strapi-plugin-oidc 1.7.6 → 1.8.0

package/README.md

@@ -44,19 +44,38 @@ module.exports = ({ env }) => ({
       OIDC_GRANT_TYPE: 'authorization_code',
       OIDC_FAMILY_NAME_FIELD: 'family_name',
       OIDC_GIVEN_NAME_FIELD: 'given_name',
-      OIDC_END_SESSION_ENDPOINT: '', // Provider end-session URL for RP-initiated logout
+      OIDC_END_SESSION_ENDPOINT: '', // Provider end-session URL (from discovery `end_session_endpoint`)
       OIDC_SSO_BUTTON_TEXT: 'Login via SSO',
       OIDC_ENFORCE: null, // null = use Admin UI toggle; true/false = override in config
       REMEMBER_ME: false, // Persist session across browser restarts
       AUDIT_LOG_RETENTION_DAYS: 90, // Set to 0 to disable audit logging; otherwise entries older than this many days are purged daily at midnight
       OIDC_GROUP_FIELD: 'groups', // OIDC claim field containing group membership
       OIDC_GROUP_ROLE_MAP: '{}', // JSON map of group names to Strapi role names
+      OIDC_REQUIRE_EMAIL_VERIFIED: true, // Reject logins when provider does not report email_verified=true (set false to disable)
+      OIDC_TRUSTED_IP_HEADER: '', // Optional: 'cf-connecting-ip' for Cloudflare; read only when Strapi trusts the proxy
+      OIDC_JWKS_URI: '', // Provider's JWKS URI (from discovery `jwks_uri`) — enables ID token signature verification
+      OIDC_ISSUER: '', // Provider's issuer (from discovery `issuer`) — verified against ID token's `iss`
+      OIDC_FORCE_SECURE_COOKIES: false, // Set true when behind a trusted HTTPS proxy that Strapi can't auto-detect
     },
   },
 });
 ```
 
-All required values come from your provider's OIDC discovery document, typically available at `https://your-provider/.well-known/openid-configuration`.
+All OIDC values come from your provider's discovery document, typically available at `https://your-provider/.well-known/openid-configuration`.
+
+### Security features
+
+- **ID token verification** — `OIDC_JWKS_URI` and `OIDC_ISSUER` enable signature, issuer, audience, and expiry validation via [`jose`](https://github.com/panva/jose)
+- **Email verification** — `OIDC_REQUIRE_EMAIL_VERIFIED: true` (default) rejects unverified emails
+- **CSRF protection** — OIDC state/nonce and POST-only logout endpoint
+- **Rate limiting** — 1 000 req/min per IP+UA (in-process; use a reverse-proxy-level limiter for multi-node)
+- **Secure cookies** — `OIDC_FORCE_SECURE_COOKIES` ensures cookies are marked Secure
+
+### Client IP attribution and reverse proxies
+
+The plugin logs client IPs for rate-limit buckets and audit logs. When Strapi runs behind a reverse proxy, **set `server.proxy: true`** so Koa trusts `X-Forwarded-For`; otherwise all IPs will be the proxy's.
+
+Set `OIDC_TRUSTED_IP_HEADER: 'cf-connecting-ip'` when behind Cloudflare. The header is only honoured when `server.proxy: true` is set.
 
 ## Login
 
@@ -64,27 +83,27 @@ Navigate to `/strapi-plugin-oidc/oidc` to start the OIDC flow, or click the **Lo
 
 ## Logout
 
-When `OIDC_END_SESSION_ENDPOINT` is set, clicking logout in Strapi redirects the browser to the provider's end-session URL (RP-initiated logout). If the provider session has already expired, Strapi skips the redirect and goes straight to the login page.
+When `OIDC_END_SESSION_ENDPOINT` is set, clicking logout redirects to the provider's end-session URL (RP-initiated logout). If the provider session has already expired, Strapi skips the redirect and goes straight to the login page.
+
+The logout endpoint is `POST /strapi-plugin-oidc/logout`. Using POST instead of GET prevents CSRF-forced-logout attacks.
 
 ## Admin Settings
 
 Manage the plugin under **Settings → OIDC Plugin**.
 
-**Default Roles** — Select which Strapi admin role(s) are assigned to new users on first login.
+**Default Roles** — Strapi admin role(s) assigned to new users on first login.
 
-**Whitelist** — Restrict access to specific email addresses. When enabled, only listed emails can log in. When empty, any successfully authenticated OIDC user gets an account. The whitelist supports:
+**Whitelist** — Restrict access to specific email addresses. When empty, any authenticated OIDC user gets an account. Supports:
 
-- Adding individual emails with optional role overrides
-- JSON import / export (see [format](#import-format) below)
+- Individual emails with optional role overrides
+- JSON import / export
 - Bulk delete with confirmation
-- Unsaved changes are held in the UI until **Save Changes** is clicked
 
-**Audit Logs** — Every authentication event is recorded in the plugin's audit log table and visible in the **Audit Logs** section at the bottom of the settings page. Entries can be filtered by action, email, IP address, and date, and a **Download** button exports the current (filtered) view as NDJSON (newline-delimited JSON), compatible with SIEM tools and log processors. Setting `AUDIT_LOG_RETENTION_DAYS` to `0` disables audit logging entirely. Otherwise records older than the configured value (default: 90 days) are automatically purged by a daily cron job. The audit log is also accessible [via API](#audit-log-api).
+**Audit Logs** — Authentication events recorded and visible in the settings page. Filter by action, email, IP, and date. **Download** exports the current view as NDJSON. Set `AUDIT_LOG_RETENTION_DAYS` to `0` to disable. Records older than the configured value (default: 90 days) are purged daily.
 
-**Enforce OIDC Login** — Removes the standard email/password fields from the login page and blocks direct login API calls server-side. Automatically disabled when the whitelist is empty to prevent lockout.
+**Enforce OIDC Login** — Removes email/password fields from the login page and blocks direct login API calls. Automatically disabled when the whitelist is empty to prevent lockout.
 
-- The toggle is grayed out and locked when `OIDC_ENFORCE` is set in config.
-- **Lockout recovery**: set `OIDC_ENFORCE: false` in your plugin config and restart Strapi. This writes through to the database so removing the variable afterwards keeps the setting.
+The toggle is grayed out when `OIDC_ENFORCE` is set in config. **Lockout recovery**: set `OIDC_ENFORCE: false` in your plugin config and restart Strapi.
 
 ## Group-to-Role Mapping
 
@@ -118,18 +137,26 @@ Role names are the **display names** shown in **Settings → Roles** (e.g. `"Edi
 
 ### Role assignment precedence
 
-1. **User's OIDC groups match `OIDC_GROUP_ROLE_MAP`** → use the mapped Strapi roles
-2. **No group match or no mapping configured** → use the default OIDC roles (new users only — see below)
+1. **OIDC groups match `OIDC_GROUP_ROLE_MAP`** → mapped Strapi roles
+2. **No match or no mapping** → default OIDC roles (new users only)
 
 ### Role updates on subsequent logins
 
-- **New users** — Roles are always assigned on first login: group-mapped roles if a match is found, otherwise the configured default OIDC roles.
-- **Existing users with a group mapping match** — Roles are updated to reflect the current mapping. If a user's groups change between logins, their Strapi roles are updated accordingly.
-- **Existing users with no group mapping match** — Roles are left unchanged, regardless of what the default OIDC roles are set to. Manually-assigned roles are never overwritten by a default fallback.
+- **New users** — Roles assigned on first login (group-mapped or default).
+- **Existing users with group match** — Roles updated to reflect current mapping.
+- **Existing users without group match** — Roles left unchanged. Manually-assigned roles are never overwritten.
