@strapi-community/plugin-io 5.1.0 → 5.2.0

package/README.md

@@ -770,6 +770,130 @@ Configure permissions in the Strapi admin panel:
 
 ---
 
+## Security
+
+The plugin implements multiple security layers to protect your real-time connections.
+
+### Admin Session Tokens
+
+For admin panel connections (Live Presence), the plugin uses secure session tokens:
+
+```
++------------------+      +------------------+      +------------------+
+|  Admin Browser   | ---> |  Session Endpoint| ---> |   Socket.IO      |
+|  (Strapi Admin)  |      |  /io/presence/   |      |   Server         |
++------------------+      +------------------+      +------------------+
+        |                         |                         |
+        | 1. Request session      |                         |
+        | (Admin JWT in header)   |                         |
+        +------------------------>|                         |
+        |                         |                         |
+        | 2. Return session token |                         |
+        | (UUID, 10 min TTL)      |                         |
+        |<------------------------+                         |
+        |                         |                         |
+        | 3. Connect Socket.IO    |                         |
+        | (Session token in auth) |                         |
+        +-------------------------------------------------->|
+        |                         |                         |
+        | 4. Validate & connect   |                         |
+        |<--------------------------------------------------+
+```
+
+**Security Features:**
+- **Token Hashing**: Tokens stored as SHA-256 hashes (plaintext never persisted)
+- **Short TTL**: 10-minute expiration with automatic refresh at 70%
+- **Usage Limits**: Max 10 reconnects per token to prevent replay attacks
+- **Rate Limiting**: 30-second cooldown between token requests
+- **Minimal Data**: Only essential user info stored (ID, firstname, lastname)
+
+### Rate Limiting
+
+Prevent abuse with configurable rate limits:
+
+```javascript
+// In config/plugins.js
+module.exports = {
+  io: {
+    enabled: true,
+    config: {
+      security: {
+        rateLimit: {
+          enabled: true,
+          maxEventsPerSecond: 10,    // Max events per socket per second
+          maxConnectionsPerIp: 50    // Max connections from single IP
+        }
+      }
+    }
+  }
+};
+```
+
+### IP Whitelisting/Blacklisting
+
+Restrict access by IP address:
+
+```javascript
+// In config/plugins.js
+module.exports = {
+  io: {
+    enabled: true,
+    config: {
+      security: {
+        ipWhitelist: ['192.168.1.0/24', '10.0.0.1'],  // Only these IPs allowed
+        ipBlacklist: ['203.0.113.50'],                 // These IPs blocked
+        requireAuthentication: true                    // Require JWT/API token
+      }
+    }
+  }
+};
+```
+
+### Security Monitoring API
+
+Monitor active sessions via admin API:
+
+```bash
+# Get session statistics
+GET /io/security/sessions
+Authorization: Bearer <admin-jwt>
+
+# Response:
+{
+  "data": {
+    "activeSessions": 5,
+    "expiringSoon": 1,
+    "activeSocketConnections": 3,
+    "sessionTTL": 600000,
+    "refreshCooldown": 30000
+  }
+}
+
+# Force logout a user (invalidate all their sessions)
+POST /io/security/invalidate/:userId
+Authorization: Bearer <admin-jwt>
+
+# Response:
+{
+  "data": {
+    "userId": 1,
+    "invalidatedSessions": 2,
+    "message": "Successfully invalidated 2 session(s)"
+  }
+}
+```
+
+### Best Practices
+
+1. **Always use HTTPS** in production for encrypted WebSocket connections
+2. **Enable authentication** for sensitive content types
+3. **Configure CORS** to only allow your frontend domains
+4. **Monitor connections** via the admin dashboard
+5. **Set reasonable rate limits** based on your use case
+6. **Review access logs** periodically for suspicious activity
+
+---
+
 ## Admin Panel
 
 The plugin provides a full admin interface for configuration and monitoring.
@@ -1327,6 +1451,9 @@ Copyright (c) 2024 Strapi Community
 - **Admin Panel Sidebar** - Live presence panel integrated into edit view
 - **Admin Session Authentication** - Secure session tokens for Socket.IO
 - **Admin JWT Strategy** - New authentication strategy for admin users
+- **Enhanced Security** - Token hashing (SHA-256), usage limits, rate limiting
+- **Automatic Token Refresh** - Tokens auto-refresh at 70% of TTL
+- **Security Monitoring API** - Session stats and force-logout endpoints
 
 ### v5.0.0
 - Strapi v5 support

package/dist/_chunks/{LivePresencePanel-CNaEK-Gk.js → LivePresencePanel-2U3I3yL0.js}

@@ -7,7 +7,7 @@ const designSystem = require("@strapi/design-system");
 const admin = require("@strapi/strapi/admin");
 const styled = require("styled-components");
 const socket_ioClient = require("socket.io-client");
-const index$1 = require("./index--2NeIKGR.js");
+const index$1 = require("./index-BEZDDgvZ.js");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
 const styled__default = /* @__PURE__ */ _interopDefault(styled);
 const pulse = styled.keyframes`
@@ -181,19 +181,46 @@ const LivePresencePanel = ({ documentId, model, document }) => {
       return;
     }
     let cancelled = false;
-    const getSession = async () => {
+    let refreshTimeoutId = null;
+    const getSession = async (isRefresh = false) => {
       try {
-        setPresenceState((prev) => ({ ...prev, status: "requesting" }));
+        if (!isRefresh) {
+          setPresenceState((prev) => ({ ...prev, status: "requesting" }));
+        }
         const { data } = await post(`/${index$1.PLUGIN_ID}/presence/session`, {});
         if (cancelled) return;
         if (!data || !data.token) {
           throw new Error("Invalid session response");
         }
-        console.log(`[${index$1.PLUGIN_ID}] Presence session obtained for:`, data.user?.email);
+        console.log(`[${index$1.PLUGIN_ID}] Session ${isRefresh ? "refreshed" : "obtained"}:`, {
+          expiresIn: Math.round((data.expiresAt - Date.now()) / 1e3) + "s",
+          refreshAfter: Math.round((data.refreshAfter - Date.now()) / 1e3) + "s"
+        });
         setSessionData(data);
-        setPresenceState((prev) => ({ ...prev, status: "connecting" }));
+        if (!isRefresh) {
+          setPresenceState((prev) => ({ ...prev, status: "connecting" }));
+        }
+        if (data.refreshAfter) {
+          const refreshIn = data.refreshAfter - Date.now();
+          if (refreshIn > 0) {
+            console.log(`[${index$1.PLUGIN_ID}] Token refresh scheduled in ${Math.round(refreshIn / 1e3)}s`);
+            refreshTimeoutId = setTimeout(() => {
+              if (!cancelled) {
+                console.log(`[${index$1.PLUGIN_ID}] Refreshing session token...`);
+                getSession(true);
+              }
+            }, refreshIn);
+          }
+        }
       } catch (error2) {
         if (cancelled) return;
+        if (error2.response?.status === 429) {
+          console.warn(`[${index$1.PLUGIN_ID}] Rate limited, retrying in 30s...`);
+          refreshTimeoutId = setTimeout(() => {
+            if (!cancelled) getSession(isRefresh);
+          }, 3e4);
+          return;
+        }
         console.error(`[${index$1.PLUGIN_ID}] Failed to get presence session:`, error2);
         setPresenceState((prev) => ({
           ...prev,
@@ -205,6 +232,9 @@ const LivePresencePanel = ({ documentId, model, document }) => {
     getSession();
     return () => {
       cancelled = true;
+      if (refreshTimeoutId) {
+        clearTimeout(refreshTimeoutId);
+      }
     };
   }, [uid, documentId, post]);
   React.useEffect(() => {

