strapi-plugin-oidc 1.3.1 → 1.4.0

package/README.md

@@ -11,80 +11,125 @@
   </p>
 </div>
 
-A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.
-
-This plugin allows your administrators to log in to the Strapi administration interface using external OIDC identity providers such as Zitadel, Keycloak, Auth0, AWS Cognito, and others.
+A Strapi plugin that provides OpenID Connect (OIDC) authentication for the Strapi Admin Panel. Supports Keycloak, Auth0, Okta, Azure AD, Authentik, Authelia, and any other OpenID Connect provider.
 
 ## Installation
 
-You can install the plugin via `npm` or `yarn`:
-
 ```bash
-# Using npm
 npm install strapi-plugin-oidc
-
-# Using yarn
-yarn add strapi-plugin-oidc
 ```
 
 ## Configuration
 
-To enable and configure the plugin, update your `config/plugins.js` (or `config/plugins.ts`) file with your OIDC provider's settings.
+Add the plugin to `config/plugins.js` (or `.ts`):
 
 ```javascript
 module.exports = ({ env }) => ({
-  // ...
   'strapi-plugin-oidc': {
     enabled: true,
     config: {
-      // --- Required ---
-      OIDC_CLIENT_ID: '[Client ID from OpenID Provider]',
-      OIDC_CLIENT_SECRET: '[Client Secret from OpenID Provider]',
-      OIDC_REDIRECT_URI: '[Your Strapi URL]/strapi-plugin-oidc/oidc/callback',
-      OIDC_AUTHORIZATION_ENDPOINT: '[Authorization Endpoint]',
-      OIDC_TOKEN_ENDPOINT: '[Token Endpoint]',
-      OIDC_USER_INFO_ENDPOINT: '[User Info Endpoint]',
-
-      // --- Defaults provided — only set if your provider differs ---
+      // Required
+      OIDC_CLIENT_ID: env('OIDC_CLIENT_ID'),
+      OIDC_CLIENT_SECRET: env('OIDC_CLIENT_SECRET'),
+      OIDC_REDIRECT_URI: env('OIDC_REDIRECT_URI'), // https://your-strapi.com/strapi-plugin-oidc/oidc/callback
+      OIDC_AUTHORIZATION_ENDPOINT: env('OIDC_AUTHORIZATION_ENDPOINT'),
+      OIDC_TOKEN_ENDPOINT: env('OIDC_TOKEN_ENDPOINT'),
+      OIDC_USER_INFO_ENDPOINT: env('OIDC_USER_INFO_ENDPOINT'),
+
+      // Optional — defaults shown
       OIDC_SCOPES: 'openid profile email',
       OIDC_GRANT_TYPE: 'authorization_code',
-      OIDC_FAMILY_NAME_FIELD: 'family_name', // OIDC claim for the user's surname
-      OIDC_GIVEN_NAME_FIELD: 'given_name', // OIDC claim for the user's first name
-
-      // --- Optional ---
-      OIDC_USER_INFO_ENDPOINT_WITH_AUTH_HEADER: false, // true = Bearer token header, false = query param
-      OIDC_LOGOUT_URL: '', // OIDC provider logout URL; omit to return to Strapi login instead
-      OIDC_SSO_BUTTON_TEXT: 'Login via SSO', // Text on the SSO button injected into the login page
-      OIDC_ENFORCE: null, // null = use Admin UI setting; true/false = override it in config
-      REMEMBER_ME: false, // true = persist session across browser restarts, using Strapi's built-in refresh token duration
+      OIDC_FAMILY_NAME_FIELD: 'family_name',
+      OIDC_GIVEN_NAME_FIELD: 'given_name',
+      OIDC_USER_INFO_ENDPOINT_WITH_AUTH_HEADER: false, // true = Bearer header, false = query param
+      OIDC_LOGOUT_URL: '', // Provider logout URL; omit to redirect to Strapi login
+      OIDC_SSO_BUTTON_TEXT: 'Login via SSO',
+      OIDC_ENFORCE: null, // null = use Admin UI toggle; true/false = override in config
+      REMEMBER_ME: false, // Persist session across browser restarts
     },
   },
-  // ...
 });
 ```
 
-## How to Login
+## Login
 
-Once configured, you can initiate the OIDC login flow by navigating to:
-`http://<your-strapi-domain>/strapi-plugin-oidc/oidc`
+Navigate to `/strapi-plugin-oidc/oidc` to start the OIDC flow, or click the **Login via SSO** button that is always injected into the Strapi login page.
 
