@strapi/plugin-users-permissions 0.0.0-next.d9724d67b33363354d7171a9f2265e1c42485e13 → 0.0.0-next.da19c0501ff87d14fb664b55b8e0630d3c548485

package/dist/server/services/user.mjs

@@ -21,13 +21,17 @@ function requireUser() {
     const { toNumber, getOr } = require$$0$1;
     const { getService } = requireUtils();
     const USER_MODEL_UID = 'plugin::users-permissions.user';
-    user = ({ strapi })=>({
+    const getSessionManager = ()=>{
+        const manager = strapi.sessionManager;
+        return manager ?? null;
+    };
+    user = ({ strapi: strapi1 })=>({
             /**
 	   * Promise to count users
 	   *
 	   * @return {Promise}
 	   */ count (params) {
-                return strapi.db.query(USER_MODEL_UID).count({
+                return strapi1.db.query(USER_MODEL_UID).count({
                     where: params
                 });
             },
@@ -39,7 +43,7 @@ function requireUser() {
 	   * @param {object} values - The object containing the fields to be hashed.
 	   * @return {object} The values object with hashed password fields if they were present.
 	   */ async ensureHashedPasswords (values) {
-                const attributes = strapi.getModel(USER_MODEL_UID).attributes;
+                const attributes = strapi1.getModel(USER_MODEL_UID).attributes;
                 for(const key in values){
                     if (attributes[key] && attributes[key].type === 'password') {
                         // Check if a custom encryption.rounds has been set on the password attribute
@@ -53,7 +57,7 @@ function requireUser() {
 	   * Promise to add a/an user.
 	   * @return {Promise}
 	   */ async add (values) {
-                return strapi.db.query(USER_MODEL_UID).create({
+                return strapi1.db.query(USER_MODEL_UID).create({
                     data: await this.ensureHashedPasswords(values),
                     populate: [
                         'role'
@@ -66,7 +70,7 @@ function requireUser() {
 	   * @param {object} params
 	   * @return {Promise}
 	   */ async edit (userId, params = {}) {
-                return strapi.db.query(USER_MODEL_UID).update({
+                return strapi1.db.query(USER_MODEL_UID).update({
                     where: {
                         id: userId
                     },
@@ -80,8 +84,8 @@ function requireUser() {
 	   * Promise to fetch a/an user.
 	   * @return {Promise}
 	   */ fetch (id, params) {
-                const query = strapi.get('query-params').transform(USER_MODEL_UID, params ?? {});
-                return strapi.db.query(USER_MODEL_UID).findOne({
+                const query = strapi1.get('query-params').transform(USER_MODEL_UID, params ?? {});
+                return strapi1.db.query(USER_MODEL_UID).findOne({
                     ...query,
                     where: {
                         $and: [
@@ -97,7 +101,7 @@ function requireUser() {
 	   * Promise to fetch authenticated user.
 	   * @return {Promise}
 	   */ fetchAuthenticatedUser (id) {
-                return strapi.db.query(USER_MODEL_UID).findOne({
+                return strapi1.db.query(USER_MODEL_UID).findOne({
                     where: {
                         id
                     },
@@ -110,14 +114,19 @@ function requireUser() {
 	   * Promise to fetch all users.
 	   * @return {Promise}
 	   */ fetchAll (params) {
-                const query = strapi.get('query-params').transform(USER_MODEL_UID, params ?? {});
-                return strapi.db.query(USER_MODEL_UID).findMany(query);
+                const query = strapi1.get('query-params').transform(USER_MODEL_UID, params ?? {});
+                return strapi1.db.query(USER_MODEL_UID).findMany(query);
             },
             /**
 	   * Promise to remove a/an user.
 	   * @return {Promise}
 	   */ async remove (params) {
-                return strapi.db.query(USER_MODEL_UID).delete({
+                // Invalidate sessions for all affected users
+                const sessionManager = getSessionManager();
+                if (sessionManager && sessionManager.hasOrigin('users-permissions') && params.id) {
+                    await sessionManager('users-permissions').invalidateRefreshToken(String(params.id));
+                }
+                return strapi1.db.query(USER_MODEL_UID).delete({
                     where: params
                 });
             },
@@ -126,29 +135,29 @@ function requireUser() {
             },
             async sendConfirmationEmail (user) {
                 const userPermissionService = getService('users-permissions');
-                const pluginStore = await strapi.store({
+                const pluginStore = await strapi1.store({
                     type: 'plugin',
                     name: 'users-permissions'
                 });
-                const userSchema = strapi.getModel(USER_MODEL_UID);
+                const userSchema = strapi1.getModel(USER_MODEL_UID);
                 const settings = await pluginStore.get({
                     key: 'email'
                 }).then((storeEmail)=>storeEmail.email_confirmation.options);
                 // Sanitize the template's user information
                 const sanitizedUserInfo = await sanitize.sanitizers.defaultSanitizeOutput({
                     schema: userSchema,
-                    getModel: strapi.getModel.bind(strapi)
+                    getModel: strapi1.getModel.bind(strapi1)
                 }, user);
                 const confirmationToken = crypto.randomBytes(20).toString('hex');
                 await this.edit(user.id, {
                     confirmationToken
                 });
-                const apiPrefix = strapi.config.get('api.rest.prefix');
+                const apiPrefix = strapi1.config.get('api.rest.prefix');
                 try {
                     settings.message = await userPermissionService.template(settings.message, {
-                        URL: urlJoin(strapi.config.get('server.absoluteUrl'), apiPrefix, '/auth/email-confirmation'),
-                        SERVER_URL: strapi.config.get('server.absoluteUrl'),
-                        ADMIN_URL: strapi.config.get('admin.absoluteUrl'),
+                        URL: urlJoin(strapi1.config.get('server.absoluteUrl'), apiPrefix, '/auth/email-confirmation'),
+                        SERVER_URL: strapi1.config.get('server.absoluteUrl'),
+                        ADMIN_URL: strapi1.config.get('admin.absoluteUrl'),
                         USER: sanitizedUserInfo,
                         CODE: confirmationToken
                     });
@@ -156,11 +165,11 @@ function requireUser() {
                         USER: sanitizedUserInfo
                     });
                 } catch  {
-                    strapi.log.error('[plugin::users-permissions.sendConfirmationEmail]: Failed to generate a template for "user confirmation email". Please make sure your email template is valid and does not contain invalid characters or patterns');
+                    strapi1.log.error('[plugin::users-permissions.sendConfirmationEmail]: Failed to generate a template for "user confirmation email". Please make sure your email template is valid and does not contain invalid characters or patterns');
                     return;
                 }
                 // Send an email to the user.
-                await strapi.plugin('email').service('email').send({
+                await strapi1.plugin('email').service('email').send({
                     to: user.email,
                     from: settings.from.email && settings.from.name ? `${settings.from.name} <${settings.from.email}>` : undefined,
                     replyTo: settings.response_email,