package/dist/_chunks/{LivePresencePanel-BeNq_EnQ.mjs → LivePresencePanel-CIFG_05s.mjs}

@@ -5,7 +5,7 @@ import { Flex } from "@strapi/design-system";
 import { useFetchClient } from "@strapi/strapi/admin";
 import styled, { css, keyframes } from "styled-components";
 import { io } from "socket.io-client";
-import { P as PLUGIN_ID } from "./index-CzvX8YTe.mjs";
+import { P as PLUGIN_ID } from "./index-Dof_eA3e.mjs";
 const pulse = keyframes`
   0%, 100% { 
     box-shadow: 0 0 0 3px rgba(34, 197, 94, 0.2);
@@ -177,19 +177,46 @@ const LivePresencePanel = ({ documentId, model, document }) => {
       return;
     }
     let cancelled = false;
-    const getSession = async () => {
+    let refreshTimeoutId = null;
+    const getSession = async (isRefresh = false) => {
       try {
-        setPresenceState((prev) => ({ ...prev, status: "requesting" }));
+        if (!isRefresh) {
+          setPresenceState((prev) => ({ ...prev, status: "requesting" }));
+        }
         const { data } = await post(`/${PLUGIN_ID}/presence/session`, {});
         if (cancelled) return;
         if (!data || !data.token) {
           throw new Error("Invalid session response");
         }
-        console.log(`[${PLUGIN_ID}] Presence session obtained for:`, data.user?.email);
+        console.log(`[${PLUGIN_ID}] Session ${isRefresh ? "refreshed" : "obtained"}:`, {
+          expiresIn: Math.round((data.expiresAt - Date.now()) / 1e3) + "s",
+          refreshAfter: Math.round((data.refreshAfter - Date.now()) / 1e3) + "s"
+        });
         setSessionData(data);
-        setPresenceState((prev) => ({ ...prev, status: "connecting" }));
+        if (!isRefresh) {
+          setPresenceState((prev) => ({ ...prev, status: "connecting" }));
+        }
+        if (data.refreshAfter) {
+          const refreshIn = data.refreshAfter - Date.now();
+          if (refreshIn > 0) {
+            console.log(`[${PLUGIN_ID}] Token refresh scheduled in ${Math.round(refreshIn / 1e3)}s`);
+            refreshTimeoutId = setTimeout(() => {
+              if (!cancelled) {
+                console.log(`[${PLUGIN_ID}] Refreshing session token...`);
+                getSession(true);
+              }
+            }, refreshIn);
+          }
+        }
       } catch (error2) {
         if (cancelled) return;
+        if (error2.response?.status === 429) {
+          console.warn(`[${PLUGIN_ID}] Rate limited, retrying in 30s...`);
+          refreshTimeoutId = setTimeout(() => {
+            if (!cancelled) getSession(isRefresh);
+          }, 3e4);
+          return;
+        }
         console.error(`[${PLUGIN_ID}] Failed to get presence session:`, error2);
         setPresenceState((prev) => ({
           ...prev,
@@ -201,6 +228,9 @@ const LivePresencePanel = ({ documentId, model, document }) => {
     getSession();
     return () => {
       cancelled = true;
+      if (refreshTimeoutId) {
+        clearTimeout(refreshTimeoutId);
+      }
     };
   }, [uid, documentId, post]);
   useEffect(() => {

package/dist/_chunks/{MonitoringPage-K5Y3hhKF.js → MonitoringPage-9f4Gzd2X.js}

@@ -6,7 +6,7 @@ const admin = require("@strapi/strapi/admin");
 const styled = require("styled-components");
 const designSystem = require("@strapi/design-system");
 const index = require("./index-DkTxsEqL.js");
-const index$1 = require("./index--2NeIKGR.js");
+const index$1 = require("./index-BEZDDgvZ.js");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
 const styled__default = /* @__PURE__ */ _interopDefault(styled);
 const UsersIcon = () => /* @__PURE__ */ jsxRuntime.jsx("svg", { xmlns: "http://www.w3.org/2000/svg", fill: "none", viewBox: "0 0 24 24", strokeWidth: 1.5, stroke: "currentColor", children: /* @__PURE__ */ jsxRuntime.jsx("path", { strokeLinecap: "round", strokeLinejoin: "round", d: "M15 19.128a9.38 9.38 0 0 0 2.625.372 9.337 9.337 0 0 0 4.121-.952 4.125 4.125 0 0 0-7.533-2.493M15 19.128v-.003c0-1.113-.285-2.16-.786-3.07M15 19.128v.106A12.318 12.318 0 0 1 8.624 21c-2.331 0-4.512-.645-6.374-1.766l-.001-.109a6.375 6.375 0 0 1 11.964-3.07M12 6.375a3.375 3.375 0 1 1-6.75 0 3.375 3.375 0 0 1 6.75 0Zm8.25 2.25a2.625 2.625 0 1 1-5.25 0 2.625 2.625 0 0 1 5.25 0Z" }) });

