strapi-plugin-magic-sessionmanager 3.0.1 → 3.1.0

package/admin/src/components/SessionInfoCard.jsx

@@ -30,7 +30,7 @@ const SessionInfoCard = ({ id, model }) => {
       }
 
       try {
-        const { data } = await get(`/magic-sessionmanager/admin/user/${id}/sessions`);
+        const { data } = await get(`/magic-sessionmanager/user/${id}/sessions`);
           setSessions(data.data || []);
       } catch (err) {
         console.error('[SessionInfoCard] Error fetching sessions:', err);

package/admin/src/components/SessionInfoPanel.jsx

@@ -26,7 +26,7 @@ const SessionInfoPanel = ({ documentId, model, document }) => {
 
     const fetchData = async () => {
       try {
-        const { data } = await get(`/magic-sessionmanager/admin/user/${userId}/sessions`);
+        const { data } = await get(`/magic-sessionmanager/user/${userId}/sessions`);
           // Filter by truly active (not just isActive, but also within timeout)
           const activeSessions = (data.data || []).filter(s => s.isTrulyActive);
           setSessions(activeSessions);

package/dist/_chunks/{Analytics-ByC7HfOE.mjs → Analytics-Bp1cPJx1.mjs}

@@ -4,8 +4,8 @@ import { useFetchClient } from "@strapi/strapi/admin";
 import styled, { css, keyframes } from "styled-components";
 import { Loader, Typography, Box, Flex, Badge } from "@strapi/design-system";
 import { ChartBubble, Crown, User, Clock, Monitor } from "@strapi/icons";
-import { a as pluginId } from "./index-BLEZRtuD.mjs";
-import { u as useLicense } from "./useLicense-D92JSFYj.mjs";
+import { a as pluginId } from "./index--JzOiQNw.mjs";
+import { u as useLicense } from "./useLicense-W1cxUaca.mjs";
 const theme = {
   colors: {
     primary: { 100: "#E0F2FE", 500: "#0EA5E9", 600: "#0284C7" },

package/dist/_chunks/{Analytics-CgaMF_rH.js → Analytics-CjqdGXnQ.js}

@@ -6,8 +6,8 @@ const admin = require("@strapi/strapi/admin");
 const styled = require("styled-components");
 const designSystem = require("@strapi/design-system");
 const icons = require("@strapi/icons");
-const index = require("./index-CD2Jls2n.js");
-const useLicense = require("./useLicense-C3OdhHzJ.js");
+const index = require("./index-DqtQaEBL.js");
+const useLicense = require("./useLicense-DA-averf.js");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
 const styled__default = /* @__PURE__ */ _interopDefault(styled);
 const theme = {

package/dist/_chunks/{App-Dy-mAUPv.mjs → App-DONYhluL.mjs}

@@ -4,8 +4,8 @@ import { useFetchClient, useNotification } from "@strapi/strapi/admin";
 import styled, { css, keyframes } from "styled-components";
 import { Modal, Flex, Box, Typography, Badge, Divider, Button, Loader, SingleSelect, SingleSelectOption, Thead, Tr, Th, Tbody, Td, Table, TextInput } from "@strapi/design-system";
 import { Check, Information, Monitor, Server, Clock, Cross, Earth, Shield, Crown, Phone, Download, User, Eye, Trash, Search, Key } from "@strapi/icons";
-import { p as parseUserAgent, a as pluginId } from "./index-BLEZRtuD.mjs";
-import { u as useLicense } from "./useLicense-D92JSFYj.mjs";
+import { p as parseUserAgent, a as pluginId } from "./index--JzOiQNw.mjs";
+import { u as useLicense } from "./useLicense-W1cxUaca.mjs";
 import { useNavigate } from "react-router-dom";
 const TwoColumnGrid = styled.div`
   display: grid;

package/dist/_chunks/{App-CsWl6uAZ.js → App-DtfZMVae.js}

@@ -6,8 +6,8 @@ const admin = require("@strapi/strapi/admin");
 const styled = require("styled-components");
 const designSystem = require("@strapi/design-system");
 const icons = require("@strapi/icons");
-const index = require("./index-CD2Jls2n.js");
-const useLicense = require("./useLicense-C3OdhHzJ.js");
+const index = require("./index-DqtQaEBL.js");
+const useLicense = require("./useLicense-DA-averf.js");
 const reactRouterDom = require("react-router-dom");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
 const styled__default = /* @__PURE__ */ _interopDefault(styled);

