strapi-plugin-magic-sessionmanager 2.0.1 → 2.0.3

package/server/src/services/notifications.js

@@ -0,0 +1,319 @@
+/**
+ * Notifications Service (ADVANCED Feature)
+ * Send email alerts for session events
+ */
+
+module.exports = ({ strapi }) => ({
+  /**
+   * Get email templates from database settings
+   * Falls back to default hardcoded templates if not found
+   */
+  async getEmailTemplates() {
+    try {
+      // Try to load templates from database
+      const pluginStore = strapi.store({
+        type: 'plugin',
+        name: 'magic-sessionmanager',
+      });
+      
+      const settings = await pluginStore.get({ key: 'settings' });
+      
+      if (settings?.emailTemplates && Object.keys(settings.emailTemplates).length > 0) {
+        // Check if templates have content
+        const hasContent = Object.values(settings.emailTemplates).some(
+          template => template.html || template.text
+        );
+        
+        if (hasContent) {
+          strapi.log.debug('[magic-sessionmanager/notifications] Using templates from database');
+          return settings.emailTemplates;
+        }
+      }
+    } catch (err) {
+      strapi.log.warn('[magic-sessionmanager/notifications] Could not load templates from DB, using defaults:', err.message);
+    }
+    
+    // Default fallback templates
+    strapi.log.debug('[magic-sessionmanager/notifications] Using default fallback templates');
+    return {
+      suspiciousLogin: {
+        subject: '🚨 Suspicious Login Alert - Session Manager',
+        html: `
+<html>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+  <div style="max-width: 600px; margin: 0 auto; padding: 20px; background-color: #f9fafb; border-radius: 10px;">
+    <h2 style="color: #dc2626;">🚨 Suspicious Login Detected</h2>
+    <p>A potentially suspicious login was detected for your account.</p>
+    
+    <div style="background: white; padding: 15px; border-radius: 8px; margin: 20px 0;">
+      <h3 style="margin-top: 0;">Account Information:</h3>
+      <ul>
+        <li><strong>Email:</strong> {{user.email}}</li>
+        <li><strong>Username:</strong> {{user.username}}</li>
+      </ul>
+      
+      <h3>Login Details:</h3>
+      <ul>
+        <li><strong>Time:</strong> {{session.loginTime}}</li>
+        <li><strong>IP Address:</strong> {{session.ipAddress}}</li>
+        <li><strong>Location:</strong> {{geo.city}}, {{geo.country}}</li>
+        <li><strong>Timezone:</strong> {{geo.timezone}}</li>
+        <li><strong>Device:</strong> {{session.userAgent}}</li>
+      </ul>
+      
+      <h3 style="color: #dc2626;">Security Alert:</h3>
+      <ul>
+        <li>VPN Detected: {{reason.isVpn}}</li>
+        <li>Proxy Detected: {{reason.isProxy}}</li>
+        <li>Threat Detected: {{reason.isThreat}}</li>
+        <li>Security Score: {{reason.securityScore}}/100</li>
+      </ul>
+    </div>
+    
+    <p>If this was you, you can safely ignore this email. If you don't recognize this activity, please secure your account immediately.</p>
+    
+    <hr style="border: none; border-top: 1px solid #e5e7eb; margin: 20px 0;"/>
+    <p style="color: #666; font-size: 12px;">This is an automated security notification from Magic Session Manager.</p>
+  </div>
+</body>
+</html>`,
+        text: `🚨 Suspicious Login Detected\n\nA potentially suspicious login was detected for your account.\n\nAccount: {{user.email}}\nUsername: {{user.username}}\n\nLogin Details:\n- Time: {{session.loginTime}}\n- IP: {{session.ipAddress}}\n- Location: {{geo.city}}, {{geo.country}}\n\nSecurity: VPN={{reason.isVpn}}, Proxy={{reason.isProxy}}, Threat={{reason.isThreat}}, Score={{reason.securityScore}}/100`,
+      },
+      newLocation: {
+        subject: '📍 New Location Login Detected',
+        html: `<h2>📍 New Location Login</h2><p>Account: {{user.email}}</p><p>Time: {{session.loginTime}}</p><p>Location: {{geo.city}}, {{geo.country}}</p><p>IP: {{session.ipAddress}}</p>`,
+        text: `📍 New Location Login\n\nAccount: {{user.email}}\nTime: {{session.loginTime}}\nLocation: {{geo.city}}, {{geo.country}}\nIP: {{session.ipAddress}}`,
+      },
+      vpnProxy: {
+        subject: '⚠️ VPN/Proxy Login Detected',
