strapi-plugin-magic-sessionmanager 4.0.0 → 4.0.2

package/dist/server/index.mjs

@@ -148,9 +148,9 @@ var encryption = {
 const SESSION_UID$3 = "plugin::magic-sessionmanager.session";
 var lastSeen = ({ strapi: strapi2, sessionService }) => {
   return async (ctx, next) => {
-    if (ctx.state.user && ctx.state.user.id) {
+    if (ctx.state.user && ctx.state.user.documentId) {
       try {
-        const userId = ctx.state.user.id;
+        const userId = ctx.state.user.documentId;
         const activeSessions = await strapi2.documents(SESSION_UID$3).findMany({
           filters: {
             user: { documentId: userId },
@@ -167,9 +167,9 @@ var lastSeen = ({ strapi: strapi2, sessionService }) => {
       }
     }
     await next();
-    if (ctx.state.user && ctx.state.user.id) {
+    if (ctx.state.user && ctx.state.user.documentId) {
       try {
-        const userId = ctx.state.user.id;
+        const userId = ctx.state.user.documentId;
         const sessionId = ctx.state.sessionId;
         await sessionService.touch({
           userId,
@@ -184,6 +184,7 @@ var lastSeen = ({ strapi: strapi2, sessionService }) => {
 const getClientIp = getClientIp_1;
 const { encryptToken: encryptToken$1, decryptToken: decryptToken$2 } = encryption;
 const SESSION_UID$2 = "plugin::magic-sessionmanager.session";
+const USER_UID$2 = "plugin::users-permissions.user";
 var bootstrap$1 = async ({ strapi: strapi2 }) => {
   strapi2.log.info("[magic-sessionmanager] [START] Bootstrap starting...");
   try {
@@ -291,7 +292,7 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
           const user = ctx.body.user;
           const ip = getClientIp(ctx);
           const userAgent = ctx.request.headers?.["user-agent"] || ctx.request.header?.["user-agent"] || "unknown";
-          strapi2.log.info(`[magic-sessionmanager] [CHECK] Login detected! User: ${user.id} (${user.email || user.username}) from IP: ${ip}`);
+          strapi2.log.info(`[magic-sessionmanager] [CHECK] Login detected! User: ${user.documentId || user.id} (${user.email || user.username}) from IP: ${ip}`);
           const config2 = strapi2.config.get("plugin::magic-sessionmanager") || {};
           let shouldBlock = false;
           let blockReason = "";
@@ -344,8 +345,13 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
             };
             return;
           }
+          let userDocId = user.documentId;
+          if (!userDocId && user.id) {
+            const fullUser = await strapi2.entityService.findOne(USER_UID$2, user.id);
+            userDocId = fullUser?.documentId || user.id;
+          }
           const newSession = await sessionService.createSession({
-            userId: user.id,
+            userId: userDocId,
             ip,
             userAgent,
             token: ctx.body.jwt,
@@ -353,7 +359,7 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
             refreshToken: ctx.body.refreshToken
             // Store Refresh Token (encrypted) if exists
           });
-          strapi2.log.info(`[magic-sessionmanager] [SUCCESS] Session created for user ${user.id} (IP: ${ip})`);
+          strapi2.log.info(`[magic-sessionmanager] [SUCCESS] Session created for user ${userDocId} (IP: ${ip})`);
           if (geoData && (config2.enableEmailAlerts || config2.enableWebhooks)) {
             try {
               const notificationService = strapi2.plugin("magic-sessionmanager").service("notifications");
@@ -479,12 +485,55 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
       lastSeen({ strapi: strapi2, sessionService })
     );
     strapi2.log.info("[magic-sessionmanager] [SUCCESS] LastSeen middleware mounted");
+    await ensureContentApiPermissions(strapi2);
     strapi2.log.info("[magic-sessionmanager] [SUCCESS] Bootstrap complete");
     strapi2.log.info("[magic-sessionmanager] [READY] Session Manager ready! Sessions stored in plugin::magic-sessionmanager.session");
   } catch (err) {
     strapi2.log.error("[magic-sessionmanager] [ERROR] Bootstrap error:", err);
   }
 };
+async function ensureContentApiPermissions(strapi2) {
+  try {
+    const authenticatedRole = await strapi2.query("plugin::users-permissions.role").findOne({
+      where: { type: "authenticated" }
+    });
+    if (!authenticatedRole) {
+      strapi2.log.warn("[magic-sessionmanager] Authenticated role not found - skipping permission setup");
+      return;
+    }
+    const requiredActions = [
+      "plugin::magic-sessionmanager.session.logout",
+      "plugin::magic-sessionmanager.session.logoutAll",
+      "plugin::magic-sessionmanager.session.getOwnSessions",
+      "plugin::magic-sessionmanager.session.getUserSessions"
+    ];
+    const existingPermissions = await strapi2.query("plugin::users-permissions.permission").findMany({
+      where: {
+        role: authenticatedRole.id,
+        action: { $in: requiredActions }
+      }
+    });
+    const existingActions = existingPermissions.map((p) => p.action);
