npm - strapi-plugin-oidc - Versions diffs - 1.6.5 → 1.7.0 - Mend

strapi-plugin-oidc 1.6.5 → 1.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/README.md +45 -15
package/dist/admin/index-C2KZ4QxC.js +4381 -0
package/dist/admin/{index-C2BnnDzh.js → index-DB7zjuHj.js} +23 -6
package/dist/admin/{index-DgUClS5s.mjs → index-D_ZKgByO.mjs} +23 -6
package/dist/admin/index-UvfJxIgI.mjs +4379 -0
package/dist/admin/index.js +1 -1
package/dist/admin/index.mjs +1 -1
package/dist/server/index.js +686 -272
package/dist/server/index.mjs +686 -272
package/package.json +3 -2
package/dist/admin/index-HQ2uuypE.mjs +0 -841
package/dist/admin/index-pWwCtdNu.js +0 -843

package/dist/server/index.mjs CHANGED Viewed

@@ -1,5 +1,6 @@
 import { randomUUID, randomBytes, createHash } from "node:crypto";
 import pkceChallenge from "pkce-challenge";
+import { Readable } from "node:stream";
 import strapiUtils from "@strapi/utils";
 import generator from "generate-password";
 function register$1() {
@@ -30,6 +31,12 @@ function getRetentionDays() {
 function isAuditLogEnabled() {
   return getRetentionDays() !== 0;
 }
+const PLUGIN_NAME = "strapi-plugin-oidc";
+const getOauthService = () => strapi.plugin(PLUGIN_NAME).service("oauth");
+const getRoleService = () => strapi.plugin(PLUGIN_NAME).service("role");
+const getWhitelistService = () => strapi.plugin(PLUGIN_NAME).service("whitelist");
+const getAuditLogService = () => strapi.plugin(PLUGIN_NAME).service("auditLog");
+const getAdminUserService = () => strapi.service("admin::user");
 const AUTH_ROUTES = ["login", "register", "register-admin", "forgot-password", "reset-password"];
 async function bootstrap({ strapi: strapi2 }) {
   const adminUrl = strapi2.config.get("admin.url", "/admin");
@@ -41,7 +48,7 @@ async function bootstrap({ strapi: strapi2 }) {
     const isTokenRefresh = path === tokenRefreshPath;
     if (isAuthRoute && isPost || isTokenRefresh) {
       try {
-        const whitelistService2 = strapi2.plugin("strapi-plugin-oidc").service("whitelist");
+        const whitelistService2 = getWhitelistService();
         const settings = await whitelistService2.getSettings();
         const enforceOIDC = resolveEnforceOIDC(strapi2, settings?.enforceOIDC);
         if (enforceOIDC && isAuthRoute && isPost) {
@@ -89,7 +96,7 @@ async function bootstrap({ strapi: strapi2 }) {
   const enforceOIDCConfig = getEnforceOIDCConfig(strapi2);
   if (enforceOIDCConfig !== null) {
     try {
-      const whitelistService2 = strapi2.plugin("strapi-plugin-oidc").service("whitelist");
+      const whitelistService2 = getWhitelistService();
       const settings = await whitelistService2.getSettings();
       if (settings.enforceOIDC !== enforceOIDCConfig) {
         await whitelistService2.setSettings({ ...settings, enforceOIDC: enforceOIDCConfig });
@@ -119,7 +126,7 @@ async function bootstrap({ strapi: strapi2 }) {
       task: async () => {
         try {
           const retentionDays = getRetentionDays();
-          await strapi2.plugin("strapi-plugin-oidc").service("auditLog").cleanup(retentionDays);
+          await getAuditLogService().cleanup(retentionDays);
         } catch (err) {
           strapi2.log.warn("[strapi-plugin-oidc] Audit log cleanup failed:", err.message);
         }
@@ -213,9 +220,14 @@ function getExpiredCookieOptions(strapi2, ctx) {
 function clearAuthCookies(strapi2, ctx) {
   const options2 = getExpiredCookieOptions(strapi2, ctx);
   ctx.cookies.set("strapi_admin_refresh", "", options2);
-  ctx.cookies.set("oidc_authenticated", "", { ...options2, path: "/" });
-  ctx.cookies.set("oidc_access_token", "", { ...options2, path: "/" });
-  ctx.cookies.set("oidc_user_email", "", { ...options2, path: "/" });
+  const rootPathOptions = { ...options2, path: "/" };
+  for (const name of ["oidc_authenticated", "oidc_access_token", "oidc_user_email"]) {
+    ctx.cookies.set(name, "", rootPathOptions);
+  }
+}
+const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+function isValidEmail(email) {
+  return EMAIL_REGEX.test(email);
 }
 const errorCodes = {
   TOKEN_EXCHANGE_FAILED: "TOKEN_EXCHANGE_FAILED",
@@ -266,6 +278,7 @@ const en = {
   "page.save.error": "Update failed.",
   "page.add": "Add",
   "page.cancel": "Cancel",
+  "common.remove": "Remove {label}",
   "page.ok": "OK",
   "roles.title": "Default Role(s)",
   "roles.placeholder": "Select default role(s)",
@@ -297,7 +310,7 @@ const en = {
   "enforce.config.info": "Enforcement is controlled by the OIDC_ENFORCE config variable and cannot be changed here.",
   "login.settings.title": "Login Settings",
   "login.sso": "Login via SSO",
-  "whitelist.count": "{count, plural, one {# entry} other {# entries}}",
+  "pagination.total": "{count, plural, one {# entry} other {# entries}}",
   "whitelist.import": "Import",
   "whitelist.export": "Export",
   "whitelist.delete.all.label": "Delete All",
@@ -325,6 +338,20 @@ const en = {
   "auditlog.clear.success": "Audit logs cleared",
   "auditlog.clear.error": "Failed to clear audit logs",
   "auditlog.export.error": "Failed to export audit logs",
+  "auditlog.filters": "Filters",
+  "auditlog.filters.action": "Action",
+  "auditlog.filters.email": "Email",
+  "auditlog.filters.ip": "IP address",
+  "auditlog.filters.createdAt": "Date",
+  "auditlog.filters.clear": "Clear filters",
+  "auditlog.filters.empty": "No entries match the current filters",
+  "auditlog.calendar.prevMonth": "Previous month",
+  "auditlog.calendar.nextMonth": "Next month",
+  "auditlog.calendar.state.today": "today",
+  "auditlog.calendar.state.selected": "selected",
+  "auditlog.calendar.state.alreadyAdded": "already added",
+  "auditlog.calendar.state.future": "unavailable, future date",
+  "auditlog.calendar.dayWithState": "{date}, {state}",
   "auditlog.action.login_success": "User successfully authenticated via OIDC and was granted access.",
   "auditlog.action.user_created": "A new Strapi admin account was created for this user on their first OIDC login.",
   "auditlog.action.logout": "User logged out and their OIDC session was ended.",
@@ -335,21 +362,119 @@ const en = {
   "auditlog.action.nonce_mismatch": "The nonce in the ID token did not match the one generated at login. This may indicate a token replay attack.",
   "auditlog.action.token_exchange_failed": "The authorisation code could not be exchanged for tokens. The OIDC provider rejected the request.",
   "auditlog.action.whitelist_rejected": "The user's email address is not on the whitelist. Access was denied.",
+  "auth.page.authenticating.title": "Authenticating...",
+  "auth.page.authenticating.noscript.heading": "JavaScript Required",
+  "auth.page.authenticating.noscript.body": "JavaScript must be enabled for authentication to complete.",
+  "auth.page.error.title": "Authentication Failed",
+  "auth.page.error.returnToLogin": "Return to Login",
   "user.missing_code": "Authorisation code was not received from the OIDC provider.",
   "user.invalid_state": "State parameter mismatch. Please restart the login flow.",
   "user.signInError": "Authentication failed. Please try again.",
   "settings.section": "OIDC",
   "settings.configuration": "Configuration"
 };
-const userFacingMessages = {
-  get missing_code() {
-    return en["user.missing_code"];
+const __vite_glob_0_0 = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
+  __proto__: null,
+  default: en
+}, Symbol.toStringTag, { value: "Module" }));
+const modules = /* @__PURE__ */ Object.assign({ "../translations/locales/en.json": __vite_glob_0_0 });
+const locales = Object.fromEntries(
+  Object.entries(modules).map(([path, mod]) => {
+    const code = path.match(/\/([^/]+)\.json$/)?.[1];
+    return [code ?? "", mod.default];
+  })
+);
+Object.keys(locales).filter(Boolean);
+const DEFAULT_LOCALE = "en";
+function parseAcceptLanguage(header) {
+  return header.split(",").map((part) => {
+    const [tag, ...params] = part.trim().split(";");
+    const qParam = params.find((p) => p.trim().startsWith("q="));
+    const q = qParam ? parseFloat(qParam.trim().slice(2)) : 1;
+    return { tag: tag.toLowerCase(), q: Number.isFinite(q) ? q : 1 };
+  }).filter((entry) => entry.tag).sort((a, b) => b.q - a.q);
+}
+function negotiateLocale(acceptLanguage) {
+  if (!acceptLanguage) return DEFAULT_LOCALE;
+  for (const { tag } of parseAcceptLanguage(acceptLanguage)) {
+    if (locales[tag]) return tag;
+    const base = tag.split("-")[0];
+    if (locales[base]) return base;
+  }
+  return DEFAULT_LOCALE;
+}
+function t(locale, key, fallback) {
+  return locales[locale]?.[key] ?? locales[DEFAULT_LOCALE]?.[key] ?? fallback ?? key;
+}
+const userFacingMessages = (locale) => ({
+  missing_code: t(
+    locale,
+    "user.missing_code",
+    "Authorisation code was not received from the OIDC provider."
