strapi-plugin-oidc 1.4.0 → 1.4.1

package/README.md

@@ -41,7 +41,6 @@ module.exports = ({ env }) => ({
       OIDC_GRANT_TYPE: 'authorization_code',
       OIDC_FAMILY_NAME_FIELD: 'family_name',
       OIDC_GIVEN_NAME_FIELD: 'given_name',
-      OIDC_USER_INFO_ENDPOINT_WITH_AUTH_HEADER: false, // true = Bearer header, false = query param
       OIDC_LOGOUT_URL: '', // Provider logout URL; omit to redirect to Strapi login
       OIDC_SSO_BUTTON_TEXT: 'Login via SSO',
       OIDC_ENFORCE: null, // null = use Admin UI toggle; true/false = override in config

package/dist/admin/{index-QZkv75Xp.js → index-BnFRueNv.js}

@@ -7,7 +7,7 @@ const react = require("react");
 const designSystem = require("@strapi/design-system");
 const icons = require("@strapi/icons");
 const reactIntl = require("react-intl");
-const index = require("./index-CZDixCh4.js");
+const index = require("./index-RMgj1w0B.js");
 const styled = require("styled-components");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
 const styled__default = /* @__PURE__ */ _interopDefault(styled);
@@ -39,7 +39,7 @@ const CustomTable = styled__default.default(designSystem.Table)`
     font-size: 1.3rem !important;
   }
 `;
-const LocalizedDate = ({ date }) => {
+function LocalizedDate({ date }) {
   const userLocale = navigator.language || "en-US";
   return new Intl.DateTimeFormat(userLocale, {
     year: "numeric",
@@ -48,7 +48,7 @@ const LocalizedDate = ({ date }) => {
     hour: "2-digit",
     minute: "2-digit"
   }).format(new Date(date));
-};
+}
 function Whitelist({
   users,
   roles,
@@ -70,7 +70,14 @@ function Whitelist({
   const PAGE_SIZE = 10;
   const pageCount = Math.ceil(users.length / PAGE_SIZE) || 1;
   const paginatedUsers = users.slice((page - 1) * PAGE_SIZE, page * PAGE_SIZE);
-  const onSaveEmail = react.useCallback(async () => {
+  const getRoleNames = (roleIds) => roleIds.map((roleId) => {
+    const r = roles.find((ro) => String(ro.id) === String(roleId));
+    return r ? r.name : roleId;
+  }).join(", ");
+  const defaultRoleNames = getRoleNames(oidcRoles.flatMap((oidc) => oidc.role ?? []));
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+  const isValidEmail = emailRegex.test(email);
+  const onSaveEmail = react.useCallback(() => {
     const emailText = email.trim();
     if (users.some((user) => user.email === emailText)) {
       toggleNotification({
@@ -78,15 +85,11 @@ function Whitelist({
         message: formatMessage(index.getTrad("whitelist.error.unique"))
       });
     } else {
-      await onSave(emailText, selectedRoles);
+      onSave(emailText, selectedRoles);
       setEmail("");
       setSelectedRoles([]);
     }
   }, [email, selectedRoles, users, onSave, formatMessage, toggleNotification]);
-  const isValidEmail = react.useCallback(() => {
-    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-    return emailRegex.test(email);
-  }, [email]);
   const handleImport = react.useCallback(
     async (e) => {
       const file = e.target.files?.[0];
@@ -181,7 +184,7 @@ function Whitelist({
             type: "text",
             disabled: loading,
             value: email,
-            hasError: Boolean(email && !isValidEmail()),
+            hasError: Boolean(email && !isValidEmail),
             onChange: (e) => setEmail(e.currentTarget.value),
             placeholder: formatMessage(index.getTrad("whitelist.email.placeholder"))
           }
@@ -203,7 +206,7 @@ function Whitelist({
           {
             size: "L",
             startIcon: /* @__PURE__ */ jsxRuntime.jsx(icons.Plus, {}),
-            disabled: loading || email.trim() === "" || !isValidEmail(),
+            disabled: loading || email.trim() === "" || !isValidEmail,
             loading,
             onClick: onSaveEmail,
             children: formatMessage(index.getTrad("page.add"))
@@ -220,20 +223,9 @@ function Whitelist({
           /* @__PURE__ */ jsxRuntime.jsx(designSystem.Th, { style: { paddingRight: 0 }, children: " " })
         ] }) }),
         /* @__PURE__ */ jsxRuntime.jsx(designSystem.Tbody, { children: users.length === 0 ? /* @__PURE__ */ jsxRuntime.jsx(designSystem.Tr, { children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { colSpan: 5, children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Flex, { justifyContent: "center", padding: 4, children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Typography, { textColor: "neutral600", children: formatMessage(index.getTrad("whitelist.table.empty")) }) }) }) }) : paginatedUsers.map((user, index$1) => {
-          const getRoleNames = (roleIds) => roleIds.map((roleId) => {
-            const r = roles.find((ro) => String(ro.id) === String(roleId));
-            return r ? r.name : roleId;
-          }).join(", ");
-          let userRolesNames = getRoleNames(user.roles || []);
