strapi-plugin-oidc 1.5.2 → 1.6.0

package/dist/server/index.mjs

@@ -1,4 +1,4 @@
-import { randomUUID, randomBytes } from "node:crypto";
+import { randomUUID, randomBytes, createHash } from "node:crypto";
 import pkceChallenge from "pkce-challenge";
 import strapiUtils from "@strapi/utils";
 import generator from "generate-password";
@@ -18,18 +18,31 @@ function resolveEnforceOIDC(strapi2, dbValue) {
   if (configValue !== null) return configValue;
   return dbValue ?? false;
 }
+const PLUGIN_UID = "plugin::strapi-plugin-oidc";
+const DEFAULT_RETENTION_DAYS = 90;
+function getPluginConfig() {
+  return strapi.config.get(PLUGIN_UID);
+}
+function getRetentionDays() {
+  const config2 = getPluginConfig();
+  return Number(config2.AUDIT_LOG_RETENTION_DAYS ?? DEFAULT_RETENTION_DAYS);
+}
+function isAuditLogEnabled() {
+  return getRetentionDays() !== 0;
+}
 async function bootstrap({ strapi: strapi2 }) {
+  const adminUrl = strapi2.config.get("admin.url", "/admin");
+  const authRoutes = [
+    `${adminUrl}/login`,
+    `${adminUrl}/register`,
+    `${adminUrl}/register-admin`,
+    `${adminUrl}/forgot-password`,
+    `${adminUrl}/reset-password`
+  ];
+  const tokenRefreshPath = `${adminUrl}/token/refresh`;
   const enforceOidcMiddleware = async (ctx, next) => {
-    const adminUrl = strapi2.config.get("admin.url", "/admin");
-    const authRoutes = [
-      `${adminUrl}/login`,
-      `${adminUrl}/register`,
-      `${adminUrl}/register-admin`,
-      `${adminUrl}/forgot-password`,
-      `${adminUrl}/reset-password`
-    ];
     const isPostAuth = authRoutes.includes(ctx.request.path) && ctx.request.method === "POST";
-    const isTokenRefresh = ctx.request.path === `${adminUrl}/token/refresh` && ctx.request.method === "POST";
+    const isTokenRefresh = ctx.request.path === tokenRefreshPath && ctx.request.method === "POST";
     if (isPostAuth || isTokenRefresh) {
       try {
         const whitelistService2 = strapi2.plugin("strapi-plugin-oidc").service("whitelist");
@@ -110,14 +123,12 @@ async function bootstrap({ strapi: strapi2 }) {
       where: { oauth_type: "4" }
     });
     if (oidcRoleCount === 0) {
-      const editorRole = await strapi2.query("admin::role").findOne({
-        where: { code: "strapi-editor" }
-      });
-      if (editorRole) {
+      const defaultRole = await strapi2.query("admin::role").findOne({ where: { code: "strapi-editor" } }) ?? await strapi2.query("admin::role").findOne({});
+      if (defaultRole) {
         await strapi2.query("plugin::strapi-plugin-oidc.roles").create({
           data: {
             oauth_type: "4",
-            roles: [editorRole.id.toString()]
+            roles: [defaultRole.id.toString()]
           }
         });
       }
@@ -125,25 +136,18 @@ async function bootstrap({ strapi: strapi2 }) {
   } catch (err) {
     strapi2.log.warn("Could not initialize default OIDC role:", err.message);
   }
-  strapi2.db.lifecycles.subscribe({
-    models: ["admin::user"],
-    async afterUpdate(event) {
-      const { result } = event;
-      if (!result?.email) return;
-      const query = strapi2.query("plugin::strapi-plugin-oidc.whitelists");
-      const whitelistEntry = await query.findOne({ where: { email: result.email } });
-      if (!whitelistEntry) return;
-      const userWithRoles = await strapi2.query("admin::user").findOne({
-        where: { id: result.id },
-        populate: ["roles"]
-      });
-      if (userWithRoles?.roles) {
-        const roleIds = userWithRoles.roles.map((r) => r.id.toString());
-        await query.update({
-          where: { id: whitelistEntry.id },
-          data: { roles: roleIds }
-        });
-      }
+  strapi2.cron.add({
+    "strapi-plugin-oidc-audit-log-cleanup": {
+      task: async () => {
+        try {
+          const retentionDays = getRetentionDays();
+          await strapi2.plugin("strapi-plugin-oidc").service("auditLog").cleanup(retentionDays);
+        } catch (err) {
+          strapi2.log.warn("[strapi-plugin-oidc] Audit log cleanup failed:", err.message);
+        }
+      },
+      options: { rule: "0 0 * * *" }
+      // daily at midnight
     }
   });
 }
@@ -164,41 +168,58 @@ const config = {
     OIDC_GIVEN_NAME_FIELD: "given_name",
     OIDC_END_SESSION_ENDPOINT: "",
     OIDC_SSO_BUTTON_TEXT: "Login via SSO",
-    OIDC_ENFORCE: null
+    OIDC_ENFORCE: null,
     // null = use DB setting; true/false = override DB (useful for lockout recovery)
+    AUDIT_LOG_RETENTION_DAYS: 90,
+    OIDC_GROUP_FIELD: "groups",
+    OIDC_GROUP_ROLE_MAP: "{}"
   },
   validator() {
   }
 };
-const info$2 = { "singularName": "roles", "pluralName": "oidc-roles", "collectionName": "oidc-roles", "displayName": "oidc-role", "description": "" };
+const info$3 = { "singularName": "roles", "pluralName": "oidc-roles", "collectionName": "oidc-roles", "displayName": "oidc-role", "description": "" };
+const options$2 = { "draftAndPublish": false };
+const pluginOptions$2 = { "content-manager": { "visible": false }, "content-type-builder": { "visible": false } };
+const attributes$2 = { "oauth_type": { "type": "string", "configurable": false, "required": true }, "roles": { "type": "json", "configurable": false } };
+const schema$2 = {
+  info: info$3,
+  options: options$2,
+  pluginOptions: pluginOptions$2,
+  attributes: attributes$2
+};
+const roles = {
+  schema: schema$2
+};
