strapi-plugin-magic-sessionmanager 4.2.8 → 4.2.10

package/dist/server/index.js

@@ -179,7 +179,7 @@ function encryptToken$2(token) {
     throw new Error("Failed to encrypt token");
   }
 }
-function decryptToken$4(encryptedToken) {
+function decryptToken$3(encryptedToken) {
   if (!encryptedToken) return null;
   try {
     const key = getEncryptionKey();
@@ -206,15 +206,20 @@ function generateSessionId$1(userId) {
   const userHash = crypto$1.createHash("sha256").update(userId.toString()).digest("hex").substring(0, 8);
   return `sess_${timestamp}_${userHash}_${randomBytes}`;
 }
+function hashToken$3(token) {
+  if (!token) return null;
+  return crypto$1.createHash("sha256").update(token).digest("hex");
+}
 var encryption = {
   encryptToken: encryptToken$2,
-  decryptToken: decryptToken$4,
-  generateSessionId: generateSessionId$1
+  decryptToken: decryptToken$3,
+  generateSessionId: generateSessionId$1,
+  hashToken: hashToken$3
 };
 const SESSION_UID$3 = "plugin::magic-sessionmanager.session";
-const { decryptToken: decryptToken$3 } = encryption;
+const { hashToken: hashToken$2 } = encryption;
 const lastTouchCache = /* @__PURE__ */ new Map();
-var lastSeen = ({ strapi: strapi2, sessionService }) => {
+var lastSeen = ({ strapi: strapi2 }) => {
   return async (ctx, next) => {
     const currentToken = ctx.request.headers.authorization?.replace("Bearer ", "");
     if (!currentToken) {
@@ -227,58 +232,26 @@ var lastSeen = ({ strapi: strapi2, sessionService }) => {
       return;
     }
     let matchingSession = null;
-    let userId = null;
     try {
-      if (ctx.state.user && ctx.state.user.documentId) {
-        userId = ctx.state.user.documentId;
-        const activeSessions = await strapi2.documents(SESSION_UID$3).findMany({
-          filters: {
-            user: { documentId: userId },
-            isActive: true
-          }
-        });
-        if (!activeSessions || activeSessions.length === 0) {
-          strapi2.log.info(`[magic-sessionmanager] [BLOCKED] User ${userId} has no active sessions`);
-          return ctx.unauthorized("All sessions have been terminated. Please login again.");
-        }
-        for (const session2 of activeSessions) {
-          if (!session2.token) continue;
-          try {
-            const decrypted = decryptToken$3(session2.token);
-            if (decrypted === currentToken) {
-              matchingSession = session2;
-              break;
-            }
-          } catch (err) {
-          }
-        }
-        if (!matchingSession) {
-          strapi2.log.info(`[magic-sessionmanager] [BLOCKED] Session for user ${userId} has been terminated`);
-          return ctx.unauthorized("This session has been terminated. Please login again.");
-        }
-      } else {
-        const allActiveSessions = await strapi2.documents(SESSION_UID$3).findMany({
-          filters: { isActive: true },
-          populate: { user: { fields: ["documentId"] } },
-          limit: 500
-          // Reasonable limit for performance
-        });
-        for (const session2 of allActiveSessions) {
-          if (!session2.token) continue;
-          try {
-            const decrypted = decryptToken$3(session2.token);
-            if (decrypted === currentToken) {
-              matchingSession = session2;
-              userId = session2.user?.documentId;
-              break;
-            }
-          } catch (err) {
-          }
-        }
-      }
+      const currentTokenHash = hashToken$2(currentToken);
+      matchingSession = await strapi2.documents(SESSION_UID$3).findFirst({
+        filters: {
+          tokenHash: currentTokenHash,
+          isActive: true
+        },
+        populate: { user: { fields: ["documentId"] } }
+      });
       if (matchingSession) {
         ctx.state.sessionId = matchingSession.documentId;
         ctx.state.currentSession = matchingSession;
+        if (matchingSession.user?.documentId) {
+          ctx.state.sessionUserId = matchingSession.user.documentId;