package/dist/_chunks/{MonitoringPage-Bn9XJSlg.mjs → MonitoringPage-Bbkoh6ih.mjs}

@@ -4,7 +4,7 @@ import { useFetchClient, useNotification } from "@strapi/strapi/admin";
 import styled, { css, keyframes } from "styled-components";
 import { Box, Loader, Flex, Field, TextInput, Badge, Typography } from "@strapi/design-system";
 import { u as useIntl } from "./index-CEh8vkxY.mjs";
-import { P as PLUGIN_ID } from "./index-CzvX8YTe.mjs";
+import { P as PLUGIN_ID } from "./index-Dof_eA3e.mjs";
 const UsersIcon = () => /* @__PURE__ */ jsx("svg", { xmlns: "http://www.w3.org/2000/svg", fill: "none", viewBox: "0 0 24 24", strokeWidth: 1.5, stroke: "currentColor", children: /* @__PURE__ */ jsx("path", { strokeLinecap: "round", strokeLinejoin: "round", d: "M15 19.128a9.38 9.38 0 0 0 2.625.372 9.337 9.337 0 0 0 4.121-.952 4.125 4.125 0 0 0-7.533-2.493M15 19.128v-.003c0-1.113-.285-2.16-.786-3.07M15 19.128v.106A12.318 12.318 0 0 1 8.624 21c-2.331 0-4.512-.645-6.374-1.766l-.001-.109a6.375 6.375 0 0 1 11.964-3.07M12 6.375a3.375 3.375 0 1 1-6.75 0 3.375 3.375 0 0 1 6.75 0Zm8.25 2.25a2.625 2.625 0 1 1-5.25 0 2.625 2.625 0 0 1 5.25 0Z" }) });
 const BoltIcon = () => /* @__PURE__ */ jsx("svg", { xmlns: "http://www.w3.org/2000/svg", fill: "none", viewBox: "0 0 24 24", strokeWidth: 1.5, stroke: "currentColor", children: /* @__PURE__ */ jsx("path", { strokeLinecap: "round", strokeLinejoin: "round", d: "m3.75 13.5 10.5-11.25L12 10.5h8.25L9.75 21.75 12 13.5H3.75Z" }) });
 const ChartBarIcon = () => /* @__PURE__ */ jsx("svg", { xmlns: "http://www.w3.org/2000/svg", fill: "none", viewBox: "0 0 24 24", strokeWidth: 1.5, stroke: "currentColor", children: /* @__PURE__ */ jsx("path", { strokeLinecap: "round", strokeLinejoin: "round", d: "M3 13.125C3 12.504 3.504 12 4.125 12h2.25c.621 0 1.125.504 1.125 1.125v6.75C7.5 20.496 6.996 21 6.375 21h-2.25A1.125 1.125 0 0 1 3 19.875v-6.75ZM9.75 8.625c0-.621.504-1.125 1.125-1.125h2.25c.621 0 1.125.504 1.125 1.125v11.25c0 .621-.504 1.125-1.125 1.125h-2.25a1.125 1.125 0 0 1-1.125-1.125V8.625ZM16.5 4.125c0-.621.504-1.125 1.125-1.125h2.25C20.496 3 21 3.504 21 4.125v15.75c0 .621-.504 1.125-1.125 1.125h-2.25a1.125 1.125 0 0 1-1.125-1.125V4.125Z" }) });

package/dist/_chunks/{SettingsPage-DMbMGU6J.mjs → SettingsPage-Btz_5MuC.mjs}

@@ -5,7 +5,7 @@ import { Download, Upload, Check } from "@strapi/icons";
 import { useFetchClient, useNotification } from "@strapi/strapi/admin";
 import { u as useIntl } from "./index-CEh8vkxY.mjs";
 import styled from "styled-components";
-import { P as PLUGIN_ID } from "./index-CzvX8YTe.mjs";
+import { P as PLUGIN_ID } from "./index-Dof_eA3e.mjs";
 const ResponsiveMain = styled(Main)`
   & > div {
     padding: 16px !important;

package/dist/_chunks/{SettingsPage-4OkXJAjU.js → SettingsPage-CsRazf0j.js}

@@ -7,7 +7,7 @@ const icons = require("@strapi/icons");
 const admin = require("@strapi/strapi/admin");
 const index = require("./index-DkTxsEqL.js");
 const styled = require("styled-components");
-const index$1 = require("./index--2NeIKGR.js");
+const index$1 = require("./index-BEZDDgvZ.js");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
 const styled__default = /* @__PURE__ */ _interopDefault(styled);
 const ResponsiveMain = styled__default.default(designSystem.Main)`

package/dist/_chunks/{index--2NeIKGR.js → index-BEZDDgvZ.js}

@@ -51,7 +51,7 @@ const index = {
           },
           id: `${PLUGIN_ID}-settings`,
           to: `${PLUGIN_ID}/settings`,
-          Component: () => Promise.resolve().then(() => require("./SettingsPage-4OkXJAjU.js")).then((mod) => ({ default: mod.SettingsPage }))
+          Component: () => Promise.resolve().then(() => require("./SettingsPage-CsRazf0j.js")).then((mod) => ({ default: mod.SettingsPage }))
         },
         {
           intlLabel: {
@@ -60,7 +60,7 @@ const index = {
           },
           id: `${PLUGIN_ID}-monitoring`,
           to: `${PLUGIN_ID}/monitoring`,
-          Component: () => Promise.resolve().then(() => require("./MonitoringPage-K5Y3hhKF.js")).then((mod) => ({ default: mod.MonitoringPage }))
+          Component: () => Promise.resolve().then(() => require("./MonitoringPage-9f4Gzd2X.js")).then((mod) => ({ default: mod.MonitoringPage }))
         }
       ]
     );
@@ -84,7 +84,7 @@ const index = {
   async bootstrap(app) {
     console.log(`[${PLUGIN_ID}] [INFO] Bootstrapping plugin...`);
     try {
-      const { default: LivePresencePanel } = await Promise.resolve().then(() => require("./LivePresencePanel-CNaEK-Gk.js"));
+      const { default: LivePresencePanel } = await Promise.resolve().then(() => require("./LivePresencePanel-2U3I3yL0.js"));
       const contentManagerPlugin = app.getPlugin("content-manager");
       if (contentManagerPlugin && contentManagerPlugin.apis) {
         contentManagerPlugin.apis.addEditViewSidePanel([LivePresencePanel]);

package/dist/_chunks/{index-CzvX8YTe.mjs → index-Dof_eA3e.mjs}

@@ -50,7 +50,7 @@ const index = {
           },
           id: `${PLUGIN_ID}-settings`,
           to: `${PLUGIN_ID}/settings`,
-          Component: () => import("./SettingsPage-DMbMGU6J.mjs").then((mod) => ({ default: mod.SettingsPage }))
+          Component: () => import("./SettingsPage-Btz_5MuC.mjs").then((mod) => ({ default: mod.SettingsPage }))
         },
         {
           intlLabel: {
@@ -59,7 +59,7 @@ const index = {
           },
           id: `${PLUGIN_ID}-monitoring`,
           to: `${PLUGIN_ID}/monitoring`,
-          Component: () => import("./MonitoringPage-Bn9XJSlg.mjs").then((mod) => ({ default: mod.MonitoringPage }))
+          Component: () => import("./MonitoringPage-Bbkoh6ih.mjs").then((mod) => ({ default: mod.MonitoringPage }))
         }
       ]
     );
@@ -83,7 +83,7 @@ const index = {
   async bootstrap(app) {
     console.log(`[${PLUGIN_ID}] [INFO] Bootstrapping plugin...`);
     try {
-      const { default: LivePresencePanel } = await import("./LivePresencePanel-BeNq_EnQ.mjs");
+      const { default: LivePresencePanel } = await import("./LivePresencePanel-CIFG_05s.mjs");
       const contentManagerPlugin = app.getPlugin("content-manager");
       if (contentManagerPlugin && contentManagerPlugin.apis) {
         contentManagerPlugin.apis.addEditViewSidePanel([LivePresencePanel]);