+    const missingActions = requiredActions.filter((action) => !existingActions.includes(action));
+    if (missingActions.length === 0) {
+      strapi2.log.debug("[magic-sessionmanager] Content-API permissions already configured");
+      return;
+    }
+    for (const action of missingActions) {
+      await strapi2.query("plugin::users-permissions.permission").create({
+        data: {
+          action,
+          role: authenticatedRole.id
+        }
+      });
+      strapi2.log.info(`[magic-sessionmanager] [PERMISSION] Enabled ${action} for authenticated users`);
+    }
+    strapi2.log.info("[magic-sessionmanager] [SUCCESS] Content-API permissions configured for authenticated users");
+  } catch (err) {
+    strapi2.log.warn("[magic-sessionmanager] Could not auto-configure permissions:", err.message);
+    strapi2.log.warn("[magic-sessionmanager] Please manually enable plugin permissions in Settings > Users & Permissions > Roles > Authenticated");
+  }
+}
 var destroy$1 = async ({ strapi: strapi2 }) => {
   if (strapi2.licenseGuard && strapi2.licenseGuard.pingInterval) {
     clearInterval(strapi2.licenseGuard.pingInterval);
@@ -637,13 +686,22 @@ var contentApi$1 = {
     // ============================================================
     // SESSION QUERIES
     // ============================================================
+    {
+      method: "GET",
+      path: "/my-sessions",
+      handler: "session.getOwnSessions",
+      config: {
+        auth: { strategies: ["users-permissions"] },
+        description: "Get own sessions (automatically uses authenticated user)"
+      }
+    },
     {
       method: "GET",
       path: "/user/:userId/sessions",
       handler: "session.getUserSessions",
       config: {
         auth: { strategies: ["users-permissions"] },
-        description: "Get own sessions (controller validates user can only see own sessions)"
+        description: "Get sessions by userId (validates user can only see own sessions)"
       }
     }
   ]
@@ -803,7 +861,7 @@ var routes$1 = {
 };
 const { decryptToken: decryptToken$1 } = encryption;
 const SESSION_UID$1 = "plugin::magic-sessionmanager.session";
-const USER_UID = "plugin::users-permissions.user";
+const USER_UID$1 = "plugin::users-permissions.user";
 var session$3 = {
   /**
    * Get ALL sessions (active + inactive) - Admin only
@@ -843,6 +901,30 @@ var session$3 = {
       ctx.throw(500, "Error fetching active sessions");
     }
   },
+  /**
+   * Get own sessions (authenticated user)
+   * GET /api/magic-sessionmanager/my-sessions
+   * Automatically uses the authenticated user's documentId
+   */
+  async getOwnSessions(ctx) {
+    try {
+      const userId = ctx.state.user?.documentId;
+      if (!userId) {
+        return ctx.throw(401, "Unauthorized");
+      }
+      const sessionService = strapi.plugin("magic-sessionmanager").service("session");
+      const sessions = await sessionService.getUserSessions(userId);
+      ctx.body = {
+        data: sessions,
+        meta: {
+          count: sessions.length
+        }
+      };
+    } catch (err) {
+      strapi.log.error("[magic-sessionmanager] Error fetching own sessions:", err);
+      ctx.throw(500, "Error fetching sessions");
+    }
+  },
   /**
    * Get user's sessions
    * GET /magic-sessionmanager/user/:userId/sessions (Admin API)
@@ -853,9 +935,9 @@ var session$3 = {
     try {
       const { userId } = ctx.params;
       const isAdminRequest = ctx.state.userAbility || ctx.state.admin;
-      const requestingUserId = ctx.state.user?.id;
-      if (!isAdminRequest && requestingUserId && String(requestingUserId) !== String(userId)) {
-        strapi.log.warn(`[magic-sessionmanager] Security: User ${requestingUserId} tried to access sessions of user ${userId}`);
+      const requestingUserDocId = ctx.state.user?.documentId;
+      if (!isAdminRequest && requestingUserDocId && String(requestingUserDocId) !== String(userId)) {
+        strapi.log.warn(`[magic-sessionmanager] Security: User ${requestingUserDocId} tried to access sessions of user ${userId}`);
         return ctx.forbidden("You can only access your own sessions");
       }
       const sessionService = strapi.plugin("magic-sessionmanager").service("session");
@@ -876,7 +958,7 @@ var session$3 = {
    */
   async logout(ctx) {
     try {
-      const userId = ctx.state.user?.id;
+      const userId = ctx.state.user?.documentId;
       const token = ctx.request.headers.authorization?.replace("Bearer ", "");
       if (!userId) {
         return ctx.throw(401, "Unauthorized");
@@ -915,7 +997,7 @@ var session$3 = {
    */
   async logoutAll(ctx) {
     try {
-      const userId = ctx.state.user?.id;
+      const userId = ctx.state.user?.documentId;
       if (!userId) {
         return ctx.throw(401, "Unauthorized");
       }
@@ -1055,24 +1137,34 @@ var session$3 = {
   /**
    * Toggle user blocked status
    * POST /magic-sessionmanager/user/:userId/toggle-block
+   * Supports both numeric id (from Content Manager) and documentId
