strapi-plugin-oidc 1.6.5 → 1.7.0

package/dist/server/index.js

@@ -2,6 +2,7 @@
 Object.defineProperties(exports, { __esModule: { value: true }, [Symbol.toStringTag]: { value: "Module" } });
 const node_crypto = require("node:crypto");
 const pkceChallenge = require("pkce-challenge");
+const node_stream = require("node:stream");
 const strapiUtils = require("@strapi/utils");
 const generator = require("generate-password");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
@@ -36,6 +37,12 @@ function getRetentionDays() {
 function isAuditLogEnabled() {
   return getRetentionDays() !== 0;
 }
+const PLUGIN_NAME = "strapi-plugin-oidc";
+const getOauthService = () => strapi.plugin(PLUGIN_NAME).service("oauth");
+const getRoleService = () => strapi.plugin(PLUGIN_NAME).service("role");
+const getWhitelistService = () => strapi.plugin(PLUGIN_NAME).service("whitelist");
+const getAuditLogService = () => strapi.plugin(PLUGIN_NAME).service("auditLog");
+const getAdminUserService = () => strapi.service("admin::user");
 const AUTH_ROUTES = ["login", "register", "register-admin", "forgot-password", "reset-password"];
 async function bootstrap({ strapi: strapi2 }) {
   const adminUrl = strapi2.config.get("admin.url", "/admin");
@@ -47,7 +54,7 @@ async function bootstrap({ strapi: strapi2 }) {
     const isTokenRefresh = path === tokenRefreshPath;
     if (isAuthRoute && isPost || isTokenRefresh) {
       try {
-        const whitelistService2 = strapi2.plugin("strapi-plugin-oidc").service("whitelist");
+        const whitelistService2 = getWhitelistService();
         const settings = await whitelistService2.getSettings();
         const enforceOIDC = resolveEnforceOIDC(strapi2, settings?.enforceOIDC);
         if (enforceOIDC && isAuthRoute && isPost) {
@@ -95,7 +102,7 @@ async function bootstrap({ strapi: strapi2 }) {
   const enforceOIDCConfig = getEnforceOIDCConfig(strapi2);
   if (enforceOIDCConfig !== null) {
     try {
-      const whitelistService2 = strapi2.plugin("strapi-plugin-oidc").service("whitelist");
+      const whitelistService2 = getWhitelistService();
       const settings = await whitelistService2.getSettings();
       if (settings.enforceOIDC !== enforceOIDCConfig) {
         await whitelistService2.setSettings({ ...settings, enforceOIDC: enforceOIDCConfig });
@@ -125,7 +132,7 @@ async function bootstrap({ strapi: strapi2 }) {
       task: async () => {
         try {
           const retentionDays = getRetentionDays();
-          await strapi2.plugin("strapi-plugin-oidc").service("auditLog").cleanup(retentionDays);
+          await getAuditLogService().cleanup(retentionDays);
         } catch (err) {
           strapi2.log.warn("[strapi-plugin-oidc] Audit log cleanup failed:", err.message);
         }
@@ -219,9 +226,14 @@ function getExpiredCookieOptions(strapi2, ctx) {
 function clearAuthCookies(strapi2, ctx) {
   const options2 = getExpiredCookieOptions(strapi2, ctx);
   ctx.cookies.set("strapi_admin_refresh", "", options2);
-  ctx.cookies.set("oidc_authenticated", "", { ...options2, path: "/" });
-  ctx.cookies.set("oidc_access_token", "", { ...options2, path: "/" });
-  ctx.cookies.set("oidc_user_email", "", { ...options2, path: "/" });
+  const rootPathOptions = { ...options2, path: "/" };
+  for (const name of ["oidc_authenticated", "oidc_access_token", "oidc_user_email"]) {
+    ctx.cookies.set(name, "", rootPathOptions);
+  }
+}
+const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+function isValidEmail(email) {
+  return EMAIL_REGEX.test(email);
 }
 const errorCodes = {
   TOKEN_EXCHANGE_FAILED: "TOKEN_EXCHANGE_FAILED",
@@ -272,6 +284,7 @@ const en = {
   "page.save.error": "Update failed.",
   "page.add": "Add",
   "page.cancel": "Cancel",
+  "common.remove": "Remove {label}",
   "page.ok": "OK",
   "roles.title": "Default Role(s)",
   "roles.placeholder": "Select default role(s)",
@@ -303,7 +316,7 @@ const en = {
   "enforce.config.info": "Enforcement is controlled by the OIDC_ENFORCE config variable and cannot be changed here.",
   "login.settings.title": "Login Settings",
   "login.sso": "Login via SSO",
-  "whitelist.count": "{count, plural, one {# entry} other {# entries}}",
+  "pagination.total": "{count, plural, one {# entry} other {# entries}}",
   "whitelist.import": "Import",
   "whitelist.export": "Export",
   "whitelist.delete.all.label": "Delete All",
@@ -331,6 +344,20 @@ const en = {
   "auditlog.clear.success": "Audit logs cleared",
   "auditlog.clear.error": "Failed to clear audit logs",
   "auditlog.export.error": "Failed to export audit logs",
+  "auditlog.filters": "Filters",
+  "auditlog.filters.action": "Action",
+  "auditlog.filters.email": "Email",
+  "auditlog.filters.ip": "IP address",
+  "auditlog.filters.createdAt": "Date",
+  "auditlog.filters.clear": "Clear filters",
+  "auditlog.filters.empty": "No entries match the current filters",
+  "auditlog.calendar.prevMonth": "Previous month",
+  "auditlog.calendar.nextMonth": "Next month",
+  "auditlog.calendar.state.today": "today",
+  "auditlog.calendar.state.selected": "selected",
+  "auditlog.calendar.state.alreadyAdded": "already added",
+  "auditlog.calendar.state.future": "unavailable, future date",
+  "auditlog.calendar.dayWithState": "{date}, {state}",
   "auditlog.action.login_success": "User successfully authenticated via OIDC and was granted access.",
   "auditlog.action.user_created": "A new Strapi admin account was created for this user on their first OIDC login.",
   "auditlog.action.logout": "User logged out and their OIDC session was ended.",
@@ -341,21 +368,119 @@ const en = {
   "auditlog.action.nonce_mismatch": "The nonce in the ID token did not match the one generated at login. This may indicate a token replay attack.",
   "auditlog.action.token_exchange_failed": "The authorisation code could not be exchanged for tokens. The OIDC provider rejected the request.",
   "auditlog.action.whitelist_rejected": "The user's email address is not on the whitelist. Access was denied.",
+  "auth.page.authenticating.title": "Authenticating...",
+  "auth.page.authenticating.noscript.heading": "JavaScript Required",
+  "auth.page.authenticating.noscript.body": "JavaScript must be enabled for authentication to complete.",
+  "auth.page.error.title": "Authentication Failed",
+  "auth.page.error.returnToLogin": "Return to Login",
   "user.missing_code": "Authorisation code was not received from the OIDC provider.",
   "user.invalid_state": "State parameter mismatch. Please restart the login flow.",
   "user.signInError": "Authentication failed. Please try again.",
   "settings.section": "OIDC",
   "settings.configuration": "Configuration"
 };
-const userFacingMessages = {
-  get missing_code() {
-    return en["user.missing_code"];
+const __vite_glob_0_0 = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
+  __proto__: null,
+  default: en
+}, Symbol.toStringTag, { value: "Module" }));
+const modules = /* @__PURE__ */ Object.assign({ "../translations/locales/en.json": __vite_glob_0_0 });
+const locales = Object.fromEntries(
+  Object.entries(modules).map(([path, mod]) => {
+    const code = path.match(/\/([^/]+)\.json$/)?.[1];
+    return [code ?? "", mod.default];
+  })
+);
+Object.keys(locales).filter(Boolean);
+const DEFAULT_LOCALE = "en";
+function parseAcceptLanguage(header) {
+  return header.split(",").map((part) => {
+    const [tag, ...params] = part.trim().split(";");
+    const qParam = params.find((p) => p.trim().startsWith("q="));
+    const q = qParam ? parseFloat(qParam.trim().slice(2)) : 1;
+    return { tag: tag.toLowerCase(), q: Number.isFinite(q) ? q : 1 };
+  }).filter((entry) => entry.tag).sort((a, b) => b.q - a.q);
+}
+function negotiateLocale(acceptLanguage) {
+  if (!acceptLanguage) return DEFAULT_LOCALE;
+  for (const { tag } of parseAcceptLanguage(acceptLanguage)) {
+    if (locales[tag]) return tag;
+    const base = tag.split("-")[0];
+    if (locales[base]) return base;
+  }
+  return DEFAULT_LOCALE;
+}
+function t(locale, key, fallback) {
+  return locales[locale]?.[key] ?? locales[DEFAULT_LOCALE]?.[key] ?? fallback ?? key;
+}
+const userFacingMessages = (locale) => ({
+  missing_code: t(
+    locale,
+    "user.missing_code",
+    "Authorisation code was not received from the OIDC provider."