package/dist/_chunks/{License-V6Y3xHzi.js → License-IWH6ClOx.js}

@@ -6,7 +6,7 @@ const designSystem = require("@strapi/design-system");
 const admin = require("@strapi/strapi/admin");
 const icons = require("@strapi/icons");
 const styled = require("styled-components");
-const index = require("./index-CD2Jls2n.js");
+const index = require("./index-DqtQaEBL.js");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
 const styled__default = /* @__PURE__ */ _interopDefault(styled);
 const theme = {

package/dist/_chunks/{License-DA8KK2GQ.mjs → License-lcVK7rtT.mjs}

@@ -4,7 +4,7 @@ import { Loader, Box, Alert, Flex, Typography, Button, Badge, Accordion } from "
 import { useFetchClient, useNotification } from "@strapi/strapi/admin";
 import { ArrowClockwise, Duplicate, Download, User, Shield, Sparkle, ChartBubble } from "@strapi/icons";
 import styled, { css, keyframes } from "styled-components";
-import { a as pluginId } from "./index-BLEZRtuD.mjs";
+import { a as pluginId } from "./index--JzOiQNw.mjs";
 const theme = {
   colors: {
     neutral: { 200: "#E5E7EB" }

package/dist/_chunks/{Settings-oXa82_Fo.mjs → Settings-JaiqQ_7r.mjs}

@@ -4,8 +4,8 @@ import { Flex, Loader, Typography, Button, Box, Badge, Accordion, Grid, SingleSe
 import { useFetchClient, useNotification } from "@strapi/strapi/admin";
 import { Check, Information, Cog, Trash, Shield, Mail, Code } from "@strapi/icons";
 import styled, { css, keyframes } from "styled-components";
-import { a as pluginId } from "./index-BLEZRtuD.mjs";
-import { u as useLicense } from "./useLicense-D92JSFYj.mjs";
+import { a as pluginId } from "./index--JzOiQNw.mjs";
+import { u as useLicense } from "./useLicense-W1cxUaca.mjs";
 const theme = {
   colors: {
     primary: { 600: "#0284C7", 700: "#075985" },

package/dist/_chunks/{Settings-BpB9rz0q.js → Settings-JixgQiB_.js}

@@ -6,8 +6,8 @@ const designSystem = require("@strapi/design-system");
 const admin = require("@strapi/strapi/admin");
 const icons = require("@strapi/icons");
 const styled = require("styled-components");
-const index = require("./index-CD2Jls2n.js");
-const useLicense = require("./useLicense-C3OdhHzJ.js");
+const index = require("./index-DqtQaEBL.js");
+const useLicense = require("./useLicense-DA-averf.js");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
 const styled__default = /* @__PURE__ */ _interopDefault(styled);
 const theme = {

package/dist/_chunks/{index-BLEZRtuD.mjs → index--JzOiQNw.mjs}

@@ -95,7 +95,7 @@ const SessionInfoPanel = ({ documentId, model, document }) => {
     }
     const fetchData = async () => {
       try {
-        const { data } = await get(`/magic-sessionmanager/admin/user/${userId}/sessions`);
+        const { data } = await get(`/magic-sessionmanager/user/${userId}/sessions`);
         const activeSessions = (data.data || []).filter((s) => s.isTrulyActive);
         setSessions(activeSessions);
         setIsBlocked(document?.blocked || false);
@@ -403,7 +403,7 @@ const index = {
         id: `${pluginId}.plugin.name`,
         defaultMessage: pluginPkg.strapi.displayName
       },
-      Component: () => import("./App-Dy-mAUPv.mjs")
+      Component: () => import("./App-DONYhluL.mjs")
     });
     app.createSettingSection(
       {
@@ -419,7 +419,7 @@ const index = {
           },
           id: "general",
           to: `/settings/${pluginId}/general`,
-          Component: () => import("./Settings-oXa82_Fo.mjs")
+          Component: () => import("./Settings-JaiqQ_7r.mjs")
         },
         {
           intlLabel: {
@@ -428,7 +428,7 @@ const index = {
           },
           id: "analytics",
           to: `/settings/${pluginId}/analytics`,
-          Component: () => import("./Analytics-ByC7HfOE.mjs")
+          Component: () => import("./Analytics-Bp1cPJx1.mjs")
         },
         {
           intlLabel: {
@@ -437,7 +437,7 @@ const index = {
           },
           id: "license",
           to: `/settings/${pluginId}/license`,
-          Component: () => import("./License-DA8KK2GQ.mjs")
+          Component: () => import("./License-lcVK7rtT.mjs")
         }
       ]
     );