package/dist/admin/index.js

@@ -1,3 +1,3 @@
 "use strict";
-const index = require("../_chunks/index--2NeIKGR.js");
+const index = require("../_chunks/index-BEZDDgvZ.js");
 module.exports = index.index;

package/dist/admin/index.mjs

@@ -1,4 +1,4 @@
-import { i } from "../_chunks/index-CzvX8YTe.mjs";
+import { i } from "../_chunks/index-Dof_eA3e.mjs";
 export {
   i as default
 };

package/dist/server/index.js

@@ -350,31 +350,56 @@ async function bootstrapIO$1({ strapi: strapi2 }) {
       return next(new Error("Max connections reached"));
     }
     const token = socket.handshake.auth?.token || socket.handshake.query?.token;
+    const strategy2 = socket.handshake.auth?.strategy;
+    const isAdmin = socket.handshake.auth?.isAdmin === true;
     if (token) {
-      try {
-        const decoded = await strapi2.plugin("users-permissions").service("jwt").verify(token);
-        strapi2.log.info(`socket.io: JWT decoded - user id: ${decoded.id}`);
-        if (decoded.id) {
-          const users = await strapi2.documents("plugin::users-permissions.user").findMany({
-            filters: { id: decoded.id },
-            populate: { role: true },
-            limit: 1
-          });
-          const user = users.length > 0 ? users[0] : null;
-          if (user) {
+      if (isAdmin || strategy2 === "admin-jwt") {
+        try {
+          const presenceController = strapi2.plugin(pluginId$6).controller("presence");
+          const session = presenceController.consumeSessionToken(token);
+          if (session) {
             socket.user = {
-              id: user.id,
-              username: user.username,
-              email: user.email,
-              role: user.role?.name || "authenticated"
+              id: session.userId,
+              username: `${session.user.firstname || ""} ${session.user.lastname || ""}`.trim() || `Admin ${session.userId}`,
+              email: session.user.email || `admin-${session.userId}`,
+              role: "strapi-super-admin",
+              isAdmin: true
             };
-            strapi2.log.info(`socket.io: User authenticated - ${user.username} (${user.email})`);
+            socket.adminUser = session.user;
+            presenceController.registerSocket(socket.id, token);
+            strapi2.log.info(`socket.io: Admin authenticated - ${socket.user.username} (ID: ${session.userId})`);
           } else {
-            strapi2.log.warn(`socket.io: User not found for id: ${decoded.id}`);
+            strapi2.log.warn(`socket.io: Admin session token invalid or expired`);
           }
+        } catch (err) {
+          strapi2.log.warn(`socket.io: Admin session verification failed: ${err.message}`);
+        }
+      } else {
+        try {
+          const decoded = await strapi2.plugin("users-permissions").service("jwt").verify(token);
+          strapi2.log.info(`socket.io: JWT decoded - user id: ${decoded.id}`);
+          if (decoded.id) {
+            const users = await strapi2.documents("plugin::users-permissions.user").findMany({
+              filters: { id: decoded.id },
+              populate: { role: true },
+              limit: 1
+            });
+            const user = users.length > 0 ? users[0] : null;
+            if (user) {
+              socket.user = {
+                id: user.id,
+                username: user.username,
+                email: user.email,
+                role: user.role?.name || "authenticated"
+              };
+              strapi2.log.info(`socket.io: User authenticated - ${user.username} (${user.email})`);
+            } else {
+              strapi2.log.warn(`socket.io: User not found for id: ${decoded.id}`);
+            }
+          }
+        } catch (err) {
+          strapi2.log.warn(`socket.io: JWT verification failed: ${err.message}`);
         }
-      } catch (err) {
-        strapi2.log.warn(`socket.io: JWT verification failed: ${err.message}`);
       }
     } else {
       strapi2.log.debug(`socket.io: No token provided, connecting as public`);
@@ -690,6 +715,13 @@ async function bootstrapIO$1({ strapi: strapi2 }) {
       if (settings2.livePreview?.enabled !== false) {
         previewService.cleanupSocket(socket.id);
       }
+      try {
+        const presenceController = strapi2.plugin(pluginId$6).controller("presence");
+        if (presenceController?.unregisterSocket) {
+          presenceController.unregisterSocket(socket.id);
+        }
+      } catch (e) {
+      }
     });
     socket.on("error", (error2) => {
       strapi2.log.error(`socket.io: Socket error (id: ${socket.id}): ${error2.message}`);
@@ -1311,19 +1343,38 @@ var settings$3 = ({ strapi: strapi2 }) => ({
     };
   }
 });
-const { randomUUID } = require$$1__default.default;
+const { randomUUID, createHash } = require$$1__default.default;
 const sessionTokens = /* @__PURE__ */ new Map();
+const activeSockets = /* @__PURE__ */ new Map();
+const refreshThrottle = /* @__PURE__ */ new Map();
+const SESSION_TTL = 10 * 60 * 1e3;
+const REFRESH_COOLDOWN = 30 * 1e3;
+const CLEANUP_INTERVAL = 2 * 60 * 1e3;
+const hashToken = (token) => {
+  return createHash("sha256").update(token).digest("hex");
+};
 setInterval(() => {
   const now = Date.now();
-  for (const [token, session] of sessionTokens.entries()) {
+  let cleaned = 0;
+  for (const [tokenHash, session] of sessionTokens.entries()) {
     if (session.expiresAt < now) {
-      sessionTokens.delete(token);
