strapi-plugin-oidc 1.3.2 → 1.4.1

package/README.md

@@ -11,80 +11,124 @@
   </p>
 </div>
 
-A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.
-
-This plugin allows your administrators to log in to the Strapi administration interface using external OIDC identity providers such as Zitadel, Keycloak, Auth0, AWS Cognito, and others.
+A Strapi plugin that provides OpenID Connect (OIDC) authentication for the Strapi Admin Panel. Supports Keycloak, Auth0, Okta, Azure AD, Authentik, Authelia, and any other OpenID Connect provider.
 
 ## Installation
 
-You can install the plugin via `npm` or `yarn`:
-
 ```bash
-# Using npm
 npm install strapi-plugin-oidc
-
-# Using yarn
-yarn add strapi-plugin-oidc
 ```
 
 ## Configuration
 
-To enable and configure the plugin, update your `config/plugins.js` (or `config/plugins.ts`) file with your OIDC provider's settings.
+Add the plugin to `config/plugins.js` (or `.ts`):
 
 ```javascript
 module.exports = ({ env }) => ({
-  // ...
   'strapi-plugin-oidc': {
     enabled: true,
     config: {
-      // --- Required ---
-      OIDC_CLIENT_ID: '[Client ID from OpenID Provider]',
-      OIDC_CLIENT_SECRET: '[Client Secret from OpenID Provider]',
-      OIDC_REDIRECT_URI: '[Your Strapi URL]/strapi-plugin-oidc/oidc/callback',
-      OIDC_AUTHORIZATION_ENDPOINT: '[Authorization Endpoint]',
-      OIDC_TOKEN_ENDPOINT: '[Token Endpoint]',
-      OIDC_USER_INFO_ENDPOINT: '[User Info Endpoint]',
-
-      // --- Defaults provided — only set if your provider differs ---
+      // Required
+      OIDC_CLIENT_ID: env('OIDC_CLIENT_ID'),
+      OIDC_CLIENT_SECRET: env('OIDC_CLIENT_SECRET'),
+      OIDC_REDIRECT_URI: env('OIDC_REDIRECT_URI'), // https://your-strapi.com/strapi-plugin-oidc/oidc/callback
+      OIDC_AUTHORIZATION_ENDPOINT: env('OIDC_AUTHORIZATION_ENDPOINT'),
+      OIDC_TOKEN_ENDPOINT: env('OIDC_TOKEN_ENDPOINT'),
+      OIDC_USER_INFO_ENDPOINT: env('OIDC_USER_INFO_ENDPOINT'),
+
+      // Optional — defaults shown
       OIDC_SCOPES: 'openid profile email',
       OIDC_GRANT_TYPE: 'authorization_code',
-      OIDC_FAMILY_NAME_FIELD: 'family_name', // OIDC claim for the user's surname
-      OIDC_GIVEN_NAME_FIELD: 'given_name', // OIDC claim for the user's first name
-
-      // --- Optional ---
-      OIDC_USER_INFO_ENDPOINT_WITH_AUTH_HEADER: false, // true = Bearer token header, false = query param
-      OIDC_LOGOUT_URL: '', // OIDC provider logout URL; omit to return to Strapi login instead
-      OIDC_SSO_BUTTON_TEXT: 'Login via SSO', // Text on the SSO button injected into the login page
-      OIDC_ENFORCE: null, // null = use Admin UI setting; true/false = override it in config
-      REMEMBER_ME: false, // true = persist session across browser restarts, using Strapi's built-in refresh token duration
+      OIDC_FAMILY_NAME_FIELD: 'family_name',
+      OIDC_GIVEN_NAME_FIELD: 'given_name',
+      OIDC_LOGOUT_URL: '', // Provider logout URL; omit to redirect to Strapi login
+      OIDC_SSO_BUTTON_TEXT: 'Login via SSO',
+      OIDC_ENFORCE: null, // null = use Admin UI toggle; true/false = override in config
+      REMEMBER_ME: false, // Persist session across browser restarts
     },
   },
-  // ...
 });
 ```
 
-## How to Login
+## Login
 
-Once configured, you can initiate the OIDC login flow by navigating to:
-`http://<your-strapi-domain>/strapi-plugin-oidc/oidc`
+Navigate to `/strapi-plugin-oidc/oidc` to start the OIDC flow, or click the **Login via SSO** button that is always injected into the Strapi login page.
 
