strapi-plugin-magic-sessionmanager 3.2.1 → 3.3.1

package/README.md

@@ -349,7 +349,7 @@ Log: "Cleaned up X inactive sessions"
 2. Inactivity timeout triggers cleanup
 3. Admin terminates the session
 
-#### Refresh Tokens ⚠️ **Critical Limitation**
+#### Refresh Tokens ✅ **SOLVED!**
 
 **What are Refresh Tokens?**
 Refresh tokens allow users to get new Access Tokens (JWTs) without re-entering credentials. This enables longer sessions:
@@ -360,85 +360,195 @@ Access Token expires after 30 min
 User still has Refresh Token
        ↓
 User requests new Access Token:
-POST /api/auth/refresh-token
+POST /api/auth/refresh
        ↓
 Strapi issues new JWT
        ↓
 User continues without re-login
 ```
 
-**The Problem:**
-- **Stored:** NO - Refresh tokens are NOT tracked by this plugin
-- **Reason:** Strapi v5 handles refresh tokens in `users-permissions` plugin
-- **Impact:** User can bypass session termination! ⚠️
+**The Solution (v3.2+):**
+- **Stored:** YES - Refresh tokens are encrypted and stored with sessions ✅
+- **Tracked:** YES - Middleware intercepts `/api/auth/refresh` requests ✅
+- **Validated:** YES - Checks if session is still active before issuing new tokens ✅
+
+**How It Works:**
 
-**Scenario:**
 ```
-Admin terminates user's session
+Login: User gets JWT + Refresh Token
+       ↓
+Both tokens encrypted and stored in session
+       ↓
+Admin terminates session
+       ↓
+Session: isActive = false ❌
        ↓
-Session Manager: isActive = false ❌
+User tries to refresh token:
+POST /api/auth/refresh
+{ refreshToken: "..." }
        ↓
-User's JWT still valid OR
-User has refresh token
+[Refresh Token Middleware]
        ↓
-User gets new JWT via refresh token
+Decrypt all active session refresh tokens
        ↓
-Plugin creates NEW session automatically! ⚠️
+Find matching session
        ↓
-User is "logged in" again despite termination
+Session found but isActive = false?
+  → BLOCK! Return 401 Unauthorized ❌
+  → Message: "Session terminated. Please login again."
+       ↓
+Session found and isActive = true?
+  → ALLOW! ✅
+  → Strapi issues new tokens
+  → Session updated with new encrypted tokens
 ```
 
-**Current Limitation:**
-This plugin **cannot prevent** users with valid refresh tokens from getting new JWTs. The session termination only affects the current JWT token.
+**Security Benefits:**
+
+✅ **Session termination is FINAL** - User cannot get new tokens  
+✅ **Refresh tokens tracked** - Encrypted & stored securely  
+✅ **Token rotation** - New tokens automatically updated in session  
+✅ **Admin control** - Force logout works even with refresh tokens  
+
+**Configuration:**
 
-**Workarounds:**
+Enable refresh tokens in Strapi:
 
-**Option 1: Disable Refresh Tokens (Strict Control)**
 ```typescript
 // src/config/plugins.ts
 export default () => ({
   'users-permissions': {
     config: {
-      jwt: {
-        expiresIn: '30m',
-        // Don't issue refresh tokens
+      jwtManagement: 'refresh',  // Enable refresh tokens
+      sessions: {
+        accessTokenLifespan: 3600,    // 1 hour (in seconds)
+        maxRefreshTokenLifespan: 2592000,  // 30 days
+        idleRefreshTokenLifespan: 604800,  // 7 days idle
       },
     },
   },
   'magic-sessionmanager': {
+    enabled: true,
     config: {
-      inactivityTimeout: 15 * 60 * 1000, // < JWT expiration
+      inactivityTimeout: 15 * 60 * 1000, // 15 minutes
     },
   },
 });
 ```
 
-**Option 2: Short Refresh Token Expiry**
-```typescript
-'users-permissions': {
-  config: {
-    jwt: {
-      expiresIn: '15m',        // Short Access Token
-      refreshExpiresIn: '30m', // Short Refresh Token
-    },
-  },
-}
+**Testing Refresh Token Blocking:**
+
+```bash
+# 1. Login and get tokens
+curl -X POST http://localhost:1337/api/auth/local \
+  -H "Content-Type: application/json" \
+  -d '{"identifier":"user@example.com","password":"pass"}' 
+
+# Save both tokens:
+ACCESS_TOKEN="eyJhbGci..."
+REFRESH_TOKEN="abc123..."
+
+# 2. Admin terminates session
+# Go to Admin → Sessions → Find session → Terminate
+
+# 3. Try to refresh token
+curl -X POST http://localhost:1337/api/auth/refresh \
+  -H "Content-Type: application/json" \
+  -d "{\"refreshToken\":\"$REFRESH_TOKEN\"}"
+
+# Expected: 401 Unauthorized
+# "Session terminated. Please login again."
 ```
 
