npm - strapi-plugin-oidc - Versions diffs - 1.7.6 → 1.8.1 - Mend

strapi-plugin-oidc 1.7.6 → 1.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +77 -47
package/dist/admin/{index-DRJ6Ty2J.mjs → index-Bb9-aYb4.mjs} +54 -6
package/dist/admin/{index-D2rlNx1-.js → index-Bmg4eTYb.js} +115 -88
package/dist/admin/{index-pieFAsgM.mjs → index-BqWd-Iiq.mjs} +74 -47
package/dist/admin/{index-CrnGXADu.js → index-Dk6TYtio.js} +58 -8
package/dist/admin/index.js +3 -1
package/dist/admin/index.mjs +3 -1
package/dist/server/index.js +266 -92
package/dist/server/index.mjs +266 -92
package/package.json +2 -1

package/dist/server/index.mjs CHANGED Viewed

@@ -1,5 +1,6 @@
 import { randomUUID, randomBytes, createHash } from "node:crypto";
 import pkceChallenge from "pkce-challenge";
+import { jwtVerify, errors, createRemoteJWKSet } from "jose";
 import { Readable } from "node:stream";
 import strapiUtils from "@strapi/utils";
 import generator from "generate-password";
@@ -37,8 +38,44 @@ const getRoleService = () => strapi.plugin(PLUGIN_NAME).service("role");
 const getWhitelistService = () => strapi.plugin(PLUGIN_NAME).service("whitelist");
 const getAuditLogService = () => strapi.plugin(PLUGIN_NAME).service("auditLog");
 const getAdminUserService = () => strapi.service("admin::user");
+const DISCOVERY_TIMEOUT_MS = 5e3;
+const FIELD_MAP = [
+  ["issuer", "OIDC_ISSUER"],
+  ["authorization_endpoint", "OIDC_AUTHORIZATION_ENDPOINT"],
+  ["token_endpoint", "OIDC_TOKEN_ENDPOINT"],
+  ["userinfo_endpoint", "OIDC_USERINFO_ENDPOINT"],
+  ["end_session_endpoint", "OIDC_END_SESSION_ENDPOINT"],
+  ["jwks_uri", "OIDC_JWKS_URI"]
+];
+async function applyDiscovery(strapi2) {
+  const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
+  const discoveryUrl = config2.OIDC_DISCOVERY_URL;
+  if (!discoveryUrl) return;
+  let doc;
+  try {
+    const res = await fetch(discoveryUrl, { signal: AbortSignal.timeout(DISCOVERY_TIMEOUT_MS) });
+    if (!res.ok) throw new Error(`HTTP ${res.status}`);
+    doc = await res.json();
+  } catch (e) {
+    strapi2.log.error(
+      `[strapi-plugin-oidc] Failed to fetch OIDC discovery document from ${discoveryUrl}: ${e instanceof Error ? e.message : String(e)}`
+    );
+    return;
+  }
+  const updates = {};
+  for (const [docField, configKey] of FIELD_MAP) {
+    if (doc[docField]) {
+      updates[configKey] = doc[docField];
+    }
+  }
+  if (Object.keys(updates).length > 0) {
+    strapi2.config.set("plugin::strapi-plugin-oidc", { ...config2, ...updates });
+    strapi2.log.info(`[strapi-plugin-oidc] Discovery applied: ${Object.keys(updates).join(", ")}`);
+  }
+}
 const AUTH_ROUTES = ["login", "register", "register-admin", "forgot-password", "reset-password"];
 async function bootstrap({ strapi: strapi2 }) {
+  await applyDiscovery(strapi2);
   const adminUrl = strapi2.config.get("admin.url", "/admin");
   const tokenRefreshPath = `${adminUrl}/token/refresh`;
   const enforceOidcMiddleware = async (ctx, next) => {
@@ -93,6 +130,16 @@ async function bootstrap({ strapi: strapi2 }) {