+const info$2 = { "singularName": "whitelists", "pluralName": "whitelists", "collectionName": "whitelists", "displayName": "whitelist", "description": "" };
 const options$1 = { "draftAndPublish": false };
 const pluginOptions$1 = { "content-manager": { "visible": false }, "content-type-builder": { "visible": false } };
-const attributes$1 = { "oauth_type": { "type": "string", "configurable": false, "required": true }, "roles": { "type": "json", "configurable": false } };
+const attributes$1 = { "email": { "type": "string", "configurable": false, "required": true, "unique": true } };
 const schema$1 = {
   info: info$2,
   options: options$1,
   pluginOptions: pluginOptions$1,
   attributes: attributes$1
 };
-const roles = {
+const whitelists = {
   schema: schema$1
 };
-const info$1 = { "singularName": "whitelists", "pluralName": "whitelists", "collectionName": "whitelists", "displayName": "whitelist", "description": "" };
+const info$1 = { "singularName": "audit-log", "pluralName": "audit-logs", "collectionName": "audit_logs", "displayName": "OIDC Audit Log" };
 const options = { "draftAndPublish": false };
 const pluginOptions = { "content-manager": { "visible": false }, "content-type-builder": { "visible": false } };
-const attributes = { "email": { "type": "string", "configurable": false, "required": true, "unique": true }, "roles": { "type": "json", "configurable": false } };
+const attributes = { "action": { "type": "string", "required": true }, "email": { "type": "string" }, "ip": { "type": "string" }, "detailsKey": { "type": "string" }, "detailsParams": { "type": "json" } };
 const schema = {
   info: info$1,
   options,
   pluginOptions,
   attributes
 };
-const whitelists = {
+const auditLog$1 = {
   schema
 };
 const contentTypes = {
   roles,
-  whitelists
+  whitelists,
+  "audit-log": auditLog$1
 };
 function getExpiredCookieOptions(strapi2, ctx) {
   const isProduction = strapi2.config.get("environment") === "production";
@@ -216,7 +237,131 @@ function clearAuthCookies(strapi2, ctx) {
   const options2 = getExpiredCookieOptions(strapi2, ctx);
   ctx.cookies.set("strapi_admin_refresh", "", options2);
   ctx.cookies.set("oidc_authenticated", "", { ...options2, path: "/" });
+  ctx.cookies.set("oidc_access_token", "", { ...options2, path: "/" });
+  ctx.cookies.set("oidc_user_email", "", { ...options2, path: "/" });
 }
+const errorCodes = {
+  TOKEN_EXCHANGE_FAILED: "TOKEN_EXCHANGE_FAILED",
+  USERINFO_FETCH_FAILED: "USERINFO_FETCH_FAILED",
+  ID_TOKEN_PARSE_FAILED: "ID_TOKEN_PARSE_FAILED",
+  NONCE_MISMATCH: "NONCE_MISMATCH",
+  ROLE_UPDATE_FAILED: "ROLE_UPDATE_FAILED",
+  USER_CREATION_FAILED: "USER_CREATION_FAILED",
+  WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED"
+};
+function getErrorDetail(key, params) {
+  switch (key) {
+    case "token_exchange_failed":
+      return `Token exchange failed with HTTP status ${params?.status ?? "unknown"}`;
+    case "userinfo_fetch_failed":
+      return `UserInfo endpoint returned HTTP ${params?.status ?? "unknown"}`;
+    case "role_update_failed":
+      return `Role update failed for user ${params?.userId}: ${params?.error ?? "unknown"}`;
+    case "user_creation_failed":
+      return `User creation failed for ${params?.email}: ${params?.error ?? "unknown"}`;
+    case "id_token_parse_failed":
+      return `ID token parse failed: ${params?.error ?? "unknown"}`;
+    case "sign_in_unknown":
+      return `Unknown sign-in error: ${params?.error ?? "unknown"}`;
+    default:
+      return void 0;
+  }
+}
+const en = {
+  "global.plugins.strapi-plugin-oidc": "OIDC Plugin",
+  "page.title": "Configure OIDC default role(s) and access controls.",
+  "roles.notes": "Select the default role(s) assigned to new users upon their first login. This setting does not affect existing users.",
+  "page.save": "Save Changes",
+  "page.save.success": "Updated settings",
+  "page.save.error": "Update failed.",
+  "page.add": "Add",
+  "page.cancel": "Cancel",
+  "page.ok": "OK",
+  "roles.title": "Default Role(s)",
+  "roles.placeholder": "Select default role(s)",
+  "whitelist.title": "Whitelist",
+  "whitelist.error.unique": "Already registered email address.",
+  "whitelist.description": "Restrict OIDC authentication to specific email addresses. Users receive roles from the default OIDC role mapping or their OIDC group.",
+  "alert.title.success": "Success",
+  "alert.title.error": "Error",
+  "alert.title.info": "Info",
+  "pagination.previous": "Go to previous page",
+  "pagination.page": "Go to page {page}",
+  "pagination.next": "Go to next page",
+  "whitelist.table.no": "No.",
+  "whitelist.table.email": "Email",
+  "whitelist.table.created": "Created At",
+  "whitelist.delete.title": "Confirmation",
+  "whitelist.delete.description": "Are you sure you want to delete:",
+  "whitelist.delete.note": "This will not delete the user account in Strapi.",
+  "whitelist.toggle.enabled": "Enabled",
+  "whitelist.toggle.disabled": "Disabled",
+  "whitelist.email.placeholder": "Email address",
+  "whitelist.roles.placeholder": "Select specific role(s)",
+  "whitelist.table.roles": "Role(s)",
+  "whitelist.table.empty": "No email addresses",
+  "whitelist.delete.label": "Delete",
+  "page.title.oidc": "OIDC",
+  "enforce.title": "Enforce OIDC Login",
+  "enforce.toggle.enabled": "Enabled",
+  "enforce.toggle.disabled": "Disabled",
+  "enforce.warning": "Make sure OIDC is setup correctly before saving changes, you won't be able to login normally.",