-**Option 3: Accept the Limitation**
-Understand that:
-- Session termination stops the **current** JWT
-- Users with refresh tokens can get **new** JWTs
-- New JWTs create **new** sessions
-- Use session analytics to detect unusual patterns
+**This completely solves the refresh token security gap!** 🔒
 
-**Future Enhancement:**
-To fully block users, the plugin would need to:
-1. Track refresh tokens (complex)
-2. Hook into Strapi's token refresh endpoint
-3. Validate against active sessions before issuing new JWTs
+### Without Refresh Tokens (Default Behavior)
 
-This is planned for a future version.
+If you **don't enable** refresh tokens (`jwtManagement: 'refresh'`):
+
+```
+Login: User gets JWT (no refresh token)
+       ↓
+JWT stored in session (encrypted)
+       ↓
+JWT expires after 30 min (or configured time)
+       ↓
+User must re-login ❌
+       ↓
+No automatic token refresh
+```
+
+**Behavior:**
+- ✅ Session Manager works normally
+- ✅ Sessions tracked, logout works
+- ✅ Force logout works (no refresh token bypass possible)
+- ⚠️ Users must re-login when JWT expires
+- ℹ️ No refresh token middleware runs (skipped)
+
+**Logs when refresh tokens disabled:**
+```
+[magic-sessionmanager] ✅ Session created for user 1 (IP: 192.168.1.1)
+[magic-sessionmanager] ℹ️  No refresh token in response (JWT management not enabled)
+[magic-sessionmanager] ✅ Refresh Token interceptor middleware mounted
+```
+
+**If you try to call `/api/auth/refresh` without enabling it:**
+- Endpoint returns **404 Not Found** (Strapi doesn't create the route)
+- Or returns **401 Unauthorized** if route exists but tokens not configured
+- This is expected and correct behavior
+
+**Trade-offs:**
+
+| Feature | With Refresh Tokens | Without Refresh Tokens |
+|---------|---------------------|------------------------|
+| User Experience | ✅ Seamless (auto-refresh) | ⚠️ Must re-login |
+| Security | ✅ Tracked & blockable | ✅ No bypass risk |
+| Session Duration | Long (days/weeks) | Short (hours) |
+| Force Logout | ✅ Complete | ✅ Complete |
+
+**Recommendation:**
+
+**Enable refresh tokens** for better UX + use this plugin to secure them! 🔒
+
+**Testing in Postman:**
+
+```
+1. Login (get JWT + refreshToken)
+   POST /api/auth/local
+   → Save: jwt, refreshToken, session_id
+
+2. Refresh Token (should work)
+   POST /api/auth/refresh
+   Body: { "refreshToken": "..." }
+   → Returns: New jwt + refreshToken ✅
+
+3. Admin terminates session
+   POST /magic-sessionmanager/sessions/:id/terminate
+   
+4. Try refresh token again
+   POST /api/auth/refresh
+   Body: { "refreshToken": "..." }
+   → Returns: 401 Unauthorized ✅
+   → Message: "Session terminated. Please login again."
+```
+
+**Run Automated Test:**
+
+```bash
+cd /path/to/magic-sessionmanager
+
+# Set environment variables
+export TEST_USER_EMAIL=user@example.com
+export TEST_USER_PASSWORD=password123
+export ADMIN_EMAIL=admin@example.com
+export ADMIN_PASSWORD=adminpass
+
+# Run test suite
+node test-session-manager.js
+
+# Look for "USER TEST 5: Blocked Refresh Token Test"
+# Should show: ✅ Refresh token BLOCKED as expected!
+```
 