package/dist/_chunks/{index-CD2Jls2n.js → index-DqtQaEBL.js}

@@ -96,7 +96,7 @@ const SessionInfoPanel = ({ documentId, model, document }) => {
     }
     const fetchData = async () => {
       try {
-        const { data } = await get(`/magic-sessionmanager/admin/user/${userId}/sessions`);
+        const { data } = await get(`/magic-sessionmanager/user/${userId}/sessions`);
         const activeSessions = (data.data || []).filter((s) => s.isTrulyActive);
         setSessions(activeSessions);
         setIsBlocked(document?.blocked || false);
@@ -404,7 +404,7 @@ const index = {
         id: `${pluginId}.plugin.name`,
         defaultMessage: pluginPkg.strapi.displayName
       },
-      Component: () => Promise.resolve().then(() => require("./App-CsWl6uAZ.js"))
+      Component: () => Promise.resolve().then(() => require("./App-DtfZMVae.js"))
     });
     app.createSettingSection(
       {
@@ -420,7 +420,7 @@ const index = {
           },
           id: "general",
           to: `/settings/${pluginId}/general`,
-          Component: () => Promise.resolve().then(() => require("./Settings-BpB9rz0q.js"))
+          Component: () => Promise.resolve().then(() => require("./Settings-JixgQiB_.js"))
         },
         {
           intlLabel: {
@@ -429,7 +429,7 @@ const index = {
           },
           id: "analytics",
           to: `/settings/${pluginId}/analytics`,
-          Component: () => Promise.resolve().then(() => require("./Analytics-CgaMF_rH.js"))
+          Component: () => Promise.resolve().then(() => require("./Analytics-CjqdGXnQ.js"))
         },
         {
           intlLabel: {
@@ -438,7 +438,7 @@ const index = {
           },
           id: "license",
           to: `/settings/${pluginId}/license`,
-          Component: () => Promise.resolve().then(() => require("./License-V6Y3xHzi.js"))
+          Component: () => Promise.resolve().then(() => require("./License-IWH6ClOx.js"))
         }
       ]
     );

package/dist/_chunks/{useLicense-C3OdhHzJ.js → useLicense-DA-averf.js}

@@ -1,7 +1,7 @@
 "use strict";
 const react = require("react");
 const admin = require("@strapi/strapi/admin");
-const index = require("./index-CD2Jls2n.js");
+const index = require("./index-DqtQaEBL.js");
 const useLicense = () => {
   const { get } = admin.useFetchClient();
   const [isPremium, setIsPremium] = react.useState(false);

package/dist/_chunks/{useLicense-D92JSFYj.mjs → useLicense-W1cxUaca.mjs}

@@ -1,6 +1,6 @@
 import { useState, useEffect } from "react";
 import { useFetchClient } from "@strapi/strapi/admin";
-import { a as pluginId } from "./index-BLEZRtuD.mjs";
+import { a as pluginId } from "./index--JzOiQNw.mjs";
 const useLicense = () => {
   const { get } = useFetchClient();
   const [isPremium, setIsPremium] = useState(false);

package/dist/admin/index.js

@@ -1,3 +1,3 @@
 "use strict";
-const index = require("../_chunks/index-CD2Jls2n.js");
+const index = require("../_chunks/index-DqtQaEBL.js");
 module.exports = index.index;

package/dist/admin/index.mjs

@@ -1,4 +1,4 @@
-import { i } from "../_chunks/index-BLEZRtuD.mjs";
+import { i } from "../_chunks/index--JzOiQNw.mjs";
 export {
   i as default
 };

