npm - strapi-plugin-oidc - Versions diffs - 1.5.3 → 1.6.1 - Mend

strapi-plugin-oidc 1.5.3 → 1.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +147 -34
package/dist/admin/{index-DWm8oOJF.js → index-DTOcUHZi.js} +342 -177
package/dist/admin/{index-Dz3WlTpL.mjs → index-DmJadA2p.mjs} +344 -179
package/dist/admin/{index-Dzf0bJC1.mjs → index-P9HriRms.mjs} +31 -6
package/dist/admin/{index-CqgjBmJ5.js → index-f3cmU_tE.js} +31 -6
package/dist/admin/index.js +1 -1
package/dist/admin/index.mjs +1 -1
package/dist/server/index.js +628 -182
package/dist/server/index.mjs +629 -183
package/package.json +1 -1

package/dist/server/index.js CHANGED Viewed

@@ -24,18 +24,31 @@ function resolveEnforceOIDC(strapi2, dbValue) {
   if (configValue !== null) return configValue;
   return dbValue ?? false;
 }
+const PLUGIN_UID = "plugin::strapi-plugin-oidc";
+const DEFAULT_RETENTION_DAYS = 90;
+function getPluginConfig() {
+  return strapi.config.get(PLUGIN_UID);
+}
+function getRetentionDays() {
+  const config2 = getPluginConfig();
+  return Number(config2.AUDIT_LOG_RETENTION_DAYS ?? DEFAULT_RETENTION_DAYS);
+}
+function isAuditLogEnabled() {
+  return getRetentionDays() !== 0;
+}
 async function bootstrap({ strapi: strapi2 }) {
+  const adminUrl = strapi2.config.get("admin.url", "/admin");
+  const authRoutes = [
+    `${adminUrl}/login`,
+    `${adminUrl}/register`,
+    `${adminUrl}/register-admin`,
+    `${adminUrl}/forgot-password`,
+    `${adminUrl}/reset-password`
+  ];
+  const tokenRefreshPath = `${adminUrl}/token/refresh`;
   const enforceOidcMiddleware = async (ctx, next) => {
-    const adminUrl = strapi2.config.get("admin.url", "/admin");
-    const authRoutes = [
-      `${adminUrl}/login`,
-      `${adminUrl}/register`,
-      `${adminUrl}/register-admin`,
-      `${adminUrl}/forgot-password`,
-      `${adminUrl}/reset-password`
-    ];
     const isPostAuth = authRoutes.includes(ctx.request.path) && ctx.request.method === "POST";
-    const isTokenRefresh = ctx.request.path === `${adminUrl}/token/refresh` && ctx.request.method === "POST";
+    const isTokenRefresh = ctx.request.path === tokenRefreshPath && ctx.request.method === "POST";
     if (isPostAuth || isTokenRefresh) {
       try {
         const whitelistService2 = strapi2.plugin("strapi-plugin-oidc").service("whitelist");
@@ -116,14 +129,12 @@ async function bootstrap({ strapi: strapi2 }) {
       where: { oauth_type: "4" }
     });
     if (oidcRoleCount === 0) {
-      const editorRole = await strapi2.query("admin::role").findOne({
-        where: { code: "strapi-editor" }
-      });
-      if (editorRole) {
+      const defaultRole = await strapi2.query("admin::role").findOne({ where: { code: "strapi-editor" } }) ?? await strapi2.query("admin::role").findOne({});
+      if (defaultRole) {
         await strapi2.query("plugin::strapi-plugin-oidc.roles").create({
           data: {
             oauth_type: "4",
-            roles: [editorRole.id.toString()]
+            roles: [defaultRole.id.toString()]
           }
         });
       }
@@ -131,25 +142,18 @@ async function bootstrap({ strapi: strapi2 }) {
   } catch (err) {
     strapi2.log.warn("Could not initialize default OIDC role:", err.message);
   }
-  strapi2.db.lifecycles.subscribe({
-    models: ["admin::user"],
-    async afterUpdate(event) {
-      const { result } = event;
-      if (!result?.email) return;
-      const query = strapi2.query("plugin::strapi-plugin-oidc.whitelists");
-      const whitelistEntry = await query.findOne({ where: { email: result.email } });
-      if (!whitelistEntry) return;
-      const userWithRoles = await strapi2.query("admin::user").findOne({
-        where: { id: result.id },
-        populate: ["roles"]
-      });
-      if (userWithRoles?.roles) {
-        const roleIds = userWithRoles.roles.map((r) => r.id.toString());
-        await query.update({
-          where: { id: whitelistEntry.id },
-          data: { roles: roleIds }
-        });
-      }
+  strapi2.cron.add({
+    "strapi-plugin-oidc-audit-log-cleanup": {
+      task: async () => {
+        try {
+          const retentionDays = getRetentionDays();
+          await strapi2.plugin("strapi-plugin-oidc").service("auditLog").cleanup(retentionDays);
+        } catch (err) {
+          strapi2.log.warn("[strapi-plugin-oidc] Audit log cleanup failed:", err.message);
+        }
+      },
+      options: { rule: "0 0 * * *" }
+      // daily at midnight
     }
   });
 }
@@ -170,41 +174,58 @@ const config = {
     OIDC_GIVEN_NAME_FIELD: "given_name",
     OIDC_END_SESSION_ENDPOINT: "",
     OIDC_SSO_BUTTON_TEXT: "Login via SSO",
-    OIDC_ENFORCE: null
+    OIDC_ENFORCE: null,
     // null = use DB setting; true/false = override DB (useful for lockout recovery)
+    AUDIT_LOG_RETENTION_DAYS: 90,
+    OIDC_GROUP_FIELD: "groups",
+    OIDC_GROUP_ROLE_MAP: "{}"
   },
   validator() {
   }
 };
-const info$2 = { "singularName": "roles", "pluralName": "oidc-roles", "collectionName": "oidc-roles", "displayName": "oidc-role", "description": "" };
+const info$3 = { "singularName": "roles", "pluralName": "oidc-roles", "collectionName": "oidc-roles", "displayName": "oidc-role", "description": "" };
+const options$2 = { "draftAndPublish": false };
+const pluginOptions$2 = { "content-manager": { "visible": false }, "content-type-builder": { "visible": false } };
+const attributes$2 = { "oauth_type": { "type": "string", "configurable": false, "required": true }, "roles": { "type": "json", "configurable": false } };
+const schema$2 = {
+  info: info$3,
