strapi-plugin-oidc 1.6.6 → 1.7.1

package/dist/server/index.js

@@ -284,6 +284,7 @@ const en = {
   "page.save.error": "Update failed.",
   "page.add": "Add",
   "page.cancel": "Cancel",
+  "common.remove": "Remove {label}",
   "page.ok": "OK",
   "roles.title": "Default Role(s)",
   "roles.placeholder": "Select default role(s)",
@@ -315,7 +316,7 @@ const en = {
   "enforce.config.info": "Enforcement is controlled by the OIDC_ENFORCE config variable and cannot be changed here.",
   "login.settings.title": "Login Settings",
   "login.sso": "Login via SSO",
-  "whitelist.count": "{count, plural, one {# entry} other {# entries}}",
+  "pagination.total": "{count, plural, one {# entry} other {# entries}}",
   "whitelist.import": "Import",
   "whitelist.export": "Export",
   "whitelist.delete.all.label": "Delete All",
@@ -343,6 +344,20 @@ const en = {
   "auditlog.clear.success": "Audit logs cleared",
   "auditlog.clear.error": "Failed to clear audit logs",
   "auditlog.export.error": "Failed to export audit logs",
+  "auditlog.filters": "Filters",
+  "auditlog.filters.action": "Action",
+  "auditlog.filters.email": "Email",
+  "auditlog.filters.ip": "IP address",
+  "auditlog.filters.createdAt": "Date",
+  "auditlog.filters.clear": "Clear filters",
+  "auditlog.filters.empty": "No entries match the current filters",
+  "auditlog.calendar.prevMonth": "Previous month",
+  "auditlog.calendar.nextMonth": "Next month",
+  "auditlog.calendar.state.today": "today",
+  "auditlog.calendar.state.selected": "selected",
+  "auditlog.calendar.state.alreadyAdded": "already added",
+  "auditlog.calendar.state.future": "unavailable, future date",
+  "auditlog.calendar.dayWithState": "{date}, {state}",
   "auditlog.action.login_success": "User successfully authenticated via OIDC and was granted access.",
   "auditlog.action.user_created": "A new Strapi admin account was created for this user on their first OIDC login.",
   "auditlog.action.logout": "User logged out and their OIDC session was ended.",
@@ -353,23 +368,74 @@ const en = {
   "auditlog.action.nonce_mismatch": "The nonce in the ID token did not match the one generated at login. This may indicate a token replay attack.",
   "auditlog.action.token_exchange_failed": "The authorisation code could not be exchanged for tokens. The OIDC provider rejected the request.",
   "auditlog.action.whitelist_rejected": "The user's email address is not on the whitelist. Access was denied.",
+  "auth.page.authenticating.title": "Authenticating...",
+  "auth.page.authenticating.noscript.heading": "JavaScript Required",
+  "auth.page.authenticating.noscript.body": "JavaScript must be enabled for authentication to complete.",
+  "auth.page.error.title": "Authentication Failed",
+  "auth.page.error.returnToLogin": "Return to Login",
   "user.missing_code": "Authorisation code was not received from the OIDC provider.",
   "user.invalid_state": "State parameter mismatch. Please restart the login flow.",
   "user.signInError": "Authentication failed. Please try again.",
   "settings.section": "OIDC",
   "settings.configuration": "Configuration"
 };
-const userFacingMessages = {
-  get missing_code() {
-    return en["user.missing_code"];
-  },
-  get invalid_state() {
-    return en["user.invalid_state"];
-  },
-  get signInError() {
-    return en["user.signInError"];
+const __vite_glob_0_0 = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
+  __proto__: null,
+  default: en
+}, Symbol.toStringTag, { value: "Module" }));
+const modules = /* @__PURE__ */ Object.assign({ "../translations/locales/en.json": __vite_glob_0_0 });
+const locales = Object.fromEntries(
+  Object.entries(modules).map(([path, mod]) => {
+    const code = path.match(/\/([^/]+)\.json$/)?.[1];
+    return [code ?? "", mod.default];
+  })
+);
+Object.keys(locales).filter(Boolean);
+const DEFAULT_LOCALE = "en";
+function parseAcceptLanguage(header) {
+  return header.split(",").map((part) => {
+    const [tag, ...params] = part.trim().split(";");
+    const qParam = params.find((p) => p.trim().startsWith("q="));
+    const q = qParam ? parseFloat(qParam.trim().slice(2)) : 1;
+    return { tag: tag.toLowerCase(), q: Number.isFinite(q) ? q : 1 };
+  }).filter((entry) => entry.tag).sort((a, b) => b.q - a.q);
+}
+function negotiateLocale(acceptLanguage) {
+  if (!acceptLanguage) return DEFAULT_LOCALE;
+  for (const { tag } of parseAcceptLanguage(acceptLanguage)) {
+    if (locales[tag]) return tag;
+    const base = tag.split("-")[0];
+    if (locales[base]) return base;
   }
-};
+  return DEFAULT_LOCALE;
+}
+function t(locale, key, fallback) {
+  return locales[locale]?.[key] ?? locales[DEFAULT_LOCALE]?.[key] ?? fallback ?? key;
+}
+const userFacingMessages = (locale) => ({
+  missing_code: t(
+    locale,
+    "user.missing_code",
+    "Authorisation code was not received from the OIDC provider."