-          let isDefault = false;
-          if (!userRolesNames) {
-            const defaultRolesIds = oidcRoles.reduce((acc, oidc) => {
-              if (oidc.role) acc.push(...oidc.role);
-              return acc;
-            }, []);
-            userRolesNames = getRoleNames(defaultRolesIds);
-            isDefault = Boolean(userRolesNames);
-          }
+          const explicitRoleNames = getRoleNames(user.roles || []);
+          const isDefault = !explicitRoleNames && Boolean(defaultRoleNames);
+          const userRolesNames = explicitRoleNames || defaultRoleNames;
           return /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Tr, { children: [
             /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { children: index$1 + 1 + (page - 1) * PAGE_SIZE }),
             /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { children: user.email }),
@@ -443,6 +435,9 @@ function CustomSwitch({ checked, onChange, label, disabled }) {
     label && /* @__PURE__ */ jsxRuntime.jsx(designSystem.Typography, { variant: "pi", fontWeight: "bold", textColor: disabled ? "neutral500" : "neutral800", children: label })
   ] });
 }
+function deepClone(value) {
+  return JSON.parse(JSON.stringify(value));
+}
 function useOidcSettings() {
   const { get, put, post } = admin.useFetchClient();
   const [loading, setLoading] = react.useState(false);
@@ -462,14 +457,14 @@ function useOidcSettings() {
   react.useEffect(() => {
     get(`/strapi-plugin-oidc/oidc-roles`).then((response) => {
       setOIDCRoles(response.data);
-      setInitialOIDCRoles(JSON.parse(JSON.stringify(response.data)));
+      setInitialOIDCRoles(deepClone(response.data));
     });
     get(`/admin/roles`).then((response) => {
       setRoles(response.data.data);
     });
     get("/strapi-plugin-oidc/whitelist").then((response) => {
       setUsers(response.data.whitelistUsers);
-      setInitialUsers(JSON.parse(JSON.stringify(response.data.whitelistUsers)));
+      setInitialUsers(deepClone(response.data.whitelistUsers));
       setUseWhitelist(response.data.useWhitelist);
       setInitialUseWhitelist(response.data.useWhitelist);
       setEnforceOIDC(response.data.enforceOIDC);
@@ -483,11 +478,11 @@ function useOidcSettings() {
     );
     setOIDCRoles(updatedRoles);
   };
-  const onRegisterWhitelist = async (email, selectedRoles) => {
+  const onRegisterWhitelist = (email, selectedRoles) => {
     const newUser = { email, roles: selectedRoles, createdAt: (/* @__PURE__ */ new Date()).toISOString() };
     setUsers([...users, newUser]);
   };
-  const onDeleteWhitelist = async (email) => {
+  const onDeleteWhitelist = (email) => {
     const updatedUsers = users.filter((u) => u.email !== email);
     setUsers(updatedUsers);
     if (useWhitelist && updatedUsers.length === 0) {
@@ -502,7 +497,7 @@ function useOidcSettings() {
     const response = await post("/strapi-plugin-oidc/whitelist/import", { users: entries });
     const refreshed = await get("/strapi-plugin-oidc/whitelist");
     setUsers(refreshed.data.whitelistUsers);
-    setInitialUsers(JSON.parse(JSON.stringify(refreshed.data.whitelistUsers)));
+    setInitialUsers(deepClone(refreshed.data.whitelistUsers));
     return response.data.importedCount;
   };
   const onExport = () => {
@@ -511,11 +506,13 @@ function useOidcSettings() {
       email,
       roles: (userRoles || []).map((id) => roleMap.get(String(id)) ?? id)
     }));
+    const now = /* @__PURE__ */ new Date();
+    const datetime = `${now.getFullYear()}${String(now.getMonth() + 1).padStart(2, "0")}${String(now.getDate()).padStart(2, "0")}_${String(now.getHours()).padStart(2, "0")}${String(now.getMinutes()).padStart(2, "0")}${String(now.getSeconds()).padStart(2, "0")}`;
     const blob = new Blob([JSON.stringify(data, null, 2)], { type: "application/json" });
     const url = URL.createObjectURL(blob);
     const a = document.createElement("a");
     a.href = url;
-    a.download = "whitelist.json";
+    a.download = `strapi-oidc-whitelist-${datetime}.json`;
     a.click();
     URL.revokeObjectURL(url);
   };
@@ -546,12 +543,12 @@ function useOidcSettings() {
         useWhitelist,
         enforceOIDC
       });
-      setInitialOIDCRoles(JSON.parse(JSON.stringify(oidcRoles)));
+      setInitialOIDCRoles(deepClone(oidcRoles));
       setInitialUseWhitelist(useWhitelist);
       setInitialEnforceOIDC(enforceOIDC);
       get("/strapi-plugin-oidc/whitelist").then((getResponse) => {
         setUsers(getResponse.data.whitelistUsers);
-        setInitialUsers(JSON.parse(JSON.stringify(getResponse.data.whitelistUsers)));
+        setInitialUsers(deepClone(getResponse.data.whitelistUsers));
       });
       if (syncResponse.data?.matchedExistingUsersCount > 0) {
         setMatched(syncResponse.data.matchedExistingUsersCount);