-(e.g., `http://localhost:1337/strapi-plugin-oidc/oidc` for local development).
+## Admin Settings
 
-When the **Enforce OIDC Login** option is enabled in the Admin Settings, the standard Strapi admin login page will be automatically redirected to this URL.
+Manage the plugin under **Settings → OIDC Plugin**.
 
-## Admin Settings
+**Default Roles** — Select which Strapi admin role(s) are assigned to new users on first login.
+
+**Whitelist** — Restrict access to specific email addresses. When the whitelist is enabled, only listed emails can log in. When empty, any successfully authenticated OIDC user gets an account. The whitelist supports:
+
+- Adding individual emails with optional role overrides
+- JSON import / export (see [format](#import-format) below)
+- Bulk delete with confirmation
+- Unsaved changes are held in the UI until **Save Changes** is clicked
+
+**Enforce OIDC Login** — Removes the standard email/password fields from the login page and blocks direct login API calls server-side. Automatically disabled when the whitelist is empty to prevent lockout.
+
+- The toggle is grayed out and locked when `OIDC_ENFORCE` is set in config.
+- **Lockout recovery**: set `OIDC_ENFORCE: false` in your plugin config and restart Strapi. This writes through to the database so removing the variable afterwards keeps the setting.
+
+## Whitelist API
 
-Once the plugin is installed and configured, you can manage the OIDC settings from the Strapi Admin Panel under **Settings** > **OIDC Plugin**.
+The whitelist can be managed programmatically using a Strapi **API token** (Settings → API Tokens → Full Access). All endpoints are under `/api/strapi-plugin-oidc` and require `Authorization: Bearer <token>`.
 
-- **Whitelist Management**: Restrict login to specific users by adding their email addresses to the whitelist. You can also whitelist entire email domains (e.g., `*@company.com`). If the whitelist is empty, any user who successfully authenticates via your OIDC provider will be able to log in and an account will be automatically created for them.
-- **Default Role Assignment**: Select the default Strapi admin role that will be assigned to newly created users when they log in for the first time via OIDC.
-- **SSO Login Button**: A "Login via SSO" button is always injected into the Strapi login page, allowing users to authenticate via OIDC. The button text is configurable via the `OIDC_SSO_BUTTON_TEXT` config option.
-- **Enforce OIDC Login**: When enabled, the standard email/password fields, remember me checkbox, and login button are hidden on the login page, leaving only the SSO button. All direct login API calls are also blocked server-side. _(Note: This option is automatically disabled and grayed out if your whitelist is empty to prevent accidentally locking everyone out of the admin panel)._
-- **`OIDC_ENFORCE` config override**: Setting `OIDC_ENFORCE: true` or `OIDC_ENFORCE: false` in your plugin config takes priority over the Admin UI toggle and locks it. Set `OIDC_ENFORCE: false` in your config to regain access if you are ever locked out, then restart Strapi.
+| Method   | Path                                       | Description            |
+| -------- | ------------------------------------------ | ---------------------- |
+| `GET`    | `/api/strapi-plugin-oidc/whitelist`        | List all entries       |
+| `POST`   | `/api/strapi-plugin-oidc/whitelist`        | Add one or more emails |
+| `POST`   | `/api/strapi-plugin-oidc/whitelist/import` | Bulk import            |
+| `DELETE` | `/api/strapi-plugin-oidc/whitelist/:id`    | Remove by ID           |
+| `DELETE` | `/api/strapi-plugin-oidc/whitelist`        | Remove all entries     |
+
+API calls write directly to the database — there is no unsaved state.
+
+### Import format
+
+Accepted by both the API import endpoint and the Admin UI import button. `roles` is optional and accepts role **names** (recommended) or numeric IDs. If the email already exists as a Strapi admin user, their current roles are used automatically.
+
+```json
+[
+  { "email": "alice@example.com", "roles": ["Editor"] },
+  { "email": "bob@example.com", "roles": ["Editor", "Author"] },
+  { "email": "carol@example.com" }
+]
+```
+
+Duplicate emails within the payload and emails already in the whitelist are silently skipped.
+
+### Examples
+
+```bash
+# List
+curl -H "Authorization: Bearer <token>" \
+  http://localhost:1337/api/strapi-plugin-oidc/whitelist
+
+# Add
+curl -X POST -H "Authorization: Bearer <token>" -H "Content-Type: application/json" \
+  -d '{"email": "user@example.com", "roles": ["Editor"]}' \
+  http://localhost:1337/api/strapi-plugin-oidc/whitelist
+
+# Bulk import
+curl -X POST -H "Authorization: Bearer <token>" -H "Content-Type: application/json" \
+  -d '{"users": [{"email": "a@example.com", "roles": ["Editor"]}, {"email": "b@example.com"}]}' \
+  http://localhost:1337/api/strapi-plugin-oidc/whitelist/import
+
+# Delete one
+curl -X DELETE -H "Authorization: Bearer <token>" \
+  http://localhost:1337/api/strapi-plugin-oidc/whitelist/42
+
+# Delete all
+curl -X DELETE -H "Authorization: Bearer <token>" \
+  http://localhost:1337/api/strapi-plugin-oidc/whitelist
+```
 
