@strapi-community/plugin-io 5.1.0 → 5.3.0

package/dist/server/index.js

@@ -350,31 +350,56 @@ async function bootstrapIO$1({ strapi: strapi2 }) {
       return next(new Error("Max connections reached"));
     }
     const token = socket.handshake.auth?.token || socket.handshake.query?.token;
+    const strategy2 = socket.handshake.auth?.strategy;
+    const isAdmin = socket.handshake.auth?.isAdmin === true;
     if (token) {
-      try {
-        const decoded = await strapi2.plugin("users-permissions").service("jwt").verify(token);
-        strapi2.log.info(`socket.io: JWT decoded - user id: ${decoded.id}`);
-        if (decoded.id) {
-          const users = await strapi2.documents("plugin::users-permissions.user").findMany({
-            filters: { id: decoded.id },
-            populate: { role: true },
-            limit: 1
-          });
-          const user = users.length > 0 ? users[0] : null;
-          if (user) {
+      if (isAdmin || strategy2 === "admin-jwt") {
+        try {
+          const presenceController = strapi2.plugin(pluginId$6).controller("presence");
+          const session = presenceController.consumeSessionToken(token);
+          if (session) {
             socket.user = {
-              id: user.id,
-              username: user.username,
-              email: user.email,
-              role: user.role?.name || "authenticated"
+              id: session.userId,
+              username: `${session.user.firstname || ""} ${session.user.lastname || ""}`.trim() || `Admin ${session.userId}`,
+              email: session.user.email || `admin-${session.userId}`,
+              role: "strapi-super-admin",
+              isAdmin: true
             };
-            strapi2.log.info(`socket.io: User authenticated - ${user.username} (${user.email})`);
+            socket.adminUser = session.user;
+            presenceController.registerSocket(socket.id, token);
+            strapi2.log.info(`socket.io: Admin authenticated - ${socket.user.username} (ID: ${session.userId})`);
           } else {
-            strapi2.log.warn(`socket.io: User not found for id: ${decoded.id}`);
+            strapi2.log.warn(`socket.io: Admin session token invalid or expired`);
           }
+        } catch (err) {
+          strapi2.log.warn(`socket.io: Admin session verification failed: ${err.message}`);
+        }
+      } else {
+        try {
+          const decoded = await strapi2.plugin("users-permissions").service("jwt").verify(token);
+          strapi2.log.info(`socket.io: JWT decoded - user id: ${decoded.id}`);
+          if (decoded.id) {
+            const users = await strapi2.documents("plugin::users-permissions.user").findMany({
+              filters: { id: decoded.id },
+              populate: { role: true },
+              limit: 1
+            });
+            const user = users.length > 0 ? users[0] : null;
+            if (user) {
+              socket.user = {
+                id: user.id,
+                username: user.username,
+                email: user.email,
+                role: user.role?.name || "authenticated"
+              };
+              strapi2.log.info(`socket.io: User authenticated - ${user.username} (${user.email})`);
+            } else {
+              strapi2.log.warn(`socket.io: User not found for id: ${decoded.id}`);
+            }
+          }
+        } catch (err) {
+          strapi2.log.warn(`socket.io: JWT verification failed: ${err.message}`);
         }
-      } catch (err) {
-        strapi2.log.warn(`socket.io: JWT verification failed: ${err.message}`);
       }
     } else {
       strapi2.log.debug(`socket.io: No token provided, connecting as public`);
@@ -641,7 +666,9 @@ async function bootstrapIO$1({ strapi: strapi2 }) {
     });
     socket.on("get-entity-subscriptions", (callback) => {
       const rooms = Array.from(socket.rooms).filter((r) => r !== socket.id && r.includes(":")).map((room) => {
-        const [uid, id] = room.split(":");
+        const lastColonIndex = room.lastIndexOf(":");
+        const uid = room.substring(0, lastColonIndex);
+        const id = room.substring(lastColonIndex + 1);
         return { uid, id, room };
       });
       if (callback) callback({ success: true, subscriptions: rooms });
@@ -690,6 +717,13 @@ async function bootstrapIO$1({ strapi: strapi2 }) {
       if (settings2.livePreview?.enabled !== false) {
         previewService.cleanupSocket(socket.id);
       }
+      try {
+        const presenceController = strapi2.plugin(pluginId$6).controller("presence");
