strapi-plugin-oidc 1.6.2 → 1.6.4

package/README.md

@@ -119,14 +119,13 @@ Role names are the **display names** shown in **Settings → Roles** (e.g. `"Edi
 ### Role assignment precedence
 
 1. **User's OIDC groups match `OIDC_GROUP_ROLE_MAP`** → use the mapped Strapi roles
-2. **No group match or no mapping configured** → use the default OIDC roles
+2. **No group match or no mapping configured** → use the default OIDC roles (new users only — see below)
 
 ### Role updates on subsequent logins
 
-- **New users** — OIDC roles are always assigned on first login.
-- **Existing users with manually unchanged roles** — If a user's current roles still match the roles assigned by OIDC on their previous login (i.e., an administrator has not manually changed their roles), their roles are updated to reflect the current group mapping. This ensures that when the group-to-role mapping changes, returning users pick up the new roles automatically.
-- **Existing users with manually changed roles** — If an administrator has manually assigned the user different roles since their last OIDC login, the user's roles are left unchanged. OIDC will not overwrite a manual role assignment.
-- **Mapping removed or user's groups don't map** — If the `OIDC_GROUP_ROLE_MAP` is removed, a user's groups no longer match any mapping, or there are no default OIDC roles configured, the user keeps their last known roles.
+- **New users** — Roles are always assigned on first login: group-mapped roles if a match is found, otherwise the configured default OIDC roles.
+- **Existing users with a group mapping match** — Roles are updated to reflect the current mapping. If a user's groups change between logins, their Strapi roles are updated accordingly.
+- **Existing users with no group mapping match** — Roles are left unchanged, regardless of what the default OIDC roles are set to. Manually-assigned roles are never overwritten by a default fallback.
 
 ## Whitelist API
 

package/dist/admin/{index-P9HriRms.mjs → index-AxBC5YLT.mjs}

@@ -99,6 +99,7 @@ const en = {
   "auditlog.table.ip": "IP",
   "auditlog.table.details": "Details",
   "auditlog.table.empty": "No audit log entries",
+  "auditlog.loading": "Loading…",
   "auditlog.clear": "Clear Logs",
   "auditlog.clear.title": "Clear All Logs",
   "auditlog.clear.description": "This will permanently delete all {count, plural, one {# audit log entry} other {# audit log entries}}. This action cannot be undone.",
@@ -117,7 +118,9 @@ const en = {
   "auditlog.action.whitelist_rejected": "The user's email address is not on the whitelist. Access was denied.",
   "user.missing_code": "Authorisation code was not received from the OIDC provider.",
   "user.invalid_state": "State parameter mismatch. Please restart the login flow.",
-  "user.signInError": "Authentication failed. Please try again."
+  "user.signInError": "Authentication failed. Please try again.",
+  "settings.section": "OIDC",
+  "settings.configuration": "Configuration"
 };
 function getTrad(id) {
   const pluginIdWithId = `${pluginId}.${id}`;
@@ -136,7 +139,7 @@ const index = {
       {
         id: "oidc",
         intlLabel: {
-          id: `${pluginId}.settings.section`,
+          id: "settings.section",
           defaultMessage: "OIDC"
         }
       },
@@ -144,11 +147,11 @@ const index = {
         id: "configuration",
         to: `/settings/${pluginId}`,
         intlLabel: {
-          id: `${pluginId}.settings.configuration`,
+          id: "settings.configuration",
           defaultMessage: "Configuration"
         },
         Component: async () => {
-          return await import("./index-DmJadA2p.mjs");
+          return await import("./index-MnV7H8G6.mjs");
         },
         permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }]
       }
@@ -242,7 +245,7 @@ const index = {
     const originalFetch = window.fetch;
     window.fetch = async (...args) => {
       const url = typeof args[0] === "string" ? args[0] : args[0].url;
-      const isLogout = url && url.endsWith("/admin/logout") && args[1]?.method?.toUpperCase() === "POST";
+      const isLogout = url?.endsWith("/admin/logout") && args[1]?.method?.toUpperCase() === "POST";
       const response = await originalFetch(...args);
       if (isLogout && response.ok) {
         window.localStorage.removeItem("jwtToken");

