strapi-plugin-magic-sessionmanager 4.2.4 → 4.2.5

package/server/src/services/session.js

@@ -1,393 +0,0 @@
-'use strict';
-
-const { encryptToken, decryptToken, generateSessionId } = require('../utils/encryption');
-const { createLogger } = require('../utils/logger');
-
-/**
- * Session Service
- * Uses plugin::magic-sessionmanager.session content type with relation to users
- * All session tracking happens in the Session collection
- *
- * SECURITY: JWT tokens are encrypted before storing in database using AES-256-GCM
- * 
- * [SUCCESS] Migrated to strapi.documents() API (Strapi v5 Best Practice)
- * 
- * TODO: For production multi-instance deployments, use Redis for:
- *   - Session store instead of DB
- *   - Rate limiting locks
- *   - Distributed session state
- */
-
-const SESSION_UID = 'plugin::magic-sessionmanager.session';
-const USER_UID = 'plugin::users-permissions.user';
-
-module.exports = ({ strapi }) => {
-  const log = createLogger(strapi);
-  
-  return {
-  /**
-   * Create a new session record
-   * @param {Object} params - { userId, ip, userAgent, token, refreshToken }
-   * @returns {Promise<Object>} Created session
-   */
-  async createSession({ userId, ip = 'unknown', userAgent = 'unknown', token, refreshToken }) {
-    try {
-      const now = new Date();
-      
-      // Generate unique session ID
-      const sessionId = generateSessionId(userId);
-      
-      // Encrypt JWT tokens before storing (both access and refresh)
-      const encryptedToken = token ? encryptToken(token) : null;
-      const encryptedRefreshToken = refreshToken ? encryptToken(refreshToken) : null;
-      
-      // Using Document Service API (Strapi v5)
-      const session = await strapi.documents(SESSION_UID).create({
-        data: {
-          user: userId, // userId should be documentId (string)
-          ipAddress: ip.substring(0, 45),
-          userAgent: userAgent.substring(0, 500),
-          loginTime: now,
-          lastActive: now,
-          isActive: true,
-          token: encryptedToken,              // [SUCCESS] Encrypted Access Token
-          refreshToken: encryptedRefreshToken, // [SUCCESS] Encrypted Refresh Token
-          sessionId: sessionId,                // [SUCCESS] Unique identifier
-        },
-      });
-
-      log.info(`[SUCCESS] Session ${session.documentId} (${sessionId}) created for user ${userId}`);
-
-      return session;
-    } catch (err) {
-      log.error('Error creating session:', err);
-      throw err;
-    }
-  },
-
-  /**
-   * Terminate a session or all sessions for a user
-   * Supports both numeric id (legacy) and documentId (Strapi v5)
-   * @param {Object} params - { sessionId | userId }
-   * @returns {Promise<void>}
-   */
-  async terminateSession({ sessionId, userId }) {
-    try {
-      const now = new Date();
-
-      if (sessionId) {
-        // Using Document Service API (Strapi v5)
-        await strapi.documents(SESSION_UID).update({
-          documentId: sessionId,
-          data: {
-            isActive: false,
-            logoutTime: now,
-          },
-        });
-
-        log.info(`Session ${sessionId} terminated`);
-      } else if (userId) {
-        // Strapi v5: If numeric id provided, look up documentId first
-        let userDocumentId = userId;
-        if (!isNaN(userId)) {
-          const user = await strapi.entityService.findOne(USER_UID, parseInt(userId, 10));
-          if (user) {
-            userDocumentId = user.documentId;
-          }
-        }
-        
-        // Find all active sessions for user - use Deep Filtering (Strapi v5)
-        const activeSessions = await strapi.documents(SESSION_UID).findMany({
-          filters: {
-            user: { documentId: userDocumentId }, // Deep filtering syntax
-            isActive: true,
-          },
-        });
-
-        // Terminate all active sessions
-        for (const session of activeSessions) {
-          await strapi.documents(SESSION_UID).update({
-            documentId: session.documentId,
-            data: {
-              isActive: false,
-              logoutTime: now,
-            },
-          });
-        }
-
-        log.info(`All sessions terminated for user ${userDocumentId}`);
-      }
-    } catch (err) {
-      log.error('Error terminating session:', err);
-      throw err;
-    }
-  },
-
-  /**
-   * Get ALL sessions (active + inactive) with accurate online status