+      sessionTokens.delete(tokenHash);
+      cleaned++;
     }
   }
-}, 5 * 60 * 1e3);
+  for (const [userId, lastRefresh] of refreshThrottle.entries()) {
+    if (now - lastRefresh > 60 * 60 * 1e3) {
+      refreshThrottle.delete(userId);
+    }
+  }
+  if (cleaned > 0) {
+    console.log(`[plugin-io] [CLEANUP] Removed ${cleaned} expired session tokens`);
+  }
+}, CLEANUP_INTERVAL);
 var presence$3 = ({ strapi: strapi2 }) => ({
   /**
    * Creates a session token for admin users to connect to Socket.IO
+   * Implements rate limiting and secure token storage
    * @param {object} ctx - Koa context
    */
   async createSession(ctx) {
@@ -1332,28 +1383,40 @@ var presence$3 = ({ strapi: strapi2 }) => ({
       strapi2.log.warn("[plugin-io] Presence session requested without admin user");
       return ctx.unauthorized("Admin authentication required");
     }
+    const lastRefresh = refreshThrottle.get(adminUser.id);
+    const now = Date.now();
+    if (lastRefresh && now - lastRefresh < REFRESH_COOLDOWN) {
+      const waitTime = Math.ceil((REFRESH_COOLDOWN - (now - lastRefresh)) / 1e3);
+      strapi2.log.warn(`[plugin-io] Rate limit: User ${adminUser.id} must wait ${waitTime}s`);
+      return ctx.tooManyRequests(`Please wait ${waitTime} seconds before requesting a new session`);
+    }
     try {
       const token = randomUUID();
-      const expiresAt = Date.now() + 2 * 60 * 1e3;
-      sessionTokens.set(token, {
-        token,
+      const tokenHash = hashToken(token);
+      const expiresAt = now + SESSION_TTL;
+      sessionTokens.set(tokenHash, {
+        tokenHash,
+        userId: adminUser.id,
         user: {
           id: adminUser.id,
-          email: adminUser.email,
+          // Only store minimal user data needed for display
           firstname: adminUser.firstname,
           lastname: adminUser.lastname
         },
-        expiresAt
+        createdAt: now,
+        expiresAt,
+        usageCount: 0,
+        maxUsage: 10
+        // Max reconnects with same token
       });
-      strapi2.log.info(`[plugin-io] Presence session created for admin user: ${adminUser.email}`);
+      refreshThrottle.set(adminUser.id, now);
+      strapi2.log.info(`[plugin-io] Presence session created for admin user: ${adminUser.id}`);
       ctx.body = {
         token,
-        user: {
-          id: adminUser.id,
-          email: adminUser.email,
-          firstname: adminUser.firstname,
-          lastname: adminUser.lastname
-        },
+        // Send plaintext token to client (only time it's exposed)
+        expiresAt,
+        refreshAfter: now + SESSION_TTL * 0.7,
+        // Suggest refresh at 70% of TTL
         wsPath: "/socket.io",
         wsUrl: `${ctx.protocol}://${ctx.host}`
       };
@@ -1363,23 +1426,142 @@ var presence$3 = ({ strapi: strapi2 }) => ({
     }
   },
   /**
-   * Validates and consumes a session token (one-time use)
+   * Validates a session token and tracks usage
+   * Implements usage limits to prevent token abuse
    * @param {string} token - Session token to validate
    * @returns {object|null} Session data or null if invalid/expired
    */
   consumeSessionToken(token) {
-    if (!token) {
+    if (!token || typeof token !== "string") {
       return null;
     }
-    const session = sessionTokens.get(token);
+    const tokenHash = hashToken(token);
+    const session = sessionTokens.get(tokenHash);
     if (!session) {
+      strapi2.log.debug("[plugin-io] Token not found in session store");
       return null;
     }
-    if (session.expiresAt < Date.now()) {
-      sessionTokens.delete(token);
+    const now = Date.now();
+    if (session.expiresAt < now) {
+      sessionTokens.delete(tokenHash);
+      strapi2.log.debug("[plugin-io] Token expired, removed from store");
       return null;
     }
+    if (session.usageCount >= session.maxUsage) {
+      strapi2.log.warn(`[plugin-io] Token usage limit exceeded for user ${session.userId}`);
+      sessionTokens.delete(tokenHash);
+      return null;
+    }
+    session.usageCount++;
+    session.lastUsed = now;
     return session;
+  },
+  /**
+   * Registers a socket as using a specific token
+   * @param {string} socketId - Socket ID
+   * @param {string} token - The token being used
+   */
+  registerSocket(socketId, token) {
+    if (!socketId || !token) return;
+    const tokenHash = hashToken(token);
+    activeSockets.set(socketId, tokenHash);
+  },
+  /**
+   * Unregisters a socket when it disconnects
+   * @param {string} socketId - Socket ID
+   */
+  unregisterSocket(socketId) {
+    activeSockets.delete(socketId);
+  },
+  /**
+   * Invalidates all sessions for a specific user (e.g., on logout)
+   * @param {number} userId - User ID to invalidate
+   * @returns {number} Number of sessions invalidated
+   */
+  invalidateUserSessions(userId) {
+    let invalidated = 0;
+    for (const [tokenHash, session] of sessionTokens.entries()) {
+      if (session.userId === userId) {
+        sessionTokens.delete(tokenHash);
+        invalidated++;
+      }
+    }
+    refreshThrottle.delete(userId);
+    strapi2.log.info(`[plugin-io] Invalidated ${invalidated} sessions for user ${userId}`);
+    return invalidated;
+  },
+  /**
+   * Gets session statistics (for monitoring) - internal method
+   * @returns {object} Session statistics
+   */
+  getSessionStatsInternal() {
+    const now = Date.now();
+    let active = 0;