 
 ## Whitelist API
 
-The whitelist can be managed programmatically using a Strapi **API token** (Settings → API Tokens → Full Access). All endpoints are under `/api/strapi-plugin-oidc` and require `Authorization: Bearer <token>`.
+The whitelist can be managed programmatically using a Strapi **API token**. All endpoints are under `/api/strapi-plugin-oidc` and require `Authorization: Bearer <token>`.
+
+**Full-access tokens** can call all routes. **Custom tokens** must be granted one of the following scopes (Settings → API Tokens → Custom → plugin permissions):
+
+| Scope                                         | Routes                                          |
+| --------------------------------------------- | ----------------------------------------------- |
+| `plugin::strapi-plugin-oidc.whitelist.read`   | `GET /whitelist`, `GET /whitelist/export`       |
+| `plugin::strapi-plugin-oidc.whitelist.write`  | `POST /whitelist`, `POST /whitelist/import`     |
+| `plugin::strapi-plugin-oidc.whitelist.delete` | `DELETE /whitelist`, `DELETE /whitelist/:email` |
 
 | Method   | Path                                       | Description            |
 | -------- | ------------------------------------------ | ---------------------- |
@@ -185,7 +212,14 @@ curl -X DELETE -H "Authorization: Bearer <token>" \
 
 ## Audit Log API
 
-Audit log entries can be fetched programmatically using a Strapi **API token** (Settings → API Tokens → Full Access). Endpoints are under `/api/strapi-plugin-oidc` and require `Authorization: Bearer <token>`.
+Audit log entries can be fetched programmatically using a Strapi **API token**. Endpoints are under `/api/strapi-plugin-oidc` and require `Authorization: Bearer <token>`.
+
+**Full-access tokens** can call all routes. **Custom tokens** must be granted one of the following scopes:
+
+| Scope                                     | Routes                                      |
+| ----------------------------------------- | ------------------------------------------- |
+| `plugin::strapi-plugin-oidc.audit.read`   | `GET /audit-logs`, `GET /audit-logs/export` |
+| `plugin::strapi-plugin-oidc.audit.delete` | `DELETE /audit-logs`                        |
 
 | Method   | Path                                        | Description                         |
 | -------- | ------------------------------------------- | ----------------------------------- |
@@ -246,18 +280,20 @@ curl -H "Authorization: Bearer <token>" -G \
 
 ### Recorded actions
 
-| Action                  | Trigger                                             |
-| ----------------------- | --------------------------------------------------- |
-| `login_success`         | Successful OIDC authentication                      |
-| `user_created`          | New Strapi admin user created during login          |
-| `login_failure`         | Unexpected error during the OIDC login flow         |
-| `missing_code`          | Callback received without an authorisation code     |
-| `state_mismatch`        | CSRF state cookie does not match callback parameter |
-| `nonce_mismatch`        | ID token nonce does not match the session nonce     |
-| `token_exchange_failed` | Provider returned an error during token exchange    |
-| `whitelist_rejected`    | Email not present in the active whitelist           |
-| `logout`                | User logged out via `/logout`                       |
-| `session_expired`       | Logout attempted but provider session already stale |
+| Action                  | Trigger                                                           |
+| ----------------------- | ----------------------------------------------------------------- |
+| `login_success`         | Successful OIDC authentication                                    |
+| `user_created`          | New Strapi admin user created during login                        |
+| `login_failure`         | Unexpected error during the OIDC login flow                       |
+| `missing_code`          | Callback received without an authorisation code                   |
+| `state_mismatch`        | CSRF state cookie does not match callback parameter               |
+| `nonce_mismatch`        | ID token nonce does not match the session nonce                   |
+| `token_exchange_failed` | Provider returned an error during token exchange                  |
+| `whitelist_rejected`    | Email not present in the active whitelist                         |
+| `email_not_verified`    | Provider did not report `email_verified=true`                     |
+| `id_token_invalid`      | ID token failed signature, issuer, audience, or expiry validation |
+| `logout`                | User logged out via `/logout`                                     |
+| `session_expired`       | Logout attempted but provider session already stale               |
 
 Each event is also emitted on Strapi's internal eventHub as `strapi-plugin-oidc::auth.<action>`, which Enterprise audit log listeners pick up automatically.
 
@@ -280,16 +316,16 @@ This plugin is a hard fork of [`strapi-plugin-sso`](https://github.com/yasudaclo
 
 ### Changes from the original:
 
-- Removed alternative SSO methods to focus solely on OIDC.
-- Redesigned the Whitelist and Role management UI using native Strapi components.
-- Added OIDC enforcement with an admin toggle and config override (`OIDC_ENFORCE`).
-- Added RP-initiated logout with smart session detection — skips the provider redirect if the session is already expired.
-- Migrated to Vitest with comprehensive e2e test coverage.
-- Config variable names aligned with OIDC discovery document field names (`OIDC_SCOPE`, `OIDC_USERINFO_ENDPOINT`, `OIDC_END_SESSION_ENDPOINT`).
-- Always injects a **Login via SSO** button on the Strapi login page. Button text is configurable via `OIDC_SSO_BUTTON_TEXT`.
-- Whitelist: programmatic REST API with JSON import/export, bulk delete, delete by email, and unsaved changes guard.
-- Hardened OIDC flow: server-generated state and nonce, PKCE, Bearer token auth for userinfo, and generic error messages on failure.
-- Audit log: records all auth events to a queryable table with Admin UI, JSON export, and REST API. API responses use a single `datetime` field and omit framework metadata (id, documentId, locale, publishedAt, etc.). A separate `user_created` event is emitted when a Strapi admin is provisioned during login.