-(e.g., `http://localhost:1337/strapi-plugin-oidc/oidc` for local development).
+## Admin Settings
 
-When the **Enforce OIDC Login** option is enabled in the Admin Settings, the standard login fields are removed from the login page and only the SSO button remains — click it to start the OIDC flow.
+Manage the plugin under **Settings → OIDC Plugin**.
 
-## Admin Settings
+**Default Roles** — Select which Strapi admin role(s) are assigned to new users on first login.
+
+**Whitelist** — Restrict access to specific email addresses. When the whitelist is enabled, only listed emails can log in. When empty, any successfully authenticated OIDC user gets an account. The whitelist supports:
+
+- Adding individual emails with optional role overrides
+- JSON import / export (see [format](#import-format) below)
+- Bulk delete with confirmation
+- Unsaved changes are held in the UI until **Save Changes** is clicked
+
+**Enforce OIDC Login** — Removes the standard email/password fields from the login page and blocks direct login API calls server-side. Automatically disabled when the whitelist is empty to prevent lockout.
+
+- The toggle is grayed out and locked when `OIDC_ENFORCE` is set in config.
+- **Lockout recovery**: set `OIDC_ENFORCE: false` in your plugin config and restart Strapi. This writes through to the database so removing the variable afterwards keeps the setting.
+
+## Whitelist API
 
-Once the plugin is installed and configured, you can manage the OIDC settings from the Strapi Admin Panel under **Settings** > **OIDC Plugin**.
+The whitelist can be managed programmatically using a Strapi **API token** (Settings → API Tokens → Full Access). All endpoints are under `/api/strapi-plugin-oidc` and require `Authorization: Bearer <token>`.
 
-- **Whitelist Management**: Restrict login to specific users by adding their email addresses to the whitelist. You can also whitelist entire email domains (e.g., `*@company.com`). If the whitelist is empty, any user who successfully authenticates via your OIDC provider will be able to log in and an account will be automatically created for them.
-- **Default Role Assignment**: Select the default Strapi admin role that will be assigned to newly created users when they log in for the first time via OIDC.
-- **SSO Login Button**: A "Login via SSO" button is always injected into the Strapi login page, allowing users to authenticate via OIDC. The button text is configurable via the `OIDC_SSO_BUTTON_TEXT` config option.
-- **Enforce OIDC Login**: When enabled, the standard email/password fields, remember me checkbox, login button, and forgot-password link are removed from the login page, leaving only the SSO button. All direct login API calls are also blocked server-side. _(Note: This option is automatically disabled and grayed out if your whitelist is empty to prevent accidentally locking everyone out of the admin panel)._
-- **`OIDC_ENFORCE` config override**: Setting `OIDC_ENFORCE: true` or `OIDC_ENFORCE: false` in your plugin config takes priority over the Admin UI toggle and locks it. Set `OIDC_ENFORCE: false` in your config to regain access if you are ever locked out, then restart Strapi.
+| Method   | Path                                       | Description            |
+| -------- | ------------------------------------------ | ---------------------- |
+| `GET`    | `/api/strapi-plugin-oidc/whitelist`        | List all entries       |
+| `POST`   | `/api/strapi-plugin-oidc/whitelist`        | Add one or more emails |
+| `POST`   | `/api/strapi-plugin-oidc/whitelist/import` | Bulk import            |
+| `DELETE` | `/api/strapi-plugin-oidc/whitelist/:id`    | Remove by ID           |
+| `DELETE` | `/api/strapi-plugin-oidc/whitelist`        | Remove all entries     |
+
+API calls write directly to the database — there is no unsaved state.
+
+### Import format
+
+Accepted by both the API import endpoint and the Admin UI import button. `roles` is optional and accepts role **names** (recommended) or numeric IDs. If the email already exists as a Strapi admin user, their current roles are used automatically.
+
+```json
+[
+  { "email": "alice@example.com", "roles": ["Editor"] },
+  { "email": "bob@example.com", "roles": ["Editor", "Author"] },
+  { "email": "carol@example.com" }
+]
+```
+
+Duplicate emails within the payload and emails already in the whitelist are silently skipped.
+
+### Examples
+
+```bash
+# List
+curl -H "Authorization: Bearer <token>" \
+  http://localhost:1337/api/strapi-plugin-oidc/whitelist
+
+# Add
+curl -X POST -H "Authorization: Bearer <token>" -H "Content-Type: application/json" \
+  -d '{"email": "user@example.com", "roles": ["Editor"]}' \
+  http://localhost:1337/api/strapi-plugin-oidc/whitelist
+
+# Bulk import
+curl -X POST -H "Authorization: Bearer <token>" -H "Content-Type: application/json" \
+  -d '{"users": [{"email": "a@example.com", "roles": ["Editor"]}, {"email": "b@example.com"}]}' \
+  http://localhost:1337/api/strapi-plugin-oidc/whitelist/import
+
+# Delete one
+curl -X DELETE -H "Authorization: Bearer <token>" \
+  http://localhost:1337/api/strapi-plugin-oidc/whitelist/42
+
+# Delete all
+curl -X DELETE -H "Authorization: Bearer <token>" \
+  http://localhost:1337/api/strapi-plugin-oidc/whitelist
+```
 