package/dist/server/services/user.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"user.mjs","sources":["../../../server/services/user.js"],"sourcesContent":["'use strict';\n\n/**\n * User.js service\n *\n * @description: A set of functions similar to controller's actions to avoid code duplication.\n */\n\nconst crypto = require('crypto');\nconst bcrypt = require('bcryptjs');\nconst urlJoin = require('url-join');\n\nconst { sanitize } = require('@strapi/utils');\nconst { toNumber, getOr } = require('lodash/fp');\nconst { getService } = require('../utils');\n\nconst USER_MODEL_UID = 'plugin::users-permissions.user';\n\nmodule.exports = ({ strapi }) => ({\n  /**\n   * Promise to count users\n   *\n   * @return {Promise}\n   */\n\n  count(params) {\n    return strapi.db.query(USER_MODEL_UID).count({ where: params });\n  },\n\n  /**\n   * Hashes password fields in the provided values object if they are present.\n   * It checks each key in the values object against the model's attributes and\n   * hashes it if the attribute type is 'password',\n   *\n   * @param {object} values - The object containing the fields to be hashed.\n   * @return {object} The values object with hashed password fields if they were present.\n   */\n  async ensureHashedPasswords(values) {\n    const attributes = strapi.getModel(USER_MODEL_UID).attributes;\n\n    for (const key in values) {\n      if (attributes[key] && attributes[key].type === 'password') {\n        // Check if a custom encryption.rounds has been set on the password attribute\n        const rounds = toNumber(getOr(10, 'encryption.rounds', attributes[key]));\n        values[key] = await bcrypt.hash(values[key], rounds);\n      }\n    }\n\n    return values;\n  },\n\n  /**\n   * Promise to add a/an user.\n   * @return {Promise}\n   */\n  async add(values) {\n    return strapi.db.query(USER_MODEL_UID).create({\n      data: await this.ensureHashedPasswords(values),\n      populate: ['role'],\n    });\n  },\n\n  /**\n   * Promise to edit a/an user.\n   * @param {string} userId\n   * @param {object} params\n   * @return {Promise}\n   */\n  async edit(userId, params = {}) {\n    return strapi.db.query(USER_MODEL_UID).update({\n      where: { id: userId },\n      data: await this.ensureHashedPasswords(params),\n      populate: ['role'],\n    });\n  },\n\n  /**\n   * Promise to fetch a/an user.\n   * @return {Promise}\n   */\n  fetch(id, params) {\n    const query = strapi.get('query-params').transform(USER_MODEL_UID, params ?? {});\n\n    return strapi.db.query(USER_MODEL_UID).findOne({\n      ...query,\n      where: {\n        $and: [{ id }, query.where || {}],\n      },\n    });\n  },\n\n  /**\n   * Promise to fetch authenticated user.\n   * @return {Promise}\n   */\n  fetchAuthenticatedUser(id) {\n    return strapi.db.query(USER_MODEL_UID).findOne({ where: { id }, populate: ['role'] });\n  },\n\n  /**\n   * Promise to fetch all users.\n   * @return {Promise}\n   */\n  fetchAll(params) {\n    const query = strapi.get('query-params').transform(USER_MODEL_UID, params ?? {});\n\n    return strapi.db.query(USER_MODEL_UID).findMany(query);\n  },\n\n  /**\n   * Promise to remove a/an user.\n   * @return {Promise}\n   */\n  async remove(params) {\n    return strapi.db.query(USER_MODEL_UID).delete({ where: params });\n  },\n\n  validatePassword(password, hash) {\n    return bcrypt.compare(password, hash);\n  },\n\n  async sendConfirmationEmail(user) {\n    const userPermissionService = getService('users-permissions');\n    const pluginStore = await strapi.store({ type: 'plugin', name: 'users-permissions' });\n    const userSchema = strapi.getModel(USER_MODEL_UID);\n\n    const settings = await pluginStore\n      .get({ key: 'email' })\n      .then((storeEmail) => storeEmail.email_confirmation.options);\n\n    // Sanitize the template's user information\n    const sanitizedUserInfo = await sanitize.sanitizers.defaultSanitizeOutput(\n      {\n        schema: userSchema,\n        getModel: strapi.getModel.bind(strapi),\n      },\n      user\n    );\n\n    const confirmationToken = crypto.randomBytes(20).toString('hex');\n\n    await this.edit(user.id, { confirmationToken });\n\n    const apiPrefix = strapi.config.get('api.rest.prefix');\n\n    try {\n      settings.message = await userPermissionService.template(settings.message, {\n        URL: urlJoin(\n          strapi.config.get('server.absoluteUrl'),\n          apiPrefix,\n          '/auth/email-confirmation'\n        ),\n        SERVER_URL: strapi.config.get('server.absoluteUrl'),\n        ADMIN_URL: strapi.config.get('admin.absoluteUrl'),\n        USER: sanitizedUserInfo,\n        CODE: confirmationToken,\n      });\n\n      settings.object = await userPermissionService.template(settings.object, {\n        USER: sanitizedUserInfo,\n      });\n    } catch {\n      strapi.log.error(\n        '[plugin::users-permissions.sendConfirmationEmail]: Failed to generate a template for \"user confirmation email\". Please make sure your email template is valid and does not contain invalid characters or patterns'\n      );\n      return;\n    }\n\n    // Send an email to the user.