+- OIDC-only (removed other SSO methods)
+- Redesigned whitelist and role management UI using native Strapi components
+- OIDC enforcement via admin toggle or `OIDC_ENFORCE` config
+- RP-initiated logout with smart session detection
+- Migrated to Vitest with e2e coverage
+- Config variable names aligned with OIDC discovery document field names
+- **Login via SSO** button always injected; text configurable via `OIDC_SSO_BUTTON_TEXT`
+- Whitelist REST API with JSON import/export, bulk delete, delete by email
+- Hardened OIDC flow: server-generated state and nonce, PKCE, Bearer token auth for userinfo, generic error messages on failure
+- Audit log: records all auth events to a queryable table with UI, JSON/NDJSON export, and REST API
 
 ## License
 

package/dist/admin/{index-pieFAsgM.mjs → index-8YTLPV3h.mjs}

@@ -5,7 +5,7 @@ import { useState, useRef, useId, useEffect, useCallback, useReducer, useMemo, m
 import { Typography, Flex, Box, MultiSelect, MultiSelectOption, Button, Dialog, Table, Pagination, PreviousLink, NextLink, PageLink, Field, Divider, Thead, Tr, Th, Tbody, Td, IconButton, Tooltip, Alert } from "@strapi/design-system";
 import { Cross, WarningCircle, Plus, Download, Upload, Trash, Calendar, Mail, Information } from "@strapi/icons";
 import { useIntl } from "react-intl";
-import { g as getTrad } from "./index-DRJ6Ty2J.mjs";
+import { g as getTrad } from "./index-B-K4X_N9.mjs";
 import styled from "styled-components";
 import { Filter, ClipboardList, Server } from "lucide-react";
 function Role({ oidcRoles, roles, onChangeRole }) {
@@ -3611,6 +3611,8 @@ const AUDIT_ACTIONS = [
   "nonce_mismatch",
   "token_exchange_failed",
   "whitelist_rejected",
+  "email_not_verified",
+  "id_token_invalid",
   "logout",
   "session_expired",
   "user_created"

package/dist/admin/{index-DRJ6Ty2J.mjs → index-B-K4X_N9.mjs}

@@ -125,6 +125,8 @@ const en = {
   "auditlog.action.nonce_mismatch": "The nonce in the ID token did not match the one generated at login. This may indicate a token replay attack.",
   "auditlog.action.token_exchange_failed": "The authorisation code could not be exchanged for tokens. The OIDC provider rejected the request.",
   "auditlog.action.whitelist_rejected": "The user's email address is not on the whitelist. Access was denied.",
+  "auditlog.action.email_not_verified": "The OIDC provider did not confirm the user's email address as verified. Access was denied.",
+  "auditlog.action.id_token_invalid": "The ID token failed signature, issuer, audience, or expiry validation. Access was denied.",
   "auth.page.authenticating.title": "Authenticating...",
   "auth.page.authenticating.noscript.heading": "JavaScript Required",
   "auth.page.authenticating.noscript.body": "JavaScript must be enabled for authentication to complete.",
@@ -165,7 +167,7 @@ const index = {
           defaultMessage: "Configuration"
         },
         Component: async () => {
-          return await import("./index-pieFAsgM.mjs");
+          return await import("./index-8YTLPV3h.mjs");
         },
         permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }]
       }
@@ -268,7 +270,11 @@ const index = {
         window.sessionStorage.removeItem("isLoggedIn");
         document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/";
         document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/admin";
-        window.location.href = "/strapi-plugin-oidc/logout";
+        const form = document.createElement("form");
+        form.method = "POST";
+        form.action = "/strapi-plugin-oidc/logout";
+        document.body.appendChild(form);
+        form.submit();
         return new Promise(() => {
         });
       }

package/dist/admin/{index-CrnGXADu.js → index-BSgVStns.js}

@@ -126,6 +126,8 @@ const en = {
   "auditlog.action.nonce_mismatch": "The nonce in the ID token did not match the one generated at login. This may indicate a token replay attack.",
   "auditlog.action.token_exchange_failed": "The authorisation code could not be exchanged for tokens. The OIDC provider rejected the request.",
   "auditlog.action.whitelist_rejected": "The user's email address is not on the whitelist. Access was denied.",
+  "auditlog.action.email_not_verified": "The OIDC provider did not confirm the user's email address as verified. Access was denied.",
+  "auditlog.action.id_token_invalid": "The ID token failed signature, issuer, audience, or expiry validation. Access was denied.",
   "auth.page.authenticating.title": "Authenticating...",
   "auth.page.authenticating.noscript.heading": "JavaScript Required",
   "auth.page.authenticating.noscript.body": "JavaScript must be enabled for authentication to complete.",
@@ -166,7 +168,7 @@ const index = {
           defaultMessage: "Configuration"
         },
         Component: async () => {
-          return await Promise.resolve().then(() => require("./index-D2rlNx1-.js"));
+          return await Promise.resolve().then(() => require("./index-CgG_mHzZ.js"));
         },
         permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }]
       }
@@ -269,7 +271,11 @@ const index = {
         window.sessionStorage.removeItem("isLoggedIn");
         document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/";
         document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/admin";
-        window.location.href = "/strapi-plugin-oidc/logout";
+        const form = document.createElement("form");
+        form.method = "POST";
+        form.action = "/strapi-plugin-oidc/logout";
+        document.body.appendChild(form);
+        form.submit();
         return new Promise(() => {
         });
       }

package/dist/admin/{index-D2rlNx1-.js → index-CgG_mHzZ.js}

@@ -7,7 +7,7 @@ const react = require("react");
 const designSystem = require("@strapi/design-system");
 const icons = require("@strapi/icons");
 const reactIntl = require("react-intl");
-const index = require("./index-CrnGXADu.js");
+const index = require("./index-BSgVStns.js");
 const styled = require("styled-components");
 const lucideReact = require("lucide-react");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
@@ -3615,6 +3615,8 @@ const AUDIT_ACTIONS = [
   "nonce_mismatch",
   "token_exchange_failed",
   "whitelist_rejected",
+  "email_not_verified",
+  "id_token_invalid",
   "logout",
   "session_expired",
   "user_created"

package/dist/admin/index.js

@@ -1,4 +1,4 @@
 "use strict";
 Object.defineProperties(exports, { __esModule: { value: true }, [Symbol.toStringTag]: { value: "Module" } });
-const index = require("./index-CrnGXADu.js");
+const index = require("./index-BSgVStns.js");
 exports.default = index.index;

package/dist/admin/index.mjs

@@ -1,4 +1,4 @@
-import { i } from "./index-DRJ6Ty2J.mjs";
+import { i } from "./index-B-K4X_N9.mjs";
 export {
   i as default
 };

package/dist/server/index.js

@@ -2,6 +2,7 @@
 Object.defineProperties(exports, { __esModule: { value: true }, [Symbol.toStringTag]: { value: "Module" } });
 const node_crypto = require("node:crypto");
 const pkceChallenge = require("pkce-challenge");
+const jose = require("jose");
 const node_stream = require("node:stream");
 const strapiUtils = require("@strapi/utils");
 const generator = require("generate-password");
@@ -99,6 +100,16 @@ async function bootstrap({ strapi: strapi2 }) {
