strapi-plugin-oidc 1.0.5 → 1.0.6

package/README.md

@@ -2,8 +2,11 @@
   <img src="https://raw.githubusercontent.com/edmogeor/strapi-plugin-oidc/main/assets/icon.png" width="140" alt="OIDC Login for Strapi Logo"/>
   <h1>OIDC Login for Strapi</h1>
   <p>
+    <a href="https://www.npmjs.com/package/strapi-plugin-oidc">
+      <img src="https://img.shields.io/npm/v/strapi-plugin-oidc.svg" alt="npm version">
+    </a>
     <a href="https://github.com/edmogeor/strapi-plugin-oidc/actions/workflows/test.yml">
-      <img src="https://github.com/edmogeor/strapi-plugin-oidc/actions/workflows/test.yml/badge.svg" alt="Tests">
+      <img src="https://github.com/edmogeor/strapi-plugin-oidc/actions/workflows/test.yml/badge.svg?branch=main" alt="Tests">
     </a>
   </p>
 </div>
@@ -67,13 +70,22 @@ module.exports = ({ env }) => ({
 
 Make sure to replace the placeholder values (e.g., `[Client ID from OpenID Provider]`) with the actual connection details from your chosen OIDC identity provider.
 
+## How to Login
+
+Once configured, you can initiate the OIDC login flow by navigating to:
+`http://<your-strapi-domain>/strapi-plugin-oidc/oidc`
+
+(e.g., `http://localhost:1337/strapi-plugin-oidc/oidc` for local development).
+
+When the **Enforce OIDC Login** option is enabled in the Admin Settings, the standard Strapi admin login page will be automatically redirected to this URL.
+
 ## Admin Settings
 
 Once the plugin is installed and configured, you can manage the OIDC settings from the Strapi Admin Panel under **Settings** > **OIDC Plugin**.
 
 - **Whitelist Management**: Restrict login to specific users by adding their email addresses to the whitelist. You can also whitelist entire email domains (e.g., `*@company.com`). If the whitelist is empty, any user who successfully authenticates via your OIDC provider will be able to log in and an account will be automatically created for them.
 - **Default Role Assignment**: Select the default Strapi admin role that will be assigned to newly created users when they log in for the first time via OIDC.
-- **Enforce OIDC Login**: When enabled, the default Strapi email and password login form will be disabled, forcing all administrators to log in using your OIDC provider. _(Note: This option is automatically disabled and grayed out if your whitelist is empty to prevent accidentally locking everyone out of the admin panel)._
+- **Enforce OIDC Login**: When enabled, the default Strapi email and password login form will be disabled and the standard login will be redirected to the OIDC login URL, forcing all administrators to log in using your OIDC provider. _(Note: This option is automatically disabled and grayed out if your whitelist is empty to prevent accidentally locking everyone out of the admin panel)._
 
 ## Credits & Changes
 
@@ -85,7 +97,9 @@ This plugin is a hard fork of the original [`strapi-plugin-sso`](https://github.
 - Redesigned the Whitelist and Role management UI (switched to native Strapi cards, added pagination, etc.).
 - Added an OIDC logout redirect URL.
 - Added an option to "Enforce OIDC login" with an admin toggle (automatically disabled if the whitelist is empty).
+- Added configurable "Remember Me" duration for sessions (`REMEMBER_ME_DAYS`).
 - Migrated the testing framework to Vitest and added comprehensive test coverage for controllers and services.
 - Cleaned up dead code and unused dependencies to improve maintainability.
 - Upgraded to use newer versions of Node.js.
+- Added styled success and error pages.
 - Added misc. quality of life improvements and bug fixes.

package/dist/admin/{index-B525UaV3.js → index-BITZIRCD.js}

@@ -55,7 +55,7 @@ const index = {
           defaultMessage: "Configuration"
         },
         Component: async () => {
-          return await Promise.resolve().then(() => require("./index-DlQ8NUBY.js"));
+          return await Promise.resolve().then(() => require("./index-CLDWnBI9.js"));
         },
         permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }]
       }