    */
   async toggleUserBlock(ctx) {
     try {
       const { userId } = ctx.params;
-      const user = await strapi.documents(USER_UID).findOne({ documentId: userId });
+      let userDocumentId = userId;
+      let user = null;
+      user = await strapi.documents(USER_UID$1).findOne({ documentId: userId });
+      if (!user && !isNaN(userId)) {
+        const numericUser = await strapi.entityService.findOne(USER_UID$1, parseInt(userId, 10));
+        if (numericUser) {
+          userDocumentId = numericUser.documentId;
+          user = numericUser;
+        }
+      }
       if (!user) {
         return ctx.throw(404, "User not found");
       }
       const newBlockedStatus = !user.blocked;
-      await strapi.documents(USER_UID).update({
-        documentId: userId,
+      await strapi.documents(USER_UID$1).update({
+        documentId: userDocumentId,
         data: {
           blocked: newBlockedStatus
         }
       });
       if (newBlockedStatus) {
         const sessionService = strapi.plugin("magic-sessionmanager").service("session");
-        await sessionService.terminateSession({ userId });
+        await sessionService.terminateSession({ userId: userDocumentId });
       }
       ctx.body = {
         message: `User ${newBlockedStatus ? "blocked" : "unblocked"} successfully`,
@@ -1401,6 +1493,7 @@ var controllers$1 = {
 };
 const { encryptToken, decryptToken, generateSessionId } = encryption;
 const SESSION_UID = "plugin::magic-sessionmanager.session";
+const USER_UID = "plugin::users-permissions.user";
 var session$1 = ({ strapi: strapi2 }) => ({
   /**
    * Create a new session record
@@ -1439,6 +1532,7 @@ var session$1 = ({ strapi: strapi2 }) => ({
   },
   /**
    * Terminate a session or all sessions for a user
+   * Supports both numeric id (legacy) and documentId (Strapi v5)
    * @param {Object} params - { sessionId | userId }
    * @returns {Promise<void>}
    */
@@ -1455,9 +1549,16 @@ var session$1 = ({ strapi: strapi2 }) => ({
         });
         strapi2.log.info(`[magic-sessionmanager] Session ${sessionId} terminated`);
       } else if (userId) {
+        let userDocumentId = userId;
+        if (!isNaN(userId)) {
+          const user = await strapi2.entityService.findOne(USER_UID, parseInt(userId, 10));
+          if (user) {
+            userDocumentId = user.documentId;
+          }
+        }
         const activeSessions = await strapi2.documents(SESSION_UID).findMany({
           filters: {
-            user: { documentId: userId },
+            user: { documentId: userDocumentId },
             // Deep filtering syntax
             isActive: true
           }
@@ -1471,7 +1572,7 @@ var session$1 = ({ strapi: strapi2 }) => ({
             }
           });
         }
-        strapi2.log.info(`[magic-sessionmanager] All sessions terminated for user ${userId}`);
+        strapi2.log.info(`[magic-sessionmanager] All sessions terminated for user ${userDocumentId}`);
       }
     } catch (err) {
       strapi2.log.error("[magic-sessionmanager] Error terminating session:", err);
@@ -1543,13 +1644,21 @@ var session$1 = ({ strapi: strapi2 }) => ({
   },
   /**
    * Get all sessions for a specific user
-   * @param {number} userId
+   * Supports both numeric id (legacy) and documentId (Strapi v5)
+   * @param {string|number} userId - User documentId or numeric id
    * @returns {Promise<Array>} User's sessions with accurate online status
    */
   async getUserSessions(userId) {
     try {
+      let userDocumentId = userId;
+      if (!isNaN(userId)) {
+        const user = await strapi2.entityService.findOne(USER_UID, parseInt(userId, 10));
+        if (user) {
+          userDocumentId = user.documentId;
+        }
+      }
       const sessions = await strapi2.documents(SESSION_UID).findMany({
-        filters: { user: { documentId: userId } },
+        filters: { user: { documentId: userDocumentId } },
         sort: { loginTime: "desc" }
       });
       const config2 = strapi2.config.get("plugin::magic-sessionmanager") || {};
@@ -1677,7 +1786,7 @@ var session$1 = ({ strapi: strapi2 }) => ({
     }
   }
 });
-const version = "3.7.0";
+const version = "4.0.1";
 const require$$2 = {
   version
 };
@@ -2108,12 +2217,12 @@ var notifications$1 = ({ strapi: strapi2 }) => ({
     strapi2.log.debug("[magic-sessionmanager/notifications] Using default fallback templates");
     return {
       suspiciousLogin: {
-        subject: "🚨 Suspicious Login Alert - Session Manager",
+        subject: "[ALERT] Suspicious Login Alert - Session Manager",
         html: `
 <html>
 <body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
   <div style="max-width: 600px; margin: 0 auto; padding: 20px; background-color: #f9fafb; border-radius: 10px;">
-    <h2 style="color: #dc2626;">🚨 Suspicious Login Detected</h2>
+    <h2 style="color: #dc2626;">[ALERT] Suspicious Login Detected</h2>
     <p>A potentially suspicious login was detected for your account.</p>
     