 ## Credits & Changes
 
-This plugin is a hard fork of the original [`strapi-plugin-sso`](https://github.com/yasudacloud/strapi-plugin-sso) created by **yasudacloud**. Huge thanks to them for creating the foundation of this plugin!
+This plugin is a hard fork of [`strapi-plugin-sso`](https://github.com/yasudacloud/strapi-plugin-sso) by **yasudacloud**. Huge thanks to them for creating the foundation of this plugin!
 
 ### Changes made to the original codebase:
 
@@ -92,10 +137,14 @@ This plugin is a hard fork of the original [`strapi-plugin-sso`](https://github.
 - Redesigned the Whitelist and Role management UI (switched to native Strapi cards, added pagination, etc.).
 - Added an OIDC logout redirect URL.
 - Added an option to "Enforce OIDC login" with an admin toggle (automatically disabled if the whitelist is empty).
-- Added "Remember Me" support for OIDC sessions, using Strapi's built-in refresh token duration and idle lifespan.
 - Migrated the testing framework to Vitest and added comprehensive test coverage for controllers and services.
 - Cleaned up dead code and unused dependencies to improve maintainability.
 - Upgraded to use newer versions of Node.js.
 - Added styled success and error pages.
 - Always injects a "Login via SSO" button on the Strapi login page. Button text is configurable via `OIDC_SSO_BUTTON_TEXT`. When enforcement is on, standard login fields are hidden so only the SSO button is visible.
+- Whitelist improvements:
+  - JSON import and export (uses human-readable role names).
+  - Bulk delete all entries with a confirmation dialog.
+  - Unsaved changes confirmation when navigating away from the settings page.
+  - Programmatic API for managing the whitelist via Strapi API tokens (list, register, import, delete, delete all).
 - Added misc. quality of life improvements and bug fixes.