\n    await strapi\n      .plugin('email')\n      .service('email')\n      .send({\n        to: user.email,\n        from:\n          settings.from.email && settings.from.name\n            ? `${settings.from.name} <${settings.from.email}>`\n            : undefined,\n        replyTo: settings.response_email,\n        subject: settings.object,\n        text: settings.message,\n        html: settings.message,\n      });\n  },\n});\n"],"names":["crypto","require$$0","bcrypt","require$$1","urlJoin","require$$2","sanitize","require$$3","toNumber","getOr","require$$4","getService","require$$5","USER_MODEL_UID","user","strapi","count","params","db","query","where","ensureHashedPasswords","values","attributes","getModel","key","type","rounds","hash","add","create","data","populate","edit","userId","update","id","fetch","get","transform","findOne","$and","fetchAuthenticatedUser","fetchAll","findMany","remove","delete","validatePassword","password","compare","sendConfirmationEmail","userPermissionService","pluginStore","store","name","userSchema","settings","then","storeEmail","email_confirmation","options","sanitizedUserInfo","sanitizers","defaultSanitizeOutput","schema","bind","confirmationToken","randomBytes","toString","apiPrefix","config","message","template","URL","SERVER_URL","ADMIN_URL","USER","CODE","object","log","error","plugin","service","send","to","email","from","undefined","replyTo","response_email","subject","text","html"],"mappings":";;;;;;;;;;;;AAEA;;;;AAIA,KAEA,MAAMA,MAASC,GAAAA,UAAAA;AACf,IAAA,MAAMC,MAASC,GAAAA,UAAAA;AACf,IAAA,MAAMC,OAAUC,GAAAA,UAAAA;IAEhB,MAAM,EAAEC,QAAQ,EAAE,GAAGC,YAAAA;AACrB,IAAA,MAAM,EAAEC,QAAQ,EAAEC,KAAK,EAAE,GAAGC,YAAAA;IAC5B,MAAM,EAAEC,UAAU,EAAE,GAAGC,YAAAA,EAAAA;AAEvB,IAAA,MAAMC,cAAiB,GAAA,gCAAA;AAEvBC,IAAAA,IAAAA,GAAiB,CAAC,EAAEC,MAAM,EAAE,IAAM;AAClC;;;;AAIA,OAEEC,OAAMC,MAAM,EAAA;AACV,gBAAA,OAAOF,OAAOG,EAAE,CAACC,KAAK,CAACN,cAAAA,CAAAA,CAAgBG,KAAK,CAAC;oBAAEI,KAAOH,EAAAA;AAAM,iBAAA,CAAA;AAC7D,aAAA;AAEH;;;;;;;OAQE,MAAMI,uBAAsBC,MAAM,EAAA;AAChC,gBAAA,MAAMC,UAAaR,GAAAA,MAAAA,CAAOS,QAAQ,CAACX,gBAAgBU,UAAU;gBAE7D,IAAK,MAAME,OAAOH,MAAQ,CAAA;oBACxB,IAAIC,UAAU,CAACE,GAAAA,CAAI,IAAIF,UAAU,CAACE,GAAI,CAAA,CAACC,IAAI,KAAK,UAAY,EAAA;;AAE1D,wBAAA,MAAMC,SAASnB,QAASC,CAAAA,KAAAA,CAAM,IAAI,mBAAqBc,EAAAA,UAAU,CAACE,GAAI,CAAA,CAAA,CAAA;wBACtEH,MAAM,CAACG,GAAI,CAAA,GAAG,MAAMvB,MAAAA,CAAO0B,IAAI,CAACN,MAAM,CAACG,GAAAA,CAAI,EAAEE,MAAAA,CAAAA;AAC9C;AACF;gBAED,OAAOL,MAAAA;AACR,aAAA;AAEH;;;OAIE,MAAMO,KAAIP,MAAM,EAAA;AACd,gBAAA,OAAOP,OAAOG,EAAE,CAACC,KAAK,CAACN,cAAAA,CAAAA,CAAgBiB,MAAM,CAAC;AAC5CC,oBAAAA,IAAAA,EAAM,MAAM,IAAI,CAACV,qBAAqB,CAACC,MAAAA,CAAAA;oBACvCU,QAAU,EAAA;AAAC,wBAAA;AAAO;AACxB,iBAAA,CAAA;AACG,aAAA;AAEH;;;;;AAKA,OACE,MAAMC,IAAKC,CAAAA,CAAAA,MAAM,EAAEjB,MAAAA,GAAS,EAAE,EAAA;AAC5B,gBAAA,OAAOF,OAAOG,EAAE,CAACC,KAAK,CAACN,cAAAA,CAAAA,CAAgBsB,MAAM,CAAC;oBAC5Cf,KAAO,EAAA;wBAAEgB,EAAIF,EAAAA;AAAQ,qBAAA;AACrBH,oBAAAA,IAAAA,EAAM,MAAM,IAAI,CAACV,qBAAqB,CAACJ,MAAAA,CAAAA;oBACvCe,QAAU,EAAA;AAAC,wBAAA;AAAO;AACxB,iBAAA,CAAA;AACG,aAAA;AAEH;;;OAIEK,KAAAA,CAAAA,CAAMD,EAAE,EAAEnB,MAAM,EAAA;gBACd,MAAME,KAAAA,GAAQJ,OAAOuB,GAAG,CAAC,gBAAgBC,SAAS,CAAC1B,cAAgBI,EAAAA,MAAAA,IAAU,EAAA,CAAA;AAE7E,gBAAA,OAAOF,OAAOG,EAAE,CAACC,KAAK,CAACN,cAAAA,CAAAA,CAAgB2B,OAAO,CAAC;AAC7C,oBAAA,GAAGrB,KAAK;oBACRC,KAAO,EAAA;wBACLqB,IAAM,EAAA;AAAC,4BAAA;AAAEL,gCAAAA;AAAE,6BAAA;4BAAIjB,KAAMC,CAAAA,KAAK,IAAI;AAAG;AAClC;AACP,iBAAA,CAAA;AACG,aAAA;AAEH;;;AAGA,OACEsB,wBAAuBN,EAAE,EAAA;AACvB,gBAAA,OAAOrB,OAAOG,EAAE,CAACC,KAAK,CAACN,cAAAA,CAAAA,CAAgB2B,OAAO,CAAC;oBAAEpB,KAAO,EAAA;AAAEgB,wBAAAA;AAAE,qBAAA;oBAAIJ,QAAU,EAAA;AAAC,wBAAA;AAAO;AAAE,iBAAA,CAAA;AACrF,aAAA;AAEH;;;AAGA,OACEW,UAAS1B,MAAM,EAAA;gBACb,MAAME,KAAAA,GAAQJ,OAAOuB,GAAG,CAAC,gBAAgBC,SAAS,CAAC1B,cAAgBI,EAAAA,MAAAA,IAAU,EAAA,CAAA;AAE7E,gBAAA,OAAOF,OAAOG,EAAE,CAACC,KAAK,CAACN,cAAAA,CAAAA,CAAgB+B,QAAQ,CAACzB,KAAAA,CAAAA;AACjD,aAAA;AAEH;;;OAIE,MAAM0B,QAAO5B,MAAM,EAAA;AACjB,gBAAA,OAAOF,OAAOG,EAAE,CAACC,KAAK,CAACN,cAAAA,CAAAA,CAAgBiC,MAAM,CAAC;oBAAE1B,KAAOH,EAAAA;AAAM,iBAAA,CAAA;AAC9D,aAAA;YAED8B,gBAAiBC,CAAAA,CAAAA,QAAQ,EAAEpB,IAAI,EAAA;gBAC7B,OAAO1B,MAAAA,CAAO+C,OAAO,CAACD,QAAUpB,EAAAA,IAAAA,CAAAA;AACjC,aAAA;AAED,YAAA,MAAMsB,uBAAsBpC,IAAI,EAAA;AAC9B,gBAAA,MAAMqC,wBAAwBxC,UAAW,CAAA,mBAAA,CAAA;AACzC,gBAAA,MAAMyC,WAAc,GAAA,MAAMrC,MAAOsC,CAAAA,KAAK,CAAC;oBAAE3B,IAAM,EAAA,QAAA;oBAAU4B,IAAM,EAAA;AAAmB,iBAAA,CAAA;gBAClF,MAAMC,UAAAA,GAAaxC,MAAOS,CAAAA,QAAQ,CAACX,cAAAA,CAAAA;AAEnC,gBAAA,MAAM2C,QAAW,GAAA,MAAMJ,WACpBd,CAAAA,GAAG,CAAC;oBAAEb,GAAK,EAAA;mBACXgC,IAAI,CAAC,CAACC,aAAeA,UAAWC,CAAAA,kBAAkB,CAACC,OAAO,CAAA;;AAG7D,gBAAA,MAAMC,oBAAoB,MAAMvD,QAAAA,CAASwD,UAAU,CAACC,qBAAqB,CACvE;oBACEC,MAAQT,EAAAA,UAAAA;AACR/B,oBAAAA,QAAAA,EAAUT,MAAOS,CAAAA,QAAQ,CAACyC,IAAI,CAAClD,MAAAA;iBAEjCD,EAAAA,IAAAA,CAAAA;AAGF,gBAAA,MAAMoD,oBAAoBlE,MAAOmE,CAAAA,WAAW,CAAC,EAAA,CAAA,CAAIC,QAAQ,CAAC,KAAA,CAAA;AAE1D,gBAAA,MAAM,IAAI,CAACnC,IAAI,CAACnB,IAAAA,CAAKsB,EAAE,EAAE;AAAE8B,oBAAAA;AAAiB,iBAAA,CAAA;AAE5C,gBAAA,MAAMG,SAAYtD,GAAAA,MAAAA,CAAOuD,MAAM,CAAChC,GAAG,CAAC,iBAAA,CAAA;gBAEpC,IAAI;oBACFkB,QAASe,CAAAA,OAAO,GAAG,MAAMpB,qBAAAA,CAAsBqB,QAAQ,CAAChB,QAAAA,CAASe,OAAO,EAAE;AACxEE,wBAAAA,GAAAA,EAAKrE,QACHW,MAAOuD,CAAAA,MAAM,CAAChC,GAAG,CAAC,uBAClB+B,SACA,EAAA,0BAAA,CAAA;AAEFK,wBAAAA,UAAAA,EAAY3D,MAAOuD,CAAAA,MAAM,CAAChC,GAAG,CAAC,oBAAA,CAAA;AAC9BqC,wBAAAA,SAAAA,EAAW5D,MAAOuD,CAAAA,MAAM,CAAChC,GAAG,CAAC,mBAAA,CAAA;wBAC7BsC,IAAMf,EAAAA,iBAAAA;wBACNgB,IAAMX,EAAAA;AACd,qBAAA,CAAA;oBAEMV,QAASsB,CAAAA,MAAM,GAAG,MAAM3B,qBAAAA,CAAsBqB,QAAQ,CAAChB,QAAAA,CAASsB,MAAM,EAAE;wBACtEF,IAAMf,EAAAA;AACd,qBAAA,CAAA;AACA,iBAAA,CAAM,OAAM;oBACN9C,MAAOgE,CAAAA,GAAG,CAACC,KAAK,CACd,mNAAA,CAAA;AAEF,oBAAA;AACD;;gBAGD,MAAMjE,MAAAA,CACHkE,MAAM,CAAC,OAAA,CAAA,CACPC,OAAO,CAAC,OAAA,CAAA,CACRC,IAAI,CAAC;AACJC,oBAAAA,EAAAA,EAAItE,KAAKuE,KAAK;oBACdC,IACE9B,EAAAA,QAAAA,CAAS8B,IAAI,CAACD,KAAK,IAAI7B,QAAS8B,CAAAA,IAAI,CAAChC,IAAI,GACrC,CAAC,EAAEE,QAAAA,CAAS8B,IAAI,CAAChC,IAAI,CAAC,EAAE,EAAEE,QAAAA,CAAS8B,IAAI,CAACD,KAAK,CAAC,CAAC,CAAC,GAChDE,SAAAA;AACNC,oBAAAA,OAAAA,EAAShC,SAASiC,cAAc;AAChCC,oBAAAA,OAAAA,EAASlC,SAASsB,MAAM;AACxBa,oBAAAA,IAAAA,EAAMnC,SAASe,OAAO;AACtBqB,oBAAAA,IAAAA,EAAMpC,SAASe;AACvB,iBAAA,CAAA;AACG;SACH,CAAA;;;;;;"}
+{"version":3,"file":"user.mjs","sources":["../../../server/services/user.js"],"sourcesContent":["'use strict';\n\n/**\n * User.js service\n *\n * @description: A set of functions similar to controller's actions to avoid code duplication.\n */\n\nconst crypto = require('crypto');\nconst bcrypt = require('bcryptjs');\nconst urlJoin = require('url-join');\n\nconst { sanitize } = require('@strapi/utils');\nconst { toNumber, getOr } = require('lodash/fp');\nconst { getService } = require('../utils');\n\nconst USER_MODEL_UID = 'plugin::users-permissions.user';\n\nconst getSessionManager = () => {\n  const manager = strapi.sessionManager;\n  return manager ?? null;\n};\n\nmodule.exports = ({ strapi }) => ({\n  /**\n   * Promise to count users\n   *\n   * @return {Promise}\n   */\n\n  count(params) {\n    return strapi.db.query(USER_MODEL_UID).count({ where: params });\n  },\n\n  /**\n   * Hashes password fields in the provided values object if they are present.\n   * It checks each key in the values object against the model's attributes and\n   * hashes it if the attribute type is 'password',\n   *\n   * @param {object} values - The object containing the fields to be hashed.\n   * @return {object} The values object with hashed password fields if they were present.\n   */\n  async ensureHashedPasswords(values) {\n    const attributes = strapi.getModel(USER_MODEL_UID).attributes;\n\n    for (const key in values) {\n      if (attributes[key] && attributes[key].type === 'password') {\n        // Check if a custom encryption.rounds has been set on the password attribute\n        const rounds = toNumber(getOr(10, 'encryption.rounds', attributes[key]));\n        values[key] = await bcrypt.hash(values[key], rounds);\n      }\n    }\n\n    return values;\n  },\n\n  /**\n   * Promise to add a/an user.\n   * @return {Promise}\n   */\n  async add(values) {\n    return strapi.db.query(USER_MODEL_UID).create({\n      data: await this.ensureHashedPasswords(values),\n      populate: ['role'],\n    });\n  },\n\n  /**\n   * Promise to edit a/an user.\n   * @param {string} userId\n   * @param {object} params\n   * @return {Promise}\n   */\n  async edit(userId, params = {}) {\n    return strapi.db.query(USER_MODEL_UID).update({\n      where: { id: userId },\n      data: await this.ensureHashedPasswords(params),\n      populate: ['role'],\n    });\n  },\n\n  /**\n   * Promise to fetch a/an user.\n   * @return {Promise}\n   */\n  fetch(id, params) {\n    const query = strapi.get('query-params').transform(USER_MODEL_UID, params ?? {});\n\n    return strapi.db.query(USER_MODEL_UID).findOne({\n      ...query,\n      where: {\n        $and: [{ id }, query.where || {}],\n      },\n    });\n  },\n\n  /**\n   * Promise to fetch authenticated user.\n   * @return {Promise}\n   */\n  fetchAuthenticatedUser(id) {\n    return strapi.db.query(USER_MODEL_UID).findOne({ where: { id }, populate: ['role'] });\n  },\n\n  /**\n   * Promise to fetch all users.\n   * @return {Promise}\n   */\n  fetchAll(params) {\n    const query = strapi.get('query-params').transform(USER_MODEL_UID, params ?? {});\n\n    return strapi.db.query(USER_MODEL_UID).findMany(query);\n  },\n\n  /**\n   * Promise to remove a/an user.