     <div style="background: white; padding: 15px; border-radius: 8px; margin: 20px 0;">
@@ -2148,7 +2257,7 @@ var notifications$1 = ({ strapi: strapi2 }) => ({
   </div>
 </body>
 </html>`,
-        text: `🚨 Suspicious Login Detected
+        text: `[ALERT] Suspicious Login Detected
 
 A potentially suspicious login was detected for your account.
 
@@ -2319,10 +2428,10 @@ VPN: {{reason.isVpn}}, Proxy: {{reason.isProxy}}`
       title: this.getEventTitle(event),
       color: this.getEventColor(event),
       fields: [
-        { name: "👤 User", value: `${user.email}
+        { name: "User", value: `${user.email}
 ${user.username || "N/A"}`, inline: true },
-        { name: "🌐 IP", value: session2.ipAddress, inline: true },
-        { name: "📅 Time", value: new Date(session2.loginTime).toLocaleString(), inline: false }
+        { name: "IP", value: session2.ipAddress, inline: true },
+        { name: "Time", value: new Date(session2.loginTime).toLocaleString(), inline: false }
       ],
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
       footer: { text: "Magic Session Manager" }
@@ -2350,11 +2459,11 @@ Score: ${geoData.securityScore}/100`,
   },
   getEventTitle(event) {
     const titles = {
-      "login.suspicious": "🚨 Suspicious Login",
+      "login.suspicious": "[ALERT] Suspicious Login",
       "login.new_location": "[LOCATION] New Location Login",
-      "login.vpn": "🔴 VPN Login Detected",
-      "login.threat": "⛔ Threat IP Login",
-      "session.terminated": "🔴 Session Terminated"
+      "login.vpn": "[WARNING] VPN Login Detected",
+      "login.threat": "[THREAT] Threat IP Login",
+      "session.terminated": "[INFO] Session Terminated"
     };
     return titles[event] || "[STATS] Session Event";
   },