package/dist/admin/{index-BTTGSnuQ.mjs → index-CY4s-vtv.mjs}

@@ -5,7 +5,7 @@ import { useState, useRef, useCallback, useEffect, memo } from "react";
 import { Typography, Flex, Box, MultiSelect, MultiSelectOption, Button, Dialog, Field, Divider, Thead, Tr, Th, Tbody, Td, IconButton, Pagination, PreviousLink, PageLink, NextLink, Table, Alert } from "@strapi/design-system";
 import { Download, Upload, Trash, WarningCircle, Plus, Information } from "@strapi/icons";
 import { useIntl } from "react-intl";
-import { g as getTrad } from "./index-8hB6LKml.mjs";
+import { g as getTrad } from "./index-ZRaWWFUL.mjs";
 import styled from "styled-components";
 function Role({ oidcRoles, roles, onChangeRole }) {
   const { formatMessage } = useIntl();
@@ -35,7 +35,7 @@ const CustomTable = styled(Table)`
     font-size: 1.3rem !important;
   }
 `;
-const LocalizedDate = ({ date }) => {
+function LocalizedDate({ date }) {
   const userLocale = navigator.language || "en-US";
   return new Intl.DateTimeFormat(userLocale, {
     year: "numeric",
@@ -44,7 +44,7 @@ const LocalizedDate = ({ date }) => {
     hour: "2-digit",
     minute: "2-digit"
   }).format(new Date(date));
-};
+}
 function Whitelist({
   users,
   roles,
@@ -66,7 +66,14 @@ function Whitelist({
   const PAGE_SIZE = 10;
   const pageCount = Math.ceil(users.length / PAGE_SIZE) || 1;
   const paginatedUsers = users.slice((page - 1) * PAGE_SIZE, page * PAGE_SIZE);
-  const onSaveEmail = useCallback(async () => {
+  const getRoleNames = (roleIds) => roleIds.map((roleId) => {
+    const r = roles.find((ro) => String(ro.id) === String(roleId));
+    return r ? r.name : roleId;
+  }).join(", ");
+  const defaultRoleNames = getRoleNames(oidcRoles.flatMap((oidc) => oidc.role ?? []));
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+  const isValidEmail = emailRegex.test(email);
+  const onSaveEmail = useCallback(() => {
     const emailText = email.trim();
     if (users.some((user) => user.email === emailText)) {
       toggleNotification({
@@ -74,15 +81,11 @@ function Whitelist({
         message: formatMessage(getTrad("whitelist.error.unique"))
       });
     } else {
-      await onSave(emailText, selectedRoles);
+      onSave(emailText, selectedRoles);
       setEmail("");
       setSelectedRoles([]);
     }
   }, [email, selectedRoles, users, onSave, formatMessage, toggleNotification]);
-  const isValidEmail = useCallback(() => {
-    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-    return emailRegex.test(email);
-  }, [email]);
   const handleImport = useCallback(
     async (e) => {
       const file = e.target.files?.[0];
@@ -177,7 +180,7 @@ function Whitelist({
             type: "text",
             disabled: loading,
             value: email,
-            hasError: Boolean(email && !isValidEmail()),
+            hasError: Boolean(email && !isValidEmail),
             onChange: (e) => setEmail(e.currentTarget.value),
             placeholder: formatMessage(getTrad("whitelist.email.placeholder"))
           }
@@ -199,7 +202,7 @@ function Whitelist({
           {
             size: "L",
             startIcon: /* @__PURE__ */ jsx(Plus, {}),
-            disabled: loading || email.trim() === "" || !isValidEmail(),
+            disabled: loading || email.trim() === "" || !isValidEmail,
             loading,
             onClick: onSaveEmail,
             children: formatMessage(getTrad("page.add"))
@@ -216,20 +219,9 @@ function Whitelist({
           /* @__PURE__ */ jsx(Th, { style: { paddingRight: 0 }, children: " " })
         ] }) }),
         /* @__PURE__ */ jsx(Tbody, { children: users.length === 0 ? /* @__PURE__ */ jsx(Tr, { children: /* @__PURE__ */ jsx(Td, { colSpan: 5, children: /* @__PURE__ */ jsx(Flex, { justifyContent: "center", padding: 4, children: /* @__PURE__ */ jsx(Typography, { textColor: "neutral600", children: formatMessage(getTrad("whitelist.table.empty")) }) }) }) }) : paginatedUsers.map((user, index) => {
-          const getRoleNames = (roleIds) => roleIds.map((roleId) => {
-            const r = roles.find((ro) => String(ro.id) === String(roleId));
-            return r ? r.name : roleId;
-          }).join(", ");
-          let userRolesNames = getRoleNames(user.roles || []);
-          let isDefault = false;
-          if (!userRolesNames) {
-            const defaultRolesIds = oidcRoles.reduce((acc, oidc) => {
-              if (oidc.role) acc.push(...oidc.role);
-              return acc;
-            }, []);
-            userRolesNames = getRoleNames(defaultRolesIds);
-            isDefault = Boolean(userRolesNames);
-          }
+          const explicitRoleNames = getRoleNames(user.roles || []);
+          const isDefault = !explicitRoleNames && Boolean(defaultRoleNames);
+          const userRolesNames = explicitRoleNames || defaultRoleNames;
           return /* @__PURE__ */ jsxs(Tr, { children: [
             /* @__PURE__ */ jsx(Td, { children: index + 1 + (page - 1) * PAGE_SIZE }),
             /* @__PURE__ */ jsx(Td, { children: user.email }),
@@ -439,6 +431,9 @@ function CustomSwitch({ checked, onChange, label, disabled }) {
     label && /* @__PURE__ */ jsx(Typography, { variant: "pi", fontWeight: "bold", textColor: disabled ? "neutral500" : "neutral800", children: label })
   ] });
 }
+function deepClone(value) {
+  return JSON.parse(JSON.stringify(value));
+}
 function useOidcSettings() {
   const { get, put, post } = useFetchClient();
   const [loading, setLoading] = useState(false);
@@ -458,14 +453,14 @@ function useOidcSettings() {
   useEffect(() => {
     get(`/strapi-plugin-oidc/oidc-roles`).then((response) => {
       setOIDCRoles(response.data);
-      setInitialOIDCRoles(JSON.parse(JSON.stringify(response.data)));
+      setInitialOIDCRoles(deepClone(response.data));
     });
     get(`/admin/roles`).then((response) => {
       setRoles(response.data.data);
     });
     get("/strapi-plugin-oidc/whitelist").then((response) => {
       setUsers(response.data.whitelistUsers);
-      setInitialUsers(JSON.parse(JSON.stringify(response.data.whitelistUsers)));
+      setInitialUsers(deepClone(response.data.whitelistUsers));
       setUseWhitelist(response.data.useWhitelist);
       setInitialUseWhitelist(response.data.useWhitelist);
       setEnforceOIDC(response.data.enforceOIDC);
@@ -479,11 +474,11 @@ function useOidcSettings() {
     );
     setOIDCRoles(updatedRoles);
   };
-  const onRegisterWhitelist = async (email, selectedRoles) => {
+  const onRegisterWhitelist = (email, selectedRoles) => {
     const newUser = { email, roles: selectedRoles, createdAt: (/* @__PURE__ */ new Date()).toISOString() };
     setUsers([...users, newUser]);
   };
-  const onDeleteWhitelist = async (email) => {
+  const onDeleteWhitelist = (email) => {
     const updatedUsers = users.filter((u) => u.email !== email);
     setUsers(updatedUsers);
     if (useWhitelist && updatedUsers.length === 0) {
@@ -498,7 +493,7 @@ function useOidcSettings() {
     const response = await post("/strapi-plugin-oidc/whitelist/import", { users: entries });
     const refreshed = await get("/strapi-plugin-oidc/whitelist");
     setUsers(refreshed.data.whitelistUsers);
-    setInitialUsers(JSON.parse(JSON.stringify(refreshed.data.whitelistUsers)));
+    setInitialUsers(deepClone(refreshed.data.whitelistUsers));
     return response.data.importedCount;
   };
   const onExport = () => {
@@ -507,11 +502,13 @@ function useOidcSettings() {
       email,
       roles: (userRoles || []).map((id) => roleMap.get(String(id)) ?? id)
     }));
+    const now = /* @__PURE__ */ new Date();
+    const datetime = `${now.getFullYear()}${String(now.getMonth() + 1).padStart(2, "0")}${String(now.getDate()).padStart(2, "0")}_${String(now.getHours()).padStart(2, "0")}${String(now.getMinutes()).padStart(2, "0")}${String(now.getSeconds()).padStart(2, "0")}`;
     const blob = new Blob([JSON.stringify(data, null, 2)], { type: "application/json" });
     const url = URL.createObjectURL(blob);
     const a = document.createElement("a");
     a.href = url;
-    a.download = "whitelist.json";
+    a.download = `strapi-oidc-whitelist-${datetime}.json`;
     a.click();
     URL.revokeObjectURL(url);
   };
@@ -542,12 +539,12 @@ function useOidcSettings() {
         useWhitelist,
         enforceOIDC
       });
-      setInitialOIDCRoles(JSON.parse(JSON.stringify(oidcRoles)));
+      setInitialOIDCRoles(deepClone(oidcRoles));
       setInitialUseWhitelist(useWhitelist);
       setInitialEnforceOIDC(enforceOIDC);
       get("/strapi-plugin-oidc/whitelist").then((getResponse) => {
         setUsers(getResponse.data.whitelistUsers);
-        setInitialUsers(JSON.parse(JSON.stringify(getResponse.data.whitelistUsers)));
+        setInitialUsers(deepClone(getResponse.data.whitelistUsers));
       });
       if (syncResponse.data?.matchedExistingUsersCount > 0) {
         setMatched(syncResponse.data.matchedExistingUsersCount);