package/dist/admin/{index-DTOcUHZi.js → index-DowwUs07.js}

@@ -7,7 +7,7 @@ const react = require("react");
 const designSystem = require("@strapi/design-system");
 const icons = require("@strapi/icons");
 const reactIntl = require("react-intl");
-const index = require("./index-f3cmU_tE.js");
+const index = require("./index-EAfqxfV4.js");
 const styled = require("styled-components");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
 const styled__default = /* @__PURE__ */ _interopDefault(styled);
@@ -22,9 +22,7 @@ function Role({ oidcRoles, roles, onChangeRole }) {
         placeholder: formatMessage(index.getTrad("roles.placeholder")),
         value: oidcRole.role ? oidcRole.role.map((r) => String(r)) : [],
         onChange: (value) => {
-          if (value && value.length > 0) {
-            onChangeRole(value, oidcRole.oauth_type);
-          }
+          if (value && value.length > 0) onChangeRole(value, oidcRole.oauth_type);
         },
         children: roles.map((role) => /* @__PURE__ */ jsxRuntime.jsx(designSystem.MultiSelectOption, { value: String(role.id), children: role.name }, role.id))
       }
@@ -77,19 +75,11 @@ function ConfirmDialog({
 function TablePagination({ page, pageCount, onPageChange }) {
   const { formatMessage } = reactIntl.useIntl();
   if (pageCount <= 1) return null;
-  const pageLink = (num) => /* @__PURE__ */ jsxRuntime.jsx(
-    designSystem.PageLink,
-    {
-      number: num,
-      href: "#",
-      onClick: (e) => {
-        e.preventDefault();
-        onPageChange(num);
-      },
-      children: formatMessage(index.getTrad("pagination.page"), { page: num })
-    },
-    num
-  );
+  const handleClick = (e, num) => {
+    e.preventDefault();
+    onPageChange(num);
+  };
+  const pageLink = (num) => /* @__PURE__ */ jsxRuntime.jsx(designSystem.PageLink, { number: num, href: "#", onClick: (e) => handleClick(e, num), children: formatMessage(index.getTrad("pagination.page"), { page: num }) }, num);
   const Ellipsis = () => /* @__PURE__ */ jsxRuntime.jsx(designSystem.Typography, { textColor: "neutral600", paddingLeft: 2, paddingRight: 2, children: "…" });
   let pages;
   if (pageCount <= 10) {
@@ -116,31 +106,13 @@ function TablePagination({ page, pageCount, onPageChange }) {
     ] });
   }
   return /* @__PURE__ */ jsxRuntime.jsx(designSystem.Box, { paddingTop: 4, children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Flex, { justifyContent: "flex-end", children: /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Pagination, { activePage: page, pageCount, children: [
-    /* @__PURE__ */ jsxRuntime.jsx(
-      designSystem.PreviousLink,
-      {
-        href: "#",
-        onClick: (e) => {
-          e.preventDefault();
-          onPageChange(Math.max(1, page - 1));
-        },
-        children: formatMessage(index.getTrad("pagination.previous"))
-      }
-    ),
+    /* @__PURE__ */ jsxRuntime.jsx(designSystem.PreviousLink, { href: "#", onClick: (e) => handleClick(e, Math.max(1, page - 1)), children: formatMessage(index.getTrad("pagination.previous")) }),
     pages,
-    /* @__PURE__ */ jsxRuntime.jsx(
-      designSystem.NextLink,
-      {
-        href: "#",
-        onClick: (e) => {
-          e.preventDefault();
-          onPageChange(Math.min(pageCount, page + 1));
-        },
-        children: formatMessage(index.getTrad("pagination.next"))
-      }
-    )
+    /* @__PURE__ */ jsxRuntime.jsx(designSystem.NextLink, { href: "#", onClick: (e) => handleClick(e, Math.min(pageCount, page + 1)), children: formatMessage(index.getTrad("pagination.next")) })
   ] }) }) });
 }
+const PAGE_SIZE$1 = 10;
+const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
 function Whitelist({
   users,
   useWhitelist,
@@ -156,11 +128,8 @@ function Whitelist({
   const { formatMessage } = reactIntl.useIntl();
   const { toggleNotification } = admin.useNotification();
   const fileInputRef = react.useRef(null);
-  const PAGE_SIZE2 = 10;
-  const pageCount = Math.ceil(users.length / PAGE_SIZE2) || 1;
-  const paginatedUsers = users.slice((page - 1) * PAGE_SIZE2, page * PAGE_SIZE2);
-  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-  const isValidEmail = emailRegex.test(email);
+  const pageCount = Math.ceil(users.length / PAGE_SIZE$1) || 1;
+  const paginatedUsers = users.slice((page - 1) * PAGE_SIZE$1, page * PAGE_SIZE$1);
   const onSaveEmail = react.useCallback(() => {
     const emailText = email.trim();
     if (users.some((user) => user.email === emailText)) {
@@ -176,14 +145,15 @@ function Whitelist({
   const handleImport = react.useCallback(
     async (e) => {
       const file = e.target.files?.[0];
-      if (!fileInputRef.current) return;
+      if (!fileInputRef.current || !file) return;
       fileInputRef.current.value = "";
-      if (!file) return;
       try {
         const text = await file.text();
         const parsed = JSON.parse(text);
         if (!Array.isArray(parsed)) throw new Error();
-        const emails = parsed.filter((item) => item?.email).map((item) => String(item.email).trim().toLowerCase()).filter((email2) => emailRegex.test(email2));
+        const emails = parsed.filter((item) => item?.email).map(
+          (item) => String(item.email).trim().toLowerCase()
