npm - strapi-plugin-magic-sessionmanager - Versions diffs - 3.3.0 → 3.3.2 - Mend

strapi-plugin-magic-sessionmanager 3.3.0 → 3.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -360,7 +360,7 @@ Access Token expires after 30 min
 User still has Refresh Token
        ↓
 User requests new Access Token:
-POST /api/auth/refresh-token
+POST /api/auth/refresh
        ↓
 Strapi issues new JWT
        ↓
@@ -369,7 +369,7 @@ User continues without re-login
 **The Solution (v3.2+):**
 - **Stored:** YES - Refresh tokens are encrypted and stored with sessions ✅
-- **Tracked:** YES - Middleware intercepts `/api/auth/refresh-token` requests ✅
+- **Tracked:** YES - Middleware intercepts `/api/auth/refresh` requests ✅
 - **Validated:** YES - Checks if session is still active before issuing new tokens ✅
 **How It Works:**
@@ -384,7 +384,7 @@ Admin terminates session
 Session: isActive = false ❌
        ↓
 User tries to refresh token:
-POST /api/auth/refresh-token
+POST /api/auth/refresh
 { refreshToken: "..." }
        ↓
 [Refresh Token Middleware]
@@ -452,7 +452,7 @@ REFRESH_TOKEN="abc123..."
 # Go to Admin → Sessions → Find session → Terminate
 # 3. Try to refresh token
-curl -X POST http://localhost:1337/api/auth/refresh-token \
+curl -X POST http://localhost:1337/api/auth/refresh \
   -H "Content-Type: application/json" \
   -d "{\"refreshToken\":\"$REFRESH_TOKEN\"}"
@@ -462,6 +462,106 @@ curl -X POST http://localhost:1337/api/auth/refresh-token \
 **This completely solves the refresh token security gap!** 🔒
+### Without Refresh Tokens (Default Behavior)
+If you **don't enable** refresh tokens (`jwtManagement: 'refresh'`):
+```
+Login: User gets JWT (no refresh token)
+       ↓
+JWT stored in session (encrypted)
+       ↓
+JWT expires after 30 min (or configured time)
+       ↓
+User must re-login ❌
+       ↓
+No automatic token refresh
+```
+**Behavior:**
+- ✅ Session Manager works normally
+- ✅ Sessions tracked, logout works
+- ✅ Force logout works (no refresh token bypass possible)
+- ⚠️ Users must re-login when JWT expires
+- ℹ️ No refresh token middleware runs (skipped)
+**Logs when refresh tokens disabled:**
+```
+[magic-sessionmanager] ✅ Session created for user 1 (IP: 192.168.1.1)
+[magic-sessionmanager] ℹ️  No refresh token in response (JWT management not enabled)
+[magic-sessionmanager] ✅ Refresh Token interceptor middleware mounted
+```
+**If you try to call `/api/auth/refresh` without enabling it:**
+- Endpoint returns **404 Not Found** (Strapi doesn't create the route)
+- Or returns **401 Unauthorized** if route exists but tokens not configured
+- This is expected and correct behavior
+**Trade-offs:**
+| Feature | With Refresh Tokens | Without Refresh Tokens |
+|---------|---------------------|------------------------|
+| User Experience | ✅ Seamless (auto-refresh) | ⚠️ Must re-login |
+| Security | ✅ Tracked & blockable | ✅ No bypass risk |
+| Session Duration | Long (days/weeks) | Short (hours) |
+| Force Logout | ✅ Complete | ✅ Complete |
+**Recommendation:**
+**Enable refresh tokens** for better UX + use this plugin to secure them! 🔒
+**Testing in Postman:**
+```
+1. Login (get JWT + refreshToken)
+   POST /api/auth/local
+   → Save: jwt, refreshToken, session_id
+2. Refresh Token (should work)
+   POST /api/auth/refresh
+   Body: { "refreshToken": "..." }
+   → Returns: New jwt + refreshToken ✅
+3. Admin terminates session
+   POST /magic-sessionmanager/sessions/:id/terminate
+4. Try refresh token again
+   POST /api/auth/refresh
+   Body: { "refreshToken": "..." }
+   → Returns: 401 Unauthorized ✅
+   → Message: "Session terminated. Please login again."
+```
+**Run Automated Test:**
+```bash
+cd /path/to/magic-sessionmanager
+# Set environment variables
+export TEST_USER_EMAIL=user@example.com
+export TEST_USER_PASSWORD=password123
+export ADMIN_EMAIL=admin@example.com
+export ADMIN_PASSWORD=adminpass
+# Run test suite
+node test-session-manager.js
+# Look for "USER TEST 5: Blocked Refresh Token Test"
+# Should show: ✅ Refresh token BLOCKED as expected!
+# Note: Tests include delays to avoid rate limiting
+# Total runtime: ~45-60 seconds (includes 8s pause before refresh token test)
+```
+**Troubleshooting Tests:**
+If you get "Too many requests":
+- Tests include 1-5 second delays between requests (8s before final test)
+- Strapi may have aggressive rate limiting enabled
+- **Wait 3-5 minutes** and run tests again
+- Or disable rate limiting in Strapi config temporarily for testing
+- Or run individual tests instead of full suite
 ### Multi-Login Behavior
 **Strapi Default:** Allows multiple simultaneous logins

package/dist/server/index.js CHANGED Viewed

@@ -399,7 +399,7 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
     });
     strapi2.log.info("[magic-sessionmanager] ✅ Login/Logout interceptor middleware mounted");
     strapi2.server.use(async (ctx, next) => {
-      const isRefreshToken = ctx.path === "/api/auth/refresh-token" && ctx.method === "POST";
+      const isRefreshToken = ctx.path === "/api/auth/refresh" && ctx.method === "POST";
       if (isRefreshToken) {
         try {
           const refreshToken = ctx.request.body?.refreshToken;

package/dist/server/index.mjs CHANGED Viewed

@@ -395,7 +395,7 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
     });
     strapi2.log.info("[magic-sessionmanager] ✅ Login/Logout interceptor middleware mounted");
     strapi2.server.use(async (ctx, next) => {
-      const isRefreshToken = ctx.path === "/api/auth/refresh-token" && ctx.method === "POST";
+      const isRefreshToken = ctx.path === "/api/auth/refresh" && ctx.method === "POST";
       if (isRefreshToken) {
         try {
           const refreshToken = ctx.request.body?.refreshToken;

package/package.json CHANGED Viewed

@@ -1,5 +1,5 @@
 {
-  "version": "3.3.0",
+  "version": "3.3.2",
   "keywords": [
     "strapi",
     "strapi-plugin",

package/server/src/bootstrap.js CHANGED Viewed

@@ -296,8 +296,8 @@ module.exports = async ({ strapi }) => {
     // Middleware to block refresh token requests for terminated sessions
     strapi.server.use(async (ctx, next) => {
-      // Check if this is a refresh token request
-      const isRefreshToken = ctx.path === '/api/auth/refresh-token' && ctx.method === 'POST';
+      // Check if this is a refresh token request (Strapi v5: /api/auth/refresh)
+      const isRefreshToken = ctx.path === '/api/auth/refresh' && ctx.method === 'POST';
       if (isRefreshToken) {
         try {