+  "enforce.config.info": "Enforcement is controlled by the OIDC_ENFORCE config variable and cannot be changed here.",
+  "login.settings.title": "Login Settings",
+  "login.sso": "Login via SSO",
+  "whitelist.count": "{count, plural, one {# entry} other {# entries}}",
+  "whitelist.import": "Import",
+  "whitelist.export": "Export",
+  "whitelist.delete.all.label": "Delete All",
+  "whitelist.delete.all.title": "Delete All Entries",
+  "whitelist.delete.all.description": "This will permanently remove all {count, plural, one {# entry} other {# entries}} from the whitelist. Unsaved changes will be lost.",
+  "whitelist.import.error": "Invalid file — expected a JSON array of objects with an email field.",
+  "whitelist.import.success": "Imported {count, plural, one {# new entry} other {# new entries}}.",
+  "whitelist.import.none": "No new entries — all emails are already in the whitelist.",
+  "unsaved.title": "Unsaved Changes",
+  "unsaved.description": "You have unsaved changes that will be lost if you leave. Do you want to continue?",
+  "unsaved.confirm": "Leave",
+  "unsaved.cancel": "Stay",
+  "whitelist.table.roles.default": "(Default)",
+  "auditlog.title": "Audit Logs",
+  "auditlog.export": "Download",
+  "auditlog.table.timestamp": "Timestamp",
+  "auditlog.table.action": "Action",
+  "auditlog.table.email": "Email",
+  "auditlog.table.ip": "IP",
+  "auditlog.table.details": "Details",
+  "auditlog.table.empty": "No audit log entries",
+  "auditlog.clear": "Clear Logs",
+  "auditlog.clear.title": "Clear All Logs",
+  "auditlog.clear.description": "This will permanently delete all {count, plural, one {# audit log entry} other {# audit log entries}}. This action cannot be undone.",
+  "auditlog.clear.success": "Audit logs cleared",
+  "auditlog.clear.error": "Failed to clear audit logs",
+  "auditlog.export.error": "Failed to export audit logs",
+  "auditlog.action.login_success": "User successfully authenticated via OIDC and was granted access.",
+  "auditlog.action.user_created": "A new Strapi admin account was created for this user on their first OIDC login.",
+  "auditlog.action.logout": "User logged out and their OIDC session was ended.",
+  "auditlog.action.session_expired": "The OIDC access token had expired by the time the user logged out, so the provider session could not be terminated remotely.",
+  "auditlog.action.login_failure": "An unexpected error occurred during the OIDC login flow.",
+  "auditlog.action.missing_code": "The OIDC callback was received without an authorisation code. This may indicate a misconfigured provider or a tampered request.",
+  "auditlog.action.state_mismatch": "The state parameter in the callback did not match the one stored in the session. This may indicate a CSRF attempt or an expired login session.",
+  "auditlog.action.nonce_mismatch": "The nonce in the ID token did not match the one generated at login. This may indicate a token replay attack.",
+  "auditlog.action.token_exchange_failed": "The authorisation code could not be exchanged for tokens. The OIDC provider rejected the request.",
+  "auditlog.action.whitelist_rejected": "The user's email address is not on the whitelist. Access was denied.",
+  "user.missing_code": "Authorisation code was not received from the OIDC provider.",
+  "user.invalid_state": "State parameter mismatch. Please restart the login flow.",
+  "user.signInError": "Authentication failed. Please try again."
+};
+const userFacingMessages = {
+  get missing_code() {
+    return en["user.missing_code"];
+  },
+  get invalid_state() {
+    return en["user.invalid_state"];
+  },
+  get signInError() {
+    return en["user.signInError"];
+  }
+};
 const REQUIRED_CONFIG_KEYS = [
   "OIDC_CLIENT_ID",
   "OIDC_CLIENT_SECRET",
@@ -254,15 +399,16 @@ async function oidcSignIn(ctx) {
   ctx.cookies.set("oidc_code_verifier", codeVerifier, cookieOptions);
   ctx.cookies.set("oidc_state", state, cookieOptions);
   ctx.cookies.set("oidc_nonce", nonce, cookieOptions);
-  const params = new URLSearchParams();
-  params.append("response_type", "code");
-  params.append("client_id", OIDC_CLIENT_ID);
-  params.append("redirect_uri", OIDC_REDIRECT_URI);
-  params.append("scope", OIDC_SCOPE);
-  params.append("code_challenge", codeChallenge);
-  params.append("code_challenge_method", "S256");
-  params.append("state", state);
-  params.append("nonce", nonce);
+  const params = new URLSearchParams({
+    response_type: "code",
+    client_id: OIDC_CLIENT_ID,
+    redirect_uri: OIDC_REDIRECT_URI,
+    scope: OIDC_SCOPE,
+    code_challenge: codeChallenge,
+    code_challenge_method: "S256",
+    state,
+    nonce
+  });
   const authorizationUrl = `${OIDC_AUTHORIZATION_ENDPOINT}?${params.toString()}`;
   ctx.set("Location", authorizationUrl);
   return ctx.send({}, 302);
@@ -297,16 +443,38 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
   if (!userResponse.ok) {
     throw new Error("Failed to fetch user info");
   }
-  return userResponse.json();
+  const userInfo = await userResponse.json();
+  return { userInfo, accessToken: tokenData.access_token };
 }
-async function registerNewUser(userService, oauthService2, roleService2, email, userResponseData, whitelistUser, config2, ctx) {
-  let roles2 = [];
-  if (whitelistUser?.roles?.length > 0) {
-    roles2 = whitelistUser.roles;
-  } else {
-    const oidcRoles = await roleService2.oidcRoles();
-    roles2 = oidcRoles?.roles || [];
