strapi-plugin-magic-sessionmanager 3.2.1 → 3.3.0

package/README.md

@@ -349,7 +349,7 @@ Log: "Cleaned up X inactive sessions"
 2. Inactivity timeout triggers cleanup
 3. Admin terminates the session
 
-#### Refresh Tokens ⚠️ **Critical Limitation**
+#### Refresh Tokens ✅ **SOLVED!**
 
 **What are Refresh Tokens?**
 Refresh tokens allow users to get new Access Tokens (JWTs) without re-entering credentials. This enables longer sessions:
@@ -367,78 +367,100 @@ Strapi issues new JWT
 User continues without re-login
 ```
 
-**The Problem:**
-- **Stored:** NO - Refresh tokens are NOT tracked by this plugin
-- **Reason:** Strapi v5 handles refresh tokens in `users-permissions` plugin
-- **Impact:** User can bypass session termination! ⚠️
+**The Solution (v3.2+):**
+- **Stored:** YES - Refresh tokens are encrypted and stored with sessions ✅
+- **Tracked:** YES - Middleware intercepts `/api/auth/refresh-token` requests ✅
+- **Validated:** YES - Checks if session is still active before issuing new tokens ✅
+
+**How It Works:**
 
-**Scenario:**
 ```
-Admin terminates user's session
+Login: User gets JWT + Refresh Token
+       ↓
+Both tokens encrypted and stored in session
+       ↓
+Admin terminates session
+       ↓
+Session: isActive = false ❌
+       ↓
+User tries to refresh token:
+POST /api/auth/refresh-token
+{ refreshToken: "..." }
        ↓
-Session Manager: isActive = false ❌
+[Refresh Token Middleware]
        ↓
-User's JWT still valid OR
-User has refresh token
+Decrypt all active session refresh tokens
        ↓
-User gets new JWT via refresh token
+Find matching session
        ↓
-Plugin creates NEW session automatically! ⚠️
+Session found but isActive = false?
+  → BLOCK! Return 401 Unauthorized ❌
+  → Message: "Session terminated. Please login again."
        ↓
-User is "logged in" again despite termination
+Session found and isActive = true?
+  → ALLOW! ✅
+  → Strapi issues new tokens
+  → Session updated with new encrypted tokens
 ```
 
-**Current Limitation:**
-This plugin **cannot prevent** users with valid refresh tokens from getting new JWTs. The session termination only affects the current JWT token.
+**Security Benefits:**
 
-**Workarounds:**
+✅ **Session termination is FINAL** - User cannot get new tokens  
+✅ **Refresh tokens tracked** - Encrypted & stored securely  
+✅ **Token rotation** - New tokens automatically updated in session  
+✅ **Admin control** - Force logout works even with refresh tokens  
+
+**Configuration:**
+
+Enable refresh tokens in Strapi:
 
-**Option 1: Disable Refresh Tokens (Strict Control)**
 ```typescript
 // src/config/plugins.ts
 export default () => ({
   'users-permissions': {
     config: {
-      jwt: {
-        expiresIn: '30m',
-        // Don't issue refresh tokens
+      jwtManagement: 'refresh',  // Enable refresh tokens
+      sessions: {
+        accessTokenLifespan: 3600,    // 1 hour (in seconds)
+        maxRefreshTokenLifespan: 2592000,  // 30 days
+        idleRefreshTokenLifespan: 604800,  // 7 days idle
       },
     },
   },
   'magic-sessionmanager': {
+    enabled: true,
     config: {
-      inactivityTimeout: 15 * 60 * 1000, // < JWT expiration
+      inactivityTimeout: 15 * 60 * 1000, // 15 minutes
     },
   },
 });
 ```
 
-**Option 2: Short Refresh Token Expiry**
-```typescript
-'users-permissions': {
-  config: {
-    jwt: {
-      expiresIn: '15m',        // Short Access Token
-      refreshExpiresIn: '30m', // Short Refresh Token
-    },
-  },
-}
-```
+**Testing Refresh Token Blocking:**
 
-**Option 3: Accept the Limitation**
-Understand that:
-- Session termination stops the **current** JWT
-- Users with refresh tokens can get **new** JWTs
-- New JWTs create **new** sessions
-- Use session analytics to detect unusual patterns
+```bash
+# 1. Login and get tokens
+curl -X POST http://localhost:1337/api/auth/local \
+  -H "Content-Type: application/json" \
+  -d '{"identifier":"user@example.com","password":"pass"}' 
 
-**Future Enhancement:**
-To fully block users, the plugin would need to:
-1. Track refresh tokens (complex)
-2. Hook into Strapi's token refresh endpoint
-3. Validate against active sessions before issuing new JWTs
+# Save both tokens:
+ACCESS_TOKEN="eyJhbGci..."