package/dist/server/index.js

@@ -87,6 +87,68 @@ const isPrivateIp = (ip) => {
   return false;
 };
 var getClientIp_1 = getClientIp$1;
+const crypto$1 = require$$0__default.default;
+const ALGORITHM = "aes-256-gcm";
+const IV_LENGTH = 16;
+function getEncryptionKey() {
+  const envKey = process.env.SESSION_ENCRYPTION_KEY;
+  if (envKey) {
+    const key2 = crypto$1.createHash("sha256").update(envKey).digest();
+    return key2;
+  }
+  const strapiKeys = process.env.APP_KEYS || process.env.API_TOKEN_SALT || "default-insecure-key";
+  const key = crypto$1.createHash("sha256").update(strapiKeys).digest();
+  console.warn("[magic-sessionmanager/encryption] ⚠️  No SESSION_ENCRYPTION_KEY found. Using fallback (not recommended for production).");
+  console.warn("[magic-sessionmanager/encryption] Set SESSION_ENCRYPTION_KEY in .env for better security.");
+  return key;
+}
+function encryptToken$2(token) {
+  if (!token) return null;
+  try {
+    const key = getEncryptionKey();
+    const iv = crypto$1.randomBytes(IV_LENGTH);
+    const cipher = crypto$1.createCipheriv(ALGORITHM, key, iv);
+    let encrypted = cipher.update(token, "utf8", "hex");
+    encrypted += cipher.final("hex");
+    const authTag = cipher.getAuthTag();
+    return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted}`;
+  } catch (err) {
+    console.error("[magic-sessionmanager/encryption] Encryption failed:", err);
+    throw new Error("Failed to encrypt token");
+  }
+}
+function decryptToken$3(encryptedToken) {
+  if (!encryptedToken) return null;
+  try {
+    const key = getEncryptionKey();
+    const parts = encryptedToken.split(":");
+    if (parts.length !== 3) {
+      throw new Error("Invalid encrypted token format");
+    }
+    const iv = Buffer.from(parts[0], "hex");
+    const authTag = Buffer.from(parts[1], "hex");
+    const encrypted = parts[2];
+    const decipher = crypto$1.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(encrypted, "hex", "utf8");
+    decrypted += decipher.final("utf8");
+    return decrypted;
+  } catch (err) {
+    console.error("[magic-sessionmanager/encryption] Decryption failed:", err);
+    return null;
+  }
+}
+function generateSessionId$1(userId) {
+  const timestamp = Date.now().toString(36);
+  const randomBytes = crypto$1.randomBytes(8).toString("hex");
+  const userHash = crypto$1.createHash("sha256").update(userId.toString()).digest("hex").substring(0, 8);
+  return `sess_${timestamp}_${userHash}_${randomBytes}`;
+}
+var encryption = {
+  encryptToken: encryptToken$2,
+  decryptToken: decryptToken$3,
+  generateSessionId: generateSessionId$1
+};
 var lastSeen = ({ strapi: strapi2, sessionService }) => {
   return async (ctx, next) => {
     if (ctx.state.user && ctx.state.user.id) {
@@ -123,6 +185,7 @@ var lastSeen = ({ strapi: strapi2, sessionService }) => {
   };
 };
 const getClientIp = getClientIp_1;
+const { encryptToken: encryptToken$1, decryptToken: decryptToken$2 } = encryption;
 var bootstrap$1 = async ({ strapi: strapi2 }) => {
   strapi2.log.info("[magic-sessionmanager] 🚀 Bootstrap starting...");
   try {
@@ -190,16 +253,23 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
             ctx.body = { message: "Logged out successfully" };
             return;
           }
-          const sessions = await strapi2.entityService.findMany("plugin::magic-sessionmanager.session", {
+          const allSessions = await strapi2.entityService.findMany("plugin::magic-sessionmanager.session", {
             filters: {
-              token,
               isActive: true
-            },
-            limit: 1
+            }
+          });
+          const matchingSession = allSessions.find((session2) => {
+            if (!session2.token) return false;
+            try {
+              const decrypted = decryptToken$2(session2.token);
+              return decrypted === token;
+            } catch (err) {
+              return false;
+            }
           });
-          if (sessions.length > 0) {
-            await sessionService.terminateSession({ sessionId: sessions[0].id });
-            strapi2.log.info(`[magic-sessionmanager] 🚪 Logout via /api/auth/logout - Session ${sessions[0].id} terminated`);
+          if (matchingSession) {
+            await sessionService.terminateSession({ sessionId: matchingSession.id });
+            strapi2.log.info(`[magic-sessionmanager] 🚪 Logout via /api/auth/logout - Session ${matchingSession.id} terminated`);
           }
           ctx.status = 200;
           ctx.body = { message: "Logged out successfully" };
@@ -387,6 +457,11 @@ const pluginOptions = {
   }
 };
 const attributes = {
+  sessionId: {
+    type: "string",
+    unique: true,
+    required: true
+  },
   user: {
     type: "relation",
     relation: "manyToOne",
@@ -643,6 +718,7 @@ var routes$1 = {
   admin,
   "content-api": contentApi
 };
+const { decryptToken: decryptToken$1 } = encryption;
 var session$3 = {
   /**
    * Get ALL sessions (active + inactive) - Admin only
@@ -722,13 +798,21 @@ var session$3 = {
       const sessions = await strapi.entityService.findMany("plugin::magic-sessionmanager.session", {
         filters: {
           user: { id: userId },
-          token,
           isActive: true
         }
       });
-      if (sessions.length > 0) {
-        await sessionService.terminateSession({ sessionId: sessions[0].id });
-        strapi.log.info(`[magic-sessionmanager] User ${userId} logged out (session ${sessions[0].id})`);
+      const matchingSession = sessions.find((session2) => {
+        if (!session2.token) return false;
+        try {
+          const decrypted = decryptToken$1(session2.token);
+          return decrypted === token;
+        } catch (err) {
+          return false;
+        }
+      });
+      if (matchingSession) {
+        await sessionService.terminateSession({ sessionId: matchingSession.id });
+        strapi.log.info(`[magic-sessionmanager] User ${userId} logged out (session ${matchingSession.id})`);
       }
       ctx.body = {
         message: "Logged out successfully"
@@ -1227,6 +1311,7 @@ var controllers$1 = {
   license,
   settings
 };
+const { encryptToken, decryptToken, generateSessionId } = encryption;
 var session$1 = ({ strapi: strapi2 }) => ({
   /**
    * Create a new session record
@@ -1236,6 +1321,8 @@ var session$1 = ({ strapi: strapi2 }) => ({
   async createSession({ userId, ip = "unknown", userAgent = "unknown", token }) {
     try {
       const now = /* @__PURE__ */ new Date();
+      const sessionId = generateSessionId(userId);
+      const encryptedToken = token ? encryptToken(token) : null;
       const session2 = await strapi2.entityService.create("plugin::magic-sessionmanager.session", {
         data: {
           user: userId,
@@ -1244,11 +1331,13 @@ var session$1 = ({ strapi: strapi2 }) => ({
           loginTime: now,
           lastActive: now,
           isActive: true,
-          token
-          // Store JWT for logout matching
+          token: encryptedToken,
+          // ✅ Encrypted JWT for security
+          sessionId
+          // ✅ Unique identifier
         }
       });
-      strapi2.log.info(`[magic-sessionmanager] ✅ Session ${session2.id} created for user ${userId}`);
+      strapi2.log.info(`[magic-sessionmanager] ✅ Session ${session2.id} (${sessionId}) created for user ${userId}`);
       return session2;
     } catch (err) {
       strapi2.log.error("[magic-sessionmanager] Error creating session:", err);

