strapi-plugin-oidc 1.6.0 → 1.6.2

package/README.md

@@ -121,7 +121,12 @@ Role names are the **display names** shown in **Settings → Roles** (e.g. `"Edi
 1. **User's OIDC groups match `OIDC_GROUP_ROLE_MAP`** → use the mapped Strapi roles
 2. **No group match or no mapping configured** → use the default OIDC roles
 
-> **Note:** Existing users' roles are updated on every login to reflect current group membership.
+### Role updates on subsequent logins
+
+- **New users** — OIDC roles are always assigned on first login.
+- **Existing users with manually unchanged roles** — If a user's current roles still match the roles assigned by OIDC on their previous login (i.e., an administrator has not manually changed their roles), their roles are updated to reflect the current group mapping. This ensures that when the group-to-role mapping changes, returning users pick up the new roles automatically.
+- **Existing users with manually changed roles** — If an administrator has manually assigned the user different roles since their last OIDC login, the user's roles are left unchanged. OIDC will not overwrite a manual role assignment.
+- **Mapping removed or user's groups don't map** — If the `OIDC_GROUP_ROLE_MAP` is removed, a user's groups no longer match any mapping, or there are no default OIDC roles configured, the user keeps their last known roles.
 
 ## Whitelist API
 
@@ -140,14 +145,10 @@ API calls write directly to the database — there is no unsaved state.
 
 ### Import format
 
-Accepted by both the API import endpoint and the Admin UI import button. `roles` is optional and accepts role **names** (recommended) or numeric IDs. If the email already exists as a Strapi admin user, their current roles are used automatically.
+Accepted by both the API import endpoint and the Admin UI import button. If the email already exists as a Strapi admin user, their current roles are used automatically.
 
 ```json
-[
-  { "email": "alice@example.com", "roles": ["Editor"] },
-  { "email": "bob@example.com", "roles": ["Editor", "Author"] },
-  { "email": "carol@example.com" }
-]
+[{ "email": "alice@example.com" }, { "email": "bob@example.com" }]
 ```
 
 Duplicate emails within the payload and emails already in the whitelist are silently skipped.
@@ -166,12 +167,12 @@ curl -H "Authorization: Bearer <token>" \
 
 # Add
 curl -X POST -H "Authorization: Bearer <token>" -H "Content-Type: application/json" \
-  -d '{"email": "user@example.com", "roles": ["Editor"]}' \
+  -d '{"email": "user@example.com"}' \
   http://localhost:1337/api/strapi-plugin-oidc/whitelist
 
 # Bulk import
 curl -X POST -H "Authorization: Bearer <token>" -H "Content-Type: application/json" \
-  -d '{"users": [{"email": "a@example.com", "roles": ["Editor"]}, {"email": "b@example.com"}]}' \
+  -d '{"users": [{"email": "a@example.com"}, {"email": "b@example.com"}]}' \
   http://localhost:1337/api/strapi-plugin-oidc/whitelist/import
 