+  ),
+  invalid_state: t(
+    locale,
+    "user.invalid_state",
+    "State parameter mismatch. Please restart the login flow."
+  ),
+  signInError: t(locale, "user.signInError", "Authentication failed. Please try again.")
+});
+const authPageMessages = (locale) => ({
+  authenticatingTitle: t(locale, "auth.page.authenticating.title", "Authenticating..."),
+  noscriptHeading: t(locale, "auth.page.authenticating.noscript.heading", "JavaScript Required"),
+  noscriptBody: t(
+    locale,
+    "auth.page.authenticating.noscript.body",
+    "JavaScript must be enabled for authentication to complete."
+  ),
+  errorTitle: t(locale, "auth.page.error.title", "Authentication Failed"),
+  returnToLogin: t(locale, "auth.page.error.returnToLogin", "Return to Login")
+});
+class OidcError extends Error {
+  kind;
+  cause;
+  constructor(kind, message, cause) {
+    super(message);
+    this.name = "OidcError";
+    this.kind = kind;
+    this.cause = cause;
+  }
+}
+const OIDC_ERROR_DISPATCH = {
+  nonce_mismatch: { action: "nonce_mismatch", code: errorCodes.NONCE_MISMATCH },
+  token_exchange_failed: {
+    action: "token_exchange_failed",
+    code: errorCodes.TOKEN_EXCHANGE_FAILED
+  },
+  id_token_parse_failed: {
+    action: "login_failure",
+    code: errorCodes.ID_TOKEN_PARSE_FAILED,
+    key: "id_token_parse_failed"
   },
-  get invalid_state() {
-    return en["user.invalid_state"];
+  userinfo_fetch_failed: {
+    action: "login_failure",
+    code: errorCodes.USERINFO_FETCH_FAILED,
+    key: "userinfo_fetch_failed"
   },
-  get signInError() {
-    return en["user.signInError"];
+  user_creation_failed: {
+    action: "login_failure",
+    code: errorCodes.USER_CREATION_FAILED,
+    key: "user_creation_failed"
+  },
+  whitelist_rejected: {
+    action: "whitelist_rejected",
+    code: errorCodes.WHITELIST_CHECK_FAILED,
+    key: "whitelist_rejected"
+  },
+  invalid_email: {
+    action: "login_failure",
+    code: errorCodes.TOKEN_EXCHANGE_FAILED,
+    key: "sign_in_unknown"
+  },
+  unknown: {
+    action: "login_failure",
+    code: errorCodes.TOKEN_EXCHANGE_FAILED,
+    key: "sign_in_unknown"
   }
 };
 const REQUIRED_CONFIG_KEYS = [
@@ -370,6 +495,7 @@ const REQUIRED_CONFIG_KEYS = [
   "OIDC_GIVEN_NAME_FIELD",
   "OIDC_AUTHORIZATION_ENDPOINT"
 ];
+const LOGOUT_USERINFO_TIMEOUT_MS = 3e3;
 function configValidation() {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
   const missing = REQUIRED_CONFIG_KEYS.filter((key) => !config2[key]);
@@ -387,7 +513,6 @@ async function oidcSignIn(ctx) {
   const cookieOptions = {
     httpOnly: true,
     maxAge: 6e5,
-    // 10 minutes
     secure: isProduction && ctx.request.secure,
     sameSite: "lax"
   };
@@ -417,7 +542,7 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
     }
   });
   if (!response.ok) {
-    throw new Error(errorMessages.TOKEN_EXCHANGE_FAILED);
+    throw new OidcError("token_exchange_failed", errorMessages.TOKEN_EXCHANGE_FAILED);
   }
   const tokenData = await response.json();
   if (tokenData.id_token) {
@@ -425,23 +550,23 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
       const payloadB64 = tokenData.id_token.split(".")[1];
       const idTokenPayload = JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf8"));
       if (idTokenPayload.nonce !== expectedNonce) {
-        throw new Error(errorMessages.NONCE_MISMATCH);
+        throw new OidcError("nonce_mismatch", errorMessages.NONCE_MISMATCH);
       }
     } catch (e) {
-      if (e.message === "Nonce mismatch") throw e;
-      throw new Error(errorMessages.ID_TOKEN_PARSE_FAILED);
+      if (e instanceof OidcError && e.kind === "nonce_mismatch") throw e;
+      throw new OidcError("id_token_parse_failed", errorMessages.ID_TOKEN_PARSE_FAILED, e);
     }
   }
   const userResponse = await fetch(config2.OIDC_USERINFO_ENDPOINT, {
     headers: { Authorization: `Bearer ${tokenData.access_token}` }
   });
   if (!userResponse.ok) {
-    throw new Error(errorMessages.USERINFO_FETCH_FAILED);
+    throw new OidcError("userinfo_fetch_failed", errorMessages.USERINFO_FETCH_FAILED);
   }
   const userInfo = await userResponse.json();
   return { userInfo, accessToken: tokenData.access_token };
 }
-function resolveRolesFromGroups(userInfo, config2, availableRoles) {
+function collectGroupMapRoleNames(userInfo, config2) {
   const rawGroups = userInfo[config2.OIDC_GROUP_FIELD];
   if (!Array.isArray(rawGroups) || rawGroups.length === 0) return [];
   const groups = rawGroups.filter((g) => typeof g === "string");
@@ -452,22 +577,15 @@ function resolveRolesFromGroups(userInfo, config2, availableRoles) {
   } catch {
     return [];
   }
-  const roleIdSet = /* @__PURE__ */ new Set();
+  const roleNameSet = /* @__PURE__ */ new Set();
   for (const group of groups) {
     const roleNames = groupRoleMap[group];
     if (!roleNames) continue;
     for (const name of roleNames) {
-      const match = availableRoles.find((r) => r.name === name);
-      if (match) roleIdSet.add(String(match.id));
+      roleNameSet.add(name);
     }
   }
-  return [...roleIdSet];
-}
-async function resolveRoles(userInfo, config2, roleService2, availableRoles) {
-  const groupRoles = resolveRolesFromGroups(userInfo, config2, availableRoles);
-  if (groupRoles.length > 0) return { roles: groupRoles, fromGroupMapping: true };
-  const oidcRoles = await roleService2.oidcRoles();
-  return { roles: oidcRoles?.roles || [], fromGroupMapping: false };
+  return [...roleNameSet];
 }
 async function registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2) {
   const defaultLocale = oauthService2.localeFindByHeader(
@@ -485,10 +603,7 @@ async function registerNewUser(oauthService2, email, userResponseData, config2,
 }
 function rolesChanged(current, next) {
   if (current.size !== next.size) return true;
-  for (const id of next) {
-    if (!current.has(id)) return true;
-  }
-  return false;
+  return [...next].some((id) => !current.has(id));
 }
 async function updateUserRoles(user, currentRoleIds, newRoleIds) {
   try {
@@ -511,101 +626,187 @@ async function updateUserRoles(user, currentRoleIds, newRoleIds) {
     throw updateErr;
   }
 }
+async function resolveRolesFromGroups(candidateNames) {
+  const matchedRoles = await strapi.db.query("admin::role").findMany({
+    where: { name: { $in: candidateNames } },
+    select: ["id", "name"]
+  });
+  const nameToId = new Map(matchedRoles.map((r) => [r.name, String(r.id)]));
+  const roles2 = [];
+  for (const name of candidateNames) {
+    const id = nameToId.get(name);
+    if (id) roles2.push(id);
+  }
+  return {
+    roles: roles2,
+    fromGroupMapping: true,