package/dist/server/index.mjs

@@ -83,6 +83,68 @@ const isPrivateIp = (ip) => {
   return false;
 };
 var getClientIp_1 = getClientIp$1;
+const crypto$1 = require$$0$1;
+const ALGORITHM = "aes-256-gcm";
+const IV_LENGTH = 16;
+function getEncryptionKey() {
+  const envKey = process.env.SESSION_ENCRYPTION_KEY;
+  if (envKey) {
+    const key2 = crypto$1.createHash("sha256").update(envKey).digest();
+    return key2;
+  }
+  const strapiKeys = process.env.APP_KEYS || process.env.API_TOKEN_SALT || "default-insecure-key";
+  const key = crypto$1.createHash("sha256").update(strapiKeys).digest();
+  console.warn("[magic-sessionmanager/encryption] ⚠️  No SESSION_ENCRYPTION_KEY found. Using fallback (not recommended for production).");
+  console.warn("[magic-sessionmanager/encryption] Set SESSION_ENCRYPTION_KEY in .env for better security.");
+  return key;
+}
+function encryptToken$2(token) {
+  if (!token) return null;
+  try {
+    const key = getEncryptionKey();
+    const iv = crypto$1.randomBytes(IV_LENGTH);
+    const cipher = crypto$1.createCipheriv(ALGORITHM, key, iv);
+    let encrypted = cipher.update(token, "utf8", "hex");
+    encrypted += cipher.final("hex");
+    const authTag = cipher.getAuthTag();
+    return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted}`;
+  } catch (err) {
+    console.error("[magic-sessionmanager/encryption] Encryption failed:", err);
+    throw new Error("Failed to encrypt token");
+  }
+}
+function decryptToken$3(encryptedToken) {
+  if (!encryptedToken) return null;
+  try {
+    const key = getEncryptionKey();
+    const parts = encryptedToken.split(":");
+    if (parts.length !== 3) {
+      throw new Error("Invalid encrypted token format");
+    }
+    const iv = Buffer.from(parts[0], "hex");
+    const authTag = Buffer.from(parts[1], "hex");
+    const encrypted = parts[2];
+    const decipher = crypto$1.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(encrypted, "hex", "utf8");
+    decrypted += decipher.final("utf8");
+    return decrypted;
+  } catch (err) {
+    console.error("[magic-sessionmanager/encryption] Decryption failed:", err);
+    return null;
+  }
+}
+function generateSessionId$1(userId) {
+  const timestamp = Date.now().toString(36);
+  const randomBytes = crypto$1.randomBytes(8).toString("hex");
+  const userHash = crypto$1.createHash("sha256").update(userId.toString()).digest("hex").substring(0, 8);
+  return `sess_${timestamp}_${userHash}_${randomBytes}`;
+}
+var encryption = {
+  encryptToken: encryptToken$2,
+  decryptToken: decryptToken$3,
+  generateSessionId: generateSessionId$1
+};
 var lastSeen = ({ strapi: strapi2, sessionService }) => {
   return async (ctx, next) => {
     if (ctx.state.user && ctx.state.user.id) {
@@ -119,6 +181,7 @@ var lastSeen = ({ strapi: strapi2, sessionService }) => {
   };
 };
 const getClientIp = getClientIp_1;
+const { encryptToken: encryptToken$1, decryptToken: decryptToken$2 } = encryption;
 var bootstrap$1 = async ({ strapi: strapi2 }) => {
   strapi2.log.info("[magic-sessionmanager] 🚀 Bootstrap starting...");
   try {
@@ -186,16 +249,23 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
             ctx.body = { message: "Logged out successfully" };
             return;
           }
-          const sessions = await strapi2.entityService.findMany("plugin::magic-sessionmanager.session", {
+          const allSessions = await strapi2.entityService.findMany("plugin::magic-sessionmanager.session", {
             filters: {
-              token,
               isActive: true
-            },
-            limit: 1
+            }
+          });
+          const matchingSession = allSessions.find((session2) => {
+            if (!session2.token) return false;