     { section: "plugins", displayName: "Update", uid: "update", pluginName: "strapi-plugin-oidc" }
   ];
   await strapi2.admin.services.permission.actionProvider.registerMany(actions);
+  const contentApiScopeUids = [
+    "plugin::strapi-plugin-oidc.whitelist.read",
+    "plugin::strapi-plugin-oidc.whitelist.write",
+    "plugin::strapi-plugin-oidc.whitelist.delete",
+    "plugin::strapi-plugin-oidc.audit.read",
+    "plugin::strapi-plugin-oidc.audit.delete"
+  ];
+  for (const uid of contentApiScopeUids) {
+    strapi2.contentAPI.permissions.providers.action.register(uid, { uid });
+  }
   const enforceOIDCConfig = getEnforceOIDCConfig(strapi2);
   if (enforceOIDCConfig !== null) {
     try {
@@ -162,7 +173,12 @@ const config = {
     // null = use DB setting; true/false = override DB (useful for lockout recovery)
     AUDIT_LOG_RETENTION_DAYS: 90,
     OIDC_GROUP_FIELD: "groups",
-    OIDC_GROUP_ROLE_MAP: "{}"
+    OIDC_GROUP_ROLE_MAP: "{}",
+    OIDC_REQUIRE_EMAIL_VERIFIED: true,
+    OIDC_TRUSTED_IP_HEADER: "",
+    OIDC_JWKS_URI: "",
+    OIDC_ISSUER: "",
+    OIDC_FORCE_SECURE_COOKIES: false
   },
   validator() {
   }
@@ -211,11 +227,21 @@ const contentTypes = {
   whitelists,
   "audit-log": auditLog$1
 };
-function getExpiredCookieOptions(strapi2, ctx) {
+function shouldMarkSecure(strapi2, ctx) {
   const isProduction = strapi2.config.get("environment") === "production";
+  if (!isProduction) return false;
+  const config2 = strapi2.config.get("plugin::strapi-plugin-oidc") ?? {};
+  if (config2.OIDC_FORCE_SECURE_COOKIES === true) return true;
+  if (ctx.request.secure) return true;
+  const proxyTrusted = ctx.app?.proxy === true;
+  if (proxyTrusted && typeof ctx.get === "function" && ctx.get("x-forwarded-proto") === "https")
+    return true;
+  return false;
+}
+function getExpiredCookieOptions(strapi2, ctx) {
   return {
     httpOnly: true,
-    secure: isProduction && ctx.request.secure,
+    secure: shouldMarkSecure(strapi2, ctx),
     path: strapi2.config.get("admin.auth.cookie.path", "/admin"),
     domain: strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain"),
     sameSite: strapi2.config.get("admin.auth.cookie.sameSite", "lax"),
@@ -242,7 +268,9 @@ const errorCodes = {
   NONCE_MISMATCH: "NONCE_MISMATCH",
   ROLE_UPDATE_FAILED: "ROLE_UPDATE_FAILED",
   USER_CREATION_FAILED: "USER_CREATION_FAILED",
-  WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED"
+  WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED",
+  EMAIL_NOT_VERIFIED: "EMAIL_NOT_VERIFIED",
+  ID_TOKEN_INVALID: "ID_TOKEN_INVALID"
 };
 const ERROR_DETAIL_TEMPLATES = {
   token_exchange_failed: "Token exchange failed with HTTP status {status}",
@@ -252,6 +280,8 @@ const ERROR_DETAIL_TEMPLATES = {
   id_token_parse_failed: "ID token parse failed: {error}",
   sign_in_unknown: "Unknown sign-in error: {error}",
   invalid_email: "Invalid email address received from OIDC provider",
+  email_not_verified: "Email address has not been verified by the OIDC provider",
+  id_token_invalid: "ID token verification failed: {error}",
   whitelist_not_present: "Email not present in whitelist",
   session_manager_unsupported: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
   missing_config: "Missing required config keys: {keys}"
@@ -271,6 +301,8 @@ const errorMessages = {
   ID_TOKEN_PARSE_FAILED: "Failed to parse ID token",
   NONCE_MISMATCH: "Nonce mismatch",
   INVALID_EMAIL: "Invalid email address received from OIDC provider",
+  EMAIL_NOT_VERIFIED: "Email address has not been verified by the OIDC provider",
+  ID_TOKEN_INVALID: "ID token verification failed",
   WHITELIST_NOT_PRESENT: "Not present in whitelist",
   SESSION_MANAGER_UNSUPPORTED: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
   MISSING_CONFIG: (keys) => `Missing required config keys: ${keys}`
@@ -368,6 +400,8 @@ const en = {
   "auditlog.action.nonce_mismatch": "The nonce in the ID token did not match the one generated at login. This may indicate a token replay attack.",
   "auditlog.action.token_exchange_failed": "The authorisation code could not be exchanged for tokens. The OIDC provider rejected the request.",
   "auditlog.action.whitelist_rejected": "The user's email address is not on the whitelist. Access was denied.",
+  "auditlog.action.email_not_verified": "The OIDC provider did not confirm the user's email address as verified. Access was denied.",
+  "auditlog.action.id_token_invalid": "The ID token failed signature, issuer, audience, or expiry validation. Access was denied.",
   "auth.page.authenticating.title": "Authenticating...",
   "auth.page.authenticating.noscript.heading": "JavaScript Required",
   "auth.page.authenticating.noscript.body": "JavaScript must be enabled for authentication to complete.",
@@ -477,24 +511,42 @@ const OIDC_ERROR_DISPATCH = {
     code: errorCodes.TOKEN_EXCHANGE_FAILED,
     key: "sign_in_unknown"
   },
+  email_not_verified: {
+    action: "email_not_verified",
+    code: errorCodes.EMAIL_NOT_VERIFIED,
+    key: "email_not_verified"
+  },
+  id_token_invalid: {
+    action: "id_token_invalid",
+    code: errorCodes.ID_TOKEN_INVALID,
+    key: "id_token_invalid"
+  },
   unknown: {
     action: "login_failure",
     code: errorCodes.TOKEN_EXCHANGE_FAILED,
     key: "sign_in_unknown"
   }
 };
+const TRUSTED_HEADER_WHITELIST = /* @__PURE__ */ new Set(["cf-connecting-ip"]);
+function getTrustedHeaderName() {
+  const config2 = strapi.config.get("plugin::strapi-plugin-oidc") ?? {};
+  const raw = config2.OIDC_TRUSTED_IP_HEADER;
+  if (typeof raw !== "string" || !raw) return void 0;
+  const normalized = raw.trim().toLowerCase();
+  return TRUSTED_HEADER_WHITELIST.has(normalized) ? normalized : void 0;
+}
 function getClientIp(ctx) {
-  const cfConnectingIp = ctx.get("CF-Connecting-IP");
-  if (cfConnectingIp) {
-    return cfConnectingIp.split(",")[0].trim();
-  }
-  const forwardedFor = ctx.get("X-Forwarded-For");
-  if (forwardedFor) {
-    return forwardedFor.split(",")[0].trim();
-  }
-  const realIp = ctx.get("X-Real-IP");
-  if (realIp) {
-    return realIp.trim();
+  const proxyTrusted = ctx.app?.proxy === true;
+  if (proxyTrusted) {
+    const trustedHeader = getTrustedHeaderName();
+    if (trustedHeader) {
+      const value = ctx.get(trustedHeader);
+      if (value) return value.split(",")[0].trim();
+    }
+    const forwarded = ctx.request.ips;
+    if (forwarded && forwarded.length > 0) {
+      return forwarded[0];
+    }
   }
   return ctx.ip;
 }
@@ -511,6 +563,43 @@ const REQUIRED_CONFIG_KEYS = [
   "OIDC_AUTHORIZATION_ENDPOINT"
 ];
 const LOGOUT_USERINFO_TIMEOUT_MS = 3e3;
+const jwksCache = /* @__PURE__ */ new Map();
+let jwksDisabledWarned = false;
+function getJwks(uri) {
+  let jwks = jwksCache.get(uri);
+  if (!jwks) {
+    jwks = jose.createRemoteJWKSet(new URL(uri));
+    jwksCache.set(uri, jwks);
+  }
+  return jwks;
+}
+async function verifyIdToken(idToken, config2) {
+  const jwksUri = config2.OIDC_JWKS_URI;
+  const issuer = config2.OIDC_ISSUER;
+  if (!jwksUri) {
+    if (!jwksDisabledWarned) {
+      jwksDisabledWarned = true;
+      strapi.log.warn(
+        "[OIDC] OIDC_JWKS_URI is not configured — ID token signature verification is disabled. Set OIDC_JWKS_URI and OIDC_ISSUER from your provider's discovery document."