package/dist/admin/{index-D1ypRUlq.mjs → index-8hB6LKml.mjs}

@@ -78,7 +78,20 @@ const en = {
   "enforce.warning": "Make sure OIDC is setup correctly before saving changes, you won't be able to login normally.",
   "enforce.config.info": "Enforcement is controlled by the OIDC_ENFORCE config variable and cannot be changed here.",
   "login.settings.title": "Login Settings",
-  "login.sso": "Login via SSO"
+  "login.sso": "Login via SSO",
+  "whitelist.count": "{count, plural, one {# entry} other {# entries}}",
+  "whitelist.import": "Import",
+  "whitelist.export": "Export",
+  "whitelist.delete.all.label": "Delete All",
+  "whitelist.delete.all.title": "Delete All Entries",
+  "whitelist.delete.all.description": "This will permanently remove all {count, plural, one {# entry} other {# entries}} from the whitelist. Unsaved changes will be lost.",
+  "whitelist.import.error": "Invalid file — expected a JSON array of objects with an email field.",
+  "whitelist.import.success": "Imported {count, plural, one {# new entry} other {# new entries}}.",
+  "whitelist.import.none": "No new entries — all emails are already in the whitelist.",
+  "unsaved.title": "Unsaved Changes",
+  "unsaved.description": "You have unsaved changes that will be lost if you leave. Do you want to continue?",
+  "unsaved.confirm": "Leave",
+  "unsaved.cancel": "Stay"
 };
 function getTrad(id) {
   const pluginIdWithId = `${pluginId}.${id}`;
@@ -109,7 +122,7 @@ const index = {
           defaultMessage: "Configuration"
         },
         Component: async () => {
-          return await import("./index-CFmg9Kxl.mjs");
+          return await import("./index-BTTGSnuQ.mjs");
         },
         permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }]
       }