     { section: "plugins", displayName: "Update", uid: "update", pluginName: "strapi-plugin-oidc" }
   ];
   await strapi2.admin.services.permission.actionProvider.registerMany(actions);
+  const contentApiScopeUids = [
+    "plugin::strapi-plugin-oidc.whitelist.read",
+    "plugin::strapi-plugin-oidc.whitelist.write",
+    "plugin::strapi-plugin-oidc.whitelist.delete",
+    "plugin::strapi-plugin-oidc.audit.read",
+    "plugin::strapi-plugin-oidc.audit.delete"
+  ];
+  for (const uid of contentApiScopeUids) {
+    strapi2.contentAPI.permissions.providers.action.register(uid, { uid });
+  }
   const enforceOIDCConfig = getEnforceOIDCConfig(strapi2);
   if (enforceOIDCConfig !== null) {
     try {
@@ -140,23 +187,29 @@ function destroy() {
 const config = {
   default: {
     REMEMBER_ME: false,
+    OIDC_DISCOVERY_URL: "",
     OIDC_REDIRECT_URI: "http://localhost:1337/strapi-plugin-oidc/oidc/callback",
     OIDC_CLIENT_ID: "",
     OIDC_CLIENT_SECRET: "",
     OIDC_SCOPE: "openid profile email",
-    OIDC_AUTHORIZATION_ENDPOINT: "",
-    OIDC_TOKEN_ENDPOINT: "",
-    OIDC_USERINFO_ENDPOINT: "",
-    OIDC_GRANT_TYPE: "authorization_code",
     OIDC_FAMILY_NAME_FIELD: "family_name",
     OIDC_GIVEN_NAME_FIELD: "given_name",
-    OIDC_END_SESSION_ENDPOINT: "",
     OIDC_SSO_BUTTON_TEXT: "Login via SSO",
     OIDC_ENFORCE: null,
     // null = use DB setting; true/false = override DB (useful for lockout recovery)
     AUDIT_LOG_RETENTION_DAYS: 90,
     OIDC_GROUP_FIELD: "groups",
-    OIDC_GROUP_ROLE_MAP: "{}"
+    OIDC_GROUP_ROLE_MAP: "{}",
+    OIDC_REQUIRE_EMAIL_VERIFIED: true,
+    OIDC_TRUSTED_IP_HEADER: "",
+    OIDC_FORCE_SECURE_COOKIES: false,
+    // Populated at bootstrap from OIDC_DISCOVERY_URL — not user-configurable directly
+    OIDC_AUTHORIZATION_ENDPOINT: "",
+    OIDC_TOKEN_ENDPOINT: "",
+    OIDC_USERINFO_ENDPOINT: "",
+    OIDC_END_SESSION_ENDPOINT: "",
+    OIDC_JWKS_URI: "",
+    OIDC_ISSUER: ""
   },
   validator() {
   }
@@ -205,11 +258,20 @@ const contentTypes = {
   whitelists,
   "audit-log": auditLog$1
 };
-function getExpiredCookieOptions(strapi2, ctx) {
+function shouldMarkSecure(strapi2, ctx) {
   const isProduction = strapi2.config.get("environment") === "production";
+  if (!isProduction) return false;
+  const config2 = strapi2.config.get("plugin::strapi-plugin-oidc") ?? {};
+  if (config2.OIDC_FORCE_SECURE_COOKIES === true) return true;
+  if (ctx.request.secure) return true;
+  const proxyTrusted = ctx.app?.proxy === true;
+  if (proxyTrusted && ctx.get("x-forwarded-proto") === "https") return true;
+  return false;
+}
+function getExpiredCookieOptions(strapi2, ctx) {
   return {
     httpOnly: true,
-    secure: isProduction && ctx.request.secure,
+    secure: shouldMarkSecure(strapi2, ctx),
     path: strapi2.config.get("admin.auth.cookie.path", "/admin"),
     domain: strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain"),
     sameSite: strapi2.config.get("admin.auth.cookie.sameSite", "lax"),
@@ -236,7 +298,9 @@ const errorCodes = {
   NONCE_MISMATCH: "NONCE_MISMATCH",