+      );
+    }
+    return null;
+  }
+  try {
+    const jwks = getJwks(jwksUri);
+    const { payload } = await jose.jwtVerify(idToken, jwks, {
+      issuer: issuer || void 0,
+      audience: config2.OIDC_CLIENT_ID
+    });
+    return payload;
+  } catch (e) {
+    if (e instanceof jose.errors.JWTClaimValidationFailed || e instanceof jose.errors.JWSSignatureVerificationFailed || e instanceof jose.errors.JWTExpired || e instanceof jose.errors.JWTInvalid || e instanceof jose.errors.JWSInvalid) {
+      const msg = e instanceof Error ? e.message : String(e);
+      throw new OidcError("id_token_invalid", msg, e);
+    }
+    throw e;
+  }
+}
 function configValidation() {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
   const missing = REQUIRED_CONFIG_KEYS.filter((key) => !config2[key]);
@@ -524,11 +613,10 @@ async function oidcSignIn(ctx) {
   const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge__default.default();
   const state = node_crypto.randomBytes(32).toString("base64url");
   const nonce = node_crypto.randomBytes(32).toString("base64url");
-  const isProduction = strapi.config.get("environment") === "production";
   const cookieOptions = {
     httpOnly: true,
     maxAge: 6e5,
-    secure: isProduction && ctx.request.secure,
+    secure: shouldMarkSecure(strapi, ctx),
     sameSite: "lax"
   };
   ctx.cookies.set("oidc_code_verifier", codeVerifier, cookieOptions);
@@ -561,14 +649,16 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
   }
   const tokenData = await response.json();
   if (tokenData.id_token) {
+    const verifiedPayload = await verifyIdToken(tokenData.id_token, config2);
     try {
-      const payloadB64 = tokenData.id_token.split(".")[1];
-      const idTokenPayload = JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf8"));
+      const idTokenPayload = verifiedPayload ?? JSON.parse(
+        Buffer.from(tokenData.id_token.split(".")[1], "base64url").toString("utf8")
+      );
       if (idTokenPayload.nonce !== expectedNonce) {
         throw new OidcError("nonce_mismatch", errorMessages.NONCE_MISMATCH);
       }
     } catch (e) {
-      if (e instanceof OidcError && e.kind === "nonce_mismatch") throw e;
+      if (e instanceof OidcError) throw e;
       throw new OidcError("id_token_parse_failed", errorMessages.ID_TOKEN_PARSE_FAILED, e);
     }
   }
@@ -714,6 +804,13 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
   if (!email || !isValidEmail(email)) {
     throw new OidcError("invalid_email", errorMessages.INVALID_EMAIL);
   }
+  if (config2.OIDC_REQUIRE_EMAIL_VERIFIED !== false) {
+    const emailVerified = userResponseData.email_verified;
+    const isVerified = emailVerified === true || emailVerified === "true";
+    if (!isVerified) {
+      throw new OidcError("email_not_verified", errorMessages.EMAIL_NOT_VERIFIED);
+    }
+  }
   await whitelistService2.checkWhitelistForEmail(email);
   const resolved = await resolveRoles(userResponseData, config2, roleService2);
   const { user, userCreated, rolesUpdated } = await ensureUser(
@@ -740,7 +837,7 @@ function classifyOidcError(e, userInfo) {
   const dispatch = OIDC_ERROR_DISPATCH[kind];
   const msg = e instanceof Error ? e.message : String(e);
   let params;
-  if (kind === "id_token_parse_failed" || kind === "unknown") {
+  if (kind === "id_token_parse_failed" || kind === "id_token_invalid" || kind === "unknown") {
     params = { error: msg };
   } else if (kind === "user_creation_failed" && userInfo?.email) {
     params = { email: userInfo.email, error: msg };
@@ -835,8 +932,7 @@ async function oidcSignInCallback(ctx) {
   try {
     const exchangeResult = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce ?? "");
     userInfo = exchangeResult.userInfo;
-    const isProduction = strapi.config.get("environment") === "production";
-    const secureFlag = isProduction && ctx.request.secure;
+    const secureFlag = shouldMarkSecure(strapi, ctx);
     ctx.cookies.set("oidc_access_token", exchangeResult.accessToken, {
       httpOnly: true,
       maxAge: 3e5,
@@ -1006,16 +1102,34 @@ async function register(ctx) {
     return;
   }
   const rawEmails = Array.isArray(email) ? email : email.split(",");
-  const emailList = rawEmails.map((e) => String(e).trim().toLowerCase()).filter(Boolean);
+  const normalized = rawEmails.map((e) => String(e).trim().toLowerCase()).filter(Boolean);
+  const rejectedEmails = [];
+  const validEmails = [];
+  for (const e of normalized) {
+    if (isValidEmail(e)) {
+      validEmails.push(e);
+    } else {
+      rejectedEmails.push(e);
+    }
+  }
+  if (validEmails.length === 0) {
+    ctx.status = 400;
+    ctx.body = { error: "No valid email addresses supplied", rejectedEmails };
+    return;
+  }
   const whitelistService2 = getWhitelistService();
-  const matchedExistingUsersCount = await whitelistService2.countAdminUsersByEmails(emailList);
-  for (const singleEmail of emailList) {
+  let acceptedCount = 0;
+  let alreadyWhitelistedCount = 0;
+  for (const singleEmail of validEmails) {
     const alreadyWhitelisted = await whitelistService2.hasUser(singleEmail);
-    if (!alreadyWhitelisted) {
+    if (alreadyWhitelisted) {
+      alreadyWhitelistedCount++;
+    } else {
       await whitelistService2.registerUser(singleEmail);
+      acceptedCount++;
     }
   }
-  ctx.body = { matchedExistingUsersCount };
+  ctx.body = { acceptedCount, alreadyWhitelistedCount, rejectedEmails };
 }
 async function removeEmail(ctx) {
   const { email } = ctx.params;
@@ -1071,7 +1185,7 @@ async function syncUsers(ctx) {
       await whitelistService2.registerUser(email);
     }
   }
-  ctx.body = { matchedExistingUsersCount: 0 };
+  ctx.body = {};
 }
 const whitelist = {
   info,
@@ -1092,6 +1206,8 @@ const AUDIT_ACTIONS = [
   "nonce_mismatch",
   "token_exchange_failed",
   "whitelist_rejected",
+  "email_not_verified",
+  "id_token_invalid",
   "logout",
   "session_expired",
   "user_created"
@@ -1291,6 +1407,22 @@ const controllers = {
 const rateLimitMap = /* @__PURE__ */ new Map();
 const RATE_LIMIT_WINDOW = 6e4;
 const MAX_REQUESTS = 1e3;
+const MAX_MAP_SIZE = 1e4;
+const PRUNE_THRESHOLD = 1e3;
+function pruneExpiredEntries(now) {
+  const windowStart = now - RATE_LIMIT_WINDOW;
+  for (const [key, stamps] of rateLimitMap) {
+    if (stamps.length === 0 || stamps[stamps.length - 1] <= windowStart) {
+      rateLimitMap.delete(key);
+    }
+  }
+}
+function evictOldestEntry() {
+  const oldest = rateLimitMap.keys().next().value;
+  if (oldest !== void 0) {
+    rateLimitMap.delete(oldest);
+  }
+}
 function getRateLimitKey(ctx) {
   const ip = getClientIp(ctx);
   const ua = ctx.request.header["user-agent"] ?? "";
@@ -1301,6 +1433,9 @@ function rateLimitMiddleware(ctx, next) {
   const key = getRateLimitKey(ctx);
   const now = Date.now();
   const windowStart = now - RATE_LIMIT_WINDOW;
+  if (rateLimitMap.size > PRUNE_THRESHOLD) {
+    pruneExpiredEntries(now);
+  }
   const requestStamps = (rateLimitMap.get(key) ?? []).filter((ts) => ts > windowStart);
   if (requestStamps.length >= MAX_REQUESTS) {
     ctx.status = 429;
@@ -1308,6 +1443,9 @@ function rateLimitMiddleware(ctx, next) {
     return;
   }
   requestStamps.push(now);
+  if (!rateLimitMap.has(key) && rateLimitMap.size >= MAX_MAP_SIZE) {
+    evictOldestEntry();
+  }
   rateLimitMap.set(key, requestStamps);
   return next();
 }
@@ -1351,7 +1489,7 @@ const routes = {
         config: { auth: false, middlewares: [rateLimitMiddleware] }
       },
       {
-        method: "GET",
+        method: "POST",
         path: "/logout",
         handler: "oidc.logout",
         config: { auth: false }
@@ -1433,53 +1571,63 @@ const routes = {
   // API-token-authenticated routes for programmatic whitelist management.
   // Accessible at /strapi-plugin-oidc/... using a Strapi API token
   // (full-access or custom) in the Authorization: Bearer <token> header.
+  // Custom tokens must be granted one or more of the semantic scopes below.