\n   * @return {Promise}\n   */\n  async remove(params) {\n    // Invalidate sessions for all affected users\n    const sessionManager = getSessionManager();\n    if (sessionManager && sessionManager.hasOrigin('users-permissions') && params.id) {\n      await sessionManager('users-permissions').invalidateRefreshToken(String(params.id));\n    }\n\n    return strapi.db.query(USER_MODEL_UID).delete({ where: params });\n  },\n\n  validatePassword(password, hash) {\n    return bcrypt.compare(password, hash);\n  },\n\n  async sendConfirmationEmail(user) {\n    const userPermissionService = getService('users-permissions');\n    const pluginStore = await strapi.store({ type: 'plugin', name: 'users-permissions' });\n    const userSchema = strapi.getModel(USER_MODEL_UID);\n\n    const settings = await pluginStore\n      .get({ key: 'email' })\n      .then((storeEmail) => storeEmail.email_confirmation.options);\n\n    // Sanitize the template's user information\n    const sanitizedUserInfo = await sanitize.sanitizers.defaultSanitizeOutput(\n      {\n        schema: userSchema,\n        getModel: strapi.getModel.bind(strapi),\n      },\n      user\n    );\n\n    const confirmationToken = crypto.randomBytes(20).toString('hex');\n\n    await this.edit(user.id, { confirmationToken });\n\n    const apiPrefix = strapi.config.get('api.rest.prefix');\n\n    try {\n      settings.message = await userPermissionService.template(settings.message, {\n        URL: urlJoin(\n          strapi.config.get('server.absoluteUrl'),\n          apiPrefix,\n          '/auth/email-confirmation'\n        ),\n        SERVER_URL: strapi.config.get('server.absoluteUrl'),\n        ADMIN_URL: strapi.config.get('admin.absoluteUrl'),\n        USER: sanitizedUserInfo,\n        CODE: confirmationToken,\n      });\n\n      settings.object = await userPermissionService.template(settings.object, {\n        USER: sanitizedUserInfo,\n      });\n    } catch {\n      strapi.log.error(\n        '[plugin::users-permissions.sendConfirmationEmail]: Failed to generate a template for \"user confirmation email\". Please make sure your email template is valid and does not contain invalid characters or patterns'\n      );\n      return;\n    }\n\n    // Send an email to the user.\n    await strapi\n      .plugin('email')\n      .service('email')\n      .send({\n        to: user.email,\n        from:\n          settings.from.email && settings.from.name\n            ? `${settings.from.name} <${settings.from.email}>`\n            : undefined,\n        replyTo: settings.response_email,\n        subject: settings.object,\n        text: settings.message,\n        html: settings.message,\n      });\n  },\n});\n"],"names":["crypto","require$$0","bcrypt","require$$1","urlJoin","require$$2","sanitize","require$$3","toNumber","getOr","require$$4","getService","require$$5","USER_MODEL_UID","getSessionManager","manager","strapi","sessionManager","user","count","params","db","query","where","ensureHashedPasswords","values","attributes","getModel","key","type","rounds","hash","add","create","data","populate","edit","userId","update","id","fetch","get","transform","findOne","$and","fetchAuthenticatedUser","fetchAll","findMany","remove","hasOrigin","invalidateRefreshToken","String","delete","validatePassword","password","compare","sendConfirmationEmail","userPermissionService","pluginStore","store","name","userSchema","settings","then","storeEmail","email_confirmation","options","sanitizedUserInfo","sanitizers","defaultSanitizeOutput","schema","bind","confirmationToken","randomBytes","toString","apiPrefix","config","message","template","URL","SERVER_URL","ADMIN_URL","USER","CODE","object","log","error","plugin","service","send","to","email","from","undefined","replyTo","response_email","subject","text","html"],"mappings":";;;;;;;;;;;;AAEA;;;;AAIA,KAEA,MAAMA,MAASC,GAAAA,UAAAA;AACf,IAAA,MAAMC,MAASC,GAAAA,UAAAA;AACf,IAAA,MAAMC,OAAUC,GAAAA,UAAAA;IAEhB,MAAM,EAAEC,QAAQ,EAAE,GAAGC,YAAAA;AACrB,IAAA,MAAM,EAAEC,QAAQ,EAAEC,KAAK,EAAE,GAAGC,YAAAA;IAC5B,MAAM,EAAEC,UAAU,EAAE,GAAGC,YAAAA,EAAAA;AAEvB,IAAA,MAAMC,cAAiB,GAAA,gCAAA;AAEvB,IAAA,MAAMC,iBAAoB,GAAA,IAAA;QACxB,MAAMC,OAAAA,GAAUC,OAAOC,cAAc;AACrC,QAAA,OAAOF,OAAW,IAAA,IAAA;AACpB,KAAA;AAEAG,IAAAA,IAAAA,GAAiB,CAAC,EAAEF,MAAAA,EAAAA,OAAM,EAAE,IAAM;AAClC;;;;AAIA,OAEEG,OAAMC,MAAM,EAAA;AACV,gBAAA,OAAOJ,QAAOK,EAAE,CAACC,KAAK,CAACT,cAAAA,CAAAA,CAAgBM,KAAK,CAAC;oBAAEI,KAAOH,EAAAA;AAAM,iBAAA,CAAA;AAC7D,aAAA;AAEH;;;;;;;OAQE,MAAMI,uBAAsBC,MAAM,EAAA;AAChC,gBAAA,MAAMC,UAAaV,GAAAA,OAAAA,CAAOW,QAAQ,CAACd,gBAAgBa,UAAU;gBAE7D,IAAK,MAAME,OAAOH,MAAQ,CAAA;oBACxB,IAAIC,UAAU,CAACE,GAAAA,CAAI,IAAIF,UAAU,CAACE,GAAI,CAAA,CAACC,IAAI,KAAK,UAAY,EAAA;;AAE1D,wBAAA,MAAMC,SAAStB,QAASC,CAAAA,KAAAA,CAAM,IAAI,mBAAqBiB,EAAAA,UAAU,CAACE,GAAI,CAAA,CAAA,CAAA;wBACtEH,MAAM,CAACG,GAAI,CAAA,GAAG,MAAM1B,MAAAA,CAAO6B,IAAI,CAACN,MAAM,CAACG,GAAAA,CAAI,EAAEE,MAAAA,CAAAA;AAC9C;AACF;gBAED,OAAOL,MAAAA;AACR,aAAA;AAEH;;;OAIE,MAAMO,KAAIP,MAAM,EAAA;AACd,gBAAA,OAAOT,QAAOK,EAAE,CAACC,KAAK,CAACT,cAAAA,CAAAA,CAAgBoB,MAAM,CAAC;AAC5CC,oBAAAA,IAAAA,EAAM,MAAM,IAAI,CAACV,qBAAqB,CAACC,MAAAA,CAAAA;oBACvCU