+        if (presenceController?.unregisterSocket) {
+          presenceController.unregisterSocket(socket.id);
+        }
+      } catch (e) {
+      }
     });
     socket.on("error", (error2) => {
       strapi2.log.error(`socket.io: Socket error (id: ${socket.id}): ${error2.message}`);
@@ -1311,19 +1345,38 @@ var settings$3 = ({ strapi: strapi2 }) => ({
     };
   }
 });
-const { randomUUID } = require$$1__default.default;
+const { randomUUID, createHash } = require$$1__default.default;
 const sessionTokens = /* @__PURE__ */ new Map();
+const activeSockets = /* @__PURE__ */ new Map();
+const refreshThrottle = /* @__PURE__ */ new Map();
+const SESSION_TTL = 10 * 60 * 1e3;
+const REFRESH_COOLDOWN = 3 * 1e3;
+const CLEANUP_INTERVAL = 2 * 60 * 1e3;
+const hashToken = (token) => {
+  return createHash("sha256").update(token).digest("hex");
+};
 setInterval(() => {
   const now = Date.now();
-  for (const [token, session] of sessionTokens.entries()) {
+  let cleaned = 0;
+  for (const [tokenHash, session] of sessionTokens.entries()) {
     if (session.expiresAt < now) {
-      sessionTokens.delete(token);
+      sessionTokens.delete(tokenHash);
+      cleaned++;
     }
   }
-}, 5 * 60 * 1e3);
+  for (const [userId, lastRefresh] of refreshThrottle.entries()) {
+    if (now - lastRefresh > 60 * 60 * 1e3) {
+      refreshThrottle.delete(userId);
+    }
+  }
+  if (cleaned > 0) {
+    console.log(`[plugin-io] [CLEANUP] Removed ${cleaned} expired session tokens`);
+  }
+}, CLEANUP_INTERVAL);
 var presence$3 = ({ strapi: strapi2 }) => ({
   /**
    * Creates a session token for admin users to connect to Socket.IO
+   * Implements rate limiting and secure token storage
    * @param {object} ctx - Koa context
    */
   async createSession(ctx) {
@@ -1332,28 +1385,40 @@ var presence$3 = ({ strapi: strapi2 }) => ({
       strapi2.log.warn("[plugin-io] Presence session requested without admin user");
       return ctx.unauthorized("Admin authentication required");
     }
+    const lastRefresh = refreshThrottle.get(adminUser.id);
+    const now = Date.now();
+    if (lastRefresh && now - lastRefresh < REFRESH_COOLDOWN) {
+      const waitTime = Math.ceil((REFRESH_COOLDOWN - (now - lastRefresh)) / 1e3);
+      strapi2.log.warn(`[plugin-io] Rate limit: User ${adminUser.id} must wait ${waitTime}s`);
+      return ctx.tooManyRequests(`Please wait ${waitTime} seconds before requesting a new session`);
+    }
     try {
       const token = randomUUID();
-      const expiresAt = Date.now() + 2 * 60 * 1e3;
-      sessionTokens.set(token, {
-        token,
+      const tokenHash = hashToken(token);
+      const expiresAt = now + SESSION_TTL;
+      sessionTokens.set(tokenHash, {
+        tokenHash,
+        userId: adminUser.id,
         user: {
           id: adminUser.id,
           email: adminUser.email,
           firstname: adminUser.firstname,
           lastname: adminUser.lastname
         },
-        expiresAt
+        createdAt: now,
+        expiresAt,
+        usageCount: 0,
+        maxUsage: 10
+        // Max reconnects with same token
       });
-      strapi2.log.info(`[plugin-io] Presence session created for admin user: ${adminUser.email}`);
+      refreshThrottle.set(adminUser.id, now);
+      strapi2.log.info(`[plugin-io] Presence session created for admin user: ${adminUser.id}`);
       ctx.body = {
         token,
-        user: {
-          id: adminUser.id,
-          email: adminUser.email,
-          firstname: adminUser.firstname,
-          lastname: adminUser.lastname
-        },
+        // Send plaintext token to client (only time it's exposed)
+        expiresAt,
+        refreshAfter: now + SESSION_TTL * 0.7,
+        // Suggest refresh at 70% of TTL
         wsPath: "/socket.io",
         wsUrl: `${ctx.protocol}://${ctx.host}`
       };
@@ -1363,23 +1428,168 @@ var presence$3 = ({ strapi: strapi2 }) => ({
     }
   },
   /**
-   * Validates and consumes a session token (one-time use)
+   * Validates a session token and tracks usage
+   * Implements usage limits to prevent token abuse
    * @param {string} token - Session token to validate
    * @returns {object|null} Session data or null if invalid/expired
    */
   consumeSessionToken(token) {
-    if (!token) {
+    if (!token || typeof token !== "string") {
       return null;
     }
-    const session = sessionTokens.get(token);
+    const tokenHash = hashToken(token);
+    const session = sessionTokens.get(tokenHash);
     if (!session) {