   ROLE_UPDATE_FAILED: "ROLE_UPDATE_FAILED",
   USER_CREATION_FAILED: "USER_CREATION_FAILED",
-  WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED"
+  WHITELIST_CHECK_FAILED: "WHITELIST_CHECK_FAILED",
+  EMAIL_NOT_VERIFIED: "EMAIL_NOT_VERIFIED",
+  ID_TOKEN_INVALID: "ID_TOKEN_INVALID"
 };
 const ERROR_DETAIL_TEMPLATES = {
   token_exchange_failed: "Token exchange failed with HTTP status {status}",
@@ -246,6 +310,8 @@ const ERROR_DETAIL_TEMPLATES = {
   id_token_parse_failed: "ID token parse failed: {error}",
   sign_in_unknown: "Unknown sign-in error: {error}",
   invalid_email: "Invalid email address received from OIDC provider",
+  email_not_verified: "Email address has not been verified by the OIDC provider",
+  id_token_invalid: "ID token verification failed: {error}",
   whitelist_not_present: "Email not present in whitelist",
   session_manager_unsupported: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
   missing_config: "Missing required config keys: {keys}"
@@ -265,6 +331,8 @@ const errorMessages = {
   ID_TOKEN_PARSE_FAILED: "Failed to parse ID token",
   NONCE_MISMATCH: "Nonce mismatch",
   INVALID_EMAIL: "Invalid email address received from OIDC provider",
+  EMAIL_NOT_VERIFIED: "Email address has not been verified by the OIDC provider",
+  ID_TOKEN_INVALID: "ID token verification failed",
   WHITELIST_NOT_PRESENT: "Not present in whitelist",
   SESSION_MANAGER_UNSUPPORTED: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
   MISSING_CONFIG: (keys) => `Missing required config keys: ${keys}`
@@ -331,7 +399,6 @@ const en = {
   "auditlog.table.ip": "IP",
   "auditlog.table.details": "Details",
   "auditlog.table.empty": "No audit log entries",
-  "auditlog.loading": "Loading…",
   "auditlog.clear": "Clear Logs",
   "auditlog.clear.title": "Clear All Logs",
   "auditlog.clear.description": "This will permanently delete all {count, plural, one {# audit log entry} other {# audit log entries}}. This action cannot be undone.",
@@ -362,6 +429,8 @@ const en = {
   "auditlog.action.nonce_mismatch": "The nonce in the ID token did not match the one generated at login. This may indicate a token replay attack.",
   "auditlog.action.token_exchange_failed": "The authorisation code could not be exchanged for tokens. The OIDC provider rejected the request.",
   "auditlog.action.whitelist_rejected": "The user's email address is not on the whitelist. Access was denied.",
+  "auditlog.action.email_not_verified": "The OIDC provider did not confirm the user's email address as verified. Access was denied.",
+  "auditlog.action.id_token_invalid": "The ID token failed signature, issuer, audience, or expiry validation. Access was denied.",
   "auth.page.authenticating.title": "Authenticating...",
   "auth.page.authenticating.noscript.heading": "JavaScript Required",
   "auth.page.authenticating.noscript.body": "JavaScript must be enabled for authentication to complete.",
@@ -384,7 +453,6 @@ const locales = Object.fromEntries(
     return [code ?? "", mod.default];
   })
 );
-Object.keys(locales).filter(Boolean);
 const DEFAULT_LOCALE = "en";