 # Delete one (by email)

package/dist/server/index.js

@@ -494,6 +494,30 @@ async function registerNewUser(oauthService2, email, userResponseData, config2,
   await oauthService2.triggerWebHook(activateUser);
   return activateUser;
 }
+function rolesChanged(current, next) {
+  return current.size !== next.size || [...next].some((id) => !current.has(id));
+}
+async function updateUserRoles(user, currentRoleIds, newRoleIds) {
+  try {
+    strapi.log.info(
+      `[OIDC] Roles updated for user ${user.id}: [${[...currentRoleIds].join(",")}] -> [${newRoleIds.join(",")}]`
+    );
+    await strapi.db.query("admin::user").update({
+      where: { id: user.id },
+      data: { roles: newRoleIds }
+    });
+  } catch (updateErr) {
+    strapi.log.error({
+      code: errorCodes.ROLE_UPDATE_FAILED,
+      userId: user.id,
+      detail: getErrorDetail("role_update_failed", {
+        userId: user.id,
+        error: updateErr.message
+      })
+    });
+    throw updateErr;
+  }
+}
 async function handleUserAuthentication(userService, oauthService2, roleService2, whitelistService2, userResponseData, config2, ctx) {
   const rawEmail = String(userResponseData.email ?? "");
   const email = rawEmail.toLowerCase();
@@ -506,40 +530,26 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
   const resolvedRoleNames = allRoles.filter((r) => roles2.includes(String(r.id))).map((r) => r.name);
   let userCreated = false;
   let rolesUpdated = false;
-  let activateUser = await userService.findOneByEmail(email);
-  if (!activateUser) {
-    activateUser = await registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2);
+  let user = await userService.findOneByEmail(email, ["roles"]);
+  if (!user) {
+    user = await registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2);
     userCreated = true;
+    rolesUpdated = true;
   } else if (roles2.length > 0) {
-    const currentRoleIds = new Set((activateUser.roles ?? []).map((r) => String(r.id)));
+    const defaultRoleIds = new Set(user.roles.map((r) => String(r.id)));
+    const currentRoleIds = new Set(user.roles.map((r) => String(r.id)));
     const newRoleIds = new Set(roles2);
-    const rolesChanged = currentRoleIds.size !== newRoleIds.size || [...newRoleIds].some((id) => !currentRoleIds.has(id));
-    if (rolesChanged) {
-      try {
-        strapi.log.info(
-          `[OIDC] Roles updated for user ${activateUser.id}: [${[...currentRoleIds].join(",")}] -> [${roles2.join(",")}]`
-        );
-        await strapi.db.query("admin::user").update({
-          where: { id: activateUser.id },
-          data: { roles: roles2 }
-        });
+    if (rolesChanged(currentRoleIds, newRoleIds)) {
+      const isOnDefaultRoles = currentRoleIds.size === defaultRoleIds.size && [...currentRoleIds].every((id) => defaultRoleIds.has(id));
+      if (isOnDefaultRoles) {
+        await updateUserRoles(user, currentRoleIds, roles2);
         rolesUpdated = true;
-      } catch (updateErr) {
-        strapi.log.error({
-          code: errorCodes.ROLE_UPDATE_FAILED,
-          userId: activateUser.id,
-          detail: getErrorDetail("role_update_failed", {
-            userId: activateUser.id,
-            error: updateErr.message
-          })
-        });
-        throw updateErr;
       }
     }
   }
-  const jwtToken = await oauthService2.generateToken(activateUser, ctx);
-  oauthService2.triggerSignInSuccess(activateUser);
-  return { activateUser, jwtToken, userCreated, rolesUpdated, resolvedRoleNames };
+  const jwtToken = await oauthService2.generateToken(user, ctx);
+  oauthService2.triggerSignInSuccess(user);
+  return { activateUser: user, jwtToken, userCreated, rolesUpdated, resolvedRoleNames };
 }
 function classifyOidcError(msg, userInfo) {
   const errorMap = [
@@ -834,9 +844,9 @@ async function register(ctx) {
   ctx.body = { matchedExistingUsersCount };
 }
 async function removeEmail(ctx) {
-  const { id } = ctx.params;
+  const { email } = ctx.params;
   const whitelistService2 = getWhitelistService();
-  await whitelistService2.removeUser(id);
+  await whitelistService2.removeUser(email);
   ctx.body = {};
 }
 async function deleteAll(ctx) {
@@ -880,7 +890,7 @@ async function syncUsers(ctx) {
   const currentUsersByEmail = new Map(currentUsers.map((u) => [u.email, u]));
   for (const currUser of currentUsers) {
     if (!syncEmailSet.has(currUser.email)) {
-      await whitelistService2.removeUser(currUser.id);
+      await whitelistService2.removeUser(currUser.email);
     }
   }
   for (const email of emails) {
@@ -1063,7 +1073,7 @@ const routes = {
       },
       {
         method: "DELETE",
-        path: "/whitelist/:id",
+        path: "/whitelist/:email",
         handler: "whitelist.removeEmail",
         config: adminPolicies("update")
       },
@@ -1122,7 +1132,7 @@ const routes = {
       },
       {
         method: "DELETE",
-        path: "/whitelist/:id",
+        path: "/whitelist/:email",
         handler: "whitelist.removeEmail"
       },
       {
@@ -1524,9 +1534,9 @@ function whitelistService({ strapi: strapi2 }) {
         data: { email }
       });
     },
-    async removeUser(id) {
-      await getWhitelistQuery().delete({
-        where: { id }
+    async removeUser(email) {
+      await getWhitelistQuery().deleteMany({
+        where: { email }
       });
     },
     async checkWhitelistForEmail(email) {