,QAAU,EAAA;AAAC,wBAAA;AAAO;AACxB,iBAAA,CAAA;AACG,aAAA;AAEH;;;;;AAKA,OACE,MAAMC,IAAKC,CAAAA,CAAAA,MAAM,EAAEjB,MAAAA,GAAS,EAAE,EAAA;AAC5B,gBAAA,OAAOJ,QAAOK,EAAE,CAACC,KAAK,CAACT,cAAAA,CAAAA,CAAgByB,MAAM,CAAC;oBAC5Cf,KAAO,EAAA;wBAAEgB,EAAIF,EAAAA;AAAQ,qBAAA;AACrBH,oBAAAA,IAAAA,EAAM,MAAM,IAAI,CAACV,qBAAqB,CAACJ,MAAAA,CAAAA;oBACvCe,QAAU,EAAA;AAAC,wBAAA;AAAO;AACxB,iBAAA,CAAA;AACG,aAAA;AAEH;;;OAIEK,KAAAA,CAAAA,CAAMD,EAAE,EAAEnB,MAAM,EAAA;gBACd,MAAME,KAAAA,GAAQN,QAAOyB,GAAG,CAAC,gBAAgBC,SAAS,CAAC7B,cAAgBO,EAAAA,MAAAA,IAAU,EAAA,CAAA;AAE7E,gBAAA,OAAOJ,QAAOK,EAAE,CAACC,KAAK,CAACT,cAAAA,CAAAA,CAAgB8B,OAAO,CAAC;AAC7C,oBAAA,GAAGrB,KAAK;oBACRC,KAAO,EAAA;wBACLqB,IAAM,EAAA;AAAC,4BAAA;AAAEL,gCAAAA;AAAE,6BAAA;4BAAIjB,KAAMC,CAAAA,KAAK,IAAI;AAAG;AAClC;AACP,iBAAA,CAAA;AACG,aAAA;AAEH;;;AAGA,OACEsB,wBAAuBN,EAAE,EAAA;AACvB,gBAAA,OAAOvB,QAAOK,EAAE,CAACC,KAAK,CAACT,cAAAA,CAAAA,CAAgB8B,OAAO,CAAC;oBAAEpB,KAAO,EAAA;AAAEgB,wBAAAA;AAAE,qBAAA;oBAAIJ,QAAU,EAAA;AAAC,wBAAA;AAAO;AAAE,iBAAA,CAAA;AACrF,aAAA;AAEH;;;AAGA,OACEW,UAAS1B,MAAM,EAAA;gBACb,MAAME,KAAAA,GAAQN,QAAOyB,GAAG,CAAC,gBAAgBC,SAAS,CAAC7B,cAAgBO,EAAAA,MAAAA,IAAU,EAAA,CAAA;AAE7E,gBAAA,OAAOJ,QAAOK,EAAE,CAACC,KAAK,CAACT,cAAAA,CAAAA,CAAgBkC,QAAQ,CAACzB,KAAAA,CAAAA;AACjD,aAAA;AAEH;;;OAIE,MAAM0B,QAAO5B,MAAM,EAAA;;AAEjB,gBAAA,MAAMH,cAAiBH,GAAAA,iBAAAA,EAAAA;AACvB,gBAAA,IAAIG,kBAAkBA,cAAegC,CAAAA,SAAS,CAAC,mBAAwB7B,CAAAA,IAAAA,MAAAA,CAAOmB,EAAE,EAAE;AAChF,oBAAA,MAAMtB,eAAe,mBAAqBiC,CAAAA,CAAAA,sBAAsB,CAACC,MAAAA,CAAO/B,OAAOmB,EAAE,CAAA,CAAA;AAClF;AAED,gBAAA,OAAOvB,QAAOK,EAAE,CAACC,KAAK,CAACT,cAAAA,CAAAA,CAAgBuC,MAAM,CAAC;oBAAE7B,KAAOH,EAAAA;AAAM,iBAAA,CAAA;AAC9D,aAAA;YAEDiC,gBAAiBC,CAAAA,CAAAA,QAAQ,EAAEvB,IAAI,EAAA;gBAC7B,OAAO7B,MAAAA,CAAOqD,OAAO,CAACD,QAAUvB,EAAAA,IAAAA,CAAAA;AACjC,aAAA;AAED,YAAA,MAAMyB,uBAAsBtC,IAAI,EAAA;AAC9B,gBAAA,MAAMuC,wBAAwB9C,UAAW,CAAA,mBAAA,CAAA;AACzC,gBAAA,MAAM+C,WAAc,GAAA,MAAM1C,OAAO2C,CAAAA,KAAK,CAAC;oBAAE9B,IAAM,EAAA,QAAA;oBAAU+B,IAAM,EAAA;AAAmB,iBAAA,CAAA;gBAClF,MAAMC,UAAAA,GAAa7C,OAAOW,CAAAA,QAAQ,CAACd,cAAAA,CAAAA;AAEnC,gBAAA,MAAMiD,QAAW,GAAA,MAAMJ,WACpBjB,CAAAA,GAAG,CAAC;oBAAEb,GAAK,EAAA;mBACXmC,IAAI,CAAC,CAACC,aAAeA,UAAWC,CAAAA,kBAAkB,CAACC,OAAO,CAAA;;AAG7D,gBAAA,MAAMC,oBAAoB,MAAM7D,QAAAA,CAAS8D,UAAU,CAACC,qBAAqB,CACvE;oBACEC,MAAQT,EAAAA,UAAAA;AACRlC,oBAAAA,QAAAA,EAAUX,OAAOW,CAAAA,QAAQ,CAAC4C,IAAI,CAACvD,OAAAA;iBAEjCE,EAAAA,IAAAA,CAAAA;AAGF,gBAAA,MAAMsD,oBAAoBxE,MAAOyE,CAAAA,WAAW,CAAC,EAAA,CAAA,CAAIC,QAAQ,CAAC,KAAA,CAAA;AAE1D,gBAAA,MAAM,IAAI,CAACtC,IAAI,CAAClB,IAAAA,CAAKqB,EAAE,EAAE;AAAEiC,oBAAAA;AAAiB,iBAAA,CAAA;AAE5C,gBAAA,MAAMG,SAAY3D,GAAAA,OAAAA,CAAO4D,MAAM,CAACnC,GAAG,CAAC,iBAAA,CAAA;gBAEpC,IAAI;oBACFqB,QAASe,CAAAA,OAAO,GAAG,MAAMpB,qBAAAA,CAAsBqB,QAAQ,CAAChB,QAAAA,CAASe,OAAO,EAAE;AACxEE,wBAAAA,GAAAA,EAAK3E,QACHY,OAAO4D,CAAAA,MAAM,CAACnC,GAAG,CAAC,uBAClBkC,SACA,EAAA,0BAAA,CAAA;AAEFK,wBAAAA,UAAAA,EAAYhE,OAAO4D,CAAAA,MAAM,CAACnC,GAAG,CAAC,oBAAA,CAAA;AAC9BwC,wBAAAA,SAAAA,EAAWjE,OAAO4D,CAAAA,MAAM,CAACnC,GAAG,CAAC,mBAAA,CAAA;wBAC7ByC,IAAMf,EAAAA,iBAAAA;wBACNgB,IAAMX,EAAAA;AACd,qBAAA,CAAA;oBAEMV,QAASsB,CAAAA,MAAM,GAAG,MAAM3B,qBAAAA,CAAsBqB,QAAQ,CAAChB,QAAAA,CAASsB,MAAM,EAAE;wBACtEF,IAAMf,EAAAA;AACd,qBAAA,CAAA;AACA,iBAAA,CAAM,OAAM;oBACNnD,OAAOqE,CAAAA,GAAG,CAACC,KAAK,CACd,mNAAA,CAAA;AAEF,oBAAA;AACD;;gBAGD,MAAMtE,OAAAA,CACHuE,MAAM,CAAC,OAAA,CAAA,CACPC,OAAO,CAAC,OAAA,CAAA,CACRC,IAAI,CAAC;AACJC,oBAAAA,EAAAA,EAAIxE,KAAKyE,KAAK;oBACdC,IACE9B,EAAAA,QAAAA,CAAS8B,IAAI,CAACD,KAAK,IAAI7B,QAAS8B,CAAAA,IAAI,CAAChC,IAAI,GACrC,CAAC,EAAEE,QAAAA,CAAS8B,IAAI,CAAChC,IAAI,CAAC,EAAE,EAAEE,QAAAA,CAAS8B,IAAI,CAACD,KAAK,CAAC,CAAC,CAAC,GAChDE,SAAAA;AACNC,oBAAAA,OAAAA,EAAShC,SAASiC,cAAc;AAChCC,oBAAAA,OAAAA,EAASlC,SAASsB,MAAM;AACxBa,oBAAAA,IAAAA,EAAMnC,SAASe,OAAO;AACtBqB,oBAAAA,IAAAA,EAAMpC,SAASe;AACvB,iBAAA,CAAA;AACG;SACH,CAAA;;;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/plugin-users-permissions",
-  "version": "0.0.0-next.d9724d67b33363354d7171a9f2265e1c42485e13",
+  "version": "0.0.0-next.da19c0501ff87d14fb664b55b8e0630d3c548485",
   "description": "Protect your API with a full-authentication process based on JWT",
   "repository": {
     "type": "git",
@@ -48,9 +48,9 @@
     "watch": "run -T rollup -c -w"
   },
   "dependencies": {
-    "@strapi/design-system": "2.0.0-rc.29",
-    "@strapi/icons": "2.0.0-rc.29",
-    "@strapi/utils": "0.0.0-next.d9724d67b33363354d7171a9f2265e1c42485e13",
+    "@strapi/design-system": "2.0.0-rc.30",
+    "@strapi/icons": "2.0.0-rc.30",
+    "@strapi/utils": "0.0.0-next.da19c0501ff87d14fb664b55b8e0630d3c548485",
     "bcryptjs": "2.4.3",
     "formik": "2.4.5",
     "grant": "^5.4.8",
@@ -70,7 +70,7 @@
     "zod": "3.25.67"
   },
   "devDependencies": {
-    "@strapi/strapi": "0.0.0-next.d9724d67b33363354d7171a9f2265e1c42485e13",
+    "@strapi/strapi": "0.0.0-next.da19c0501ff87d14fb664b55b8e0630d3c548485",
     "@testing-library/dom": "10.1.0",
     "@testing-library/react": "15.0.7",
     "@testing-library/user-event": "14.5.2",