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "4.0.0",
+  "version": "4.0.2",
   "keywords": [
     "strapi",
     "strapi-plugin",

package/server/src/bootstrap.js

@@ -163,7 +163,8 @@ module.exports = async ({ strapi }) => {
           const ip = getClientIp(ctx);
           const userAgent = ctx.request.headers?.['user-agent'] || ctx.request.header?.['user-agent'] || 'unknown';
           
-          strapi.log.info(`[magic-sessionmanager] [CHECK] Login detected! User: ${user.id} (${user.email || user.username}) from IP: ${ip}`);
+          // Strapi v5: Use documentId for session creation
+          strapi.log.info(`[magic-sessionmanager] [CHECK] Login detected! User: ${user.documentId || user.id} (${user.email || user.username}) from IP: ${ip}`);
           
           // Get config
           const config = strapi.config.get('plugin::magic-sessionmanager') || {};
@@ -235,16 +236,23 @@ module.exports = async ({ strapi }) => {
             return; // Stop here
           }
           
-          // Create a new session
+          // Create a new session (Strapi v5: Use documentId instead of numeric id)
+          // If login response doesn't include documentId, fetch it from DB
+          let userDocId = user.documentId;
+          if (!userDocId && user.id) {
+            const fullUser = await strapi.entityService.findOne(USER_UID, user.id);
+            userDocId = fullUser?.documentId || user.id;
+          }
+          
           const newSession = await sessionService.createSession({
-            userId: user.id,
+            userId: userDocId,
             ip,
             userAgent,
             token: ctx.body.jwt,              // Store Access Token (encrypted)
             refreshToken: ctx.body.refreshToken, // Store Refresh Token (encrypted) if exists
           });
           
-          strapi.log.info(`[magic-sessionmanager] [SUCCESS] Session created for user ${user.id} (IP: ${ip})`);
+          strapi.log.info(`[magic-sessionmanager] [SUCCESS] Session created for user ${userDocId} (IP: ${ip})`);
           
           // Advanced: Send notifications
           if (geoData && (config.enableEmailAlerts || config.enableWebhooks)) {
@@ -407,6 +415,10 @@ module.exports = async ({ strapi }) => {
     );
 
     strapi.log.info('[magic-sessionmanager] [SUCCESS] LastSeen middleware mounted');
+
+    // Auto-enable Content-API permissions for authenticated users
+    await ensureContentApiPermissions(strapi);
+
     strapi.log.info('[magic-sessionmanager] [SUCCESS] Bootstrap complete');
     strapi.log.info('[magic-sessionmanager] [READY] Session Manager ready! Sessions stored in plugin::magic-sessionmanager.session');
     