-   * @returns {Promise<Array>} All sessions with enhanced data
-   */
-  async getAllSessions() {
-    try {
-      const sessions = await strapi.documents(SESSION_UID).findMany( {
-        populate: { user: { fields: ['id', 'email', 'username'] } },
-        sort: { loginTime: 'desc' },
-        limit: 1000, // Reasonable limit
-      });
-
-      // Get inactivity timeout from config (default: 15 minutes)
-      const config = strapi.config.get('plugin::magic-sessionmanager') || {};
-      const inactivityTimeout = config.inactivityTimeout || 15 * 60 * 1000; // 15 min in ms
-
-      // Enhance sessions with accurate online status
-      const now = new Date();
-      const enhancedSessions = sessions.map(session => {
-        const lastActiveTime = session.lastActive ? new Date(session.lastActive) : new Date(session.loginTime);
-        const timeSinceActive = now - lastActiveTime;
-        
-        // Session is "truly active" if within timeout window AND isActive is true
-        const isTrulyActive = session.isActive && (timeSinceActive < inactivityTimeout);
-        
-        // Remove sensitive token field for security
-        const { token, ...sessionWithoutToken } = session;
-        
-        return {
-          ...sessionWithoutToken,
-          isTrulyActive,
-          minutesSinceActive: Math.floor(timeSinceActive / 1000 / 60),
-        };
-      });
-
-      return enhancedSessions;
-    } catch (err) {
-      log.error('Error getting all sessions:', err);
-      throw err;
-    }
-  },
-
-  /**
-   * Get all active sessions with accurate online status
-   * @returns {Promise<Array>} Active sessions with user data and online status
-   */
-  async getActiveSessions() {
-    try {
-      const sessions = await strapi.documents(SESSION_UID).findMany( {
-        filters: { isActive: true },
-        populate: { user: { fields: ['id', 'email', 'username'] } },
-        sort: { loginTime: 'desc' },
-      });
-
-      // Get inactivity timeout from config (default: 15 minutes)
-      const config = strapi.config.get('plugin::magic-sessionmanager') || {};
-      const inactivityTimeout = config.inactivityTimeout || 15 * 60 * 1000; // 15 min in ms
-
-      // Enhance sessions with accurate online status
-      const now = new Date();
-      const enhancedSessions = sessions.map(session => {
-        const lastActiveTime = session.lastActive ? new Date(session.lastActive) : new Date(session.loginTime);
-        const timeSinceActive = now - lastActiveTime;
-        
-        // Session is "truly active" if within timeout window
-        const isTrulyActive = timeSinceActive < inactivityTimeout;
-        
-        // Remove sensitive token field for security
-        const { token, ...sessionWithoutToken } = session;
-        
-        return {
-          ...sessionWithoutToken,
-          isTrulyActive,
-          minutesSinceActive: Math.floor(timeSinceActive / 1000 / 60),
-        };
-      });
-
-      // Only return truly active sessions
-      return enhancedSessions.filter(s => s.isTrulyActive);
-    } catch (err) {
-      log.error('Error getting active sessions:', err);
-      throw err;
-    }
-  },
-
-  /**
-   * Get all sessions for a specific user
-   * Supports both numeric id (legacy) and documentId (Strapi v5)
-   * @param {string|number} userId - User documentId or numeric id
-   * @returns {Promise<Array>} User's sessions with accurate online status
-   */
-  async getUserSessions(userId) {
-    try {
-      // Strapi v5: If numeric id provided, look up documentId first
-      let userDocumentId = userId;
-      if (!isNaN(userId)) {
-        const user = await strapi.entityService.findOne(USER_UID, parseInt(userId, 10));
-        if (user) {
-          userDocumentId = user.documentId;
-        }
-      }
-      
-      const sessions = await strapi.documents(SESSION_UID).findMany( {
-        filters: { user: { documentId: userDocumentId } },
-        sort: { loginTime: 'desc' },
-      });
-
-      // Get inactivity timeout from config (default: 15 minutes)
-      const config = strapi.config.get('plugin::magic-sessionmanager') || {};
-      const inactivityTimeout = config.inactivityTimeout || 15 * 60 * 1000; // 15 min in ms
-
-      // Enhance sessions with accurate online status
-      const now = new Date();
-      const enhancedSessions = sessions.map(session => {