+        html: `<h2>⚠️ VPN/Proxy Detected</h2><p>Account: {{user.email}}</p><p>Time: {{session.loginTime}}</p><p>IP: {{session.ipAddress}}</p><p>VPN: {{reason.isVpn}}, Proxy: {{reason.isProxy}}</p>`,
+        text: `⚠️ VPN/Proxy Detected\n\nAccount: {{user.email}}\nTime: {{session.loginTime}}\nIP: {{session.ipAddress}}\nVPN: {{reason.isVpn}}, Proxy: {{reason.isProxy}}`,
+      },
+    };
+  },
+  
+  /**
+   * Replace template variables with actual values
+   */
+  replaceVariables(template, data) {
+    let result = template;
+    
+    // User variables
+    result = result.replace(/\{\{user\.email\}\}/g, data.user?.email || 'N/A');
+    result = result.replace(/\{\{user\.username\}\}/g, data.user?.username || 'N/A');
+    
+    // Session variables
+    result = result.replace(/\{\{session\.loginTime\}\}/g, 
+      data.session?.loginTime ? new Date(data.session.loginTime).toLocaleString() : 'N/A');
+    result = result.replace(/\{\{session\.ipAddress\}\}/g, data.session?.ipAddress || 'N/A');
+    result = result.replace(/\{\{session\.userAgent\}\}/g, data.session?.userAgent || 'N/A');
+    
+    // Geo variables
+    result = result.replace(/\{\{geo\.city\}\}/g, data.geoData?.city || 'Unknown');
+    result = result.replace(/\{\{geo\.country\}\}/g, data.geoData?.country || 'Unknown');
+    result = result.replace(/\{\{geo\.timezone\}\}/g, data.geoData?.timezone || 'Unknown');
+    
+    // Reason variables
+    result = result.replace(/\{\{reason\.isVpn\}\}/g, data.reason?.isVpn ? 'Yes' : 'No');
+    result = result.replace(/\{\{reason\.isProxy\}\}/g, data.reason?.isProxy ? 'Yes' : 'No');
+    result = result.replace(/\{\{reason\.isThreat\}\}/g, data.reason?.isThreat ? 'Yes' : 'No');
+    result = result.replace(/\{\{reason\.securityScore\}\}/g, data.reason?.securityScore || '0');
+    
+    return result;
+  },
+
+  /**
+   * Send suspicious login alert
+   * @param {Object} params - { user, session, reason, geoData }
+   */
+  async sendSuspiciousLoginAlert({ user, session, reason, geoData }) {
+    try {
+      // Get templates from database (or defaults)
+      const templates = await this.getEmailTemplates();
+      const template = templates.suspiciousLogin;
+      
+      // Prepare data for variable replacement
+      const data = { user, session, reason, geoData };
+      
+      // Replace variables in template
+      const htmlContent = this.replaceVariables(template.html, data);
+      const textContent = this.replaceVariables(template.text, data);
+
+      await strapi.plugins['email'].services.email.send({
+        to: user.email,
+        subject: template.subject,
+        html: htmlContent,
+        text: textContent,
+      });
+
+      strapi.log.info(`[magic-sessionmanager/notifications] Suspicious login alert sent to ${user.email}`);
+      return true;
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager/notifications] Error sending email:', err);
+      return false;
+    }
+  },
+
+  /**
+   * Send new location login alert
+   * @param {Object} params - { user, session, geoData }
+   */
+  async sendNewLocationAlert({ user, session, geoData }) {
+    try {
+      // Get templates from database (or defaults)
+      const templates = await this.getEmailTemplates();
+      const template = templates.newLocation;
+      
+      // Prepare data for variable replacement
+      const data = { user, session, geoData, reason: {} };
+      
+      // Replace variables in template
+      const htmlContent = this.replaceVariables(template.html, data);
+      const textContent = this.replaceVariables(template.text, data);
+
+      await strapi.plugins['email'].services.email.send({
+        to: user.email,
+        subject: template.subject,
+        html: htmlContent,
+        text: textContent,
+      });
+
+      strapi.log.info(`[magic-sessionmanager/notifications] New location alert sent to ${user.email}`);
+      return true;
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager/notifications] Error sending new location email:', err);
+      return false;
+    }
+  },
+  
+  /**
+   * Send VPN/Proxy login alert
+   * @param {Object} params - { user, session, reason, geoData }