+        }
+      } else {
+        if (ctx.state.user && ctx.state.user.documentId) {
+          strapi2.log.info(`[magic-sessionmanager] [BLOCKED] Session terminated for user ${ctx.state.user.documentId}`);
+          return ctx.unauthorized("This session has been terminated. Please login again.");
+        }
       }
     } catch (err) {
       strapi2.log.debug("[magic-sessionmanager] Error checking session:", err.message);
@@ -305,7 +278,7 @@ var lastSeen = ({ strapi: strapi2, sessionService }) => {
   };
 };
 const getClientIp = getClientIp_1;
-const { encryptToken: encryptToken$1, decryptToken: decryptToken$2 } = encryption;
+const { encryptToken: encryptToken$1, decryptToken: decryptToken$2, hashToken: hashToken$1 } = encryption;
 const { createLogger: createLogger$3 } = logger;
 const SESSION_UID$2 = "plugin::magic-sessionmanager.session";
 const USER_UID$2 = "plugin::users-permissions.user";
@@ -313,6 +286,7 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
   const log = createLogger$3(strapi2);
   log.info("[START] Bootstrap starting...");
   try {
+    await ensureTokenHashIndex(strapi2, log);
     const licenseGuardService = strapi2.plugin("magic-sessionmanager").service("license-guard");
     setTimeout(async () => {
       const licenseStatus = await licenseGuardService.initialize();
@@ -589,11 +563,15 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
             if (matchingSession) {
               const encryptedToken = newAccessToken ? encryptToken$1(newAccessToken) : matchingSession.token;
               const encryptedRefreshToken = newRefreshToken ? encryptToken$1(newRefreshToken) : matchingSession.refreshToken;
+              const newTokenHash = newAccessToken ? hashToken$1(newAccessToken) : matchingSession.tokenHash;
+              const newRefreshTokenHash = newRefreshToken ? hashToken$1(newRefreshToken) : matchingSession.refreshTokenHash;
               await strapi2.documents(SESSION_UID$2).update({
                 documentId: matchingSession.documentId,
                 data: {
                   token: encryptedToken,
+                  tokenHash: newTokenHash,
                   refreshToken: encryptedRefreshToken,
+                  refreshTokenHash: newRefreshTokenHash,
                   lastActive: /* @__PURE__ */ new Date()
                 }
               });
@@ -607,7 +585,7 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
     });
     log.info("[SUCCESS] Refresh Token interceptor middleware mounted");
     strapi2.server.use(
-      lastSeen({ strapi: strapi2, sessionService })
+      lastSeen({ strapi: strapi2 })
     );
     log.info("[SUCCESS] LastSeen middleware mounted");
     await ensureContentApiPermissions(strapi2, log);
@@ -665,6 +643,46 @@ async function ensureContentApiPermissions(strapi2, log) {
     log.warn("Please manually enable plugin permissions in Settings > Users & Permissions > Roles > Authenticated");
   }
 }
+async function ensureTokenHashIndex(strapi2, log) {
+  try {
+    const knex = strapi2.db.connection;
+    const tableName = "magic_sessions";
+    const indexName = "idx_magic_sessions_token_hash";
+    const hasIndex = await knex.schema.hasTable(tableName).then(async (exists) => {
+      if (!exists) return false;
+      const dialect = strapi2.db.dialect.client;
+      if (dialect === "postgres") {
+        const result = await knex.raw(`
+          SELECT indexname FROM pg_indexes 
+          WHERE tablename = ? AND indexname = ?
+        `, [tableName, indexName]);
+        return result.rows.length > 0;
+      } else if (dialect === "mysql" || dialect === "mysql2") {
+        const result = await knex.raw(`
+          SHOW INDEX FROM ${tableName} WHERE Key_name = ?
+        `, [indexName]);
+        return result[0].length > 0;
+      } else if (dialect === "sqlite" || dialect === "better-sqlite3") {
+        const result = await knex.raw(`
+          SELECT name FROM sqlite_master 
+          WHERE type='index' AND name = ?