+  ),
+  invalid_state: t(
+    locale,
+    "user.invalid_state",
+    "State parameter mismatch. Please restart the login flow."
+  ),
+  signInError: t(locale, "user.signInError", "Authentication failed. Please try again.")
+});
+const authPageMessages = (locale) => ({
+  authenticatingTitle: t(locale, "auth.page.authenticating.title", "Authenticating..."),
+  noscriptHeading: t(locale, "auth.page.authenticating.noscript.heading", "JavaScript Required"),
+  noscriptBody: t(
+    locale,
+    "auth.page.authenticating.noscript.body",
+    "JavaScript must be enabled for authentication to complete."
+  ),
+  errorTitle: t(locale, "auth.page.error.title", "Authentication Failed"),
+  returnToLogin: t(locale, "auth.page.error.returnToLogin", "Return to Login")
+});
+class OidcError extends Error {
+  kind;
+  cause;
+  constructor(kind, message, cause) {
+    super(message);
+    this.name = "OidcError";
+    this.kind = kind;
+    this.cause = cause;
+  }
+}
+const OIDC_ERROR_DISPATCH = {
+  nonce_mismatch: { action: "nonce_mismatch", code: errorCodes.NONCE_MISMATCH },
+  token_exchange_failed: {
+    action: "token_exchange_failed",
+    code: errorCodes.TOKEN_EXCHANGE_FAILED
+  },
+  id_token_parse_failed: {
+    action: "login_failure",
+    code: errorCodes.ID_TOKEN_PARSE_FAILED,
+    key: "id_token_parse_failed"
   },
-  get invalid_state() {
-    return en["user.invalid_state"];
+  userinfo_fetch_failed: {
+    action: "login_failure",
+    code: errorCodes.USERINFO_FETCH_FAILED,
+    key: "userinfo_fetch_failed"
   },
-  get signInError() {
-    return en["user.signInError"];
+  user_creation_failed: {
+    action: "login_failure",
+    code: errorCodes.USER_CREATION_FAILED,
+    key: "user_creation_failed"
+  },
+  whitelist_rejected: {
+    action: "whitelist_rejected",
+    code: errorCodes.WHITELIST_CHECK_FAILED,
+    key: "whitelist_rejected"
+  },
+  invalid_email: {
+    action: "login_failure",
+    code: errorCodes.TOKEN_EXCHANGE_FAILED,
+    key: "sign_in_unknown"
+  },
+  unknown: {
+    action: "login_failure",
+    code: errorCodes.TOKEN_EXCHANGE_FAILED,
+    key: "sign_in_unknown"
   }
 };
 const REQUIRED_CONFIG_KEYS = [
@@ -364,6 +489,7 @@ const REQUIRED_CONFIG_KEYS = [
   "OIDC_GIVEN_NAME_FIELD",
   "OIDC_AUTHORIZATION_ENDPOINT"
 ];
+const LOGOUT_USERINFO_TIMEOUT_MS = 3e3;
 function configValidation() {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
   const missing = REQUIRED_CONFIG_KEYS.filter((key) => !config2[key]);
@@ -381,7 +507,6 @@ async function oidcSignIn(ctx) {
   const cookieOptions = {
     httpOnly: true,
     maxAge: 6e5,
-    // 10 minutes
     secure: isProduction && ctx.request.secure,
     sameSite: "lax"
   };
@@ -411,7 +536,7 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
     }
   });
   if (!response.ok) {
-    throw new Error(errorMessages.TOKEN_EXCHANGE_FAILED);
+    throw new OidcError("token_exchange_failed", errorMessages.TOKEN_EXCHANGE_FAILED);
   }
   const tokenData = await response.json();
   if (tokenData.id_token) {
@@ -419,23 +544,23 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
       const payloadB64 = tokenData.id_token.split(".")[1];
       const idTokenPayload = JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf8"));
       if (idTokenPayload.nonce !== expectedNonce) {
-        throw new Error(errorMessages.NONCE_MISMATCH);
+        throw new OidcError("nonce_mismatch", errorMessages.NONCE_MISMATCH);
       }
     } catch (e) {
-      if (e.message === "Nonce mismatch") throw e;
-      throw new Error(errorMessages.ID_TOKEN_PARSE_FAILED);
+      if (e instanceof OidcError && e.kind === "nonce_mismatch") throw e;
+      throw new OidcError("id_token_parse_failed", errorMessages.ID_TOKEN_PARSE_FAILED, e);
     }
   }
   const userResponse = await fetch(config2.OIDC_USERINFO_ENDPOINT, {
     headers: { Authorization: `Bearer ${tokenData.access_token}` }
   });
   if (!userResponse.ok) {
-    throw new Error(errorMessages.USERINFO_FETCH_FAILED);
+    throw new OidcError("userinfo_fetch_failed", errorMessages.USERINFO_FETCH_FAILED);
   }
   const userInfo = await userResponse.json();
   return { userInfo, accessToken: tokenData.access_token };
 }
-function resolveRolesFromGroups(userInfo, config2, availableRoles) {
+function collectGroupMapRoleNames(userInfo, config2) {
   const rawGroups = userInfo[config2.OIDC_GROUP_FIELD];
   if (!Array.isArray(rawGroups) || rawGroups.length === 0) return [];
   const groups = rawGroups.filter((g) => typeof g === "string");
@@ -446,22 +571,15 @@ function resolveRolesFromGroups(userInfo, config2, availableRoles) {
   } catch {
     return [];
   }
-  const roleIdSet = /* @__PURE__ */ new Set();
+  const roleNameSet = /* @__PURE__ */ new Set();
   for (const group of groups) {
     const roleNames = groupRoleMap[group];
     if (!roleNames) continue;
     for (const name of roleNames) {
-      const match = availableRoles.find((r) => r.name === name);
-      if (match) roleIdSet.add(String(match.id));
+      roleNameSet.add(name);
     }
   }
-  return [...roleIdSet];
-}
-async function resolveRoles(userInfo, config2, roleService2, availableRoles) {
-  const groupRoles = resolveRolesFromGroups(userInfo, config2, availableRoles);
-  if (groupRoles.length > 0) return { roles: groupRoles, fromGroupMapping: true };
-  const oidcRoles = await roleService2.oidcRoles();
-  return { roles: oidcRoles?.roles || [], fromGroupMapping: false };
+  return [...roleNameSet];
 }
 async function registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2) {
   const defaultLocale = oauthService2.localeFindByHeader(
@@ -479,10 +597,7 @@ async function registerNewUser(oauthService2, email, userResponseData, config2,
 }
 function rolesChanged(current, next) {
   if (current.size !== next.size) return true;
-  for (const id of next) {
-    if (!current.has(id)) return true;
-  }
-  return false;
+  return [...next].some((id) => !current.has(id));
 }
 async function updateUserRoles(user, currentRoleIds, newRoleIds) {
   try {
@@ -505,101 +620,187 @@ async function updateUserRoles(user, currentRoleIds, newRoleIds) {
     throw updateErr;
   }
 }
+async function resolveRolesFromGroups(candidateNames) {
+  const matchedRoles = await strapi.db.query("admin::role").findMany({
+    where: { name: { $in: candidateNames } },
+    select: ["id", "name"]
+  });
+  const nameToId = new Map(matchedRoles.map((r) => [r.name, String(r.id)]));
+  const roles2 = [];
+  for (const name of candidateNames) {
+    const id = nameToId.get(name);
+    if (id) roles2.push(id);
+  }
+  return {
+    roles: roles2,
+    fromGroupMapping: true,