package/dist/server/index.mjs

@@ -488,6 +488,30 @@ async function registerNewUser(oauthService2, email, userResponseData, config2,
   await oauthService2.triggerWebHook(activateUser);
   return activateUser;
 }
+function rolesChanged(current, next) {
+  return current.size !== next.size || [...next].some((id) => !current.has(id));
+}
+async function updateUserRoles(user, currentRoleIds, newRoleIds) {
+  try {
+    strapi.log.info(
+      `[OIDC] Roles updated for user ${user.id}: [${[...currentRoleIds].join(",")}] -> [${newRoleIds.join(",")}]`
+    );
+    await strapi.db.query("admin::user").update({
+      where: { id: user.id },
+      data: { roles: newRoleIds }
+    });
+  } catch (updateErr) {
+    strapi.log.error({
+      code: errorCodes.ROLE_UPDATE_FAILED,
+      userId: user.id,
+      detail: getErrorDetail("role_update_failed", {
+        userId: user.id,
+        error: updateErr.message
+      })
+    });
+    throw updateErr;
+  }
+}
 async function handleUserAuthentication(userService, oauthService2, roleService2, whitelistService2, userResponseData, config2, ctx) {
   const rawEmail = String(userResponseData.email ?? "");
   const email = rawEmail.toLowerCase();
@@ -500,40 +524,26 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
   const resolvedRoleNames = allRoles.filter((r) => roles2.includes(String(r.id))).map((r) => r.name);
   let userCreated = false;
   let rolesUpdated = false;
-  let activateUser = await userService.findOneByEmail(email);
-  if (!activateUser) {
-    activateUser = await registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2);
+  let user = await userService.findOneByEmail(email, ["roles"]);
+  if (!user) {
+    user = await registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2);
     userCreated = true;
+    rolesUpdated = true;
   } else if (roles2.length > 0) {
-    const currentRoleIds = new Set((activateUser.roles ?? []).map((r) => String(r.id)));
+    const defaultRoleIds = new Set(user.roles.map((r) => String(r.id)));
+    const currentRoleIds = new Set(user.roles.map((r) => String(r.id)));
     const newRoleIds = new Set(roles2);
-    const rolesChanged = currentRoleIds.size !== newRoleIds.size || [...newRoleIds].some((id) => !currentRoleIds.has(id));
-    if (rolesChanged) {
-      try {
-        strapi.log.info(
-          `[OIDC] Roles updated for user ${activateUser.id}: [${[...currentRoleIds].join(",")}] -> [${roles2.join(",")}]`
-        );
-        await strapi.db.query("admin::user").update({
-          where: { id: activateUser.id },
-          data: { roles: roles2 }
-        });
+    if (rolesChanged(currentRoleIds, newRoleIds)) {
+      const isOnDefaultRoles = currentRoleIds.size === defaultRoleIds.size && [...currentRoleIds].every((id) => defaultRoleIds.has(id));
+      if (isOnDefaultRoles) {
+        await updateUserRoles(user, currentRoleIds, roles2);
         rolesUpdated = true;
-      } catch (updateErr) {
-        strapi.log.error({
-          code: errorCodes.ROLE_UPDATE_FAILED,
-          userId: activateUser.id,
-          detail: getErrorDetail("role_update_failed", {
-            userId: activateUser.id,
-            error: updateErr.message
-          })
-        });
-        throw updateErr;
       }
     }
   }
-  const jwtToken = await oauthService2.generateToken(activateUser, ctx);
-  oauthService2.triggerSignInSuccess(activateUser);
-  return { activateUser, jwtToken, userCreated, rolesUpdated, resolvedRoleNames };
+  const jwtToken = await oauthService2.generateToken(user, ctx);
+  oauthService2.triggerSignInSuccess(user);
+  return { activateUser: user, jwtToken, userCreated, rolesUpdated, resolvedRoleNames };
 }
 function classifyOidcError(msg, userInfo) {
   const errorMap = [
@@ -828,9 +838,9 @@ async function register(ctx) {
   ctx.body = { matchedExistingUsersCount };
 }
 async function removeEmail(ctx) {
-  const { id } = ctx.params;
+  const { email } = ctx.params;
   const whitelistService2 = getWhitelistService();
-  await whitelistService2.removeUser(id);
+  await whitelistService2.removeUser(email);
   ctx.body = {};
 }
 async function deleteAll(ctx) {
@@ -874,7 +884,7 @@ async function syncUsers(ctx) {
   const currentUsersByEmail = new Map(currentUsers.map((u) => [u.email, u]));
   for (const currUser of currentUsers) {
     if (!syncEmailSet.has(currUser.email)) {
-      await whitelistService2.removeUser(currUser.id);
+      await whitelistService2.removeUser(currUser.email);
     }
   }
   for (const email of emails) {
@@ -1057,7 +1067,7 @@ const routes = {
       },
       {
         method: "DELETE",
-        path: "/whitelist/:id",
+        path: "/whitelist/:email",
         handler: "whitelist.removeEmail",
         config: adminPolicies("update")
       },
@@ -1116,7 +1126,7 @@ const routes = {
       },
       {
         method: "DELETE",
-        path: "/whitelist/:id",
+        path: "/whitelist/:email",
         handler: "whitelist.removeEmail"
       },
       {
@@ -1518,9 +1528,9 @@ function whitelistService({ strapi: strapi2 }) {
         data: { email }
       });
     },
-    async removeUser(id) {
-      await getWhitelistQuery().delete({
-        where: { id }
+    async removeUser(email) {
+      await getWhitelistQuery().deleteMany({
+        where: { email }
       });
     },
     async checkWhitelistForEmail(email) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.6.0",
+  "version": "1.6.2",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",