+    resolvedRoleNames: matchedRoles.map((r) => r.name)
+  };
+}
+async function resolveRolesFromDefaults(roleService2) {
+  const oidcRolesResult = await roleService2.oidcRoles();
+  const roles2 = oidcRolesResult?.roles || [];
+  if (roles2.length === 0) {
+    return { roles: roles2, fromGroupMapping: false, resolvedRoleNames: [] };
+  }
+  const records = await strapi.db.query("admin::role").findMany({
+    where: { id: { $in: roles2.map(Number) } },
+    select: ["id", "name"]
+  });
+  return {
+    roles: roles2,
+    fromGroupMapping: false,
+    resolvedRoleNames: records.map((r) => r.name)
+  };
+}
+async function resolveRoles(userResponseData, config2, roleService2) {
+  const candidateNames = collectGroupMapRoleNames(userResponseData, config2);
+  if (candidateNames.length > 0) {
+    return resolveRolesFromGroups(candidateNames);
+  }
+  return resolveRolesFromDefaults(roleService2);
+}
+async function ensureUser(userService, oauthService2, email, userResponseData, config2, ctx, resolved) {
+  const existing = await userService.findOneByEmail(email, ["roles"]);
+  if (!existing) {
+    try {
+      const user = await registerNewUser(
+        oauthService2,
+        email,
+        userResponseData,
+        config2,
+        ctx,
+        resolved.roles
+      );
+      return { user, userCreated: true, rolesUpdated: true };
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      throw new OidcError("user_creation_failed", msg, e);
+    }
+  }
+  if (!resolved.fromGroupMapping || resolved.roles.length === 0) {
+    return { user: existing, userCreated: false, rolesUpdated: false };
+  }
+  const currentRoleIds = new Set((existing.roles ?? []).map((r) => String(r.id)));
+  if (!rolesChanged(currentRoleIds, new Set(resolved.roles))) {
+    return { user: existing, userCreated: false, rolesUpdated: false };
+  }
+  await updateUserRoles(existing, currentRoleIds, resolved.roles);
+  return { user: existing, userCreated: false, rolesUpdated: true };
+}
 async function handleUserAuthentication(userService, oauthService2, roleService2, whitelistService2, userResponseData, config2, ctx) {
-  const rawEmail = String(userResponseData.email ?? "");
-  const email = rawEmail.toLowerCase();
-  if (!email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
-    throw new Error(errorMessages.INVALID_EMAIL);
+  const email = String(userResponseData.email ?? "").toLowerCase();
+  if (!email || !isValidEmail(email)) {
+    throw new OidcError("invalid_email", errorMessages.INVALID_EMAIL);
   }
   await whitelistService2.checkWhitelistForEmail(email);
-  const allRoles = await strapi.db.query("admin::role").findMany();
-  const { roles: roles2, fromGroupMapping } = await resolveRoles(
+  const resolved = await resolveRoles(userResponseData, config2, roleService2);
+  const { user, userCreated, rolesUpdated } = await ensureUser(
+    userService,
+    oauthService2,
+    email,
     userResponseData,
     config2,
-    roleService2,
-    allRoles
+    ctx,
+    resolved
   );
-  const resolvedRoleNames = allRoles.filter((r) => roles2.includes(String(r.id))).map((r) => r.name);
-  let userCreated = false;
-  let rolesUpdated = false;
-  let user = await userService.findOneByEmail(email, ["roles"]);
-  if (!user) {
-    user = await registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2);
-    userCreated = true;
-    rolesUpdated = true;
-  } else if (fromGroupMapping && roles2.length > 0) {
-    const currentRoleIds = new Set(user.roles.map((r) => String(r.id)));
-    if (rolesChanged(currentRoleIds, new Set(roles2))) {
-      await updateUserRoles(user, currentRoleIds, roles2);
-      rolesUpdated = true;
-    }
-  }
   const jwtToken = await oauthService2.generateToken(user, ctx);
   oauthService2.triggerSignInSuccess(user);
-  return { activateUser: user, jwtToken, userCreated, rolesUpdated, resolvedRoleNames };
-}
-function classifyOidcError(msg, userInfo) {
-  if (msg.includes("whitelist")) {
-    return {
-      action: "whitelist_rejected",
-      code: errorCodes.WHITELIST_CHECK_FAILED,
-      key: "whitelist_rejected"
-    };
-  }
-  if (msg === "Nonce mismatch")
-    return { action: "nonce_mismatch", code: errorCodes.NONCE_MISMATCH };
-  if (msg === "Token exchange failed")
-    return { action: "token_exchange_failed", code: errorCodes.TOKEN_EXCHANGE_FAILED };
-  if (msg === "Failed to fetch user info") {
-    return {
-      action: "login_failure",
-      code: errorCodes.USERINFO_FETCH_FAILED,
-      key: "userinfo_fetch_failed"
-    };
-  }
-  if (msg === "Failed to parse ID token") {
-    return {
-      action: "login_failure",
-      code: errorCodes.ID_TOKEN_PARSE_FAILED,
-      key: "id_token_parse_failed",
-      params: { error: msg }
-    };
-  }
-  if (msg === "User creation failed" || msg.includes("createUser")) {
-    return {
-      action: "login_failure",
-      code: errorCodes.USER_CREATION_FAILED,
-      key: "user_creation_failed",
-      params: userInfo?.email ? { email: userInfo.email, error: msg } : void 0
-    };
-  }
   return {
-    action: "login_failure",
-    code: errorCodes.TOKEN_EXCHANGE_FAILED,
-    key: "sign_in_unknown",
-    params: { error: msg || "unknown" }
+    activateUser: user,
+    jwtToken,
+    userCreated,
+    rolesUpdated,
+    resolvedRoleNames: resolved.resolvedRoleNames
   };
 }
-async function oidcSignInCallback(ctx) {
-  const config2 = configValidation();
-  const userService = strapi.service("admin::user");
-  const oauthService2 = strapi.plugin("strapi-plugin-oidc").service("oauth");
-  const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
-  const auditLog2 = strapi.plugin("strapi-plugin-oidc").service("auditLog");
-  if (!ctx.query.code) {
-    await auditLog2.log({ action: "missing_code", ip: ctx.ip });
-    return ctx.send(oauthService2.renderSignUpError(userFacingMessages.missing_code));
+function classifyOidcError(e, userInfo) {
+  const kind = e instanceof OidcError ? e.kind : "unknown";
+  const dispatch = OIDC_ERROR_DISPATCH[kind];
+  const msg = e instanceof Error ? e.message : String(e);
+  let params;
+  if (kind === "id_token_parse_failed" || kind === "unknown") {
+    params = { error: msg };
+  } else if (kind === "user_creation_failed" && userInfo?.email) {
+    params = { email: userInfo.email, error: msg };
   }
+  return {
+    action: dispatch.action,
+    code: dispatch.code,
+    key: dispatch.key,
+    params
+  };
+}
+function readAndClearPkceCookies(ctx) {
   const oidcState = ctx.cookies.get("oidc_state");
   const codeVerifier = ctx.cookies.get("oidc_code_verifier");
   const oidcNonce = ctx.cookies.get("oidc_nonce");
   ctx.cookies.set("oidc_state", null);