+   */
+  async sendVpnProxyAlert({ user, session, reason, geoData }) {
+    try {
+      // Get templates from database (or defaults)
+      const templates = await this.getEmailTemplates();
+      const template = templates.vpnProxy;
+      
+      // Prepare data for variable replacement
+      const data = { user, session, reason, geoData };
+      
+      // Replace variables in template
+      const htmlContent = this.replaceVariables(template.html, data);
+      const textContent = this.replaceVariables(template.text, data);
+
+      await strapi.plugins['email'].services.email.send({
+        to: user.email,
+        subject: template.subject,
+        html: htmlContent,
+        text: textContent,
+      });
+
+      strapi.log.info(`[magic-sessionmanager/notifications] VPN/Proxy alert sent to ${user.email}`);
+      return true;
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager/notifications] Error sending VPN/Proxy email:', err);
+      return false;
+    }
+  },
+
+  /**
+   * Send webhook notification
+   * @param {Object} params - { event, data, webhookUrl }
+   */
+  async sendWebhook({ event, data, webhookUrl }) {
+    try {
+      const payload = {
+        event,
+        timestamp: new Date().toISOString(),
+        data,
+        source: 'magic-sessionmanager',
+      };
+
+      const response = await fetch(webhookUrl, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'User-Agent': 'Strapi-Magic-SessionManager-Webhook/1.0',
+        },
+        body: JSON.stringify(payload),
+      });
+
+      if (response.ok) {
+        strapi.log.info(`[magic-sessionmanager/notifications] Webhook sent: ${event}`);
+        return true;
+      } else {
+        strapi.log.warn(`[magic-sessionmanager/notifications] Webhook failed: ${response.status}`);
+        return false;
+      }
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager/notifications] Webhook error:', err);
+      return false;
+    }
+  },
+
+  /**
+   * Format webhook for Discord
+   * @param {Object} params - { event, session, user, geoData }
+   */
+  formatDiscordWebhook({ event, session, user, geoData }) {
+    const embed = {
+      title: this.getEventTitle(event),
+      color: this.getEventColor(event),
+      fields: [
+        { name: '👤 User', value: `${user.email}\n${user.username || 'N/A'}`, inline: true },
+        { name: '🌐 IP', value: session.ipAddress, inline: true },
+        { name: '📅 Time', value: new Date(session.loginTime).toLocaleString(), inline: false },
+      ],
+      timestamp: new Date().toISOString(),
+      footer: { text: 'Magic Session Manager' },
+    };
+
+    if (geoData) {
+      embed.fields.push({
+        name: '📍 Location',
+        value: `${geoData.country_flag} ${geoData.city}, ${geoData.country}`,
+        inline: true,
+      });
+      
+      if (geoData.isVpn || geoData.isProxy || geoData.isThreat) {
+        const warnings = [];
+        if (geoData.isVpn) warnings.push('VPN');
+        if (geoData.isProxy) warnings.push('Proxy');
+        if (geoData.isThreat) warnings.push('Threat');
+        
+        embed.fields.push({
+          name: '⚠️ Security',
+          value: `${warnings.join(', ')} detected\nScore: ${geoData.securityScore}/100`,
+          inline: true,
+        });
+      }
+    }
+
+    return { embeds: [embed] };
+  },
+
+  getEventTitle(event) {
+    const titles = {
+      'login.suspicious': '🚨 Suspicious Login',
+      'login.new_location': '📍 New Location Login',
+      'login.vpn': '🔴 VPN Login Detected',
+      'login.threat': '⛔ Threat IP Login',
+      'session.terminated': '🔴 Session Terminated',
+    };
+    return titles[event] || '📊 Session Event';
+  },
+
+  getEventColor(event) {
+    const colors = {
+      'login.suspicious': 0xFF0000, // Red
+      'login.new_location': 0xFFA500, // Orange
+      'login.vpn': 0xFF6B6B, // Light Red
+      'login.threat': 0x8B0000, // Dark Red
+      'session.terminated': 0x808080, // Gray
+    };
+    return colors[event] || 0x5865F2; // Discord Blue
+  },
+});
+

package/server/src/services/service.js

@@ -0,0 +1,7 @@
+const service = ({ strapi }) => ({
+  getWelcomeMessage() {