+        ).filter((email2) => EMAIL_REGEX.test(email2));
         const count = await onImport(emails);
         if (count === 0) {
           toggleNotification({
@@ -263,7 +233,7 @@ function Whitelist({
             type: "text",
             disabled: loading,
             value: email,
-            hasError: Boolean(email && !isValidEmail),
+            hasError: Boolean(email && !EMAIL_REGEX.test(email)),
             onChange: (e) => setEmail(e.currentTarget.value),
             placeholder: formatMessage(index.getTrad("whitelist.email.placeholder"))
           }
@@ -273,7 +243,7 @@ function Whitelist({
           {
             size: "L",
             startIcon: /* @__PURE__ */ jsxRuntime.jsx(icons.Plus, {}),
-            disabled: loading || email.trim() === "" || !isValidEmail,
+            disabled: loading || email.trim() === "" || !EMAIL_REGEX.test(email),
             loading,
             onClick: onSaveEmail,
             children: formatMessage(index.getTrad("page.add"))
@@ -289,7 +259,7 @@ function Whitelist({
           /* @__PURE__ */ jsxRuntime.jsx(designSystem.Th, { style: { paddingRight: 0 }, children: " " })
         ] }) }),
         /* @__PURE__ */ jsxRuntime.jsx(designSystem.Tbody, { children: users.length === 0 ? /* @__PURE__ */ jsxRuntime.jsx(designSystem.Tr, { children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { colSpan: 4, children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Flex, { justifyContent: "center", padding: 4, children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Typography, { textColor: "neutral600", children: formatMessage(index.getTrad("whitelist.table.empty")) }) }) }) }) : paginatedUsers.map((user, index$1) => /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Tr, { children: [
-          /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { children: index$1 + 1 + (page - 1) * PAGE_SIZE2 }),
+          /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { children: index$1 + 1 + (page - 1) * PAGE_SIZE$1 }),
           /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { children: user.email }),
           /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { children: /* @__PURE__ */ jsxRuntime.jsx(LocalizedDate, { date: user.createdAt, options: { month: "long" } }) }),
           /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { style: { paddingRight: 0 }, children: /* @__PURE__ */ jsxRuntime.jsx(
@@ -467,7 +437,7 @@ function AuditLog() {
         /* @__PURE__ */ jsxRuntime.jsx(designSystem.Th, { children: formatMessage(index.getTrad("auditlog.table.details")) })
       ] }) }),
       /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Tbody, { children: [
-        loading && /* @__PURE__ */ jsxRuntime.jsx(designSystem.Tr, { children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { colSpan: 5, children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Flex, { justifyContent: "center", padding: 4, children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Typography, { textColor: "neutral600", children: "Loading…" }) }) }) }),
+        loading && /* @__PURE__ */ jsxRuntime.jsx(designSystem.Tr, { children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { colSpan: 5, children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Flex, { justifyContent: "center", padding: 4, children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Typography, { textColor: "neutral600", children: formatMessage(index.getTrad("auditlog.loading")) }) }) }) }),
         !loading && records.length === 0 && /* @__PURE__ */ jsxRuntime.jsx(designSystem.Tr, { children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { colSpan: 5, children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Flex, { justifyContent: "center", padding: 4, children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Typography, { textColor: "neutral600", children: formatMessage(index.getTrad("auditlog.table.empty")) }) }) }) }),
         !loading && records.map((record) => /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Tr, { children: [
           /* @__PURE__ */ jsxRuntime.jsx(designSystem.Td, { children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Typography, { variant: "omega", children: /* @__PURE__ */ jsxRuntime.jsx(LocalizedDate, { date: record.createdAt, options: { second: "2-digit" } }) }) }),
@@ -633,47 +603,52 @@ function useOidcSettings() {
       setRoles(response.data.data);
     });
     get("/strapi-plugin-oidc/whitelist").then((response) => {
-      setWhitelistResponse(response.data);
-      setUsers(response.data.whitelistUsers);
-      setInitialUsers(deepClone(response.data.whitelistUsers));
-      setUseWhitelist(response.data.useWhitelist);
-      setInitialUseWhitelist(response.data.useWhitelist);
-      setEnforceOIDC(response.data.enforceOIDC);
-      setInitialEnforceOIDC(response.data.enforceOIDC);
-      setEnforceOIDCConfig(response.data.enforceOIDCConfig ?? null);
+      const data = response.data;
+      setWhitelistResponse(data);
+      setUsers(data.whitelistUsers);
+      setInitialUsers(deepClone(data.whitelistUsers));
+      setUseWhitelist(data.useWhitelist);
+      setInitialUseWhitelist(data.useWhitelist);
+      setEnforceOIDC(data.enforceOIDC);