+REFRESH_TOKEN="abc123..."
+
+# 2. Admin terminates session
+# Go to Admin → Sessions → Find session → Terminate
+
+# 3. Try to refresh token
+curl -X POST http://localhost:1337/api/auth/refresh-token \
+  -H "Content-Type: application/json" \
+  -d "{\"refreshToken\":\"$REFRESH_TOKEN\"}"
+
+# Expected: 401 Unauthorized
+# "Session terminated. Please login again."
+```
 
-This is planned for a future version.
+**This completely solves the refresh token security gap!** 🔒
 
 ### Multi-Login Behavior
 

package/dist/server/index.js

@@ -350,8 +350,10 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
             userId: user.id,
             ip,
             userAgent,
-            token: ctx.body.jwt
-            // Store JWT token reference
+            token: ctx.body.jwt,
+            // Store Access Token (encrypted)
+            refreshToken: ctx.body.refreshToken
+            // Store Refresh Token (encrypted) if exists
           });
           strapi2.log.info(`[magic-sessionmanager] ✅ Session created for user ${user.id} (IP: ${ip})`);
           if (geoData && (config2.enableEmailAlerts || config2.enableWebhooks)) {
@@ -396,6 +398,84 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
       }
     });
     strapi2.log.info("[magic-sessionmanager] ✅ Login/Logout interceptor middleware mounted");
+    strapi2.server.use(async (ctx, next) => {
+      const isRefreshToken = ctx.path === "/api/auth/refresh-token" && ctx.method === "POST";
+      if (isRefreshToken) {
+        try {
+          const refreshToken = ctx.request.body?.refreshToken;
+          if (refreshToken) {
+            const allSessions = await strapi2.entityService.findMany("plugin::magic-sessionmanager.session", {
+              filters: {
+                isActive: true
+              }
+            });
+            const matchingSession = allSessions.find((session2) => {
+              if (!session2.refreshToken) return false;
+              try {
+                const decrypted = decryptToken$2(session2.refreshToken);
+                return decrypted === refreshToken;
+              } catch (err) {
+                return false;
+              }
+            });
+            if (!matchingSession) {
+              strapi2.log.warn("[magic-sessionmanager] 🚫 Blocked refresh token request - no active session");
+              ctx.status = 401;
+              ctx.body = {
+                error: {
+                  status: 401,
+                  message: "Session terminated. Please login again.",
+                  name: "UnauthorizedError"
+                }
+              };
+              return;
+            }
+            strapi2.log.info(`[magic-sessionmanager] ✅ Refresh token allowed for session ${matchingSession.id}`);
+          }
+        } catch (err) {
+          strapi2.log.error("[magic-sessionmanager] Error checking refresh token:", err);
+        }
+      }
+      await next();
+      if (isRefreshToken && ctx.status === 200 && ctx.body && ctx.body.jwt) {
+        try {
+          const oldRefreshToken = ctx.request.body?.refreshToken;
+          const newAccessToken = ctx.body.jwt;
+          const newRefreshToken = ctx.body.refreshToken;
+          if (oldRefreshToken) {
+            const allSessions = await strapi2.entityService.findMany("plugin::magic-sessionmanager.session", {
+              filters: {
+                isActive: true
+              }
+            });
+            const matchingSession = allSessions.find((session2) => {
+              if (!session2.refreshToken) return false;
+              try {
+                const decrypted = decryptToken$2(session2.refreshToken);
+                return decrypted === oldRefreshToken;
+              } catch (err) {
+                return false;
+              }
+            });
+            if (matchingSession) {
+              const encryptedToken = newAccessToken ? encryptToken$1(newAccessToken) : matchingSession.token;
+              const encryptedRefreshToken = newRefreshToken ? encryptToken$1(newRefreshToken) : matchingSession.refreshToken;
+              await strapi2.entityService.update("plugin::magic-sessionmanager.session", matchingSession.id, {
+                data: {
+                  token: encryptedToken,
+                  refreshToken: encryptedRefreshToken,
+                  lastActive: /* @__PURE__ */ new Date()
+                }
+              });
+              strapi2.log.info(`[magic-sessionmanager] 🔄 Tokens refreshed for session ${matchingSession.id}`);
+            }
+          }
+        } catch (err) {
+          strapi2.log.error("[magic-sessionmanager] Error updating refreshed tokens:", err);
+        }
+      }
+    });
+    strapi2.log.info("[magic-sessionmanager] ✅ Refresh Token interceptor middleware mounted");
     strapi2.server.use(