   ctx.cookies.set("oidc_code_verifier", null);
   ctx.cookies.set("oidc_nonce", null);
+  return { oidcState, codeVerifier, oidcNonce };
+}
+async function logSuccessfulAuth(auditLog2, ctx, user, userCreated, rolesUpdated, resolvedRoleNames) {
+  const roles2 = resolvedRoleNames.join(", ");
+  const entries = [
+    auditLog2.log({
+      action: "login_success",
+      email: user.email,
+      ip: ctx.ip,
+      detailsKey: rolesUpdated ? "roles_updated" : void 0,
+      detailsParams: rolesUpdated ? { roles: roles2 } : void 0
+    })
+  ];
+  if (userCreated) {
+    entries.push(
+      auditLog2.log({
+        action: "user_created",
+        email: user.email,
+        ip: ctx.ip,
+        detailsKey: "user_created",
+        detailsParams: { roles: roles2 }
+      })
+    );
+  }
+  await Promise.all(entries);
+}
+async function handleCallbackError(e, userInfo, auditLog2, oauthService2, ctx) {
+  const errorInfo = classifyOidcError(e, userInfo);
+  const message = e instanceof Error ? e.message : String(e);
+  await auditLog2.log({
+    action: errorInfo.action,
+    email: userInfo?.email,
+    ip: ctx.ip,
+    detailsKey: errorInfo.action,
+    detailsParams: errorInfo.action === "login_failure" ? { message } : void 0
+  });
+  strapi.log.error({
+    code: errorInfo.code,
+    phase: "oidc_callback",
+    message: e instanceof Error ? e.message : "Unknown sign-in error",
+    detail: errorInfo.key ? getErrorDetail(errorInfo.key, errorInfo.params) : void 0,
+    email: userInfo?.email
+  });
+  const locale = negotiateLocale(ctx.request.headers["accept-language"]);
+  ctx.send(oauthService2.renderSignUpError(userFacingMessages(locale).signInError, locale));
+}
+async function oidcSignInCallback(ctx) {
+  const config2 = configValidation();
+  const oauthService2 = getOauthService();
+  const auditLog2 = getAuditLogService();
+  const locale = negotiateLocale(ctx.request.headers["accept-language"]);
+  if (!ctx.query.code) {
+    await auditLog2.log({ action: "missing_code", ip: ctx.ip });
+    return ctx.send(
+      oauthService2.renderSignUpError(userFacingMessages(locale).missing_code, locale)
+    );
+  }
+  const { oidcState, codeVerifier, oidcNonce } = readAndClearPkceCookies(ctx);
   if (!ctx.query.state || ctx.query.state !== oidcState) {
     await auditLog2.log({ action: "state_mismatch", ip: ctx.ip });
-    return ctx.send(oauthService2.renderSignUpError(userFacingMessages.invalid_state));
+    return ctx.send(
+      oauthService2.renderSignUpError(userFacingMessages(locale).invalid_state, locale)
+    );
   }
   const params = new URLSearchParams({
     code: ctx.query.code,
@@ -619,107 +820,81 @@ async function oidcSignInCallback(ctx) {
   try {
     const exchangeResult = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce ?? "");
     userInfo = exchangeResult.userInfo;
-    const accessToken = exchangeResult.accessToken;
     const isProduction = strapi.config.get("environment") === "production";
-    ctx.cookies.set("oidc_access_token", accessToken, {
+    const secureFlag = isProduction && ctx.request.secure;
+    ctx.cookies.set("oidc_access_token", exchangeResult.accessToken, {
       httpOnly: true,
       maxAge: 3e5,
-      // 5 minutes — matches typical provider access token lifetime
-      secure: isProduction && ctx.request.secure,
+      secure: secureFlag,
       sameSite: "lax"
     });
     const { activateUser, jwtToken, userCreated, rolesUpdated, resolvedRoleNames } = await handleUserAuthentication(
-      userService,
+      getAdminUserService(),
       oauthService2,
-      roleService2,
-      whitelistService2,
+      getRoleService(),
+      getWhitelistService(),
       userInfo,
       config2,
       ctx
     );
-    const identityCookieOptions = {
+    ctx.cookies.set("oidc_user_email", activateUser.email, {
       httpOnly: true,
       path: "/",
-      secure: isProduction && ctx.request.secure,
+      secure: secureFlag,
       sameSite: "lax"
-    };
-    ctx.cookies.set("oidc_user_email", activateUser.email, identityCookieOptions);
-    if (userCreated) {
-      await auditLog2.log({
-        action: "user_created",
-        email: activateUser.email,
-        ip: ctx.ip,
-        detailsKey: "user_created",
-        detailsParams: { roles: resolvedRoleNames.join(", ") }
-      });
-    }
-    await auditLog2.log({
-      action: "login_success",
-      email: activateUser.email,
-      ip: ctx.ip,
-      detailsKey: rolesUpdated ? "roles_updated" : void 0,
-      detailsParams: rolesUpdated ? { roles: resolvedRoleNames.join(", ") } : void 0
     });
+    await logSuccessfulAuth(
+      auditLog2,
+      ctx,
+      activateUser,
+      userCreated,
+      rolesUpdated,
+      resolvedRoleNames
+    );
     const nonce = node_crypto.randomUUID();
-    const html = oauthService2.renderSignUpSuccess(jwtToken, activateUser, nonce);
     ctx.set("Content-Security-Policy", `script-src 'nonce-${nonce}'`);
-    ctx.send(html);
+    ctx.send(oauthService2.renderSignUpSuccess(jwtToken, activateUser, nonce, locale));
   } catch (e) {
-    const msg = e.message ?? "";
-    const errorInfo = classifyOidcError(msg, userInfo);
-    await auditLog2.log({
-      action: errorInfo.action,
-      email: userInfo?.email,
-      ip: ctx.ip,
-      detailsKey: errorInfo.action,
-      detailsParams: errorInfo.action === "login_failure" ? { message: msg } : void 0
-    });
-    strapi.log.error({
-      code: errorInfo.code,
-      phase: "oidc_callback",
-      message: msg || "Unknown sign-in error",
-      detail: errorInfo.key ? getErrorDetail(errorInfo.key, errorInfo.params) : void 0,
-      email: userInfo?.email
+    await handleCallbackError(e, userInfo, auditLog2, oauthService2, ctx);
+  }
+}
+async function isProviderSessionActive(userinfoEndpoint, accessToken) {
+  try {
+    const response = await fetch(userinfoEndpoint, {
+      headers: { Authorization: `Bearer ${accessToken}` },
+      signal: AbortSignal.timeout(LOGOUT_USERINFO_TIMEOUT_MS)
     });
-    ctx.send(oauthService2.renderSignUpError(userFacingMessages.signInError));
+    return response.ok;
+  } catch {
+    return false;
   }
 }
 async function logout(ctx) {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
-  const auditLog2 = strapi.plugin("strapi-plugin-oidc").service("auditLog");
+  const auditLog2 = getAuditLogService();
   const logoutUrl = config2.OIDC_END_SESSION_ENDPOINT;
   const adminPanelUrl = strapi.config.get("admin.url", "/admin");
+  const loginUrl = `${adminPanelUrl}/auth/login`;
   const isOidcSession = !!ctx.cookies.get("oidc_authenticated");
   const accessToken = ctx.cookies.get("oidc_access_token");
