strapi-plugin-magic-sessionmanager 3.3.0 → 3.3.1

package/README.md

@@ -360,7 +360,7 @@ Access Token expires after 30 min
 User still has Refresh Token
        ↓
 User requests new Access Token:
-POST /api/auth/refresh-token
+POST /api/auth/refresh
        ↓
 Strapi issues new JWT
        ↓
@@ -369,7 +369,7 @@ User continues without re-login
 
 **The Solution (v3.2+):**
 - **Stored:** YES - Refresh tokens are encrypted and stored with sessions ✅
-- **Tracked:** YES - Middleware intercepts `/api/auth/refresh-token` requests ✅
+- **Tracked:** YES - Middleware intercepts `/api/auth/refresh` requests ✅
 - **Validated:** YES - Checks if session is still active before issuing new tokens ✅
 
 **How It Works:**
@@ -384,7 +384,7 @@ Admin terminates session
 Session: isActive = false ❌
        ↓
 User tries to refresh token:
-POST /api/auth/refresh-token
+POST /api/auth/refresh
 { refreshToken: "..." }
        ↓
 [Refresh Token Middleware]
@@ -452,7 +452,7 @@ REFRESH_TOKEN="abc123..."
 # Go to Admin → Sessions → Find session → Terminate
 
 # 3. Try to refresh token
-curl -X POST http://localhost:1337/api/auth/refresh-token \
+curl -X POST http://localhost:1337/api/auth/refresh \
   -H "Content-Type: application/json" \
   -d "{\"refreshToken\":\"$REFRESH_TOKEN\"}"
 
@@ -462,6 +462,94 @@ curl -X POST http://localhost:1337/api/auth/refresh-token \
 
 **This completely solves the refresh token security gap!** 🔒
 
+### Without Refresh Tokens (Default Behavior)
+
+If you **don't enable** refresh tokens (`jwtManagement: 'refresh'`):
+
+```
+Login: User gets JWT (no refresh token)
+       ↓
+JWT stored in session (encrypted)
+       ↓
+JWT expires after 30 min (or configured time)
+       ↓
+User must re-login ❌
+       ↓
+No automatic token refresh
+```
+
+**Behavior:**
+- ✅ Session Manager works normally
+- ✅ Sessions tracked, logout works
+- ✅ Force logout works (no refresh token bypass possible)
+- ⚠️ Users must re-login when JWT expires
+- ℹ️ No refresh token middleware runs (skipped)
+
+**Logs when refresh tokens disabled:**
+```
+[magic-sessionmanager] ✅ Session created for user 1 (IP: 192.168.1.1)
+[magic-sessionmanager] ℹ️  No refresh token in response (JWT management not enabled)
+[magic-sessionmanager] ✅ Refresh Token interceptor middleware mounted
+```
+
+**If you try to call `/api/auth/refresh` without enabling it:**
+- Endpoint returns **404 Not Found** (Strapi doesn't create the route)
+- Or returns **401 Unauthorized** if route exists but tokens not configured
+- This is expected and correct behavior
+
+**Trade-offs:**
+
+| Feature | With Refresh Tokens | Without Refresh Tokens |
+|---------|---------------------|------------------------|
+| User Experience | ✅ Seamless (auto-refresh) | ⚠️ Must re-login |
+| Security | ✅ Tracked & blockable | ✅ No bypass risk |
+| Session Duration | Long (days/weeks) | Short (hours) |
+| Force Logout | ✅ Complete | ✅ Complete |
+
+**Recommendation:**
+
+**Enable refresh tokens** for better UX + use this plugin to secure them! 🔒
+
+**Testing in Postman:**
+
+```
+1. Login (get JWT + refreshToken)
+   POST /api/auth/local
+   → Save: jwt, refreshToken, session_id
+
+2. Refresh Token (should work)
+   POST /api/auth/refresh
+   Body: { "refreshToken": "..." }
+   → Returns: New jwt + refreshToken ✅
+
+3. Admin terminates session
+   POST /magic-sessionmanager/sessions/:id/terminate
+   
+4. Try refresh token again
+   POST /api/auth/refresh
+   Body: { "refreshToken": "..." }
+   → Returns: 401 Unauthorized ✅
+   → Message: "Session terminated. Please login again."
+```
+
+**Run Automated Test:**
+
+```bash
+cd /path/to/magic-sessionmanager
+
+# Set environment variables
+export TEST_USER_EMAIL=user@example.com
+export TEST_USER_PASSWORD=password123
+export ADMIN_EMAIL=admin@example.com
+export ADMIN_PASSWORD=adminpass
+
+# Run test suite
+node test-session-manager.js
+
+# Look for "USER TEST 5: Blocked Refresh Token Test"
+# Should show: ✅ Refresh token BLOCKED as expected!
+```
+
 ### Multi-Login Behavior
 
 **Strapi Default:** Allows multiple simultaneous logins

package/dist/server/index.js

@@ -399,7 +399,7 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
     });
     strapi2.log.info("[magic-sessionmanager] ✅ Login/Logout interceptor middleware mounted");
     strapi2.server.use(async (ctx, next) => {
-      const isRefreshToken = ctx.path === "/api/auth/refresh-token" && ctx.method === "POST";
+      const isRefreshToken = ctx.path === "/api/auth/refresh" && ctx.method === "POST";
       if (isRefreshToken) {
         try {
           const refreshToken = ctx.request.body?.refreshToken;

package/dist/server/index.mjs

@@ -395,7 +395,7 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
     });
     strapi2.log.info("[magic-sessionmanager] ✅ Login/Logout interceptor middleware mounted");
     strapi2.server.use(async (ctx, next) => {
-      const isRefreshToken = ctx.path === "/api/auth/refresh-token" && ctx.method === "POST";
+      const isRefreshToken = ctx.path === "/api/auth/refresh" && ctx.method === "POST";
       if (isRefreshToken) {
         try {
           const refreshToken = ctx.request.body?.refreshToken;

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "3.3.0",
+  "version": "3.3.1",
   "keywords": [
     "strapi",
     "strapi-plugin",

package/server/src/bootstrap.js

@@ -296,8 +296,8 @@ module.exports = async ({ strapi }) => {
 
     // Middleware to block refresh token requests for terminated sessions
     strapi.server.use(async (ctx, next) => {
-      // Check if this is a refresh token request
-      const isRefreshToken = ctx.path === '/api/auth/refresh-token' && ctx.method === 'POST';
+      // Check if this is a refresh token request (Strapi v5: /api/auth/refresh)
+      const isRefreshToken = ctx.path === '/api/auth/refresh' && ctx.method === 'POST';
       
       if (isRefreshToken) {
         try {