+  options: options$2,
+  pluginOptions: pluginOptions$2,
+  attributes: attributes$2
+};
+const roles = {
+  schema: schema$2
+};
+const info$2 = { "singularName": "whitelists", "pluralName": "whitelists", "collectionName": "whitelists", "displayName": "whitelist", "description": "" };
 const options$1 = { "draftAndPublish": false };
 const pluginOptions$1 = { "content-manager": { "visible": false }, "content-type-builder": { "visible": false } };
-const attributes$1 = { "oauth_type": { "type": "string", "configurable": false, "required": true }, "roles": { "type": "json", "configurable": false } };
+const attributes$1 = { "email": { "type": "string", "configurable": false, "required": true, "unique": true } };
 const schema$1 = {
   info: info$2,
   options: options$1,
   pluginOptions: pluginOptions$1,
   attributes: attributes$1
 };
-const roles = {
+const whitelists = {
   schema: schema$1
 };
-const info$1 = { "singularName": "whitelists", "pluralName": "whitelists", "collectionName": "whitelists", "displayName": "whitelist", "description": "" };
+const info$1 = { "singularName": "audit-log", "pluralName": "audit-logs", "collectionName": "audit_logs", "displayName": "OIDC Audit Log" };
 const options = { "draftAndPublish": false };
 const pluginOptions = { "content-manager": { "visible": false }, "content-type-builder": { "visible": false } };
-const attributes = { "email": { "type": "string", "configurable": false, "required": true, "unique": true }, "roles": { "type": "json", "configurable": false } };
+const attributes = { "action": { "type": "string", "required": true }, "email": { "type": "string" }, "ip": { "type": "string" }, "detailsKey": { "type": "string" }, "detailsParams": { "type": "json" } };
 const schema = {
   info: info$1,
   options,
   pluginOptions,
   attributes
 };
-const whitelists = {
+const auditLog$1 = {
   schema
 };
 const contentTypes = {
   roles,
-  whitelists
+  whitelists,
+  "audit-log": auditLog$1
 };
 function getExpiredCookieOptions(strapi2, ctx) {
   const isProduction = strapi2.config.get("environment") === "production";
@@ -223,7 +244,130 @@ function clearAuthCookies(strapi2, ctx) {
   ctx.cookies.set("strapi_admin_refresh", "", options2);
   ctx.cookies.set("oidc_authenticated", "", { ...options2, path: "/" });
   ctx.cookies.set("oidc_access_token", "", { ...options2, path: "/" });
+  ctx.cookies.set("oidc_user_email", "", { ...options2, path: "/" });
 }
+const errorCodes = {
+  TOKEN_EXCHANGE_FAILED: "TOKEN_EXCHANGE_FAILED",
+  USERINFO_FETCH_FAILED: "USERINFO_FETCH_FAILED",
+  ID_TOKEN_PARSE_FAILED: "ID_TOKEN_PARSE_FAILED",
+  NONCE_MISMATCH: "NONCE_MISMATCH",
+  ROLE_UPDATE_FAILED: "ROLE_UPDATE_FAILED",
+  USER_CREATION_FAILED: "USER_CREATION_FAILED",
+  WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED"
+};
+function getErrorDetail(key, params) {
+  switch (key) {
+    case "token_exchange_failed":
+      return `Token exchange failed with HTTP status ${params?.status ?? "unknown"}`;
+    case "userinfo_fetch_failed":
+      return `UserInfo endpoint returned HTTP ${params?.status ?? "unknown"}`;
+    case "role_update_failed":
+      return `Role update failed for user ${params?.userId}: ${params?.error ?? "unknown"}`;
+    case "user_creation_failed":
+      return `User creation failed for ${params?.email}: ${params?.error ?? "unknown"}`;
+    case "id_token_parse_failed":
+      return `ID token parse failed: ${params?.error ?? "unknown"}`;
+    case "sign_in_unknown":
+      return `Unknown sign-in error: ${params?.error ?? "unknown"}`;
+    default:
+      return void 0;
+  }
+}
+const en = {
+  "global.plugins.strapi-plugin-oidc": "OIDC Plugin",
+  "page.title": "Configure OIDC default role(s) and access controls.",
+  "roles.notes": "Select the default role(s) assigned to new users upon their first login. This setting does not affect existing users.",
+  "page.save": "Save Changes",
+  "page.save.success": "Updated settings",
+  "page.save.error": "Update failed.",
+  "page.add": "Add",
+  "page.cancel": "Cancel",
+  "page.ok": "OK",
+  "roles.title": "Default Role(s)",
+  "roles.placeholder": "Select default role(s)",
+  "whitelist.title": "Whitelist",
+  "whitelist.error.unique": "Already registered email address.",
+  "whitelist.description": "Restrict OIDC authentication to specific email addresses. Users receive roles from the default OIDC role mapping or their OIDC group.",
+  "alert.title.success": "Success",
+  "alert.title.error": "Error",
+  "alert.title.info": "Info",
+  "pagination.previous": "Go to previous page",
+  "pagination.page": "Go to page {page}",
+  "pagination.next": "Go to next page",
+  "whitelist.table.no": "No.",
+  "whitelist.table.email": "Email",
+  "whitelist.table.created": "Created At",
+  "whitelist.delete.title": "Confirmation",
+  "whitelist.delete.description": "Are you sure you want to delete:",
+  "whitelist.delete.note": "This will not delete the user account in Strapi.",
+  "whitelist.toggle.enabled": "Enabled",
+  "whitelist.toggle.disabled": "Disabled",
+  "whitelist.email.placeholder": "Email address",
+  "whitelist.roles.placeholder": "Select specific role(s)",
+  "whitelist.table.roles": "Role(s)",
+  "whitelist.table.empty": "No email addresses",
+  "whitelist.delete.label": "Delete",
+  "page.title.oidc": "OIDC",
+  "enforce.title": "Enforce OIDC Login",
+  "enforce.toggle.enabled": "Enabled",
+  "enforce.toggle.disabled": "Disabled",
+  "enforce.warning": "Make sure OIDC is setup correctly before saving changes, you won't be able to login normally.",