+function resolveRolesFromGroups(userInfo, config2, availableRoles) {
+  const rawGroups = userInfo[config2.OIDC_GROUP_FIELD];
+  if (!Array.isArray(rawGroups) || rawGroups.length === 0) return [];
+  const groups = rawGroups.filter((g) => typeof g === "string");
+  const raw = config2.OIDC_GROUP_ROLE_MAP;
+  let groupRoleMap;
+  try {
+    groupRoleMap = typeof raw === "string" ? JSON.parse(raw) : raw;
+  } catch {
+    return [];
   }
+  const roleIdSet = /* @__PURE__ */ new Set();
+  for (const group of groups) {
+    const roleNames = groupRoleMap[group];
+    if (!roleNames) continue;
+    for (const name of roleNames) {
+      const match = availableRoles.find((r) => r.name === name);
+      if (match) roleIdSet.add(String(match.id));
+    }
+  }
+  return [...roleIdSet];
+}
+async function resolveRoles(userInfo, config2, roleService2, availableRoles) {
+  const groupRoles = resolveRolesFromGroups(userInfo, config2, availableRoles);
+  if (groupRoles.length > 0) return groupRoles;
+  const oidcRoles = await roleService2.oidcRoles();
+  return oidcRoles?.roles || [];
+}
+async function registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2) {
   const defaultLocale = oauthService2.localeFindByHeader(
     ctx.request.headers
   );
@@ -321,21 +489,106 @@ async function registerNewUser(userService, oauthService2, roleService2, email,
   return activateUser;
 }
 async function handleUserAuthentication(userService, oauthService2, roleService2, whitelistService2, userResponseData, config2, ctx) {
-  const email = String(userResponseData.email).toLowerCase();
-  const whitelistUser = await whitelistService2.checkWhitelistForEmail(email);
-  const activateUser = await userService.findOneByEmail(email) ?? await registerNewUser(
-    userService,
-    oauthService2,
-    roleService2,
-    email,
-    userResponseData,
-    whitelistUser,
-    config2,
-    ctx
-  );
+  const rawEmail = String(userResponseData.email ?? "");
+  const email = rawEmail.toLowerCase();
+  if (!email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+    throw new Error("Invalid email address received from OIDC provider");
+  }
+  await whitelistService2.checkWhitelistForEmail(email);
+  const allRoles = await strapi.db.query("admin::role").findMany();
+  const roles2 = await resolveRoles(userResponseData, config2, roleService2, allRoles);
+  const resolvedRoleNames = allRoles.filter((r) => roles2.includes(String(r.id))).map((r) => r.name);
+  let userCreated = false;
+  let rolesUpdated = false;
+  let activateUser = await userService.findOneByEmail(email);
+  if (!activateUser) {
+    activateUser = await registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2);
+    userCreated = true;
+  } else if (roles2.length > 0) {
+    const currentRoleIds = new Set((activateUser.roles ?? []).map((r) => String(r.id)));
+    const newRoleIds = new Set(roles2);
+    const rolesChanged = currentRoleIds.size !== newRoleIds.size || [...newRoleIds].some((id) => !currentRoleIds.has(id));
+    if (rolesChanged) {
+      try {
+        strapi.log.info(
+          `[OIDC] Roles updated for user ${activateUser.id}: [${[...currentRoleIds].join(",")}] -> [${roles2.join(",")}]`
+        );
+        await strapi.db.query("admin::user").update({
+          where: { id: activateUser.id },
+          data: { roles: roles2 }
+        });
+        rolesUpdated = true;
+      } catch (updateErr) {
+        strapi.log.error({
+          code: errorCodes.ROLE_UPDATE_FAILED,
+          userId: activateUser.id,
+          detail: getErrorDetail("role_update_failed", {
+            userId: activateUser.id,
+            error: updateErr.message
+          })
+        });
+        throw updateErr;
+      }
+    }
+  }
   const jwtToken = await oauthService2.generateToken(activateUser, ctx);
   oauthService2.triggerSignInSuccess(activateUser);
-  return { activateUser, jwtToken };
+  return { activateUser, jwtToken, userCreated, rolesUpdated, resolvedRoleNames };
+}
+function classifyOidcError(msg, userInfo) {
+  const errorMap = [
+    {
+      test: (m) => m.includes("whitelist"),
+      result: {
+        action: "whitelist_rejected",
+        code: errorCodes.WHITELIST_CHECK_FAILED,
+        key: "whitelist_rejected"
+      }
+    },
+    {
+      test: (m) => m === "Nonce mismatch",
+      result: { action: "nonce_mismatch", code: errorCodes.NONCE_MISMATCH }
+    },
+    {
+      test: (m) => m === "Token exchange failed",
+      result: { action: "token_exchange_failed", code: errorCodes.TOKEN_EXCHANGE_FAILED }
+    },
+    {
+      test: (m) => m === "Failed to fetch user info",
+      result: {
+        action: "login_failure",
+        code: errorCodes.USERINFO_FETCH_FAILED,
+        key: "userinfo_fetch_failed"
+      }
+    },
+    {
+      test: (m) => m === "Failed to parse ID token",
+      result: {
+        action: "login_failure",
+        code: errorCodes.ID_TOKEN_PARSE_FAILED,
+        key: "id_token_parse_failed",
+        params: { error: msg }
+      }
+    },
+    {
+      test: (m) => m === "User creation failed" || m.includes("createUser"),
+      result: {
+        action: "login_failure",
+        code: errorCodes.USER_CREATION_FAILED,
+        key: "user_creation_failed",
+        params: userInfo?.email ? { email: userInfo.email, error: msg } : void 0
+      }
+    }
+  ];
+  for (const { test, result } of errorMap) {
+    if (test(msg)) return result;