 function parseAcceptLanguage(header) {
   return header.split(",").map((part) => {
@@ -471,40 +539,99 @@ const OIDC_ERROR_DISPATCH = {
     code: errorCodes.TOKEN_EXCHANGE_FAILED,
     key: "sign_in_unknown"
   },
+  email_not_verified: {
+    action: "email_not_verified",
+    code: errorCodes.EMAIL_NOT_VERIFIED,
+    key: "email_not_verified"
+  },
+  id_token_invalid: {
+    action: "id_token_invalid",
+    code: errorCodes.ID_TOKEN_INVALID,
+    key: "id_token_invalid"
+  },
   unknown: {
     action: "login_failure",
     code: errorCodes.TOKEN_EXCHANGE_FAILED,
     key: "sign_in_unknown"
   }
 };
+const TRUSTED_IP_HEADER = "cf-connecting-ip";
+function getTrustedHeaderName() {
+  const config2 = strapi.config.get("plugin::strapi-plugin-oidc") ?? {};
+  const raw = config2.OIDC_TRUSTED_IP_HEADER;
+  if (typeof raw !== "string" || !raw) return void 0;
+  const normalized = raw.trim().toLowerCase();
+  return normalized === TRUSTED_IP_HEADER ? normalized : void 0;
+}
 function getClientIp(ctx) {
-  const cfConnectingIp = ctx.get("CF-Connecting-IP");
-  if (cfConnectingIp) {
-    return cfConnectingIp.split(",")[0].trim();
-  }
-  const forwardedFor = ctx.get("X-Forwarded-For");
-  if (forwardedFor) {
-    return forwardedFor.split(",")[0].trim();
-  }
-  const realIp = ctx.get("X-Real-IP");
-  if (realIp) {
-    return realIp.trim();
+  const proxyTrusted = ctx.app?.proxy === true;
+  if (proxyTrusted) {
+    const trustedHeader = getTrustedHeaderName();
+    if (trustedHeader) {
+      const value = ctx.get(trustedHeader);
+      if (value) return value.split(",")[0].trim();
+    }
+    const forwarded = ctx.request.ips;
+    if (forwarded && forwarded.length > 0) {
+      return forwarded[0];
+    }
   }
   return ctx.ip;
 }
+function toMessage(e) {
+  return e instanceof Error ? e.message : String(e);
+}
 const REQUIRED_CONFIG_KEYS = [
+  "OIDC_DISCOVERY_URL",
   "OIDC_CLIENT_ID",
   "OIDC_CLIENT_SECRET",
   "OIDC_REDIRECT_URI",
   "OIDC_SCOPE",
-  "OIDC_TOKEN_ENDPOINT",
-  "OIDC_USERINFO_ENDPOINT",
-  "OIDC_GRANT_TYPE",
   "OIDC_FAMILY_NAME_FIELD",
   "OIDC_GIVEN_NAME_FIELD",
+  // Populated at bootstrap from OIDC_DISCOVERY_URL — checked here as a runtime safety net
+  "OIDC_TOKEN_ENDPOINT",
+  "OIDC_USERINFO_ENDPOINT",
   "OIDC_AUTHORIZATION_ENDPOINT"
 ];
-const LOGOUT_USERINFO_TIMEOUT_MS = 3e3;
+const LOGOUT_USERINFO_TIMEOUT_MS = 1500;
+const jwksCache = /* @__PURE__ */ new Map();
+let jwksDisabledWarned = false;
+function getJwks(uri) {
+  let jwks = jwksCache.get(uri);
+  if (!jwks) {
+    jwks = createRemoteJWKSet(new URL(uri));
+    jwksCache.set(uri, jwks);
+  }
+  return jwks;
+}
+async function verifyIdToken(idToken, config2) {
+  const jwksUri = config2.OIDC_JWKS_URI;
+  const issuer = config2.OIDC_ISSUER;
+  if (!jwksUri) {
+    if (!jwksDisabledWarned) {
+      jwksDisabledWarned = true;
+      strapi.log.warn(
+        "[OIDC] OIDC_JWKS_URI is not configured — ID token signature verification is disabled. Set OIDC_JWKS_URI and OIDC_ISSUER from your provider's discovery document."