+  "enforce.config.info": "Enforcement is controlled by the OIDC_ENFORCE config variable and cannot be changed here.",
+  "login.settings.title": "Login Settings",
+  "login.sso": "Login via SSO",
+  "whitelist.count": "{count, plural, one {# entry} other {# entries}}",
+  "whitelist.import": "Import",
+  "whitelist.export": "Export",
+  "whitelist.delete.all.label": "Delete All",
+  "whitelist.delete.all.title": "Delete All Entries",
+  "whitelist.delete.all.description": "This will permanently remove all {count, plural, one {# entry} other {# entries}} from the whitelist. Unsaved changes will be lost.",
+  "whitelist.import.error": "Invalid file — expected a JSON array of objects with an email field.",
+  "whitelist.import.success": "Imported {count, plural, one {# new entry} other {# new entries}}.",
+  "whitelist.import.none": "No new entries — all emails are already in the whitelist.",
+  "unsaved.title": "Unsaved Changes",
+  "unsaved.description": "You have unsaved changes that will be lost if you leave. Do you want to continue?",
+  "unsaved.confirm": "Leave",
+  "unsaved.cancel": "Stay",
+  "whitelist.table.roles.default": "(Default)",
+  "auditlog.title": "Audit Logs",
+  "auditlog.export": "Download",
+  "auditlog.table.timestamp": "Timestamp",
+  "auditlog.table.action": "Action",
+  "auditlog.table.email": "Email",
+  "auditlog.table.ip": "IP",
+  "auditlog.table.details": "Details",
+  "auditlog.table.empty": "No audit log entries",
+  "auditlog.clear": "Clear Logs",
+  "auditlog.clear.title": "Clear All Logs",
+  "auditlog.clear.description": "This will permanently delete all {count, plural, one {# audit log entry} other {# audit log entries}}. This action cannot be undone.",
+  "auditlog.clear.success": "Audit logs cleared",
+  "auditlog.clear.error": "Failed to clear audit logs",
+  "auditlog.export.error": "Failed to export audit logs",
+  "auditlog.action.login_success": "User successfully authenticated via OIDC and was granted access.",
+  "auditlog.action.user_created": "A new Strapi admin account was created for this user on their first OIDC login.",
+  "auditlog.action.logout": "User logged out and their OIDC session was ended.",
+  "auditlog.action.session_expired": "The OIDC access token had expired by the time the user logged out, so the provider session could not be terminated remotely.",
+  "auditlog.action.login_failure": "An unexpected error occurred during the OIDC login flow.",
+  "auditlog.action.missing_code": "The OIDC callback was received without an authorisation code. This may indicate a misconfigured provider or a tampered request.",
+  "auditlog.action.state_mismatch": "The state parameter in the callback did not match the one stored in the session. This may indicate a CSRF attempt or an expired login session.",
+  "auditlog.action.nonce_mismatch": "The nonce in the ID token did not match the one generated at login. This may indicate a token replay attack.",
+  "auditlog.action.token_exchange_failed": "The authorisation code could not be exchanged for tokens. The OIDC provider rejected the request.",
+  "auditlog.action.whitelist_rejected": "The user's email address is not on the whitelist. Access was denied.",
+  "user.missing_code": "Authorisation code was not received from the OIDC provider.",
+  "user.invalid_state": "State parameter mismatch. Please restart the login flow.",
+  "user.signInError": "Authentication failed. Please try again."
+};
+const userFacingMessages = {
+  get missing_code() {
+    return en["user.missing_code"];
+  },
+  get invalid_state() {
+    return en["user.invalid_state"];
+  },
+  get signInError() {
+    return en["user.signInError"];
+  }
+};
 const REQUIRED_CONFIG_KEYS = [
   "OIDC_CLIENT_ID",
   "OIDC_CLIENT_SECRET",
@@ -261,15 +405,16 @@ async function oidcSignIn(ctx) {
   ctx.cookies.set("oidc_code_verifier", codeVerifier, cookieOptions);
   ctx.cookies.set("oidc_state", state, cookieOptions);
   ctx.cookies.set("oidc_nonce", nonce, cookieOptions);
-  const params = new URLSearchParams();
-  params.append("response_type", "code");
-  params.append("client_id", OIDC_CLIENT_ID);
-  params.append("redirect_uri", OIDC_REDIRECT_URI);
-  params.append("scope", OIDC_SCOPE);
-  params.append("code_challenge", codeChallenge);
-  params.append("code_challenge_method", "S256");
-  params.append("state", state);
-  params.append("nonce", nonce);
+  const params = new URLSearchParams({
+    response_type: "code",
+    client_id: OIDC_CLIENT_ID,
+    redirect_uri: OIDC_REDIRECT_URI,
+    scope: OIDC_SCOPE,
+    code_challenge: codeChallenge,
+    code_challenge_method: "S256",
+    state,
+    nonce
+  });
   const authorizationUrl = `${OIDC_AUTHORIZATION_ENDPOINT}?${params.toString()}`;
   ctx.set("Location", authorizationUrl);
   return ctx.send({}, 302);
@@ -307,14 +452,35 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
   const userInfo = await userResponse.json();
   return { userInfo, accessToken: tokenData.access_token };
 }
-async function registerNewUser(userService, oauthService2, roleService2, email, userResponseData, whitelistUser, config2, ctx) {
-  let roles2 = [];
-  if (whitelistUser?.roles?.length > 0) {
-    roles2 = whitelistUser.roles;
-  } else {
-    const oidcRoles = await roleService2.oidcRoles();
-    roles2 = oidcRoles?.roles || [];
+function resolveRolesFromGroups(userInfo, config2, availableRoles) {
+  const rawGroups = userInfo[config2.OIDC_GROUP_FIELD];
+  if (!Array.isArray(rawGroups) || rawGroups.length === 0) return [];