+  }
+  return {
+    action: "login_failure",
+    code: errorCodes.TOKEN_EXCHANGE_FAILED,
+    key: "sign_in_unknown",
+    params: { error: msg || "unknown" }
+  };
 }
 async function oidcSignInCallback(ctx) {
   const config2 = configValidation();
@@ -343,8 +596,10 @@ async function oidcSignInCallback(ctx) {
   const oauthService2 = strapi.plugin("strapi-plugin-oidc").service("oauth");
   const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
   const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const auditLog2 = strapi.plugin("strapi-plugin-oidc").service("auditLog");
   if (!ctx.query.code) {
-    return ctx.send(oauthService2.renderSignUpError("code Not Found"));
+    await auditLog2.log({ action: "missing_code", ip: ctx.ip });
+    return ctx.send(oauthService2.renderSignUpError(userFacingMessages.missing_code));
   }
   const oidcState = ctx.cookies.get("oidc_state");
   const codeVerifier = ctx.cookies.get("oidc_code_verifier");
@@ -353,53 +608,129 @@ async function oidcSignInCallback(ctx) {
   ctx.cookies.set("oidc_code_verifier", null);
   ctx.cookies.set("oidc_nonce", null);
   if (!ctx.query.state || ctx.query.state !== oidcState) {
-    return ctx.send(oauthService2.renderSignUpError("Invalid state"));
+    await auditLog2.log({ action: "state_mismatch", ip: ctx.ip });
+    return ctx.send(oauthService2.renderSignUpError(userFacingMessages.invalid_state));
   }
-  const params = new URLSearchParams();
-  params.append("code", ctx.query.code);
-  params.append("client_id", config2.OIDC_CLIENT_ID);
-  params.append("client_secret", config2.OIDC_CLIENT_SECRET);
-  params.append("redirect_uri", config2.OIDC_REDIRECT_URI);
-  params.append("grant_type", config2.OIDC_GRANT_TYPE);
-  params.append("code_verifier", codeVerifier ?? "");
+  const params = new URLSearchParams({
+    code: ctx.query.code,
+    client_id: config2.OIDC_CLIENT_ID,
+    client_secret: config2.OIDC_CLIENT_SECRET,
+    redirect_uri: config2.OIDC_REDIRECT_URI,
+    grant_type: config2.OIDC_GRANT_TYPE,
+    code_verifier: codeVerifier ?? ""
+  });
+  let userInfo;
   try {
-    const userResponseData = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce ?? "");
-    const { activateUser, jwtToken } = await handleUserAuthentication(
+    const exchangeResult = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce ?? "");
+    userInfo = exchangeResult.userInfo;
+    const accessToken = exchangeResult.accessToken;
+    const isProduction = strapi.config.get("environment") === "production";
+    ctx.cookies.set("oidc_access_token", accessToken, {
+      httpOnly: true,
+      maxAge: 3e5,
+      // 5 minutes — matches typical provider access token lifetime
+      secure: isProduction && ctx.request.secure,
+      sameSite: "lax"
+    });
+    const { activateUser, jwtToken, userCreated, rolesUpdated, resolvedRoleNames } = await handleUserAuthentication(
       userService,
       oauthService2,
       roleService2,
       whitelistService2,
-      userResponseData,
+      userInfo,
       config2,
       ctx
     );
+    const identityCookieOptions = {
+      httpOnly: true,
+      path: "/",
+      secure: isProduction && ctx.request.secure,
+      sameSite: "lax"
+    };
+    ctx.cookies.set("oidc_user_email", activateUser.email, identityCookieOptions);
+    if (userCreated) {
+      await auditLog2.log({
+        action: "user_created",
+        email: activateUser.email,
+        ip: ctx.ip,
+        detailsKey: "user_created",
+        detailsParams: { roles: resolvedRoleNames.join(", ") }
+      });
+    }
+    await auditLog2.log({
+      action: "login_success",
+      email: activateUser.email,
+      ip: ctx.ip,
+      detailsKey: rolesUpdated ? "roles_updated" : void 0,
+      detailsParams: rolesUpdated ? { roles: resolvedRoleNames.join(", ") } : void 0
+    });
     const nonce = randomUUID();
     const html = oauthService2.renderSignUpSuccess(jwtToken, activateUser, nonce);
     ctx.set("Content-Security-Policy", `script-src 'nonce-${nonce}'`);
     ctx.send(html);
   } catch (e) {
-    console.error("ERROR CAUGHT IN OIDC SIGNIN:", e);
-    ctx.send(oauthService2.renderSignUpError("Authentication failed. Please try again."));
+    const msg = e.message ?? "";
+    const errorInfo = classifyOidcError(msg, userInfo);
+    await auditLog2.log({
+      action: errorInfo.action,
+      email: userInfo?.email,
+      ip: ctx.ip,
+      detailsKey: errorInfo.action,
+      detailsParams: errorInfo.action === "login_failure" ? { message: msg } : void 0
+    });
+    strapi.log.error({
+      code: errorInfo.code,
+      phase: "oidc_callback",
+      message: msg || "Unknown sign-in error",
+      detail: errorInfo.key ? getErrorDetail(errorInfo.key, errorInfo.params) : void 0,
+      email: userInfo?.email
+    });
+    ctx.send(oauthService2.renderSignUpError(userFacingMessages.signInError));
   }
 }
 async function logout(ctx) {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
+  const auditLog2 = strapi.plugin("strapi-plugin-oidc").service("auditLog");
   const logoutUrl = config2.OIDC_END_SESSION_ENDPOINT;
+  const adminPanelUrl = strapi.config.get("admin.url", "/admin");
   const isOidcSession = !!ctx.cookies.get("oidc_authenticated");
+  const accessToken = ctx.cookies.get("oidc_access_token");
+  const userEmail = ctx.cookies.get("oidc_user_email") ?? void 0;
   clearAuthCookies(strapi, ctx);