+    return 'Welcome to Strapi 🚀';
+  },
+});
+
+export default service;

package/server/src/services/session.js

@@ -0,0 +1,345 @@
+'use strict';
+
+/**
+ * Session Service
+ * Uses plugin::magic-sessionmanager.session content type with relation to users
+ * All session tracking happens in the Session collection
+ *
+ * TODO: For production multi-instance deployments, use Redis for:
+ *   - Session store instead of DB
+ *   - Rate limiting locks
+ *   - Distributed session state
+ */
+module.exports = ({ strapi }) => ({
+  /**
+   * Create a new session record
+   * @param {Object} params - { userId, ip, userAgent, token }
+   * @returns {Promise<Object>} Created session
+   */
+  async createSession({ userId, ip = 'unknown', userAgent = 'unknown', token }) {
+    try {
+      const now = new Date();
+      
+      const session = await strapi.entityService.create('plugin::magic-sessionmanager.session', {
+        data: {
+          user: userId,
+          ipAddress: ip.substring(0, 45),
+          userAgent: userAgent.substring(0, 500),
+          loginTime: now,
+          lastActive: now,
+          isActive: true,
+          token: token, // Store JWT for logout matching
+        },
+      });
+
+      strapi.log.info(`[magic-sessionmanager] ✅ Session ${session.id} created for user ${userId}`);
+
+      return session;
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager] Error creating session:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Terminate a session or all sessions for a user
+   * @param {Object} params - { sessionId | userId }
+   * @returns {Promise<void>}
+   */
+  async terminateSession({ sessionId, userId }) {
+    try {
+      const now = new Date();
+
+      if (sessionId) {
+        await strapi.entityService.update('plugin::magic-sessionmanager.session', sessionId, {
+          data: {
+            isActive: false,
+            logoutTime: now,
+          },
+        });
+
+        strapi.log.info(`[magic-sessionmanager] Session ${sessionId} terminated`);
+      } else if (userId) {
+        // Find all active sessions for user
+        const activeSessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
+          filters: {
+            user: { id: userId },
+            isActive: true,
+          },
+        });
+
+        // Terminate all active sessions
+        for (const session of activeSessions) {
+          await strapi.entityService.update('plugin::magic-sessionmanager.session', session.id, {
+            data: {
+              isActive: false,
+              logoutTime: now,
+            },
+          });
+        }
+
+        strapi.log.info(`[magic-sessionmanager] All sessions terminated for user ${userId}`);
+      }
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager] Error terminating session:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Get ALL sessions (active + inactive) with accurate online status
+   * @returns {Promise<Array>} All sessions with enhanced data
+   */
+  async getAllSessions() {
+    try {
+      const sessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
+        populate: { user: { fields: ['id', 'email', 'username'] } },
+        sort: { loginTime: 'desc' },
+        limit: 1000, // Reasonable limit
+      });
+
+      // Get inactivity timeout from config (default: 15 minutes)
+      const config = strapi.config.get('plugin::magic-sessionmanager') || {};
+      const inactivityTimeout = config.inactivityTimeout || 15 * 60 * 1000; // 15 min in ms
+
+      // Enhance sessions with accurate online status
+      const now = new Date();
+      const enhancedSessions = sessions.map(session => {
+        const lastActiveTime = session.lastActive ? new Date(session.lastActive) : new Date(session.loginTime);
+        const timeSinceActive = now - lastActiveTime;
+        
+        // Session is "truly active" if within timeout window AND isActive is true
+        const isTrulyActive = session.isActive && (timeSinceActive < inactivityTimeout);
+        
+        // Remove sensitive token field for security
+        const { token, ...sessionWithoutToken } = session;
+        
+        return {