-        const lastActiveTime = session.lastActive ? new Date(session.lastActive) : new Date(session.loginTime);
-        const timeSinceActive = now - lastActiveTime;
-        
-        // Session is "truly active" if:
-        // 1. isActive = true AND
-        // 2. lastActive is within timeout window
-        const isTrulyActive = session.isActive && (timeSinceActive < inactivityTimeout);
-        
-        // Remove sensitive token field for security
-        const { token, ...sessionWithoutToken } = session;
-        
-        return {
-          ...sessionWithoutToken,
-          isTrulyActive,
-          minutesSinceActive: Math.floor(timeSinceActive / 1000 / 60),
-        };
-      });
-
-      return enhancedSessions;
-    } catch (err) {
-      log.error('Error getting user sessions:', err);
-      throw err;
-    }
-  },
-
-  /**
-   * Update lastActive timestamp on session (rate-limited to avoid DB noise)
-   * @param {Object} params - { userId, sessionId }
-   * @returns {Promise<void>}
-   */
-  async touch({ userId, sessionId }) {
-    try {
-      const now = new Date();
-      const config = strapi.config.get('plugin::magic-sessionmanager') || {};
-      const rateLimit = config.lastSeenRateLimit || 30000;
-
-      // Update session lastActive only
-      if (sessionId) {
-        const session = await strapi.documents(SESSION_UID).findOne({ documentId: sessionId });
-
-        if (session && session.lastActive) {
-          const lastActiveTime = new Date(session.lastActive).getTime();
-          const currentTime = now.getTime();
-
-          if (currentTime - lastActiveTime > rateLimit) {
-            await strapi.documents(SESSION_UID).update({ documentId: sessionId,
-              data: { lastActive: now },
-            });
-          }
-        } else if (session) {
-          // First time or null
-          await strapi.documents(SESSION_UID).update({ documentId: sessionId,
-            data: { lastActive: now },
-          });
-        }
-      }
-    } catch (err) {
-      log.debug('Error touching session:', err.message);
-      // Don't throw - this is a non-critical operation
-    }
-  },
-
-  /**
-   * Cleanup inactive sessions - set isActive to false for sessions older than inactivityTimeout
-   * Should be called on bootstrap to clean up stale sessions
-   */
-  async cleanupInactiveSessions() {
-    try {
-      // Get inactivity timeout from config (default: 15 minutes)
-      const config = strapi.config.get('plugin::magic-sessionmanager') || {};
-      const inactivityTimeout = config.inactivityTimeout || 15 * 60 * 1000; // 15 min in ms
-      
-      // Calculate cutoff time
-      const now = new Date();
-      const cutoffTime = new Date(now.getTime() - inactivityTimeout);
-      
-      log.info(`[CLEANUP] Cleaning up sessions inactive since before ${cutoffTime.toISOString()}`);
-      
-      // Find all active sessions
-      const activeSessions = await strapi.documents(SESSION_UID).findMany({
-        filters: { isActive: true },
-        fields: ['lastActive', 'loginTime'],
-      });
-      
-      // Deactivate old sessions
-      let deactivatedCount = 0;
-      for (const session of activeSessions) {
-        const lastActiveTime = session.lastActive ? new Date(session.lastActive) : new Date(session.loginTime);
-        
-        if (lastActiveTime < cutoffTime) {
-          await strapi.documents(SESSION_UID).update({
-            documentId: session.documentId,
-            data: { isActive: false },
-          });
-          deactivatedCount++;
-        }
-      }
-      
-      log.info(`[SUCCESS] Cleanup complete: ${deactivatedCount} sessions deactivated`);
-      return deactivatedCount;
-    } catch (err) {
-      log.error('Error cleaning up inactive sessions:', err);
-      throw err;
-    }
-  },
-
-  /**
-   * Delete a single session from database
-   * WARNING: This permanently deletes the record!
-   * @param {number} sessionId - Session ID to delete
-   * @returns {Promise<boolean>} Success status
-   */
-  async deleteSession(sessionId) {
-    try {
-      await strapi.documents(SESSION_UID).delete({ documentId: sessionId });
-      log.info(`[DELETE] Session ${sessionId} permanently deleted`);
-      return true;
-    } catch (err) {
-      log.error('Error deleting session:', err);
-      throw err;
-    }
-  },
-
-  /**
-   * Delete all inactive sessions from database
-   * WARNING: This permanently deletes records!