+    resolvedRoleNames: matchedRoles.map((r) => r.name)
+  };
+}
+async function resolveRolesFromDefaults(roleService2) {
+  const oidcRolesResult = await roleService2.oidcRoles();
+  const roles2 = oidcRolesResult?.roles || [];
+  if (roles2.length === 0) {
+    return { roles: roles2, fromGroupMapping: false, resolvedRoleNames: [] };
+  }
+  const records = await strapi.db.query("admin::role").findMany({
+    where: { id: { $in: roles2.map(Number) } },
+    select: ["id", "name"]
+  });
+  return {
+    roles: roles2,
+    fromGroupMapping: false,
+    resolvedRoleNames: records.map((r) => r.name)
+  };
+}
+async function resolveRoles(userResponseData, config2, roleService2) {
+  const candidateNames = collectGroupMapRoleNames(userResponseData, config2);
+  if (candidateNames.length > 0) {
+    return resolveRolesFromGroups(candidateNames);
+  }
+  return resolveRolesFromDefaults(roleService2);
+}
+async function ensureUser(userService, oauthService2, email, userResponseData, config2, ctx, resolved) {
+  const existing = await userService.findOneByEmail(email, ["roles"]);
+  if (!existing) {
+    try {
+      const user = await registerNewUser(
+        oauthService2,
+        email,
+        userResponseData,
+        config2,
+        ctx,
+        resolved.roles
+      );
+      return { user, userCreated: true, rolesUpdated: true };
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      throw new OidcError("user_creation_failed", msg, e);
+    }
+  }
+  if (!resolved.fromGroupMapping || resolved.roles.length === 0) {
+    return { user: existing, userCreated: false, rolesUpdated: false };
+  }
+  const currentRoleIds = new Set((existing.roles ?? []).map((r) => String(r.id)));
+  if (!rolesChanged(currentRoleIds, new Set(resolved.roles))) {
+    return { user: existing, userCreated: false, rolesUpdated: false };
+  }
+  await updateUserRoles(existing, currentRoleIds, resolved.roles);
+  return { user: existing, userCreated: false, rolesUpdated: true };
+}
 async function handleUserAuthentication(userService, oauthService2, roleService2, whitelistService2, userResponseData, config2, ctx) {
-  const rawEmail = String(userResponseData.email ?? "");
-  const email = rawEmail.toLowerCase();
-  if (!email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
-    throw new Error(errorMessages.INVALID_EMAIL);
+  const email = String(userResponseData.email ?? "").toLowerCase();
+  if (!email || !isValidEmail(email)) {
+    throw new OidcError("invalid_email", errorMessages.INVALID_EMAIL);
   }
   await whitelistService2.checkWhitelistForEmail(email);
-  const allRoles = await strapi.db.query("admin::role").findMany();
-  const { roles: roles2, fromGroupMapping } = await resolveRoles(
+  const resolved = await resolveRoles(userResponseData, config2, roleService2);
+  const { user, userCreated, rolesUpdated } = await ensureUser(
+    userService,
+    oauthService2,
+    email,
     userResponseData,
     config2,
-    roleService2,
-    allRoles
+    ctx,
+    resolved
   );
-  const resolvedRoleNames = allRoles.filter((r) => roles2.includes(String(r.id))).map((r) => r.name);
-  let userCreated = false;
-  let rolesUpdated = false;
-  let user = await userService.findOneByEmail(email, ["roles"]);
-  if (!user) {
-    user = await registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2);
-    userCreated = true;
-    rolesUpdated = true;
-  } else if (fromGroupMapping && roles2.length > 0) {
-    const currentRoleIds = new Set(user.roles.map((r) => String(r.id)));
-    if (rolesChanged(currentRoleIds, new Set(roles2))) {
-      await updateUserRoles(user, currentRoleIds, roles2);
-      rolesUpdated = true;
-    }
-  }
   const jwtToken = await oauthService2.generateToken(user, ctx);
   oauthService2.triggerSignInSuccess(user);
-  return { activateUser: user, jwtToken, userCreated, rolesUpdated, resolvedRoleNames };
-}
-function classifyOidcError(msg, userInfo) {
-  if (msg.includes("whitelist")) {
-    return {
-      action: "whitelist_rejected",
-      code: errorCodes.WHITELIST_CHECK_FAILED,
-      key: "whitelist_rejected"
-    };
-  }
-  if (msg === "Nonce mismatch")
-    return { action: "nonce_mismatch", code: errorCodes.NONCE_MISMATCH };
-  if (msg === "Token exchange failed")
-    return { action: "token_exchange_failed", code: errorCodes.TOKEN_EXCHANGE_FAILED };
-  if (msg === "Failed to fetch user info") {
-    return {
-      action: "login_failure",
-      code: errorCodes.USERINFO_FETCH_FAILED,
-      key: "userinfo_fetch_failed"
-    };
-  }
-  if (msg === "Failed to parse ID token") {
-    return {
-      action: "login_failure",
-      code: errorCodes.ID_TOKEN_PARSE_FAILED,
-      key: "id_token_parse_failed",
-      params: { error: msg }
-    };
-  }
-  if (msg === "User creation failed" || msg.includes("createUser")) {
-    return {
-      action: "login_failure",
-      code: errorCodes.USER_CREATION_FAILED,
-      key: "user_creation_failed",
-      params: userInfo?.email ? { email: userInfo.email, error: msg } : void 0
-    };
-  }
   return {
-    action: "login_failure",
-    code: errorCodes.TOKEN_EXCHANGE_FAILED,
-    key: "sign_in_unknown",
-    params: { error: msg || "unknown" }
+    activateUser: user,
+    jwtToken,
+    userCreated,
+    rolesUpdated,
+    resolvedRoleNames: resolved.resolvedRoleNames
   };
 }
-async function oidcSignInCallback(ctx) {
-  const config2 = configValidation();
-  const userService = strapi.service("admin::user");
-  const oauthService2 = strapi.plugin("strapi-plugin-oidc").service("oauth");
-  const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
-  const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
-  const auditLog2 = strapi.plugin("strapi-plugin-oidc").service("auditLog");
-  if (!ctx.query.code) {
-    await auditLog2.log({ action: "missing_code", ip: ctx.ip });
-    return ctx.send(oauthService2.renderSignUpError(userFacingMessages.missing_code));
+function classifyOidcError(e, userInfo) {
+  const kind = e instanceof OidcError ? e.kind : "unknown";
+  const dispatch = OIDC_ERROR_DISPATCH[kind];
+  const msg = e instanceof Error ? e.message : String(e);
+  let params;
+  if (kind === "id_token_parse_failed" || kind === "unknown") {
+    params = { error: msg };
+  } else if (kind === "user_creation_failed" && userInfo?.email) {
+    params = { email: userInfo.email, error: msg };
   }
+  return {
+    action: dispatch.action,
+    code: dispatch.code,
+    key: dispatch.key,
+    params
+  };
+}
+function readAndClearPkceCookies(ctx) {
   const oidcState = ctx.cookies.get("oidc_state");
   const codeVerifier = ctx.cookies.get("oidc_code_verifier");