+  ),
+  invalid_state: t(
+    locale,
+    "user.invalid_state",
+    "State parameter mismatch. Please restart the login flow."
+  ),
+  signInError: t(locale, "user.signInError", "Authentication failed. Please try again.")
+});
+const authPageMessages = (locale) => ({
+  authenticatingTitle: t(locale, "auth.page.authenticating.title", "Authenticating..."),
+  noscriptHeading: t(locale, "auth.page.authenticating.noscript.heading", "JavaScript Required"),
+  noscriptBody: t(
+    locale,
+    "auth.page.authenticating.noscript.body",
+    "JavaScript must be enabled for authentication to complete."
+  ),
+  errorTitle: t(locale, "auth.page.error.title", "Authentication Failed"),
+  returnToLogin: t(locale, "auth.page.error.returnToLogin", "Return to Login")
+});
 class OidcError extends Error {
   kind;
   cause;
@@ -417,6 +483,21 @@ const OIDC_ERROR_DISPATCH = {
     key: "sign_in_unknown"
   }
 };
+function getClientIp(ctx) {
+  const cfConnectingIp = ctx.get("CF-Connecting-IP");
+  if (cfConnectingIp) {
+    return cfConnectingIp.split(",")[0].trim();
+  }
+  const forwardedFor = ctx.get("X-Forwarded-For");
+  if (forwardedFor) {
+    return forwardedFor.split(",")[0].trim();
+  }
+  const realIp = ctx.get("X-Real-IP");
+  if (realIp) {
+    return realIp.trim();
+  }
+  return ctx.ip;
+}
 const REQUIRED_CONFIG_KEYS = [
   "OIDC_CLIENT_ID",
   "OIDC_CLIENT_SECRET",
@@ -560,62 +641,99 @@ async function updateUserRoles(user, currentRoleIds, newRoleIds) {
     throw updateErr;
   }
 }
-async function handleUserAuthentication(userService, oauthService2, roleService2, whitelistService2, userResponseData, config2, ctx) {
-  const rawEmail = String(userResponseData.email ?? "");
-  const email = rawEmail.toLowerCase();
-  if (!email || !isValidEmail(email)) {
-    throw new OidcError("invalid_email", errorMessages.INVALID_EMAIL);
+async function resolveRolesFromGroups(candidateNames) {
+  const matchedRoles = await strapi.db.query("admin::role").findMany({
+    where: { name: { $in: candidateNames } },
+    select: ["id", "name"]
+  });
+  const nameToId = new Map(matchedRoles.map((r) => [r.name, String(r.id)]));
+  const roles2 = [];
+  for (const name of candidateNames) {
+    const id = nameToId.get(name);
+    if (id) roles2.push(id);
   }
-  await whitelistService2.checkWhitelistForEmail(email);
+  return {
+    roles: roles2,
+    fromGroupMapping: true,
+    resolvedRoleNames: matchedRoles.map((r) => r.name)
+  };
+}
+async function resolveRolesFromDefaults(roleService2) {
+  const oidcRolesResult = await roleService2.oidcRoles();
+  const roles2 = oidcRolesResult?.roles || [];
+  if (roles2.length === 0) {
+    return { roles: roles2, fromGroupMapping: false, resolvedRoleNames: [] };
+  }
+  const records = await strapi.db.query("admin::role").findMany({
+    where: { id: { $in: roles2.map(Number) } },
+    select: ["id", "name"]
+  });
+  return {
+    roles: roles2,
+    fromGroupMapping: false,
+    resolvedRoleNames: records.map((r) => r.name)
+  };
+}
+async function resolveRoles(userResponseData, config2, roleService2) {
   const candidateNames = collectGroupMapRoleNames(userResponseData, config2);
-  let roles2 = [];
-  let fromGroupMapping = false;
-  let resolvedRoleNames = [];
   if (candidateNames.length > 0) {
-    const matchedRoles = await strapi.db.query("admin::role").findMany({
-      where: { name: { $in: candidateNames } },
-      select: ["id", "name"]
-    });
-    const nameToId = new Map(matchedRoles.map((r) => [r.name, String(r.id)]));
-    for (const name of candidateNames) {
-      const id = nameToId.get(name);
-      if (id) roles2.push(id);
-    }
-    resolvedRoleNames = matchedRoles.map((r) => r.name);
-    fromGroupMapping = true;
-  } else {
-    const oidcRolesResult = await roleService2.oidcRoles();
-    roles2 = oidcRolesResult?.roles || [];
-    if (roles2.length > 0) {
-      const oidcRoleRecords = await strapi.db.query("admin::role").findMany({
-        where: { id: { $in: roles2.map(Number) } },
-        select: ["id", "name"]
-      });
-      resolvedRoleNames = oidcRoleRecords.map((r) => r.name);
-    }
+    return resolveRolesFromGroups(candidateNames);
   }
-  let userCreated = false;
-  let rolesUpdated = false;
-  let user = await userService.findOneByEmail(email, ["roles"]);
-  if (!user) {
+  return resolveRolesFromDefaults(roleService2);
+}
+async function ensureUser(userService, oauthService2, email, userResponseData, config2, ctx, resolved) {