       lastSeen({ strapi: strapi2, sessionService })
     );
@@ -480,6 +560,10 @@ const attributes = {
     type: "text",
     "private": true
   },
+  refreshToken: {
+    type: "text",
+    "private": true
+  },
   loginTime: {
     type: "datetime",
     required: true
@@ -1317,14 +1401,15 @@ const { encryptToken, decryptToken, generateSessionId } = encryption;
 var session$1 = ({ strapi: strapi2 }) => ({
   /**
    * Create a new session record
-   * @param {Object} params - { userId, ip, userAgent, token }
+   * @param {Object} params - { userId, ip, userAgent, token, refreshToken }
    * @returns {Promise<Object>} Created session
    */
-  async createSession({ userId, ip = "unknown", userAgent = "unknown", token }) {
+  async createSession({ userId, ip = "unknown", userAgent = "unknown", token, refreshToken }) {
     try {
       const now = /* @__PURE__ */ new Date();
       const sessionId = generateSessionId(userId);
       const encryptedToken = token ? encryptToken(token) : null;
+      const encryptedRefreshToken = refreshToken ? encryptToken(refreshToken) : null;
       const session2 = await strapi2.entityService.create("plugin::magic-sessionmanager.session", {
         data: {
           user: userId,
@@ -1334,7 +1419,9 @@ var session$1 = ({ strapi: strapi2 }) => ({
           lastActive: now,
           isActive: true,
           token: encryptedToken,
-          // ✅ Encrypted JWT for security
+          // ✅ Encrypted Access Token
+          refreshToken: encryptedRefreshToken,
+          // ✅ Encrypted Refresh Token
           sessionId
           // ✅ Unique identifier
         }

package/dist/server/index.mjs

@@ -346,8 +346,10 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
             userId: user.id,
             ip,
             userAgent,
-            token: ctx.body.jwt
-            // Store JWT token reference
+            token: ctx.body.jwt,
+            // Store Access Token (encrypted)
+            refreshToken: ctx.body.refreshToken
+            // Store Refresh Token (encrypted) if exists
           });
           strapi2.log.info(`[magic-sessionmanager] ✅ Session created for user ${user.id} (IP: ${ip})`);
           if (geoData && (config2.enableEmailAlerts || config2.enableWebhooks)) {
@@ -392,6 +394,84 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
       }
     });
     strapi2.log.info("[magic-sessionmanager] ✅ Login/Logout interceptor middleware mounted");
+    strapi2.server.use(async (ctx, next) => {
+      const isRefreshToken = ctx.path === "/api/auth/refresh-token" && ctx.method === "POST";
+      if (isRefreshToken) {
+        try {
+          const refreshToken = ctx.request.body?.refreshToken;
+          if (refreshToken) {
+            const allSessions = await strapi2.entityService.findMany("plugin::magic-sessionmanager.session", {
+              filters: {
+                isActive: true
+              }
+            });
+            const matchingSession = allSessions.find((session2) => {
+              if (!session2.refreshToken) return false;
+              try {
+                const decrypted = decryptToken$2(session2.refreshToken);
+                return decrypted === refreshToken;
+              } catch (err) {
+                return false;
+              }
+            });
+            if (!matchingSession) {
+              strapi2.log.warn("[magic-sessionmanager] 🚫 Blocked refresh token request - no active session");
+              ctx.status = 401;
+              ctx.body = {
+                error: {
+                  status: 401,
+                  message: "Session terminated. Please login again.",
+                  name: "UnauthorizedError"
+                }
+              };
+              return;
+            }
+            strapi2.log.info(`[magic-sessionmanager] ✅ Refresh token allowed for session ${matchingSession.id}`);
+          }
+        } catch (err) {
+          strapi2.log.error("[magic-sessionmanager] Error checking refresh token:", err);
+        }
+      }
+      await next();
+      if (isRefreshToken && ctx.status === 200 && ctx.body && ctx.body.jwt) {
+        try {
+          const oldRefreshToken = ctx.request.body?.refreshToken;
+          const newAccessToken = ctx.body.jwt;
+          const newRefreshToken = ctx.body.refreshToken;
+          if (oldRefreshToken) {
+            const allSessions = await strapi2.entityService.findMany("plugin::magic-sessionmanager.session", {
+              filters: {
+                isActive: true
+              }
+            });
+            const matchingSession = allSessions.find((session2) => {
+              if (!session2.refreshToken) return false;
+              try {
+                const decrypted = decryptToken$2(session2.refreshToken);