   const oidcNonce = ctx.cookies.get("oidc_nonce");
   ctx.cookies.set("oidc_state", null);
   ctx.cookies.set("oidc_code_verifier", null);
   ctx.cookies.set("oidc_nonce", null);
+  return { oidcState, codeVerifier, oidcNonce };
+}
+async function logSuccessfulAuth(auditLog2, ctx, user, userCreated, rolesUpdated, resolvedRoleNames) {
+  const roles2 = resolvedRoleNames.join(", ");
+  const entries = [
+    auditLog2.log({
+      action: "login_success",
+      email: user.email,
+      ip: ctx.ip,
+      detailsKey: rolesUpdated ? "roles_updated" : void 0,
+      detailsParams: rolesUpdated ? { roles: roles2 } : void 0
+    })
+  ];
+  if (userCreated) {
+    entries.push(
+      auditLog2.log({
+        action: "user_created",
+        email: user.email,
+        ip: ctx.ip,
+        detailsKey: "user_created",
+        detailsParams: { roles: roles2 }
+      })
+    );
+  }
+  await Promise.all(entries);
+}
+async function handleCallbackError(e, userInfo, auditLog2, oauthService2, ctx) {
+  const errorInfo = classifyOidcError(e, userInfo);
+  const message = e instanceof Error ? e.message : String(e);
+  await auditLog2.log({
+    action: errorInfo.action,
+    email: userInfo?.email,
+    ip: ctx.ip,
+    detailsKey: errorInfo.action,
+    detailsParams: errorInfo.action === "login_failure" ? { message } : void 0
+  });
+  strapi.log.error({
+    code: errorInfo.code,
+    phase: "oidc_callback",
+    message: e instanceof Error ? e.message : "Unknown sign-in error",
+    detail: errorInfo.key ? getErrorDetail(errorInfo.key, errorInfo.params) : void 0,
+    email: userInfo?.email
+  });
+  const locale = negotiateLocale(ctx.request.headers["accept-language"]);
+  ctx.send(oauthService2.renderSignUpError(userFacingMessages(locale).signInError, locale));
+}
+async function oidcSignInCallback(ctx) {
+  const config2 = configValidation();
+  const oauthService2 = getOauthService();
+  const auditLog2 = getAuditLogService();
+  const locale = negotiateLocale(ctx.request.headers["accept-language"]);
+  if (!ctx.query.code) {
+    await auditLog2.log({ action: "missing_code", ip: ctx.ip });
+    return ctx.send(
+      oauthService2.renderSignUpError(userFacingMessages(locale).missing_code, locale)
+    );
+  }
+  const { oidcState, codeVerifier, oidcNonce } = readAndClearPkceCookies(ctx);
   if (!ctx.query.state || ctx.query.state !== oidcState) {
     await auditLog2.log({ action: "state_mismatch", ip: ctx.ip });
-    return ctx.send(oauthService2.renderSignUpError(userFacingMessages.invalid_state));
+    return ctx.send(
+      oauthService2.renderSignUpError(userFacingMessages(locale).invalid_state, locale)
+    );
   }
   const params = new URLSearchParams({
     code: ctx.query.code,
@@ -613,107 +814,81 @@ async function oidcSignInCallback(ctx) {
   try {
     const exchangeResult = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce ?? "");
     userInfo = exchangeResult.userInfo;
-    const accessToken = exchangeResult.accessToken;
     const isProduction = strapi.config.get("environment") === "production";
-    ctx.cookies.set("oidc_access_token", accessToken, {
+    const secureFlag = isProduction && ctx.request.secure;
+    ctx.cookies.set("oidc_access_token", exchangeResult.accessToken, {
       httpOnly: true,
       maxAge: 3e5,
-      // 5 minutes — matches typical provider access token lifetime
-      secure: isProduction && ctx.request.secure,
+      secure: secureFlag,
       sameSite: "lax"
     });
     const { activateUser, jwtToken, userCreated, rolesUpdated, resolvedRoleNames } = await handleUserAuthentication(
-      userService,
+      getAdminUserService(),
       oauthService2,
-      roleService2,
-      whitelistService2,
+      getRoleService(),
+      getWhitelistService(),
       userInfo,
       config2,
       ctx
     );
-    const identityCookieOptions = {
+    ctx.cookies.set("oidc_user_email", activateUser.email, {
       httpOnly: true,
       path: "/",
-      secure: isProduction && ctx.request.secure,
+      secure: secureFlag,
       sameSite: "lax"
-    };
-    ctx.cookies.set("oidc_user_email", activateUser.email, identityCookieOptions);
-    if (userCreated) {
-      await auditLog2.log({
-        action: "user_created",
-        email: activateUser.email,
-        ip: ctx.ip,
-        detailsKey: "user_created",
-        detailsParams: { roles: resolvedRoleNames.join(", ") }
-      });
-    }
-    await auditLog2.log({
-      action: "login_success",
-      email: activateUser.email,
-      ip: ctx.ip,
-      detailsKey: rolesUpdated ? "roles_updated" : void 0,
-      detailsParams: rolesUpdated ? { roles: resolvedRoleNames.join(", ") } : void 0
     });
+    await logSuccessfulAuth(
+      auditLog2,
+      ctx,
+      activateUser,
+      userCreated,
+      rolesUpdated,
+      resolvedRoleNames
+    );
     const nonce = randomUUID();
-    const html = oauthService2.renderSignUpSuccess(jwtToken, activateUser, nonce);
     ctx.set("Content-Security-Policy", `script-src 'nonce-${nonce}'`);
-    ctx.send(html);
+    ctx.send(oauthService2.renderSignUpSuccess(jwtToken, activateUser, nonce, locale));
   } catch (e) {
-    const msg = e.message ?? "";
-    const errorInfo = classifyOidcError(msg, userInfo);
-    await auditLog2.log({
-      action: errorInfo.action,
-      email: userInfo?.email,
-      ip: ctx.ip,
-      detailsKey: errorInfo.action,
-      detailsParams: errorInfo.action === "login_failure" ? { message: msg } : void 0
-    });
-    strapi.log.error({
-      code: errorInfo.code,
-      phase: "oidc_callback",
-      message: msg || "Unknown sign-in error",
-      detail: errorInfo.key ? getErrorDetail(errorInfo.key, errorInfo.params) : void 0,
-      email: userInfo?.email
+    await handleCallbackError(e, userInfo, auditLog2, oauthService2, ctx);
+  }
+}
+async function isProviderSessionActive(userinfoEndpoint, accessToken) {
+  try {
+    const response = await fetch(userinfoEndpoint, {
+      headers: { Authorization: `Bearer ${accessToken}` },
+      signal: AbortSignal.timeout(LOGOUT_USERINFO_TIMEOUT_MS)
     });
-    ctx.send(oauthService2.renderSignUpError(userFacingMessages.signInError));
+    return response.ok;
+  } catch {
+    return false;
   }
 }
 async function logout(ctx) {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
-  const auditLog2 = strapi.plugin("strapi-plugin-oidc").service("auditLog");
+  const auditLog2 = getAuditLogService();
   const logoutUrl = config2.OIDC_END_SESSION_ENDPOINT;
   const adminPanelUrl = strapi.config.get("admin.url", "/admin");
+  const loginUrl = `${adminPanelUrl}/auth/login`;
   const isOidcSession = !!ctx.cookies.get("oidc_authenticated");