+  const groups = rawGroups.filter((g) => typeof g === "string");
+  const raw = config2.OIDC_GROUP_ROLE_MAP;
+  let groupRoleMap;
+  try {
+    groupRoleMap = typeof raw === "string" ? JSON.parse(raw) : raw;
+  } catch {
+    return [];
   }
+  const roleIdSet = /* @__PURE__ */ new Set();
+  for (const group of groups) {
+    const roleNames = groupRoleMap[group];
+    if (!roleNames) continue;
+    for (const name of roleNames) {
+      const match = availableRoles.find((r) => r.name === name);
+      if (match) roleIdSet.add(String(match.id));
+    }
+  }
+  return [...roleIdSet];
+}
+async function resolveRoles(userInfo, config2, roleService2, availableRoles) {
+  const groupRoles = resolveRolesFromGroups(userInfo, config2, availableRoles);
+  if (groupRoles.length > 0) return groupRoles;
+  const oidcRoles = await roleService2.oidcRoles();
+  return oidcRoles?.roles || [];
+}
+async function registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2) {
   const defaultLocale = oauthService2.localeFindByHeader(
     ctx.request.headers
   );
@@ -329,21 +495,106 @@ async function registerNewUser(userService, oauthService2, roleService2, email,
   return activateUser;
 }
 async function handleUserAuthentication(userService, oauthService2, roleService2, whitelistService2, userResponseData, config2, ctx) {
-  const email = String(userResponseData.email).toLowerCase();
-  const whitelistUser = await whitelistService2.checkWhitelistForEmail(email);
-  const activateUser = await userService.findOneByEmail(email) ?? await registerNewUser(
-    userService,
-    oauthService2,
-    roleService2,
-    email,
-    userResponseData,
-    whitelistUser,
-    config2,
-    ctx
-  );
+  const rawEmail = String(userResponseData.email ?? "");
+  const email = rawEmail.toLowerCase();
+  if (!email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+    throw new Error("Invalid email address received from OIDC provider");
+  }
+  await whitelistService2.checkWhitelistForEmail(email);
+  const allRoles = await strapi.db.query("admin::role").findMany();
+  const roles2 = await resolveRoles(userResponseData, config2, roleService2, allRoles);
+  const resolvedRoleNames = allRoles.filter((r) => roles2.includes(String(r.id))).map((r) => r.name);
+  let userCreated = false;
+  let rolesUpdated = false;
+  let activateUser = await userService.findOneByEmail(email);
+  if (!activateUser) {
+    activateUser = await registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2);
+    userCreated = true;
+  } else if (roles2.length > 0) {
+    const currentRoleIds = new Set((activateUser.roles ?? []).map((r) => String(r.id)));
+    const newRoleIds = new Set(roles2);
+    const rolesChanged = currentRoleIds.size !== newRoleIds.size || [...newRoleIds].some((id) => !currentRoleIds.has(id));
+    if (rolesChanged) {
+      try {
+        strapi.log.info(
+          `[OIDC] Roles updated for user ${activateUser.id}: [${[...currentRoleIds].join(",")}] -> [${roles2.join(",")}]`
+        );
+        await strapi.db.query("admin::user").update({
+          where: { id: activateUser.id },
+          data: { roles: roles2 }
+        });
+        rolesUpdated = true;
+      } catch (updateErr) {
+        strapi.log.error({
+          code: errorCodes.ROLE_UPDATE_FAILED,
+          userId: activateUser.id,
+          detail: getErrorDetail("role_update_failed", {
+            userId: activateUser.id,
+            error: updateErr.message
+          })
+        });
+        throw updateErr;
+      }
+    }
+  }
   const jwtToken = await oauthService2.generateToken(activateUser, ctx);
   oauthService2.triggerSignInSuccess(activateUser);
-  return { activateUser, jwtToken };
+  return { activateUser, jwtToken, userCreated, rolesUpdated, resolvedRoleNames };
+}
+function classifyOidcError(msg, userInfo) {
+  const errorMap = [
+    {
+      test: (m) => m.includes("whitelist"),
+      result: {
+        action: "whitelist_rejected",
+        code: errorCodes.WHITELIST_CHECK_FAILED,
+        key: "whitelist_rejected"
+      }
+    },
+    {
+      test: (m) => m === "Nonce mismatch",
+      result: { action: "nonce_mismatch", code: errorCodes.NONCE_MISMATCH }
+    },
+    {
+      test: (m) => m === "Token exchange failed",
+      result: { action: "token_exchange_failed", code: errorCodes.TOKEN_EXCHANGE_FAILED }
+    },
+    {
+      test: (m) => m === "Failed to fetch user info",
+      result: {
+        action: "login_failure",
+        code: errorCodes.USERINFO_FETCH_FAILED,
+        key: "userinfo_fetch_failed"
+      }
+    },
+    {
+      test: (m) => m === "Failed to parse ID token",
+      result: {
+        action: "login_failure",
+        code: errorCodes.ID_TOKEN_PARSE_FAILED,
+        key: "id_token_parse_failed",
+        params: { error: msg }
+      }
+    },
+    {
+      test: (m) => m === "User creation failed" || m.includes("createUser"),
+      result: {
+        action: "login_failure",
+        code: errorCodes.USER_CREATION_FAILED,
+        key: "user_creation_failed",
+        params: userInfo?.email ? { email: userInfo.email, error: msg } : void 0
+      }
+    }
+  ];
+  for (const { test, result } of errorMap) {
+    if (test(msg)) return result;
+  }
+  return {
+    action: "login_failure",
+    code: errorCodes.TOKEN_EXCHANGE_FAILED,
+    key: "sign_in_unknown",
+    params: { error: msg || "unknown" }
+  };
 }
 async function oidcSignInCallback(ctx) {
   const config2 = configValidation();
@@ -351,8 +602,10 @@ async function oidcSignInCallback(ctx) {