+      );
+    }
+    return null;
+  }
+  try {
+    const jwks = getJwks(jwksUri);
+    const { payload } = await jwtVerify(idToken, jwks, {
+      issuer: issuer || void 0,
+      audience: config2.OIDC_CLIENT_ID
+    });
+    return payload;
+  } catch (e) {
+    if (e instanceof errors.JWTClaimValidationFailed || e instanceof errors.JWSSignatureVerificationFailed || e instanceof errors.JWTExpired || e instanceof errors.JWTInvalid || e instanceof errors.JWSInvalid) {
+      const msg = toMessage(e);
+      throw new OidcError("id_token_invalid", msg, e);
+    }
+    throw e;
+  }
+}
 function configValidation() {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
   const missing = REQUIRED_CONFIG_KEYS.filter((key) => !config2[key]);
@@ -518,11 +645,10 @@ async function oidcSignIn(ctx) {
   const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge();
   const state = randomBytes(32).toString("base64url");
   const nonce = randomBytes(32).toString("base64url");
-  const isProduction = strapi.config.get("environment") === "production";
   const cookieOptions = {
     httpOnly: true,
     maxAge: 6e5,
-    secure: isProduction && ctx.request.secure,
+    secure: shouldMarkSecure(strapi, ctx),
     sameSite: "lax"
   };
   ctx.cookies.set("oidc_code_verifier", codeVerifier, cookieOptions);
@@ -555,14 +681,16 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
   }
   const tokenData = await response.json();
   if (tokenData.id_token) {
+    const verifiedPayload = await verifyIdToken(tokenData.id_token, config2);
     try {
-      const payloadB64 = tokenData.id_token.split(".")[1];
-      const idTokenPayload = JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf8"));
+      const idTokenPayload = verifiedPayload ?? JSON.parse(
+        Buffer.from(tokenData.id_token.split(".")[1], "base64url").toString("utf8")
+      );
       if (idTokenPayload.nonce !== expectedNonce) {
         throw new OidcError("nonce_mismatch", errorMessages.NONCE_MISMATCH);
       }
     } catch (e) {
-      if (e instanceof OidcError && e.kind === "nonce_mismatch") throw e;
+      if (e instanceof OidcError) throw e;
       throw new OidcError("id_token_parse_failed", errorMessages.ID_TOKEN_PARSE_FAILED, e);
     }
   }
@@ -689,7 +817,7 @@ async function ensureUser(userService, oauthService2, email, userResponseData, c
       );
       return { user, userCreated: true, rolesUpdated: true };
     } catch (e) {
-      const msg = e instanceof Error ? e.message : String(e);
+      const msg = toMessage(e);
       throw new OidcError("user_creation_failed", msg, e);
     }
   }
@@ -708,6 +836,13 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
   if (!email || !isValidEmail(email)) {
     throw new OidcError("invalid_email", errorMessages.INVALID_EMAIL);
   }
+  if (config2.OIDC_REQUIRE_EMAIL_VERIFIED !== false) {
+    const emailVerified = userResponseData.email_verified;
+    const isVerified = emailVerified === true || emailVerified === "true";
+    if (!isVerified) {
+      throw new OidcError("email_not_verified", errorMessages.EMAIL_NOT_VERIFIED);
+    }
+  }
   await whitelistService2.checkWhitelistForEmail(email);
   const resolved = await resolveRoles(userResponseData, config2, roleService2);
   const { user, userCreated, rolesUpdated } = await ensureUser(
@@ -732,9 +867,9 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
 function classifyOidcError(e, userInfo) {
   const kind = e instanceof OidcError ? e.kind : "unknown";
   const dispatch = OIDC_ERROR_DISPATCH[kind];
-  const msg = e instanceof Error ? e.message : String(e);
+  const msg = toMessage(e);
   let params;
-  if (kind === "id_token_parse_failed" || kind === "unknown") {
+  if (kind === "id_token_parse_failed" || kind === "id_token_invalid" || kind === "unknown") {
     params = { error: msg };
   } else if (kind === "user_creation_failed" && userInfo?.email) {
     params = { email: userInfo.email, error: msg };