+  if (logoutUrl && isOidcSession && accessToken) {
+    try {
+      const response = await fetch(config2.OIDC_USERINFO_ENDPOINT, {
+        headers: { Authorization: `Bearer ${accessToken}` }
+      });
+      if (response.ok) {
+        if (userEmail)
+          auditLog2.log({ action: "logout", email: userEmail, ip: ctx.ip }).catch(() => {
+          });
+        return ctx.redirect(logoutUrl);
+      }
+      if (userEmail)
+        await auditLog2.log({ action: "session_expired", email: userEmail, ip: ctx.ip });
+      return ctx.redirect(`${adminPanelUrl}/auth/login`);
+    } catch {
+      if (userEmail)
+        await auditLog2.log({ action: "session_expired", email: userEmail, ip: ctx.ip });
+      return ctx.redirect(`${adminPanelUrl}/auth/login`);
+    }
+  }
+  if (isOidcSession && userEmail) {
+    await auditLog2.log({ action: "logout", email: userEmail, ip: ctx.ip });
+  }
   if (logoutUrl && isOidcSession) {
-    ctx.redirect(logoutUrl);
-  } else {
-    const adminPanelUrl = strapi.config.get("admin.url", "/admin");
-    ctx.redirect(`${adminPanelUrl}/auth/login`);
+    return ctx.redirect(logoutUrl);
   }
+  ctx.redirect(`${adminPanelUrl}/auth/login`);
 }
 const oidc = {
   oidcSignIn,
   oidcSignInCallback,
   logout
 };
-async function find(ctx) {
+async function find$1(ctx) {
   const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
   const roles2 = await roleService2.find();
   const oidcConstants = roleService2.getOidcRoles();
@@ -418,14 +749,23 @@ async function update(ctx) {
     await roleService2.update(roles2);
     ctx.send({}, 204);
   } catch (e) {
-    console.error(e);
+    strapi.log.error(e);
     ctx.send({}, 400);
   }
 }
 const role = {
-  find,
+  find: find$1,
   update
 };
+function formatDatetimeForFilename(date) {
+  const year = date.getFullYear();
+  const month = String(date.getMonth() + 1).padStart(2, "0");
+  const day = String(date.getDate()).padStart(2, "0");
+  const hours = String(date.getHours()).padStart(2, "0");
+  const minutes = String(date.getMinutes()).padStart(2, "0");
+  const seconds = String(date.getSeconds()).padStart(2, "0");
+  return `${year}${month}${day}_${hours}${minutes}${seconds}`;
+}
 function getWhitelistService() {
   return strapi.plugin("strapi-plugin-oidc").service("whitelist");
 }
@@ -437,7 +777,8 @@ async function info(ctx) {
     useWhitelist: settings.useWhitelist,
     enforceOIDC: resolveEnforceOIDC(strapi, settings.enforceOIDC),
     enforceOIDCConfig: getEnforceOIDCConfig(strapi),
-    whitelistUsers
+    whitelistUsers,
+    auditLogEnabled: isAuditLogEnabled()
   };
 }
 async function updateSettings(ctx) {
@@ -463,32 +804,25 @@ async function publicSettings(ctx) {
   };
 }
 async function register(ctx) {
-  const { email, roles: roles2 } = ctx.request.body;
+  const { email } = ctx.request.body;
   if (!email) {
     ctx.body = { message: "Please enter a valid email address" };
     return;
   }
   const rawEmails = Array.isArray(email) ? email : email.split(",");
   const emailList = rawEmails.map((e) => String(e).trim().toLowerCase()).filter(Boolean);
-  const existingUsers = await strapi.query("admin::user").findMany({
-    where: { email: { $in: emailList } },
-    populate: ["roles"]
-  });
-  const existingUsersByEmail = new Map(existingUsers.map((u) => [u.email, u]));
   const whitelistService2 = getWhitelistService();
   let matchedExistingUsersCount = 0;
   for (const singleEmail of emailList) {
-    const existingUser = existingUsersByEmail.get(singleEmail);
-    let finalRoles = roles2;
-    if (existingUser?.roles) {
-      finalRoles = existingUser.roles.map((r) => String(r.id));
-      matchedExistingUsersCount++;
-    }
+    const existingUser = await strapi.query("admin::user").findOne({
+      where: { email: singleEmail }
+    });
+    if (existingUser) matchedExistingUsersCount++;
     const alreadyWhitelisted = await strapi.query("plugin::strapi-plugin-oidc.whitelists").findOne({
       where: { email: singleEmail }
     });
     if (!alreadyWhitelisted) {
-      await whitelistService2.registerUser(singleEmail, finalRoles);
+      await whitelistService2.registerUser(singleEmail);
     }
   }
   ctx.body = { matchedExistingUsersCount };
@@ -503,81 +837,52 @@ async function deleteAll(ctx) {
   await strapi.query("plugin::strapi-plugin-oidc.whitelists").deleteMany({});
   ctx.body = {};
 }
+async function exportWhitelist(ctx) {
+  const datetime = formatDatetimeForFilename(/* @__PURE__ */ new Date());
+  ctx.set("Content-Type", "application/json");
+  ctx.set("Content-Disposition", `attachment; filename="strapi-oidc-whitelist-${datetime}.json"`);
+  const whitelistService2 = getWhitelistService();
+  const users = await whitelistService2.getUsers();
+  ctx.body = users.map((u) => ({ email: u.email }));
+}
 async function importUsers(ctx) {
   const { users } = ctx.request.body;
   if (!Array.isArray(users)) {
     ctx.status = 400;
-    ctx.body = { error: "Expected { users: [{email, roles}] }" };
+    ctx.body = { error: "Expected { users: [{email}] }" };
     return;
   }
-  const allRoles = await strapi.query("admin::role").findMany({});
-  const roleNameToId = new Map(allRoles.map((r) => [r.name, String(r.id)]));
-  const resolveRole = (nameOrId) => roleNameToId.get(nameOrId) ?? nameOrId;
-  const normalized = users.filter((u) => u?.email).map((u) => ({
-    email: String(u.email).trim().toLowerCase(),