+    let expiringSoon = 0;
+    for (const session of sessionTokens.values()) {
+      if (session.expiresAt > now) {
+        active++;
+        if (session.expiresAt - now < 2 * 60 * 1e3) {
+          expiringSoon++;
+        }
+      }
+    }
+    return {
+      activeSessions: active,
+      expiringSoon,
+      activeSocketConnections: activeSockets.size,
+      sessionTTL: SESSION_TTL,
+      refreshCooldown: REFRESH_COOLDOWN
+    };
+  },
+  /**
+   * HTTP Handler: Gets session statistics for admin monitoring
+   * @param {object} ctx - Koa context
+   */
+  async getSessionStats(ctx) {
+    const adminUser = ctx.state.user;
+    if (!adminUser) {
+      return ctx.unauthorized("Admin authentication required");
+    }
+    try {
+      const stats = this.getSessionStatsInternal();
+      ctx.body = { data: stats };
+    } catch (error2) {
+      strapi2.log.error("[plugin-io] Failed to get session stats:", error2);
+      return ctx.internalServerError("Failed to get session statistics");
+    }
+  },
+  /**
+   * HTTP Handler: Invalidates all sessions for a specific user
+   * @param {object} ctx - Koa context
+   */
+  async invalidateUserSessionsHandler(ctx) {
+    const adminUser = ctx.state.user;
+    if (!adminUser) {
+      return ctx.unauthorized("Admin authentication required");
+    }
+    const { userId } = ctx.params;
+    if (!userId) {
+      return ctx.badRequest("User ID is required");
+    }
+    try {
+      const userIdNum = parseInt(userId, 10);
+      if (isNaN(userIdNum)) {
+        return ctx.badRequest("Invalid user ID");
+      }
+      const invalidated = this.invalidateUserSessions(userIdNum);
+      strapi2.log.info(`[plugin-io] Admin ${adminUser.id} invalidated ${invalidated} sessions for user ${userIdNum}`);
+      ctx.body = {
+        data: {
+          userId: userIdNum,
+          invalidatedSessions: invalidated,
+          message: `Successfully invalidated ${invalidated} session(s)`
+        }
+      };
+    } catch (error2) {
+      strapi2.log.error("[plugin-io] Failed to invalidate user sessions:", error2);
+      return ctx.internalServerError("Failed to invalidate sessions");
+    }
   }
 });
 const settings$2 = settings$3;
@@ -1471,6 +1653,24 @@ var admin$1 = {
       config: {
         policies: ["admin::isAuthenticatedAdmin"]
       }
+    },
+    // Security: Session statistics
+    {
+      method: "GET",
+      path: "/security/sessions",
+      handler: "presence.getSessionStats",
+      config: {
+        policies: ["admin::isAuthenticatedAdmin"]
+      }
+    },
+    // Security: Invalidate user sessions (force logout)
+    {
+      method: "POST",
+      path: "/security/invalidate/:userId",
+      handler: "presence.invalidateUserSessionsHandler",
+      config: {
+        policies: ["admin::isAuthenticatedAdmin"]
+      }
     }
   ]
 };
@@ -29677,21 +29877,55 @@ var strategies = ({ strapi: strapi2 }) => {
     credentials: function(user) {
       return `${this.name}-${user.id}`;
     },
-    authenticate: async function(auth) {
+    /**
+     * Authenticates admin user via session token
+     * @param {object} auth - Auth object containing token
+     * @param {object} socket - Socket instance for registration
+     * @returns {object} User data if authenticated
+     * @throws {UnauthorizedError} If authentication fails
+     */
+    authenticate: async function(auth, socket) {
       const token2 = auth.token;
-      if (!token2) {
+      if (!token2 || typeof token2 !== "string") {
+        strapi2.log.warn("[plugin-io] Admin auth failed: No token provided");
         throw new UnauthorizedError2("Invalid admin credentials");
       }
+      const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+      if (!uuidRegex.test(token2)) {
+        strapi2.log.warn("[plugin-io] Admin auth failed: Invalid token format");
+        throw new UnauthorizedError2("Invalid token format");
+      }
       try {
         const presenceController = strapi2.plugin("io").controller("presence");
         const session = presenceController.consumeSessionToken(token2);
         if (!session) {
+          strapi2.log.warn("[plugin-io] Admin auth failed: Token not valid or expired");
           throw new UnauthorizedError2("Invalid or expired session token");
         }
-        return session.user;
+        if (socket?.id) {
+          presenceController.registerSocket(socket.id, token2);
+        }
+        strapi2.log.info(`[plugin-io] Admin authenticated: User ID ${session.userId}`);
+        return {
+          id: session.userId,
+          ...session.user
+        };
       } catch (error2) {
-        strapi2.log.warn("[plugin-io] Admin session verification failed:", error2.message);
-        throw new UnauthorizedError2("Invalid admin credentials");
+        if (error2 instanceof UnauthorizedError2) {
+          throw error2;
+        }
+        strapi2.log.error("[plugin-io] Admin session verification error:", error2.message);
+        throw new UnauthorizedError2("Authentication failed");
+      }
+    },
+    /**
+     * Cleanup when socket disconnects
+     * @param {object} socket - Socket instance
+     */
+    onDisconnect: function(socket) {
+      if (socket?.id) {
+        const presenceController = strapi2.plugin("io").controller("presence");
+        presenceController.unregisterSocket(socket.id);
       }
     },
     getRoomName: function(user) {