 ### Multi-Login Behavior
 

package/dist/server/index.js

@@ -350,8 +350,10 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
             userId: user.id,
             ip,
             userAgent,
-            token: ctx.body.jwt
-            // Store JWT token reference
+            token: ctx.body.jwt,
+            // Store Access Token (encrypted)
+            refreshToken: ctx.body.refreshToken
+            // Store Refresh Token (encrypted) if exists
           });
           strapi2.log.info(`[magic-sessionmanager] ✅ Session created for user ${user.id} (IP: ${ip})`);
           if (geoData && (config2.enableEmailAlerts || config2.enableWebhooks)) {
@@ -396,6 +398,84 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
       }
     });
     strapi2.log.info("[magic-sessionmanager] ✅ Login/Logout interceptor middleware mounted");
+    strapi2.server.use(async (ctx, next) => {
+      const isRefreshToken = ctx.path === "/api/auth/refresh" && ctx.method === "POST";
+      if (isRefreshToken) {
+        try {
+          const refreshToken = ctx.request.body?.refreshToken;
+          if (refreshToken) {
+            const allSessions = await strapi2.entityService.findMany("plugin::magic-sessionmanager.session", {
+              filters: {
+                isActive: true
+              }
+            });
+            const matchingSession = allSessions.find((session2) => {
+              if (!session2.refreshToken) return false;
+              try {
+                const decrypted = decryptToken$2(session2.refreshToken);
+                return decrypted === refreshToken;
+              } catch (err) {
+                return false;
+              }
+            });
+            if (!matchingSession) {
+              strapi2.log.warn("[magic-sessionmanager] 🚫 Blocked refresh token request - no active session");
+              ctx.status = 401;
+              ctx.body = {
+                error: {
+                  status: 401,
+                  message: "Session terminated. Please login again.",
+                  name: "UnauthorizedError"
+                }
+              };
+              return;
+            }
+            strapi2.log.info(`[magic-sessionmanager] ✅ Refresh token allowed for session ${matchingSession.id}`);
+          }
+        } catch (err) {
+          strapi2.log.error("[magic-sessionmanager] Error checking refresh token:", err);
+        }
+      }
+      await next();
+      if (isRefreshToken && ctx.status === 200 && ctx.body && ctx.body.jwt) {
+        try {
+          const oldRefreshToken = ctx.request.body?.refreshToken;
+          const newAccessToken = ctx.body.jwt;
+          const newRefreshToken = ctx.body.refreshToken;
+          if (oldRefreshToken) {
+            const allSessions = await strapi2.entityService.findMany("plugin::magic-sessionmanager.session", {
+              filters: {
+                isActive: true
+              }
+            });
+            const matchingSession = allSessions.find((session2) => {
+              if (!session2.refreshToken) return false;
+              try {
+                const decrypted = decryptToken$2(session2.refreshToken);
+                return decrypted === oldRefreshToken;
+              } catch (err) {
+                return false;
+              }
+            });
+            if (matchingSession) {
+              const encryptedToken = newAccessToken ? encryptToken$1(newAccessToken) : matchingSession.token;
+              const encryptedRefreshToken = newRefreshToken ? encryptToken$1(newRefreshToken) : matchingSession.refreshToken;
+              await strapi2.entityService.update("plugin::magic-sessionmanager.session", matchingSession.id, {
+                data: {
+                  token: encryptedToken,
+                  refreshToken: encryptedRefreshToken,
+                  lastActive: /* @__PURE__ */ new Date()
+                }
+              });
+              strapi2.log.info(`[magic-sessionmanager] 🔄 Tokens refreshed for session ${matchingSession.id}`);
+            }
+          }
+        } catch (err) {
+          strapi2.log.error("[magic-sessionmanager] Error updating refreshed tokens:", err);
+        }
+      }
+    });
+    strapi2.log.info("[magic-sessionmanager] ✅ Refresh Token interceptor middleware mounted");
     strapi2.server.use(
       lastSeen({ strapi: strapi2, sessionService })
     );
@@ -480,6 +560,10 @@ const attributes = {
     type: "text",
     "private": true
   },
+  refreshToken: {
+    type: "text",
+    "private": true
+  },
   loginTime: {
     type: "datetime",
     required: true
@@ -1317,14 +1401,15 @@ const { encryptToken, decryptToken, generateSessionId } = encryption;
 var session$1 = ({ strapi: strapi2 }) => ({
   /**
    * Create a new session record
-   * @param {Object} params - { userId, ip, userAgent, token }
+   * @param {Object} params - { userId, ip, userAgent, token, refreshToken }
    * @returns {Promise<Object>} Created session
    */
-  async createSession({ userId, ip = "unknown", userAgent = "unknown", token }) {
+  async createSession({ userId, ip = "unknown", userAgent = "unknown", token, refreshToken }) {
     try {
       const now = /* @__PURE__ */ new Date();
       const sessionId = generateSessionId(userId);
       const encryptedToken = token ? encryptToken(token) : null;
+      const encryptedRefreshToken = refreshToken ? encryptToken(refreshToken) : null;
       const session2 = await strapi2.entityService.create("plugin::magic-sessionmanager.session", {
         data: {
           user: userId,
@@ -1334,7 +1419,9 @@ var session$1 = ({ strapi: strapi2 }) => ({
           lastActive: now,
           isActive: true,
           token: encryptedToken,
-          // ✅ Encrypted JWT for security
+          // ✅ Encrypted Access Token
+          refreshToken: encryptedRefreshToken,
+          // ✅ Encrypted Refresh Token
           sessionId
           // ✅ Unique identifier
         }

