strapi-plugin-magic-sessionmanager 2.0.0 → 2.0.2

package/server/src/services/session.js

@@ -0,0 +1,345 @@
+'use strict';
+
+/**
+ * Session Service
+ * Uses plugin::magic-sessionmanager.session content type with relation to users
+ * All session tracking happens in the Session collection
+ *
+ * TODO: For production multi-instance deployments, use Redis for:
+ *   - Session store instead of DB
+ *   - Rate limiting locks
+ *   - Distributed session state
+ */
+module.exports = ({ strapi }) => ({
+  /**
+   * Create a new session record
+   * @param {Object} params - { userId, ip, userAgent, token }
+   * @returns {Promise<Object>} Created session
+   */
+  async createSession({ userId, ip = 'unknown', userAgent = 'unknown', token }) {
+    try {
+      const now = new Date();
+      
+      const session = await strapi.entityService.create('plugin::magic-sessionmanager.session', {
+        data: {
+          user: userId,
+          ipAddress: ip.substring(0, 45),
+          userAgent: userAgent.substring(0, 500),
+          loginTime: now,
+          lastActive: now,
+          isActive: true,
+          token: token, // Store JWT for logout matching
+        },
+      });
+
+      strapi.log.info(`[magic-sessionmanager] ✅ Session ${session.id} created for user ${userId}`);
+
+      return session;
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager] Error creating session:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Terminate a session or all sessions for a user
+   * @param {Object} params - { sessionId | userId }
+   * @returns {Promise<void>}
+   */
+  async terminateSession({ sessionId, userId }) {
+    try {
+      const now = new Date();
+
+      if (sessionId) {
+        await strapi.entityService.update('plugin::magic-sessionmanager.session', sessionId, {
+          data: {
+            isActive: false,
+            logoutTime: now,
+          },
+        });
+
+        strapi.log.info(`[magic-sessionmanager] Session ${sessionId} terminated`);
+      } else if (userId) {
+        // Find all active sessions for user
+        const activeSessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
+          filters: {
+            user: { id: userId },
+            isActive: true,
+          },
+        });
+
+        // Terminate all active sessions
+        for (const session of activeSessions) {
+          await strapi.entityService.update('plugin::magic-sessionmanager.session', session.id, {
+            data: {
+              isActive: false,
+              logoutTime: now,
+            },
+          });
+        }
+
+        strapi.log.info(`[magic-sessionmanager] All sessions terminated for user ${userId}`);
+      }
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager] Error terminating session:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Get ALL sessions (active + inactive) with accurate online status
+   * @returns {Promise<Array>} All sessions with enhanced data
+   */
+  async getAllSessions() {
+    try {
+      const sessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
+        populate: { user: { fields: ['id', 'email', 'username'] } },
+        sort: { loginTime: 'desc' },
+        limit: 1000, // Reasonable limit
+      });
+
+      // Get inactivity timeout from config (default: 15 minutes)
+      const config = strapi.config.get('plugin::magic-sessionmanager') || {};
+      const inactivityTimeout = config.inactivityTimeout || 15 * 60 * 1000; // 15 min in ms
+
+      // Enhance sessions with accurate online status
+      const now = new Date();
+      const enhancedSessions = sessions.map(session => {
+        const lastActiveTime = session.lastActive ? new Date(session.lastActive) : new Date(session.loginTime);
+        const timeSinceActive = now - lastActiveTime;
+        
+        // Session is "truly active" if within timeout window AND isActive is true
+        const isTrulyActive = session.isActive && (timeSinceActive < inactivityTimeout);
+        
+        // Remove sensitive token field for security
+        const { token, ...sessionWithoutToken } = session;
+        
+        return {
+          ...sessionWithoutToken,
+          isTrulyActive,
+          minutesSinceActive: Math.floor(timeSinceActive / 1000 / 60),
+        };
+      });
+
+      return enhancedSessions;
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager] Error getting all sessions:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Get all active sessions with accurate online status
+   * @returns {Promise<Array>} Active sessions with user data and online status
+   */
+  async getActiveSessions() {
+    try {
+      const sessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
+        filters: { isActive: true },
+        populate: { user: { fields: ['id', 'email', 'username'] } },
+        sort: { loginTime: 'desc' },
+      });
+
+      // Get inactivity timeout from config (default: 15 minutes)
+      const config = strapi.config.get('plugin::magic-sessionmanager') || {};
+      const inactivityTimeout = config.inactivityTimeout || 15 * 60 * 1000; // 15 min in ms
+
+      // Enhance sessions with accurate online status
+      const now = new Date();
+      const enhancedSessions = sessions.map(session => {
+        const lastActiveTime = session.lastActive ? new Date(session.lastActive) : new Date(session.loginTime);
+        const timeSinceActive = now - lastActiveTime;
+        
+        // Session is "truly active" if within timeout window
+        const isTrulyActive = timeSinceActive < inactivityTimeout;
+        
+        // Remove sensitive token field for security
+        const { token, ...sessionWithoutToken } = session;
+        
+        return {
+          ...sessionWithoutToken,
+          isTrulyActive,