+          ...sessionWithoutToken,
+          isTrulyActive,
+          minutesSinceActive: Math.floor(timeSinceActive / 1000 / 60),
+        };
+      });
+
+      return enhancedSessions;
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager] Error getting all sessions:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Get all active sessions with accurate online status
+   * @returns {Promise<Array>} Active sessions with user data and online status
+   */
+  async getActiveSessions() {
+    try {
+      const sessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
+        filters: { isActive: true },
+        populate: { user: { fields: ['id', 'email', 'username'] } },
+        sort: { loginTime: 'desc' },
+      });
+
+      // Get inactivity timeout from config (default: 15 minutes)
+      const config = strapi.config.get('plugin::magic-sessionmanager') || {};
+      const inactivityTimeout = config.inactivityTimeout || 15 * 60 * 1000; // 15 min in ms
+
+      // Enhance sessions with accurate online status
+      const now = new Date();
+      const enhancedSessions = sessions.map(session => {
+        const lastActiveTime = session.lastActive ? new Date(session.lastActive) : new Date(session.loginTime);
+        const timeSinceActive = now - lastActiveTime;
+        
+        // Session is "truly active" if within timeout window
+        const isTrulyActive = timeSinceActive < inactivityTimeout;
+        
+        // Remove sensitive token field for security
+        const { token, ...sessionWithoutToken } = session;
+        
+        return {
+          ...sessionWithoutToken,
+          isTrulyActive,
+          minutesSinceActive: Math.floor(timeSinceActive / 1000 / 60),
+        };
+      });
+
+      // Only return truly active sessions
+      return enhancedSessions.filter(s => s.isTrulyActive);
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager] Error getting active sessions:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Get all sessions for a specific user
+   * @param {number} userId
+   * @returns {Promise<Array>} User's sessions with accurate online status
+   */
+  async getUserSessions(userId) {
+    try {
+      const sessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
+        filters: { user: { id: userId } },
+        sort: { loginTime: 'desc' },
+      });
+
+      // Get inactivity timeout from config (default: 15 minutes)
+      const config = strapi.config.get('plugin::magic-sessionmanager') || {};
+      const inactivityTimeout = config.inactivityTimeout || 15 * 60 * 1000; // 15 min in ms
+
+      // Enhance sessions with accurate online status
+      const now = new Date();
+      const enhancedSessions = sessions.map(session => {
+        const lastActiveTime = session.lastActive ? new Date(session.lastActive) : new Date(session.loginTime);
+        const timeSinceActive = now - lastActiveTime;
+        
+        // Session is "truly active" if:
+        // 1. isActive = true AND
+        // 2. lastActive is within timeout window
+        const isTrulyActive = session.isActive && (timeSinceActive < inactivityTimeout);
+        
+        // Remove sensitive token field for security
+        const { token, ...sessionWithoutToken } = session;
+        
+        return {
+          ...sessionWithoutToken,
+          isTrulyActive,
+          minutesSinceActive: Math.floor(timeSinceActive / 1000 / 60),
+        };
+      });
+
+      return enhancedSessions;
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager] Error getting user sessions:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Update lastActive timestamp on session (rate-limited to avoid DB noise)
+   * @param {Object} params - { userId, sessionId }
+   * @returns {Promise<void>}
+   */
+  async touch({ userId, sessionId }) {
+    try {
+      const now = new Date();
+      const config = strapi.config.get('plugin::magic-sessionmanager') || {};
+      const rateLimit = config.lastSeenRateLimit || 30000;
+
+      // Update session lastActive only
+      if (sessionId) {
+        const session = await strapi.entityService.findOne('plugin::magic-sessionmanager.session', sessionId);
+