+        `, [indexName]);
+        return result.length > 0;
+      }
+      return false;
+    });
+    if (hasIndex) {
+      log.debug("[INDEX] tokenHash index already exists");
+      return;
+    }
+    await knex.schema.alterTable(tableName, (table) => {
+      table.index(["token_hash", "is_active"], indexName);
+    });
+    log.info("[INDEX] Created tokenHash index for O(1) session lookup");
+  } catch (err) {
+    log.debug("[INDEX] Could not create tokenHash index (will retry on next startup):", err.message);
+  }
+}
 const { createLogger: createLogger$2 } = logger;
 var destroy$1 = async ({ strapi: strapi2 }) => {
   const log = createLogger$2(strapi2);
@@ -743,10 +761,19 @@ const attributes = {
     type: "text",
     "private": true
   },
+  tokenHash: {
+    type: "string",
+    configurable: false,
+    unique: false
+  },
   refreshToken: {
     type: "text",
     "private": true
   },
+  refreshTokenHash: {
+    type: "string",
+    configurable: false
+  },
   loginTime: {
     type: "datetime",
     required: true
@@ -1778,7 +1805,7 @@ var controllers$1 = {
   license,
   settings
 };
-const { encryptToken, decryptToken, generateSessionId } = encryption;
+const { encryptToken, decryptToken, generateSessionId, hashToken } = encryption;
 const { createLogger: createLogger$1 } = logger;
 const SESSION_UID = "plugin::magic-sessionmanager.session";
 const USER_UID = "plugin::users-permissions.user";
@@ -1796,6 +1823,8 @@ var session$1 = ({ strapi: strapi2 }) => {
         const sessionId = generateSessionId(userId);
         const encryptedToken = token ? encryptToken(token) : null;
         const encryptedRefreshToken = refreshToken ? encryptToken(refreshToken) : null;
+        const tokenHashValue = token ? hashToken(token) : null;
+        const refreshTokenHashValue = refreshToken ? hashToken(refreshToken) : null;
         const session2 = await strapi2.documents(SESSION_UID).create({
           data: {
             user: userId,
@@ -1806,11 +1835,15 @@ var session$1 = ({ strapi: strapi2 }) => {
             lastActive: now,
             isActive: true,
             token: encryptedToken,
-            // [SUCCESS] Encrypted Access Token
+            // Encrypted Access Token
+            tokenHash: tokenHashValue,
+            // SHA-256 hash for fast lookup
             refreshToken: encryptedRefreshToken,
-            // [SUCCESS] Encrypted Refresh Token
+            // Encrypted Refresh Token
+            refreshTokenHash: refreshTokenHashValue,
+            // SHA-256 hash for fast lookup
             sessionId
-            // [SUCCESS] Unique identifier
+            // Unique identifier
           }
         });
         log.info(`[SUCCESS] Session ${session2.documentId} (${sessionId}) created for user ${userId}`);
@@ -1888,9 +1921,9 @@ var session$1 = ({ strapi: strapi2 }) => {
           const lastActiveTime = session2.lastActive ? new Date(session2.lastActive) : new Date(session2.loginTime);
           const timeSinceActive = now - lastActiveTime;
           const isTrulyActive = session2.isActive && timeSinceActive < inactivityTimeout;
-          const { token, ...sessionWithoutToken } = session2;
+          const { token, tokenHash, refreshToken, refreshTokenHash, ...safeSession } = session2;
           return {
-            ...sessionWithoutToken,
+            ...safeSession,
             isTrulyActive,
             minutesSinceActive: Math.floor(timeSinceActive / 1e3 / 60)
           };
@@ -1919,9 +1952,9 @@ var session$1 = ({ strapi: strapi2 }) => {
           const lastActiveTime = session2.lastActive ? new Date(session2.lastActive) : new Date(session2.loginTime);
           const timeSinceActive = now - lastActiveTime;
           const isTrulyActive = timeSinceActive < inactivityTimeout;
-          const { token, ...sessionWithoutToken } = session2;
+          const { token, tokenHash, refreshToken, refreshTokenHash, ...safeSession } = session2;
           return {
-            ...sessionWithoutToken,
+            ...safeSession,
             isTrulyActive,
             minutesSinceActive: Math.floor(timeSinceActive / 1e3 / 60)
           };
@@ -1958,9 +1991,9 @@ var session$1 = ({ strapi: strapi2 }) => {
           const lastActiveTime = session2.lastActive ? new Date(session2.lastActive) : new Date(session2.loginTime);
           const timeSinceActive = now - lastActiveTime;
           const isTrulyActive = session2.isActive && timeSinceActive < inactivityTimeout;
-          const { token, ...sessionWithoutToken } = session2;
+          const { token, tokenHash, refreshToken, refreshTokenHash, ...safeSession } = session2;
           return {
-            ...sessionWithoutToken,
+            ...safeSession,
             isTrulyActive,
             minutesSinceActive: Math.floor(timeSinceActive / 1e3 / 60)
           };
@@ -2077,7 +2110,7 @@ var session$1 = ({ strapi: strapi2 }) => {
