find(ctx) {
+  const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
+  const roles2 = await roleService2.find();
+  const oidcConstants = roleService2.getOidcRoles();
+  for (const oidc2 of oidcConstants) {
+    for (const role2 of roles2) {
+      if (role2["oauth_type"] === oidc2["oauth_type"]) {
+        oidc2["role"] = role2["roles"];
+      }
+    }
+  }
+  ctx.send(oidcConstants);
+}
+async function update(ctx) {
+  try {
+    const { roles: roles2 } = ctx.request.body;
+    const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
+    await roleService2.update(roles2);
+    ctx.send({}, 204);
+  } catch (e) {
+    console.log(e);
+    ctx.send({}, 400);
+  }
+}
+const role = {
+  find,
+  update
+};
+async function info(ctx) {
+  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const settings = await whitelistService2.getSettings();
+  const whitelistUsers = await whitelistService2.getUsers();
+  ctx.body = {
+    useWhitelist: settings.useWhitelist,
+    enforceOIDC: settings.enforceOIDC || false,
+    whitelistUsers
+  };
+}
+async function updateSettings(ctx) {
+  const { useWhitelist, enforceOIDC } = ctx.request.body;
+  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  await whitelistService2.setSettings({ useWhitelist, enforceOIDC });
+  ctx.body = { useWhitelist, enforceOIDC };
+}
+async function publicSettings(ctx) {
+  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const settings = await whitelistService2.getSettings();
+  ctx.body = {
+    enforceOIDC: settings.enforceOIDC || false
+  };
+}
+async function register(ctx) {
+  const { email, roles: roles2 } = ctx.request.body;
+  if (!email) {
+    ctx.body = {
+      message: "Please enter a valid email address"
+    };
+    return;
+  }
+  const emailList = Array.isArray(email) ? email : email.split(",").map((e) => e.trim()).filter((e) => e);
+  const existingUsers = await strapi.query("admin::user").findMany({
+    where: { email: { $in: emailList } },
+    populate: ["roles"]
+  });
+  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  let matchedExistingUsersCount = 0;
+  for (const singleEmail of emailList) {
+    const existingUser = existingUsers.find((u) => u.email === singleEmail);
+    let finalRoles = roles2;
+    if (existingUser && existingUser.roles) {
+      finalRoles = existingUser.roles.map((r) => r.id.toString());
+      matchedExistingUsersCount++;
+    }
+    const alreadyWhitelisted = await strapi.query("plugin::strapi-plugin-oidc.whitelists").findOne({
+      where: { email: singleEmail }
+    });
+    if (!alreadyWhitelisted) {
+      await whitelistService2.registerUser(singleEmail, finalRoles);
+    }
+  }
+  ctx.body = { matchedExistingUsersCount };
+}
+async function removeEmail(ctx) {
+  const { id } = ctx.params;
+  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  await whitelistService2.removeUser(id);
+  ctx.body = {};
+}
+async function syncUsers(ctx) {
+  const { users } = ctx.request.body;
+  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const currentUsers = await whitelistService2.getUsers();
+  let matchedExistingUsersCount = 0;
+  const emailsToSync = users.map((u) => u.email);
+  const existingStrapiUsers = await strapi.query("admin::user").findMany({
+    where: { email: { $in: emailsToSync } },
+    populate: ["roles"]
+  });
+  for (const currUser of currentUsers) {
+    if (!users.find((u) => u.email === currUser.email)) {
+      await whitelistService2.removeUser(currUser.id);
+    }
+  }
+  for (const user of users) {
+    const existingStrapiUser = existingStrapiUsers.find((u) => u.email === user.email);
+    let finalRoles = user.roles;
+    const currUser = currentUsers.find((u) => u.email === user.email);
+    if (!currUser && existingStrapiUser && existingStrapiUser.roles) {
+      finalRoles = existingStrapiUser.roles.map((r) => r.id.toString());
+      matchedExistingUsersCount++;
+    }
+    if (currUser) {
+      await strapi.query("plugin::strapi-plugin-oidc.whitelists").update({
+        where: { id: currUser.id },
+        data: { roles: finalRoles }
+      });
+    } else {
+      await whitelistService2.registerUser(user.email, finalRoles);
+    }
+  }
+  ctx.body = { matchedExistingUsersCount };
+}
+const whitelist = {
+  info,
+  updateSettings,
+  publicSettings,
+  register,
+  removeEmail,
+  syncUsers
+};
+const controllers = {
+  oidc,
+  role,
+  whitelist
+};
+const routes = [
+  {
+    method: "GET",
+    path: "/oidc-roles",
+    handler: "role.find",
+    config: {
+      policies: [
+        "admin::isAuthenticatedAdmin",
+        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.read"] } }
+      ]
+    }
+  },
+  {
+    method: "PUT",
+    path: "/oidc-roles",
+    handler: "role.update",
+    config: {
+      policies: [
+        "admin::isAuthenticatedAdmin",
+        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.update"] } }
+      ]
+    }