package/dist/admin/{index-CFmg9Kxl.mjs → index-BTTGSnuQ.mjs}

@@ -1,11 +1,11 @@
 import { jsxs, Fragment, jsx } from "react/jsx-runtime";
-import { Routes, Route } from "react-router-dom";
+import { useBlocker, Routes, Route } from "react-router-dom";
 import { useNotification, useFetchClient, Page, Layouts } from "@strapi/strapi/admin";
-import { useState, useCallback, useEffect, memo } from "react";
-import { Typography, Flex, Box, MultiSelect, MultiSelectOption, Field, Button, Divider, Thead, Tr, Th, Tbody, Td, Dialog, IconButton, Pagination, PreviousLink, PageLink, NextLink, Table, Alert } from "@strapi/design-system";
-import { Plus, Trash, WarningCircle, Information } from "@strapi/icons";
+import { useState, useRef, useCallback, useEffect, memo } from "react";
+import { Typography, Flex, Box, MultiSelect, MultiSelectOption, Button, Dialog, Field, Divider, Thead, Tr, Th, Tbody, Td, IconButton, Pagination, PreviousLink, PageLink, NextLink, Table, Alert } from "@strapi/design-system";
+import { Download, Upload, Trash, WarningCircle, Plus, Information } from "@strapi/icons";
 import { useIntl } from "react-intl";
-import { g as getTrad } from "./index-D1ypRUlq.mjs";
+import { g as getTrad } from "./index-8hB6LKml.mjs";
 import styled from "styled-components";
 function Role({ oidcRoles, roles, onChangeRole }) {
   const { formatMessage } = useIntl();
@@ -52,13 +52,17 @@ function Whitelist({
   useWhitelist,
   loading,
   onSave,
-  onDelete
+  onDelete,
+  onDeleteAll,
+  onImport,
+  onExport
 }) {
   const [email, setEmail] = useState("");
   const [selectedRoles, setSelectedRoles] = useState([]);
   const [page, setPage] = useState(1);
   const { formatMessage } = useIntl();
   const { toggleNotification } = useNotification();
+  const fileInputRef = useRef(null);
   const PAGE_SIZE = 10;
   const pageCount = Math.ceil(users.length / PAGE_SIZE) || 1;
   const paginatedUsers = users.slice((page - 1) * PAGE_SIZE, page * PAGE_SIZE);
@@ -79,9 +83,93 @@ function Whitelist({
     const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
     return emailRegex.test(email);
   }, [email]);
+  const handleImport = useCallback(
+    async (e) => {
+      const file = e.target.files?.[0];
+      if (!fileInputRef.current) return;
+      fileInputRef.current.value = "";
+      if (!file) return;
+      try {
+        const text = await file.text();
+        const parsed = JSON.parse(text);
+        if (!Array.isArray(parsed)) throw new Error();
+        const entries = parsed.filter((item) => item?.email).map((item) => ({
+          email: String(item.email),
+          roles: Array.isArray(item.roles) ? item.roles : []
+        }));
+        const count = await onImport(entries);
+        if (count === 0) {
+          toggleNotification({
+            type: "info",
+            message: formatMessage(getTrad("whitelist.import.none"))
+          });
+        } else {
+          toggleNotification({
+            type: "success",
+            message: formatMessage(getTrad("whitelist.import.success"), { count })
+          });
+        }
+      } catch {
+        toggleNotification({
+          type: "warning",
+          message: formatMessage(getTrad("whitelist.import.error"))
+        });
+      }
+    },
+    [onImport, formatMessage, toggleNotification]
+  );
   return /* @__PURE__ */ jsxs(Box, { children: [
     /* @__PURE__ */ jsx(Typography, { tag: "p", variant: "omega", textColor: "neutral600", marginBottom: 4, children: formatMessage(getTrad("whitelist.description")) }),
     useWhitelist && /* @__PURE__ */ jsxs(Fragment, { children: [
+      /* @__PURE__ */ jsxs(Flex, { justifyContent: "space-between", alignItems: "center", marginBottom: 4, children: [
+        /* @__PURE__ */ jsx(Typography, { variant: "pi", textColor: "neutral600", children: formatMessage(getTrad("whitelist.count"), { count: users.length }) }),
+        /* @__PURE__ */ jsxs(Flex, { gap: 2, children: [
+          /* @__PURE__ */ jsx(
+            Button,
+            {
+              size: "S",
+              variant: "tertiary",
+              startIcon: /* @__PURE__ */ jsx(Download, {}),
+              onClick: onExport,
+              disabled: users.length === 0,
+              children: formatMessage(getTrad("whitelist.export"))
+            }
+          ),
+          /* @__PURE__ */ jsx(
+            Button,
+            {
+              size: "S",
+              variant: "tertiary",
+              startIcon: /* @__PURE__ */ jsx(Upload, {}),
+              onClick: () => fileInputRef.current?.click(),
+              children: formatMessage(getTrad("whitelist.import"))
+            }
+          ),
+          /* @__PURE__ */ jsx(
+            "input",
+            {
+              ref: fileInputRef,
+              type: "file",
+              accept: ".json,application/json",
+              style: { display: "none" },
+              onChange: handleImport
+            }
+          ),
+          users.length > 0 && /* @__PURE__ */ jsxs(Dialog.Root, { children: [
+            /* @__PURE__ */ jsx(Dialog.Trigger, { children: /* @__PURE__ */ jsx(Button, { size: "S", variant: "danger-light", startIcon: /* @__PURE__ */ jsx(Trash, {}), children: formatMessage(getTrad("whitelist.delete.all.label")) }) }),
+            /* @__PURE__ */ jsxs(Dialog.Content, { children: [
+              /* @__PURE__ */ jsx(Dialog.Header, { children: formatMessage(getTrad("whitelist.delete.all.title")) }),
+              /* @__PURE__ */ jsx(Dialog.Body, { icon: /* @__PURE__ */ jsx(WarningCircle, { fill: "danger600" }), children: /* @__PURE__ */ jsx(Flex, { justifyContent: "center", children: /* @__PURE__ */ jsx(Typography, { textColor: "neutral800", textAlign: "center", children: formatMessage(getTrad("whitelist.delete.all.description"), {
+                count: users.length
+              }) }) }) }),