package/dist/server/index.mjs

@@ -346,8 +346,10 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
             userId: user.id,
             ip,
             userAgent,
-            token: ctx.body.jwt
-            // Store JWT token reference
+            token: ctx.body.jwt,
+            // Store Access Token (encrypted)
+            refreshToken: ctx.body.refreshToken
+            // Store Refresh Token (encrypted) if exists
           });
           strapi2.log.info(`[magic-sessionmanager] ✅ Session created for user ${user.id} (IP: ${ip})`);
           if (geoData && (config2.enableEmailAlerts || config2.enableWebhooks)) {
@@ -392,6 +394,84 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
       }
     });
     strapi2.log.info("[magic-sessionmanager] ✅ Login/Logout interceptor middleware mounted");
+    strapi2.server.use(async (ctx, next) => {
+      const isRefreshToken = ctx.path === "/api/auth/refresh" && ctx.method === "POST";
+      if (isRefreshToken) {
+        try {
+          const refreshToken = ctx.request.body?.refreshToken;
+          if (refreshToken) {
+            const allSessions = await strapi2.entityService.findMany("plugin::magic-sessionmanager.session", {
+              filters: {
+                isActive: true
+              }
+            });
+            const matchingSession = allSessions.find((session2) => {
+              if (!session2.refreshToken) return false;
+              try {
+                const decrypted = decryptToken$2(session2.refreshToken);
+                return decrypted === refreshToken;
+              } catch (err) {
+                return false;
+              }
+            });
+            if (!matchingSession) {
+              strapi2.log.warn("[magic-sessionmanager] 🚫 Blocked refresh token request - no active session");
+              ctx.status = 401;
+              ctx.body = {
+                error: {
+                  status: 401,
+                  message: "Session terminated. Please login again.",
+                  name: "UnauthorizedError"
+                }
+              };
+              return;
+            }
+            strapi2.log.info(`[magic-sessionmanager] ✅ Refresh token allowed for session ${matchingSession.id}`);
+          }
+        } catch (err) {
+          strapi2.log.error("[magic-sessionmanager] Error checking refresh token:", err);
+        }
+      }
+      await next();
+      if (isRefreshToken && ctx.status === 200 && ctx.body && ctx.body.jwt) {
+        try {
+          const oldRefreshToken = ctx.request.body?.refreshToken;
+          const newAccessToken = ctx.body.jwt;
+          const newRefreshToken = ctx.body.refreshToken;
+          if (oldRefreshToken) {
+            const allSessions = await strapi2.entityService.findMany("plugin::magic-sessionmanager.session", {
+              filters: {
+                isActive: true
+              }
+            });
+            const matchingSession = allSessions.find((session2) => {
+              if (!session2.refreshToken) return false;
+              try {
+                const decrypted = decryptToken$2(session2.refreshToken);
+                return decrypted === oldRefreshToken;
+              } catch (err) {
+                return false;
+              }
+            });
+            if (matchingSession) {
+              const encryptedToken = newAccessToken ? encryptToken$1(newAccessToken) : matchingSession.token;
+              const encryptedRefreshToken = newRefreshToken ? encryptToken$1(newRefreshToken) : matchingSession.refreshToken;
+              await strapi2.entityService.update("plugin::magic-sessionmanager.session", matchingSession.id, {
+                data: {
+                  token: encryptedToken,
+                  refreshToken: encryptedRefreshToken,
+                  lastActive: /* @__PURE__ */ new Date()
+                }
+              });
+              strapi2.log.info(`[magic-sessionmanager] 🔄 Tokens refreshed for session ${matchingSession.id}`);
+            }
+          }
+        } catch (err) {
+          strapi2.log.error("[magic-sessionmanager] Error updating refreshed tokens:", err);
+        }
+      }
+    });
+    strapi2.log.info("[magic-sessionmanager] ✅ Refresh Token interceptor middleware mounted");
     strapi2.server.use(
       lastSeen({ strapi: strapi2, sessionService })
     );
@@ -476,6 +556,10 @@ const attributes = {
     type: "text",
     "private": true
   },
+  refreshToken: {
+    type: "text",
+    "private": true
+  },
   loginTime: {
     type: "datetime",
     required: true
@@ -1313,14 +1397,15 @@ const { encryptToken, decryptToken, generateSessionId } = encryption;
 var session$1 = ({ strapi: strapi2 }) => ({
   /**
    * Create a new session record
-   * @param {Object} params - { userId, ip, userAgent, token }
+   * @param {Object} params - { userId, ip, userAgent, token, refreshToken }
    * @returns {Promise<Object>} Created session
    */
-  async createSession({ userId, ip = "unknown", userAgent = "unknown", token }) {
+  async createSession({ userId, ip = "unknown", userAgent = "unknown", token, refreshToken }) {
     try {
       const now = /* @__PURE__ */ new Date();
       const sessionId = generateSessionId(userId);
       const encryptedToken = token ? encryptToken(token) : null;
+      const encryptedRefreshToken = refreshToken ? encryptToken(refreshToken) : null;
       const session2 = await strapi2.entityService.create("plugin::magic-sessionmanager.session", {
         data: {
           user: userId,
@@ -1330,7 +1415,9 @@ var session$1 = ({ strapi: strapi2 }) => ({
           lastActive: now,
           isActive: true,
           token: encryptedToken,
-          // ✅ Encrypted JWT for security
+          // ✅ Encrypted Access Token
+          refreshToken: encryptedRefreshToken,
+          // ✅ Encrypted Refresh Token
           sessionId
           // ✅ Unique identifier
         }