+  const existing = await userService.findOneByEmail(email, ["roles"]);
+  if (!existing) {
     try {
-      user = await registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2);
+      const user = await registerNewUser(
+        oauthService2,
+        email,
+        userResponseData,
+        config2,
+        ctx,
+        resolved.roles
+      );
+      return { user, userCreated: true, rolesUpdated: true };
     } catch (e) {
       const msg = e instanceof Error ? e.message : String(e);
       throw new OidcError("user_creation_failed", msg, e);
     }
-    userCreated = true;
-    rolesUpdated = true;
-  } else if (fromGroupMapping && roles2.length > 0) {
-    const currentRoleIds = new Set((user.roles ?? []).map((r) => String(r.id)));
-    if (rolesChanged(currentRoleIds, new Set(roles2))) {
-      await updateUserRoles(user, currentRoleIds, roles2);
-      rolesUpdated = true;
-    }
   }
+  if (!resolved.fromGroupMapping || resolved.roles.length === 0) {
+    return { user: existing, userCreated: false, rolesUpdated: false };
+  }
+  const currentRoleIds = new Set((existing.roles ?? []).map((r) => String(r.id)));
+  if (!rolesChanged(currentRoleIds, new Set(resolved.roles))) {
+    return { user: existing, userCreated: false, rolesUpdated: false };
+  }
+  await updateUserRoles(existing, currentRoleIds, resolved.roles);
+  return { user: existing, userCreated: false, rolesUpdated: true };
+}
+async function handleUserAuthentication(userService, oauthService2, roleService2, whitelistService2, userResponseData, config2, ctx) {
+  const email = String(userResponseData.email ?? "").toLowerCase();
+  if (!email || !isValidEmail(email)) {
+    throw new OidcError("invalid_email", errorMessages.INVALID_EMAIL);
+  }
+  await whitelistService2.checkWhitelistForEmail(email);
+  const resolved = await resolveRoles(userResponseData, config2, roleService2);
+  const { user, userCreated, rolesUpdated } = await ensureUser(
+    userService,
+    oauthService2,
+    email,
+    userResponseData,
+    config2,
+    ctx,
+    resolved
+  );
   const jwtToken = await oauthService2.generateToken(user, ctx);
   oauthService2.triggerSignInSuccess(user);
-  return { activateUser: user, jwtToken, userCreated, rolesUpdated, resolvedRoleNames };
+  return {
+    activateUser: user,
+    jwtToken,
+    userCreated,
+    rolesUpdated,
+    resolvedRoleNames: resolved.resolvedRoleNames
+  };
 }
 function classifyOidcError(e, userInfo) {
   const kind = e instanceof OidcError ? e.kind : "unknown";
@@ -634,26 +752,76 @@ function classifyOidcError(e, userInfo) {
     params
   };
 }
-async function oidcSignInCallback(ctx) {
-  const config2 = configValidation();
-  const userService = getAdminUserService();
-  const oauthService2 = getOauthService();
-  const roleService2 = getRoleService();
-  const whitelistService2 = getWhitelistService();
-  const auditLog2 = getAuditLogService();
-  if (!ctx.query.code) {
-    await auditLog2.log({ action: "missing_code", ip: ctx.ip });
-    return ctx.send(oauthService2.renderSignUpError(userFacingMessages.missing_code));
-  }
+function readAndClearPkceCookies(ctx) {
   const oidcState = ctx.cookies.get("oidc_state");
   const codeVerifier = ctx.cookies.get("oidc_code_verifier");
   const oidcNonce = ctx.cookies.get("oidc_nonce");
   ctx.cookies.set("oidc_state", null);
   ctx.cookies.set("oidc_code_verifier", null);
   ctx.cookies.set("oidc_nonce", null);
+  return { oidcState, codeVerifier, oidcNonce };
+}
+async function logSuccessfulAuth(auditLog2, ctx, user, userCreated, rolesUpdated, resolvedRoleNames) {
+  const roles2 = resolvedRoleNames.join(", ");
+  const entries = [
+    auditLog2.log({
+      action: "login_success",
+      email: user.email,
+      ip: getClientIp(ctx),
+      detailsKey: rolesUpdated ? "roles_updated" : void 0,
+      detailsParams: rolesUpdated ? { roles: roles2 } : void 0
+    })
+  ];
+  if (userCreated) {
+    entries.push(
+      auditLog2.log({
+        action: "user_created",
+        email: user.email,
+        ip: getClientIp(ctx),
+        detailsKey: "user_created",
+        detailsParams: { roles: roles2 }
+      })
+    );
+  }
+  await Promise.all(entries);
+}
+async function handleCallbackError(e, userInfo, auditLog2, oauthService2, ctx) {
+  const errorInfo = classifyOidcError(e, userInfo);
+  const message = e instanceof Error ? e.message : String(e);
+  await auditLog2.log({
+    action: errorInfo.action,