+          minutesSinceActive: Math.floor(timeSinceActive / 1000 / 60),
+        };
+      });
+
+      // Only return truly active sessions
+      return enhancedSessions.filter(s => s.isTrulyActive);
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager] Error getting active sessions:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Get all sessions for a specific user
+   * @param {number} userId
+   * @returns {Promise<Array>} User's sessions with accurate online status
+   */
+  async getUserSessions(userId) {
+    try {
+      const sessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
+        filters: { user: { id: userId } },
+        sort: { loginTime: 'desc' },
+      });
+
+      // Get inactivity timeout from config (default: 15 minutes)
+      const config = strapi.config.get('plugin::magic-sessionmanager') || {};
+      const inactivityTimeout = config.inactivityTimeout || 15 * 60 * 1000; // 15 min in ms
+
+      // Enhance sessions with accurate online status
+      const now = new Date();
+      const enhancedSessions = sessions.map(session => {
+        const lastActiveTime = session.lastActive ? new Date(session.lastActive) : new Date(session.loginTime);
+        const timeSinceActive = now - lastActiveTime;
+        
+        // Session is "truly active" if:
+        // 1. isActive = true AND
+        // 2. lastActive is within timeout window
+        const isTrulyActive = session.isActive && (timeSinceActive < inactivityTimeout);
+        
+        // Remove sensitive token field for security
+        const { token, ...sessionWithoutToken } = session;
+        
+        return {
+          ...sessionWithoutToken,
+          isTrulyActive,
+          minutesSinceActive: Math.floor(timeSinceActive / 1000 / 60),
+        };
+      });
+
+      return enhancedSessions;
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager] Error getting user sessions:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Update lastActive timestamp on session (rate-limited to avoid DB noise)
+   * @param {Object} params - { userId, sessionId }
+   * @returns {Promise<void>}
+   */
+  async touch({ userId, sessionId }) {
+    try {
+      const now = new Date();
+      const config = strapi.config.get('plugin::magic-sessionmanager') || {};
+      const rateLimit = config.lastSeenRateLimit || 30000;
+
+      // Update session lastActive only
+      if (sessionId) {
+        const session = await strapi.entityService.findOne('plugin::magic-sessionmanager.session', sessionId);
+
+        if (session && session.lastActive) {
+          const lastActiveTime = new Date(session.lastActive).getTime();
+          const currentTime = now.getTime();
+
+          if (currentTime - lastActiveTime > rateLimit) {
+            await strapi.entityService.update('plugin::magic-sessionmanager.session', sessionId, {
+              data: { lastActive: now },
+            });
+          }
+        } else if (session) {
+          // First time or null
+          await strapi.entityService.update('plugin::magic-sessionmanager.session', sessionId, {
+            data: { lastActive: now },
+          });
+        }
+      }
+    } catch (err) {
+      strapi.log.debug('[magic-sessionmanager] Error touching session:', err.message);
+      // Don't throw - this is a non-critical operation
+    }
+  },
+
+  /**
+   * Cleanup inactive sessions - set isActive to false for sessions older than inactivityTimeout
+   * Should be called on bootstrap to clean up stale sessions
+   */
+  async cleanupInactiveSessions() {
+    try {
+      // Get inactivity timeout from config (default: 15 minutes)
+      const config = strapi.config.get('plugin::magic-sessionmanager') || {};
+      const inactivityTimeout = config.inactivityTimeout || 15 * 60 * 1000; // 15 min in ms
+      
+      // Calculate cutoff time
+      const now = new Date();
+      const cutoffTime = new Date(now.getTime() - inactivityTimeout);
+      
+      strapi.log.info(`[magic-sessionmanager] 🧹 Cleaning up sessions inactive since before ${cutoffTime.toISOString()}`);
+      
+      // Find all active sessions
+      const activeSessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
+        filters: { isActive: true },
+        fields: ['id', 'lastActive', 'loginTime'],
+      });
+      
+      // Deactivate old sessions
+      let deactivatedCount = 0;
+      for (const session of activeSessions) {
+        const lastActiveTime = session.lastActive ? new Date(session.lastActive) : new Date(session.loginTime);
+        
+        if (lastActiveTime < cutoffTime) {
+          await strapi.entityService.update('plugin::magic-sessionmanager.session', session.id, {
+            data: { isActive: false },
+          });
+          deactivatedCount++;
+        }
+      }
+      
+      strapi.log.info(`[magic-sessionmanager] ✅ Cleanup complete: ${deactivatedCount} sessions deactivated`);
+      return deactivatedCount;
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager] Error cleaning up inactive sessions:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Delete a single session from database
+   * WARNING: This permanently deletes the record!
+   * @param {number} sessionId - Session ID to delete
+   * @returns {Promise<boolean>} Success status
+   */
+  async deleteSession(sessionId) {
+    try {
+      await strapi.entityService.delete('plugin::magic-sessionmanager.session', sessionId);
+      strapi.log.info(`[magic-sessionmanager] 🗑️ Session ${sessionId} permanently deleted`);
+      return true;
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager] Error deleting session:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Delete all inactive sessions from database
+   * WARNING: This permanently deletes records!