+      strapi2.log.debug("[plugin-io] Token not found in session store");
       return null;
     }
-    if (session.expiresAt < Date.now()) {
-      sessionTokens.delete(token);
+    const now = Date.now();
+    if (session.expiresAt < now) {
+      sessionTokens.delete(tokenHash);
+      strapi2.log.debug("[plugin-io] Token expired, removed from store");
+      return null;
+    }
+    if (session.usageCount >= session.maxUsage) {
+      strapi2.log.warn(`[plugin-io] Token usage limit exceeded for user ${session.userId}`);
+      sessionTokens.delete(tokenHash);
       return null;
     }
+    session.usageCount++;
+    session.lastUsed = now;
     return session;
+  },
+  /**
+   * Registers a socket as using a specific token
+   * @param {string} socketId - Socket ID
+   * @param {string} token - The token being used
+   */
+  registerSocket(socketId, token) {
+    if (!socketId || !token) return;
+    const tokenHash = hashToken(token);
+    activeSockets.set(socketId, tokenHash);
+  },
+  /**
+   * Unregisters a socket when it disconnects
+   * @param {string} socketId - Socket ID
+   */
+  unregisterSocket(socketId) {
+    activeSockets.delete(socketId);
+  },
+  /**
+   * Invalidates all sessions for a specific user (e.g., on logout)
+   * @param {number} userId - User ID to invalidate
+   * @returns {number} Number of sessions invalidated
+   */
+  invalidateUserSessions(userId) {
+    let invalidated = 0;
+    for (const [tokenHash, session] of sessionTokens.entries()) {
+      if (session.userId === userId) {
+        sessionTokens.delete(tokenHash);
+        invalidated++;
+      }
+    }
+    refreshThrottle.delete(userId);
+    strapi2.log.info(`[plugin-io] Invalidated ${invalidated} sessions for user ${userId}`);
+    return invalidated;
+  },
+  /**
+   * Gets session statistics (for monitoring) - internal method
+   * @returns {object} Session statistics
+   */
+  getSessionStatsInternal() {
+    const now = Date.now();
+    let active = 0;
+    let expiringSoon = 0;
+    for (const session of sessionTokens.values()) {
+      if (session.expiresAt > now) {
+        active++;
+        if (session.expiresAt - now < 2 * 60 * 1e3) {
+          expiringSoon++;
+        }
+      }
+    }
+    return {
+      activeSessions: active,
+      expiringSoon,
+      activeSocketConnections: activeSockets.size,
+      sessionTTL: SESSION_TTL,
+      refreshCooldown: REFRESH_COOLDOWN
+    };
+  },
+  /**
+   * HTTP Handler: Gets session statistics for admin monitoring
+   * @param {object} ctx - Koa context
+   */
+  async getSessionStats(ctx) {
+    const adminUser = ctx.state.user;
+    if (!adminUser) {
+      return ctx.unauthorized("Admin authentication required");
+    }
+    try {
+      const stats = this.getSessionStatsInternal();
+      ctx.body = { data: stats };
+    } catch (error2) {
+      strapi2.log.error("[plugin-io] Failed to get session stats:", error2);
+      return ctx.internalServerError("Failed to get session statistics");
+    }
+  },
+  /**
+   * HTTP Handler: Invalidates all sessions for a specific user
+   * @param {object} ctx - Koa context
+   */
+  async invalidateUserSessionsHandler(ctx) {
+    const adminUser = ctx.state.user;
+    if (!adminUser) {
+      return ctx.unauthorized("Admin authentication required");
+    }
+    const { userId } = ctx.params;
+    if (!userId) {
+      return ctx.badRequest("User ID is required");
+    }
+    try {
+      const userIdNum = parseInt(userId, 10);
+      if (isNaN(userIdNum)) {
+        return ctx.badRequest("Invalid user ID");
+      }
+      const invalidated = this.invalidateUserSessions(userIdNum);
+      strapi2.log.info(`[plugin-io] Admin ${adminUser.id} invalidated ${invalidated} sessions for user ${userIdNum}`);
+      ctx.body = {
+        data: {
+          userId: userIdNum,
+          invalidatedSessions: invalidated,
+          message: `Successfully invalidated ${invalidated} session(s)`
+        }
+      };
+    } catch (error2) {
+      strapi2.log.error("[plugin-io] Failed to invalidate user sessions:", error2);
+      return ctx.internalServerError("Failed to invalidate sessions");
+    }
+  },
+  /**
+   * HTTP Handler: Gets all online users with their editing info
+   * Used for the "Who's Online" dashboard widget
+   * @param {object} ctx - Koa context
+   */
+  async getOnlineUsers(ctx) {
+    const adminUser = ctx.state.user;
+    if (!adminUser) {
+      return ctx.unauthorized("Admin authentication required");
+    }
+    try {