+      setInitialEnforceOIDC(data.enforceOIDC);
+      setEnforceOIDCConfig(data.enforceOIDCConfig ?? null);
     });
   }, [get]);
-  const onChangeRole = (values, oidcId) => {
-    const updatedRoles = oidcRoles.map(
-      (role) => role.oauth_type === oidcId ? { ...role, role: values } : role
+  const onChangeRole = react.useCallback((values, oidcId) => {
+    setOIDCRoles(
+      (prev) => prev.map((role) => role.oauth_type === oidcId ? { ...role, role: values } : role)
     );
-    setOIDCRoles(updatedRoles);
-  };
-  const onRegisterWhitelist = (email) => {
-    const newUser = { email, createdAt: (/* @__PURE__ */ new Date()).toISOString() };
-    setUsers([...users, newUser]);
-  };
-  const onDeleteWhitelist = (email) => {
-    const updatedUsers = users.filter((u) => u.email !== email);
-    setUsers(updatedUsers);
-    if (useWhitelist && updatedUsers.length === 0) {
-      setEnforceOIDC(false);
-    }
-  };
-  const onDeleteAll = () => {
+  }, []);
+  const onRegisterWhitelist = react.useCallback((email) => {
+    setUsers((prev) => [...prev, { email, createdAt: (/* @__PURE__ */ new Date()).toISOString() }]);
+  }, []);
+  const onDeleteWhitelist = react.useCallback(
+    (email) => {
+      setUsers((prev) => {
+        const updated = prev.filter((u) => u.email !== email);
+        if (useWhitelist && updated.length === 0) setEnforceOIDC(false);
+        return updated;
+      });
+    },
+    [useWhitelist]
+  );
+  const onDeleteAll = react.useCallback(() => {
     setUsers([]);
     if (useWhitelist) setEnforceOIDC(false);
-  };
-  const onImport = async (emails) => {
-    const response = await post("/strapi-plugin-oidc/whitelist/import", {
-      users: emails.map((e) => ({ email: e }))
-    });
-    const refreshed = await get("/strapi-plugin-oidc/whitelist");
-    setUsers(refreshed.data.whitelistUsers);
-    setInitialUsers(deepClone(refreshed.data.whitelistUsers));
-    return response.data.importedCount;
-  };
-  const onExport = async () => {
+  }, [useWhitelist]);
+  const onImport = react.useCallback(
+    async (emails) => {
+      const response = await post("/strapi-plugin-oidc/whitelist/import", {
+        users: emails.map((e) => ({ email: e }))
+      });
+      const refreshed = await get("/strapi-plugin-oidc/whitelist");
+      setUsers(refreshed.data.whitelistUsers);
+      setInitialUsers(deepClone(refreshed.data.whitelistUsers));
+      return response.data.importedCount;
+    },
+    [post, get]
+  );
+  const onExport = react.useCallback(async () => {
     const response = await get("/strapi-plugin-oidc/whitelist/export");
     const data = response.data;
     const datetime = formatDatetimeForFilename(/* @__PURE__ */ new Date());
@@ -684,41 +659,37 @@ function useOidcSettings() {
     a.download = `strapi-oidc-whitelist-${datetime}.json`;
     a.click();
     URL.revokeObjectURL(url);
-  };
-  const onToggleWhitelist = (e) => {
-    const checked = e.target.checked;
-    setUseWhitelist(checked);
-    if (checked && users.length === 0) {
-      setEnforceOIDC(false);
-    }
-  };
-  const onToggleEnforce = (e) => {
+  }, [get]);
+  const onToggleWhitelist = react.useCallback(
+    (e) => {
+      const checked = e.target.checked;
+      setUseWhitelist(checked);
+      if (checked && users.length === 0) setEnforceOIDC(false);
+    },
+    [users.length]
+  );
+  const onToggleEnforce = react.useCallback((e) => {
     setEnforceOIDC(e.target.checked);
-  };
+  }, []);
   const isDirty = useWhitelist !== initialUseWhitelist || enforceOIDC !== initialEnforceOIDC || JSON.stringify(oidcRoles) !== JSON.stringify(initialOidcRoles) || JSON.stringify(users) !== JSON.stringify(initialUsers);
-  const onSaveAll = async () => {
+  const onSaveAll = react.useCallback(async () => {
     setLoading(true);
     try {
       await put("/strapi-plugin-oidc/oidc-roles", {
-        roles: oidcRoles.map((role) => ({
-          oauth_type: role.oauth_type,
-          role: role.role
-        }))
+        roles: oidcRoles.map((role) => ({ oauth_type: role.oauth_type, role: role.role }))
       });
       await put("/strapi-plugin-oidc/whitelist/sync", {
         users: users.map((u) => ({ email: u.email }))
       });
-      await put("/strapi-plugin-oidc/whitelist/settings", {
-        useWhitelist,
-        enforceOIDC
-      });
+      await put("/strapi-plugin-oidc/whitelist/settings", { useWhitelist, enforceOIDC });
       setInitialOIDCRoles(deepClone(oidcRoles));
       setInitialUseWhitelist(useWhitelist);
       setInitialEnforceOIDC(enforceOIDC);
       get("/strapi-plugin-oidc/whitelist").then((getResponse) => {
-        setWhitelistResponse(getResponse.data);
-        setUsers(getResponse.data.whitelistUsers);
-        setInitialUsers(deepClone(getResponse.data.whitelistUsers));
+        const data = getResponse.data;
+        setWhitelistResponse(data);
+        setUsers(data.whitelistUsers);
+        setInitialUsers(deepClone(data.whitelistUsers));
       });
       setSuccess(true);
       setTimeout(() => setSuccess(false), 3e3);
@@ -729,7 +700,7 @@ function useOidcSettings() {
     } finally {
       setLoading(false);
     }
-  };
+  }, [put, get, oidcRoles, users, useWhitelist, enforceOIDC]);
   return {
     state: {
       loading,