package/dist/admin/{index-DlQ8NUBY.js → index-CLDWnBI9.js}

@@ -7,7 +7,7 @@ const react = require("react");
 const designSystem = require("@strapi/design-system");
 const icons = require("@strapi/icons");
 const reactIntl = require("react-intl");
-const index = require("./index-B525UaV3.js");
+const index = require("./index-BITZIRCD.js");
 const en = require("./en-jFPbEFeK.js");
 const styled = require("styled-components");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
@@ -395,10 +395,18 @@ function useOidcSettings() {
     setUsers([...users, newUser]);
   };
   const onDeleteWhitelist = async (email) => {
-    setUsers(users.filter((u) => u.email !== email));
+    const updatedUsers = users.filter((u) => u.email !== email);
+    setUsers(updatedUsers);
+    if (useWhitelist && updatedUsers.length === 0) {
+      setEnforceOIDC(false);
+    }
   };
   const onToggleWhitelist = (e) => {
-    setUseWhitelist(e.target.checked);
+    const checked = e.target.checked;
+    setUseWhitelist(checked);
+    if (checked && users.length === 0) {
+      setEnforceOIDC(false);
+    }
   };
   const onToggleEnforce = (e) => {
     setEnforceOIDC(e.target.checked);
@@ -413,13 +421,13 @@ function useOidcSettings() {
           role: role.role
         }))
       });
+      const syncResponse = await put("/strapi-plugin-oidc/whitelist/sync", {
+        users: users.map((u) => ({ email: u.email, roles: u.roles }))
+      });
       await put("/strapi-plugin-oidc/whitelist/settings", {
         useWhitelist,
         enforceOIDC
       });
-      const syncResponse = await put("/strapi-plugin-oidc/whitelist/sync", {
-        users: users.map((u) => ({ email: u.email, roles: u.roles }))
-      });
       setInitialOIDCRoles(JSON.parse(JSON.stringify(oidcRoles)));
       setInitialUseWhitelist(useWhitelist);
       setInitialEnforceOIDC(enforceOIDC);

package/dist/admin/{index-D3AvxXlB.mjs → index-YOG9buUz.mjs}

@@ -54,7 +54,7 @@ const index = {
           defaultMessage: "Configuration"
         },
         Component: async () => {
-          return await import("./index-BbD-7Z4N.mjs");
+          return await import("./index-p9ncVp1G.mjs");
         },
         permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }]
       }

package/dist/admin/{index-BbD-7Z4N.mjs → index-p9ncVp1G.mjs}

@@ -5,7 +5,7 @@ import { useState, useCallback, useEffect, memo } from "react";
 import { Typography, Flex, Box, MultiSelect, MultiSelectOption, Field, Button, Divider, Thead, Tr, Th, Tbody, Td, Dialog, IconButton, Pagination, PreviousLink, PageLink, NextLink, Table, Alert } from "@strapi/design-system";
 import { Plus, Trash, WarningCircle } from "@strapi/icons";
 import { useIntl } from "react-intl";
-import { p as pluginId } from "./index-D3AvxXlB.mjs";
+import { p as pluginId } from "./index-YOG9buUz.mjs";
 import en from "./en-f0TxVfx7.mjs";
 import styled from "styled-components";
 function getTrad(id) {
@@ -391,10 +391,18 @@ function useOidcSettings() {
     setUsers([...users, newUser]);
   };
   const onDeleteWhitelist = async (email) => {
-    setUsers(users.filter((u) => u.email !== email));
+    const updatedUsers = users.filter((u) => u.email !== email);
+    setUsers(updatedUsers);
+    if (useWhitelist && updatedUsers.length === 0) {
+      setEnforceOIDC(false);
+    }
   };
   const onToggleWhitelist = (e) => {
-    setUseWhitelist(e.target.checked);
+    const checked = e.target.checked;
+    setUseWhitelist(checked);
+    if (checked && users.length === 0) {
+      setEnforceOIDC(false);
+    }
   };
   const onToggleEnforce = (e) => {
     setEnforceOIDC(e.target.checked);
@@ -409,13 +417,13 @@ function useOidcSettings() {
           role: role.role
         }))
       });
+      const syncResponse = await put("/strapi-plugin-oidc/whitelist/sync", {
+        users: users.map((u) => ({ email: u.email, roles: u.roles }))
+      });
       await put("/strapi-plugin-oidc/whitelist/settings", {
         useWhitelist,
         enforceOIDC
       });
-      const syncResponse = await put("/strapi-plugin-oidc/whitelist/sync", {
-        users: users.map((u) => ({ email: u.email, roles: u.roles }))
-      });
       setInitialOIDCRoles(JSON.parse(JSON.stringify(oidcRoles)));
       setInitialUseWhitelist(useWhitelist);
       setInitialEnforceOIDC(enforceOIDC);

package/dist/admin/index.js

@@ -1,4 +1,4 @@
 "use strict";
 Object.defineProperties(exports, { __esModule: { value: true }, [Symbol.toStringTag]: { value: "Module" } });
-const index = require("./index-B525UaV3.js");
+const index = require("./index-BITZIRCD.js");
 exports.default = index.index;