+      const presenceService = strapi2.plugin("io").service("presence");
+      const onlineUsers = presenceService.getOnlineUsers();
+      const counts = presenceService.getOnlineCounts();
+      ctx.body = {
+        data: {
+          users: onlineUsers,
+          counts,
+          timestamp: Date.now()
+        }
+      };
+    } catch (error2) {
+      strapi2.log.error("[plugin-io] Failed to get online users:", error2);
+      return ctx.internalServerError("Failed to get online users");
+    }
   }
 });
 const settings$2 = settings$3;
@@ -1471,6 +1681,33 @@ var admin$1 = {
       config: {
         policies: ["admin::isAuthenticatedAdmin"]
       }
+    },
+    // Security: Session statistics
+    {
+      method: "GET",
+      path: "/security/sessions",
+      handler: "presence.getSessionStats",
+      config: {
+        policies: ["admin::isAuthenticatedAdmin"]
+      }
+    },
+    // Security: Invalidate user sessions (force logout)
+    {
+      method: "POST",
+      path: "/security/invalidate/:userId",
+      handler: "presence.invalidateUserSessionsHandler",
+      config: {
+        policies: ["admin::isAuthenticatedAdmin"]
+      }
+    },
+    // Who's Online: Get all online users with editing info
+    {
+      method: "GET",
+      path: "/online-users",
+      handler: "presence.getOnlineUsers",
+      config: {
+        policies: ["admin::isAuthenticatedAdmin"]
+      }
     }
   ]
 };
@@ -29677,21 +29914,55 @@ var strategies = ({ strapi: strapi2 }) => {
     credentials: function(user) {
       return `${this.name}-${user.id}`;
     },
-    authenticate: async function(auth) {
+    /**
+     * Authenticates admin user via session token
+     * @param {object} auth - Auth object containing token
+     * @param {object} socket - Socket instance for registration
+     * @returns {object} User data if authenticated
+     * @throws {UnauthorizedError} If authentication fails
+     */
+    authenticate: async function(auth, socket) {
       const token2 = auth.token;
-      if (!token2) {
+      if (!token2 || typeof token2 !== "string") {
+        strapi2.log.warn("[plugin-io] Admin auth failed: No token provided");
         throw new UnauthorizedError2("Invalid admin credentials");
       }
+      const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+      if (!uuidRegex.test(token2)) {
+        strapi2.log.warn("[plugin-io] Admin auth failed: Invalid token format");
+        throw new UnauthorizedError2("Invalid token format");
+      }
       try {
         const presenceController = strapi2.plugin("io").controller("presence");
         const session = presenceController.consumeSessionToken(token2);
         if (!session) {
+          strapi2.log.warn("[plugin-io] Admin auth failed: Token not valid or expired");
           throw new UnauthorizedError2("Invalid or expired session token");
         }
-        return session.user;
+        if (socket?.id) {
+          presenceController.registerSocket(socket.id, token2);
+        }
+        strapi2.log.info(`[plugin-io] Admin authenticated: User ID ${session.userId}`);
+        return {
+          id: session.userId,
+          ...session.user
+        };
       } catch (error2) {
-        strapi2.log.warn("[plugin-io] Admin session verification failed:", error2.message);
-        throw new UnauthorizedError2("Invalid admin credentials");
+        if (error2 instanceof UnauthorizedError2) {
+          throw error2;
+        }
+        strapi2.log.error("[plugin-io] Admin session verification error:", error2.message);
+        throw new UnauthorizedError2("Authentication failed");
+      }
+    },
+    /**
+     * Cleanup when socket disconnects
+     * @param {object} socket - Socket instance
+     */
+    onDisconnect: function(socket) {
+      if (socket?.id) {
+        const presenceController = strapi2.plugin("io").controller("presence");
+        presenceController.unregisterSocket(socket.id);
       }
     },
     getRoomName: function(user) {
@@ -30316,7 +30587,10 @@ var presence$1 = ({ strapi: strapi2 }) => {
      */
     registerConnection(socketId, user = null) {
       const settings2 = getPresenceSettings();
-      if (!settings2.enabled) return;
+      if (!settings2.enabled) {
+        strapi2.log.warn(`socket.io: Presence disabled, skipping registration for ${socketId}`);
+        return;
+      }
       activeConnections.set(socketId, {
         user,
         entities: /* @__PURE__ */ new Map(),
@@ -30324,7 +30598,8 @@ var presence$1 = ({ strapi: strapi2 }) => {