+   * @returns {Promise<number>} Number of deleted sessions
+   */
+  async deleteInactiveSessions() {
+    try {
+      strapi.log.info('[magic-sessionmanager] 🗑️ Deleting all inactive sessions...');
+      
+      // Find all inactive sessions
+      const inactiveSessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
+        filters: { isActive: false },
+        fields: ['id'],
+      });
+      
+      let deletedCount = 0;
+      
+      // Delete each inactive session
+      for (const session of inactiveSessions) {
+        await strapi.entityService.delete('plugin::magic-sessionmanager.session', session.id);
+        deletedCount++;
+      }
+      
+      strapi.log.info(`[magic-sessionmanager] ✅ Deleted ${deletedCount} inactive sessions`);
+      return deletedCount;
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager] Error deleting inactive sessions:', err);
+      throw err;
+    }
+  },
+});

package/server/src/utils/getClientIp.js

@@ -0,0 +1,118 @@
+/**
+ * Extract real client IP address from request
+ * Handles proxies, load balancers, and various header formats
+ * 
+ * Priority order:
+ * 1. CF-Connecting-IP (Cloudflare)
+ * 2. True-Client-IP (Akamai, Cloudflare)
+ * 3. X-Real-IP (nginx)
+ * 4. X-Forwarded-For (standard proxy header)
+ * 5. X-Client-IP
+ * 6. X-Cluster-Client-IP
+ * 7. ctx.request.ip (Koa default)
+ */
+
+const getClientIp = (ctx) => {
+  try {
+    const headers = ctx.request.headers || ctx.request.header || {};
+    
+    // 1. Cloudflare
+    if (headers['cf-connecting-ip']) {
+      return cleanIp(headers['cf-connecting-ip']);
+    }
+    
+    // 2. True-Client-IP (Akamai, Cloudflare Enterprise)
+    if (headers['true-client-ip']) {
+      return cleanIp(headers['true-client-ip']);
+    }
+    
+    // 3. X-Real-IP (nginx proxy_pass)
+    if (headers['x-real-ip']) {
+      return cleanIp(headers['x-real-ip']);
+    }
+    
+    // 4. X-Forwarded-For (most common)
+    // Format: "client, proxy1, proxy2"
+    // We want the FIRST IP (the actual client)
+    if (headers['x-forwarded-for']) {
+      const forwardedIps = headers['x-forwarded-for'].split(',');
+      const clientIp = forwardedIps[0].trim();
+      if (clientIp && !isPrivateIp(clientIp)) {
+        return cleanIp(clientIp);
+      }
+    }
+    
+    // 5. X-Client-IP
+    if (headers['x-client-ip']) {
+      return cleanIp(headers['x-client-ip']);
+    }
+    
+    // 6. X-Cluster-Client-IP (Rackspace, Riverbed)
+    if (headers['x-cluster-client-ip']) {
+      return cleanIp(headers['x-cluster-client-ip']);
+    }
+    
+    // 7. Forwarded (RFC 7239)
+    if (headers['forwarded']) {
+      const match = headers['forwarded'].match(/for=([^;,\s]+)/);
+      if (match && match[1]) {
+        return cleanIp(match[1].replace(/"/g, ''));
+      }
+    }
+    
+    // 8. Fallback to Koa's ctx.request.ip
+    if (ctx.request.ip) {
+      return cleanIp(ctx.request.ip);
+    }
+    
+    // 9. Last resort
+    return 'unknown';
+    
+  } catch (error) {
+    console.error('[getClientIp] Error extracting IP:', error);
+    return 'unknown';
+  }
+};
+
+/**
+ * Clean IP address (remove IPv6 prefix, port, etc.)
+ */
+const cleanIp = (ip) => {
+  if (!ip) return 'unknown';
+  
+  // Remove port if present
+  ip = ip.split(':')[0];
+  
+  // Remove IPv6 prefix (::ffff:)
+  if (ip.startsWith('::ffff:')) {
+    ip = ip.substring(7);
+  }
+  
+  // Trim whitespace
+  ip = ip.trim();
+  
+  return ip || 'unknown';
+};
+
+/**
+ * Check if IP is private/local
+ */
+const isPrivateIp = (ip) => {
+  if (!ip) return true;
+  
+  // Private IP ranges
+  if (ip === '127.0.0.1' || ip === 'localhost' || ip === '::1') return true;
+  if (ip.startsWith('192.168.')) return true;
+  if (ip.startsWith('10.')) return true;
+  if (ip.startsWith('172.')) {
+    const second = parseInt(ip.split('.')[1]);
+    if (second >= 16 && second <= 31) return true;
+  }
+  if (ip.startsWith('fc00:') || ip.startsWith('fd00:')) return true;
+  if (ip.startsWith('fe80:')) return true;
+  
+  return false;
+};
+
+module.exports = getClientIp;
+