 ## Credits & Changes
 
-This plugin is a hard fork of the original [`strapi-plugin-sso`](https://github.com/yasudacloud/strapi-plugin-sso) created by **yasudacloud**. Huge thanks to them for creating the foundation of this plugin!
+This plugin is a hard fork of [`strapi-plugin-sso`](https://github.com/yasudacloud/strapi-plugin-sso) by **yasudacloud**. Huge thanks to them for creating the foundation of this plugin!
 
 ### Changes made to the original codebase:
 
@@ -92,10 +136,14 @@ This plugin is a hard fork of the original [`strapi-plugin-sso`](https://github.
 - Redesigned the Whitelist and Role management UI (switched to native Strapi cards, added pagination, etc.).
 - Added an OIDC logout redirect URL.
 - Added an option to "Enforce OIDC login" with an admin toggle (automatically disabled if the whitelist is empty).
-- Added "Remember Me" support for OIDC sessions, using Strapi's built-in refresh token duration and idle lifespan.
 - Migrated the testing framework to Vitest and added comprehensive test coverage for controllers and services.
 - Cleaned up dead code and unused dependencies to improve maintainability.
 - Upgraded to use newer versions of Node.js.
 - Added styled success and error pages.
 - Always injects a "Login via SSO" button on the Strapi login page. Button text is configurable via `OIDC_SSO_BUTTON_TEXT`. When enforcement is on, standard login fields are hidden so only the SSO button is visible.
+- Whitelist improvements:
+  - JSON import and export (uses human-readable role names).
+  - Bulk delete all entries with a confirmation dialog.
+  - Unsaved changes confirmation when navigating away from the settings page.
+  - Programmatic API for managing the whitelist via Strapi API tokens (list, register, import, delete, delete all).
 - Added misc. quality of life improvements and bug fixes.