+  },
+  {
+    method: "GET",
+    path: "/oidc",
+    handler: "oidc.oidcSignIn",
+    config: {
+      auth: false
+    }
+  },
+  {
+    method: "GET",
+    path: "/oidc/callback",
+    handler: "oidc.oidcSignInCallback",
+    config: {
+      auth: false
+    }
+  },
+  {
+    method: "GET",
+    path: "/logout",
+    handler: "oidc.logout",
+    config: {
+      auth: false
+    }
+  },
+  {
+    method: "GET",
+    path: "/whitelist",
+    handler: "whitelist.info",
+    config: {
+      policies: [
+        "admin::isAuthenticatedAdmin",
+        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.read"] } }
+      ]
+    }
+  },
+  {
+    method: "PUT",
+    path: "/whitelist/settings",
+    handler: "whitelist.updateSettings",
+    config: {
+      policies: [
+        "admin::isAuthenticatedAdmin",
+        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.update"] } }
+      ]
+    }
+  },
+  {
+    method: "GET",
+    path: "/settings/public",
+    handler: "whitelist.publicSettings",
+    config: {
+      auth: false
+    }
+  },
+  {
+    method: "PUT",
+    path: "/whitelist/sync",
+    handler: "whitelist.syncUsers",
+    config: {
+      policies: [
+        "admin::isAuthenticatedAdmin",
+        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.update"] } }
+      ]
+    }
+  },
+  {
+    method: "POST",
+    path: "/whitelist",
+    handler: "whitelist.register",
+    config: {
+      policies: [
+        "admin::isAuthenticatedAdmin",
+        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.update"] } }
+      ]
+    }
+  },
+  {
+    method: "DELETE",
+    path: "/whitelist/:id",
+    handler: "whitelist.removeEmail",
+    config: {
+      policies: [
+        "admin::isAuthenticatedAdmin",
+        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.update"] } }
+      ]
+    }
+  }
+];
+const policies = {};
+function oauthService({ strapi: strapi2 }) {
+  return {
+    async createUser(email, lastname, firstname, locale, roles2 = []) {
+      const userService = strapi2.service("admin::user");
+      if (/[A-Z]/.test(email)) {
+        const dbUser = await userService.findOneByEmail(email.toLocaleLowerCase());
+        if (dbUser) {
+          return dbUser;
+        }
+      }
+      const createdUser = await userService.create({
+        firstname: firstname ? firstname : "unset",
+        lastname: lastname ? lastname : "",
+        email: email.toLocaleLowerCase(),
+        roles: roles2,
+        preferedLanguage: locale
+      });
+      return await userService.register({
+        registrationToken: createdUser.registrationToken,
+        userInfo: {
+          firstname: firstname ? firstname : "unset",
+          lastname: lastname ? lastname : "user",
+          password: generator__default.default.generate({
+            length: 43,
+            // 256 bits (https://en.wikipedia.org/wiki/Password_strength#Random_passwords)
+            numbers: true,
+            lowercase: true,
+            uppercase: true,
+            exclude: '()+_-=}{[]|:;"/?.><,`~',
+            strict: true
+          })
+        }
+      });
+    },
+    addGmailAlias(baseEmail, baseAlias) {
+      if (!baseAlias) {
+        return baseEmail;
+      }
+      const alias = baseAlias.replace("/+/g", "");
+      const beforePosition = baseEmail.indexOf("@");
+      const origin = baseEmail.substring(0, beforePosition);
+      const domain = baseEmail.substring(beforePosition);
+      return `${origin}+${alias}${domain}`;
+    },
+    localeFindByHeader(headers) {
+      if (headers["accept-language"] && headers["accept-language"].includes("ja")) {
+        return "ja";
+      } else {
+        return "en";
+      }
+    },
+    async triggerWebHook(user) {
+      let ENTRY_CREATE;
+      const webhookStore = strapi2.serviceMap.get("webhookStore");
+      const eventHub = strapi2.serviceMap.get("eventHub");
+      if (webhookStore) {
+        ENTRY_CREATE = webhookStore.allowedEvents.get("ENTRY_CREATE");
+      }
+      const modelDef = strapi2.getModel("admin::user");
+      const sanitizedEntity = await strapiUtils__default.default.sanitize.sanitizers.defaultSanitizeOutput({
+        schema: modelDef,
+        getModel: (uid2) => strapi2.getModel(uid2)
+      }, user);
+      eventHub.emit(ENTRY_CREATE, {
+        model: modelDef.modelName,
+        entry: sanitizedEntity
+      });
+    },
+    triggerSignInSuccess(user) {
+      delete user["password"];
+      const eventHub = strapi2.serviceMap.get("eventHub");
+      eventHub.emit("admin.auth.success", {
+        user,
+        provider: "strapi-plugin-oidc"
+      });
+    },
+    // Sign In Success
+    renderSignUpSuccess(jwtToken, user, nonce) {
+      const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
+      const REMEMBER_ME = config2["REMEMBER_ME"];
+      const isRememberMe = !!REMEMBER_ME;
+      return `
+<!doctype html>
+<html>