package/dist/admin/{index-CZDixCh4.js → index-RMgj1w0B.js}

@@ -123,7 +123,7 @@ const index = {
           defaultMessage: "Configuration"
         },
         Component: async () => {
-          return await Promise.resolve().then(() => require("./index-QZkv75Xp.js"));
+          return await Promise.resolve().then(() => require("./index-BnFRueNv.js"));
         },
         permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }]
       }

package/dist/admin/{index-8hB6LKml.mjs → index-ZRaWWFUL.mjs}

@@ -122,7 +122,7 @@ const index = {
           defaultMessage: "Configuration"
         },
         Component: async () => {
-          return await import("./index-BTTGSnuQ.mjs");
+          return await import("./index-CY4s-vtv.mjs");
         },
         permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }]
       }

package/dist/admin/index.js

@@ -1,4 +1,4 @@
 "use strict";
 Object.defineProperties(exports, { __esModule: { value: true }, [Symbol.toStringTag]: { value: "Module" } });
-const index = require("./index-CZDixCh4.js");
+const index = require("./index-RMgj1w0B.js");
 exports.default = index.index;

package/dist/admin/index.mjs

@@ -1,4 +1,4 @@
-import { i } from "./index-8hB6LKml.mjs";
+import { i } from "./index-ZRaWWFUL.mjs";
 export {
   i as default
 };