   const accessToken = ctx.cookies.get("oidc_access_token");
   const userEmail = ctx.cookies.get("oidc_user_email") ?? void 0;
   clearAuthCookies(strapi, ctx);
-  if (logoutUrl && isOidcSession && accessToken) {
-    try {
-      const response = await fetch(config2.OIDC_USERINFO_ENDPOINT, {
-        headers: { Authorization: `Bearer ${accessToken}` }
+  if (!isOidcSession) {
+    return ctx.redirect(loginUrl);
+  }
+  const logAudit = (action) => userEmail ? auditLog2.log({ action, email: userEmail, ip: ctx.ip }) : Promise.resolve();
+  if (logoutUrl && accessToken) {
+    const active = await isProviderSessionActive(config2.OIDC_USERINFO_ENDPOINT, accessToken);
+    if (active) {
+      logAudit("logout").catch(() => {
       });
-      if (response.ok) {
-        if (userEmail)
-          auditLog2.log({ action: "logout", email: userEmail, ip: ctx.ip }).catch(() => {
-          });
-        return ctx.redirect(logoutUrl);
-      }
-      if (userEmail)
-        await auditLog2.log({ action: "session_expired", email: userEmail, ip: ctx.ip });
-      return ctx.redirect(`${adminPanelUrl}/auth/login`);
-    } catch {
-      if (userEmail)
-        await auditLog2.log({ action: "session_expired", email: userEmail, ip: ctx.ip });
-      return ctx.redirect(`${adminPanelUrl}/auth/login`);
+      return ctx.redirect(logoutUrl);
     }
+    await logAudit("session_expired");
+    return ctx.redirect(loginUrl);
   }
-  if (isOidcSession && userEmail) {
-    await auditLog2.log({ action: "logout", email: userEmail, ip: ctx.ip });
-  }
-  if (logoutUrl && isOidcSession) {
-    return ctx.redirect(logoutUrl);
-  }
-  ctx.redirect(`${adminPanelUrl}/auth/login`);
+  await logAudit("logout");
+  ctx.redirect(logoutUrl || loginUrl);
 }
 const oidc = {
   oidcSignIn,
@@ -721,7 +896,7 @@ const oidc = {
   logout
 };
 async function find$1(ctx) {
-  const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
+  const roleService2 = getRoleService();
   const roles2 = await roleService2.find();
   const oidcConstants = roleService2.getOidcRoles();
   for (const oidc2 of oidcConstants) {
@@ -735,7 +910,7 @@ async function find$1(ctx) {
 async function update(ctx) {
   try {
     const { roles: roles2 } = ctx.request.body;
-    const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
+    const roleService2 = getRoleService();
     await roleService2.update(roles2);
     ctx.send({}, 204);
   } catch (e) {
@@ -756,8 +931,17 @@ function formatDatetimeForFilename(date) {
   const seconds = String(date.getSeconds()).padStart(2, "0");
   return `${year}${month}${day}_${hours}${minutes}${seconds}`;
 }
-function getWhitelistService() {
-  return strapi.plugin("strapi-plugin-oidc").service("whitelist");
+function setJsonAttachmentHeaders(ctx, basename) {
+  const datetime = formatDatetimeForFilename(/* @__PURE__ */ new Date());
+  ctx.set("Content-Type", "application/json");
+  ctx.set("Content-Disposition", `attachment; filename="${basename}-${datetime}.json"`);
+}
+function setNdjsonAttachmentHeaders(ctx, basename) {
+  const datetime = formatDatetimeForFilename(/* @__PURE__ */ new Date());
+  ctx.set("Content-Type", "application/x-ndjson; charset=utf-8");
+  ctx.set("Content-Disposition", `attachment; filename="${basename}-${datetime}.ndjson"`);
+  ctx.set("Cache-Control", "no-store");
+  ctx.set("X-Content-Type-Options", "nosniff");
 }
 async function info(ctx) {
   const whitelistService2 = getWhitelistService();
@@ -772,8 +956,9 @@ async function info(ctx) {
   };
 }
 async function updateSettings(ctx) {
-  const { useWhitelist } = ctx.request.body;
-  let { enforceOIDC } = ctx.request.body;
+  const body = ctx.request.body;
+  const { useWhitelist } = body;
+  let { enforceOIDC } = body;
   const whitelistService2 = getWhitelistService();
   if (useWhitelist && enforceOIDC) {
     const users = await whitelistService2.getUsers();
@@ -802,11 +987,9 @@ async function register(ctx) {
   const rawEmails = Array.isArray(email) ? email : email.split(",");
   const emailList = rawEmails.map((e) => String(e).trim().toLowerCase()).filter(Boolean);
   const whitelistService2 = getWhitelistService();
-  let matchedExistingUsersCount = 0;
+  const matchedExistingUsersCount = await whitelistService2.countAdminUsersByEmails(emailList);
   for (const singleEmail of emailList) {
-    const existingUser = await strapi.query("admin::user").findOne({ where: { email: singleEmail } });
-    if (existingUser) matchedExistingUsersCount++;
-    const alreadyWhitelisted = await strapi.query("plugin::strapi-plugin-oidc.whitelists").findOne({ where: { email: singleEmail } });
+    const alreadyWhitelisted = await whitelistService2.hasUser(singleEmail);
     if (!alreadyWhitelisted) {
       await whitelistService2.registerUser(singleEmail);
     }
@@ -820,13 +1003,12 @@ async function removeEmail(ctx) {
   ctx.body = {};
 }
 async function deleteAll(ctx) {
-  await strapi.query("plugin::strapi-plugin-oidc.whitelists").deleteMany({});
+  const whitelistService2 = getWhitelistService();
+  await whitelistService2.deleteAllUsers();
   ctx.body = {};
 }
 async function exportWhitelist(ctx) {
-  const datetime = formatDatetimeForFilename(/* @__PURE__ */ new Date());
-  ctx.set("Content-Type", "application/json");
-  ctx.set("Content-Disposition", `attachment; filename="strapi-oidc-whitelist-${datetime}.json"`);
+  setJsonAttachmentHeaders(ctx, "strapi-oidc-whitelist");
   const whitelistService2 = getWhitelistService();
   const users = await whitelistService2.getUsers();
   ctx.body = users.map((u) => ({ email: u.email }));
@@ -838,7 +1020,7 @@ async function importUsers(ctx) {
     ctx.body = { error: "Expected { users: [{email}] }" };
     return;
   }
-  const normalized = users.filter((u) => u?.email).map((u) => String(u.email).trim().toLowerCase()).filter((email) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email));
+  const normalized = users.filter((u) => u?.email).map((u) => String(u.email).trim().toLowerCase()).filter(isValidEmail);
   const deduped = [...new Set(normalized)];
   const whitelistService2 = getWhitelistService();
   const existing = await whitelistService2.getUsers();
@@ -853,7 +1035,7 @@ async function importUsers(ctx) {
 }
 async function syncUsers(ctx) {
   const { users: rawUsers } = ctx.request.body;
-  const emails = rawUsers.map((u) => String(u.email).toLowerCase()).filter((e) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(e));
+  const emails = rawUsers.map((u) => String(u.email).toLowerCase()).filter(isValidEmail);
   const whitelistService2 = getWhitelistService();
   const currentUsers = await whitelistService2.getUsers();