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "3.2.1",
+  "version": "3.3.1",
   "keywords": [
     "strapi",
     "strapi-plugin",

package/server/src/bootstrap.js

@@ -235,7 +235,8 @@ module.exports = async ({ strapi }) => {
             userId: user.id,
             ip,
             userAgent,
-            token: ctx.body.jwt, // Store JWT token reference
+            token: ctx.body.jwt,              // Store Access Token (encrypted)
+            refreshToken: ctx.body.refreshToken, // Store Refresh Token (encrypted) if exists
           });
           
           strapi.log.info(`[magic-sessionmanager] ✅ Session created for user ${user.id} (IP: ${ip})`);
@@ -293,6 +294,107 @@ module.exports = async ({ strapi }) => {
 
     strapi.log.info('[magic-sessionmanager] ✅ Login/Logout interceptor middleware mounted');
 
+    // Middleware to block refresh token requests for terminated sessions
+    strapi.server.use(async (ctx, next) => {
+      // Check if this is a refresh token request (Strapi v5: /api/auth/refresh)
+      const isRefreshToken = ctx.path === '/api/auth/refresh' && ctx.method === 'POST';
+      
+      if (isRefreshToken) {
+        try {
+          const refreshToken = ctx.request.body?.refreshToken;
+          
+          if (refreshToken) {
+            // Find session with this refresh token
+            const allSessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
+              filters: {
+                isActive: true,
+              },
+            });
+
+            // Find matching session by decrypting and comparing refresh tokens
+            const matchingSession = allSessions.find(session => {
+              if (!session.refreshToken) return false;
+              try {
+                const decrypted = decryptToken(session.refreshToken);
+                return decrypted === refreshToken;
+              } catch (err) {
+                return false;
+              }
+            });
+
+            if (!matchingSession) {
+              // No active session with this refresh token → Block!
+              strapi.log.warn('[magic-sessionmanager] 🚫 Blocked refresh token request - no active session');
+              ctx.status = 401;
+              ctx.body = {
+                error: {
+                  status: 401,
+                  message: 'Session terminated. Please login again.',
+                  name: 'UnauthorizedError'
+                }
+              };
+              return; // Don't continue
+            }
+            
+            strapi.log.info(`[magic-sessionmanager] ✅ Refresh token allowed for session ${matchingSession.id}`);
+          }
+        } catch (err) {
+          strapi.log.error('[magic-sessionmanager] Error checking refresh token:', err);
+          // On error, allow request to continue (fail-open for availability)
+        }
+      }
+      
+      // Continue with request
+      await next();
+      
+      // AFTER: If refresh token response was successful, update session with new tokens
+      if (isRefreshToken && ctx.status === 200 && ctx.body && ctx.body.jwt) {
+        try {
+          const oldRefreshToken = ctx.request.body?.refreshToken;
+          const newAccessToken = ctx.body.jwt;
+          const newRefreshToken = ctx.body.refreshToken;
+          
+          if (oldRefreshToken) {
+            // Find session and update with new tokens
+            const allSessions = await strapi.entityService.findMany('plugin::magic-sessionmanager.session', {