+    email: userInfo?.email,
+    ip: getClientIp(ctx),
+    detailsKey: errorInfo.action,
+    detailsParams: errorInfo.action === "login_failure" ? { message } : void 0
+  });
+  strapi.log.error({
+    code: errorInfo.code,
+    phase: "oidc_callback",
+    message: e instanceof Error ? e.message : "Unknown sign-in error",
+    detail: errorInfo.key ? getErrorDetail(errorInfo.key, errorInfo.params) : void 0,
+    email: userInfo?.email
+  });
+  const locale = negotiateLocale(ctx.request.headers["accept-language"]);
+  ctx.send(oauthService2.renderSignUpError(userFacingMessages(locale).signInError, locale));
+}
+async function oidcSignInCallback(ctx) {
+  const config2 = configValidation();
+  const oauthService2 = getOauthService();
+  const auditLog2 = getAuditLogService();
+  const locale = negotiateLocale(ctx.request.headers["accept-language"]);
+  if (!ctx.query.code) {
+    await auditLog2.log({ action: "missing_code", ip: getClientIp(ctx) });
+    return ctx.send(
+      oauthService2.renderSignUpError(userFacingMessages(locale).missing_code, locale)
+    );
+  }
+  const { oidcState, codeVerifier, oidcNonce } = readAndClearPkceCookies(ctx);
   if (!ctx.query.state || ctx.query.state !== oidcState) {
-    await auditLog2.log({ action: "state_mismatch", ip: ctx.ip });
-    return ctx.send(oauthService2.renderSignUpError(userFacingMessages.invalid_state));
+    await auditLog2.log({ action: "state_mismatch", ip: getClientIp(ctx) });
+    return ctx.send(
+      oauthService2.renderSignUpError(userFacingMessages(locale).invalid_state, locale)
+    );
   }
   const params = new URLSearchParams({
     code: ctx.query.code,
@@ -667,67 +835,53 @@ async function oidcSignInCallback(ctx) {
   try {
     const exchangeResult = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce ?? "");
     userInfo = exchangeResult.userInfo;
-    const accessToken = exchangeResult.accessToken;
     const isProduction = strapi.config.get("environment") === "production";
-    ctx.cookies.set("oidc_access_token", accessToken, {
+    const secureFlag = isProduction && ctx.request.secure;
+    ctx.cookies.set("oidc_access_token", exchangeResult.accessToken, {
       httpOnly: true,
       maxAge: 3e5,
-      secure: isProduction && ctx.request.secure,
+      secure: secureFlag,
       sameSite: "lax"
     });
     const { activateUser, jwtToken, userCreated, rolesUpdated, resolvedRoleNames } = await handleUserAuthentication(
-      userService,
+      getAdminUserService(),
       oauthService2,
-      roleService2,
-      whitelistService2,
+      getRoleService(),
+      getWhitelistService(),
       userInfo,
       config2,
       ctx
     );
-    const identityCookieOptions = {
+    ctx.cookies.set("oidc_user_email", activateUser.email, {
       httpOnly: true,
       path: "/",
-      secure: isProduction && ctx.request.secure,
+      secure: secureFlag,
       sameSite: "lax"
-    };
-    ctx.cookies.set("oidc_user_email", activateUser.email, identityCookieOptions);
-    if (userCreated) {
-      await auditLog2.log({
-        action: "user_created",
-        email: activateUser.email,
-        ip: ctx.ip,
-        detailsKey: "user_created",
-        detailsParams: { roles: resolvedRoleNames.join(", ") }
-      });
-    }
-    await auditLog2.log({
-      action: "login_success",
-      email: activateUser.email,
-      ip: ctx.ip,
-      detailsKey: rolesUpdated ? "roles_updated" : void 0,
-      detailsParams: rolesUpdated ? { roles: resolvedRoleNames.join(", ") } : void 0
     });
+    await logSuccessfulAuth(
+      auditLog2,
+      ctx,
+      activateUser,
+      userCreated,
+      rolesUpdated,
+      resolvedRoleNames
+    );
     const nonce = node_crypto.randomUUID();
-    const html = oauthService2.renderSignUpSuccess(jwtToken, activateUser, nonce);
     ctx.set("Content-Security-Policy", `script-src 'nonce-${nonce}'`);
-    ctx.send(html);
+    ctx.send(oauthService2.renderSignUpSuccess(jwtToken, activateUser, nonce, locale));
   } catch (e) {
-    const errorInfo = classifyOidcError(e, userInfo);
-    await auditLog2.log({
-      action: errorInfo.action,
-      email: userInfo?.email,
-      ip: ctx.ip,
-      detailsKey: errorInfo.action,
-      detailsParams: errorInfo.action === "login_failure" ? { message: e instanceof Error ? e.message : String(e) } : void 0
-    });
-    strapi.log.error({
-      code: errorInfo.code,
-      phase: "oidc_callback",