package/dist/admin/{index-BqyGGX8X.js → index-BnFRueNv.js}

@@ -7,7 +7,7 @@ const react = require("react");
 const designSystem = require("@strapi/design-system");
 const icons = require("@strapi/icons");
 const reactIntl = require("react-intl");
-const index = require("./index-Cse9ex24.js");
+const index = require("./index-RMgj1w0B.js");
 const styled = require("styled-components");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
 const styled__default = /* @__PURE__ */ _interopDefault(styled);
@@ -39,7 +39,7 @@ const CustomTable = styled__default.default(designSystem.Table)`
     font-size: 1.3rem !important;
   }
 `;
-const LocalizedDate = ({ date }) => {
+function LocalizedDate({ date }) {
   const userLocale = navigator.language || "en-US";
   return new Intl.DateTimeFormat(userLocale, {
     year: "numeric",
@@ -48,7 +48,7 @@ const LocalizedDate = ({ date }) => {
     hour: "2-digit",
     minute: "2-digit"
   }).format(new Date(date));
-};
+}
 function Whitelist({
   users,
   roles,
@@ -56,17 +56,28 @@ function Whitelist({
   useWhitelist,
   loading,
   onSave,
-  onDelete
+  onDelete,
+  onDeleteAll,
+  onImport,
+  onExport
 }) {
   const [email, setEmail] = react.useState("");
   const [selectedRoles, setSelectedRoles] = react.useState([]);
   const [page, setPage] = react.useState(1);
   const { formatMessage } = reactIntl.useIntl();
   const { toggleNotification } = admin.useNotification();
+  const fileInputRef = react.useRef(null);
   const PAGE_SIZE = 10;
   const pageCount = Math.ceil(users.length / PAGE_SIZE) || 1;
   const paginatedUsers = users.slice((page - 1) * PAGE_SIZE, page * PAGE_SIZE);
-  const onSaveEmail = react.useCallback(async () => {
+  const getRoleNames = (roleIds) => roleIds.map((roleId) => {
+    const r = roles.find((ro) => String(ro.id) === String(roleId));
+    return r ? r.name : roleId;
+  }).join(", ");
+  const defaultRoleNames = getRoleNames(oidcRoles.flatMap((oidc) => oidc.role ?? []));
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+  const isValidEmail = emailRegex.test(email);
+  const onSaveEmail = react.useCallback(() => {
     const emailText = email.trim();
     if (users.some((user) => user.email === emailText)) {
       toggleNotification({
@@ -74,18 +85,98 @@ function Whitelist({
         message: formatMessage(index.getTrad("whitelist.error.unique"))
       });
     } else {
-      await onSave(emailText, selectedRoles);
+      onSave(emailText, selectedRoles);
       setEmail("");
       setSelectedRoles([]);
     }
   }, [email, selectedRoles, users, onSave, formatMessage, toggleNotification]);
-  const isValidEmail = react.useCallback(() => {
-    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-    return emailRegex.test(email);
-  }, [email]);
+  const handleImport = react.useCallback(
+    async (e) => {
+      const file = e.target.files?.[0];
+      if (!fileInputRef.current) return;
+      fileInputRef.current.value = "";
+      if (!file) return;
+      try {
+        const text = await file.text();
+        const parsed = JSON.parse(text);
+        if (!Array.isArray(parsed)) throw new Error();
+        const entries = parsed.filter((item) => item?.email).map((item) => ({
+          email: String(item.email),
+          roles: Array.isArray(item.roles) ? item.roles : []
+        }));
+        const count = await onImport(entries);
+        if (count === 0) {
+          toggleNotification({
+            type: "info",
+            message: formatMessage(index.getTrad("whitelist.import.none"))
+          });
+        } else {
+          toggleNotification({
+            type: "success",
+            message: formatMessage(index.getTrad("whitelist.import.success"), { count })
+          });
+        }
+      } catch {
+        toggleNotification({
+          type: "warning",
+          message: formatMessage(index.getTrad("whitelist.import.error"))
+        });
+      }
+    },
+    [onImport, formatMessage, toggleNotification]
+  );
   return /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Box, { children: [
     /* @__PURE__ */ jsxRuntime.jsx(designSystem.Typography, { tag: "p", variant: "omega", textColor: "neutral600", marginBottom: 4, children: formatMessage(index.getTrad("whitelist.description")) }),
     useWhitelist && /* @__PURE__ */ jsxRuntime.jsxs(jsxRuntime.Fragment, { children: [
+      /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Flex, { justifyContent: "space-between", alignItems: "center", marginBottom: 4, children: [