@@ -781,7 +916,7 @@ async function logSuccessfulAuth(auditLog2, ctx, user, userCreated, rolesUpdated
 }
 async function handleCallbackError(e, userInfo, auditLog2, oauthService2, ctx) {
   const errorInfo = classifyOidcError(e, userInfo);
-  const message = e instanceof Error ? e.message : String(e);
+  const message = toMessage(e);
   await auditLog2.log({
     action: errorInfo.action,
     email: userInfo?.email,
@@ -822,15 +957,14 @@ async function oidcSignInCallback(ctx) {
     client_id: config2.OIDC_CLIENT_ID,
     client_secret: config2.OIDC_CLIENT_SECRET,
     redirect_uri: config2.OIDC_REDIRECT_URI,
-    grant_type: config2.OIDC_GRANT_TYPE,
+    grant_type: "authorization_code",
     code_verifier: codeVerifier ?? ""
   });
   let userInfo;
   try {
     const exchangeResult = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce ?? "");
     userInfo = exchangeResult.userInfo;
-    const isProduction = strapi.config.get("environment") === "production";
-    const secureFlag = isProduction && ctx.request.secure;
+    const secureFlag = shouldMarkSecure(strapi, ctx);
     ctx.cookies.set("oidc_access_token", exchangeResult.accessToken, {
       httpOnly: true,
       maxAge: 3e5,
@@ -867,13 +1001,13 @@ async function oidcSignInCallback(ctx) {
     await handleCallbackError(e, userInfo, auditLog2, oauthService2, ctx);
   }
 }
-async function isProviderSessionActive(userinfoEndpoint, accessToken) {
+async function isProviderSessionExpired(userinfoEndpoint, accessToken) {
   try {
     const response = await fetch(userinfoEndpoint, {
       headers: { Authorization: `Bearer ${accessToken}` },
       signal: AbortSignal.timeout(LOGOUT_USERINFO_TIMEOUT_MS)
     });
-    return response.ok;
+    return !response.ok;
   } catch {
     return false;
   }
@@ -893,14 +1027,14 @@ async function logout(ctx) {
   }
   const logAudit = (action) => userEmail ? auditLog2.log({ action, email: userEmail, ip: getClientIp(ctx) }) : Promise.resolve();
   if (logoutUrl && accessToken) {
-    const active = await isProviderSessionActive(config2.OIDC_USERINFO_ENDPOINT, accessToken);
-    if (active) {
-      logAudit("logout").catch(() => {
-      });
-      return ctx.redirect(logoutUrl);
+    const expired = await isProviderSessionExpired(config2.OIDC_USERINFO_ENDPOINT, accessToken);
+    if (expired) {
+      await logAudit("session_expired");
+      return ctx.redirect(loginUrl);
     }
-    await logAudit("session_expired");
-    return ctx.redirect(loginUrl);
+    logAudit("logout").catch(() => {
+    });
+    return ctx.redirect(logoutUrl);
   }
   await logAudit("logout");
   ctx.redirect(logoutUrl || loginUrl);
@@ -1000,16 +1134,34 @@ async function register(ctx) {
     return;
   }
   const rawEmails = Array.isArray(email) ? email : email.split(",");
-  const emailList = rawEmails.map((e) => String(e).trim().toLowerCase()).filter(Boolean);
+  const normalized = rawEmails.map((e) => String(e).trim().toLowerCase()).filter(Boolean);
+  const rejectedEmails = [];
+  const validEmails = [];
+  for (const e of normalized) {
+    if (isValidEmail(e)) {
+      validEmails.push(e);
+    } else {
+      rejectedEmails.push(e);
+    }
+  }
+  if (validEmails.length === 0) {
+    ctx.status = 400;
+    ctx.body = { error: "No valid email addresses supplied", rejectedEmails };
+    return;
+  }
   const whitelistService2 = getWhitelistService();
-  const matchedExistingUsersCount = await whitelistService2.countAdminUsersByEmails(emailList);
-  for (const singleEmail of emailList) {
+  let acceptedCount = 0;
+  let alreadyWhitelistedCount = 0;
+  for (const singleEmail of validEmails) {
     const alreadyWhitelisted = await whitelistService2.hasUser(singleEmail);
-    if (!alreadyWhitelisted) {
+    if (alreadyWhitelisted) {
+      alreadyWhitelistedCount++;
+    } else {
       await whitelistService2.registerUser(singleEmail);
+      acceptedCount++;