package/dist/server/index.mjs

@@ -318,31 +318,56 @@ async function bootstrapIO$1({ strapi: strapi2 }) {
       return next(new Error("Max connections reached"));
     }
     const token = socket.handshake.auth?.token || socket.handshake.query?.token;
+    const strategy2 = socket.handshake.auth?.strategy;
+    const isAdmin = socket.handshake.auth?.isAdmin === true;
     if (token) {
-      try {
-        const decoded = await strapi2.plugin("users-permissions").service("jwt").verify(token);
-        strapi2.log.info(`socket.io: JWT decoded - user id: ${decoded.id}`);
-        if (decoded.id) {
-          const users = await strapi2.documents("plugin::users-permissions.user").findMany({
-            filters: { id: decoded.id },
-            populate: { role: true },
-            limit: 1
-          });
-          const user = users.length > 0 ? users[0] : null;
-          if (user) {
+      if (isAdmin || strategy2 === "admin-jwt") {
+        try {
+          const presenceController = strapi2.plugin(pluginId$6).controller("presence");
+          const session = presenceController.consumeSessionToken(token);
+          if (session) {
             socket.user = {
-              id: user.id,
-              username: user.username,
-              email: user.email,
-              role: user.role?.name || "authenticated"
+              id: session.userId,
+              username: `${session.user.firstname || ""} ${session.user.lastname || ""}`.trim() || `Admin ${session.userId}`,
+              email: session.user.email || `admin-${session.userId}`,
+              role: "strapi-super-admin",
+              isAdmin: true
             };
-            strapi2.log.info(`socket.io: User authenticated - ${user.username} (${user.email})`);
+            socket.adminUser = session.user;
+            presenceController.registerSocket(socket.id, token);
+            strapi2.log.info(`socket.io: Admin authenticated - ${socket.user.username} (ID: ${session.userId})`);
           } else {
-            strapi2.log.warn(`socket.io: User not found for id: ${decoded.id}`);
+            strapi2.log.warn(`socket.io: Admin session token invalid or expired`);
           }
+        } catch (err) {
+          strapi2.log.warn(`socket.io: Admin session verification failed: ${err.message}`);
+        }
+      } else {
+        try {
+          const decoded = await strapi2.plugin("users-permissions").service("jwt").verify(token);
+          strapi2.log.info(`socket.io: JWT decoded - user id: ${decoded.id}`);
+          if (decoded.id) {
+            const users = await strapi2.documents("plugin::users-permissions.user").findMany({
+              filters: { id: decoded.id },
+              populate: { role: true },
+              limit: 1
+            });
+            const user = users.length > 0 ? users[0] : null;
+            if (user) {
+              socket.user = {
+                id: user.id,
+                username: user.username,
+                email: user.email,
+                role: user.role?.name || "authenticated"
+              };
+              strapi2.log.info(`socket.io: User authenticated - ${user.username} (${user.email})`);
+            } else {
+              strapi2.log.warn(`socket.io: User not found for id: ${decoded.id}`);
+            }
+          }
+        } catch (err) {
+          strapi2.log.warn(`socket.io: JWT verification failed: ${err.message}`);
         }
-      } catch (err) {
-        strapi2.log.warn(`socket.io: JWT verification failed: ${err.message}`);
       }
     } else {
       strapi2.log.debug(`socket.io: No token provided, connecting as public`);
@@ -658,6 +683,13 @@ async function bootstrapIO$1({ strapi: strapi2 }) {
       if (settings2.livePreview?.enabled !== false) {
         previewService.cleanupSocket(socket.id);
       }
+      try {
+        const presenceController = strapi2.plugin(pluginId$6).controller("presence");
+        if (presenceController?.unregisterSocket) {
+          presenceController.unregisterSocket(socket.id);
+        }
+      } catch (e) {
+      }
     });
     socket.on("error", (error2) => {
       strapi2.log.error(`socket.io: Socket error (id: ${socket.id}): ${error2.message}`);
@@ -1279,19 +1311,38 @@ var settings$3 = ({ strapi: strapi2 }) => ({
     };
   }
 });
-const { randomUUID } = require$$1;
+const { randomUUID, createHash } = require$$1;
 const sessionTokens = /* @__PURE__ */ new Map();
+const activeSockets = /* @__PURE__ */ new Map();
+const refreshThrottle = /* @__PURE__ */ new Map();
+const SESSION_TTL = 10 * 60 * 1e3;
+const REFRESH_COOLDOWN = 30 * 1e3;
+const CLEANUP_INTERVAL = 2 * 60 * 1e3;
+const hashToken = (token) => {
+  return createHash("sha256").update(token).digest("hex");
+};
 setInterval(() => {
   const now = Date.now();
-  for (const [token, session] of sessionTokens.entries()) {
+  let cleaned = 0;
+  for (const [tokenHash, session] of sessionTokens.entries()) {
     if (session.expiresAt < now) {
-      sessionTokens.delete(token);
+      sessionTokens.delete(tokenHash);
+      cleaned++;
     }
   }
-}, 5 * 60 * 1e3);
+  for (const [userId, lastRefresh] of refreshThrottle.entries()) {
+    if (now - lastRefresh > 60 * 60 * 1e3) {
+      refreshThrottle.delete(userId);
+    }
+  }
+  if (cleaned > 0) {
+    console.log(`[plugin-io] [CLEANUP] Removed ${cleaned} expired session tokens`);
+  }
+}, CLEANUP_INTERVAL);
 var presence$3 = ({ strapi: strapi2 }) => ({
   /**
    * Creates a session token for admin users to connect to Socket.IO
+   * Implements rate limiting and secure token storage
    * @param {object} ctx - Koa context
    */
   async createSession(ctx) {
@@ -1300,28 +1351,40 @@ var presence$3 = ({ strapi: strapi2 }) => ({
       strapi2.log.warn("[plugin-io] Presence session requested without admin user");
       return ctx.unauthorized("Admin authentication required");
     }
+    const lastRefresh = refreshThrottle.get(adminUser.id);
+    const now = Date.now();
+    if (lastRefresh && now - lastRefresh < REFRESH_COOLDOWN) {
+      const waitTime = Math.ceil((REFRESH_COOLDOWN - (now - lastRefresh)) / 1e3);
+      strapi2.log.warn(`[plugin-io] Rate limit: User ${adminUser.id} must wait ${waitTime}s`);
+      return ctx.tooManyRequests(`Please wait ${waitTime} seconds before requesting a new session`);
+    }
     try {
       const token = randomUUID();
-      const expiresAt = Date.now() + 2 * 60 * 1e3;
-      sessionTokens.set(token, {
-        token,
+      const tokenHash = hashToken(token);
+      const expiresAt = now + SESSION_TTL;
+      sessionTokens.set(tokenHash, {
+        tokenHash,
+        userId: adminUser.id,
         user: {
           id: adminUser.id,
-          email: adminUser.email,
+          // Only store minimal user data needed for display
           firstname: adminUser.firstname,
           lastname: adminUser.lastname
         },
-        expiresAt
+        createdAt: now,
+        expiresAt,
+        usageCount: 0,
+        maxUsage: 10
+        // Max reconnects with same token
       });
-      strapi2.log.info(`[plugin-io] Presence session created for admin user: ${adminUser.email}`);
+      refreshThrottle.set(adminUser.id, now);
+      strapi2.log.info(`[plugin-io] Presence session created for admin user: ${adminUser.id}`);
       ctx.body = {
         token,
-        user: {
-          id: adminUser.id,
-          email: adminUser.email,
-          firstname: adminUser.firstname,
-          lastname: adminUser.lastname
-        },
+        // Send plaintext token to client (only time it's exposed)
+        expiresAt,
+        refreshAfter: now + SESSION_TTL * 0.7,
+        // Suggest refresh at 70% of TTL
         wsPath: "/socket.io",
         wsUrl: `${ctx.protocol}://${ctx.host}`
       };
@@ -1331,23 +1394,142 @@ var presence$3 = ({ strapi: strapi2 }) => ({
     }
   },
   /**
-   * Validates and consumes a session token (one-time use)
+   * Validates a session token and tracks usage
+   * Implements usage limits to prevent token abuse
    * @param {string} token - Session token to validate