+        /* @__PURE__ */ jsxRuntime.jsx(designSystem.Typography, { variant: "pi", textColor: "neutral600", children: formatMessage(index.getTrad("whitelist.count"), { count: users.length }) }),
+        /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Flex, { gap: 2, children: [
+          /* @__PURE__ */ jsxRuntime.jsx(
+            designSystem.Button,
+            {
+              size: "S",
+              variant: "tertiary",
+              startIcon: /* @__PURE__ */ jsxRuntime.jsx(icons.Download, {}),
+              onClick: onExport,
+              disabled: users.length === 0,
+              children: formatMessage(index.getTrad("whitelist.export"))
+            }
+          ),
+          /* @__PURE__ */ jsxRuntime.jsx(
+            designSystem.Button,
+            {
+              size: "S",
+              variant: "tertiary",
+              startIcon: /* @__PURE__ */ jsxRuntime.jsx(icons.Upload, {}),
+              onClick: () => fileInputRef.current?.click(),
+              children: formatMessage(index.getTrad("whitelist.import"))
+            }
+          ),
+          /* @__PURE__ */ jsxRuntime.jsx(
+            "input",
+            {
+              ref: fileInputRef,
+              type: "file",
+              accept: ".json,application/json",
+              style: { display: "none" },
+              onChange: handleImport
+            }
+          ),
+          users.length > 0 && /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Dialog.Root, { children: [
+            /* @__PURE__ */ jsxRuntime.jsx(designSystem.Dialog.Trigger, { children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Button, { size: "S", variant: "danger-light", startIcon: /* @__PURE__ */ jsxRuntime.jsx(icons.Trash, {}), children: formatMessage(index.getTrad("whitelist.delete.all.label")) }) }),
+            /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Dialog.Content, { children: [
+              /* @__PURE__ */ jsxRuntime.jsx(designSystem.Dialog.Header, { children: formatMessage(index.getTrad("whitelist.delete.all.title")) }),
+              /* @__PURE__ */ jsxRuntime.jsx(designSystem.Dialog.Body, { icon: /* @__PURE__ */ jsxRuntime.jsx(icons.WarningCircle, { fill: "danger600" }), children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Flex, { justifyContent: "center", children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Typography, { textColor: "neutral800", textAlign: "center", children: formatMessage(index.getTrad("whitelist.delete.all.description"), {
+                count: users.length
+              }) }) }) }),
+              /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Dialog.Footer, { children: [
+                /* @__PURE__ */ jsxRuntime.jsx(designSystem.Dialog.Cancel, { children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Button, { fullWidth: true, variant: "tertiary", children: formatMessage(index.getTrad("page.cancel")) }) }),
+                /* @__PURE__ */ jsxRuntime.jsx(designSystem.Dialog.Action, { children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Button, { fullWidth: true, variant: "danger", onClick: onDeleteAll, children: formatMessage(index.getTrad("whitelist.delete.all.label")) }) })
+              ] })
+            ] })
+          ] })
+        ] })
+      ] }),
       /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Flex, { gap: 4, marginTop: 5, marginBottom: 5, alignItems: "flex-start", children: [
         /* @__PURE__ */ jsxRuntime.jsx(designSystem.Box, { style: { flex: 1 }, children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Field.Root, { children: /* @__PURE__ */ jsxRuntime.jsx(
           designSystem.Field.Input,
@@ -93,7 +184,7 @@ function Whitelist({
             type: "text",
             disabled: loading,
             value: email,
-            hasError: Boolean(email && !isValidEmail()),
+            hasError: Boolean(email && !isValidEmail),
             onChange: (e) => setEmail(e.currentTarget.value),
             placeholder: formatMessage(index.getTrad("whitelist.email.placeholder"))
           }
@@ -115,7 +206,7 @@ function Whitelist({
           {
             size: "L",
             startIcon: /* @__PURE__ */ jsxRuntime.jsx(icons.Plus, {}),
-            disabled: loading || email.trim() === "" || !isValidEmail(),
+            disabled: loading || email.trim() === "" || !isValidEmail,
             loading,
             onClick: onSaveEmail,
             children: formatMessage(index.getTrad("page.add"))
@@ -132,22 +223,16 @@ function Whitelist({
           /* @__PURE__ */ jsxRuntime.jsx(designSystem.Th, { style: { paddingRight: 0 }, children: " " })
         ] }) }),