@@ -414,3 +426,63 @@ module.exports = async ({ strapi }) => {
     strapi.log.error('[magic-sessionmanager] [ERROR] Bootstrap error:', err);
   }
 };
+
+/**
+ * Auto-enable Content-API permissions for authenticated users
+ * This ensures plugin endpoints are accessible after installation
+ * @param {object} strapi - Strapi instance
+ */
+async function ensureContentApiPermissions(strapi) {
+  try {
+    // Get the authenticated role
+    const authenticatedRole = await strapi.query('plugin::users-permissions.role').findOne({
+      where: { type: 'authenticated' },
+    });
+
+    if (!authenticatedRole) {
+      strapi.log.warn('[magic-sessionmanager] Authenticated role not found - skipping permission setup');
+      return;
+    }
+
+    // Content-API actions that should be enabled for authenticated users
+    const requiredActions = [
+      'plugin::magic-sessionmanager.session.logout',
+      'plugin::magic-sessionmanager.session.logoutAll',
+      'plugin::magic-sessionmanager.session.getOwnSessions',
+      'plugin::magic-sessionmanager.session.getUserSessions',
+    ];
+
+    // Get existing permissions for this role
+    const existingPermissions = await strapi.query('plugin::users-permissions.permission').findMany({
+      where: {
+        role: authenticatedRole.id,
+        action: { $in: requiredActions },
+      },
+    });
+
+    // Find which actions are missing
+    const existingActions = existingPermissions.map(p => p.action);
+    const missingActions = requiredActions.filter(action => !existingActions.includes(action));
+
+    if (missingActions.length === 0) {
+      strapi.log.debug('[magic-sessionmanager] Content-API permissions already configured');
+      return;
+    }
+
+    // Create missing permissions
+    for (const action of missingActions) {
+      await strapi.query('plugin::users-permissions.permission').create({
+        data: {
+          action,
+          role: authenticatedRole.id,
+        },
+      });
+      strapi.log.info(`[magic-sessionmanager] [PERMISSION] Enabled ${action} for authenticated users`);
+    }
+
+    strapi.log.info('[magic-sessionmanager] [SUCCESS] Content-API permissions configured for authenticated users');
+  } catch (err) {
+    strapi.log.warn('[magic-sessionmanager] Could not auto-configure permissions:', err.message);
+    strapi.log.warn('[magic-sessionmanager] Please manually enable plugin permissions in Settings > Users & Permissions > Roles > Authenticated');
+  }
+}

package/server/src/controllers/session.js

@@ -58,6 +58,38 @@ module.exports = {
     }
   },
 
+  /**
+   * Get own sessions (authenticated user)
+   * GET /api/magic-sessionmanager/my-sessions
+   * Automatically uses the authenticated user's documentId
+   */
+  async getOwnSessions(ctx) {
+    try {
+      // Strapi v5: Use documentId from authenticated user
+      const userId = ctx.state.user?.documentId;
+
+      if (!userId) {
+        return ctx.throw(401, 'Unauthorized');
+      }
+
+      const sessionService = strapi
+        .plugin('magic-sessionmanager')
+        .service('session');
+
+      const sessions = await sessionService.getUserSessions(userId);
+
+      ctx.body = {
+        data: sessions,
+        meta: {
+          count: sessions.length,
+        },
+      };
+    } catch (err) {
+      strapi.log.error('[magic-sessionmanager] Error fetching own sessions:', err);
+      ctx.throw(500, 'Error fetching sessions');
+    }
+  },
+
   /**
    * Get user's sessions
    * GET /magic-sessionmanager/user/:userId/sessions (Admin API)
@@ -70,12 +102,13 @@ module.exports = {
       
       // Check if this is an admin request
       const isAdminRequest = ctx.state.userAbility || ctx.state.admin;
-      const requestingUserId = ctx.state.user?.id;
+      // Strapi v5: Use documentId instead of numeric id
+      const requestingUserDocId = ctx.state.user?.documentId;
 
       // SECURITY CHECK: Content API users can only see their own sessions
       // Admins can see any user's sessions
-      if (!isAdminRequest && requestingUserId && String(requestingUserId) !== String(userId)) {
-        strapi.log.warn(`[magic-sessionmanager] Security: User ${requestingUserId} tried to access sessions of user ${userId}`);
+      if (!isAdminRequest && requestingUserDocId && String(requestingUserDocId) !== String(userId)) {
+        strapi.log.warn(`[magic-sessionmanager] Security: User ${requestingUserDocId} tried to access sessions of user ${userId}`);
         return ctx.forbidden('You can only access your own sessions');
       }
 