-      message: e instanceof Error ? e.message : "Unknown sign-in error",
-      detail: errorInfo.key ? getErrorDetail(errorInfo.key, errorInfo.params) : void 0,
-      email: userInfo?.email
+    await handleCallbackError(e, userInfo, auditLog2, oauthService2, ctx);
+  }
+}
+async function isProviderSessionActive(userinfoEndpoint, accessToken) {
+  try {
+    const response = await fetch(userinfoEndpoint, {
+      headers: { Authorization: `Bearer ${accessToken}` },
+      signal: AbortSignal.timeout(LOGOUT_USERINFO_TIMEOUT_MS)
     });
-    ctx.send(oauthService2.renderSignUpError(userFacingMessages.signInError));
+    return response.ok;
+  } catch {
+    return false;
   }
 }
 async function logout(ctx) {
@@ -735,38 +889,27 @@ async function logout(ctx) {
   const auditLog2 = getAuditLogService();
   const logoutUrl = config2.OIDC_END_SESSION_ENDPOINT;
   const adminPanelUrl = strapi.config.get("admin.url", "/admin");
+  const loginUrl = `${adminPanelUrl}/auth/login`;
   const isOidcSession = !!ctx.cookies.get("oidc_authenticated");
   const accessToken = ctx.cookies.get("oidc_access_token");
   const userEmail = ctx.cookies.get("oidc_user_email") ?? void 0;
   clearAuthCookies(strapi, ctx);
-  if (logoutUrl && isOidcSession && accessToken) {
-    try {
-      const response = await fetch(config2.OIDC_USERINFO_ENDPOINT, {
-        headers: { Authorization: `Bearer ${accessToken}` },
-        signal: AbortSignal.timeout(LOGOUT_USERINFO_TIMEOUT_MS)
+  if (!isOidcSession) {
+    return ctx.redirect(loginUrl);
+  }
+  const logAudit = (action) => userEmail ? auditLog2.log({ action, email: userEmail, ip: getClientIp(ctx) }) : Promise.resolve();
+  if (logoutUrl && accessToken) {
+    const active = await isProviderSessionActive(config2.OIDC_USERINFO_ENDPOINT, accessToken);
+    if (active) {
+      logAudit("logout").catch(() => {
       });
-      if (response.ok) {
-        if (userEmail)
-          auditLog2.log({ action: "logout", email: userEmail, ip: ctx.ip }).catch(() => {
-          });
-        return ctx.redirect(logoutUrl);
-      }
-      if (userEmail)
-        await auditLog2.log({ action: "session_expired", email: userEmail, ip: ctx.ip });
-      return ctx.redirect(`${adminPanelUrl}/auth/login`);
-    } catch {
-      if (userEmail)
-        await auditLog2.log({ action: "session_expired", email: userEmail, ip: ctx.ip });
-      return ctx.redirect(`${adminPanelUrl}/auth/login`);
+      return ctx.redirect(logoutUrl);
     }
+    await logAudit("session_expired");
+    return ctx.redirect(loginUrl);
   }
-  if (isOidcSession && userEmail) {
-    await auditLog2.log({ action: "logout", email: userEmail, ip: ctx.ip });
-  }
-  if (logoutUrl && isOidcSession) {
-    return ctx.redirect(logoutUrl);
-  }
-  ctx.redirect(`${adminPanelUrl}/auth/login`);
+  await logAudit("logout");
+  ctx.redirect(logoutUrl || loginUrl);
 }
 const oidc = {
   oidcSignIn,
@@ -941,11 +1084,149 @@ const whitelist = {
   importUsers,
   exportWhitelist
 };
+const AUDIT_ACTIONS = [
+  "login_success",
+  "login_failure",
+  "missing_code",
+  "state_mismatch",
+  "nonce_mismatch",
+  "token_exchange_failed",
+  "whitelist_rejected",
+  "logout",
+  "session_expired",
+  "user_created"
+];
+const ISO_UTC_DATETIME = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/;
+function isIsoUtcDatetime(value) {
+  return typeof value === "string" && ISO_UTC_DATETIME.test(value);
+}
+const ALLOWED_FIELDS = /* @__PURE__ */ new Set(["action", "email", "ip", "createdAt"]);
+const STRING_OPERATORS = /* @__PURE__ */ new Set([
+  "$eq",
+  "$contains",
+  "$endsWith",
+  "$null",
+  "$notNull"
+]);
+const DATE_OPERATORS = /* @__PURE__ */ new Set(["$gte", "$lt", "$lte", "$between", "$in"]);
+const ENUM_OPERATORS = /* @__PURE__ */ new Set(["$eq", "$in"]);
+function isPlainObject(value) {
+  if (typeof value !== "object" || value === null || Array.isArray(value)) return false;
+  const proto = Object.getPrototypeOf(value);
+  return proto === Object.prototype || proto === null;
+}
+function isStringOperator(op) {
+  return STRING_OPERATORS.has(op);
+}
+function isDateOperator(op) {
+  return DATE_OPERATORS.has(op);
+}
+function isEnumOperator(op) {
+  return ENUM_OPERATORS.has(op);
+}
+function isAuditAction(value) {
+  return AUDIT_ACTIONS.includes(value);
+}
+class ValidationError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ValidationError";
+  }
+}
+function requireType(field, op, value, check, expected) {
+  if (!check) {