         /* @__PURE__ */ jsxRuntime.jsx(designSystem.Tbody, { children: users.length === 0 ? /* @__PURE__ */ jsxRuntime.jsx(designSystem.Tr, { children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { colSpan: 5, children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Flex, { justifyContent: "center", padding: 4, children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Typography, { textColor: "neutral600", children: formatMessage(index.getTrad("whitelist.table.empty")) }) }) }) }) : paginatedUsers.map((user, index$1) => {
-          const getRoleNames = (roleIds) => roleIds.map((roleId) => {
-            const r = roles.find((ro) => String(ro.id) === String(roleId));
-            return r ? r.name : roleId;
-          }).join(", ");
-          let userRolesNames = getRoleNames(user.roles || []);
-          if (!userRolesNames) {
-            const defaultRolesIds = oidcRoles.reduce((acc, oidc) => {
-              if (oidc.role) acc.push(...oidc.role);
-              return acc;
-            }, []);
-            userRolesNames = getRoleNames(defaultRolesIds);
-          }
+          const explicitRoleNames = getRoleNames(user.roles || []);
+          const isDefault = !explicitRoleNames && Boolean(defaultRoleNames);
+          const userRolesNames = explicitRoleNames || defaultRoleNames;
           return /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Tr, { children: [
             /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { children: index$1 + 1 + (page - 1) * PAGE_SIZE }),
             /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { children: user.email }),
-            /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { children: userRolesNames || "-" }),
+            /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { children: userRolesNames ? /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Flex, { gap: 2, alignItems: "center", children: [
+              /* @__PURE__ */ jsxRuntime.jsx("span", { children: userRolesNames }),
+              isDefault && /* @__PURE__ */ jsxRuntime.jsx(designSystem.Typography, { variant: "pi", textColor: "neutral500", children: "(Default)" })
+            ] }) : "-" }),
             /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { children: /* @__PURE__ */ jsxRuntime.jsx(LocalizedDate, { date: user.createdAt }) }),
             /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { style: { paddingRight: 0 }, children: /* @__PURE__ */ jsxRuntime.jsx(
               designSystem.Flex,
@@ -350,8 +435,11 @@ function CustomSwitch({ checked, onChange, label, disabled }) {
     label && /* @__PURE__ */ jsxRuntime.jsx(designSystem.Typography, { variant: "pi", fontWeight: "bold", textColor: disabled ? "neutral500" : "neutral800", children: label })
   ] });
 }
+function deepClone(value) {
+  return JSON.parse(JSON.stringify(value));
+}
 function useOidcSettings() {
-  const { get, put } = admin.useFetchClient();
+  const { get, put, post } = admin.useFetchClient();
   const [loading, setLoading] = react.useState(false);
   const [showSuccess, setSuccess] = react.useState(false);
   const [showError, setError] = react.useState(false);
@@ -369,14 +457,14 @@ function useOidcSettings() {
   react.useEffect(() => {
     get(`/strapi-plugin-oidc/oidc-roles`).then((response) => {
       setOIDCRoles(response.data);
-      setInitialOIDCRoles(JSON.parse(JSON.stringify(response.data)));
+      setInitialOIDCRoles(deepClone(response.data));
     });
     get(`/admin/roles`).then((response) => {
       setRoles(response.data.data);
     });
     get("/strapi-plugin-oidc/whitelist").then((response) => {
       setUsers(response.data.whitelistUsers);
-      setInitialUsers(JSON.parse(JSON.stringify(response.data.whitelistUsers)));
+      setInitialUsers(deepClone(response.data.whitelistUsers));
       setUseWhitelist(response.data.useWhitelist);
       setInitialUseWhitelist(response.data.useWhitelist);
       setEnforceOIDC(response.data.enforceOIDC);
@@ -390,17 +478,44 @@ function useOidcSettings() {
     );
     setOIDCRoles(updatedRoles);
   };
-  const onRegisterWhitelist = async (email, selectedRoles) => {
+  const onRegisterWhitelist = (email, selectedRoles) => {
     const newUser = { email, roles: selectedRoles, createdAt: (/* @__PURE__ */ new Date()).toISOString() };
     setUsers([...users, newUser]);
   };
-  const onDeleteWhitelist = async (email) => {
+  const onDeleteWhitelist = (email) => {
     const updatedUsers = users.filter((u) => u.email !== email);
     setUsers(updatedUsers);
     if (useWhitelist && updatedUsers.length === 0) {