package/dist/server/index.js

@@ -164,7 +164,6 @@ const config = {
     OIDC_AUTHORIZATION_ENDPOINT: "",
     OIDC_TOKEN_ENDPOINT: "",
     OIDC_USER_INFO_ENDPOINT: "",
-    OIDC_USER_INFO_ENDPOINT_WITH_AUTH_HEADER: false,
     OIDC_GRANT_TYPE: "authorization_code",
     OIDC_FAMILY_NAME_FIELD: "family_name",
     OIDC_GIVEN_NAME_FIELD: "given_name",
@@ -223,45 +222,43 @@ function clearAuthCookies(strapi2, ctx) {
   ctx.cookies.set("strapi_admin_refresh", "", options2);
   ctx.cookies.set("oidc_authenticated", "", { ...options2, path: "/" });
 }
+const REQUIRED_CONFIG_KEYS = [
+  "OIDC_CLIENT_ID",
+  "OIDC_CLIENT_SECRET",
+  "OIDC_REDIRECT_URI",
+  "OIDC_SCOPES",
+  "OIDC_TOKEN_ENDPOINT",
+  "OIDC_USER_INFO_ENDPOINT",
+  "OIDC_GRANT_TYPE",
+  "OIDC_FAMILY_NAME_FIELD",
+  "OIDC_GIVEN_NAME_FIELD",
+  "OIDC_AUTHORIZATION_ENDPOINT"
+];
 function configValidation() {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
-  const requiredKeys = [
-    "OIDC_CLIENT_ID",
-    "OIDC_CLIENT_SECRET",
-    "OIDC_REDIRECT_URI",
-    "OIDC_SCOPES",
-    "OIDC_TOKEN_ENDPOINT",
-    "OIDC_USER_INFO_ENDPOINT",
-    "OIDC_GRANT_TYPE",
-    "OIDC_FAMILY_NAME_FIELD",
-    "OIDC_GIVEN_NAME_FIELD",
-    "OIDC_AUTHORIZATION_ENDPOINT"
-  ];
-  if (requiredKeys.every((key) => config2[key])) {
+  if (REQUIRED_CONFIG_KEYS.every((key) => config2[key])) {
     return config2;
   }
-  throw new Error(`The following configuration keys are required: ${requiredKeys.join(", ")}`);
+  throw new Error(
+    `The following configuration keys are required: ${REQUIRED_CONFIG_KEYS.join(", ")}`
+  );
 }
 async function oidcSignIn(ctx) {
-  let { state } = ctx.query;
   const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPES, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
   const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge__default.default();
-  if (!state) {
-    state = node_crypto.randomBytes(32).toString("base64url");
-  }
+  const state = node_crypto.randomBytes(32).toString("base64url");
+  const nonce = node_crypto.randomBytes(32).toString("base64url");
   const isProduction = strapi.config.get("environment") === "production";
-  ctx.cookies.set("oidc_code_verifier", codeVerifier, {
+  const cookieOptions = {
     httpOnly: true,
     maxAge: 6e5,
+    // 10 minutes
     secure: isProduction && ctx.request.secure,
     sameSite: "lax"
-  });
-  ctx.cookies.set("oidc_state", state, {
-    httpOnly: true,
-    maxAge: 6e5,
-    secure: isProduction && ctx.request.secure,
-    sameSite: "lax"
-  });
+  };
+  ctx.cookies.set("oidc_code_verifier", codeVerifier, cookieOptions);
+  ctx.cookies.set("oidc_state", state, cookieOptions);
+  ctx.cookies.set("oidc_nonce", nonce, cookieOptions);
   const params = new URLSearchParams();
   params.append("response_type", "code");
   params.append("client_id", OIDC_CLIENT_ID);
@@ -270,11 +267,12 @@ async function oidcSignIn(ctx) {
   params.append("code_challenge", codeChallenge);
   params.append("code_challenge_method", "S256");
   params.append("state", state);
+  params.append("nonce", nonce);
   const authorizationUrl = `${OIDC_AUTHORIZATION_ENDPOINT}?${params.toString()}`;
   ctx.set("Location", authorizationUrl);
   return ctx.send({}, 302);
 }
-async function exchangeTokenAndFetchUserInfo(config2, params) {
+async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
   const response = await fetch(config2.OIDC_TOKEN_ENDPOINT, {
     method: "POST",
     body: params,
@@ -283,31 +281,28 @@ async function exchangeTokenAndFetchUserInfo(config2, params) {
     }
   });
   if (!response.ok) {
-    const errText = await response.text();
-    throw new Error(
-      `Failed to exchange token: ${response.status} ${response.statusText} - ${errText}`
-    );
+    throw new Error("Token exchange failed");
   }
   const tokenData = await response.json();
-  let userInfoEndpointHeaders = {};
-  let userInfoEndpointParameters = `?access_token=${tokenData.access_token}`;
-  if (config2.OIDC_USER_INFO_ENDPOINT_WITH_AUTH_HEADER) {
-    userInfoEndpointHeaders = {
-      Authorization: `Bearer ${tokenData.access_token}`
-    };
-    userInfoEndpointParameters = "";
+  if (tokenData.id_token) {
+    try {
+      const payloadB64 = tokenData.id_token.split(".")[1];
+      const idTokenPayload = JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf8"));
+      if (idTokenPayload.nonce !== expectedNonce) {
+        throw new Error("Nonce mismatch");
+      }
+    } catch (e) {
+      if (e.message === "Nonce mismatch") throw e;
+      throw new Error("Failed to parse ID token");
+    }
   }
-  const userInfoEndpoint = `${config2.OIDC_USER_INFO_ENDPOINT}${userInfoEndpointParameters}`;
-  const userResponse = await fetch(userInfoEndpoint, {
-    headers: userInfoEndpointHeaders
+  const userResponse = await fetch(config2.OIDC_USER_INFO_ENDPOINT, {
+    headers: { Authorization: `Bearer ${tokenData.access_token}` }
   });
   if (!userResponse.ok) {
-    const errText = await userResponse.text();
-    throw new Error(
-      `Failed to fetch user info: ${userResponse.status} ${userResponse.statusText} - ${errText}`
-    );
+    throw new Error("Failed to fetch user info");
   }
-  return await userResponse.json();
+  return userResponse.json();
 }
 async function registerNewUser(userService, oauthService2, roleService2, email, userResponseData, whitelistUser, config2, ctx) {
   let roles2 = [];
@@ -331,22 +326,16 @@ async function registerNewUser(userService, oauthService2, roleService2, email,
 async function handleUserAuthentication(userService, oauthService2, roleService2, whitelistService2, userResponseData, config2, ctx) {
   const email = String(userResponseData.email).toLowerCase();
   const whitelistUser = await whitelistService2.checkWhitelistForEmail(email);
-  const dbUser = await userService.findOneByEmail(email);
-  let activateUser;
-  if (dbUser) {
-    activateUser = dbUser;
-  } else {
-    activateUser = await registerNewUser(
-      userService,
-      oauthService2,
-      roleService2,
-      email,
-      userResponseData,
-      whitelistUser,
-      config2,
-      ctx
-    );
-  }
+  const activateUser = await userService.findOneByEmail(email) ?? await registerNewUser(
+    userService,
+    oauthService2,
+    roleService2,
+    email,
+    userResponseData,
+    whitelistUser,
+    config2,
+    ctx
+  );
   const jwtToken = await oauthService2.generateToken(activateUser, ctx);
   oauthService2.triggerSignInSuccess(activateUser);
   return { activateUser, jwtToken };
@@ -362,8 +351,10 @@ async function oidcSignInCallback(ctx) {
   }
   const oidcState = ctx.cookies.get("oidc_state");
   const codeVerifier = ctx.cookies.get("oidc_code_verifier");
+  const oidcNonce = ctx.cookies.get("oidc_nonce");
   ctx.cookies.set("oidc_state", null);
   ctx.cookies.set("oidc_code_verifier", null);
+  ctx.cookies.set("oidc_nonce", null);
   if (!ctx.query.state || ctx.query.state !== oidcState) {
     return ctx.send(oauthService2.renderSignUpError("Invalid state"));
   }
@@ -375,7 +366,7 @@ async function oidcSignInCallback(ctx) {
   params.append("grant_type", config2.OIDC_GRANT_TYPE);
   params.append("code_verifier", codeVerifier);
   try {
-    const userResponseData = await exchangeTokenAndFetchUserInfo(config2, params);
+    const userResponseData = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce);
     const { activateUser, jwtToken } = await handleUserAuthentication(
       userService,
       oauthService2,
@@ -391,7 +382,7 @@ async function oidcSignInCallback(ctx) {