+    throw new ValidationError(`Operator "${op}" for field "${field}" requires ${expected}`);
+  }
+  return value;
+}
+function parseActionOperator(op, opValue) {
+  if (!isEnumOperator(op)) {
+    throw new ValidationError(`Unknown operator "${op}" for field "action"`);
+  }
+  if (op === "$in") {
+    requireType("action", op, opValue, Array.isArray(opValue), "an array value");
+    for (const v of opValue) {
+      if (!isAuditAction(v)) {
+        throw new ValidationError(
+          `Invalid action value "${v}" — must be one of: ${AUDIT_ACTIONS.join(", ")}`
+        );
+      }
+    }
+    return opValue;
+  }
+  if (!isAuditAction(opValue)) {
+    throw new ValidationError(
+      `Invalid action value "${opValue}" — must be one of: ${AUDIT_ACTIONS.join(", ")}`
+    );
+  }
+  return opValue;
+}
+function parseCreatedAtOperator(op, opValue) {
+  if (!isDateOperator(op)) {
+    throw new ValidationError(`Unknown operator "${op}" for field "createdAt"`);
+  }
+  const expected = 'an ISO-8601 UTC datetime string (e.g. "2024-01-15T00:00:00.000Z")';
+  if (op === "$between") {
+    const isTuple = Array.isArray(opValue) && opValue.length === 2;
+    requireType("createdAt", op, opValue, isTuple, "a tuple [start, end]");
+    const [a, b] = opValue;
+    requireType("createdAt", op, opValue, isIsoUtcDatetime(a) && isIsoUtcDatetime(b), expected);
+    return opValue;
+  }
+  if (op === "$in") {
+    requireType("createdAt", op, opValue, Array.isArray(opValue), "an array value");
+    for (const v of opValue) {
+      requireType("createdAt", op, v, isIsoUtcDatetime(v), expected);
+    }
+    return opValue;
+  }
+  return requireType("createdAt", op, opValue, isIsoUtcDatetime(opValue), expected);
+}
+function parseStringFieldOperator(field, op, opValue) {
+  if (!isStringOperator(op)) {
+    throw new ValidationError(`Unknown operator "${op}" for field "${field}"`);
+  }
+  if (op === "$null" || op === "$notNull") {
+    return requireType(field, op, opValue, typeof opValue === "boolean", "a boolean value");
+  }
+  return requireType(field, op, opValue, typeof opValue === "string", "a string value");
+}
+function parseFieldOperators(field, fieldValue) {
+  if (!isPlainObject(fieldValue)) {
+    throw new ValidationError(
+      `Filter field "${field}" must be an object of operators, got ${typeof fieldValue}`
+    );
+  }
+  const parsed = {};
+  for (const [op, opValue] of Object.entries(fieldValue)) {
+    if (field === "action") parsed[op] = parseActionOperator(op, opValue);
+    else if (field === "createdAt") parsed[op] = parseCreatedAtOperator(op, opValue);
+    else parsed[op] = parseStringFieldOperator(field, op, opValue);
+  }
+  return Object.keys(parsed).length > 0 ? parsed : null;
+}
+function parseAuditLogFilters(query) {
+  if (!isPlainObject(query)) return {};
+  const result = {};
+  const filters = query.filters;
+  if (filters === void 0) return result;
+  if (!isPlainObject(filters)) {
+    throw new ValidationError(`"filters" must be an object, got ${typeof filters}`);
+  }
+  for (const [field, fieldValue] of Object.entries(filters)) {
+    if (!ALLOWED_FIELDS.has(field)) {
+      throw new ValidationError(`Unknown filter field: "${field}"`);
+    }
+    const parsed = parseFieldOperators(field, fieldValue);
+    if (parsed) result[field] = parsed;
+  }
+  return result;
+}
 const EXPORT_PAGE_SIZE = 500;
-async function* ndjsonRowStream(service) {
+async function* ndjsonRowStream(service, filters) {
   let page = 1;
   while (true) {
-    const { results } = await service.find({ page, pageSize: EXPORT_PAGE_SIZE });
+    const { results } = await service.find({ page, pageSize: EXPORT_PAGE_SIZE, filters });
     if (results.length === 0) return;
     let chunk = "";
     for (const row of results) {
@@ -962,28 +1243,35 @@ async function* ndjsonRowStream(service) {
     page++;
   }
 }
-function errorAwareNdjsonStream(service) {
-  const gen = ndjsonRowStream(service);
+function errorAwareNdjsonStream(strapi2, service, filters) {
+  const gen = ndjsonRowStream(service, filters);
   const readable = node_stream.Readable.from(gen);
   readable.on("error", (err) => {
-    strapi$1.log.error({ phase: "audit_log_export", err }, "NDJSON export stream failed");
+    strapi2.log.error({ phase: "audit_log_export", err }, "NDJSON export stream failed");
   });
   return readable;
 }
-let strapi$1;
-function find(ctx) {
-  strapi$1 = ctx.strapi;
+function parseFiltersOr400(ctx) {
+  try {