package/server/bootstrap/index.js

@@ -11,6 +11,18 @@ const crypto = require('crypto');
 const _ = require('lodash');
 const { getService } = require('../utils');
 const usersPermissionsActions = require('./users-permissions-actions');
+const {
+  DEFAULT_ACCESS_TOKEN_LIFESPAN,
+  DEFAULT_MAX_REFRESH_TOKEN_LIFESPAN,
+  DEFAULT_IDLE_REFRESH_TOKEN_LIFESPAN,
+  DEFAULT_MAX_SESSION_LIFESPAN,
+  DEFAULT_IDLE_SESSION_LIFESPAN,
+} = require('../services/constants');
+
+const getSessionManager = () => {
+  const manager = strapi.sessionManager;
+  return manager ?? null;
+};
 
 const initGrant = async (pluginStore) => {
   const allProviders = getService('providers-registry').getAll();
@@ -113,6 +125,25 @@ module.exports = async ({ strapi }) => {
 
   await getService('users-permissions').initialize();
 
+  // Define users-permissions origin configuration for sessionManager
+  const upConfig = strapi.config.get('plugin::users-permissions');
+  const sessionManager = getSessionManager();
+
+  if (sessionManager) {
+    sessionManager.defineOrigin('users-permissions', {
+      jwtSecret: upConfig.jwtSecret || strapi.config.get('admin.auth.secret'),
+      accessTokenLifespan: upConfig.sessions?.accessTokenLifespan || DEFAULT_ACCESS_TOKEN_LIFESPAN,
+      maxRefreshTokenLifespan:
+        upConfig.sessions?.maxRefreshTokenLifespan || DEFAULT_MAX_REFRESH_TOKEN_LIFESPAN,
+      idleRefreshTokenLifespan:
+        upConfig.sessions?.idleRefreshTokenLifespan || DEFAULT_IDLE_REFRESH_TOKEN_LIFESPAN,
+      maxSessionLifespan: upConfig.sessions?.maxSessionLifespan || DEFAULT_MAX_SESSION_LIFESPAN,
+      idleSessionLifespan: upConfig.sessions?.idleSessionLifespan || DEFAULT_IDLE_SESSION_LIFESPAN,
+      algorithm: upConfig.jwt?.algorithm,
+      jwtOptions: upConfig.jwt || {},
+    });
+  }
+
   if (!strapi.config.get('plugin::users-permissions.jwtSecret')) {
     if (process.env.NODE_ENV !== 'development') {
       throw new Error(

package/server/config.js

@@ -1,11 +1,33 @@
 'use strict';
 
+const {
+  DEFAULT_ACCESS_TOKEN_LIFESPAN,
+  DEFAULT_MAX_REFRESH_TOKEN_LIFESPAN,
+  DEFAULT_IDLE_REFRESH_TOKEN_LIFESPAN,
+  DEFAULT_MAX_SESSION_LIFESPAN,
+  DEFAULT_IDLE_SESSION_LIFESPAN,
+} = require('./services/constants');
+
 module.exports = {
   default: ({ env }) => ({
     jwtSecret: env('JWT_SECRET'),
     jwt: {
       expiresIn: '30d',
     },
+    /**
+     * JWT management mode for the Content API authentication
+     * - "legacy-support": use plugin JWTs (backward compatible)
+     * - "refresh": use SessionManager (access/refresh tokens)
+     */
+    jwtManagement: 'legacy-support',
+    sessions: {
+      accessTokenLifespan: DEFAULT_ACCESS_TOKEN_LIFESPAN,
+      maxRefreshTokenLifespan: DEFAULT_MAX_REFRESH_TOKEN_LIFESPAN,
+      idleRefreshTokenLifespan: DEFAULT_IDLE_REFRESH_TOKEN_LIFESPAN,
+      maxSessionLifespan: DEFAULT_MAX_SESSION_LIFESPAN,
+      idleSessionLifespan: DEFAULT_IDLE_SESSION_LIFESPAN,
+      httpOnly: false,
+    },
     ratelimit: {
       interval: 60000,
       max: 10,

package/server/controllers/auth.js

@@ -31,6 +31,12 @@ const sanitizeUser = (user, ctx) => {
   return strapi.contentAPI.sanitize.output(user, userSchema, { auth });
 };
 
+const extractDeviceId = (requestBody) => {
+  const { deviceId } = requestBody || {};
+
+  return typeof deviceId === 'string' && deviceId.length > 0 ? deviceId : undefined;
+};
+
 module.exports = ({ strapi }) => ({
   async callback(ctx) {
     const provider = ctx.params.provider || 'local';
@@ -86,6 +92,51 @@ module.exports = ({ strapi }) => ({
         throw new ApplicationError('Your account has been blocked by an administrator');
       }
 
+      const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+      if (mode === 'refresh') {
+        const deviceId = extractDeviceId(ctx.request.body);
+
+        const refresh = await strapi
+          .sessionManager('users-permissions')
+          .generateRefreshToken(String(user.id), deviceId, { type: 'refresh' });
+
+        const access = await strapi
+          .sessionManager('users-permissions')
+          .generateAccessToken(refresh.token);
+        if ('error' in access) {
+          throw new ApplicationError('Invalid credentials');
+        }
+
+        const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+        const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+        if (upSessions?.httpOnly || requestHttpOnly) {
+          const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+          const isProduction = process.env.NODE_ENV === 'production';
+          const isSecure =
+            typeof upSessions.cookie?.secure === 'boolean'
+              ? upSessions.cookie?.secure
+              : isProduction;
+
+          const cookieOptions = {
+            httpOnly: true,
+            secure: isSecure,
+            sameSite: upSessions.cookie?.sameSite ?? 'lax',
+            path: upSessions.cookie?.path ?? '/',
+            domain: upSessions.cookie?.domain,
+            overwrite: true,
+          };
+
+          ctx.cookies.set(cookieName, refresh.token, cookieOptions);
+          return ctx.send({ jwt: access.token, user: await sanitizeUser(user, ctx) });
+        }
+
+        return ctx.send({
+          jwt: access.token,
+          refreshToken: refresh.token,
+          user: await sanitizeUser(user, ctx),
+        });
+      }
+
       return ctx.send({
         jwt: getService('jwt').issue({ id: user.id }),
         user: await sanitizeUser(user, ctx),
@@ -100,6 +151,49 @@ module.exports = ({ strapi }) => ({
         throw new ForbiddenError('Your account has been blocked by an administrator');
       }
 
+      const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+      if (mode === 'refresh') {
+        const deviceId = extractDeviceId(ctx.request.body);
+
+        const refresh = await strapi
+          .sessionManager('users-permissions')
+          .generateRefreshToken(String(user.id), deviceId, { type: 'refresh' });
+
+        const access = await strapi
+          .sessionManager('users-permissions')
+          .generateAccessToken(refresh.token);
+        if ('error' in access) {
+          throw new ApplicationError('Invalid credentials');
+        }
+
+        const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+        const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+        if (upSessions?.httpOnly || requestHttpOnly) {
+          const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+          const isProduction = process.env.NODE_ENV === 'production';
+          const isSecure =
+            typeof upSessions.cookie?.secure === 'boolean'
+              ? upSessions.cookie?.secure
+              : isProduction;
+
+          const cookieOptions = {
+            httpOnly: true,
+            secure: isSecure,
+            sameSite: upSessions.cookie?.sameSite ?? 'lax',
+            path: upSessions.cookie?.path ?? '/',
+            domain: upSessions.cookie?.domain,
+            overwrite: true,
+          };
+          ctx.cookies.set(cookieName, refresh.token, cookieOptions);
+          return ctx.send({ jwt: access.token, user: await sanitizeUser(user, ctx) });
+        }
+        return ctx.send({
+          jwt: access.token,
+          refreshToken: refresh.token,
+          user: await sanitizeUser(user, ctx),
+        });
+      }
+
       return ctx.send({
         jwt: getService('jwt').issue({ id: user.id }),
         user: await sanitizeUser(user, ctx),
@@ -137,7 +231,37 @@ module.exports = ({ strapi }) => ({
 
     await getService('user').edit(user.id, { password });
 