       setEnforceOIDC(false);
     }
   };
+  const onDeleteAll = () => {
+    setUsers([]);
+    if (useWhitelist) setEnforceOIDC(false);
+  };
+  const onImport = async (entries) => {
+    const response = await post("/strapi-plugin-oidc/whitelist/import", { users: entries });
+    const refreshed = await get("/strapi-plugin-oidc/whitelist");
+    setUsers(refreshed.data.whitelistUsers);
+    setInitialUsers(deepClone(refreshed.data.whitelistUsers));
+    return response.data.importedCount;
+  };
+  const onExport = () => {
+    const roleMap = new Map(roles.map((r) => [String(r.id), r.name]));
+    const data = users.map(({ email, roles: userRoles }) => ({
+      email,
+      roles: (userRoles || []).map((id) => roleMap.get(String(id)) ?? id)
+    }));
+    const now = /* @__PURE__ */ new Date();
+    const datetime = `${now.getFullYear()}${String(now.getMonth() + 1).padStart(2, "0")}${String(now.getDate()).padStart(2, "0")}_${String(now.getHours()).padStart(2, "0")}${String(now.getMinutes()).padStart(2, "0")}${String(now.getSeconds()).padStart(2, "0")}`;
+    const blob = new Blob([JSON.stringify(data, null, 2)], { type: "application/json" });
+    const url = URL.createObjectURL(blob);
+    const a = document.createElement("a");
+    a.href = url;
+    a.download = `strapi-oidc-whitelist-${datetime}.json`;
+    a.click();
+    URL.revokeObjectURL(url);
+  };
   const onToggleWhitelist = (e) => {
     const checked = e.target.checked;
     setUseWhitelist(checked);
@@ -428,12 +543,12 @@ function useOidcSettings() {
         useWhitelist,
         enforceOIDC
       });
-      setInitialOIDCRoles(JSON.parse(JSON.stringify(oidcRoles)));
+      setInitialOIDCRoles(deepClone(oidcRoles));
       setInitialUseWhitelist(useWhitelist);
       setInitialEnforceOIDC(enforceOIDC);
       get("/strapi-plugin-oidc/whitelist").then((getResponse) => {
         setUsers(getResponse.data.whitelistUsers);
-        setInitialUsers(JSON.parse(JSON.stringify(getResponse.data.whitelistUsers)));
+        setInitialUsers(deepClone(getResponse.data.whitelistUsers));
       });
       if (syncResponse.data?.matchedExistingUsersCount > 0) {
         setMatched(syncResponse.data.matchedExistingUsersCount);
@@ -472,6 +587,9 @@ function useOidcSettings() {
       onChangeRole,
       onRegisterWhitelist,
       onDeleteWhitelist,
+      onDeleteAll,
+      onImport,
+      onExport,
       onToggleWhitelist,
       onToggleEnforce,
       onSaveAll
@@ -481,6 +599,7 @@ function useOidcSettings() {
 function HomePage$1() {
   const { formatMessage } = reactIntl.useIntl();
   const { state, actions } = useOidcSettings();
+  const blocker = reactRouterDom.useBlocker(state.isDirty);
   return /* @__PURE__ */ jsxRuntime.jsxs(admin.Page.Protect, { permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }], children: [
     /* @__PURE__ */ jsxRuntime.jsx(
       admin.Layouts.Header,
@@ -525,7 +644,10 @@ function HomePage$1() {
             oidcRoles: state.oidcRoles,
             useWhitelist: state.useWhitelist,
             onSave: actions.onRegisterWhitelist,
-            onDelete: actions.onDeleteWhitelist
+            onDelete: actions.onDeleteWhitelist,
+            onDeleteAll: actions.onDeleteAll,
+            onImport: actions.onImport,
+            onExport: actions.onExport
           }
         )
       ] }),
@@ -564,6 +686,14 @@ function HomePage$1() {
           children: formatMessage(index.getTrad("page.save"))
         }
       ) })
+    ] }) }),
+    /* @__PURE__ */ jsxRuntime.jsx(designSystem.Dialog.Root, { open: blocker.state === "blocked", children: /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Dialog.Content, { children: [
+      /* @__PURE__ */ jsxRuntime.jsx(designSystem.Dialog.Header, { children: formatMessage(index.getTrad("unsaved.title")) }),
+      /* @__PURE__ */ jsxRuntime.jsx(designSystem.Dialog.Body, { children: formatMessage(index.getTrad("unsaved.description")) }),
+      /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Dialog.Footer, { children: [
+        /* @__PURE__ */ jsxRuntime.jsx(designSystem.Dialog.Cancel, { children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Button, { variant: "tertiary", onClick: () => blocker.reset?.(), children: formatMessage(index.getTrad("unsaved.cancel")) }) }),
+        /* @__PURE__ */ jsxRuntime.jsx(designSystem.Dialog.Action, { children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Button, { variant: "danger", onClick: () => blocker.proceed?.(), children: formatMessage(index.getTrad("unsaved.confirm")) }) })
+      ] })
     ] }) })
   ] });
 }