+    return parseAuditLogFilters(ctx.query);
+  } catch (err) {
+    ctx.status = 400;
+    ctx.body = { message: err instanceof ValidationError ? err.message : "Invalid filters" };
+    return null;
+  }
+}
+async function find(ctx) {
+  const filters = parseFiltersOr400(ctx);
+  if (!filters) return;
   const page = Math.max(1, Number(ctx.query.page) || 1);
   const pageSize = Math.min(100, Math.max(1, Number(ctx.query.pageSize) || 25));
-  return getAuditLogService().find({ page, pageSize }).then((result) => {
-    ctx.body = result;
-  });
+  ctx.body = await getAuditLogService().find({ page, pageSize, filters });
 }
 async function exportLogs(ctx) {
-  strapi$1 = ctx.strapi;
+  const filters = parseFiltersOr400(ctx);
+  if (!filters) return;
   setNdjsonAttachmentHeaders(ctx, "strapi-oidc-audit-log");
-  const service = getAuditLogService();
-  ctx.body = errorAwareNdjsonStream(service);
+  ctx.body = errorAwareNdjsonStream(ctx.strapi, getAuditLogService(), filters);
 }
 async function clearAll(ctx) {
   await getAuditLogService().clearAll();
@@ -1004,7 +1292,7 @@ const rateLimitMap = /* @__PURE__ */ new Map();
 const RATE_LIMIT_WINDOW = 6e4;
 const MAX_REQUESTS = 1e3;
 function getRateLimitKey(ctx) {
-  const ip = ctx.request.ip;
+  const ip = getClientIp(ctx);
   const ua = ctx.request.header["user-agent"] ?? "";
   const uaHash = node_crypto.createHash("sha256").update(ua).digest("hex").slice(0, 16);
   return `${ip}:${uaHash}`;
@@ -1197,10 +1485,10 @@ const routes = {
   }
 };
 const policies = {};
-function renderHtmlTemplate(title, content) {
+function renderHtmlTemplate(title, content, locale = "en") {
   return `
 <!doctype html>
-<html lang="en">
+<html lang="${locale}">
 <head>
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
@@ -1379,9 +1667,10 @@ function oauthService({ strapi: strapi2 }) {
         provider: "strapi-plugin-oidc"
       });
     },
-    renderSignUpSuccess(jwtToken, user, nonce) {
+    renderSignUpSuccess(jwtToken, user, nonce, locale = "en") {
       const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
       const isRememberMe = !!config2?.REMEMBER_ME;
+      const messages = authPageMessages(locale);
       const content = `
     <noscript>
       <div class="card">
@@ -1390,8 +1679,8 @@ function oauthService({ strapi: strapi2 }) {
             <path d="M20 6 9 17l-5-5"/>
           </svg>
         </div>
-        <h1>JavaScript Required</h1>
-        <p>JavaScript must be enabled for authentication to complete.</p>
+        <h1>${messages.noscriptHeading}</h1>
+        <p>${messages.noscriptBody}</p>
       </div>
     </noscript>
     <script nonce="${nonce}">
@@ -1405,9 +1694,10 @@ function oauthService({ strapi: strapi2 }) {
       location.href = '${strapi2.config.admin.url}'
      })
     <\/script>`;
-      return renderHtmlTemplate("Authenticating...", content);
+      return renderHtmlTemplate(messages.authenticatingTitle, content, locale);
     },
-    renderSignUpError(message) {
+    renderSignUpError(message, locale = "en") {
+      const messages = authPageMessages(locale);
       const safeMessage = String(message).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
       const content = `
   <div class="card">
@@ -1418,11 +1708,11 @@ function oauthService({ strapi: strapi2 }) {
         <path d="M12 17h.01"/>
       </svg>
     </div>
-    <h1>Authentication Failed</h1>
+    <h1>${messages.errorTitle}</h1>
     <p>${safeMessage}</p>
-    <a href="${strapi2.config.admin.url}" class="btn">Return to Login</a>
+    <a href="${strapi2.config.admin.url}" class="btn">${messages.returnToLogin}</a>
   </div>`;
-      return renderHtmlTemplate("Authentication Failed", content);
+      return renderHtmlTemplate(messages.errorTitle, content, locale);
     },
     async generateToken(user, ctx) {
       const sessionManager = strapi2.sessionManager;
@@ -1586,6 +1876,58 @@ function translateDetails(key, params) {
   if (!translation) return null;
   return interpolate(translation, params);
 }
+const STRING_OP_MAP = {
+  $eq: (v) => v,
+  $contains: (v) => ({ $containsi: v }),
+  $endsWith: (v) => ({ $endsWith: v }),
+  $null: (v) => v === true ? null : void 0,
+  $notNull: (v) => v === true ? { $notNull: true } : void 0
+};
+const DATE_OP_MAP = {
+  $gte: (v) => ({ $gte: v }),
+  $lt: (v) => ({ $lt: v }),
+  $lte: (v) => ({ $lte: v }),
+  $between: (v) => ({ $between: v })
+  // $in is handled separately: each ISO day-start is expanded to a [day, day+1) range.