   "content-api": {
     type: "content-api",
     routes: [
       {
         method: "GET",
         path: "/whitelist",
-        handler: "whitelist.info"
+        handler: "whitelist.info",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.read"] } }
       },
       {
         method: "POST",
         path: "/whitelist",
-        handler: "whitelist.register"
+        handler: "whitelist.register",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.write"] } }
       },
       {
         method: "POST",
         path: "/whitelist/import",
-        handler: "whitelist.importUsers"
+        handler: "whitelist.importUsers",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.write"] } }
       },
       {
         method: "DELETE",
         path: "/whitelist/:email",
-        handler: "whitelist.removeEmail"
+        handler: "whitelist.removeEmail",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.delete"] } }
       },
       {
         method: "DELETE",
         path: "/whitelist",
-        handler: "whitelist.deleteAll"
+        handler: "whitelist.deleteAll",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.delete"] } }
       },
       {
         method: "GET",
         path: "/whitelist/export",
-        handler: "whitelist.exportWhitelist"
+        handler: "whitelist.exportWhitelist",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.read"] } }
       },
       {
         method: "GET",
         path: "/audit-logs",
-        handler: "auditLog.find"
+        handler: "auditLog.find",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.audit.read"] } }
       },
       {
         method: "GET",
         path: "/audit-logs/export",
-        handler: "auditLog.export"
+        handler: "auditLog.export",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.audit.read"] } }
       },
       {
         method: "DELETE",
         path: "/audit-logs",
-        handler: "auditLog.clearAll"
+        handler: "auditLog.clearAll",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.audit.delete"] } }
       }
     ]
   }
@@ -1731,13 +1879,12 @@ function oauthService({ strapi: strapi2 }) {
           type: rememberMe ? "refresh" : "session"
         }
       );
-      const isProduction = strapi2.config.get("environment") === "production";
       const domain = strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain");
       const path = strapi2.config.get("admin.auth.cookie.path", "/admin");
       const sameSite = strapi2.config.get("admin.auth.cookie.sameSite", "lax");
       const cookieOptions = {
         httpOnly: true,
-        secure: isProduction && ctx.request.secure,
+        secure: shouldMarkSecure(strapi2, ctx),
         overwrite: true,
         domain,
         path,
@@ -1856,14 +2003,6 @@ function whitelistService({ strapi: strapi2 }) {
     },
     async deleteAllUsers() {
       await getWhitelistQuery().deleteMany({});
-    },
-    async countAdminUsersByEmails(emails) {
-      if (emails.length === 0) return 0;
-      const rows = await strapi2.query("admin::user").findMany({
-        where: { email: { $in: emails } },
-        select: ["id"]
-      });
-      return rows.length;
     }
   };
 }

package/dist/server/index.mjs

@@ -1,5 +1,6 @@
 import { randomUUID, randomBytes, createHash } from "node:crypto";
 import pkceChallenge from "pkce-challenge";
+import { jwtVerify, errors, createRemoteJWKSet } from "jose";
 import { Readable } from "node:stream";
 import strapiUtils from "@strapi/utils";
 import generator from "generate-password";
@@ -93,6 +94,16 @@ async function bootstrap({ strapi: strapi2 }) {
     { section: "plugins", displayName: "Update", uid: "update", pluginName: "strapi-plugin-oidc" }
   ];
   await strapi2.admin.services.permission.actionProvider.registerMany(actions);
+  const contentApiScopeUids = [
+    "plugin::strapi-plugin-oidc.whitelist.read",
+    "plugin::strapi-plugin-oidc.whitelist.write",
+    "plugin::strapi-plugin-oidc.whitelist.delete",
+    "plugin::strapi-plugin-oidc.audit.read",
+    "plugin::strapi-plugin-oidc.audit.delete"
+  ];
+  for (const uid of contentApiScopeUids) {
+    strapi2.contentAPI.permissions.providers.action.register(uid, { uid });
+  }
   const enforceOIDCConfig = getEnforceOIDCConfig(strapi2);
   if (enforceOIDCConfig !== null) {
     try {
@@ -156,7 +167,12 @@ const config = {
     // null = use DB setting; true/false = override DB (useful for lockout recovery)
     AUDIT_LOG_RETENTION_DAYS: 90,
     OIDC_GROUP_FIELD: "groups",
-    OIDC_GROUP_ROLE_MAP: "{}"
+    OIDC_GROUP_ROLE_MAP: "{}",
+    OIDC_REQUIRE_EMAIL_VERIFIED: true,
+    OIDC_TRUSTED_IP_HEADER: "",
+    OIDC_JWKS_URI: "",
+    OIDC_ISSUER: "",
+    OIDC_FORCE_SECURE_COOKIES: false
   },
   validator() {
   }
@@ -205,11 +221,21 @@ const contentTypes = {
   whitelists,
   "audit-log": auditLog$1
 };
-function getExpiredCookieOptions(strapi2, ctx) {
+function shouldMarkSecure(strapi2, ctx) {
   const isProduction = strapi2.config.get("environment") === "production";
+  if (!isProduction) return false;
+  const config2 = strapi2.config.get("plugin::strapi-plugin-oidc") ?? {};
+  if (config2.OIDC_FORCE_SECURE_COOKIES === true) return true;
+  if (ctx.request.secure) return true;
+  const proxyTrusted = ctx.app?.proxy === true;
+  if (proxyTrusted && typeof ctx.get === "function" && ctx.get("x-forwarded-proto") === "https")
+    return true;
+  return false;
+}
+function getExpiredCookieOptions(strapi2, ctx) {
   return {
     httpOnly: true,
-    secure: isProduction && ctx.request.secure,
+    secure: shouldMarkSecure(strapi2, ctx),
     path: strapi2.config.get("admin.auth.cookie.path", "/admin"),
     domain: strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain"),
     sameSite: strapi2.config.get("admin.auth.cookie.sameSite", "lax"),
@@ -236,7 +262,9 @@ const errorCodes = {
   NONCE_MISMATCH: "NONCE_MISMATCH",
   ROLE_UPDATE_FAILED: "ROLE_UPDATE_FAILED",
   USER_CREATION_FAILED: "USER_CREATION_FAILED",
-  WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED"
+  WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED",
+  EMAIL_NOT_VERIFIED: "EMAIL_NOT_VERIFIED",
+  ID_TOKEN_INVALID: "ID_TOKEN_INVALID"
 };
 const ERROR_DETAIL_TEMPLATES = {
   token_exchange_failed: "Token exchange failed with HTTP status {status}",
@@ -246,6 +274,8 @@ const ERROR_DETAIL_TEMPLATES = {
   id_token_parse_failed: "ID token parse failed: {error}",
   sign_in_unknown: "Unknown sign-in error: {error}",
   invalid_email: "Invalid email address received from OIDC provider",
+  email_not_verified: "Email address has not been verified by the OIDC provider",
+  id_token_invalid: "ID token verification failed: {error}",
   whitelist_not_present: "Email not present in whitelist",
   session_manager_unsupported: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
   missing_config: "Missing required config keys: {keys}"
@@ -265,6 +295,8 @@ const errorMessages = {
   ID_TOKEN_PARSE_FAILED: "Failed to parse ID token",
   NONCE_MISMATCH: "Nonce mismatch",
   INVALID_EMAIL: "Invalid email address received from OIDC provider",
+  EMAIL_NOT_VERIFIED: "Email address has not been verified by the OIDC provider",
+  ID_TOKEN_INVALID: "ID token verification failed",
   WHITELIST_NOT_PRESENT: "Not present in whitelist",
   SESSION_MANAGER_UNSUPPORTED: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
   MISSING_CONFIG: (keys) => `Missing required config keys: ${keys}`