+            try {
+              const decrypted = decryptToken$2(session2.token);
+              return decrypted === token;
+            } catch (err) {
+              return false;
+            }
           });
-          if (sessions.length > 0) {
-            await sessionService.terminateSession({ sessionId: sessions[0].id });
-            strapi2.log.info(`[magic-sessionmanager] 🚪 Logout via /api/auth/logout - Session ${sessions[0].id} terminated`);
+          if (matchingSession) {
+            await sessionService.terminateSession({ sessionId: matchingSession.id });
+            strapi2.log.info(`[magic-sessionmanager] 🚪 Logout via /api/auth/logout - Session ${matchingSession.id} terminated`);
           }
           ctx.status = 200;
           ctx.body = { message: "Logged out successfully" };
@@ -383,6 +453,11 @@ const pluginOptions = {
   }
 };
 const attributes = {
+  sessionId: {
+    type: "string",
+    unique: true,
+    required: true
+  },
   user: {
     type: "relation",
     relation: "manyToOne",
@@ -639,6 +714,7 @@ var routes$1 = {
   admin,
   "content-api": contentApi
 };
+const { decryptToken: decryptToken$1 } = encryption;
 var session$3 = {
   /**
    * Get ALL sessions (active + inactive) - Admin only
@@ -718,13 +794,21 @@ var session$3 = {
       const sessions = await strapi.entityService.findMany("plugin::magic-sessionmanager.session", {
         filters: {
           user: { id: userId },
-          token,
           isActive: true
         }
       });
-      if (sessions.length > 0) {
-        await sessionService.terminateSession({ sessionId: sessions[0].id });
-        strapi.log.info(`[magic-sessionmanager] User ${userId} logged out (session ${sessions[0].id})`);
+      const matchingSession = sessions.find((session2) => {
+        if (!session2.token) return false;
+        try {
+          const decrypted = decryptToken$1(session2.token);
+          return decrypted === token;
+        } catch (err) {
+          return false;
+        }
+      });
+      if (matchingSession) {
+        await sessionService.terminateSession({ sessionId: matchingSession.id });
+        strapi.log.info(`[magic-sessionmanager] User ${userId} logged out (session ${matchingSession.id})`);
       }
       ctx.body = {
         message: "Logged out successfully"
@@ -1223,6 +1307,7 @@ var controllers$1 = {
   license,
   settings
 };
+const { encryptToken, decryptToken, generateSessionId } = encryption;
 var session$1 = ({ strapi: strapi2 }) => ({
   /**
    * Create a new session record
@@ -1232,6 +1317,8 @@ var session$1 = ({ strapi: strapi2 }) => ({
   async createSession({ userId, ip = "unknown", userAgent = "unknown", token }) {
     try {
       const now = /* @__PURE__ */ new Date();
+      const sessionId = generateSessionId(userId);
+      const encryptedToken = token ? encryptToken(token) : null;
       const session2 = await strapi2.entityService.create("plugin::magic-sessionmanager.session", {
         data: {
           user: userId,
@@ -1240,11 +1327,13 @@ var session$1 = ({ strapi: strapi2 }) => ({
           loginTime: now,
           lastActive: now,
           isActive: true,
-          token
-          // Store JWT for logout matching
+          token: encryptedToken,
+          // ✅ Encrypted JWT for security
+          sessionId
+          // ✅ Unique identifier
         }
       });
-      strapi2.log.info(`[magic-sessionmanager] ✅ Session ${session2.id} created for user ${userId}`);
+      strapi2.log.info(`[magic-sessionmanager] ✅ Session ${session2.id} (${sessionId}) created for user ${userId}`);
       return session2;
     } catch (err) {
       strapi2.log.error("[magic-sessionmanager] Error creating session:", err);