package/dist/admin/index.mjs

@@ -1,4 +1,4 @@
-import { i } from "./index-D3AvxXlB.mjs";
+import { i } from "./index-YOG9buUz.mjs";
 export {
   i as default
 };

package/dist/server/index.js

@@ -201,7 +201,7 @@ async function registerNewUser(userService, oauthService2, roleService2, email,
   return activateUser;
 }
 async function handleUserAuthentication(userService, oauthService2, roleService2, whitelistService2, userResponseData, config2, ctx) {
-  const email = userResponseData.email;
+  const email = String(userResponseData.email).toLowerCase();
   const whitelistUser = await whitelistService2.checkWhitelistForEmail(email);
   const dbUser = await userService.findOneByEmail(email);
   let activateUser;
@@ -316,8 +316,14 @@ async function info(ctx) {
   };
 }
 async function updateSettings(ctx) {
-  const { useWhitelist, enforceOIDC } = ctx.request.body;
+  let { useWhitelist, enforceOIDC } = ctx.request.body;
   const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  if (useWhitelist && enforceOIDC) {
+    const users = await whitelistService2.getUsers();
+    if (users.length === 0) {
+      enforceOIDC = false;
+    }
+  }
   await whitelistService2.setSettings({ useWhitelist, enforceOIDC });
   ctx.body = { useWhitelist, enforceOIDC };
 }
@@ -334,7 +340,8 @@ async function register(ctx) {
     ctx.body = { message: "Please enter a valid email address" };
     return;
   }
-  const emailList = Array.isArray(email) ? email : email.split(",").map((e) => e.trim()).filter(Boolean);
+  const rawEmails = Array.isArray(email) ? email : email.split(",");
+  const emailList = rawEmails.map((e) => String(e).trim().toLowerCase()).filter(Boolean);
   const existingUsers = await strapi.query("admin::user").findMany({
     where: { email: { $in: emailList } },
     populate: ["roles"]
@@ -364,7 +371,8 @@ async function removeEmail(ctx) {
   ctx.body = {};
 }
 async function syncUsers(ctx) {
-  const { users } = ctx.request.body;
+  let { users } = ctx.request.body;
+  users = users.map((u) => ({ ...u, email: String(u.email).toLowerCase() }));
   const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
   const currentUsers = await whitelistService2.getUsers();
   let matchedExistingUsersCount = 0;
@@ -410,6 +418,23 @@ const controllers = {
   role,
   whitelist
 };
+const rateLimitMap = /* @__PURE__ */ new Map();
+const RATE_LIMIT_WINDOW = 6e4;
+const MAX_REQUESTS = 20;
+const rateLimitMiddleware = async (ctx, next) => {
+  const ip = ctx.request.ip;
+  const now = Date.now();
+  const windowStart = now - RATE_LIMIT_WINDOW;
+  const requestStamps = (rateLimitMap.get(ip) || []).filter((timestamp) => timestamp > windowStart);
+  if (requestStamps.length >= MAX_REQUESTS) {
+    ctx.status = 429;
+    ctx.body = "Too Many Requests";
+    return;
+  }
+  requestStamps.push(now);
+  rateLimitMap.set(ip, requestStamps);
+  await next();
+};
 const routes = [
   {
     method: "GET",
@@ -429,7 +454,10 @@ const routes = [
     config: {
       policies: [
         "admin::isAuthenticatedAdmin",
-        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.update"] } }
+        {
+          name: "admin::hasPermissions",
+          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
+        }
       ]
     }
   },
@@ -438,7 +466,8 @@ const routes = [
     path: "/oidc",
     handler: "oidc.oidcSignIn",
     config: {
-      auth: false
+      auth: false,
+      middlewares: [rateLimitMiddleware]
     }
   },
   {
@@ -446,7 +475,8 @@ const routes = [
     path: "/oidc/callback",
     handler: "oidc.oidcSignInCallback",
     config: {
-      auth: false
+      auth: false,
+      middlewares: [rateLimitMiddleware]
     }
   },
   {
@@ -475,7 +505,10 @@ const routes = [
     config: {
       policies: [
         "admin::isAuthenticatedAdmin",
-        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.update"] } }
+        {
+          name: "admin::hasPermissions",
+          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
+        }
       ]
     }
   },
@@ -494,7 +527,10 @@ const routes = [
     config: {
       policies: [
         "admin::isAuthenticatedAdmin",
-        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.update"] } }
+        {
+          name: "admin::hasPermissions",
+          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