   const userEmail = ctx.cookies.get("oidc_user_email") ?? void 0;
   clearAuthCookies(strapi, ctx);
-  if (logoutUrl && isOidcSession && accessToken) {
-    try {
-      const response = await fetch(config2.OIDC_USERINFO_ENDPOINT, {
-        headers: { Authorization: `Bearer ${accessToken}` }
+  if (!isOidcSession) {
+    return ctx.redirect(loginUrl);
+  }
+  const logAudit = (action) => userEmail ? auditLog2.log({ action, email: userEmail, ip: ctx.ip }) : Promise.resolve();
+  if (logoutUrl && accessToken) {
+    const active = await isProviderSessionActive(config2.OIDC_USERINFO_ENDPOINT, accessToken);
+    if (active) {
+      logAudit("logout").catch(() => {
       });
-      if (response.ok) {
-        if (userEmail)
-          auditLog2.log({ action: "logout", email: userEmail, ip: ctx.ip }).catch(() => {
-          });
-        return ctx.redirect(logoutUrl);
-      }
-      if (userEmail)
-        await auditLog2.log({ action: "session_expired", email: userEmail, ip: ctx.ip });
-      return ctx.redirect(`${adminPanelUrl}/auth/login`);
-    } catch {
-      if (userEmail)
-        await auditLog2.log({ action: "session_expired", email: userEmail, ip: ctx.ip });
-      return ctx.redirect(`${adminPanelUrl}/auth/login`);
+      return ctx.redirect(logoutUrl);
     }
+    await logAudit("session_expired");
+    return ctx.redirect(loginUrl);
   }
-  if (isOidcSession && userEmail) {
-    await auditLog2.log({ action: "logout", email: userEmail, ip: ctx.ip });
-  }
-  if (logoutUrl && isOidcSession) {
-    return ctx.redirect(logoutUrl);
-  }
-  ctx.redirect(`${adminPanelUrl}/auth/login`);
+  await logAudit("logout");
+  ctx.redirect(logoutUrl || loginUrl);
 }
 const oidc = {
   oidcSignIn,
@@ -727,7 +902,7 @@ const oidc = {
   logout
 };
 async function find$1(ctx) {
-  const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
+  const roleService2 = getRoleService();
   const roles2 = await roleService2.find();
   const oidcConstants = roleService2.getOidcRoles();
   for (const oidc2 of oidcConstants) {
@@ -741,7 +916,7 @@ async function find$1(ctx) {
 async function update(ctx) {
   try {
     const { roles: roles2 } = ctx.request.body;
-    const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
+    const roleService2 = getRoleService();
     await roleService2.update(roles2);
     ctx.send({}, 204);
   } catch (e) {
@@ -762,8 +937,17 @@ function formatDatetimeForFilename(date) {
   const seconds = String(date.getSeconds()).padStart(2, "0");
   return `${year}${month}${day}_${hours}${minutes}${seconds}`;
 }
-function getWhitelistService() {
-  return strapi.plugin("strapi-plugin-oidc").service("whitelist");
+function setJsonAttachmentHeaders(ctx, basename) {
+  const datetime = formatDatetimeForFilename(/* @__PURE__ */ new Date());
+  ctx.set("Content-Type", "application/json");
+  ctx.set("Content-Disposition", `attachment; filename="${basename}-${datetime}.json"`);
+}
+function setNdjsonAttachmentHeaders(ctx, basename) {
+  const datetime = formatDatetimeForFilename(/* @__PURE__ */ new Date());
+  ctx.set("Content-Type", "application/x-ndjson; charset=utf-8");
+  ctx.set("Content-Disposition", `attachment; filename="${basename}-${datetime}.ndjson"`);
+  ctx.set("Cache-Control", "no-store");
+  ctx.set("X-Content-Type-Options", "nosniff");
 }
 async function info(ctx) {
   const whitelistService2 = getWhitelistService();
@@ -778,8 +962,9 @@ async function info(ctx) {
   };
 }
 async function updateSettings(ctx) {
-  const { useWhitelist } = ctx.request.body;
-  let { enforceOIDC } = ctx.request.body;
+  const body = ctx.request.body;
+  const { useWhitelist } = body;
+  let { enforceOIDC } = body;
   const whitelistService2 = getWhitelistService();
   if (useWhitelist && enforceOIDC) {
     const users = await whitelistService2.getUsers();
@@ -808,11 +993,9 @@ async function register(ctx) {
   const rawEmails = Array.isArray(email) ? email : email.split(",");
   const emailList = rawEmails.map((e) => String(e).trim().toLowerCase()).filter(Boolean);
   const whitelistService2 = getWhitelistService();
-  let matchedExistingUsersCount = 0;
+  const matchedExistingUsersCount = await whitelistService2.countAdminUsersByEmails(emailList);
   for (const singleEmail of emailList) {
-    const existingUser = await strapi.query("admin::user").findOne({ where: { email: singleEmail } });
-    if (existingUser) matchedExistingUsersCount++;
-    const alreadyWhitelisted = await strapi.query("plugin::strapi-plugin-oidc.whitelists").findOne({ where: { email: singleEmail } });
+    const alreadyWhitelisted = await whitelistService2.hasUser(singleEmail);
     if (!alreadyWhitelisted) {
       await whitelistService2.registerUser(singleEmail);
     }
@@ -826,13 +1009,12 @@ async function removeEmail(ctx) {
   ctx.body = {};
 }
 async function deleteAll(ctx) {
-  await strapi.query("plugin::strapi-plugin-oidc.whitelists").deleteMany({});
+  const whitelistService2 = getWhitelistService();
+  await whitelistService2.deleteAllUsers();
   ctx.body = {};
 }
 async function exportWhitelist(ctx) {
-  const datetime = formatDatetimeForFilename(/* @__PURE__ */ new Date());
-  ctx.set("Content-Type", "application/json");
-  ctx.set("Content-Disposition", `attachment; filename="strapi-oidc-whitelist-${datetime}.json"`);
+  setJsonAttachmentHeaders(ctx, "strapi-oidc-whitelist");
   const whitelistService2 = getWhitelistService();
   const users = await whitelistService2.getUsers();
   ctx.body = users.map((u) => ({ email: u.email }));
@@ -844,7 +1026,7 @@ async function importUsers(ctx) {
     ctx.body = { error: "Expected { users: [{email}] }" };
     return;
   }
-  const normalized = users.filter((u) => u?.email).map((u) => String(u.email).trim().toLowerCase()).filter((email) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email));
+  const normalized = users.filter((u) => u?.email).map((u) => String(u.email).trim().toLowerCase()).filter(isValidEmail);
   const deduped = [...new Set(normalized)];
   const whitelistService2 = getWhitelistService();
   const existing = await whitelistService2.getUsers();
@@ -859,7 +1041,7 @@ async function importUsers(ctx) {
 }
 async function syncUsers(ctx) {
   const { users: rawUsers } = ctx.request.body;
-  const emails = rawUsers.map((u) => String(u.email).toLowerCase()).filter((e) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(e));
+  const emails = rawUsers.map((u) => String(u.email).toLowerCase()).filter(isValidEmail);
   const whitelistService2 = getWhitelistService();
   const currentUsers = await whitelistService2.getUsers();
   const syncEmailSet = new Set(emails);