     }
   }
-  ctx.body = { matchedExistingUsersCount };
+  ctx.body = { acceptedCount, alreadyWhitelistedCount, rejectedEmails };
 }
 async function removeEmail(ctx) {
   const { email } = ctx.params;
@@ -1040,13 +1192,9 @@ async function importUsers(ctx) {
   const whitelistService2 = getWhitelistService();
   const existing = await whitelistService2.getUsers();
   const existingEmails = new Set(existing.map((u) => u.email));
-  let importedCount = 0;
-  for (const email of deduped) {
-    if (existingEmails.has(email)) continue;
-    await whitelistService2.registerUser(email);
-    importedCount++;
-  }
-  ctx.body = { importedCount };
+  const toImport = deduped.filter((email) => !existingEmails.has(email));
+  await Promise.all(toImport.map((email) => whitelistService2.registerUser(email)));
+  ctx.body = { importedCount: toImport.length };
 }
 async function syncUsers(ctx) {
   const { users: rawUsers } = ctx.request.body;
@@ -1055,17 +1203,11 @@ async function syncUsers(ctx) {
   const currentUsers = await whitelistService2.getUsers();
   const syncEmailSet = new Set(emails);
   const currentUsersByEmail = new Map(currentUsers.map((u) => [u.email, u]));
-  for (const currUser of currentUsers) {
-    if (!syncEmailSet.has(currUser.email)) {
-      await whitelistService2.removeUser(currUser.email);
-    }
-  }
-  for (const email of emails) {
-    if (!currentUsersByEmail.has(email)) {
-      await whitelistService2.registerUser(email);
-    }
-  }
-  ctx.body = { matchedExistingUsersCount: 0 };
+  await Promise.all([
+    ...currentUsers.filter((u) => !syncEmailSet.has(u.email)).map((u) => whitelistService2.removeUser(u.email)),
+    ...emails.filter((email) => !currentUsersByEmail.has(email)).map((email) => whitelistService2.registerUser(email))
+  ]);
+  ctx.body = {};
 }
 const whitelist = {
   info,
@@ -1086,6 +1228,8 @@ const AUDIT_ACTIONS = [
   "nonce_mismatch",
   "token_exchange_failed",
   "whitelist_rejected",
+  "email_not_verified",
+  "id_token_invalid",
   "logout",
   "session_expired",
   "user_created"
@@ -1285,6 +1429,22 @@ const controllers = {
 const rateLimitMap = /* @__PURE__ */ new Map();
 const RATE_LIMIT_WINDOW = 6e4;
 const MAX_REQUESTS = 1e3;
+const MAX_MAP_SIZE = 1e4;
+const PRUNE_THRESHOLD = 1e3;
+function pruneExpiredEntries(now) {
+  const windowStart = now - RATE_LIMIT_WINDOW;
+  for (const [key, stamps] of rateLimitMap) {
+    if (stamps.length === 0 || stamps[stamps.length - 1] <= windowStart) {
+      rateLimitMap.delete(key);
+    }
+  }
+}
+function evictOldestEntry() {
+  const oldest = rateLimitMap.keys().next().value;
+  if (oldest !== void 0) {
+    rateLimitMap.delete(oldest);
+  }
+}
 function getRateLimitKey(ctx) {
   const ip = getClientIp(ctx);
   const ua = ctx.request.header["user-agent"] ?? "";
@@ -1295,6 +1455,9 @@ function rateLimitMiddleware(ctx, next) {
   const key = getRateLimitKey(ctx);
   const now = Date.now();
   const windowStart = now - RATE_LIMIT_WINDOW;
+  if (rateLimitMap.size > PRUNE_THRESHOLD) {
+    pruneExpiredEntries(now);
+  }
   const requestStamps = (rateLimitMap.get(key) ?? []).filter((ts) => ts > windowStart);
   if (requestStamps.length >= MAX_REQUESTS) {
     ctx.status = 429;
@@ -1302,6 +1465,9 @@ function rateLimitMiddleware(ctx, next) {
     return;
   }
   requestStamps.push(now);
+  if (!rateLimitMap.has(key) && rateLimitMap.size >= MAX_MAP_SIZE) {
+    evictOldestEntry();
+  }
   rateLimitMap.set(key, requestStamps);
   return next();
 }
@@ -1350,6 +1516,12 @@ const routes = {
         handler: "oidc.logout",
         config: { auth: false }
       },
+      {
+        method: "POST",
+        path: "/logout",
+        handler: "oidc.logout",
+        config: { auth: false }
+      },
       {
         method: "GET",
         path: "/whitelist",
@@ -1427,53 +1599,63 @@ const routes = {
   // API-token-authenticated routes for programmatic whitelist management.