+        }
       ]
     }
   },
@@ -505,7 +541,10 @@ const routes = [
     config: {
       policies: [
         "admin::isAuthenticatedAdmin",
-        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.update"] } }
+        {
+          name: "admin::hasPermissions",
+          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
+        }
       ]
     }
   },
@@ -516,12 +555,132 @@ const routes = [
     config: {
       policies: [
         "admin::isAuthenticatedAdmin",
-        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.update"] } }
+        {
+          name: "admin::hasPermissions",
+          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
+        }
       ]
     }
   }
 ];
 const policies = {};
+function renderHtmlTemplate(title, content) {
+  return `
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>${title}</title>
+  <style>
+    :root {
+      --bg-color: #f6f6f9;
+      --card-bg: #ffffff;
+      --text-color: #32324d;
+      --text-muted: #666687;
+      --btn-bg: #4945ff;
+      --btn-hover: #271fe0;
+      --btn-text: #ffffff;
+      --icon-bg: #fcecea;
+      --icon-color: #d02b20;
+      --success-bg: #eafbe7;
+      --success-color: #328048;
+      --shadow: 0 1px 4px rgba(33, 33, 52, 0.1);
+    }
+    @media (prefers-color-scheme: dark) {
+      :root {
+        --bg-color: #181826;
+        --card-bg: #212134;
+        --text-color: #ffffff;
+        --text-muted: #a5a5ba;
+        --btn-bg: #4945ff;
+        --btn-hover: #7b79ff;
+        --btn-text: #ffffff;
+        --icon-bg: #4a2123;
+        --icon-color: #f23628;
+        --success-bg: #1c3523;
+        --success-color: #55ca76;
+        --shadow: 0 1px 4px rgba(0, 0, 0, 0.5);
+      }
+    }
+    body {
+      margin: 0;
+      padding: 0;
+      display: flex;
+      justify-content: center;
+      align-items: center;
+      height: 100vh;
+      background-color: var(--bg-color);
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
+      color: var(--text-color);
+    }
+    .card {
+      background: var(--card-bg);
+      padding: 32px 40px;
+      border-radius: 8px;
+      box-shadow: var(--shadow);
+      max-width: 400px;
+      width: 100%;
+      text-align: center;
+      box-sizing: border-box;
+    }
+    .icon {
+      width: 48px;
+      height: 48px;
+      background-color: var(--icon-bg);
+      color: var(--icon-color);
+      border-radius: 50%;
+      display: inline-flex;
+      justify-content: center;
+      align-items: center;
+      margin-bottom: 24px;
+    }
+    .icon.success {
+      background-color: var(--success-bg);
+      color: var(--success-color);
+    }
+    .icon svg {
+      width: 24px;
+      height: 24px;
+      stroke: currentColor;
+      stroke-width: 2;
+      stroke-linecap: round;
+      stroke-linejoin: round;
+      fill: none;
+    }
+    h1 {
+      margin: 0 0 12px 0;
+      font-size: 20px;
+      font-weight: 600;
+      color: var(--text-color);
+    }
+    p {
+      margin: 0 0 32px 0;
+      font-size: 14px;
+      line-height: 1.5;
+      color: var(--text-muted);
+    }
+    .btn {
+      display: inline-block;
+      background-color: var(--btn-bg);
+      color: var(--btn-text);
+      padding: 10px 16px;
+      border-radius: 4px;
+      text-decoration: none;
+      font-size: 14px;
+      font-weight: 500;
+      transition: background-color 0.2s;
+    }
+    .btn:hover {
+      background-color: var(--btn-hover);
+    }
+  </style>
+</head>
+<body>
+  ${content}
+</body>
+</html>`;
+}
 function oauthService({ strapi: strapi2 }) {
   return {
     async createUser(email, lastname, firstname, locale, roles2 = []) {
@@ -602,40 +761,48 @@ function oauthService({ strapi: strapi2 }) {
       const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
       const REMEMBER_ME = config2["REMEMBER_ME"];
       const isRememberMe = !!REMEMBER_ME;
-      return `
-<!doctype html>
-<html>
-<head>
-<noscript>
-<h3>JavaScript must be enabled for authentication</h3>
-</noscript>
-<script nonce="${nonce}">
- window.addEventListener('load', function() {
-  if(${isRememberMe}){
-    localStorage.setItem('jwtToken', '"${jwtToken}"');
-  }else{
-    document.cookie = 'jwtToken=${encodeURIComponent(jwtToken)}; Path=/';
-  }
-  localStorage.setItem('isLoggedIn', 'true');
-  location.href = '${strapi2.config.admin.url}'