-   * @returns {Promise<number>} Number of deleted sessions
-   */
-  async deleteInactiveSessions() {
-    try {
-      log.info('[DELETE] Deleting all inactive sessions...');
-      
-      // Find all inactive sessions (documentId is always included automatically)
-      const inactiveSessions = await strapi.documents(SESSION_UID).findMany({
-        filters: { isActive: false },
-      });
-      
-      let deletedCount = 0;
-      
-      // Delete each inactive session
-      for (const session of inactiveSessions) {
-        await strapi.documents(SESSION_UID).delete({ documentId: session.documentId });
-        deletedCount++;
-      }
-      
-      log.info(`[SUCCESS] Deleted ${deletedCount} inactive sessions`);
-      return deletedCount;
-    } catch (err) {
-      log.error('Error deleting inactive sessions:', err);
-      throw err;
-    }
-  },
-};
-};

package/server/src/utils/encryption.js

@@ -1,121 +0,0 @@
-'use strict';
-
-const crypto = require('crypto');
-
-/**
- * JWT Encryption Utility
- * Uses AES-256-GCM for secure token storage
- * 
- * SECURITY: Tokens are encrypted before storing in database
- * This prevents exposure if database is compromised
- */
-
-const ALGORITHM = 'aes-256-gcm';
-const IV_LENGTH = 16;
-const AUTH_TAG_LENGTH = 16;
-
-/**
- * Get encryption key from environment or generate one
- * IMPORTANT: Set SESSION_ENCRYPTION_KEY in .env for production!
- */
-function getEncryptionKey() {
-  const envKey = process.env.SESSION_ENCRYPTION_KEY;
-  
-  if (envKey) {
-    // Use provided key (must be 32 bytes for AES-256)
-    const key = crypto.createHash('sha256').update(envKey).digest();
-    return key;
-  }
-  
-  // Fallback: Use Strapi's app keys (not recommended for production)
-  const strapiKeys = process.env.APP_KEYS || process.env.API_TOKEN_SALT || 'default-insecure-key';
-  const key = crypto.createHash('sha256').update(strapiKeys).digest();
-  
-  console.warn('[magic-sessionmanager/encryption] [WARNING]  No SESSION_ENCRYPTION_KEY found. Using fallback (not recommended for production).');
-  console.warn('[magic-sessionmanager/encryption] Set SESSION_ENCRYPTION_KEY in .env for better security.');
-  
-  return key;
-}
-
-/**
- * Encrypt JWT token before storing in database
- * @param {string} token - JWT token to encrypt
- * @returns {string} Encrypted token with IV and auth tag
- */
-function encryptToken(token) {
-  if (!token) return null;
-  
-  try {
-    const key = getEncryptionKey();
-    const iv = crypto.randomBytes(IV_LENGTH);
-    
-    const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
-    
-    let encrypted = cipher.update(token, 'utf8', 'hex');
-    encrypted += cipher.final('hex');
-    
-    const authTag = cipher.getAuthTag();
-    
-    // Format: iv:authTag:encryptedData
-    return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
-  } catch (err) {
-    console.error('[magic-sessionmanager/encryption] Encryption failed:', err);
-    throw new Error('Failed to encrypt token');
-  }
-}
-
-/**
- * Decrypt JWT token from database
- * @param {string} encryptedToken - Encrypted token from database
- * @returns {string} Decrypted JWT token
- */
-function decryptToken(encryptedToken) {
-  if (!encryptedToken) return null;
-  
-  try {
-    const key = getEncryptionKey();
-    
-    // Parse: iv:authTag:encryptedData
-    const parts = encryptedToken.split(':');
-    
-    if (parts.length !== 3) {
-      throw new Error('Invalid encrypted token format');
-    }
-    
-    const iv = Buffer.from(parts[0], 'hex');
-    const authTag = Buffer.from(parts[1], 'hex');
-    const encrypted = parts[2];
-    
-    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
-    decipher.setAuthTag(authTag);
-    
-    let decrypted = decipher.update(encrypted, 'hex', 'utf8');
-    decrypted += decipher.final('utf8');
-    
-    return decrypted;
-  } catch (err) {