+              /* @__PURE__ */ jsxs(Dialog.Footer, { children: [
+                /* @__PURE__ */ jsx(Dialog.Cancel, { children: /* @__PURE__ */ jsx(Button, { fullWidth: true, variant: "tertiary", children: formatMessage(getTrad("page.cancel")) }) }),
+                /* @__PURE__ */ jsx(Dialog.Action, { children: /* @__PURE__ */ jsx(Button, { fullWidth: true, variant: "danger", onClick: onDeleteAll, children: formatMessage(getTrad("whitelist.delete.all.label")) }) })
+              ] })
+            ] })
+          ] })
+        ] })
+      ] }),
       /* @__PURE__ */ jsxs(Flex, { gap: 4, marginTop: 5, marginBottom: 5, alignItems: "flex-start", children: [
         /* @__PURE__ */ jsx(Box, { style: { flex: 1 }, children: /* @__PURE__ */ jsx(Field.Root, { children: /* @__PURE__ */ jsx(
           Field.Input,
@@ -133,17 +221,22 @@ function Whitelist({
             return r ? r.name : roleId;
           }).join(", ");
           let userRolesNames = getRoleNames(user.roles || []);
+          let isDefault = false;
           if (!userRolesNames) {
             const defaultRolesIds = oidcRoles.reduce((acc, oidc) => {
               if (oidc.role) acc.push(...oidc.role);
               return acc;
             }, []);
             userRolesNames = getRoleNames(defaultRolesIds);
+            isDefault = Boolean(userRolesNames);
           }
           return /* @__PURE__ */ jsxs(Tr, { children: [
             /* @__PURE__ */ jsx(Td, { children: index + 1 + (page - 1) * PAGE_SIZE }),
             /* @__PURE__ */ jsx(Td, { children: user.email }),
-            /* @__PURE__ */ jsx(Td, { children: userRolesNames || "-" }),
+            /* @__PURE__ */ jsx(Td, { children: userRolesNames ? /* @__PURE__ */ jsxs(Flex, { gap: 2, alignItems: "center", children: [
+              /* @__PURE__ */ jsx("span", { children: userRolesNames }),
+              isDefault && /* @__PURE__ */ jsx(Typography, { variant: "pi", textColor: "neutral500", children: "(Default)" })
+            ] }) : "-" }),
             /* @__PURE__ */ jsx(Td, { children: /* @__PURE__ */ jsx(LocalizedDate, { date: user.createdAt }) }),
             /* @__PURE__ */ jsx(Td, { style: { paddingRight: 0 }, children: /* @__PURE__ */ jsx(
               Flex,
@@ -347,7 +440,7 @@ function CustomSwitch({ checked, onChange, label, disabled }) {
   ] });
 }
 function useOidcSettings() {
-  const { get, put } = useFetchClient();
+  const { get, put, post } = useFetchClient();
   const [loading, setLoading] = useState(false);
   const [showSuccess, setSuccess] = useState(false);
   const [showError, setError] = useState(false);
@@ -397,6 +490,31 @@ function useOidcSettings() {
       setEnforceOIDC(false);
     }
   };
+  const onDeleteAll = () => {
+    setUsers([]);
+    if (useWhitelist) setEnforceOIDC(false);
+  };
+  const onImport = async (entries) => {
+    const response = await post("/strapi-plugin-oidc/whitelist/import", { users: entries });
+    const refreshed = await get("/strapi-plugin-oidc/whitelist");
+    setUsers(refreshed.data.whitelistUsers);
+    setInitialUsers(JSON.parse(JSON.stringify(refreshed.data.whitelistUsers)));
+    return response.data.importedCount;
+  };
+  const onExport = () => {
+    const roleMap = new Map(roles.map((r) => [String(r.id), r.name]));
+    const data = users.map(({ email, roles: userRoles }) => ({
+      email,
+      roles: (userRoles || []).map((id) => roleMap.get(String(id)) ?? id)
+    }));
+    const blob = new Blob([JSON.stringify(data, null, 2)], { type: "application/json" });
+    const url = URL.createObjectURL(blob);
+    const a = document.createElement("a");
+    a.href = url;
+    a.download = "whitelist.json";
+    a.click();
+    URL.revokeObjectURL(url);
+  };
   const onToggleWhitelist = (e) => {
     const checked = e.target.checked;
     setUseWhitelist(checked);
@@ -468,6 +586,9 @@ function useOidcSettings() {
       onChangeRole,
       onRegisterWhitelist,
       onDeleteWhitelist,
+      onDeleteAll,
+      onImport,
+      onExport,
       onToggleWhitelist,
       onToggleEnforce,
       onSaveAll
@@ -477,6 +598,7 @@ function useOidcSettings() {
 function HomePage() {
   const { formatMessage } = useIntl();
   const { state, actions } = useOidcSettings();
+  const blocker = useBlocker(state.isDirty);
   return /* @__PURE__ */ jsxs(Page.Protect, { permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }], children: [
     /* @__PURE__ */ jsx(
       Layouts.Header,
@@ -521,7 +643,10 @@ function HomePage() {
             oidcRoles: state.oidcRoles,
             useWhitelist: state.useWhitelist,
             onSave: actions.onRegisterWhitelist,
-            onDelete: actions.onDeleteWhitelist
+            onDelete: actions.onDeleteWhitelist,
+            onDeleteAll: actions.onDeleteAll,
+            onImport: actions.onImport,
+            onExport: actions.onExport
           }
         )
       ] }),
@@ -560,6 +685,14 @@ function HomePage() {
           children: formatMessage(getTrad("page.save"))
         }
       ) })
+    ] }) }),
+    /* @__PURE__ */ jsx(Dialog.Root, { open: blocker.state === "blocked", children: /* @__PURE__ */ jsxs(Dialog.Content, { children: [
+      /* @__PURE__ */ jsx(Dialog.Header, { children: formatMessage(getTrad("unsaved.title")) }),
+      /* @__PURE__ */ jsx(Dialog.Body, { children: formatMessage(getTrad("unsaved.description")) }),
+      /* @__PURE__ */ jsxs(Dialog.Footer, { children: [
+        /* @__PURE__ */ jsx(Dialog.Cancel, { children: /* @__PURE__ */ jsx(Button, { variant: "tertiary", onClick: () => blocker.reset?.(), children: formatMessage(getTrad("unsaved.cancel")) }) }),
+        /* @__PURE__ */ jsx(Dialog.Action, { children: /* @__PURE__ */ jsx(Button, { variant: "danger", onClick: () => blocker.proceed?.(), children: formatMessage(getTrad("unsaved.confirm")) }) })
+      ] })
     ] }) })
   ] });
 }