- })
-<\/script>
-</head>
-<body>
-</body>
-</html>`;
+      const content = `
+    <noscript>
+      <div class="card">
+        <div class="icon success">
+          <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-check">
+            <path d="M20 6 9 17l-5-5"/>
+          </svg>
+        </div>
+        <h1>JavaScript Required</h1>
+        <p>JavaScript must be enabled for authentication to complete.</p>
+      </div>
+    </noscript>
+    <script nonce="${nonce}">
+     window.addEventListener('load', function() {
+      if(${isRememberMe}){
+        localStorage.setItem('jwtToken', '"${jwtToken}"');
+      }else{
+        document.cookie = 'jwtToken=${encodeURIComponent(jwtToken)}; Path=/';
+      }
+      localStorage.setItem('isLoggedIn', 'true');
+      location.href = '${strapi2.config.admin.url}'
+     })
+    <\/script>`;
+      return renderHtmlTemplate("Authenticating...", content);
     },
     // Sign In Error
     renderSignUpError(message) {
-      return `
-<!doctype html>
-<html>
-<head></head>
-<body>
-<h3>Authentication failed</h3>
-<p>${message}</p>
-</body>
-</html>`;
+      const safeMessage = String(message).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+      const content = `
+  <div class="card">
+    <div class="icon">
+      <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-triangle-alert">
+        <path d="m21.73 18-8-14a2 2 0 0 0-3.48 0l-8 14A2 2 0 0 0 4 21h16a2 2 0 0 0 1.73-3"/>
+        <path d="M12 9v4"/>
+        <path d="M12 17h.01"/>
+      </svg>
+    </div>
+    <h1>Authentication Failed</h1>
+    <p>${safeMessage}</p>
+    <a href="${strapi2.config.admin.url}" class="btn">Return to Login</a>
+  </div>`;
+      return renderHtmlTemplate("Authentication Failed", content);
     },
     async generateToken(user, ctx) {
       const sessionManager = strapi2.sessionManager;
@@ -729,39 +896,35 @@ function roleService({ strapi: strapi2 }) {
   };
 }
 function whitelistService({ strapi: strapi2 }) {
+  const getPluginStore = () => strapi2.store({
+    environment: "",
+    type: "plugin",
+    name: "strapi-plugin-oidc"
+  });
+  const getWhitelistQuery = () => strapi2.query("plugin::strapi-plugin-oidc.whitelists");
   return {
     async getSettings() {
-      const pluginStore = strapi2.store({ type: "plugin", name: "strapi-plugin-oidc" });
-      let settings = await pluginStore.get({ key: "settings" });
+      let settings = await getPluginStore().get({ key: "settings" });
       if (!settings) {
         settings = { useWhitelist: true, enforceOIDC: false };
-        await pluginStore.set({ key: "settings", value: settings });
+        await getPluginStore().set({ key: "settings", value: settings });
       }
       return settings;
     },
     async setSettings(settings) {
-      const pluginStore = strapi2.store({ type: "plugin", name: "strapi-plugin-oidc" });
-      await pluginStore.set({ key: "settings", value: settings });
+      await getPluginStore().set({ key: "settings", value: settings });
     },
     async getUsers() {
-      const query = strapi2.query("plugin::strapi-plugin-oidc.whitelists");
-      return query.findMany();
+      return getWhitelistQuery().findMany();
     },
     async registerUser(email, roles2) {
-      const query = strapi2.query("plugin::strapi-plugin-oidc.whitelists");
-      await query.create({
-        data: {
-          email,
-          roles: roles2
-        }
+      await getWhitelistQuery().create({
+        data: { email, roles: roles2 }
       });
     },
     async removeUser(id) {
-      const query = strapi2.query("plugin::strapi-plugin-oidc.whitelists");
-      await query.delete({
-        where: {
-          id
-        }
+      await getWhitelistQuery().delete({
+        where: { id }
       });
     },
     async checkWhitelistForEmail(email) {
@@ -770,11 +933,8 @@ function whitelistService({ strapi: strapi2 }) {
       if (!settings.useWhitelist) {
         return null;
       }
-      const query = strapi2.query("plugin::strapi-plugin-oidc.whitelists");
-      const result = await query.findOne({
-        where: {
-          email
-        }
+      const result = await getWhitelistQuery().findOne({
+        where: { email }
       });
       console.log("checkWhitelistForEmail result:", result);
       if (!result) {