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "3.0.1",
+  "version": "3.1.0",
   "keywords": [
     "strapi",
     "strapi-plugin",

package/server/src/bootstrap.js

@@ -8,6 +8,7 @@
  */
 
 const getClientIp = require('./utils/getClientIp');
+const { encryptToken, decryptToken } = require('./utils/encryption');
 
 module.exports = async ({ strapi }) => {
   strapi.log.info('[magic-sessionmanager] 🚀 Bootstrap starting...');
@@ -101,18 +102,28 @@ module.exports = async ({ strapi }) => {
             return;
           }
 
-          // Find and terminate session by token
-          const sessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
+          // Find session by decrypting tokens and matching
+          // Since tokens are encrypted, we need to get all active sessions and check each one
+          const allSessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
             filters: {
-              token: token,
               isActive: true,
             },
-            limit: 1,
           });
 
-          if (sessions.length > 0) {
-            await sessionService.terminateSession({ sessionId: sessions[0].id });
-            strapi.log.info(`[magic-sessionmanager] 🚪 Logout via /api/auth/logout - Session ${sessions[0].id} terminated`);
+          // Find matching session by decrypting and comparing tokens
+          const matchingSession = allSessions.find(session => {
+            if (!session.token) return false;
+            try {
+              const decrypted = decryptToken(session.token);
+              return decrypted === token;
+            } catch (err) {
+              return false;
+            }
+          });
+
+          if (matchingSession) {
+            await sessionService.terminateSession({ sessionId: matchingSession.id });
+            strapi.log.info(`[magic-sessionmanager] 🚪 Logout via /api/auth/logout - Session ${matchingSession.id} terminated`);
           }
 
           ctx.status = 200;

package/server/src/content-types/session/schema.json

@@ -20,6 +20,11 @@
     }
   },
   "attributes": {
+    "sessionId": {
+      "type": "string",
+      "unique": true,
+      "required": true
+    },
     "user": {
       "type": "relation",
       "relation": "manyToOne",

package/server/src/controllers/session.js

@@ -1,5 +1,7 @@
 'use strict';
 
+const { decryptToken } = require('../utils/encryption');
+
 /**
  * Session Controller
  * Handles HTTP requests for session management
@@ -103,19 +105,29 @@ module.exports = {
         .plugin('magic-sessionmanager')
         .service('session');
 
-      // Find current session by token
+      // Find current session by decrypting and comparing tokens
       const sessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
         filters: {
           user: { id: userId },
-          token: token,
           isActive: true,
         },
       });
 
-      if (sessions.length > 0) {
+      // Find matching session by decrypting tokens
+      const matchingSession = sessions.find(session => {
+        if (!session.token) return false;
+        try {
+          const decrypted = decryptToken(session.token);
+          return decrypted === token;
+        } catch (err) {
+          return false;
+        }
+      });
+
+      if (matchingSession) {
         // Terminate only the current session
-        await sessionService.terminateSession({ sessionId: sessions[0].id });
-        strapi.log.info(`[magic-sessionmanager] User ${userId} logged out (session ${sessions[0].id})`);
+        await sessionService.terminateSession({ sessionId: matchingSession.id });
+        strapi.log.info(`[magic-sessionmanager] User ${userId} logged out (session ${matchingSession.id})`);
       }
 
       ctx.body = {

package/server/src/services/session.js

@@ -1,10 +1,14 @@
 'use strict';
 
+const { encryptToken, decryptToken, generateSessionId } = require('../utils/encryption');
+
 /**
  * Session Service
  * Uses plugin::magic-sessionmanager.session content type with relation to users
  * All session tracking happens in the Session collection
  *
+ * SECURITY: JWT tokens are encrypted before storing in database using AES-256-GCM
+ * 
  * TODO: For production multi-instance deployments, use Redis for:
  *   - Session store instead of DB
  *   - Rate limiting locks
@@ -20,6 +24,12 @@ module.exports = ({ strapi }) => ({
     try {
       const now = new Date();
       