@@ -887,44 +1069,194 @@ const whitelist = {
   importUsers,
   exportWhitelist
 };
-function getAuditLogService() {
-  return strapi.plugin("strapi-plugin-oidc").service("auditLog");
+const AUDIT_ACTIONS = [
+  "login_success",
+  "login_failure",
+  "missing_code",
+  "state_mismatch",
+  "nonce_mismatch",
+  "token_exchange_failed",
+  "whitelist_rejected",
+  "logout",
+  "session_expired",
+  "user_created"
+];
+const ISO_UTC_DATETIME = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/;
+function isIsoUtcDatetime(value) {
+  return typeof value === "string" && ISO_UTC_DATETIME.test(value);
 }
-async function find(ctx) {
-  const page = Math.max(1, Number(ctx.query.page) || 1);
-  const pageSize = Math.min(100, Math.max(1, Number(ctx.query.pageSize) || 25));
-  ctx.body = await getAuditLogService().find({ page, pageSize });
+const ALLOWED_FIELDS = /* @__PURE__ */ new Set(["action", "email", "ip", "createdAt"]);
+const STRING_OPERATORS = /* @__PURE__ */ new Set([
+  "$eq",
+  "$contains",
+  "$endsWith",
+  "$null",
+  "$notNull"
+]);
+const DATE_OPERATORS = /* @__PURE__ */ new Set(["$gte", "$lt", "$lte", "$between", "$in"]);
+const ENUM_OPERATORS = /* @__PURE__ */ new Set(["$eq", "$in"]);
+function isPlainObject(value) {
+  if (typeof value !== "object" || value === null || Array.isArray(value)) return false;
+  const proto = Object.getPrototypeOf(value);
+  return proto === Object.prototype || proto === null;
 }
-async function exportLogs(ctx) {
-  const datetime = formatDatetimeForFilename(/* @__PURE__ */ new Date());
-  ctx.set("Content-Type", "application/json");
-  ctx.set("Content-Disposition", `attachment; filename="strapi-oidc-audit-log-${datetime}.json"`);
-  const service = getAuditLogService();
-  const PAGE_SIZE = 1e3;
-  const allRows = [];
+function isStringOperator(op) {
+  return STRING_OPERATORS.has(op);
+}
+function isDateOperator(op) {
+  return DATE_OPERATORS.has(op);
+}
+function isEnumOperator(op) {
+  return ENUM_OPERATORS.has(op);
+}
+function isAuditAction(value) {
+  return AUDIT_ACTIONS.includes(value);
+}
+class ValidationError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ValidationError";
+  }
+}
+function requireType(field, op, value, check, expected) {
+  if (!check) {
+    throw new ValidationError(`Operator "${op}" for field "${field}" requires ${expected}`);
+  }
+  return value;
+}
+function parseActionOperator(op, opValue) {
+  if (!isEnumOperator(op)) {
+    throw new ValidationError(`Unknown operator "${op}" for field "action"`);
+  }
+  if (op === "$in") {
+    requireType("action", op, opValue, Array.isArray(opValue), "an array value");
+    for (const v of opValue) {
+      if (!isAuditAction(v)) {
+        throw new ValidationError(
+          `Invalid action value "${v}" — must be one of: ${AUDIT_ACTIONS.join(", ")}`
+        );
+      }
+    }
+    return opValue;
+  }
+  if (!isAuditAction(opValue)) {
+    throw new ValidationError(
+      `Invalid action value "${opValue}" — must be one of: ${AUDIT_ACTIONS.join(", ")}`
+    );
+  }
+  return opValue;
+}
+function parseCreatedAtOperator(op, opValue) {
+  if (!isDateOperator(op)) {
+    throw new ValidationError(`Unknown operator "${op}" for field "createdAt"`);
+  }
+  const expected = 'an ISO-8601 UTC datetime string (e.g. "2024-01-15T00:00:00.000Z")';
+  if (op === "$between") {
+    const isTuple = Array.isArray(opValue) && opValue.length === 2;
+    requireType("createdAt", op, opValue, isTuple, "a tuple [start, end]");
+    const [a, b] = opValue;
+    requireType("createdAt", op, opValue, isIsoUtcDatetime(a) && isIsoUtcDatetime(b), expected);
+    return opValue;
+  }
+  if (op === "$in") {
+    requireType("createdAt", op, opValue, Array.isArray(opValue), "an array value");
+    for (const v of opValue) {
+      requireType("createdAt", op, v, isIsoUtcDatetime(v), expected);
+    }
+    return opValue;
+  }
+  return requireType("createdAt", op, opValue, isIsoUtcDatetime(opValue), expected);
+}
+function parseStringFieldOperator(field, op, opValue) {
+  if (!isStringOperator(op)) {
+    throw new ValidationError(`Unknown operator "${op}" for field "${field}"`);
+  }
+  if (op === "$null" || op === "$notNull") {
+    return requireType(field, op, opValue, typeof opValue === "boolean", "a boolean value");
+  }
+  return requireType(field, op, opValue, typeof opValue === "string", "a string value");
+}
+function parseFieldOperators(field, fieldValue) {
+  if (!isPlainObject(fieldValue)) {
+    throw new ValidationError(
+      `Filter field "${field}" must be an object of operators, got ${typeof fieldValue}`
+    );
+  }
+  const parsed = {};
+  for (const [op, opValue] of Object.entries(fieldValue)) {
+    if (field === "action") parsed[op] = parseActionOperator(op, opValue);
+    else if (field === "createdAt") parsed[op] = parseCreatedAtOperator(op, opValue);
+    else parsed[op] = parseStringFieldOperator(field, op, opValue);
+  }
+  return Object.keys(parsed).length > 0 ? parsed : null;
+}
+function parseAuditLogFilters(query) {
+  if (!isPlainObject(query)) return {};
+  const result = {};
+  const filters = query.filters;
+  if (filters === void 0) return result;
+  if (!isPlainObject(filters)) {
+    throw new ValidationError(`"filters" must be an object, got ${typeof filters}`);
+  }
+  for (const [field, fieldValue] of Object.entries(filters)) {
+    if (!ALLOWED_FIELDS.has(field)) {
+      throw new ValidationError(`Unknown filter field: "${field}"`);
+    }
+    const parsed = parseFieldOperators(field, fieldValue);
+    if (parsed) result[field] = parsed;
+  }
+  return result;
+}
+const EXPORT_PAGE_SIZE = 500;
+async function* ndjsonRowStream(service, filters) {
   let page = 1;
   while (true) {
-    const { results } = await service.find({ page, pageSize: PAGE_SIZE });
+    const { results } = await service.find({ page, pageSize: EXPORT_PAGE_SIZE, filters });
+    if (results.length === 0) return;
+    let chunk = "";
     for (const row of results) {
-      allRows.push({
-        id: row.id,
-        createdAt: row.createdAt,
+      chunk += JSON.stringify({
+        datetime: row.createdAt,
         action: row.action,
         email: row.email ?? null,
         ip: row.ip ?? null,
         details: row.details
-      });
+      }) + "\n";
     }
-    if (results.length < PAGE_SIZE) break;
+    yield Buffer.from(chunk, "utf8");
+    if (results.length < EXPORT_PAGE_SIZE) return;
     page++;
   }
-  ctx.body = allRows.map((row) => ({
-    datetime: row.createdAt,
-    action: row.action,
-    email: row.email,
-    ip: row.ip,
-    details: row.details
-  }));
+}
+function errorAwareNdjsonStream(strapi2, service, filters) {
