npm - strapi-plugin-magic-sessionmanager - Versions diffs - 3.0.2 → 3.2.0 - Mend

strapi-plugin-magic-sessionmanager 3.0.2 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/server/src/bootstrap.js CHANGED Viewed

@@ -8,6 +8,7 @@
  */
 const getClientIp = require('./utils/getClientIp');
+const { encryptToken, decryptToken } = require('./utils/encryption');
 module.exports = async ({ strapi }) => {
   strapi.log.info('[magic-sessionmanager] 🚀 Bootstrap starting...');
@@ -101,18 +102,28 @@ module.exports = async ({ strapi }) => {
             return;
           }
-          // Find and terminate session by token
-          const sessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
+          // Find session by decrypting tokens and matching
+          // Since tokens are encrypted, we need to get all active sessions and check each one
+          const allSessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
             filters: {
-              token: token,
               isActive: true,
             },
-            limit: 1,
           });
-          if (sessions.length > 0) {
-            await sessionService.terminateSession({ sessionId: sessions[0].id });
-            strapi.log.info(`[magic-sessionmanager] 🚪 Logout via /api/auth/logout - Session ${sessions[0].id} terminated`);
+          // Find matching session by decrypting and comparing tokens
+          const matchingSession = allSessions.find(session => {
+            if (!session.token) return false;
+            try {
+              const decrypted = decryptToken(session.token);
+              return decrypted === token;
+            } catch (err) {
+              return false;
+            }
+          });
+          if (matchingSession) {
+            await sessionService.terminateSession({ sessionId: matchingSession.id });
+            strapi.log.info(`[magic-sessionmanager] 🚪 Logout via /api/auth/logout - Session ${matchingSession.id} terminated`);
           }
           ctx.status = 200;

package/server/src/content-types/session/schema.json CHANGED Viewed

@@ -20,6 +20,11 @@
     }
   },
   "attributes": {
+    "sessionId": {
+      "type": "string",
+      "unique": true,
+      "required": true
+    },
     "user": {
       "type": "relation",
       "relation": "manyToOne",

package/server/src/controllers/session.js CHANGED Viewed

@@ -1,5 +1,7 @@
 'use strict';
+const { decryptToken } = require('../utils/encryption');
 /**
  * Session Controller
  * Handles HTTP requests for session management
@@ -103,19 +105,29 @@ module.exports = {
         .plugin('magic-sessionmanager')
         .service('session');
-      // Find current session by token
+      // Find current session by decrypting and comparing tokens
       const sessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
         filters: {
           user: { id: userId },
-          token: token,
           isActive: true,
         },
       });
-      if (sessions.length > 0) {
+      // Find matching session by decrypting tokens
+      const matchingSession = sessions.find(session => {
+        if (!session.token) return false;
+        try {
+          const decrypted = decryptToken(session.token);
+          return decrypted === token;
+        } catch (err) {
+          return false;
+        }
+      });
+      if (matchingSession) {
         // Terminate only the current session
-        await sessionService.terminateSession({ sessionId: sessions[0].id });
-        strapi.log.info(`[magic-sessionmanager] User ${userId} logged out (session ${sessions[0].id})`);
+        await sessionService.terminateSession({ sessionId: matchingSession.id });
+        strapi.log.info(`[magic-sessionmanager] User ${userId} logged out (session ${matchingSession.id})`);
       }
       ctx.body = {

package/server/src/services/session.js CHANGED Viewed

@@ -1,10 +1,14 @@
 'use strict';
+const { encryptToken, decryptToken, generateSessionId } = require('../utils/encryption');
 /**
  * Session Service
  * Uses plugin::magic-sessionmanager.session content type with relation to users
  * All session tracking happens in the Session collection
  *
+ * SECURITY: JWT tokens are encrypted before storing in database using AES-256-GCM
+ *
  * TODO: For production multi-instance deployments, use Redis for:
  *   - Session store instead of DB
  *   - Rate limiting locks
@@ -20,6 +24,12 @@ module.exports = ({ strapi }) => ({
     try {
       const now = new Date();
+      // Generate unique session ID
+      const sessionId = generateSessionId(userId);
+      // Encrypt JWT token before storing
+      const encryptedToken = token ? encryptToken(token) : null;
       const session = await strapi.entityService.create('plugin::magic-sessionmanager.session', {
         data: {
           user: userId,
@@ -28,11 +38,12 @@ module.exports = ({ strapi }) => ({
           loginTime: now,
           lastActive: now,
           isActive: true,
-          token: token, // Store JWT for logout matching
+          token: encryptedToken, // ✅ Encrypted JWT for security
+          sessionId: sessionId,  // ✅ Unique identifier
         },
       });
-      strapi.log.info(`[magic-sessionmanager] ✅ Session ${session.id} created for user ${userId}`);
+      strapi.log.info(`[magic-sessionmanager] ✅ Session ${session.id} (${sessionId}) created for user ${userId}`);
       return session;
     } catch (err) {