package/dist/admin/{index-Cse9ex24.js → index-CZDixCh4.js}

@@ -79,7 +79,20 @@ const en = {
   "enforce.warning": "Make sure OIDC is setup correctly before saving changes, you won't be able to login normally.",
   "enforce.config.info": "Enforcement is controlled by the OIDC_ENFORCE config variable and cannot be changed here.",
   "login.settings.title": "Login Settings",
-  "login.sso": "Login via SSO"
+  "login.sso": "Login via SSO",
+  "whitelist.count": "{count, plural, one {# entry} other {# entries}}",
+  "whitelist.import": "Import",
+  "whitelist.export": "Export",
+  "whitelist.delete.all.label": "Delete All",
+  "whitelist.delete.all.title": "Delete All Entries",
+  "whitelist.delete.all.description": "This will permanently remove all {count, plural, one {# entry} other {# entries}} from the whitelist. Unsaved changes will be lost.",
+  "whitelist.import.error": "Invalid file — expected a JSON array of objects with an email field.",
+  "whitelist.import.success": "Imported {count, plural, one {# new entry} other {# new entries}}.",
+  "whitelist.import.none": "No new entries — all emails are already in the whitelist.",
+  "unsaved.title": "Unsaved Changes",
+  "unsaved.description": "You have unsaved changes that will be lost if you leave. Do you want to continue?",
+  "unsaved.confirm": "Leave",
+  "unsaved.cancel": "Stay"
 };
 function getTrad(id) {
   const pluginIdWithId = `${pluginId}.${id}`;
@@ -110,7 +123,7 @@ const index = {
           defaultMessage: "Configuration"
         },
         Component: async () => {
-          return await Promise.resolve().then(() => require("./index-BqyGGX8X.js"));
+          return await Promise.resolve().then(() => require("./index-QZkv75Xp.js"));
         },
         permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }]
       }