   // Accessible at /strapi-plugin-oidc/... using a Strapi API token
   // (full-access or custom) in the Authorization: Bearer <token> header.
+  // Custom tokens must be granted one or more of the semantic scopes below.
   "content-api": {
     type: "content-api",
     routes: [
       {
         method: "GET",
         path: "/whitelist",
-        handler: "whitelist.info"
+        handler: "whitelist.info",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.read"] } }
       },
       {
         method: "POST",
         path: "/whitelist",
-        handler: "whitelist.register"
+        handler: "whitelist.register",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.write"] } }
       },
       {
         method: "POST",
         path: "/whitelist/import",
-        handler: "whitelist.importUsers"
+        handler: "whitelist.importUsers",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.write"] } }
       },
       {
         method: "DELETE",
         path: "/whitelist/:email",
-        handler: "whitelist.removeEmail"
+        handler: "whitelist.removeEmail",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.delete"] } }
       },
       {
         method: "DELETE",
         path: "/whitelist",
-        handler: "whitelist.deleteAll"
+        handler: "whitelist.deleteAll",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.delete"] } }
       },
       {
         method: "GET",
         path: "/whitelist/export",
-        handler: "whitelist.exportWhitelist"
+        handler: "whitelist.exportWhitelist",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.whitelist.read"] } }
       },
       {
         method: "GET",
         path: "/audit-logs",
-        handler: "auditLog.find"
+        handler: "auditLog.find",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.audit.read"] } }
       },
       {
         method: "GET",
         path: "/audit-logs/export",
-        handler: "auditLog.export"
+        handler: "auditLog.export",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.audit.read"] } }
       },
       {
         method: "DELETE",
         path: "/audit-logs",
-        handler: "auditLog.clearAll"
+        handler: "auditLog.clearAll",
+        config: { auth: { scope: ["plugin::strapi-plugin-oidc.audit.delete"] } }
       }
     ]
   }
@@ -1642,9 +1824,10 @@ function oauthService({ strapi: strapi2 }) {
       }
       const modelDef = strapi2.getModel("admin::user");
       const sanitizedEntity = await strapiUtils.sanitize.sanitizers.defaultSanitizeOutput(
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        { schema: modelDef, getModel: (uid2) => strapi2.getModel(uid2) },
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        {
+          schema: modelDef,
+          getModel: (uid2) => strapi2.getModel(uid2)
+        },
         user
       );
       eventHub?.emit(ENTRY_CREATE ?? "entry.create", {
@@ -1725,13 +1908,12 @@ function oauthService({ strapi: strapi2 }) {
           type: rememberMe ? "refresh" : "session"
         }
       );
-      const isProduction = strapi2.config.get("environment") === "production";
       const domain = strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain");
       const path = strapi2.config.get("admin.auth.cookie.path", "/admin");
       const sameSite = strapi2.config.get("admin.auth.cookie.sameSite", "lax");
       const cookieOptions = {
         httpOnly: true,
-        secure: isProduction && ctx.request.secure,
+        secure: shouldMarkSecure(strapi2, ctx),
         overwrite: true,
         domain,
         path,
@@ -1850,14 +2032,6 @@ function whitelistService({ strapi: strapi2 }) {
     },
     async deleteAllUsers() {
       await getWhitelistQuery().deleteMany({});
-    },
-    async countAdminUsersByEmails(emails) {
-      if (emails.length === 0) return 0;
-      const rows = await strapi2.query("admin::user").findMany({
-        where: { email: { $in: emails } },
-        select: ["id"]
-      });
-      return rows.length;
     }
   };
 }