-    roles: (Array.isArray(u.roles) ? u.roles : []).map(resolveRole)
-  }));
-  const seen = /* @__PURE__ */ new Set();
-  const deduped = normalized.filter((u) => {
-    if (seen.has(u.email)) return false;
-    seen.add(u.email);
-    return true;
-  });
-  const strapiUsers = await strapi.query("admin::user").findMany({
-    where: { email: { $in: deduped.map((u) => u.email) } },
-    populate: ["roles"]
-  });
-  const strapiUserMap = new Map(strapiUsers.map((u) => [u.email, u]));
+  const normalized = users.filter((u) => u?.email).map((u) => String(u.email).trim().toLowerCase()).filter((email) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email));
+  const deduped = [...new Set(normalized)];
   const whitelistService2 = getWhitelistService();
   const existing = await whitelistService2.getUsers();
   const existingEmails = new Set(existing.map((u) => u.email));
   let importedCount = 0;
-  for (const user of deduped) {
-    if (existingEmails.has(user.email)) continue;
-    const strapiUser = strapiUserMap.get(user.email);
-    const finalRoles = strapiUser?.roles?.length ? strapiUser.roles.map((r) => String(r.id)) : user.roles;
-    await whitelistService2.registerUser(user.email, finalRoles);
+  for (const email of deduped) {
+    if (existingEmails.has(email)) continue;
+    await whitelistService2.registerUser(email);
     importedCount++;
   }
   ctx.body = { importedCount };
 }
 async function syncUsers(ctx) {
   const { users: rawUsers } = ctx.request.body;
-  const users = rawUsers.map((u) => ({ ...u, email: String(u.email).toLowerCase() }));
+  const emails = rawUsers.map((u) => String(u.email).toLowerCase()).filter((e) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(e));
   const whitelistService2 = getWhitelistService();
   const currentUsers = await whitelistService2.getUsers();
-  let matchedExistingUsersCount = 0;
-  const emailsToSync = users.map((u) => u.email);
-  const existingStrapiUsers = await strapi.query("admin::user").findMany({
-    where: { email: { $in: emailsToSync } },
-    populate: ["roles"]
-  });
-  const syncEmailSet = new Set(emailsToSync);
+  const syncEmailSet = new Set(emails);
   const currentUsersByEmail = new Map(currentUsers.map((u) => [u.email, u]));
-  const strapiUsersByEmail = new Map(existingStrapiUsers.map((u) => [u.email, u]));
   for (const currUser of currentUsers) {
     if (!syncEmailSet.has(currUser.email)) {
       await whitelistService2.removeUser(currUser.id);
     }
   }
-  for (const user of users) {
-    const currUser = currentUsersByEmail.get(user.email);
-    let finalRoles = user.roles;
-    if (!currUser) {
-      const existingStrapiUser = strapiUsersByEmail.get(user.email);
-      if (existingStrapiUser?.roles) {
-        finalRoles = existingStrapiUser.roles.map((r) => String(r.id));
-        matchedExistingUsersCount++;
-      }
-      await whitelistService2.registerUser(user.email, finalRoles);
-    } else {
-      await strapi.query("plugin::strapi-plugin-oidc.whitelists").update({
-        where: { id: currUser.id },
-        data: { roles: finalRoles }
-      });
+  for (const email of emails) {
+    if (!currentUsersByEmail.has(email)) {
+      await whitelistService2.registerUser(email);
     }
   }
-  ctx.body = { matchedExistingUsersCount };
+  ctx.body = { matchedExistingUsersCount: 0 };
 }
 const whitelist = {
   info,
@@ -587,39 +892,99 @@ const whitelist = {
   removeEmail,
   deleteAll,
   syncUsers,
-  importUsers
+  importUsers,
+  exportWhitelist
+};
+function getAuditLogService() {
+  return strapi.plugin("strapi-plugin-oidc").service("auditLog");
+}
+async function find(ctx) {
+  const page = Math.max(1, Number(ctx.query.page) || 1);
+  const pageSize = Math.min(100, Math.max(1, Number(ctx.query.pageSize) || 25));
+  ctx.body = await getAuditLogService().find({ page, pageSize });
+}
+async function exportLogs(ctx) {
+  const datetime = formatDatetimeForFilename(/* @__PURE__ */ new Date());
+  ctx.set("Content-Type", "application/json");
+  ctx.set("Content-Disposition", `attachment; filename="strapi-oidc-audit-log-${datetime}.json"`);
+  const service = getAuditLogService();
+  const PAGE_SIZE = 1e3;
+  const allRows = [];
+  let page = 1;
+  while (true) {
+    const { results } = await service.find({ page, pageSize: PAGE_SIZE });
+    for (const row of results) {
+      allRows.push({
+        id: row.id,
+        createdAt: row.createdAt,
+        action: row.action,
+        email: row.email ?? null,
+        ip: row.ip ?? null,
+        details: row.details
+      });
+    }
+    if (results.length < PAGE_SIZE) break;
+    page++;
+  }
+  ctx.body = allRows.map((row) => ({
+    datetime: row.createdAt,
+    action: row.action,
+    email: row.email,
+    ip: row.ip,
+    details: row.details
+  }));
+}
+async function clearAll(ctx) {
+  await getAuditLogService().clearAll();
+  ctx.status = 204;
+}
+const auditLog = {
+  find,
+  export: exportLogs,
+  clearAll
 };
 const controllers = {
   oidc,
   role,
-  whitelist
+  whitelist,
+  auditLog
 };
 const rateLimitMap = /* @__PURE__ */ new Map();
 const RATE_LIMIT_WINDOW = 6e4;
-const MAX_REQUESTS = 20;
-const rateLimitMiddleware = async (ctx, next) => {
+const MAX_REQUESTS = 1e3;
+function getRateLimitKey(ctx) {
   const ip = ctx.request.ip;
+  const ua = ctx.request.header["user-agent"] ?? "";
+  const uaHash = createHash("sha256").update(ua).digest("hex").slice(0, 16);
+  return `${ip}:${uaHash}`;