+  const gen = ndjsonRowStream(service, filters);
+  const readable = node_stream.Readable.from(gen);
+  readable.on("error", (err) => {
+    strapi2.log.error({ phase: "audit_log_export", err }, "NDJSON export stream failed");
+  });
+  return readable;
+}
+function parseFiltersOr400(ctx) {
+  try {
+    return parseAuditLogFilters(ctx.query);
+  } catch (err) {
+    ctx.status = 400;
+    ctx.body = { message: err instanceof ValidationError ? err.message : "Invalid filters" };
+    return null;
+  }
+}
+async function find(ctx) {
+  const filters = parseFiltersOr400(ctx);
+  if (!filters) return;
+  const page = Math.max(1, Number(ctx.query.page) || 1);
+  const pageSize = Math.min(100, Math.max(1, Number(ctx.query.pageSize) || 25));
+  ctx.body = await getAuditLogService().find({ page, pageSize, filters });
+}
+async function exportLogs(ctx) {
+  const filters = parseFiltersOr400(ctx);
+  if (!filters) return;
+  setNdjsonAttachmentHeaders(ctx, "strapi-oidc-audit-log");
+  ctx.body = errorAwareNdjsonStream(ctx.strapi, getAuditLogService(), filters);
 }
 async function clearAll(ctx) {
   await getAuditLogService().clearAll();
@@ -1138,10 +1470,10 @@ const routes = {
   }
 };
 const policies = {};
-function renderHtmlTemplate(title, content) {
+function renderHtmlTemplate(title, content, locale = "en") {
   return `
 <!doctype html>
-<html lang="en">
+<html lang="${locale}">
 <head>
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
@@ -1159,7 +1491,7 @@ function renderHtmlTemplate(title, content) {
       --icon-color: #d02b20;
       --success-bg: #eafbe7;
       --success-color: #328048;
-      --shadow: 0 1px 4px rgba(33, 33, 52, 0.1);
+      --shadow: 0 1px 4 rgba(33, 33, 52, 0.1);
     }
     @media (prefers-color-scheme: dark) {
       :root {
@@ -1174,7 +1506,7 @@ function renderHtmlTemplate(title, content) {
         --icon-color: #f23628;
         --success-bg: #1c3523;
         --success-color: #55ca76;
-        --shadow: 0 1px 4px rgba(0, 0, 0, 0.5);
+        --shadow: 0 1px 4 rgba(0, 0, 0, 0.5);
       }
     }
     body {
@@ -1259,14 +1591,11 @@ function oauthService({ strapi: strapi2 }) {
   return {
     async createUser(email, lastname, firstname, locale, roles2 = []) {
       const userService = strapi2.service("admin::user");
-      if (/[A-Z]/.test(email)) {
-        const dbUser = await userService.findOneByEmail(email.toLocaleLowerCase());
-        if (dbUser) return dbUser;
-      }
+      const normalizedEmail = email.toLowerCase();
       const createdUser = await userService.create({
         firstname: firstname || "unset",
         lastname: lastname || "",
-        email: email.toLocaleLowerCase(),
+        email: normalizedEmail,
         roles: roles2,
         preferedLanguage: locale
       });
@@ -1297,35 +1626,36 @@ function oauthService({ strapi: strapi2 }) {
     },
     async triggerWebHook(user) {
       let ENTRY_CREATE;
-      const webhookStore = strapi2.serviceMap.get("webhookStore");
-      const eventHub = strapi2.serviceMap.get("eventHub");
+      const webhookStore = strapi2.serviceMap?.get("webhookStore");
+      const eventHub = strapi2.serviceMap?.get("eventHub");
       if (webhookStore) {
         ENTRY_CREATE = webhookStore.allowedEvents.get("ENTRY_CREATE");
       }
       const modelDef = strapi2.getModel("admin::user");
       const sanitizedEntity = await strapiUtils__default.default.sanitize.sanitizers.defaultSanitizeOutput(
-        {
-          schema: modelDef,
-          getModel: (uid2) => strapi2.getModel(uid2)
-        },
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        { schema: modelDef, getModel: (uid2) => strapi2.getModel(uid2) },
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
         user
       );
-      eventHub.emit(ENTRY_CREATE, {
+      eventHub?.emit(ENTRY_CREATE ?? "entry.create", {
         model: modelDef.modelName,
         entry: sanitizedEntity
       });
     },
     triggerSignInSuccess(user) {
-      delete user.password;
-      const eventHub = strapi2.serviceMap.get("eventHub");
-      eventHub.emit("admin.auth.success", {
-        user,
+      const userCopy = { ...user };
+      delete userCopy.password;
+      const eventHub = strapi2.serviceMap?.get("eventHub");
+      eventHub?.emit("admin.auth.success", {
+        user: userCopy,
         provider: "strapi-plugin-oidc"
       });
     },
-    renderSignUpSuccess(jwtToken, user, nonce) {
+    renderSignUpSuccess(jwtToken, user, nonce, locale = "en") {
       const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
-      const isRememberMe = !!config2["REMEMBER_ME"];
+      const isRememberMe = !!config2?.REMEMBER_ME;
+      const messages = authPageMessages(locale);
       const content = `
     <noscript>
       <div class="card">
@@ -1334,8 +1664,8 @@ function oauthService({ strapi: strapi2 }) {
             <path d="M20 6 9 17l-5-5"/>
           </svg>
         </div>
-        <h1>JavaScript Required</h1>
-        <p>JavaScript must be enabled for authentication to complete.</p>
+        <h1>${messages.noscriptHeading}</h1>
+        <p>${messages.noscriptBody}</p>
       </div>
     </noscript>
     <script nonce="${nonce}">
@@ -1349,9 +1679,10 @@ function oauthService({ strapi: strapi2 }) {
       location.href = '${strapi2.config.admin.url}'
      })
     <\/script>`;
-      return renderHtmlTemplate("Authenticating...", content);
+      return renderHtmlTemplate(messages.authenticatingTitle, content, locale);
     },
-    renderSignUpError(message) {
+    renderSignUpError(message, locale = "en") {
+      const messages = authPageMessages(locale);
       const safeMessage = String(message).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
       const content = `
   <div class="card">
@@ -1362,11 +1693,11 @@ function oauthService({ strapi: strapi2 }) {
         <path d="M12 17h.01"/>
       </svg>
     </div>
-    <h1>Authentication Failed</h1>
+    <h1>${messages.errorTitle}</h1>
     <p>${safeMessage}</p>
-    <a href="${strapi2.config.admin.url}" class="btn">Return to Login</a>
+    <a href="${strapi2.config.admin.url}" class="btn">${messages.returnToLogin}</a>
   </div>`;
-      return renderHtmlTemplate("Authentication Failed", content);
+      return renderHtmlTemplate(messages.errorTitle, content, locale);
     },
     async generateToken(user, ctx) {
       const sessionManager = strapi2.sessionManager;
@@ -1376,12 +1707,15 @@ function oauthService({ strapi: strapi2 }) {
       const userId = String(user.id);
       const deviceId = node_crypto.randomUUID();
       const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