package/dist/server/index.mjs

@@ -194,7 +194,7 @@ async function registerNewUser(userService, oauthService2, roleService2, email,
   return activateUser;
 }
 async function handleUserAuthentication(userService, oauthService2, roleService2, whitelistService2, userResponseData, config2, ctx) {
-  const email = userResponseData.email;
+  const email = String(userResponseData.email).toLowerCase();
   const whitelistUser = await whitelistService2.checkWhitelistForEmail(email);
   const dbUser = await userService.findOneByEmail(email);
   let activateUser;
@@ -309,8 +309,14 @@ async function info(ctx) {
   };
 }
 async function updateSettings(ctx) {
-  const { useWhitelist, enforceOIDC } = ctx.request.body;
+  let { useWhitelist, enforceOIDC } = ctx.request.body;
   const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  if (useWhitelist && enforceOIDC) {
+    const users = await whitelistService2.getUsers();
+    if (users.length === 0) {
+      enforceOIDC = false;
+    }
+  }
   await whitelistService2.setSettings({ useWhitelist, enforceOIDC });
   ctx.body = { useWhitelist, enforceOIDC };
 }
@@ -327,7 +333,8 @@ async function register(ctx) {
     ctx.body = { message: "Please enter a valid email address" };
     return;
   }
-  const emailList = Array.isArray(email) ? email : email.split(",").map((e) => e.trim()).filter(Boolean);
+  const rawEmails = Array.isArray(email) ? email : email.split(",");
+  const emailList = rawEmails.map((e) => String(e).trim().toLowerCase()).filter(Boolean);
   const existingUsers = await strapi.query("admin::user").findMany({
     where: { email: { $in: emailList } },
     populate: ["roles"]
@@ -357,7 +364,8 @@ async function removeEmail(ctx) {
   ctx.body = {};
 }
 async function syncUsers(ctx) {
-  const { users } = ctx.request.body;
+  let { users } = ctx.request.body;
+  users = users.map((u) => ({ ...u, email: String(u.email).toLowerCase() }));
   const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
   const currentUsers = await whitelistService2.getUsers();
   let matchedExistingUsersCount = 0;
@@ -403,6 +411,23 @@ const controllers = {
   role,
   whitelist
 };
+const rateLimitMap = /* @__PURE__ */ new Map();
+const RATE_LIMIT_WINDOW = 6e4;
+const MAX_REQUESTS = 20;
+const rateLimitMiddleware = async (ctx, next) => {
+  const ip = ctx.request.ip;
+  const now = Date.now();
+  const windowStart = now - RATE_LIMIT_WINDOW;
+  const requestStamps = (rateLimitMap.get(ip) || []).filter((timestamp) => timestamp > windowStart);
+  if (requestStamps.length >= MAX_REQUESTS) {
+    ctx.status = 429;
+    ctx.body = "Too Many Requests";
+    return;
+  }
+  requestStamps.push(now);
+  rateLimitMap.set(ip, requestStamps);
+  await next();
+};
 const routes = [
   {
     method: "GET",
@@ -422,7 +447,10 @@ const routes = [
     config: {
       policies: [
         "admin::isAuthenticatedAdmin",
-        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.update"] } }
+        {
+          name: "admin::hasPermissions",
+          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
+        }
       ]
     }
   },
@@ -431,7 +459,8 @@ const routes = [
     path: "/oidc",
     handler: "oidc.oidcSignIn",
     config: {
-      auth: false
+      auth: false,
+      middlewares: [rateLimitMiddleware]
     }
   },
   {
@@ -439,7 +468,8 @@ const routes = [
     path: "/oidc/callback",
     handler: "oidc.oidcSignInCallback",
     config: {
-      auth: false
+      auth: false,
+      middlewares: [rateLimitMiddleware]
     }
   },
   {
@@ -468,7 +498,10 @@ const routes = [
     config: {
       policies: [
         "admin::isAuthenticatedAdmin",
-        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.update"] } }
+        {
+          name: "admin::hasPermissions",
+          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
+        }
       ]
     }
   },
@@ -487,7 +520,10 @@ const routes = [
     config: {
       policies: [
         "admin::isAuthenticatedAdmin",
-        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.update"] } }
+        {
+          name: "admin::hasPermissions",
+          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
+        }
       ]
     }
   },
@@ -498,7 +534,10 @@ const routes = [
     config: {
       policies: [
         "admin::isAuthenticatedAdmin",