   const oauthService2 = strapi.plugin("strapi-plugin-oidc").service("oauth");
   const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
   const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
+  const auditLog2 = strapi.plugin("strapi-plugin-oidc").service("auditLog");
   if (!ctx.query.code) {
-    return ctx.send(oauthService2.renderSignUpError("code Not Found"));
+    await auditLog2.log({ action: "missing_code", ip: ctx.ip });
+    return ctx.send(oauthService2.renderSignUpError(userFacingMessages.missing_code));
   }
   const oidcState = ctx.cookies.get("oidc_state");
   const codeVerifier = ctx.cookies.get("oidc_code_verifier");
@@ -361,21 +614,22 @@ async function oidcSignInCallback(ctx) {
   ctx.cookies.set("oidc_code_verifier", null);
   ctx.cookies.set("oidc_nonce", null);
   if (!ctx.query.state || ctx.query.state !== oidcState) {
-    return ctx.send(oauthService2.renderSignUpError("Invalid state"));
+    await auditLog2.log({ action: "state_mismatch", ip: ctx.ip });
+    return ctx.send(oauthService2.renderSignUpError(userFacingMessages.invalid_state));
   }
-  const params = new URLSearchParams();
-  params.append("code", ctx.query.code);
-  params.append("client_id", config2.OIDC_CLIENT_ID);
-  params.append("client_secret", config2.OIDC_CLIENT_SECRET);
-  params.append("redirect_uri", config2.OIDC_REDIRECT_URI);
-  params.append("grant_type", config2.OIDC_GRANT_TYPE);
-  params.append("code_verifier", codeVerifier ?? "");
+  const params = new URLSearchParams({
+    code: ctx.query.code,
+    client_id: config2.OIDC_CLIENT_ID,
+    client_secret: config2.OIDC_CLIENT_SECRET,
+    redirect_uri: config2.OIDC_REDIRECT_URI,
+    grant_type: config2.OIDC_GRANT_TYPE,
+    code_verifier: codeVerifier ?? ""
+  });
+  let userInfo;
   try {
-    const { userInfo, accessToken } = await exchangeTokenAndFetchUserInfo(
-      config2,
-      params,
-      oidcNonce ?? ""
-    );
+    const exchangeResult = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce ?? "");
+    userInfo = exchangeResult.userInfo;
+    const accessToken = exchangeResult.accessToken;
     const isProduction = strapi.config.get("environment") === "production";
     ctx.cookies.set("oidc_access_token", accessToken, {
       httpOnly: true,
@@ -384,7 +638,7 @@ async function oidcSignInCallback(ctx) {
       secure: isProduction && ctx.request.secure,
       sameSite: "lax"
     });
-    const { activateUser, jwtToken } = await handleUserAuthentication(
+    const { activateUser, jwtToken, userCreated, rolesUpdated, resolvedRoleNames } = await handleUserAuthentication(
       userService,
       oauthService2,
       roleService2,
@@ -393,21 +647,61 @@ async function oidcSignInCallback(ctx) {
       config2,
       ctx
     );
+    const identityCookieOptions = {
+      httpOnly: true,
+      path: "/",
+      secure: isProduction && ctx.request.secure,
+      sameSite: "lax"
+    };
+    ctx.cookies.set("oidc_user_email", activateUser.email, identityCookieOptions);
+    if (userCreated) {
+      await auditLog2.log({
+        action: "user_created",
+        email: activateUser.email,
+        ip: ctx.ip,
+        detailsKey: "user_created",
+        detailsParams: { roles: resolvedRoleNames.join(", ") }
+      });
+    }
+    await auditLog2.log({
+      action: "login_success",
+      email: activateUser.email,
+      ip: ctx.ip,
+      detailsKey: rolesUpdated ? "roles_updated" : void 0,
+      detailsParams: rolesUpdated ? { roles: resolvedRoleNames.join(", ") } : void 0
+    });
     const nonce = node_crypto.randomUUID();
     const html = oauthService2.renderSignUpSuccess(jwtToken, activateUser, nonce);
     ctx.set("Content-Security-Policy", `script-src 'nonce-${nonce}'`);
     ctx.send(html);
   } catch (e) {
-    console.error("ERROR CAUGHT IN OIDC SIGNIN:", e);
-    ctx.send(oauthService2.renderSignUpError("Authentication failed. Please try again."));
+    const msg = e.message ?? "";
+    const errorInfo = classifyOidcError(msg, userInfo);
+    await auditLog2.log({
+      action: errorInfo.action,
+      email: userInfo?.email,
+      ip: ctx.ip,
+      detailsKey: errorInfo.action,
+      detailsParams: errorInfo.action === "login_failure" ? { message: msg } : void 0
+    });
+    strapi.log.error({
+      code: errorInfo.code,
+      phase: "oidc_callback",
+      message: msg || "Unknown sign-in error",
+      detail: errorInfo.key ? getErrorDetail(errorInfo.key, errorInfo.params) : void 0,
+      email: userInfo?.email
+    });
+    ctx.send(oauthService2.renderSignUpError(userFacingMessages.signInError));
   }
 }
 async function logout(ctx) {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
+  const auditLog2 = strapi.plugin("strapi-plugin-oidc").service("auditLog");
   const logoutUrl = config2.OIDC_END_SESSION_ENDPOINT;
   const adminPanelUrl = strapi.config.get("admin.url", "/admin");
   const isOidcSession = !!ctx.cookies.get("oidc_authenticated");
   const accessToken = ctx.cookies.get("oidc_access_token");
+  const userEmail = ctx.cookies.get("oidc_user_email") ?? void 0;
   clearAuthCookies(strapi, ctx);
   if (logoutUrl && isOidcSession && accessToken) {
     try {
@@ -415,11 +709,22 @@ async function logout(ctx) {
         headers: { Authorization: `Bearer ${accessToken}` }
       });
       if (response.ok) {
+        if (userEmail)
+          auditLog2.log({ action: "logout", email: userEmail, ip: ctx.ip }).catch(() => {
+          });
         return ctx.redirect(logoutUrl);
       }
+      if (userEmail)
+        await auditLog2.log({ action: "session_expired", email: userEmail, ip: ctx.ip });