    * @returns {object|null} Session data or null if invalid/expired
    */
   consumeSessionToken(token) {
-    if (!token) {
+    if (!token || typeof token !== "string") {
       return null;
     }
-    const session = sessionTokens.get(token);
+    const tokenHash = hashToken(token);
+    const session = sessionTokens.get(tokenHash);
     if (!session) {
+      strapi2.log.debug("[plugin-io] Token not found in session store");
       return null;
     }
-    if (session.expiresAt < Date.now()) {
-      sessionTokens.delete(token);
+    const now = Date.now();
+    if (session.expiresAt < now) {
+      sessionTokens.delete(tokenHash);
+      strapi2.log.debug("[plugin-io] Token expired, removed from store");
       return null;
     }
+    if (session.usageCount >= session.maxUsage) {
+      strapi2.log.warn(`[plugin-io] Token usage limit exceeded for user ${session.userId}`);
+      sessionTokens.delete(tokenHash);
+      return null;
+    }
+    session.usageCount++;
+    session.lastUsed = now;
     return session;
+  },
+  /**
+   * Registers a socket as using a specific token
+   * @param {string} socketId - Socket ID
+   * @param {string} token - The token being used
+   */
+  registerSocket(socketId, token) {
+    if (!socketId || !token) return;
+    const tokenHash = hashToken(token);
+    activeSockets.set(socketId, tokenHash);
+  },
+  /**
+   * Unregisters a socket when it disconnects
+   * @param {string} socketId - Socket ID
+   */
+  unregisterSocket(socketId) {
+    activeSockets.delete(socketId);
+  },
+  /**
+   * Invalidates all sessions for a specific user (e.g., on logout)
+   * @param {number} userId - User ID to invalidate
+   * @returns {number} Number of sessions invalidated
+   */
+  invalidateUserSessions(userId) {
+    let invalidated = 0;
+    for (const [tokenHash, session] of sessionTokens.entries()) {
+      if (session.userId === userId) {
+        sessionTokens.delete(tokenHash);
+        invalidated++;
+      }
+    }
+    refreshThrottle.delete(userId);
+    strapi2.log.info(`[plugin-io] Invalidated ${invalidated} sessions for user ${userId}`);
+    return invalidated;
+  },
+  /**
+   * Gets session statistics (for monitoring) - internal method
+   * @returns {object} Session statistics
+   */
+  getSessionStatsInternal() {
+    const now = Date.now();
+    let active = 0;
+    let expiringSoon = 0;
+    for (const session of sessionTokens.values()) {
+      if (session.expiresAt > now) {
+        active++;
+        if (session.expiresAt - now < 2 * 60 * 1e3) {
+          expiringSoon++;
+        }
+      }
+    }
+    return {
+      activeSessions: active,
+      expiringSoon,
+      activeSocketConnections: activeSockets.size,
+      sessionTTL: SESSION_TTL,
+      refreshCooldown: REFRESH_COOLDOWN
+    };
+  },
+  /**
+   * HTTP Handler: Gets session statistics for admin monitoring
+   * @param {object} ctx - Koa context
+   */
+  async getSessionStats(ctx) {
+    const adminUser = ctx.state.user;
+    if (!adminUser) {
+      return ctx.unauthorized("Admin authentication required");
+    }
+    try {
+      const stats = this.getSessionStatsInternal();
+      ctx.body = { data: stats };
+    } catch (error2) {
+      strapi2.log.error("[plugin-io] Failed to get session stats:", error2);
+      return ctx.internalServerError("Failed to get session statistics");
+    }
+  },
+  /**
+   * HTTP Handler: Invalidates all sessions for a specific user
+   * @param {object} ctx - Koa context
+   */
+  async invalidateUserSessionsHandler(ctx) {
+    const adminUser = ctx.state.user;
+    if (!adminUser) {
+      return ctx.unauthorized("Admin authentication required");
+    }
+    const { userId } = ctx.params;
+    if (!userId) {
+      return ctx.badRequest("User ID is required");
+    }
+    try {
+      const userIdNum = parseInt(userId, 10);
+      if (isNaN(userIdNum)) {
+        return ctx.badRequest("Invalid user ID");
+      }
+      const invalidated = this.invalidateUserSessions(userIdNum);
+      strapi2.log.info(`[plugin-io] Admin ${adminUser.id} invalidated ${invalidated} sessions for user ${userIdNum}`);
+      ctx.body = {
+        data: {
+          userId: userIdNum,
+          invalidatedSessions: invalidated,
+          message: `Successfully invalidated ${invalidated} session(s)`
+        }
+      };
+    } catch (error2) {
+      strapi2.log.error("[plugin-io] Failed to invalidate user sessions:", error2);
+      return ctx.internalServerError("Failed to invalidate sessions");
+    }
   }
 });
 const settings$2 = settings$3;
@@ -1439,6 +1621,24 @@ var admin$1 = {
       config: {
         policies: ["admin::isAuthenticatedAdmin"]
       }
+    },
+    // Security: Session statistics
+    {
+      method: "GET",
+      path: "/security/sessions",
+      handler: "presence.getSessionStats",
+      config: {
+        policies: ["admin::isAuthenticatedAdmin"]
+      }
+    },
+    // Security: Invalidate user sessions (force logout)
+    {
+      method: "POST",
+      path: "/security/invalidate/:userId",
+      handler: "presence.invalidateUserSessionsHandler",
+      config: {
+        policies: ["admin::isAuthenticatedAdmin"]
+      }
     }
   ]
 };
@@ -29645,21 +29845,55 @@ var strategies = ({ strapi: strapi2 }) => {
     credentials: function(user) {
       return `${this.name}-${user.id}`;
     },
-    authenticate: async function(auth) {
+    /**
+     * Authenticates admin user via session token
+     * @param {object} auth - Auth object containing token
+     * @param {object} socket - Socket instance for registration
+     * @returns {object} User data if authenticated
+     * @throws {UnauthorizedError} If authentication fails
+     */
+    authenticate: async function(auth, socket) {
       const token2 = auth.token;
-      if (!token2) {
+      if (!token2 || typeof token2 !== "string") {
+        strapi2.log.warn("[plugin-io] Admin auth failed: No token provided");
         throw new UnauthorizedError2("Invalid admin credentials");
       }
+      const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+      if (!uuidRegex.test(token2)) {
+        strapi2.log.warn("[plugin-io] Admin auth failed: Invalid token format");
+        throw new UnauthorizedError2("Invalid token format");
+      }
       try {
         const presenceController = strapi2.plugin("io").controller("presence");
         const session = presenceController.consumeSessionToken(token2);
         if (!session) {
+          strapi2.log.warn("[plugin-io] Admin auth failed: Token not valid or expired");
           throw new UnauthorizedError2("Invalid or expired session token");
         }
-        return session.user;
+        if (socket?.id) {
+          presenceController.registerSocket(socket.id, token2);
+        }
+        strapi2.log.info(`[plugin-io] Admin authenticated: User ID ${session.userId}`);
+        return {
+          id: session.userId,
+          ...session.user
+        };
       } catch (error2) {
-        strapi2.log.warn("[plugin-io] Admin session verification failed:", error2.message);
-        throw new UnauthorizedError2("Invalid admin credentials");
+        if (error2 instanceof UnauthorizedError2) {
+          throw error2;
+        }
+        strapi2.log.error("[plugin-io] Admin session verification error:", error2.message);
+        throw new UnauthorizedError2("Authentication failed");
+      }
+    },
+    /**
+     * Cleanup when socket disconnects
+     * @param {object} socket - Socket instance
+     */
+    onDisconnect: function(socket) {
+      if (socket?.id) {
+        const presenceController = strapi2.plugin("io").controller("presence");
+        presenceController.unregisterSocket(socket.id);
       }
     },
     getRoomName: function(user) {

package/package.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://json.schemastore.org/package",
   "name": "@strapi-community/plugin-io",
-  "version": "5.1.0",
+  "version": "5.2.0",
   "description": "A plugin for Strapi CMS that provides the ability for Socket IO integration",
   "keywords": [
     "strapi",