-      const rememberMe = !!config2["REMEMBER_ME"];
-      const { token: refreshToken, absoluteExpiresAt } = await sessionManager(
-        "admin"
-      ).generateRefreshToken(userId, deviceId, {
-        type: rememberMe ? "refresh" : "session"
-      });
+      const rememberMe = !!config2?.REMEMBER_ME;
+      const smAdmin = sessionManager("admin");
+      const { token: refreshToken, absoluteExpiresAt } = await smAdmin.generateRefreshToken(
+        userId,
+        deviceId,
+        {
+          type: rememberMe ? "refresh" : "session"
+        }
+      );
       const isProduction = strapi2.config.get("environment") === "production";
       const domain = strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain");
       const path = strapi2.config.get("admin.auth.cookie.path", "/admin");
@@ -1398,7 +1732,6 @@ function oauthService({ strapi: strapi2 }) {
         const idleLifespanSec = strapi2.config.get(
           "admin.auth.sessions.idleRefreshTokenLifespan",
           1209600
-          // 14 days — Strapi default
         );
         const idleMs = idleLifespanSec * 1e3;
         const absoluteMs = new Date(absoluteExpiresAt).getTime() - Date.now();
@@ -1408,7 +1741,7 @@ function oauthService({ strapi: strapi2 }) {
       }
       ctx.cookies.set("strapi_admin_refresh", refreshToken, cookieOptions);
       ctx.cookies.set("oidc_authenticated", "1", { ...cookieOptions, path: "/" });
-      const accessResult = await sessionManager("admin").generateAccessToken(refreshToken);
+      const accessResult = await smAdmin.generateAccessToken(refreshToken);
       if ("error" in accessResult) {
         throw new Error(accessResult.error);
       }
@@ -1499,8 +1832,23 @@ function whitelistService({ strapi: strapi2 }) {
       const result = await getWhitelistQuery().findOne({
         where: { email }
       });
-      if (!result) throw new Error(errorMessages.WHITELIST_NOT_PRESENT);
+      if (!result) throw new OidcError("whitelist_rejected", errorMessages.WHITELIST_NOT_PRESENT);
       return result;
+    },
+    async hasUser(email) {
+      const row = await getWhitelistQuery().findOne({ where: { email }, select: ["id"] });
+      return !!row;
+    },
+    async deleteAllUsers() {
+      await getWhitelistQuery().deleteMany({});
+    },
+    async countAdminUsersByEmails(emails) {
+      if (emails.length === 0) return 0;
+      const rows = await strapi2.query("admin::user").findMany({
+        where: { email: { $in: emails } },
+        select: ["id"]
+      });
+      return rows.length;
     }
   };
 }
@@ -1513,6 +1861,58 @@ function translateDetails(key, params) {
   if (!translation) return null;
   return interpolate(translation, params);
 }
+const STRING_OP_MAP = {
+  $eq: (v) => v,
+  $contains: (v) => ({ $containsi: v }),
+  $endsWith: (v) => ({ $endsWith: v }),
+  $null: (v) => v === true ? null : void 0,
+  $notNull: (v) => v === true ? { $notNull: true } : void 0
+};
+const DATE_OP_MAP = {
+  $gte: (v) => ({ $gte: v }),
+  $lt: (v) => ({ $lt: v }),
+  $lte: (v) => ({ $lte: v }),
+  $between: (v) => ({ $between: v })
+  // $in is handled separately: each ISO day-start is expanded to a [day, day+1) range.
+};
+const DAY_MS = 864e5;
+function nextDayIso(iso) {
+  return new Date(new Date(iso).getTime() + DAY_MS).toISOString();
+}
+function expandCreatedAtInToDayRanges(days) {
+  const ranges = days.map((d) => ({ createdAt: { $gte: d, $lt: nextDayIso(d) } }));
+  return ranges.length === 1 ? ranges[0] : { $or: ranges };
+}
+const ACTION_OP_MAP = {
+  $eq: (v) => v,
+  $in: (v) => ({ $in: v })
+};
+function mapFieldFilter(conditions, field, filter, opMap) {
+  for (const [op, value] of Object.entries(filter)) {
+    const transform = opMap[op];
+    if (!transform) continue;
+    const result = transform(value);
+    if (result !== void 0) conditions.push({ [field]: result });
+  }
+}
+function buildWhereClause(filters) {
+  const conditions = [];
+  if (filters.action) mapFieldFilter(conditions, "action", filters.action, ACTION_OP_MAP);
+  if (filters.email) mapFieldFilter(conditions, "email", filters.email, STRING_OP_MAP);
+  if (filters.ip) mapFieldFilter(conditions, "ip", filters.ip, STRING_OP_MAP);
+  if (filters.createdAt) {
+    const { $in: inDays, ...rest } = filters.createdAt;
+    if (Array.isArray(inDays) && inDays.length > 0) {
+      conditions.push(expandCreatedAtInToDayRanges(inDays));
+    }
+    if (Object.keys(rest).length > 0) {
+      mapFieldFilter(conditions, "createdAt", rest, DATE_OP_MAP);
+    }
+  }
+  if (conditions.length === 0) return {};
+  if (conditions.length === 1) return conditions[0];
+  return { $and: conditions };
+}
 function auditLogService({ strapi: strapi2 }) {
   return {
     async log({ action, email, ip, detailsKey, detailsParams }) {
@@ -1535,19 +1935,33 @@ function auditLogService({ strapi: strapi2 }) {
         });
       }
     },
-    async find({ page = 1, pageSize = 25 } = {}) {
-      const result = await strapi2.db.query("plugin::strapi-plugin-oidc.audit-log").findPage({
-        sort: { createdAt: "desc" },
-        page,
-        pageSize
-      });
-      const results = result.results.map((row) => ({
-        ...row,
-        details: row.detailsKey ? translateDetails(row.detailsKey, row.detailsParams) : null
-      }));
+    async find({
+      page = 1,
+      pageSize = 25,
+      filters
+    } = {}) {
+      const where = filters ? buildWhereClause(filters) : {};
+      const dbQuery = strapi2.db.query("plugin::strapi-plugin-oidc.audit-log");
+      const [rows, total] = await Promise.all([
+        dbQuery.findMany({
+          where,
+          orderBy: [{ createdAt: "desc" }],
+          limit: pageSize,
+          offset: (page - 1) * pageSize
+        }),
+        dbQuery.count({ where })
+      ]);
       return {
-        results,
-        pagination: result.pagination
+        results: rows.map((row) => ({
+          ...row,
+          details: row.detailsKey ? translateDetails(row.detailsKey, row.detailsParams) : null
+        })),
+        pagination: {
+          page,
+          pageSize,
+          total,
+          pageCount: Math.ceil(total / pageSize)
+        }
       };
     },
     async clearAll() {
@@ -1559,7 +1973,7 @@ function auditLogService({ strapi: strapi2 }) {
       } while (deletedCount === BATCH_SIZE);
     },
     async cleanup(retentionDays) {
-      const cutoff = new Date(Date.now() - retentionDays * 864e5);
+      const cutoff = new Date(Date.now() - retentionDays * DAY_MS);
       await strapi2.db.query("plugin::strapi-plugin-oidc.audit-log").deleteMany({ where: { createdAt: { $lt: cutoff } } });
     }
   };