   const syncEmailSet = new Set(emails);
@@ -881,44 +1063,194 @@ const whitelist = {
   importUsers,
   exportWhitelist
 };
-function getAuditLogService() {
-  return strapi.plugin("strapi-plugin-oidc").service("auditLog");
+const AUDIT_ACTIONS = [
+  "login_success",
+  "login_failure",
+  "missing_code",
+  "state_mismatch",
+  "nonce_mismatch",
+  "token_exchange_failed",
+  "whitelist_rejected",
+  "logout",
+  "session_expired",
+  "user_created"
+];
+const ISO_UTC_DATETIME = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/;
+function isIsoUtcDatetime(value) {
+  return typeof value === "string" && ISO_UTC_DATETIME.test(value);
 }
-async function find(ctx) {
-  const page = Math.max(1, Number(ctx.query.page) || 1);
-  const pageSize = Math.min(100, Math.max(1, Number(ctx.query.pageSize) || 25));
-  ctx.body = await getAuditLogService().find({ page, pageSize });
+const ALLOWED_FIELDS = /* @__PURE__ */ new Set(["action", "email", "ip", "createdAt"]);
+const STRING_OPERATORS = /* @__PURE__ */ new Set([
+  "$eq",
+  "$contains",
+  "$endsWith",
+  "$null",
+  "$notNull"
+]);
+const DATE_OPERATORS = /* @__PURE__ */ new Set(["$gte", "$lt", "$lte", "$between", "$in"]);
+const ENUM_OPERATORS = /* @__PURE__ */ new Set(["$eq", "$in"]);
+function isPlainObject(value) {
+  if (typeof value !== "object" || value === null || Array.isArray(value)) return false;
+  const proto = Object.getPrototypeOf(value);
+  return proto === Object.prototype || proto === null;
 }
-async function exportLogs(ctx) {
-  const datetime = formatDatetimeForFilename(/* @__PURE__ */ new Date());
-  ctx.set("Content-Type", "application/json");
-  ctx.set("Content-Disposition", `attachment; filename="strapi-oidc-audit-log-${datetime}.json"`);
-  const service = getAuditLogService();
-  const PAGE_SIZE = 1e3;
-  const allRows = [];
+function isStringOperator(op) {
+  return STRING_OPERATORS.has(op);
+}
+function isDateOperator(op) {
+  return DATE_OPERATORS.has(op);
+}
+function isEnumOperator(op) {
+  return ENUM_OPERATORS.has(op);
+}
+function isAuditAction(value) {
+  return AUDIT_ACTIONS.includes(value);
+}
+class ValidationError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ValidationError";
+  }
+}
+function requireType(field, op, value, check, expected) {
+  if (!check) {
+    throw new ValidationError(`Operator "${op}" for field "${field}" requires ${expected}`);
+  }
+  return value;
+}
+function parseActionOperator(op, opValue) {
+  if (!isEnumOperator(op)) {
+    throw new ValidationError(`Unknown operator "${op}" for field "action"`);
+  }
+  if (op === "$in") {
+    requireType("action", op, opValue, Array.isArray(opValue), "an array value");
+    for (const v of opValue) {
+      if (!isAuditAction(v)) {
+        throw new ValidationError(
+          `Invalid action value "${v}" — must be one of: ${AUDIT_ACTIONS.join(", ")}`
+        );
+      }
+    }
+    return opValue;
+  }
+  if (!isAuditAction(opValue)) {
+    throw new ValidationError(
+      `Invalid action value "${opValue}" — must be one of: ${AUDIT_ACTIONS.join(", ")}`
+    );
+  }
+  return opValue;
+}
+function parseCreatedAtOperator(op, opValue) {
+  if (!isDateOperator(op)) {
+    throw new ValidationError(`Unknown operator "${op}" for field "createdAt"`);
+  }
+  const expected = 'an ISO-8601 UTC datetime string (e.g. "2024-01-15T00:00:00.000Z")';
+  if (op === "$between") {
+    const isTuple = Array.isArray(opValue) && opValue.length === 2;
+    requireType("createdAt", op, opValue, isTuple, "a tuple [start, end]");
+    const [a, b] = opValue;
+    requireType("createdAt", op, opValue, isIsoUtcDatetime(a) && isIsoUtcDatetime(b), expected);
+    return opValue;
+  }
+  if (op === "$in") {
+    requireType("createdAt", op, opValue, Array.isArray(opValue), "an array value");
+    for (const v of opValue) {
+      requireType("createdAt", op, v, isIsoUtcDatetime(v), expected);
+    }
+    return opValue;
+  }
+  return requireType("createdAt", op, opValue, isIsoUtcDatetime(opValue), expected);
+}
+function parseStringFieldOperator(field, op, opValue) {
+  if (!isStringOperator(op)) {
+    throw new ValidationError(`Unknown operator "${op}" for field "${field}"`);
+  }
+  if (op === "$null" || op === "$notNull") {
+    return requireType(field, op, opValue, typeof opValue === "boolean", "a boolean value");
+  }
+  return requireType(field, op, opValue, typeof opValue === "string", "a string value");
+}
+function parseFieldOperators(field, fieldValue) {
+  if (!isPlainObject(fieldValue)) {
+    throw new ValidationError(
+      `Filter field "${field}" must be an object of operators, got ${typeof fieldValue}`
+    );
+  }
+  const parsed = {};
+  for (const [op, opValue] of Object.entries(fieldValue)) {
+    if (field === "action") parsed[op] = parseActionOperator(op, opValue);
+    else if (field === "createdAt") parsed[op] = parseCreatedAtOperator(op, opValue);
+    else parsed[op] = parseStringFieldOperator(field, op, opValue);
+  }
+  return Object.keys(parsed).length > 0 ? parsed : null;
+}
+function parseAuditLogFilters(query) {
+  if (!isPlainObject(query)) return {};
+  const result = {};
+  const filters = query.filters;
+  if (filters === void 0) return result;
+  if (!isPlainObject(filters)) {
+    throw new ValidationError(`"filters" must be an object, got ${typeof filters}`);
+  }
+  for (const [field, fieldValue] of Object.entries(filters)) {
+    if (!ALLOWED_FIELDS.has(field)) {
+      throw new ValidationError(`Unknown filter field: "${field}"`);
+    }
+    const parsed = parseFieldOperators(field, fieldValue);
+    if (parsed) result[field] = parsed;
+  }
+  return result;
+}
+const EXPORT_PAGE_SIZE = 500;
+async function* ndjsonRowStream(service, filters) {
   let page = 1;
   while (true) {
-    const { results } = await service.find({ page, pageSize: PAGE_SIZE });
+    const { results } = await service.find({ page, pageSize: EXPORT_PAGE_SIZE, filters });
+    if (results.length === 0) return;
+    let chunk = "";
     for (const row of results) {
-      allRows.push({
-        id: row.id,
-        createdAt: row.createdAt,
+      chunk += JSON.stringify({
+        datetime: row.createdAt,
         action: row.action,
         email: row.email ?? null,
         ip: row.ip ?? null,
         details: row.details
-      });
+      }) + "\n";
     }
-    if (results.length < PAGE_SIZE) break;
+    yield Buffer.from(chunk, "utf8");
+    if (results.length < EXPORT_PAGE_SIZE) return;
     page++;
   }
-  ctx.body = allRows.map((row) => ({
-    datetime: row.createdAt,
-    action: row.action,
-    email: row.email,
-    ip: row.ip,
-    details: row.details
-  }));