+      // Generate unique session ID
+      const sessionId = generateSessionId(userId);
+      
+      // Encrypt JWT token before storing
+      const encryptedToken = token ? encryptToken(token) : null;
+      
       const session = await strapi.entityService.create('plugin::magic-sessionmanager.session', {
         data: {
           user: userId,
@@ -28,11 +38,12 @@ module.exports = ({ strapi }) => ({
           loginTime: now,
           lastActive: now,
           isActive: true,
-          token: token, // Store JWT for logout matching
+          token: encryptedToken, // ✅ Encrypted JWT for security
+          sessionId: sessionId,  // ✅ Unique identifier
         },
       });
 
-      strapi.log.info(`[magic-sessionmanager] ✅ Session ${session.id} created for user ${userId}`);
+      strapi.log.info(`[magic-sessionmanager] ✅ Session ${session.id} (${sessionId}) created for user ${userId}`);
 
       return session;
     } catch (err) {

package/server/src/utils/encryption.js

@@ -0,0 +1,121 @@
+'use strict';
+
+const crypto = require('crypto');
+
+/**
+ * JWT Encryption Utility
+ * Uses AES-256-GCM for secure token storage
+ * 
+ * SECURITY: Tokens are encrypted before storing in database
+ * This prevents exposure if database is compromised
+ */
+
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 16;
+const AUTH_TAG_LENGTH = 16;
+
+/**
+ * Get encryption key from environment or generate one
+ * IMPORTANT: Set SESSION_ENCRYPTION_KEY in .env for production!
+ */
+function getEncryptionKey() {
+  const envKey = process.env.SESSION_ENCRYPTION_KEY;
+  
+  if (envKey) {
+    // Use provided key (must be 32 bytes for AES-256)
+    const key = crypto.createHash('sha256').update(envKey).digest();
+    return key;
+  }
+  
+  // Fallback: Use Strapi's app keys (not recommended for production)
+  const strapiKeys = process.env.APP_KEYS || process.env.API_TOKEN_SALT || 'default-insecure-key';
+  const key = crypto.createHash('sha256').update(strapiKeys).digest();
+  
+  console.warn('[magic-sessionmanager/encryption] ⚠️  No SESSION_ENCRYPTION_KEY found. Using fallback (not recommended for production).');
+  console.warn('[magic-sessionmanager/encryption] Set SESSION_ENCRYPTION_KEY in .env for better security.');
+  
+  return key;
+}
+
+/**
+ * Encrypt JWT token before storing in database
+ * @param {string} token - JWT token to encrypt
+ * @returns {string} Encrypted token with IV and auth tag
+ */
+function encryptToken(token) {
+  if (!token) return null;
+  
+  try {
+    const key = getEncryptionKey();
+    const iv = crypto.randomBytes(IV_LENGTH);
+    
+    const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+    
+    let encrypted = cipher.update(token, 'utf8', 'hex');
+    encrypted += cipher.final('hex');
+    
+    const authTag = cipher.getAuthTag();
+    
+    // Format: iv:authTag:encryptedData
+    return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
+  } catch (err) {
+    console.error('[magic-sessionmanager/encryption] Encryption failed:', err);
+    throw new Error('Failed to encrypt token');
+  }
+}
+
+/**
+ * Decrypt JWT token from database
+ * @param {string} encryptedToken - Encrypted token from database
+ * @returns {string} Decrypted JWT token
+ */
+function decryptToken(encryptedToken) {
+  if (!encryptedToken) return null;
+  
+  try {
+    const key = getEncryptionKey();
+    
+    // Parse: iv:authTag:encryptedData
+    const parts = encryptedToken.split(':');
+    
+    if (parts.length !== 3) {
+      throw new Error('Invalid encrypted token format');
+    }
+    
+    const iv = Buffer.from(parts[0], 'hex');
+    const authTag = Buffer.from(parts[1], 'hex');
+    const encrypted = parts[2];
+    
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    
+    let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+    decrypted += decipher.final('utf8');
+    
+    return decrypted;
+  } catch (err) {
+    console.error('[magic-sessionmanager/encryption] Decryption failed:', err);
+    return null; // Return null if decryption fails (invalid/tampered token)
+  }
+}
+
+/**
+ * Generate unique session ID
+ * Combines timestamp + random bytes + user ID for uniqueness
+ * @param {number} userId - User ID
+ * @returns {string} Unique session identifier
+ */
+function generateSessionId(userId) {
+  const timestamp = Date.now().toString(36);
+  const randomBytes = crypto.randomBytes(8).toString('hex');
+  const userHash = crypto.createHash('sha256').update(userId.toString()).digest('hex').substring(0, 8);
+  
+  return `sess_${timestamp}_${userHash}_${randomBytes}`;
+}
+
+module.exports = {
+  encryptToken,
+  decryptToken,
+  generateSessionId,
+};
+