-        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.update"] } }
+        {
+          name: "admin::hasPermissions",
+          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
+        }
       ]
     }
   },
@@ -509,12 +548,132 @@ const routes = [
     config: {
       policies: [
         "admin::isAuthenticatedAdmin",
-        { name: "admin::hasPermissions", config: { actions: ["plugin::strapi-plugin-oidc.update"] } }
+        {
+          name: "admin::hasPermissions",
+          config: { actions: ["plugin::strapi-plugin-oidc.update"] }
+        }
       ]
     }
   }
 ];
 const policies = {};
+function renderHtmlTemplate(title, content) {
+  return `
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>${title}</title>
+  <style>
+    :root {
+      --bg-color: #f6f6f9;
+      --card-bg: #ffffff;
+      --text-color: #32324d;
+      --text-muted: #666687;
+      --btn-bg: #4945ff;
+      --btn-hover: #271fe0;
+      --btn-text: #ffffff;
+      --icon-bg: #fcecea;
+      --icon-color: #d02b20;
+      --success-bg: #eafbe7;
+      --success-color: #328048;
+      --shadow: 0 1px 4px rgba(33, 33, 52, 0.1);
+    }
+    @media (prefers-color-scheme: dark) {
+      :root {
+        --bg-color: #181826;
+        --card-bg: #212134;
+        --text-color: #ffffff;
+        --text-muted: #a5a5ba;
+        --btn-bg: #4945ff;
+        --btn-hover: #7b79ff;
+        --btn-text: #ffffff;
+        --icon-bg: #4a2123;
+        --icon-color: #f23628;
+        --success-bg: #1c3523;
+        --success-color: #55ca76;
+        --shadow: 0 1px 4px rgba(0, 0, 0, 0.5);
+      }
+    }
+    body {
+      margin: 0;
+      padding: 0;
+      display: flex;
+      justify-content: center;
+      align-items: center;
+      height: 100vh;
+      background-color: var(--bg-color);
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
+      color: var(--text-color);
+    }
+    .card {
+      background: var(--card-bg);
+      padding: 32px 40px;
+      border-radius: 8px;
+      box-shadow: var(--shadow);
+      max-width: 400px;
+      width: 100%;
+      text-align: center;
+      box-sizing: border-box;
+    }
+    .icon {
+      width: 48px;
+      height: 48px;
+      background-color: var(--icon-bg);
+      color: var(--icon-color);
+      border-radius: 50%;
+      display: inline-flex;
+      justify-content: center;
+      align-items: center;
+      margin-bottom: 24px;
+    }
+    .icon.success {
+      background-color: var(--success-bg);
+      color: var(--success-color);
+    }
+    .icon svg {
+      width: 24px;
+      height: 24px;
+      stroke: currentColor;
+      stroke-width: 2;
+      stroke-linecap: round;
+      stroke-linejoin: round;
+      fill: none;
+    }
+    h1 {
+      margin: 0 0 12px 0;
+      font-size: 20px;
+      font-weight: 600;
+      color: var(--text-color);
+    }
+    p {
+      margin: 0 0 32px 0;
+      font-size: 14px;
+      line-height: 1.5;
+      color: var(--text-muted);
+    }
+    .btn {
+      display: inline-block;
+      background-color: var(--btn-bg);
+      color: var(--btn-text);
+      padding: 10px 16px;
+      border-radius: 4px;
+      text-decoration: none;
+      font-size: 14px;
+      font-weight: 500;
+      transition: background-color 0.2s;
+    }
+    .btn:hover {
+      background-color: var(--btn-hover);
+    }
+  </style>
+</head>
+<body>
+  ${content}
+</body>
+</html>`;
+}
 function oauthService({ strapi: strapi2 }) {
   return {
     async createUser(email, lastname, firstname, locale, roles2 = []) {
@@ -595,40 +754,48 @@ function oauthService({ strapi: strapi2 }) {
       const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
       const REMEMBER_ME = config2["REMEMBER_ME"];
       const isRememberMe = !!REMEMBER_ME;
-      return `
-<!doctype html>
-<html>
-<head>
-<noscript>
-<h3>JavaScript must be enabled for authentication</h3>
-</noscript>
-<script nonce="${nonce}">
- window.addEventListener('load', function() {
-  if(${isRememberMe}){
-    localStorage.setItem('jwtToken', '"${jwtToken}"');
-  }else{
-    document.cookie = 'jwtToken=${encodeURIComponent(jwtToken)}; Path=/';
-  }
-  localStorage.setItem('isLoggedIn', 'true');
-  location.href = '${strapi2.config.admin.url}'
- })
-<\/script>
-</head>
-<body>
-</body>
-</html>`;
+      const content = `
+    <noscript>
+      <div class="card">