+}
+function errorAwareNdjsonStream(strapi2, service, filters) {
+  const gen = ndjsonRowStream(service, filters);
+  const readable = Readable.from(gen);
+  readable.on("error", (err) => {
+    strapi2.log.error({ phase: "audit_log_export", err }, "NDJSON export stream failed");
+  });
+  return readable;
+}
+function parseFiltersOr400(ctx) {
+  try {
+    return parseAuditLogFilters(ctx.query);
+  } catch (err) {
+    ctx.status = 400;
+    ctx.body = { message: err instanceof ValidationError ? err.message : "Invalid filters" };
+    return null;
+  }
+}
+async function find(ctx) {
+  const filters = parseFiltersOr400(ctx);
+  if (!filters) return;
+  const page = Math.max(1, Number(ctx.query.page) || 1);
+  const pageSize = Math.min(100, Math.max(1, Number(ctx.query.pageSize) || 25));
+  ctx.body = await getAuditLogService().find({ page, pageSize, filters });
+}
+async function exportLogs(ctx) {
+  const filters = parseFiltersOr400(ctx);
+  if (!filters) return;
+  setNdjsonAttachmentHeaders(ctx, "strapi-oidc-audit-log");
+  ctx.body = errorAwareNdjsonStream(ctx.strapi, getAuditLogService(), filters);
 }
 async function clearAll(ctx) {
   await getAuditLogService().clearAll();
@@ -1132,10 +1464,10 @@ const routes = {
   }
 };
 const policies = {};
-function renderHtmlTemplate(title, content) {
+function renderHtmlTemplate(title, content, locale = "en") {
   return `
 <!doctype html>
-<html lang="en">
+<html lang="${locale}">
 <head>
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
@@ -1153,7 +1485,7 @@ function renderHtmlTemplate(title, content) {
       --icon-color: #d02b20;
       --success-bg: #eafbe7;
       --success-color: #328048;
-      --shadow: 0 1px 4px rgba(33, 33, 52, 0.1);
+      --shadow: 0 1px 4 rgba(33, 33, 52, 0.1);
     }
     @media (prefers-color-scheme: dark) {
       :root {
@@ -1168,7 +1500,7 @@ function renderHtmlTemplate(title, content) {
         --icon-color: #f23628;
         --success-bg: #1c3523;
         --success-color: #55ca76;
-        --shadow: 0 1px 4px rgba(0, 0, 0, 0.5);
+        --shadow: 0 1px 4 rgba(0, 0, 0, 0.5);
       }
     }
     body {
@@ -1253,14 +1585,11 @@ function oauthService({ strapi: strapi2 }) {
   return {
     async createUser(email, lastname, firstname, locale, roles2 = []) {
       const userService = strapi2.service("admin::user");
-      if (/[A-Z]/.test(email)) {
-        const dbUser = await userService.findOneByEmail(email.toLocaleLowerCase());
-        if (dbUser) return dbUser;
-      }
+      const normalizedEmail = email.toLowerCase();
       const createdUser = await userService.create({
         firstname: firstname || "unset",
         lastname: lastname || "",
-        email: email.toLocaleLowerCase(),
+        email: normalizedEmail,
         roles: roles2,
         preferedLanguage: locale
       });
@@ -1291,35 +1620,36 @@ function oauthService({ strapi: strapi2 }) {
     },
     async triggerWebHook(user) {
       let ENTRY_CREATE;
-      const webhookStore = strapi2.serviceMap.get("webhookStore");
-      const eventHub = strapi2.serviceMap.get("eventHub");
+      const webhookStore = strapi2.serviceMap?.get("webhookStore");
+      const eventHub = strapi2.serviceMap?.get("eventHub");
       if (webhookStore) {
         ENTRY_CREATE = webhookStore.allowedEvents.get("ENTRY_CREATE");
       }
       const modelDef = strapi2.getModel("admin::user");
       const sanitizedEntity = await strapiUtils.sanitize.sanitizers.defaultSanitizeOutput(
-        {
-          schema: modelDef,
-          getModel: (uid2) => strapi2.getModel(uid2)
-        },
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        { schema: modelDef, getModel: (uid2) => strapi2.getModel(uid2) },
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
         user
       );
-      eventHub.emit(ENTRY_CREATE, {
+      eventHub?.emit(ENTRY_CREATE ?? "entry.create", {
         model: modelDef.modelName,
         entry: sanitizedEntity
       });
     },
     triggerSignInSuccess(user) {
-      delete user.password;
-      const eventHub = strapi2.serviceMap.get("eventHub");
-      eventHub.emit("admin.auth.success", {
-        user,
+      const userCopy = { ...user };
+      delete userCopy.password;
+      const eventHub = strapi2.serviceMap?.get("eventHub");
+      eventHub?.emit("admin.auth.success", {
+        user: userCopy,
         provider: "strapi-plugin-oidc"
       });
     },
-    renderSignUpSuccess(jwtToken, user, nonce) {
+    renderSignUpSuccess(jwtToken, user, nonce, locale = "en") {
       const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
-      const isRememberMe = !!config2["REMEMBER_ME"];
+      const isRememberMe = !!config2?.REMEMBER_ME;
+      const messages = authPageMessages(locale);
       const content = `
     <noscript>
       <div class="card">
@@ -1328,8 +1658,8 @@ function oauthService({ strapi: strapi2 }) {
             <path d="M20 6 9 17l-5-5"/>
           </svg>
         </div>
-        <h1>JavaScript Required</h1>
-        <p>JavaScript must be enabled for authentication to complete.</p>
+        <h1>${messages.noscriptHeading}</h1>
+        <p>${messages.noscriptBody}</p>
       </div>
     </noscript>
     <script nonce="${nonce}">
@@ -1343,9 +1673,10 @@ function oauthService({ strapi: strapi2 }) {
       location.href = '${strapi2.config.admin.url}'
      })
     <\/script>`;
-      return renderHtmlTemplate("Authenticating...", content);
+      return renderHtmlTemplate(messages.authenticatingTitle, content, locale);
     },
-    renderSignUpError(message) {
+    renderSignUpError(message, locale = "en") {
+      const messages = authPageMessages(locale);
       const safeMessage = String(message).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
       const content = `
   <div class="card">
@@ -1356,11 +1687,11 @@ function oauthService({ strapi: strapi2 }) {
         <path d="M12 17h.01"/>
       </svg>
     </div>
-    <h1>Authentication Failed</h1>
+    <h1>${messages.errorTitle}</h1>
     <p>${safeMessage}</p>
-    <a href="${strapi2.config.admin.url}" class="btn">Return to Login</a>
+    <a href="${strapi2.config.admin.url}" class="btn">${messages.returnToLogin}</a>
   </div>`;
-      return renderHtmlTemplate("Authentication Failed", content);
+      return renderHtmlTemplate(messages.errorTitle, content, locale);
     },
     async generateToken(user, ctx) {
       const sessionManager = strapi2.sessionManager;
@@ -1370,12 +1701,15 @@ function oauthService({ strapi: strapi2 }) {
       const userId = String(user.id);
       const deviceId = randomUUID();
       const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