@@ -362,6 +394,8 @@ const en = {
   "auditlog.action.nonce_mismatch": "The nonce in the ID token did not match the one generated at login. This may indicate a token replay attack.",
   "auditlog.action.token_exchange_failed": "The authorisation code could not be exchanged for tokens. The OIDC provider rejected the request.",
   "auditlog.action.whitelist_rejected": "The user's email address is not on the whitelist. Access was denied.",
+  "auditlog.action.email_not_verified": "The OIDC provider did not confirm the user's email address as verified. Access was denied.",
+  "auditlog.action.id_token_invalid": "The ID token failed signature, issuer, audience, or expiry validation. Access was denied.",
   "auth.page.authenticating.title": "Authenticating...",
   "auth.page.authenticating.noscript.heading": "JavaScript Required",
   "auth.page.authenticating.noscript.body": "JavaScript must be enabled for authentication to complete.",
@@ -471,24 +505,42 @@ const OIDC_ERROR_DISPATCH = {
     code: errorCodes.TOKEN_EXCHANGE_FAILED,
     key: "sign_in_unknown"
   },
+  email_not_verified: {
+    action: "email_not_verified",
+    code: errorCodes.EMAIL_NOT_VERIFIED,
+    key: "email_not_verified"
+  },
+  id_token_invalid: {
+    action: "id_token_invalid",
+    code: errorCodes.ID_TOKEN_INVALID,
+    key: "id_token_invalid"
+  },
   unknown: {
     action: "login_failure",
     code: errorCodes.TOKEN_EXCHANGE_FAILED,
     key: "sign_in_unknown"
   }
 };
+const TRUSTED_HEADER_WHITELIST = /* @__PURE__ */ new Set(["cf-connecting-ip"]);
+function getTrustedHeaderName() {
+  const config2 = strapi.config.get("plugin::strapi-plugin-oidc") ?? {};
+  const raw = config2.OIDC_TRUSTED_IP_HEADER;
+  if (typeof raw !== "string" || !raw) return void 0;
+  const normalized = raw.trim().toLowerCase();
+  return TRUSTED_HEADER_WHITELIST.has(normalized) ? normalized : void 0;
+}
 function getClientIp(ctx) {
-  const cfConnectingIp = ctx.get("CF-Connecting-IP");
-  if (cfConnectingIp) {
-    return cfConnectingIp.split(",")[0].trim();
-  }
-  const forwardedFor = ctx.get("X-Forwarded-For");
-  if (forwardedFor) {
-    return forwardedFor.split(",")[0].trim();
-  }
-  const realIp = ctx.get("X-Real-IP");
-  if (realIp) {
-    return realIp.trim();
+  const proxyTrusted = ctx.app?.proxy === true;
+  if (proxyTrusted) {
+    const trustedHeader = getTrustedHeaderName();
+    if (trustedHeader) {
+      const value = ctx.get(trustedHeader);
+      if (value) return value.split(",")[0].trim();
+    }
+    const forwarded = ctx.request.ips;
+    if (forwarded && forwarded.length > 0) {
+      return forwarded[0];
+    }
   }
   return ctx.ip;
 }
@@ -505,6 +557,43 @@ const REQUIRED_CONFIG_KEYS = [
   "OIDC_AUTHORIZATION_ENDPOINT"
 ];
 const LOGOUT_USERINFO_TIMEOUT_MS = 3e3;
+const jwksCache = /* @__PURE__ */ new Map();
+let jwksDisabledWarned = false;
+function getJwks(uri) {
+  let jwks = jwksCache.get(uri);
+  if (!jwks) {
+    jwks = createRemoteJWKSet(new URL(uri));
+    jwksCache.set(uri, jwks);
+  }
+  return jwks;
+}
+async function verifyIdToken(idToken, config2) {
+  const jwksUri = config2.OIDC_JWKS_URI;
+  const issuer = config2.OIDC_ISSUER;
+  if (!jwksUri) {
+    if (!jwksDisabledWarned) {
+      jwksDisabledWarned = true;
+      strapi.log.warn(
+        "[OIDC] OIDC_JWKS_URI is not configured — ID token signature verification is disabled. Set OIDC_JWKS_URI and OIDC_ISSUER from your provider's discovery document."
+      );
+    }
+    return null;
+  }
+  try {
+    const jwks = getJwks(jwksUri);
+    const { payload } = await jwtVerify(idToken, jwks, {
+      issuer: issuer || void 0,
+      audience: config2.OIDC_CLIENT_ID
+    });
+    return payload;
+  } catch (e) {
+    if (e instanceof errors.JWTClaimValidationFailed || e instanceof errors.JWSSignatureVerificationFailed || e instanceof errors.JWTExpired || e instanceof errors.JWTInvalid || e instanceof errors.JWSInvalid) {
+      const msg = e instanceof Error ? e.message : String(e);
+      throw new OidcError("id_token_invalid", msg, e);
+    }
+    throw e;
+  }
+}
 function configValidation() {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
   const missing = REQUIRED_CONFIG_KEYS.filter((key) => !config2[key]);
@@ -518,11 +607,10 @@ async function oidcSignIn(ctx) {
   const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge();
   const state = randomBytes(32).toString("base64url");
   const nonce = randomBytes(32).toString("base64url");
-  const isProduction = strapi.config.get("environment") === "production";
   const cookieOptions = {
     httpOnly: true,
     maxAge: 6e5,
-    secure: isProduction && ctx.request.secure,
+    secure: shouldMarkSecure(strapi, ctx),
     sameSite: "lax"
   };
   ctx.cookies.set("oidc_code_verifier", codeVerifier, cookieOptions);
@@ -555,14 +643,16 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
   }
   const tokenData = await response.json();
   if (tokenData.id_token) {
+    const verifiedPayload = await verifyIdToken(tokenData.id_token, config2);
     try {
-      const payloadB64 = tokenData.id_token.split(".")[1];
-      const idTokenPayload = JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf8"));
+      const idTokenPayload = verifiedPayload ?? JSON.parse(
+        Buffer.from(tokenData.id_token.split(".")[1], "base64url").toString("utf8")
+      );
       if (idTokenPayload.nonce !== expectedNonce) {
         throw new OidcError("nonce_mismatch", errorMessages.NONCE_MISMATCH);
       }
     } catch (e) {
-      if (e instanceof OidcError && e.kind === "nonce_mismatch") throw e;
+      if (e instanceof OidcError) throw e;
       throw new OidcError("id_token_parse_failed", errorMessages.ID_TOKEN_PARSE_FAILED, e);
     }
   }
@@ -708,6 +798,13 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
   if (!email || !isValidEmail(email)) {
     throw new OidcError("invalid_email", errorMessages.INVALID_EMAIL);
   }
+  if (config2.OIDC_REQUIRE_EMAIL_VERIFIED !== false) {
+    const emailVerified = userResponseData.email_verified;
+    const isVerified = emailVerified === true || emailVerified === "true";
+    if (!isVerified) {
+      throw new OidcError("email_not_verified", errorMessages.EMAIL_NOT_VERIFIED);
+    }
+  }
   await whitelistService2.checkWhitelistForEmail(email);
   const resolved = await resolveRoles(userResponseData, config2, roleService2);
   const { user, userCreated, rolesUpdated } = await ensureUser(
@@ -734,7 +831,7 @@ function classifyOidcError(e, userInfo) {
   const dispatch = OIDC_ERROR_DISPATCH[kind];
   const msg = e instanceof Error ? e.message : String(e);
   let params;
-  if (kind === "id_token_parse_failed" || kind === "unknown") {
+  if (kind === "id_token_parse_failed" || kind === "id_token_invalid" || kind === "unknown") {
     params = { error: msg };
   } else if (kind === "user_creation_failed" && userInfo?.email) {
     params = { email: userInfo.email, error: msg };
@@ -829,8 +926,7 @@ async function oidcSignInCallback(ctx) {
   try {
     const exchangeResult = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce ?? "");
     userInfo = exchangeResult.userInfo;
-    const isProduction = strapi.config.get("environment") === "production";
-    const secureFlag = isProduction && ctx.request.secure;
+    const secureFlag = shouldMarkSecure(strapi, ctx);
     ctx.cookies.set("oidc_access_token", exchangeResult.accessToken, {
       httpOnly: true,
       maxAge: 3e5,
@@ -1000,16 +1096,34 @@ async function register(ctx) {