+<head>
+<noscript>
+<h3>JavaScript must be enabled for authentication</h3>
+</noscript>
+<script nonce="${nonce}">
+ window.addEventListener('load', function() {
+  if(${isRememberMe}){
+    localStorage.setItem('jwtToken', '"${jwtToken}"');
+  }else{
+    document.cookie = 'jwtToken=${encodeURIComponent(jwtToken)}; Path=/';
+  }
+  localStorage.setItem('isLoggedIn', 'true');
+  location.href = '${strapi2.config.admin.url}'
+ })
+<\/script>
+</head>
+<body>
+</body>
+</html>`;
+    },
+    // Sign In Error
+    renderSignUpError(message) {
+      return `
+<!doctype html>
+<html>
+<head></head>
+<body>
+<h3>Authentication failed</h3>
+<p>${message}</p>
+</body>
+</html>`;
+    },
+    async generateToken(user, ctx) {
+      const sessionManager = strapi2.sessionManager;
+      if (!sessionManager) {
+        throw new Error("sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.");
+      }
+      const userId = String(user.id);
+      const deviceId = node_crypto.randomUUID();
+      const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
+      const REMEMBER_ME = config2["REMEMBER_ME"];
+      const rememberMe = !!REMEMBER_ME;
+      const { token: refreshToken } = await sessionManager(
+        "admin"
+      ).generateRefreshToken(userId, deviceId, {
+        type: rememberMe ? "refresh" : "session"
+      });
+      const cookieOptions = {};
+      ctx.cookies.set("strapi_admin_refresh", refreshToken, cookieOptions);
+      const accessResult = await sessionManager("admin").generateAccessToken(refreshToken);
+      if ("error" in accessResult) {
+        throw new Error(accessResult.error);
+      }
+      const { token: accessToken } = accessResult;
+      return accessToken;
+    }
+  };
+}
+function roleService({ strapi: strapi2 }) {
+  return {
+    OIDC_TYPE: "4",
+    getOidcRoles() {
+      return [
+        {
+          "oauth_type": this.OIDC_TYPE,
+          name: "OIDC"
+        }
+      ];
+    },
+    async oidcRoles() {
+      return await strapi2.query("plugin::strapi-plugin-oidc.roles").findOne({
+        where: {
+          "oauth_type": this.OIDC_TYPE
+        }
+      });
+    },
+    async find() {
+      return await strapi2.query("plugin::strapi-plugin-oidc.roles").findMany();
+    },
+    async update(roles2) {
+      const query = strapi2.query("plugin::strapi-plugin-oidc.roles");
+      await Promise.all(
+        roles2.map(async (role2) => {
+          const oidcRole = await query.findOne({ where: { "oauth_type": role2["oauth_type"] } });
+          if (oidcRole) {
+            await query.update({
+              where: { "oauth_type": role2["oauth_type"] },
+              data: { roles: role2.role }
+            });
+          } else {
+            await query.create({
+              data: {
+                "oauth_type": role2["oauth_type"],
+                roles: role2.role
+              }
+            });
+          }
+        })
+      );
+    }
+  };
+}
+function whitelistService({ strapi: strapi2 }) {
+  return {
+    async getSettings() {
+      const pluginStore = strapi2.store({ type: "plugin", name: "strapi-plugin-oidc" });
+      let settings = await pluginStore.get({ key: "settings" });
+      if (!settings) {
+        settings = { useWhitelist: true, enforceOIDC: false };
+        await pluginStore.set({ key: "settings", value: settings });
+      }
+      return settings;
+    },
+    async setSettings(settings) {
+      const pluginStore = strapi2.store({ type: "plugin", name: "strapi-plugin-oidc" });
+      await pluginStore.set({ key: "settings", value: settings });
+    },
+    async getUsers() {
+      const query = strapi2.query("plugin::strapi-plugin-oidc.whitelists");
+      return await query.findMany();
+    },
+    async registerUser(email, roles2) {
+      const query = strapi2.query("plugin::strapi-plugin-oidc.whitelists");
+      await query.create({
+        data: {
+          email,
+          roles: roles2
+        }
+      });
+    },
+    async removeUser(id) {
+      const query = strapi2.query("plugin::strapi-plugin-oidc.whitelists");
+      await query.delete({
+        where: {
+          id
+        }
+      });
+    },
+    async checkWhitelistForEmail(email) {
+      const settings = await this.getSettings();
+      if (!settings.useWhitelist) {
+        return null;
+      }
+      const query = strapi2.query("plugin::strapi-plugin-oidc.whitelists");
+      const result = await query.findOne({
+        where: {
+          email
+        }
+      });
+      if (result === null) {
+        throw new Error("Not present in whitelist");
+      }
+      return result;
+    }
+  };
+}
+const services = {
+  oauth: oauthService,
+  role: roleService,
+  whitelist: whitelistService
+};
+const index = {
+  register: register$1,
+  bootstrap,
+  destroy,
+  config,
+  controllers,
+  routes,
+  services,
+  contentTypes,
+  policies
+};
+exports.default = index;