+};
+const DAY_MS = 864e5;
+function nextDayIso(iso) {
+  return new Date(new Date(iso).getTime() + DAY_MS).toISOString();
+}
+function expandCreatedAtInToDayRanges(days) {
+  const ranges = days.map((d) => ({ createdAt: { $gte: d, $lt: nextDayIso(d) } }));
+  return ranges.length === 1 ? ranges[0] : { $or: ranges };
+}
+const ACTION_OP_MAP = {
+  $eq: (v) => v,
+  $in: (v) => ({ $in: v })
+};
+function mapFieldFilter(conditions, field, filter, opMap) {
+  for (const [op, value] of Object.entries(filter)) {
+    const transform = opMap[op];
+    if (!transform) continue;
+    const result = transform(value);
+    if (result !== void 0) conditions.push({ [field]: result });
+  }
+}
+function buildWhereClause(filters) {
+  const conditions = [];
+  if (filters.action) mapFieldFilter(conditions, "action", filters.action, ACTION_OP_MAP);
+  if (filters.email) mapFieldFilter(conditions, "email", filters.email, STRING_OP_MAP);
+  if (filters.ip) mapFieldFilter(conditions, "ip", filters.ip, STRING_OP_MAP);
+  if (filters.createdAt) {
+    const { $in: inDays, ...rest } = filters.createdAt;
+    if (Array.isArray(inDays) && inDays.length > 0) {
+      conditions.push(expandCreatedAtInToDayRanges(inDays));
+    }
+    if (Object.keys(rest).length > 0) {
+      mapFieldFilter(conditions, "createdAt", rest, DATE_OP_MAP);
+    }
+  }
+  if (conditions.length === 0) return {};
+  if (conditions.length === 1) return conditions[0];
+  return { $and: conditions };
+}
 function auditLogService({ strapi: strapi2 }) {
   return {
     async log({ action, email, ip, detailsKey, detailsParams }) {
@@ -1610,20 +1952,31 @@ function auditLogService({ strapi: strapi2 }) {
     },
     async find({
       page = 1,
-      pageSize = 25
+      pageSize = 25,
+      filters
     } = {}) {
-      const result = await strapi2.db.query("plugin::strapi-plugin-oidc.audit-log").findPage({
-        sort: { createdAt: "desc" },
-        page,
-        pageSize
-      });
-      const results = result.results.map((row) => ({
-        ...row,
-        details: row.detailsKey ? translateDetails(row.detailsKey, row.detailsParams) : null
-      }));
+      const where = filters ? buildWhereClause(filters) : {};
+      const dbQuery = strapi2.db.query("plugin::strapi-plugin-oidc.audit-log");
+      const [rows, total] = await Promise.all([
+        dbQuery.findMany({
+          where,
+          orderBy: [{ createdAt: "desc" }],
+          limit: pageSize,
+          offset: (page - 1) * pageSize
+        }),
+        dbQuery.count({ where })
+      ]);
       return {
-        results,
-        pagination: result.pagination
+        results: rows.map((row) => ({
+          ...row,
+          details: row.detailsKey ? translateDetails(row.detailsKey, row.detailsParams) : null
+        })),
+        pagination: {
+          page,
+          pageSize,
+          total,
+          pageCount: Math.ceil(total / pageSize)
+        }
       };
     },
     async clearAll() {
@@ -1635,7 +1988,7 @@ function auditLogService({ strapi: strapi2 }) {
       } while (deletedCount === BATCH_SIZE);
     },
     async cleanup(retentionDays) {
-      const cutoff = new Date(Date.now() - retentionDays * 864e5);
+      const cutoff = new Date(Date.now() - retentionDays * DAY_MS);
       await strapi2.db.query("plugin::strapi-plugin-oidc.audit-log").deleteMany({ where: { createdAt: { $lt: cutoff } } });
     }
   };