     return;
   }
   const rawEmails = Array.isArray(email) ? email : email.split(",");
-  const emailList = rawEmails.map((e) => String(e).trim().toLowerCase()).filter(Boolean);
+  const normalized = rawEmails.map((e) => String(e).trim().toLowerCase()).filter(Boolean);
+  const rejectedEmails = [];
+  const validEmails = [];
+  for (const e of normalized) {
+    if (isValidEmail(e)) {
+      validEmails.push(e);
+    } else {
+      rejectedEmails.push(e);
+    }
+  }
+  if (validEmails.length === 0) {
+    ctx.status = 400;
+    ctx.body = { error: "No valid email addresses supplied", rejectedEmails };
+    return;
+  }
   const whitelistService2 = getWhitelistService();
-  const matchedExistingUsersCount = await whitelistService2.countAdminUsersByEmails(emailList);
-  for (const singleEmail of emailList) {
+  let acceptedCount = 0;
+  let alreadyWhitelistedCount = 0;
+  for (const singleEmail of validEmails) {
     const alreadyWhitelisted = await whitelistService2.hasUser(singleEmail);
-    if (!alreadyWhitelisted) {
+    if (alreadyWhitelisted) {
+      alreadyWhitelistedCount++;
+    } else {
       await whitelistService2.registerUser(singleEmail);
+      acceptedCount++;
     }
   }
-  ctx.body = { matchedExistingUsersCount };
+  ctx.body = { acceptedCount, alreadyWhitelistedCount, rejectedEmails };
 }
 async function removeEmail(ctx) {
   const { email } = ctx.params;
@@ -1065,7 +1179,7 @@ async function syncUsers(ctx) {
       await whitelistService2.registerUser(email);
     }
   }
-  ctx.body = { matchedExistingUsersCount: 0 };
+  ctx.body = {};
 }
 const whitelist = {
   info,
@@ -1086,6 +1200,8 @@ const AUDIT_ACTIONS = [
   "nonce_mismatch",
   "token_exchange_failed",
   "whitelist_rejected",
+  "email_not_verified",
+  "id_token_invalid",
   "logout",
   "session_expired",
   "user_created"
@@ -1285,6 +1401,22 @@ const controllers = {
 const rateLimitMap = /* @__PURE__ */ new Map();
 const RATE_LIMIT_WINDOW = 6e4;
 const MAX_REQUESTS = 1e3;
+const MAX_MAP_SIZE = 1e4;
+const PRUNE_THRESHOLD = 1e3;
+function pruneExpiredEntries(now) {
+  const windowStart = now - RATE_LIMIT_WINDOW;
+  for (const [key, stamps] of rateLimitMap) {
+    if (stamps.length === 0 || stamps[stamps.length - 1] <= windowStart) {
+      rateLimitMap.delete(key);
+    }
+  }
+}
+function evictOldestEntry() {
+  const oldest = rateLimitMap.keys().next().value;
+  if (oldest !== void 0) {
+    rateLimitMap.delete(oldest);
+  }
+}
 function getRateLimitKey(ctx) {
   const ip = getClientIp(ctx);
   const ua = ctx.request.header["user-agent"] ?? "";
@@ -1295,6 +1427,9 @@ function rateLimitMiddleware(ctx, next) {
   const key = getRateLimitKey(ctx);
   const now = Date.now();
   const windowStart = now - RATE_LIMIT_WINDOW;
+  if (rateLimitMap.size > PRUNE_THRESHOLD) {
+    pruneExpiredEntries(now);
+  }
   const requestStamps = (rateLimitMap.get(key) ?? []).filter((ts) => ts > windowStart);
   if (requestStamps.length >= MAX_REQUESTS) {
     ctx.status = 429;
@@ -1302,6 +1437,9 @@ function rateLimitMiddleware(ctx, next) {
     return;
   }
   requestStamps.push(now);
+  if (!rateLimitMap.has(key) && rateLimitMap.size >= MAX_MAP_SIZE) {
+    evictOldestEntry();
+  }
   rateLimitMap.set(key, requestStamps);
   return next();
 }
@@ -1345,7 +1483,7 @@ const routes = {
         config: { auth: false, middlewares: [rateLimitMiddleware] }
       },
       {
-        method: "GET",
+        method: "POST",
         path: "/logout",
         handler: "oidc.logout",
         config: { auth: false }
@@ -1427,53 +1565,63 @@ const routes = {
   // API-token-authenticated routes for programmatic whitelist management.
   // Accessible at /strapi-plugin-oidc/... using a Strapi API token
   // (full-access or custom) in the Authorization: Bearer <token> header.
+  // Custom tokens must be granted one or more of the semantic scopes below.
   "content-api": {
     type: "content-api",
     routes: [
       {
         method: "GET",
         path: "/whitelist",
-        handler: "whitelist.info"
+        handler: "whitelist.info",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.read"] } }
       },
       {
         method: "POST",
         path: "/whitelist",
-        handler: "whitelist.register"
+        handler: "whitelist.register",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.write"] } }
       },
       {
         method: "POST",
         path: "/whitelist/import",
-        handler: "whitelist.importUsers"
+        handler: "whitelist.importUsers",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.write"] } }
       },
       {
         method: "DELETE",
         path: "/whitelist/:email",
-        handler: "whitelist.removeEmail"
+        handler: "whitelist.removeEmail",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.delete"] } }
       },
       {
         method: "DELETE",
         path: "/whitelist",
-        handler: "whitelist.deleteAll"
+        handler: "whitelist.deleteAll",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.delete"] } }
       },
       {
         method: "GET",
         path: "/whitelist/export",
-        handler: "whitelist.exportWhitelist"
+        handler: "whitelist.exportWhitelist",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.read"] } }
       },
       {
         method: "GET",
         path: "/audit-logs",
-        handler: "auditLog.find"
+        handler: "auditLog.find",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.audit.read"] } }
       },
       {
         method: "GET",
         path: "/audit-logs/export",
-        handler: "auditLog.export"
+        handler: "auditLog.export",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.audit.read"] } }
       },
       {
         method: "DELETE",
         path: "/audit-logs",
-        handler: "auditLog.clearAll"
+        handler: "auditLog.clearAll",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.audit.delete"] } }
       }
     ]
   }
@@ -1725,13 +1873,12 @@ function oauthService({ strapi: strapi2 }) {
           type: rememberMe ? "refresh" : "session"
         }
       );
-      const isProduction = strapi2.config.get("environment") === "production";
       const domain = strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain");
       const path = strapi2.config.get("admin.auth.cookie.path", "/admin");
       const sameSite = strapi2.config.get("admin.auth.cookie.sameSite", "lax");
       const cookieOptions = {
         httpOnly: true,
-        secure: isProduction && ctx.request.secure,
+        secure: shouldMarkSecure(strapi2, ctx),
         overwrite: true,
         domain,
         path,
@@ -1850,14 +1997,6 @@ function whitelistService({ strapi: strapi2 }) {
     },
     async deleteAllUsers() {
       await getWhitelistQuery().deleteMany({});
-    },
-    async countAdminUsersByEmails(emails) {
-      if (emails.length === 0) return 0;
-      const rows = await strapi2.query("admin::user").findMany({
-        where: { email: { $in: emails } },
-        select: ["id"]
-      });
-      return rows.length;
     }
   };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.7.6",
+  "version": "1.8.0",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",
@@ -50,6 +50,7 @@
     "@strapi/icons": "^2.2.0",
     "@strapi/utils": "^5.41.1",
     "generate-password": "^1.7.1",
+    "jose": "^6.2.2",
     "lucide-react": "^1.8.0",
     "pkce-challenge": "^6.0.0",
     "react-intl": "^6.8.9"