+              filters: {
+                isActive: true,
+              },
+            });
+
+            const matchingSession = allSessions.find(session => {
+              if (!session.refreshToken) return false;
+              try {
+                const decrypted = decryptToken(session.refreshToken);
+                return decrypted === oldRefreshToken;
+              } catch (err) {
+                return false;
+              }
+            });
+
+            if (matchingSession) {
+              const encryptedToken = newAccessToken ? encryptToken(newAccessToken) : matchingSession.token;
+              const encryptedRefreshToken = newRefreshToken ? encryptToken(newRefreshToken) : matchingSession.refreshToken;
+              
+              await strapi.entityService.update('plugin::magic-sessionmanager.session', matchingSession.id, {
+                data: {
+                  token: encryptedToken,
+                  refreshToken: encryptedRefreshToken,
+                  lastActive: new Date(),
+                },
+              });
+              
+              strapi.log.info(`[magic-sessionmanager] 🔄 Tokens refreshed for session ${matchingSession.id}`);
+            }
+          }
+        } catch (err) {
+          strapi.log.error('[magic-sessionmanager] Error updating refreshed tokens:', err);
+        }
+      }
+    });
+
+    strapi.log.info('[magic-sessionmanager] ✅ Refresh Token interceptor middleware mounted');
+
     // Mount lastSeen update middleware
     strapi.server.use(
       require('./middlewares/last-seen')({ strapi, sessionService })

package/server/src/content-types/session/schema.json

@@ -43,6 +43,10 @@
       "type": "text",
       "private": true
     },
+    "refreshToken": {
+      "type": "text",
+      "private": true
+    },
     "loginTime": {
       "type": "datetime",
       "required": true

package/server/src/services/session.js

@@ -17,18 +17,19 @@ const { encryptToken, decryptToken, generateSessionId } = require('../utils/encr
 module.exports = ({ strapi }) => ({
   /**
    * Create a new session record
-   * @param {Object} params - { userId, ip, userAgent, token }
+   * @param {Object} params - { userId, ip, userAgent, token, refreshToken }
    * @returns {Promise<Object>} Created session
    */
-  async createSession({ userId, ip = 'unknown', userAgent = 'unknown', token }) {
+  async createSession({ userId, ip = 'unknown', userAgent = 'unknown', token, refreshToken }) {
     try {
       const now = new Date();
       
       // Generate unique session ID
       const sessionId = generateSessionId(userId);
       
-      // Encrypt JWT token before storing
+      // Encrypt JWT tokens before storing (both access and refresh)
       const encryptedToken = token ? encryptToken(token) : null;
+      const encryptedRefreshToken = refreshToken ? encryptToken(refreshToken) : null;
       
       const session = await strapi.entityService.create('plugin::magic-sessionmanager.session', {
         data: {
@@ -38,8 +39,9 @@ module.exports = ({ strapi }) => ({
           loginTime: now,
           lastActive: now,
           isActive: true,
-          token: encryptedToken, // ✅ Encrypted JWT for security
-          sessionId: sessionId,  // ✅ Unique identifier
+          token: encryptedToken,              // ✅ Encrypted Access Token
+          refreshToken: encryptedRefreshToken, // ✅ Encrypted Refresh Token
+          sessionId: sessionId,                // ✅ Unique identifier
         },
       });