+                return decrypted === oldRefreshToken;
+              } catch (err) {
+                return false;
+              }
+            });
+            if (matchingSession) {
+              const encryptedToken = newAccessToken ? encryptToken$1(newAccessToken) : matchingSession.token;
+              const encryptedRefreshToken = newRefreshToken ? encryptToken$1(newRefreshToken) : matchingSession.refreshToken;
+              await strapi2.entityService.update("plugin::magic-sessionmanager.session", matchingSession.id, {
+                data: {
+                  token: encryptedToken,
+                  refreshToken: encryptedRefreshToken,
+                  lastActive: /* @__PURE__ */ new Date()
+                }
+              });
+              strapi2.log.info(`[magic-sessionmanager] 🔄 Tokens refreshed for session ${matchingSession.id}`);
+            }
+          }
+        } catch (err) {
+          strapi2.log.error("[magic-sessionmanager] Error updating refreshed tokens:", err);
+        }
+      }
+    });
+    strapi2.log.info("[magic-sessionmanager] ✅ Refresh Token interceptor middleware mounted");
     strapi2.server.use(
       lastSeen({ strapi: strapi2, sessionService })
     );
@@ -476,6 +556,10 @@ const attributes = {
     type: "text",
     "private": true
   },
+  refreshToken: {
+    type: "text",
+    "private": true
+  },
   loginTime: {
     type: "datetime",
     required: true
@@ -1313,14 +1397,15 @@ const { encryptToken, decryptToken, generateSessionId } = encryption;
 var session$1 = ({ strapi: strapi2 }) => ({
   /**
    * Create a new session record
-   * @param {Object} params - { userId, ip, userAgent, token }
+   * @param {Object} params - { userId, ip, userAgent, token, refreshToken }
    * @returns {Promise<Object>} Created session
    */
-  async createSession({ userId, ip = "unknown", userAgent = "unknown", token }) {
+  async createSession({ userId, ip = "unknown", userAgent = "unknown", token, refreshToken }) {
     try {
       const now = /* @__PURE__ */ new Date();
       const sessionId = generateSessionId(userId);
       const encryptedToken = token ? encryptToken(token) : null;
+      const encryptedRefreshToken = refreshToken ? encryptToken(refreshToken) : null;
       const session2 = await strapi2.entityService.create("plugin::magic-sessionmanager.session", {
         data: {
           user: userId,
@@ -1330,7 +1415,9 @@ var session$1 = ({ strapi: strapi2 }) => ({
           lastActive: now,
           isActive: true,
           token: encryptedToken,
-          // ✅ Encrypted JWT for security
+          // ✅ Encrypted Access Token
+          refreshToken: encryptedRefreshToken,
+          // ✅ Encrypted Refresh Token
           sessionId
           // ✅ Unique identifier
         }

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "3.2.1",
+  "version": "3.3.0",
   "keywords": [
     "strapi",
     "strapi-plugin",

package/server/src/bootstrap.js

@@ -235,7 +235,8 @@ module.exports = async ({ strapi }) => {
             userId: user.id,
             ip,
             userAgent,
-            token: ctx.body.jwt, // Store JWT token reference
+            token: ctx.body.jwt,              // Store Access Token (encrypted)
+            refreshToken: ctx.body.refreshToken, // Store Refresh Token (encrypted) if exists
           });
           
           strapi.log.info(`[magic-sessionmanager] ✅ Session created for user ${user.id} (IP: ${ip})`);
@@ -293,6 +294,107 @@ module.exports = async ({ strapi }) => {
 
     strapi.log.info('[magic-sessionmanager] ✅ Login/Logout interceptor middleware mounted');
 
+    // Middleware to block refresh token requests for terminated sessions
+    strapi.server.use(async (ctx, next) => {
+      // Check if this is a refresh token request
+      const isRefreshToken = ctx.path === '/api/auth/refresh-token' && ctx.method === 'POST';
+      
+      if (isRefreshToken) {
+        try {
+          const refreshToken = ctx.request.body?.refreshToken;
+          
+          if (refreshToken) {
+            // Find session with this refresh token
+            const allSessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
+              filters: {
+                isActive: true,
+              },
+            });
+
+            // Find matching session by decrypting and comparing refresh tokens
+            const matchingSession = allSessions.find(session => {
+              if (!session.refreshToken) return false;
+              try {
+                const decrypted = decryptToken(session.refreshToken);
+                return decrypted === refreshToken;
+              } catch (err) {
+                return false;
+              }
+            });
+
+            if (!matchingSession) {
+              // No active session with this refresh token → Block!