     ctx.send(html);
   } catch (e) {
     console.error("ERROR CAUGHT IN OIDC SIGNIN:", e);
-    ctx.send(oauthService2.renderSignUpError(e.message));
+    ctx.send(oauthService2.renderSignUpError("Authentication failed. Please try again."));
   }
 }
 async function logout(ctx) {
@@ -438,8 +429,11 @@ const role = {
   find,
   update
 };
+function getWhitelistService() {
+  return strapi.plugin("strapi-plugin-oidc").service("whitelist");
+}
 async function info(ctx) {
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const whitelistService2 = getWhitelistService();
   const settings = await whitelistService2.getSettings();
   const whitelistUsers = await whitelistService2.getUsers();
   ctx.body = {
@@ -450,8 +444,9 @@ async function info(ctx) {
   };
 }
 async function updateSettings(ctx) {
-  let { useWhitelist, enforceOIDC } = ctx.request.body;
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const { useWhitelist } = ctx.request.body;
+  let { enforceOIDC } = ctx.request.body;
+  const whitelistService2 = getWhitelistService();
   if (useWhitelist && enforceOIDC) {
     const users = await whitelistService2.getUsers();
     if (users.length === 0) {
@@ -462,7 +457,7 @@ async function updateSettings(ctx) {
   ctx.body = { useWhitelist, enforceOIDC };
 }
 async function publicSettings(ctx) {
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const whitelistService2 = getWhitelistService();
   const settings = await whitelistService2.getSettings();
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
   ctx.body = {
@@ -482,10 +477,11 @@ async function register(ctx) {
     where: { email: { $in: emailList } },
     populate: ["roles"]
   });
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const existingUsersByEmail = new Map(existingUsers.map((u) => [u.email, u]));
+  const whitelistService2 = getWhitelistService();
   let matchedExistingUsersCount = 0;
   for (const singleEmail of emailList) {
-    const existingUser = existingUsers.find((u) => u.email === singleEmail);
+    const existingUser = existingUsersByEmail.get(singleEmail);
     let finalRoles = roles2;
     if (existingUser?.roles) {
       finalRoles = existingUser.roles.map((r) => String(r.id));
@@ -502,12 +498,12 @@ async function register(ctx) {
 }
 async function removeEmail(ctx) {
   const { id } = ctx.params;
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const whitelistService2 = getWhitelistService();
   await whitelistService2.removeUser(id);
   ctx.body = {};
 }
 async function deleteAll(ctx) {
-  await strapi.db.query("plugin::strapi-plugin-oidc.whitelists").deleteMany({});
+  await strapi.query("plugin::strapi-plugin-oidc.whitelists").deleteMany({});
   ctx.body = {};
 }
 async function importUsers(ctx) {
@@ -535,7 +531,7 @@ async function importUsers(ctx) {
     populate: ["roles"]
   });
   const strapiUserMap = new Map(strapiUsers.map((u) => [u.email, u]));
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const whitelistService2 = getWhitelistService();
   const existing = await whitelistService2.getUsers();
   const existingEmails = new Set(existing.map((u) => u.email));
   let importedCount = 0;
@@ -549,9 +545,9 @@ async function importUsers(ctx) {
   ctx.body = { importedCount };
 }
 async function syncUsers(ctx) {
-  let { users } = ctx.request.body;
-  users = users.map((u) => ({ ...u, email: String(u.email).toLowerCase() }));
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const { users: rawUsers } = ctx.request.body;
+  const users = rawUsers.map((u) => ({ ...u, email: String(u.email).toLowerCase() }));
+  const whitelistService2 = getWhitelistService();
   const currentUsers = await whitelistService2.getUsers();
   let matchedExistingUsersCount = 0;
   const emailsToSync = users.map((u) => u.email);
@@ -559,26 +555,29 @@ async function syncUsers(ctx) {
     where: { email: { $in: emailsToSync } },
     populate: ["roles"]
   });
+  const syncEmailSet = new Set(emailsToSync);
+  const currentUsersByEmail = new Map(currentUsers.map((u) => [u.email, u]));
+  const strapiUsersByEmail = new Map(existingStrapiUsers.map((u) => [u.email, u]));
   for (const currUser of currentUsers) {
-    if (!users.find((u) => u.email === currUser.email)) {
+    if (!syncEmailSet.has(currUser.email)) {
       await whitelistService2.removeUser(currUser.id);
     }
   }
   for (const user of users) {
-    const existingStrapiUser = existingStrapiUsers.find((u) => u.email === user.email);
+    const currUser = currentUsersByEmail.get(user.email);
     let finalRoles = user.roles;
-    const currUser = currentUsers.find((u) => u.email === user.email);
-    if (!currUser && existingStrapiUser?.roles) {
-      finalRoles = existingStrapiUser.roles.map((r) => String(r.id));
-      matchedExistingUsersCount++;
-    }
-    if (currUser) {
+    if (!currUser) {
+      const existingStrapiUser = strapiUsersByEmail.get(user.email);
+      if (existingStrapiUser?.roles) {
+        finalRoles = existingStrapiUser.roles.map((r) => String(r.id));
+        matchedExistingUsersCount++;
+      }
+      await whitelistService2.registerUser(user.email, finalRoles);
+    } else {
       await strapi.query("plugin::strapi-plugin-oidc.whitelists").update({
         where: { id: currUser.id },
         data: { roles: finalRoles }
       });
-    } else {
-      await whitelistService2.registerUser(user.email, finalRoles);
     }
   }
   ctx.body = { matchedExistingUsersCount };
@@ -877,7 +876,7 @@ function oauthService({ strapi: strapi2 }) {
         roles: roles2,
         preferedLanguage: locale
       });
-      return await userService.register({
+      return userService.register({
         registrationToken: createdUser.registrationToken,
         userInfo: {
           firstname: firstname || "unset",
@@ -898,7 +897,7 @@ function oauthService({ strapi: strapi2 }) {
       if (!baseAlias) {
         return baseEmail;
       }
-      const alias = baseAlias.replace("/+/g", "");
+      const alias = baseAlias.replace(/\+/g, "");
       const beforePosition = baseEmail.indexOf("@");
       const origin = baseEmail.substring(0, beforePosition);
       const domain = baseEmail.substring(beforePosition);
@@ -935,11 +934,9 @@ function oauthService({ strapi: strapi2 }) {
         provider: "strapi-plugin-oidc"
       });
     },
-    // Sign In Success
     renderSignUpSuccess(jwtToken, user, nonce) {
       const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
-      const REMEMBER_ME = config2["REMEMBER_ME"];
-      const isRememberMe = !!REMEMBER_ME;
+      const isRememberMe = !!config2["REMEMBER_ME"];
       const content = `
     <noscript>
       <div class="card">
@@ -965,7 +962,6 @@ function oauthService({ strapi: strapi2 }) {
     <\/script>`;
       return renderHtmlTemplate("Authenticating...", content);
     },
-    // Sign In Error
     renderSignUpError(message) {
       const safeMessage = String(message).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
       const content = `
@@ -993,8 +989,7 @@ function oauthService({ strapi: strapi2 }) {
       const userId = String(user.id);
       const deviceId = node_crypto.randomUUID();
       const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
-      const REMEMBER_ME = config2["REMEMBER_ME"];
-      const rememberMe = !!REMEMBER_ME;
+      const rememberMe = !!config2["REMEMBER_ME"];
       const { token: refreshToken, absoluteExpiresAt } = await sessionManager(
         "admin"
       ).generateRefreshToken(userId, deviceId, {