-      const rememberMe = !!config2["REMEMBER_ME"];
-      const { token: refreshToken, absoluteExpiresAt } = await sessionManager(
-        "admin"
-      ).generateRefreshToken(userId, deviceId, {
-        type: rememberMe ? "refresh" : "session"
-      });
+      const rememberMe = !!config2?.REMEMBER_ME;
+      const smAdmin = sessionManager("admin");
+      const { token: refreshToken, absoluteExpiresAt } = await smAdmin.generateRefreshToken(
+        userId,
+        deviceId,
+        {
+          type: rememberMe ? "refresh" : "session"
+        }
+      );
       const isProduction = strapi2.config.get("environment") === "production";
       const domain = strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain");
       const path = strapi2.config.get("admin.auth.cookie.path", "/admin");
@@ -1392,7 +1726,6 @@ function oauthService({ strapi: strapi2 }) {
         const idleLifespanSec = strapi2.config.get(
           "admin.auth.sessions.idleRefreshTokenLifespan",
           1209600
-          // 14 days — Strapi default
         );
         const idleMs = idleLifespanSec * 1e3;
         const absoluteMs = new Date(absoluteExpiresAt).getTime() - Date.now();
@@ -1402,7 +1735,7 @@ function oauthService({ strapi: strapi2 }) {
       }
       ctx.cookies.set("strapi_admin_refresh", refreshToken, cookieOptions);
       ctx.cookies.set("oidc_authenticated", "1", { ...cookieOptions, path: "/" });
-      const accessResult = await sessionManager("admin").generateAccessToken(refreshToken);
+      const accessResult = await smAdmin.generateAccessToken(refreshToken);
       if ("error" in accessResult) {
         throw new Error(accessResult.error);
       }
@@ -1493,8 +1826,23 @@ function whitelistService({ strapi: strapi2 }) {
       const result = await getWhitelistQuery().findOne({
         where: { email }
       });
-      if (!result) throw new Error(errorMessages.WHITELIST_NOT_PRESENT);
+      if (!result) throw new OidcError("whitelist_rejected", errorMessages.WHITELIST_NOT_PRESENT);
       return result;
+    },
+    async hasUser(email) {
+      const row = await getWhitelistQuery().findOne({ where: { email }, select: ["id"] });
+      return !!row;
+    },
+    async deleteAllUsers() {
+      await getWhitelistQuery().deleteMany({});
+    },
+    async countAdminUsersByEmails(emails) {
+      if (emails.length === 0) return 0;
+      const rows = await strapi2.query("admin::user").findMany({
+        where: { email: { $in: emails } },
+        select: ["id"]
+      });
+      return rows.length;
     }
   };
 }
@@ -1507,6 +1855,58 @@ function translateDetails(key, params) {
   if (!translation) return null;
   return interpolate(translation, params);
 }
+const STRING_OP_MAP = {
+  $eq: (v) => v,
+  $contains: (v) => ({ $containsi: v }),
+  $endsWith: (v) => ({ $endsWith: v }),
+  $null: (v) => v === true ? null : void 0,
+  $notNull: (v) => v === true ? { $notNull: true } : void 0
+};
+const DATE_OP_MAP = {
+  $gte: (v) => ({ $gte: v }),
+  $lt: (v) => ({ $lt: v }),
+  $lte: (v) => ({ $lte: v }),
+  $between: (v) => ({ $between: v })
+  // $in is handled separately: each ISO day-start is expanded to a [day, day+1) range.
+};
+const DAY_MS = 864e5;
+function nextDayIso(iso) {
+  return new Date(new Date(iso).getTime() + DAY_MS).toISOString();
+}
+function expandCreatedAtInToDayRanges(days) {
+  const ranges = days.map((d) => ({ createdAt: { $gte: d, $lt: nextDayIso(d) } }));
+  return ranges.length === 1 ? ranges[0] : { $or: ranges };
+}
+const ACTION_OP_MAP = {
+  $eq: (v) => v,
+  $in: (v) => ({ $in: v })
+};
+function mapFieldFilter(conditions, field, filter, opMap) {
+  for (const [op, value] of Object.entries(filter)) {
+    const transform = opMap[op];
+    if (!transform) continue;
+    const result = transform(value);
+    if (result !== void 0) conditions.push({ [field]: result });
+  }
+}
+function buildWhereClause(filters) {
+  const conditions = [];
+  if (filters.action) mapFieldFilter(conditions, "action", filters.action, ACTION_OP_MAP);
+  if (filters.email) mapFieldFilter(conditions, "email", filters.email, STRING_OP_MAP);
+  if (filters.ip) mapFieldFilter(conditions, "ip", filters.ip, STRING_OP_MAP);
+  if (filters.createdAt) {
+    const { $in: inDays, ...rest } = filters.createdAt;
+    if (Array.isArray(inDays) && inDays.length > 0) {
+      conditions.push(expandCreatedAtInToDayRanges(inDays));
+    }
+    if (Object.keys(rest).length > 0) {
+      mapFieldFilter(conditions, "createdAt", rest, DATE_OP_MAP);
+    }
+  }
+  if (conditions.length === 0) return {};
+  if (conditions.length === 1) return conditions[0];
+  return { $and: conditions };
+}
 function auditLogService({ strapi: strapi2 }) {
   return {
     async log({ action, email, ip, detailsKey, detailsParams }) {
@@ -1529,19 +1929,33 @@ function auditLogService({ strapi: strapi2 }) {
         });
       }
     },
-    async find({ page = 1, pageSize = 25 } = {}) {
-      const result = await strapi2.db.query("plugin::strapi-plugin-oidc.audit-log").findPage({
-        sort: { createdAt: "desc" },
-        page,
-        pageSize
-      });
-      const results = result.results.map((row) => ({
-        ...row,
-        details: row.detailsKey ? translateDetails(row.detailsKey, row.detailsParams) : null
-      }));
+    async find({
+      page = 1,
+      pageSize = 25,
+      filters
+    } = {}) {
+      const where = filters ? buildWhereClause(filters) : {};
+      const dbQuery = strapi2.db.query("plugin::strapi-plugin-oidc.audit-log");
+      const [rows, total] = await Promise.all([
+        dbQuery.findMany({
+          where,
+          orderBy: [{ createdAt: "desc" }],
+          limit: pageSize,
+          offset: (page - 1) * pageSize
+        }),
+        dbQuery.count({ where })
+      ]);
       return {
-        results,
-        pagination: result.pagination
+        results: rows.map((row) => ({
+          ...row,
+          details: row.detailsKey ? translateDetails(row.detailsKey, row.detailsParams) : null
+        })),
+        pagination: {
+          page,
+          pageSize,
+          total,
+          pageCount: Math.ceil(total / pageSize)
+        }
       };
     },
     async clearAll() {
@@ -1553,7 +1967,7 @@ function auditLogService({ strapi: strapi2 }) {
       } while (deletedCount === BATCH_SIZE);
     },
     async cleanup(retentionDays) {
-      const cutoff = new Date(Date.now() - retentionDays * 864e5);
+      const cutoff = new Date(Date.now() - retentionDays * DAY_MS);
       await strapi2.db.query("plugin::strapi-plugin-oidc.audit-log").deleteMany({ where: { createdAt: { $lt: cutoff } } });
     }
   };