+              strapi.log.warn('[magic-sessionmanager] 🚫 Blocked refresh token request - no active session');
+              ctx.status = 401;
+              ctx.body = {
+                error: {
+                  status: 401,
+                  message: 'Session terminated. Please login again.',
+                  name: 'UnauthorizedError'
+                }
+              };
+              return; // Don't continue
+            }
+            
+            strapi.log.info(`[magic-sessionmanager] ✅ Refresh token allowed for session ${matchingSession.id}`);
+          }
+        } catch (err) {
+          strapi.log.error('[magic-sessionmanager] Error checking refresh token:', err);
+          // On error, allow request to continue (fail-open for availability)
+        }
+      }
+      
+      // Continue with request
+      await next();
+      
+      // AFTER: If refresh token response was successful, update session with new tokens
+      if (isRefreshToken && ctx.status === 200 && ctx.body && ctx.body.jwt) {
+        try {
+          const oldRefreshToken = ctx.request.body?.refreshToken;
+          const newAccessToken = ctx.body.jwt;
+          const newRefreshToken = ctx.body.refreshToken;
+          
+          if (oldRefreshToken) {
+            // Find session and update with new tokens
+            const allSessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
+              filters: {
+                isActive: true,
+              },
+            });
+
+            const matchingSession = allSessions.find(session => {
+              if (!session.refreshToken) return false;
+              try {
+                const decrypted = decryptToken(session.refreshToken);
+                return decrypted === oldRefreshToken;
+              } catch (err) {
+                return false;
+              }
+            });
+
+            if (matchingSession) {
+              const encryptedToken = newAccessToken ? encryptToken(newAccessToken) : matchingSession.token;
+              const encryptedRefreshToken = newRefreshToken ? encryptToken(newRefreshToken) : matchingSession.refreshToken;
+              
+              await strapi.entityService.update('plugin::magic-sessionmanager.session', matchingSession.id, {
+                data: {
+                  token: encryptedToken,
+                  refreshToken: encryptedRefreshToken,
+                  lastActive: new Date(),
+                },
+              });
+              
+              strapi.log.info(`[magic-sessionmanager] 🔄 Tokens refreshed for session ${matchingSession.id}`);
+            }
+          }
+        } catch (err) {
+          strapi.log.error('[magic-sessionmanager] Error updating refreshed tokens:', err);
+        }
+      }
+    });
+
+    strapi.log.info('[magic-sessionmanager] ✅ Refresh Token interceptor middleware mounted');
+
     // Mount lastSeen update middleware
     strapi.server.use(
       require('./middlewares/last-seen')({ strapi, sessionService })

package/server/src/content-types/session/schema.json

@@ -43,6 +43,10 @@
       "type": "text",
       "private": true
     },
+    "refreshToken": {
+      "type": "text",
+      "private": true
+    },
     "loginTime": {
       "type": "datetime",
       "required": true

package/server/src/services/session.js

@@ -17,18 +17,19 @@ const { encryptToken, decryptToken, generateSessionId } = require('../utils/encr
 module.exports = ({ strapi }) => ({
   /**
    * Create a new session record
-   * @param {Object} params - { userId, ip, userAgent, token }
+   * @param {Object} params - { userId, ip, userAgent, token, refreshToken }
    * @returns {Promise<Object>} Created session
    */
-  async createSession({ userId, ip = 'unknown', userAgent = 'unknown', token }) {
+  async createSession({ userId, ip = 'unknown', userAgent = 'unknown', token, refreshToken }) {
     try {
       const now = new Date();
       
       // Generate unique session ID
       const sessionId = generateSessionId(userId);
       
-      // Encrypt JWT token before storing
+      // Encrypt JWT tokens before storing (both access and refresh)
       const encryptedToken = token ? encryptToken(token) : null;
+      const encryptedRefreshToken = refreshToken ? encryptToken(refreshToken) : null;
       
       const session = await strapi.entityService.create('plugin::magic-sessionmanager.session', {
         data: {
@@ -38,8 +39,9 @@ module.exports = ({ strapi }) => ({
           loginTime: now,
           lastActive: now,
           isActive: true,
-          token: encryptedToken, // ✅ Encrypted JWT for security
-          sessionId: sessionId,  // ✅ Unique identifier
+          token: encryptedToken,              // ✅ Encrypted Access Token
+          refreshToken: encryptedRefreshToken, // ✅ Encrypted Refresh Token
+          sessionId: sessionId,                // ✅ Unique identifier
         },
       });