package/dist/server/index.mjs

@@ -158,7 +158,6 @@ const config = {
     OIDC_AUTHORIZATION_ENDPOINT: "",
     OIDC_TOKEN_ENDPOINT: "",
     OIDC_USER_INFO_ENDPOINT: "",
-    OIDC_USER_INFO_ENDPOINT_WITH_AUTH_HEADER: false,
     OIDC_GRANT_TYPE: "authorization_code",
     OIDC_FAMILY_NAME_FIELD: "family_name",
     OIDC_GIVEN_NAME_FIELD: "given_name",
@@ -217,45 +216,43 @@ function clearAuthCookies(strapi2, ctx) {
   ctx.cookies.set("strapi_admin_refresh", "", options2);
   ctx.cookies.set("oidc_authenticated", "", { ...options2, path: "/" });
 }
+const REQUIRED_CONFIG_KEYS = [
+  "OIDC_CLIENT_ID",
+  "OIDC_CLIENT_SECRET",
+  "OIDC_REDIRECT_URI",
+  "OIDC_SCOPES",
+  "OIDC_TOKEN_ENDPOINT",
+  "OIDC_USER_INFO_ENDPOINT",
+  "OIDC_GRANT_TYPE",
+  "OIDC_FAMILY_NAME_FIELD",
+  "OIDC_GIVEN_NAME_FIELD",
+  "OIDC_AUTHORIZATION_ENDPOINT"
+];
 function configValidation() {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
-  const requiredKeys = [
-    "OIDC_CLIENT_ID",
-    "OIDC_CLIENT_SECRET",
-    "OIDC_REDIRECT_URI",
-    "OIDC_SCOPES",
-    "OIDC_TOKEN_ENDPOINT",
-    "OIDC_USER_INFO_ENDPOINT",
-    "OIDC_GRANT_TYPE",
-    "OIDC_FAMILY_NAME_FIELD",
-    "OIDC_GIVEN_NAME_FIELD",
-    "OIDC_AUTHORIZATION_ENDPOINT"
-  ];
-  if (requiredKeys.every((key) => config2[key])) {
+  if (REQUIRED_CONFIG_KEYS.every((key) => config2[key])) {
     return config2;
   }
-  throw new Error(`The following configuration keys are required: ${requiredKeys.join(", ")}`);
+  throw new Error(
+    `The following configuration keys are required: ${REQUIRED_CONFIG_KEYS.join(", ")}`
+  );
 }
 async function oidcSignIn(ctx) {
-  let { state } = ctx.query;
   const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPES, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
   const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge();
-  if (!state) {
-    state = randomBytes(32).toString("base64url");
-  }
+  const state = randomBytes(32).toString("base64url");
+  const nonce = randomBytes(32).toString("base64url");
   const isProduction = strapi.config.get("environment") === "production";
-  ctx.cookies.set("oidc_code_verifier", codeVerifier, {
+  const cookieOptions = {
     httpOnly: true,
     maxAge: 6e5,
+    // 10 minutes
     secure: isProduction && ctx.request.secure,
     sameSite: "lax"
-  });
-  ctx.cookies.set("oidc_state", state, {
-    httpOnly: true,
-    maxAge: 6e5,
-    secure: isProduction && ctx.request.secure,
-    sameSite: "lax"
-  });
+  };
+  ctx.cookies.set("oidc_code_verifier", codeVerifier, cookieOptions);
+  ctx.cookies.set("oidc_state", state, cookieOptions);
+  ctx.cookies.set("oidc_nonce", nonce, cookieOptions);
   const params = new URLSearchParams();
   params.append("response_type", "code");
   params.append("client_id", OIDC_CLIENT_ID);
@@ -264,11 +261,12 @@ async function oidcSignIn(ctx) {
   params.append("code_challenge", codeChallenge);
   params.append("code_challenge_method", "S256");
   params.append("state", state);
+  params.append("nonce", nonce);
   const authorizationUrl = `${OIDC_AUTHORIZATION_ENDPOINT}?${params.toString()}`;
   ctx.set("Location", authorizationUrl);
   return ctx.send({}, 302);
 }
-async function exchangeTokenAndFetchUserInfo(config2, params) {
+async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
   const response = await fetch(config2.OIDC_TOKEN_ENDPOINT, {
     method: "POST",
     body: params,
@@ -277,31 +275,28 @@ async function exchangeTokenAndFetchUserInfo(config2, params) {
     }
   });
   if (!response.ok) {
-    const errText = await response.text();
-    throw new Error(
-      `Failed to exchange token: ${response.status} ${response.statusText} - ${errText}`
-    );
+    throw new Error("Token exchange failed");
   }
   const tokenData = await response.json();
-  let userInfoEndpointHeaders = {};
-  let userInfoEndpointParameters = `?access_token=${tokenData.access_token}`;
-  if (config2.OIDC_USER_INFO_ENDPOINT_WITH_AUTH_HEADER) {
-    userInfoEndpointHeaders = {
-      Authorization: `Bearer ${tokenData.access_token}`
-    };
-    userInfoEndpointParameters = "";
+  if (tokenData.id_token) {
+    try {
+      const payloadB64 = tokenData.id_token.split(".")[1];
+      const idTokenPayload = JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf8"));
+      if (idTokenPayload.nonce !== expectedNonce) {
+        throw new Error("Nonce mismatch");
+      }
+    } catch (e) {
+      if (e.message === "Nonce mismatch") throw e;
+      throw new Error("Failed to parse ID token");
+    }
   }
-  const userInfoEndpoint = `${config2.OIDC_USER_INFO_ENDPOINT}${userInfoEndpointParameters}`;
-  const userResponse = await fetch(userInfoEndpoint, {
-    headers: userInfoEndpointHeaders
+  const userResponse = await fetch(config2.OIDC_USER_INFO_ENDPOINT, {
+    headers: { Authorization: `Bearer ${tokenData.access_token}` }
   });
   if (!userResponse.ok) {
-    const errText = await userResponse.text();
-    throw new Error(
-      `Failed to fetch user info: ${userResponse.status} ${userResponse.statusText} - ${errText}`
-    );
+    throw new Error("Failed to fetch user info");
   }
-  return await userResponse.json();
+  return userResponse.json();
 }
 async function registerNewUser(userService, oauthService2, roleService2, email, userResponseData, whitelistUser, config2, ctx) {
   let roles2 = [];
@@ -325,22 +320,16 @@ async function registerNewUser(userService, oauthService2, roleService2, email,
 async function handleUserAuthentication(userService, oauthService2, roleService2, whitelistService2, userResponseData, config2, ctx) {
   const email = String(userResponseData.email).toLowerCase();
   const whitelistUser = await whitelistService2.checkWhitelistForEmail(email);
-  const dbUser = await userService.findOneByEmail(email);
-  let activateUser;
-  if (dbUser) {
-    activateUser = dbUser;
-  } else {
-    activateUser = await registerNewUser(
-      userService,
-      oauthService2,
-      roleService2,
-      email,
-      userResponseData,
-      whitelistUser,
-      config2,
-      ctx
-    );
-  }
+  const activateUser = await userService.findOneByEmail(email) ?? await registerNewUser(
+    userService,
+    oauthService2,
+    roleService2,
+    email,
+    userResponseData,
+    whitelistUser,
+    config2,
+    ctx
+  );
   const jwtToken = await oauthService2.generateToken(activateUser, ctx);
   oauthService2.triggerSignInSuccess(activateUser);
   return { activateUser, jwtToken };
@@ -356,8 +345,10 @@ async function oidcSignInCallback(ctx) {
   }
   const oidcState = ctx.cookies.get("oidc_state");
   const codeVerifier = ctx.cookies.get("oidc_code_verifier");
+  const oidcNonce = ctx.cookies.get("oidc_nonce");
   ctx.cookies.set("oidc_state", null);
   ctx.cookies.set("oidc_code_verifier", null);
+  ctx.cookies.set("oidc_nonce", null);
   if (!ctx.query.state || ctx.query.state !== oidcState) {
     return ctx.send(oauthService2.renderSignUpError("Invalid state"));
   }
@@ -369,7 +360,7 @@ async function oidcSignInCallback(ctx) {
   params.append("grant_type", config2.OIDC_GRANT_TYPE);
   params.append("code_verifier", codeVerifier);
   try {
-    const userResponseData = await exchangeTokenAndFetchUserInfo(config2, params);
+    const userResponseData = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce);
     const { activateUser, jwtToken } = await handleUserAuthentication(
       userService,
       oauthService2,
@@ -385,7 +376,7 @@ async function oidcSignInCallback(ctx) {
     ctx.send(html);
   } catch (e) {
     console.error("ERROR CAUGHT IN OIDC SIGNIN:", e);