+      return ctx.redirect(`${adminPanelUrl}/auth/login`);
     } catch {
+      if (userEmail)
+        await auditLog2.log({ action: "session_expired", email: userEmail, ip: ctx.ip });
+      return ctx.redirect(`${adminPanelUrl}/auth/login`);
     }
-    return ctx.redirect(`${adminPanelUrl}/auth/login`);
+  }
+  if (isOidcSession && userEmail) {
+    await auditLog2.log({ action: "logout", email: userEmail, ip: ctx.ip });
   }
   if (logoutUrl && isOidcSession) {
     return ctx.redirect(logoutUrl);
@@ -431,7 +736,7 @@ const oidc = {
   oidcSignInCallback,
   logout
 };
-async function find(ctx) {
+async function find$1(ctx) {
   const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
   const roles2 = await roleService2.find();
   const oidcConstants = roleService2.getOidcRoles();
@@ -450,14 +755,23 @@ async function update(ctx) {
     await roleService2.update(roles2);
     ctx.send({}, 204);
   } catch (e) {
-    console.error(e);
+    strapi.log.error(e);
     ctx.send({}, 400);
   }
 }
 const role = {
-  find,
+  find: find$1,
   update
 };
+function formatDatetimeForFilename(date) {
+  const year = date.getFullYear();
+  const month = String(date.getMonth() + 1).padStart(2, "0");
+  const day = String(date.getDate()).padStart(2, "0");
+  const hours = String(date.getHours()).padStart(2, "0");
+  const minutes = String(date.getMinutes()).padStart(2, "0");
+  const seconds = String(date.getSeconds()).padStart(2, "0");
+  return `${year}${month}${day}_${hours}${minutes}${seconds}`;
+}
 function getWhitelistService() {
   return strapi.plugin("strapi-plugin-oidc").service("whitelist");
 }
@@ -469,7 +783,8 @@ async function info(ctx) {
     useWhitelist: settings.useWhitelist,
     enforceOIDC: resolveEnforceOIDC(strapi, settings.enforceOIDC),
     enforceOIDCConfig: getEnforceOIDCConfig(strapi),
-    whitelistUsers
+    whitelistUsers,
+    auditLogEnabled: isAuditLogEnabled()
   };
 }
 async function updateSettings(ctx) {
@@ -495,121 +810,85 @@ async function publicSettings(ctx) {
   };
 }
 async function register(ctx) {
-  const { email, roles: roles2 } = ctx.request.body;
+  const { email } = ctx.request.body;
   if (!email) {
     ctx.body = { message: "Please enter a valid email address" };
     return;
   }
   const rawEmails = Array.isArray(email) ? email : email.split(",");
   const emailList = rawEmails.map((e) => String(e).trim().toLowerCase()).filter(Boolean);
-  const existingUsers = await strapi.query("admin::user").findMany({
-    where: { email: { $in: emailList } },
-    populate: ["roles"]
-  });
-  const existingUsersByEmail = new Map(existingUsers.map((u) => [u.email, u]));
   const whitelistService2 = getWhitelistService();
   let matchedExistingUsersCount = 0;
   for (const singleEmail of emailList) {
-    const existingUser = existingUsersByEmail.get(singleEmail);
-    let finalRoles = roles2;
-    if (existingUser?.roles) {
-      finalRoles = existingUser.roles.map((r) => String(r.id));
-      matchedExistingUsersCount++;
-    }
+    const existingUser = await strapi.query("admin::user").findOne({
+      where: { email: singleEmail }
+    });
+    if (existingUser) matchedExistingUsersCount++;
     const alreadyWhitelisted = await strapi.query("plugin::strapi-plugin-oidc.whitelists").findOne({
       where: { email: singleEmail }
     });
     if (!alreadyWhitelisted) {
-      await whitelistService2.registerUser(singleEmail, finalRoles);
+      await whitelistService2.registerUser(singleEmail);
     }
   }
   ctx.body = { matchedExistingUsersCount };
 }
 async function removeEmail(ctx) {
-  const { id } = ctx.params;
+  const { email } = ctx.params;
   const whitelistService2 = getWhitelistService();
-  await whitelistService2.removeUser(id);
+  await whitelistService2.removeUser(email);
   ctx.body = {};
 }
 async function deleteAll(ctx) {
   await strapi.query("plugin::strapi-plugin-oidc.whitelists").deleteMany({});
   ctx.body = {};
 }
+async function exportWhitelist(ctx) {
+  const datetime = formatDatetimeForFilename(/* @__PURE__ */ new Date());
+  ctx.set("Content-Type", "application/json");
+  ctx.set("Content-Disposition", `attachment; filename="strapi-oidc-whitelist-${datetime}.json"`);
+  const whitelistService2 = getWhitelistService();
+  const users = await whitelistService2.getUsers();
+  ctx.body = users.map((u) => ({ email: u.email }));
+}
 async function importUsers(ctx) {
   const { users } = ctx.request.body;
   if (!Array.isArray(users)) {
     ctx.status = 400;
-    ctx.body = { error: "Expected { users: [{email, roles}] }" };
+    ctx.body = { error: "Expected { users: [{email}] }" };
     return;
   }
-  const allRoles = await strapi.query("admin::role").findMany({});
-  const roleNameToId = new Map(allRoles.map((r) => [r.name, String(r.id)]));
-  const resolveRole = (nameOrId) => roleNameToId.get(nameOrId) ?? nameOrId;
-  const normalized = users.filter((u) => u?.email).map((u) => ({
-    email: String(u.email).trim().toLowerCase(),
-    roles: (Array.isArray(u.roles) ? u.roles : []).map(resolveRole)
-  }));
-  const seen = /* @__PURE__ */ new Set();
-  const deduped = normalized.filter((u) => {
-    if (seen.has(u.email)) return false;
-    seen.add(u.email);
-    return true;
-  });
-  const strapiUsers = await strapi.query("admin::user").findMany({
-    where: { email: { $in: deduped.map((u) => u.email) } },
-    populate: ["roles"]
-  });
-  const strapiUserMap = new Map(strapiUsers.map((u) => [u.email, u]));