+}
+function rateLimitMiddleware(ctx, next) {
+  const key = getRateLimitKey(ctx);
   const now = Date.now();
   const windowStart = now - RATE_LIMIT_WINDOW;
-  const requestStamps = (rateLimitMap.get(ip) || []).filter((timestamp) => timestamp > windowStart);
+  const requestStamps = (rateLimitMap.get(key) || []).filter(
+    (timestamp) => timestamp > windowStart
+  );
   if (requestStamps.length >= MAX_REQUESTS) {
     ctx.status = 429;
     ctx.body = "Too Many Requests";
     return;
   }
   requestStamps.push(now);
-  rateLimitMap.set(ip, requestStamps);
-  await next();
-};
-const adminPolicies = (action) => ({
-  policies: [
-    "admin::isAuthenticatedAdmin",
-    {
-      name: "admin::hasPermissions",
-      config: { actions: [`plugin::strapi-plugin-oidc.${action}`] }
-    }
-  ]
-});
+  rateLimitMap.set(key, requestStamps);
+  return next();
+}
+function adminPolicies(action) {
+  return {
+    policies: [
+      "admin::isAuthenticatedAdmin",
+      {
+        name: "admin::hasPermissions",
+        config: { actions: [`plugin::strapi-plugin-oidc.${action}`] }
+      }
+    ]
+  };
+}
 const routes = {
   admin: {
     type: "admin",
@@ -701,6 +1066,30 @@ const routes = {
         path: "/whitelist",
         handler: "whitelist.deleteAll",
         config: adminPolicies("update")
+      },
+      {
+        method: "GET",
+        path: "/whitelist/export",
+        handler: "whitelist.exportWhitelist",
+        config: adminPolicies("read")
+      },
+      {
+        method: "GET",
+        path: "/audit-logs",
+        handler: "auditLog.find",
+        config: { policies: ["admin::isAuthenticatedAdmin"] }
+      },
+      {
+        method: "GET",
+        path: "/audit-logs/export",
+        handler: "auditLog.export",
+        config: { policies: ["admin::isAuthenticatedAdmin"] }
+      },
+      {
+        method: "DELETE",
+        path: "/audit-logs",
+        handler: "auditLog.clearAll",
+        config: { policies: ["admin::isAuthenticatedAdmin"] }
       }
     ]
   },
@@ -734,6 +1123,26 @@ const routes = {
         method: "DELETE",
         path: "/whitelist",
         handler: "whitelist.deleteAll"
+      },
+      {
+        method: "GET",
+        path: "/whitelist/export",
+        handler: "whitelist.exportWhitelist"
+      },
+      {
+        method: "GET",
+        path: "/audit-logs",
+        handler: "auditLog.find"
+      },
+      {
+        method: "GET",
+        path: "/audit-logs/export",
+        handler: "auditLog.export"
+      },
+      {
+        method: "DELETE",
+        path: "/audit-logs",
+        handler: "auditLog.clearAll"
       }
     ]
   }
@@ -1104,9 +1513,9 @@ function whitelistService({ strapi: strapi2 }) {
     async getUsers() {
       return getWhitelistQuery().findMany();
     },
-    async registerUser(email, roles2) {
+    async registerUser(email) {
       await getWhitelistQuery().create({
-        data: { email, roles: roles2 }
+        data: { email }
       });
     },
     async removeUser(id) {
@@ -1129,10 +1538,73 @@ function whitelistService({ strapi: strapi2 }) {
     }
   };
 }
+function interpolate(str, params) {
+  if (!params) return str;
+  return str.replace(/\{(\w+)\}/g, (_, key) => String(params[key] ?? `{${key}}`));
+}
+function translateDetails(key, params) {
+  const translation = en[`audit.${key}`];
+  if (!translation) return null;
+  return interpolate(translation, params);
+}
+function auditLogService({ strapi: strapi2 }) {
+  return {
+    async log({ action, email, ip, detailsKey, detailsParams }) {
+      if (!isAuditLogEnabled()) return;
+      await strapi2.db.query("plugin::strapi-plugin-oidc.audit-log").create({
+        data: {
+          action,
+          email: email ?? null,
+          ip: ip ?? null,
+          detailsKey: detailsKey ?? null,
+          detailsParams: detailsParams ?? null
+        }
+      });
+      const eventHub = strapi2.serviceMap?.get?.("eventHub") ?? strapi2.eventHub;
+      if (eventHub) {
+        eventHub.emit(`strapi-plugin-oidc::auth.${action}`, {
+          email,
+          ip,
+          provider: "strapi-plugin-oidc"
+        });
+      }
+    },
+    async find({ page = 1, pageSize = 25 } = {}) {
+      const result = await strapi2.db.query("plugin::strapi-plugin-oidc.audit-log").findPage({
+        sort: { createdAt: "desc" },
+        page,
+        pageSize
+      });
+      const results = result.results.map((row) => ({
+        ...row,
+        details: row.detailsKey ? translateDetails(row.detailsKey, row.detailsParams) : null
+      }));
+      return {
+        results,
+        pagination: result.pagination
+      };
+    },
+    async clearAll() {
+      const BATCH_SIZE = 1e3;
+      let deletedCount;
+      do {
+        const result = await strapi2.db.query("plugin::strapi-plugin-oidc.audit-log").deleteMany({ limit: BATCH_SIZE });
+        deletedCount = result.count;
+      } while (deletedCount === BATCH_SIZE);
+    },
+    async cleanup(retentionDays) {
+      const cutoff = new Date(Date.now() - retentionDays * 864e5);
+      await strapi2.db.query("plugin::strapi-plugin-oidc.audit-log").deleteMany({
+        where: { createdAt: { $lt: cutoff } }
+      });
+    }
+  };
+}
 const services = {
   oauth: oauthService,
   role: roleService,
-  whitelist: whitelistService
+  whitelist: whitelistService,
+  auditLog: auditLogService
 };
 const index = {
   register: register$1,