+        <div class="icon success">
+          <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-check">
+            <path d="M20 6 9 17l-5-5"/>
+          </svg>
+        </div>
+        <h1>JavaScript Required</h1>
+        <p>JavaScript must be enabled for authentication to complete.</p>
+      </div>
+    </noscript>
+    <script nonce="${nonce}">
+     window.addEventListener('load', function() {
+      if(${isRememberMe}){
+        localStorage.setItem('jwtToken', '"${jwtToken}"');
+      }else{
+        document.cookie = 'jwtToken=${encodeURIComponent(jwtToken)}; Path=/';
+      }
+      localStorage.setItem('isLoggedIn', 'true');
+      location.href = '${strapi2.config.admin.url}'
+     })
+    <\/script>`;
+      return renderHtmlTemplate("Authenticating...", content);
     },
     // Sign In Error
     renderSignUpError(message) {
-      return `
-<!doctype html>
-<html>
-<head></head>
-<body>
-<h3>Authentication failed</h3>
-<p>${message}</p>
-</body>
-</html>`;
+      const safeMessage = String(message).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+      const content = `
+  <div class="card">
+    <div class="icon">
+      <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-triangle-alert">
+        <path d="m21.73 18-8-14a2 2 0 0 0-3.48 0l-8 14A2 2 0 0 0 4 21h16a2 2 0 0 0 1.73-3"/>
+        <path d="M12 9v4"/>
+        <path d="M12 17h.01"/>
+      </svg>
+    </div>
+    <h1>Authentication Failed</h1>
+    <p>${safeMessage}</p>
+    <a href="${strapi2.config.admin.url}" class="btn">Return to Login</a>
+  </div>`;
+      return renderHtmlTemplate("Authentication Failed", content);
     },
     async generateToken(user, ctx) {
       const sessionManager = strapi2.sessionManager;
@@ -722,39 +889,35 @@ function roleService({ strapi: strapi2 }) {
   };
 }
 function whitelistService({ strapi: strapi2 }) {
+  const getPluginStore = () => strapi2.store({
+    environment: "",
+    type: "plugin",
+    name: "strapi-plugin-oidc"
+  });
+  const getWhitelistQuery = () => strapi2.query("plugin::strapi-plugin-oidc.whitelists");
   return {
     async getSettings() {
-      const pluginStore = strapi2.store({ type: "plugin", name: "strapi-plugin-oidc" });
-      let settings = await pluginStore.get({ key: "settings" });
+      let settings = await getPluginStore().get({ key: "settings" });
       if (!settings) {
         settings = { useWhitelist: true, enforceOIDC: false };
-        await pluginStore.set({ key: "settings", value: settings });
+        await getPluginStore().set({ key: "settings", value: settings });
       }
       return settings;
     },
     async setSettings(settings) {
-      const pluginStore = strapi2.store({ type: "plugin", name: "strapi-plugin-oidc" });
-      await pluginStore.set({ key: "settings", value: settings });
+      await getPluginStore().set({ key: "settings", value: settings });
     },
     async getUsers() {
-      const query = strapi2.query("plugin::strapi-plugin-oidc.whitelists");
-      return query.findMany();
+      return getWhitelistQuery().findMany();
     },
     async registerUser(email, roles2) {
-      const query = strapi2.query("plugin::strapi-plugin-oidc.whitelists");
-      await query.create({
-        data: {
-          email,
-          roles: roles2
-        }
+      await getWhitelistQuery().create({
+        data: { email, roles: roles2 }
       });
     },
     async removeUser(id) {
-      const query = strapi2.query("plugin::strapi-plugin-oidc.whitelists");
-      await query.delete({
-        where: {
-          id
-        }
+      await getWhitelistQuery().delete({
+        where: { id }
       });
     },
     async checkWhitelistForEmail(email) {
@@ -763,11 +926,8 @@ function whitelistService({ strapi: strapi2 }) {
       if (!settings.useWhitelist) {
         return null;
       }
-      const query = strapi2.query("plugin::strapi-plugin-oidc.whitelists");
-      const result = await query.findOne({
-        where: {
-          email
-        }
+      const result = await getWhitelistQuery().findOne({
+        where: { email }
       });
       console.log("checkWhitelistForEmail result:", result);
       if (!result) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.0.5",
+  "version": "1.0.6",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",