+  const normalized = users.filter((u) => u?.email).map((u) => String(u.email).trim().toLowerCase()).filter((email) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email));
+  const deduped = [...new Set(normalized)];
   const whitelistService2 = getWhitelistService();
   const existing = await whitelistService2.getUsers();
   const existingEmails = new Set(existing.map((u) => u.email));
   let importedCount = 0;
-  for (const user of deduped) {
-    if (existingEmails.has(user.email)) continue;
-    const strapiUser = strapiUserMap.get(user.email);
-    const finalRoles = strapiUser?.roles?.length ? strapiUser.roles.map((r) => String(r.id)) : user.roles;
-    await whitelistService2.registerUser(user.email, finalRoles);
+  for (const email of deduped) {
+    if (existingEmails.has(email)) continue;
+    await whitelistService2.registerUser(email);
     importedCount++;
   }
   ctx.body = { importedCount };
 }
 async function syncUsers(ctx) {
   const { users: rawUsers } = ctx.request.body;
-  const users = rawUsers.map((u) => ({ ...u, email: String(u.email).toLowerCase() }));
+  const emails = rawUsers.map((u) => String(u.email).toLowerCase()).filter((e) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(e));
   const whitelistService2 = getWhitelistService();
   const currentUsers = await whitelistService2.getUsers();
-  let matchedExistingUsersCount = 0;
-  const emailsToSync = users.map((u) => u.email);
-  const existingStrapiUsers = await strapi.query("admin::user").findMany({
-    where: { email: { $in: emailsToSync } },
-    populate: ["roles"]
-  });
-  const syncEmailSet = new Set(emailsToSync);
+  const syncEmailSet = new Set(emails);
   const currentUsersByEmail = new Map(currentUsers.map((u) => [u.email, u]));
-  const strapiUsersByEmail = new Map(existingStrapiUsers.map((u) => [u.email, u]));
   for (const currUser of currentUsers) {
     if (!syncEmailSet.has(currUser.email)) {
-      await whitelistService2.removeUser(currUser.id);
+      await whitelistService2.removeUser(currUser.email);
     }
   }
-  for (const user of users) {
-    const currUser = currentUsersByEmail.get(user.email);
-    let finalRoles = user.roles;
-    if (!currUser) {
-      const existingStrapiUser = strapiUsersByEmail.get(user.email);
-      if (existingStrapiUser?.roles) {
-        finalRoles = existingStrapiUser.roles.map((r) => String(r.id));
-        matchedExistingUsersCount++;
-      }
-      await whitelistService2.registerUser(user.email, finalRoles);
-    } else {
-      await strapi.query("plugin::strapi-plugin-oidc.whitelists").update({
-        where: { id: currUser.id },
-        data: { roles: finalRoles }
-      });
+  for (const email of emails) {
+    if (!currentUsersByEmail.has(email)) {
+      await whitelistService2.registerUser(email);
     }
   }
-  ctx.body = { matchedExistingUsersCount };
+  ctx.body = { matchedExistingUsersCount: 0 };
 }
 const whitelist = {
   info,
@@ -619,39 +898,99 @@ const whitelist = {
   removeEmail,
   deleteAll,
   syncUsers,
-  importUsers
+  importUsers,
+  exportWhitelist
+};
+function getAuditLogService() {
+  return strapi.plugin("strapi-plugin-oidc").service("auditLog");
+}
+async function find(ctx) {
+  const page = Math.max(1, Number(ctx.query.page) || 1);
+  const pageSize = Math.min(100, Math.max(1, Number(ctx.query.pageSize) || 25));
+  ctx.body = await getAuditLogService().find({ page, pageSize });
+}
+async function exportLogs(ctx) {
+  const datetime = formatDatetimeForFilename(/* @__PURE__ */ new Date());
+  ctx.set("Content-Type", "application/json");
+  ctx.set("Content-Disposition", `attachment; filename="strapi-oidc-audit-log-${datetime}.json"`);
+  const service = getAuditLogService();
+  const PAGE_SIZE = 1e3;
+  const allRows = [];
+  let page = 1;
+  while (true) {
+    const { results } = await service.find({ page, pageSize: PAGE_SIZE });
+    for (const row of results) {
+      allRows.push({
+        id: row.id,
+        createdAt: row.createdAt,
+        action: row.action,
+        email: row.email ?? null,
+        ip: row.ip ?? null,
+        details: row.details
+      });
+    }
+    if (results.length < PAGE_SIZE) break;
+    page++;
+  }
+  ctx.body = allRows.map((row) => ({
+    datetime: row.createdAt,
+    action: row.action,
+    email: row.email,
+    ip: row.ip,
+    details: row.details
+  }));
+}
+async function clearAll(ctx) {
+  await getAuditLogService().clearAll();
+  ctx.status = 204;
+}
+const auditLog = {
+  find,
+  export: exportLogs,
+  clearAll
 };
 const controllers = {
   oidc,
   role,
-  whitelist
+  whitelist,
+  auditLog
 };
 const rateLimitMap = /* @__PURE__ */ new Map();
 const RATE_LIMIT_WINDOW = 6e4;
-const MAX_REQUESTS = 20;
-const rateLimitMiddleware = async (ctx, next) => {
+const MAX_REQUESTS = 1e3;
+function getRateLimitKey(ctx) {
   const ip = ctx.request.ip;
+  const ua = ctx.request.header["user-agent"] ?? "";
+  const uaHash = node_crypto.createHash("sha256").update(ua).digest("hex").slice(0, 16);
+  return `${ip}:${uaHash}`;
+}
+function rateLimitMiddleware(ctx, next) {
+  const key = getRateLimitKey(ctx);
   const now = Date.now();
   const windowStart = now - RATE_LIMIT_WINDOW;
-  const requestStamps = (rateLimitMap.get(ip) || []).filter((timestamp) => timestamp > windowStart);
+  const requestStamps = (rateLimitMap.get(key) || []).filter(
+    (timestamp) => timestamp > windowStart
+  );
   if (requestStamps.length >= MAX_REQUESTS) {
     ctx.status = 429;
     ctx.body = "Too Many Requests";
     return;
   }
   requestStamps.push(now);
-  rateLimitMap.set(ip, requestStamps);