package/dist/admin/{index-f3cmU_tE.js → index-EAfqxfV4.js}

@@ -100,6 +100,7 @@ const en = {
   "auditlog.table.ip": "IP",
   "auditlog.table.details": "Details",
   "auditlog.table.empty": "No audit log entries",
+  "auditlog.loading": "Loading…",
   "auditlog.clear": "Clear Logs",
   "auditlog.clear.title": "Clear All Logs",
   "auditlog.clear.description": "This will permanently delete all {count, plural, one {# audit log entry} other {# audit log entries}}. This action cannot be undone.",
@@ -118,7 +119,9 @@ const en = {
   "auditlog.action.whitelist_rejected": "The user's email address is not on the whitelist. Access was denied.",
   "user.missing_code": "Authorisation code was not received from the OIDC provider.",
   "user.invalid_state": "State parameter mismatch. Please restart the login flow.",
-  "user.signInError": "Authentication failed. Please try again."
+  "user.signInError": "Authentication failed. Please try again.",
+  "settings.section": "OIDC",
+  "settings.configuration": "Configuration"
 };
 function getTrad(id) {
   const pluginIdWithId = `${pluginId}.${id}`;
@@ -137,7 +140,7 @@ const index = {
       {
         id: "oidc",
         intlLabel: {
-          id: `${pluginId}.settings.section`,
+          id: "settings.section",
           defaultMessage: "OIDC"
         }
       },
@@ -145,11 +148,11 @@ const index = {
         id: "configuration",
         to: `/settings/${pluginId}`,
         intlLabel: {
-          id: `${pluginId}.settings.configuration`,
+          id: "settings.configuration",
           defaultMessage: "Configuration"
         },
         Component: async () => {
-          return await Promise.resolve().then(() => require("./index-DTOcUHZi.js"));
+          return await Promise.resolve().then(() => require("./index-DowwUs07.js"));
         },
         permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }]
       }
@@ -243,7 +246,7 @@ const index = {
     const originalFetch = window.fetch;
     window.fetch = async (...args) => {
       const url = typeof args[0] === "string" ? args[0] : args[0].url;
-      const isLogout = url && url.endsWith("/admin/logout") && args[1]?.method?.toUpperCase() === "POST";
+      const isLogout = url?.endsWith("/admin/logout") && args[1]?.method?.toUpperCase() === "POST";
       const response = await originalFetch(...args);
       if (isLogout && response.ok) {
         window.localStorage.removeItem("jwtToken");