+        if (session && session.lastActive) {
+          const lastActiveTime = new Date(session.lastActive).getTime();
+          const currentTime = now.getTime();
+
+          if (currentTime - lastActiveTime > rateLimit) {
+            await strapi.entityService.update('plugin::magic-sessionmanager.session', sessionId, {
+              data: { lastActive: now },
+            });
+          }
+        } else if (session) {
+          // First time or null
+          await strapi.entityService.update('plugin::magic-sessionmanager.session', sessionId, {
+            data: { lastActive: now },
+          });
+        }
+      }
+    } catch (err) {
+      strapi.log.debug('[magic-sessionmanager] Error touching session:', err.message);
+      // Don't throw - this is a non-critical operation
+    }
+  },
+
+  /**
+   * Cleanup inactive sessions - set isActive to false for sessions older than inactivityTimeout
+   * Should be called on bootstrap to clean up stale sessions
+   */
+  async cleanupInactiveSessions() {
+    try {
+      // Get inactivity timeout from config (default: 15 minutes)
+      const config = strapi.config.get('plugin::magic-sessionmanager') || {};
+      const inactivityTimeout = config.inactivityTimeout || 15 * 60 * 1000; // 15 min in ms
+      
+      // Calculate cutoff time
+      const now = new Date();
+      const cutoffTime = new Date(now.getTime() - inactivityTimeout);
+      
+      strapi.log.info(`[magic-sessionmanager] 🧹 Cleaning up sessions inactive since before ${cutoffTime.toISOString()}`);
+      
+      // Find all active sessions
+      const activeSessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
+        filters: { isActive: true },
+        fields: ['id', 'lastActive', 'loginTime'],
+      });
+      
+      // Deactivate old sessions
+      let deactivatedCount = 0;
+      for (const session of activeSessions) {
+        const lastActiveTime = session.lastActive ? new Date(session.lastActive) : new Date(session.loginTime);
+        
+        if (lastActiveTime < cutoffTime) {
+          await strapi.entityService.update('plugin::magic-sessionmanager.session', session.id, {
+            data: { isActive: false },
+          });
+          deactivatedCount++;
+        }
+      }
+      
+      strapi.log.info(`[magic-sessionmanager] ✅ Cleanup complete: ${deactivatedCount} sessions deactivated`);
+      return deactivatedCount;
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager] Error cleaning up inactive sessions:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Delete a single session from database
+   * WARNING: This permanently deletes the record!
+   * @param {number} sessionId - Session ID to delete
+   * @returns {Promise<boolean>} Success status
+   */
+  async deleteSession(sessionId) {
+    try {
+      await strapi.entityService.delete('plugin::magic-sessionmanager.session', sessionId);
+      strapi.log.info(`[magic-sessionmanager] 🗑️ Session ${sessionId} permanently deleted`);
+      return true;
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager] Error deleting session:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Delete all inactive sessions from database
+   * WARNING: This permanently deletes records!
+   * @returns {Promise<number>} Number of deleted sessions
+   */
+  async deleteInactiveSessions() {
+    try {
+      strapi.log.info('[magic-sessionmanager] 🗑️ Deleting all inactive sessions...');
+      
+      // Find all inactive sessions
+      const inactiveSessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
+        filters: { isActive: false },
+        fields: ['id'],
+      });
+      
+      let deletedCount = 0;
+      
+      // Delete each inactive session
+      for (const session of inactiveSessions) {
+        await strapi.entityService.delete('plugin::magic-sessionmanager.session', session.id);
+        deletedCount++;
+      }
+      
+      strapi.log.info(`[magic-sessionmanager] ✅ Deleted ${deletedCount} inactive sessions`);
+      return deletedCount;
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager] Error deleting inactive sessions:', err);
+      throw err;
+    }
+  },
+});