-  await next();
-};
-const adminPolicies = (action) => ({
-  policies: [
-    "admin::isAuthenticatedAdmin",
-    {
-      name: "admin::hasPermissions",
-      config: { actions: [`plugin::strapi-plugin-oidc.${action}`] }
-    }
-  ]
-});
+  rateLimitMap.set(key, requestStamps);
+  return next();
+}
+function adminPolicies(action) {
+  return {
+    policies: [
+      "admin::isAuthenticatedAdmin",
+      {
+        name: "admin::hasPermissions",
+        config: { actions: [`plugin::strapi-plugin-oidc.${action}`] }
+      }
+    ]
+  };
+}
 const routes = {
   admin: {
     type: "admin",
@@ -724,7 +1063,7 @@ const routes = {
       },
       {
         method: "DELETE",
-        path: "/whitelist/:id",
+        path: "/whitelist/:email",
         handler: "whitelist.removeEmail",
         config: adminPolicies("update")
       },
@@ -733,6 +1072,30 @@ const routes = {
         path: "/whitelist",
         handler: "whitelist.deleteAll",
         config: adminPolicies("update")
+      },
+      {
+        method: "GET",
+        path: "/whitelist/export",
+        handler: "whitelist.exportWhitelist",
+        config: adminPolicies("read")
+      },
+      {
+        method: "GET",
+        path: "/audit-logs",
+        handler: "auditLog.find",
+        config: { policies: ["admin::isAuthenticatedAdmin"] }
+      },
+      {
+        method: "GET",
+        path: "/audit-logs/export",
+        handler: "auditLog.export",
+        config: { policies: ["admin::isAuthenticatedAdmin"] }
+      },
+      {
+        method: "DELETE",
+        path: "/audit-logs",
+        handler: "auditLog.clearAll",
+        config: { policies: ["admin::isAuthenticatedAdmin"] }
       }
     ]
   },
@@ -759,13 +1122,33 @@ const routes = {
       },
       {
         method: "DELETE",
-        path: "/whitelist/:id",
+        path: "/whitelist/:email",
         handler: "whitelist.removeEmail"
       },
       {
         method: "DELETE",
         path: "/whitelist",
         handler: "whitelist.deleteAll"
+      },
+      {
+        method: "GET",
+        path: "/whitelist/export",
+        handler: "whitelist.exportWhitelist"
+      },
+      {
+        method: "GET",
+        path: "/audit-logs",
+        handler: "auditLog.find"
+      },
+      {
+        method: "GET",
+        path: "/audit-logs/export",
+        handler: "auditLog.export"
+      },
+      {
+        method: "DELETE",
+        path: "/audit-logs",
+        handler: "auditLog.clearAll"
       }
     ]
   }
@@ -1136,14 +1519,14 @@ function whitelistService({ strapi: strapi2 }) {
     async getUsers() {
       return getWhitelistQuery().findMany();
     },
-    async registerUser(email, roles2) {
+    async registerUser(email) {
       await getWhitelistQuery().create({
-        data: { email, roles: roles2 }
+        data: { email }
       });
     },
-    async removeUser(id) {
-      await getWhitelistQuery().delete({
-        where: { id }
+    async removeUser(email) {
+      await strapi2.db.query("plugin::strapi-plugin-oidc.whitelists").deleteMany({
+        where: { email }
       });
     },
     async checkWhitelistForEmail(email) {
@@ -1161,10 +1544,73 @@ function whitelistService({ strapi: strapi2 }) {
     }
   };
 }
+function interpolate(str, params) {
+  if (!params) return str;
+  return str.replace(/\{(\w+)\}/g, (_, key) => String(params[key] ?? `{${key}}`));
+}
+function translateDetails(key, params) {
+  const translation = en[`audit.${key}`];
+  if (!translation) return null;
+  return interpolate(translation, params);
+}
+function auditLogService({ strapi: strapi2 }) {
+  return {
+    async log({ action, email, ip, detailsKey, detailsParams }) {
+      if (!isAuditLogEnabled()) return;
+      await strapi2.db.query("plugin::strapi-plugin-oidc.audit-log").create({
+        data: {
+          action,
+          email: email ?? null,
+          ip: ip ?? null,
+          detailsKey: detailsKey ?? null,
+          detailsParams: detailsParams ?? null
+        }
+      });
+      const eventHub = strapi2.serviceMap?.get?.("eventHub") ?? strapi2.eventHub;
+      if (eventHub) {
+        eventHub.emit(`strapi-plugin-oidc::auth.${action}`, {
+          email,
+          ip,
+          provider: "strapi-plugin-oidc"
+        });
+      }
+    },
+    async find({ page = 1, pageSize = 25 } = {}) {
+      const result = await strapi2.db.query("plugin::strapi-plugin-oidc.audit-log").findPage({
+        sort: { createdAt: "desc" },
+        page,
+        pageSize
+      });
+      const results = result.results.map((row) => ({
+        ...row,
+        details: row.detailsKey ? translateDetails(row.detailsKey, row.detailsParams) : null
+      }));
+      return {
+        results,
+        pagination: result.pagination
+      };
+    },
+    async clearAll() {
+      const BATCH_SIZE = 1e3;
+      let deletedCount;
+      do {
+        const result = await strapi2.db.query("plugin::strapi-plugin-oidc.audit-log").deleteMany({ limit: BATCH_SIZE });
+        deletedCount = result.count;
+      } while (deletedCount === BATCH_SIZE);
+    },
+    async cleanup(retentionDays) {
+      const cutoff = new Date(Date.now() - retentionDays * 864e5);
+      await strapi2.db.query("plugin::strapi-plugin-oidc.audit-log").deleteMany({
+        where: { createdAt: { $lt: cutoff } }
+      });
+    }
+  };
+}
 const services = {
   oauth: oauthService,
   role: roleService,
-  whitelist: whitelistService
+  whitelist: whitelistService,
+  auditLog: auditLogService
 };
 const index = {
   register: register$1,