-    ctx.send({
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode === 'refresh') {
+      const deviceId = extractDeviceId(ctx.request.body);
+
+      if (deviceId) {
+        // Invalidate sessions: specific device if deviceId provided
+        await strapi
+          .sessionManager('users-permissions')
+          .invalidateRefreshToken(String(user.id), deviceId);
+      }
+
+      const newDeviceId = deviceId || crypto.randomUUID();
+      const refresh = await strapi
+        .sessionManager('users-permissions')
+        .generateRefreshToken(String(user.id), newDeviceId, { type: 'refresh' });
+
+      const access = await strapi
+        .sessionManager('users-permissions')
+        .generateAccessToken(refresh.token);
+      if ('error' in access) {
+        throw new ApplicationError('Invalid credentials');
+      }
+
+      return ctx.send({
+        jwt: access.token,
+        refreshToken: refresh.token,
+        user: await sanitizeUser(user, ctx),
+      });
+    }
+
+    return ctx.send({
       jwt: getService('jwt').issue({ id: user.id }),
       user: await sanitizeUser(user, ctx),
     });
@@ -168,13 +292,115 @@ module.exports = ({ strapi }) => ({
       password,
     });
 
-    // Update the user.
-    ctx.send({
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode === 'refresh') {
+      const deviceId = extractDeviceId(ctx.request.body);
+
+      if (deviceId) {
+        // Invalidate sessions: specific device if deviceId provided
+        await strapi
+          .sessionManager('users-permissions')
+          .invalidateRefreshToken(String(user.id), deviceId);
+      }
+
+      const newDeviceId = deviceId || crypto.randomUUID();
+      const refresh = await strapi
+        .sessionManager('users-permissions')
+        .generateRefreshToken(String(user.id), newDeviceId, { type: 'refresh' });
+
+      const access = await strapi
+        .sessionManager('users-permissions')
+        .generateAccessToken(refresh.token);
+      if ('error' in access) {
+        throw new ApplicationError('Invalid credentials');
+      }
+
+      return ctx.send({
+        jwt: access.token,
+        refreshToken: refresh.token,
+        user: await sanitizeUser(user, ctx),
+      });
+    }
+
+    return ctx.send({
       jwt: getService('jwt').issue({ id: user.id }),
       user: await sanitizeUser(user, ctx),
     });
   },
+  async refresh(ctx) {
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode !== 'refresh') {
+      return ctx.notFound();
+    }
+
+    const { refreshToken } = ctx.request.body || {};
+    if (!refreshToken || typeof refreshToken !== 'string') {
+      return ctx.badRequest('Missing refresh token');
+    }
+
+    const rotation = await strapi
+      .sessionManager('users-permissions')
+      .rotateRefreshToken(refreshToken);
+    if ('error' in rotation) {
+      return ctx.unauthorized('Invalid refresh token');
+    }
+
+    const result = await strapi
+      .sessionManager('users-permissions')
+      .generateAccessToken(rotation.token);
+    if ('error' in result) {
+      return ctx.unauthorized('Invalid refresh token');
+    }
+
+    const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+    const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+    if (upSessions?.httpOnly || requestHttpOnly) {
+      const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+      const isProduction = process.env.NODE_ENV === 'production';
+      const isSecure =
+        typeof upSessions.cookie?.secure === 'boolean' ? upSessions.cookie?.secure : isProduction;
+
+      const cookieOptions = {
+        httpOnly: true,
+        secure: isSecure,
+        sameSite: upSessions.cookie?.sameSite ?? 'lax',
+        path: upSessions.cookie?.path ?? '/',
+        domain: upSessions.cookie?.domain,
+        overwrite: true,
+      };
+      ctx.cookies.set(cookieName, rotation.token, cookieOptions);
+      return ctx.send({ jwt: result.token });
+    }
+    return ctx.send({ jwt: result.token, refreshToken: rotation.token });
+  },
+  async logout(ctx) {
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode !== 'refresh') {
+      return ctx.notFound();
+    }
+
+    // Invalidate all sessions for the authenticated user, or by deviceId if provided
+    if (!ctx.state.user) {
+      return ctx.unauthorized('Missing authentication');
+    }
+
+    const deviceId = extractDeviceId(ctx.request.body);
+    try {
+      await strapi
+        .sessionManager('users-permissions')
+        .invalidateRefreshToken(String(ctx.state.user.id), deviceId);
+    } catch (err) {
+      strapi.log.error('UP logout failed', err);
+    }
 
+    const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+    const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+    if (upSessions?.httpOnly || requestHttpOnly) {
+      const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+      ctx.cookies.set(cookieName, '', { expires: new Date(0) });
+    }
+    return ctx.send({ ok: true });
+  },
   async connect(ctx, next) {
     const grant = require('grant').koa();
 
@@ -387,12 +613,26 @@ module.exports = ({ strapi }) => ({
       return ctx.send({ user: sanitizedUser });
     }
 
-    const jwt = getService('jwt').issue(_.pick(user, ['id']));
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode === 'refresh') {
+      const deviceId = extractDeviceId(ctx.request.body) || crypto.randomUUID();
 
-    return ctx.send({
-      jwt,
-      user: sanitizedUser,
-    });
+      const refresh = await strapi
+        .sessionManager('users-permissions')
+        .generateRefreshToken(String(user.id), deviceId, { type: 'refresh' });
+
+      const access = await strapi
+        .sessionManager('users-permissions')
+        .generateAccessToken(refresh.token);
+      if ('error' in access) {
+        throw new ApplicationError('Invalid credentials');
+      }
+
+      return ctx.send({ jwt: access.token, refreshToken: refresh.token, user: sanitizedUser });
+    }
+
+    const jwt = getService('jwt').issue(_.pick(user, ['id']));
+    return ctx.send({ jwt, user: sanitizedUser });
   },
 
   async emailConfirmation(ctx, next, returnUser) {

package/server/routes/content-api/auth.js

@@ -114,5 +114,17 @@ module.exports = (strapi) => {
       },
       response: validator.authResponseSchema,
     },
+    {
+      method: 'POST',
+      path: '/auth/refresh',
+      handler: 'auth.refresh',
+      config: { prefix: '' },
+    },
+    {
+      method: 'POST',
+      path: '/auth/logout',
+      handler: 'auth.logout',
+      config: { prefix: '' },
+    },
   ];
 };

package/server/routes/content-api/validation.js

@@ -87,6 +87,7 @@ class UsersPermissionsRouteValidator extends AbstractRouteValidator {
   get authResponseSchema() {
     return z.object({
       jwt: z.string(),
+      refreshToken: z.string().optional(),
       user: this.userSchema,
     });
   }

package/server/services/constants.js

@@ -0,0 +1,9 @@
+'use strict';
+
+module.exports = {
+  DEFAULT_ACCESS_TOKEN_LIFESPAN: 10 * 60, // 10 minutes
+  DEFAULT_MAX_REFRESH_TOKEN_LIFESPAN: 30 * 24 * 60 * 60, // 30 days
+  DEFAULT_IDLE_REFRESH_TOKEN_LIFESPAN: 14 * 24 * 60 * 60, // 14 days
+  DEFAULT_MAX_SESSION_LIFESPAN: 1 * 24 * 60 * 60, // 1 day
+  DEFAULT_IDLE_SESSION_LIFESPAN: 2 * 60 * 60, // 2 hours
+};