package/server/src/utils/encryption.js ADDED Viewed

@@ -0,0 +1,121 @@
+'use strict';
+const crypto = require('crypto');
+/**
+ * JWT Encryption Utility
+ * Uses AES-256-GCM for secure token storage
+ *
+ * SECURITY: Tokens are encrypted before storing in database
+ * This prevents exposure if database is compromised
+ */
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 16;
+const AUTH_TAG_LENGTH = 16;
+/**
+ * Get encryption key from environment or generate one
+ * IMPORTANT: Set SESSION_ENCRYPTION_KEY in .env for production!
+ */
+function getEncryptionKey() {
+  const envKey = process.env.SESSION_ENCRYPTION_KEY;
+  if (envKey) {
+    // Use provided key (must be 32 bytes for AES-256)
+    const key = crypto.createHash('sha256').update(envKey).digest();
+    return key;
+  }
+  // Fallback: Use Strapi's app keys (not recommended for production)
+  const strapiKeys = process.env.APP_KEYS || process.env.API_TOKEN_SALT || 'default-insecure-key';
+  const key = crypto.createHash('sha256').update(strapiKeys).digest();
+  console.warn('[magic-sessionmanager/encryption] ⚠️  No SESSION_ENCRYPTION_KEY found. Using fallback (not recommended for production).');
+  console.warn('[magic-sessionmanager/encryption] Set SESSION_ENCRYPTION_KEY in .env for better security.');
+  return key;
+}
+/**
+ * Encrypt JWT token before storing in database
+ * @param {string} token - JWT token to encrypt
+ * @returns {string} Encrypted token with IV and auth tag
+ */
+function encryptToken(token) {
+  if (!token) return null;
+  try {
+    const key = getEncryptionKey();
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+    let encrypted = cipher.update(token, 'utf8', 'hex');
+    encrypted += cipher.final('hex');
+    const authTag = cipher.getAuthTag();
+    // Format: iv:authTag:encryptedData
+    return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
+  } catch (err) {
+    console.error('[magic-sessionmanager/encryption] Encryption failed:', err);
+    throw new Error('Failed to encrypt token');
+  }
+}
+/**
+ * Decrypt JWT token from database
+ * @param {string} encryptedToken - Encrypted token from database
+ * @returns {string} Decrypted JWT token
+ */
+function decryptToken(encryptedToken) {
+  if (!encryptedToken) return null;
+  try {
+    const key = getEncryptionKey();
+    // Parse: iv:authTag:encryptedData
+    const parts = encryptedToken.split(':');
+    if (parts.length !== 3) {
+      throw new Error('Invalid encrypted token format');
+    }
+    const iv = Buffer.from(parts[0], 'hex');
+    const authTag = Buffer.from(parts[1], 'hex');
+    const encrypted = parts[2];
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+    decrypted += decipher.final('utf8');
+    return decrypted;
+  } catch (err) {
+    console.error('[magic-sessionmanager/encryption] Decryption failed:', err);
+    return null; // Return null if decryption fails (invalid/tampered token)
+  }
+}
+/**
+ * Generate unique session ID
+ * Combines timestamp + random bytes + user ID for uniqueness
+ * @param {number} userId - User ID
+ * @returns {string} Unique session identifier
+ */
+function generateSessionId(userId) {
+  const timestamp = Date.now().toString(36);
+  const randomBytes = crypto.randomBytes(8).toString('hex');
+  const userHash = crypto.createHash('sha256').update(userId.toString()).digest('hex').substring(0, 8);
+  return `sess_${timestamp}_${userHash}_${randomBytes}`;
+}
+module.exports = {
+  encryptToken,
+  decryptToken,
+  generateSessionId,
+};