-    ctx.send(oauthService2.renderSignUpError(e.message));
+    ctx.send(oauthService2.renderSignUpError("Authentication failed. Please try again."));
   }
 }
 async function logout(ctx) {
@@ -432,8 +423,11 @@ const role = {
   find,
   update
 };
+function getWhitelistService() {
+  return strapi.plugin("strapi-plugin-oidc").service("whitelist");
+}
 async function info(ctx) {
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const whitelistService2 = getWhitelistService();
   const settings = await whitelistService2.getSettings();
   const whitelistUsers = await whitelistService2.getUsers();
   ctx.body = {
@@ -444,8 +438,9 @@ async function info(ctx) {
   };
 }
 async function updateSettings(ctx) {
-  let { useWhitelist, enforceOIDC } = ctx.request.body;
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const { useWhitelist } = ctx.request.body;
+  let { enforceOIDC } = ctx.request.body;
+  const whitelistService2 = getWhitelistService();
   if (useWhitelist && enforceOIDC) {
     const users = await whitelistService2.getUsers();
     if (users.length === 0) {
@@ -456,7 +451,7 @@ async function updateSettings(ctx) {
   ctx.body = { useWhitelist, enforceOIDC };
 }
 async function publicSettings(ctx) {
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const whitelistService2 = getWhitelistService();
   const settings = await whitelistService2.getSettings();
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
   ctx.body = {
@@ -476,10 +471,11 @@ async function register(ctx) {
     where: { email: { $in: emailList } },
     populate: ["roles"]
   });
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const existingUsersByEmail = new Map(existingUsers.map((u) => [u.email, u]));
+  const whitelistService2 = getWhitelistService();
   let matchedExistingUsersCount = 0;
   for (const singleEmail of emailList) {
-    const existingUser = existingUsers.find((u) => u.email === singleEmail);
+    const existingUser = existingUsersByEmail.get(singleEmail);
     let finalRoles = roles2;
     if (existingUser?.roles) {
       finalRoles = existingUser.roles.map((r) => String(r.id));
@@ -496,12 +492,12 @@ async function register(ctx) {
 }
 async function removeEmail(ctx) {
   const { id } = ctx.params;
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const whitelistService2 = getWhitelistService();
   await whitelistService2.removeUser(id);
   ctx.body = {};
 }
 async function deleteAll(ctx) {
-  await strapi.db.query("plugin::strapi-plugin-oidc.whitelists").deleteMany({});
+  await strapi.query("plugin::strapi-plugin-oidc.whitelists").deleteMany({});
   ctx.body = {};
 }
 async function importUsers(ctx) {
@@ -529,7 +525,7 @@ async function importUsers(ctx) {
     populate: ["roles"]
   });
   const strapiUserMap = new Map(strapiUsers.map((u) => [u.email, u]));
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const whitelistService2 = getWhitelistService();
   const existing = await whitelistService2.getUsers();
   const existingEmails = new Set(existing.map((u) => u.email));
   let importedCount = 0;
@@ -543,9 +539,9 @@ async function importUsers(ctx) {
   ctx.body = { importedCount };
 }
 async function syncUsers(ctx) {
-  let { users } = ctx.request.body;
-  users = users.map((u) => ({ ...u, email: String(u.email).toLowerCase() }));
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const { users: rawUsers } = ctx.request.body;
+  const users = rawUsers.map((u) => ({ ...u, email: String(u.email).toLowerCase() }));
+  const whitelistService2 = getWhitelistService();
   const currentUsers = await whitelistService2.getUsers();
   let matchedExistingUsersCount = 0;
   const emailsToSync = users.map((u) => u.email);
@@ -553,26 +549,29 @@ async function syncUsers(ctx) {
     where: { email: { $in: emailsToSync } },
     populate: ["roles"]
   });
+  const syncEmailSet = new Set(emailsToSync);
+  const currentUsersByEmail = new Map(currentUsers.map((u) => [u.email, u]));
+  const strapiUsersByEmail = new Map(existingStrapiUsers.map((u) => [u.email, u]));
   for (const currUser of currentUsers) {
-    if (!users.find((u) => u.email === currUser.email)) {
+    if (!syncEmailSet.has(currUser.email)) {
       await whitelistService2.removeUser(currUser.id);
     }
   }
   for (const user of users) {
-    const existingStrapiUser = existingStrapiUsers.find((u) => u.email === user.email);
+    const currUser = currentUsersByEmail.get(user.email);
     let finalRoles = user.roles;
-    const currUser = currentUsers.find((u) => u.email === user.email);
-    if (!currUser && existingStrapiUser?.roles) {
-      finalRoles = existingStrapiUser.roles.map((r) => String(r.id));
-      matchedExistingUsersCount++;
-    }
-    if (currUser) {
+    if (!currUser) {
+      const existingStrapiUser = strapiUsersByEmail.get(user.email);
+      if (existingStrapiUser?.roles) {
+        finalRoles = existingStrapiUser.roles.map((r) => String(r.id));
+        matchedExistingUsersCount++;
+      }
+      await whitelistService2.registerUser(user.email, finalRoles);
+    } else {
       await strapi.query("plugin::strapi-plugin-oidc.whitelists").update({
         where: { id: currUser.id },
         data: { roles: finalRoles }
       });
-    } else {
-      await whitelistService2.registerUser(user.email, finalRoles);
     }
   }
   ctx.body = { matchedExistingUsersCount };
@@ -871,7 +870,7 @@ function oauthService({ strapi: strapi2 }) {
         roles: roles2,
         preferedLanguage: locale
       });
-      return await userService.register({
+      return userService.register({
         registrationToken: createdUser.registrationToken,
         userInfo: {
           firstname: firstname || "unset",
@@ -892,7 +891,7 @@ function oauthService({ strapi: strapi2 }) {
       if (!baseAlias) {
         return baseEmail;
       }
-      const alias = baseAlias.replace("/+/g", "");
+      const alias = baseAlias.replace(/\+/g, "");
       const beforePosition = baseEmail.indexOf("@");
       const origin = baseEmail.substring(0, beforePosition);
       const domain = baseEmail.substring(beforePosition);
@@ -929,11 +928,9 @@ function oauthService({ strapi: strapi2 }) {
         provider: "strapi-plugin-oidc"
       });
     },
-    // Sign In Success
     renderSignUpSuccess(jwtToken, user, nonce) {
       const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
-      const REMEMBER_ME = config2["REMEMBER_ME"];
-      const isRememberMe = !!REMEMBER_ME;
+      const isRememberMe = !!config2["REMEMBER_ME"];
       const content = `
     <noscript>
       <div class="card">
@@ -959,7 +956,6 @@ function oauthService({ strapi: strapi2 }) {
     <\/script>`;
       return renderHtmlTemplate("Authenticating...", content);
     },
-    // Sign In Error
     renderSignUpError(message) {
       const safeMessage = String(message).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
       const content = `
@@ -987,8 +983,7 @@ function oauthService({ strapi: strapi2 }) {
       const userId = String(user.id);
       const deviceId = randomUUID();
       const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
-      const REMEMBER_ME = config2["REMEMBER_ME"];
-      const rememberMe = !!REMEMBER_ME;
+      const rememberMe = !!config2["REMEMBER_ME"];
       const { token: refreshToken, absoluteExpiresAt } = await sessionManager(
         "admin"
       ).generateRefreshToken(userId, deviceId, {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.4.0",
+  "version": "1.4.1",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",