@@ -102,7 +135,8 @@ module.exports = {
    */
   async logout(ctx) {
     try {
-      const userId = ctx.state.user?.id;
+      // Strapi v5: Use documentId instead of numeric id
+      const userId = ctx.state.user?.documentId;
       const token = ctx.request.headers.authorization?.replace('Bearer ', '');
 
       if (!userId) {
@@ -153,7 +187,8 @@ module.exports = {
    */
   async logoutAll(ctx) {
     try {
-      const userId = ctx.state.user?.id;
+      // Strapi v5: Use documentId instead of numeric id
+      const userId = ctx.state.user?.documentId;
 
       if (!userId) {
         return ctx.throw(401, 'Unauthorized');
@@ -340,13 +375,28 @@ module.exports = {
   /**
    * Toggle user blocked status
    * POST /magic-sessionmanager/user/:userId/toggle-block
+   * Supports both numeric id (from Content Manager) and documentId
    */
   async toggleUserBlock(ctx) {
     try {
       const { userId } = ctx.params;
       
-      // Get current user status
-      const user = await strapi.documents(USER_UID).findOne({ documentId: userId });
+      // Strapi v5: userId from params could be numeric id or documentId
+      // If numeric, look up the documentId first using entityService (fallback)
+      let userDocumentId = userId;
+      let user = null;
+      
+      // Try to find by documentId first (preferred)
+      user = await strapi.documents(USER_UID).findOne({ documentId: userId });
+      
+      // If not found, try numeric id lookup via entityService (fallback for Content Manager)
+      if (!user && !isNaN(userId)) {
+        const numericUser = await strapi.entityService.findOne(USER_UID, parseInt(userId, 10));
+        if (numericUser) {
+          userDocumentId = numericUser.documentId;
+          user = numericUser;
+        }
+      }
       
       if (!user) {
         return ctx.throw(404, 'User not found');
@@ -356,7 +406,7 @@ module.exports = {
       const newBlockedStatus = !user.blocked;
       
       await strapi.documents(USER_UID).update({
-        documentId: userId,
+        documentId: userDocumentId,
         data: {
           blocked: newBlockedStatus,
         },
@@ -367,7 +417,7 @@ module.exports = {
         const sessionService = strapi
           .plugin('magic-sessionmanager')
           .service('session');
-        await sessionService.terminateSession({ userId });
+        await sessionService.terminateSession({ userId: userDocumentId });
       }
 
       ctx.body = {

package/server/src/middlewares/last-seen.js

@@ -13,9 +13,10 @@ const SESSION_UID = 'plugin::magic-sessionmanager.session';
 module.exports = ({ strapi, sessionService }) => {
   return async (ctx, next) => {
     // BEFORE processing request: Check if user's sessions are active
-    if (ctx.state.user && ctx.state.user.id) {
+    // Strapi v5: Use documentId instead of numeric id for Document Service API
+    if (ctx.state.user && ctx.state.user.documentId) {
       try {
-        const userId = ctx.state.user.id;
+        const userId = ctx.state.user.documentId;
         
         // Check if user has ANY active sessions
         const activeSessions = await strapi.documents(SESSION_UID).findMany( {
@@ -41,9 +42,9 @@ module.exports = ({ strapi, sessionService }) => {
     await next();
 
     // AFTER response: Update activity timestamps if user is authenticated
-    if (ctx.state.user && ctx.state.user.id) {
+    if (ctx.state.user && ctx.state.user.documentId) {
       try {
-        const userId = ctx.state.user.id;
+        const userId = ctx.state.user.documentId;
 
         // Try to find or extract sessionId from context
         const sessionId = ctx.state.sessionId;

package/server/src/routes/content-api.js

@@ -38,14 +38,23 @@ module.exports = {
     // SESSION QUERIES
     // ============================================================
     
+    {
+      method: 'GET',
+      path: '/my-sessions',
+      handler: 'session.getOwnSessions',
+      config: {
+        auth: { strategies: ['users-permissions'] },
+        description: 'Get own sessions (automatically uses authenticated user)',
+      },
+    },
     {
       method: 'GET',
       path: '/user/:userId/sessions',
       handler: 'session.getUserSessions',
       config: {
         auth: { strategies: ['users-permissions'] },
-        description: 'Get own sessions (controller validates user can only see own sessions)',
+        description: 'Get sessions by userId (validates user can only see own sessions)',
+      },
     },
-  },
   ],
 };