         lastSeen: Date.now(),
         connectedAt: Date.now()
       });
-      strapi2.log.debug(`socket.io: Presence registered for socket ${socketId}`);
+      const username = user?.username || user?.firstname || "anonymous";
+      strapi2.log.info(`socket.io: Presence registered for ${username} (socket: ${socketId}, total: ${activeConnections.size})`);
     },
     /**
      * Unregisters a socket connection and cleans up all entity presence
@@ -30335,7 +30610,9 @@ var presence$1 = ({ strapi: strapi2 }) => {
       if (!connection) return;
       if (connection.entities) {
         for (const entityKey of connection.entities.keys()) {
-          const [uid, documentId] = entityKey.split(":");
+          const lastColonIndex = entityKey.lastIndexOf(":");
+          const uid = entityKey.substring(0, lastColonIndex);
+          const documentId = entityKey.substring(lastColonIndex + 1);
           await this.leaveEntity(socketId, uid, documentId, false);
         }
       }
@@ -30570,6 +30847,90 @@ var presence$1 = ({ strapi: strapi2 }) => {
           timestamp: Date.now()
         });
       }
+    },
+    /**
+     * Gets all online users with their currently editing entities
+     * Used for the "Who's Online" dashboard widget
+     * @returns {Array} List of online users with their editing info
+     */
+    getOnlineUsers() {
+      const users = [];
+      const now = Date.now();
+      for (const [socketId, connection] of activeConnections) {
+        if (!connection.user) continue;
+        const editingEntities = [];
+        if (connection.entities) {
+          for (const [entityKey, joinedAt] of connection.entities) {
+            const lastColonIndex = entityKey.lastIndexOf(":");
+            const uid = entityKey.substring(0, lastColonIndex);
+            const documentId = entityKey.substring(lastColonIndex + 1);
+            let contentTypeName = uid;
+            try {
+              const contentType = strapi2.contentTypes[uid];
+              if (contentType?.info?.displayName) {
+                contentTypeName = contentType.info.displayName;
+              } else if (contentType?.info?.singularName) {
+                contentTypeName = contentType.info.singularName;
+              }
+            } catch (e) {
+            }
+            editingEntities.push({
+              uid,
+              documentId,
+              contentTypeName,
+              joinedAt,
+              editingFor: Math.floor((now - joinedAt) / 1e3)
+              // seconds
+            });
+          }
+        }
+        users.push({
+          socketId,
+          user: {
+            id: connection.user.id,
+            username: connection.user.username,
+            email: connection.user.email,
+            firstname: connection.user.firstname,
+            lastname: connection.user.lastname,
+            isAdmin: connection.user.isAdmin || false
+          },
+          connectedAt: connection.connectedAt,
+          lastSeen: connection.lastSeen,
+          onlineFor: Math.floor((now - connection.connectedAt) / 1e3),
+          // seconds
+          editingEntities,
+          isEditing: editingEntities.length > 0
+        });
+      }
+      users.sort((a, b) => {
+        if (a.isEditing && !b.isEditing) return -1;
+        if (!a.isEditing && b.isEditing) return 1;
+        return b.connectedAt - a.connectedAt;
+      });
+      return users;
+    },
+    /**
+     * Gets count of online users
+     * @returns {object} Online user counts
+     */
+    getOnlineCounts() {
+      let total = 0;
+      let admins = 0;
+      let users = 0;
+      let editing = 0;
+      for (const connection of activeConnections.values()) {
+        if (!connection.user) continue;
+        total++;
+        if (connection.user.isAdmin) {
+          admins++;
+        } else {
+          users++;
+        }
+        if (connection.entities?.size > 0) {
+          editing++;
+        }
+      }
+      return { total, admins, users, editing };
     }
   };
 };
@@ -30786,7 +31147,9 @@ var preview$1 = ({ strapi: strapi2 }) => {
     getActivePreviewEntities() {
       const entities = [];
       for (const [entityKey, subscribers] of previewSubscribers) {
-        const [uid, documentId] = entityKey.split(":");
+        const lastColonIndex = entityKey.lastIndexOf(":");
+        const uid = entityKey.substring(0, lastColonIndex);
+        const documentId = entityKey.substring(lastColonIndex + 1);
         entities.push({
           uid,
           documentId,