-    console.error('[magic-sessionmanager/encryption] Decryption failed:', err);
-    return null; // Return null if decryption fails (invalid/tampered token)
-  }
-}
-
-/**
- * Generate unique session ID
- * Combines timestamp + random bytes + user ID for uniqueness
- * @param {number} userId - User ID
- * @returns {string} Unique session identifier
- */
-function generateSessionId(userId) {
-  const timestamp = Date.now().toString(36);
-  const randomBytes = crypto.randomBytes(8).toString('hex');
-  const userHash = crypto.createHash('sha256').update(userId.toString()).digest('hex').substring(0, 8);
-  
-  return `sess_${timestamp}_${userHash}_${randomBytes}`;
-}
-
-module.exports = {
-  encryptToken,
-  decryptToken,
-  generateSessionId,
-};
-

package/server/src/utils/getClientIp.js

@@ -1,118 +0,0 @@
-/**
- * Extract real client IP address from request
- * Handles proxies, load balancers, and various header formats
- * 
- * Priority order:
- * 1. CF-Connecting-IP (Cloudflare)
- * 2. True-Client-IP (Akamai, Cloudflare)
- * 3. X-Real-IP (nginx)
- * 4. X-Forwarded-For (standard proxy header)
- * 5. X-Client-IP
- * 6. X-Cluster-Client-IP
- * 7. ctx.request.ip (Koa default)
- */
-
-const getClientIp = (ctx) => {
-  try {
-    const headers = ctx.request.headers || ctx.request.header || {};
-    
-    // 1. Cloudflare
-    if (headers['cf-connecting-ip']) {
-      return cleanIp(headers['cf-connecting-ip']);
-    }
-    
-    // 2. True-Client-IP (Akamai, Cloudflare Enterprise)
-    if (headers['true-client-ip']) {
-      return cleanIp(headers['true-client-ip']);
-    }
-    
-    // 3. X-Real-IP (nginx proxy_pass)
-    if (headers['x-real-ip']) {
-      return cleanIp(headers['x-real-ip']);
-    }
-    
-    // 4. X-Forwarded-For (most common)
-    // Format: "client, proxy1, proxy2"
-    // We want the FIRST IP (the actual client)
-    if (headers['x-forwarded-for']) {
-      const forwardedIps = headers['x-forwarded-for'].split(',');
-      const clientIp = forwardedIps[0].trim();
-      if (clientIp && !isPrivateIp(clientIp)) {
-        return cleanIp(clientIp);
-      }
-    }
-    
-    // 5. X-Client-IP
-    if (headers['x-client-ip']) {
-      return cleanIp(headers['x-client-ip']);
-    }
-    
-    // 6. X-Cluster-Client-IP (Rackspace, Riverbed)
-    if (headers['x-cluster-client-ip']) {
-      return cleanIp(headers['x-cluster-client-ip']);
-    }
-    
-    // 7. Forwarded (RFC 7239)
-    if (headers['forwarded']) {
-      const match = headers['forwarded'].match(/for=([^;,\s]+)/);
-      if (match && match[1]) {
-        return cleanIp(match[1].replace(/"/g, ''));
-      }
-    }
-    
-    // 8. Fallback to Koa's ctx.request.ip
-    if (ctx.request.ip) {
-      return cleanIp(ctx.request.ip);
-    }
-    
-    // 9. Last resort
-    return 'unknown';
-    
-  } catch (error) {
-    console.error('[getClientIp] Error extracting IP:', error);
-    return 'unknown';
-  }
-};
-
-/**
- * Clean IP address (remove IPv6 prefix, port, etc.)
- */
-const cleanIp = (ip) => {
-  if (!ip) return 'unknown';
-  
-  // Remove port if present
-  ip = ip.split(':')[0];
-  
-  // Remove IPv6 prefix (::ffff:)
-  if (ip.startsWith('::ffff:')) {
-    ip = ip.substring(7);
-  }
-  
-  // Trim whitespace
-  ip = ip.trim();
-  
-  return ip || 'unknown';
-};
-
-/**
- * Check if IP is private/local
- */
-const isPrivateIp = (ip) => {
-  if (!ip) return true;
-  
-  // Private IP ranges
-  if (ip === '127.0.0.1' || ip === 'localhost' || ip === '::1') return true;
-  if (ip.startsWith('192.168.')) return true;
-  if (ip.startsWith('10.')) return true;
-  if (ip.startsWith('172.')) {
-    const second = parseInt(ip.split('.')[1]);
-    if (second >= 16 && second <= 31) return true;
-  }
-  if (ip.startsWith('fc00:') || ip.startsWith('fd00:')) return true;
-  if (ip.startsWith('fe80:')) return true;
-  
-  return false;
-};
-
-module.exports = getClientIp;
-