     }
   };
 };
-const version = "4.2.7";
+const version = "4.2.9";
 const require$$2 = {
   version
 };

package/dist/server/index.mjs

@@ -175,7 +175,7 @@ function encryptToken$2(token) {
     throw new Error("Failed to encrypt token");
   }
 }
-function decryptToken$4(encryptedToken) {
+function decryptToken$3(encryptedToken) {
   if (!encryptedToken) return null;
   try {
     const key = getEncryptionKey();
@@ -202,15 +202,20 @@ function generateSessionId$1(userId) {
   const userHash = crypto$1.createHash("sha256").update(userId.toString()).digest("hex").substring(0, 8);
   return `sess_${timestamp}_${userHash}_${randomBytes}`;
 }
+function hashToken$3(token) {
+  if (!token) return null;
+  return crypto$1.createHash("sha256").update(token).digest("hex");
+}
 var encryption = {
   encryptToken: encryptToken$2,
-  decryptToken: decryptToken$4,
-  generateSessionId: generateSessionId$1
+  decryptToken: decryptToken$3,
+  generateSessionId: generateSessionId$1,
+  hashToken: hashToken$3
 };
 const SESSION_UID$3 = "plugin::magic-sessionmanager.session";
-const { decryptToken: decryptToken$3 } = encryption;
+const { hashToken: hashToken$2 } = encryption;
 const lastTouchCache = /* @__PURE__ */ new Map();
-var lastSeen = ({ strapi: strapi2, sessionService }) => {
+var lastSeen = ({ strapi: strapi2 }) => {
   return async (ctx, next) => {
     const currentToken = ctx.request.headers.authorization?.replace("Bearer ", "");
     if (!currentToken) {
@@ -223,58 +228,26 @@ var lastSeen = ({ strapi: strapi2, sessionService }) => {
       return;
     }
     let matchingSession = null;
-    let userId = null;
     try {
-      if (ctx.state.user && ctx.state.user.documentId) {
-        userId = ctx.state.user.documentId;
-        const activeSessions = await strapi2.documents(SESSION_UID$3).findMany({
-          filters: {
-            user: { documentId: userId },
-            isActive: true
-          }
-        });
-        if (!activeSessions || activeSessions.length === 0) {
-          strapi2.log.info(`[magic-sessionmanager] [BLOCKED] User ${userId} has no active sessions`);
-          return ctx.unauthorized("All sessions have been terminated. Please login again.");
-        }
-        for (const session2 of activeSessions) {
-          if (!session2.token) continue;
-          try {
-            const decrypted = decryptToken$3(session2.token);
-            if (decrypted === currentToken) {
-              matchingSession = session2;
-              break;
-            }
-          } catch (err) {
-          }
-        }
-        if (!matchingSession) {
-          strapi2.log.info(`[magic-sessionmanager] [BLOCKED] Session for user ${userId} has been terminated`);
-          return ctx.unauthorized("This session has been terminated. Please login again.");
-        }
-      } else {
-        const allActiveSessions = await strapi2.documents(SESSION_UID$3).findMany({
-          filters: { isActive: true },
-          populate: { user: { fields: ["documentId"] } },
-          limit: 500
-          // Reasonable limit for performance
-        });
-        for (const session2 of allActiveSessions) {
-          if (!session2.token) continue;
-          try {
-            const decrypted = decryptToken$3(session2.token);
-            if (decrypted === currentToken) {
-              matchingSession = session2;
-              userId = session2.user?.documentId;
-              break;
-            }
-          } catch (err) {
-          }
-        }
-      }
+      const currentTokenHash = hashToken$2(currentToken);
+      matchingSession = await strapi2.documents(SESSION_UID$3).findFirst({
+        filters: {
+          tokenHash: currentTokenHash,
+          isActive: true
+        },
+        populate: { user: { fields: ["documentId"] } }
+      });
       if (matchingSession) {
         ctx.state.sessionId = matchingSession.documentId;
         ctx.state.currentSession = matchingSession;
+        if (matchingSession.user?.documentId) {
+          ctx.state.sessionUserId = matchingSession.user.documentId;
+        }
+      } else {
+        if (ctx.state.user && ctx.state.user.documentId) {
+          strapi2.log.info(`[magic-sessionmanager] [BLOCKED] Session terminated for user ${ctx.state.user.documentId}`);
+          return ctx.unauthorized("This session has been terminated. Please login again.");
+        }
       }
     } catch (err) {
       strapi2.log.debug("[magic-sessionmanager] Error checking session:", err.message);
@@ -301,7 +274,7 @@ var lastSeen = ({ strapi: strapi2, sessionService }) => {
   };
 };
 const getClientIp = getClientIp_1;
-const { encryptToken: encryptToken$1, decryptToken: decryptToken$2 } = encryption;
+const { encryptToken: encryptToken$1, decryptToken: decryptToken$2, hashToken: hashToken$1 } = encryption;
 const { createLogger: createLogger$3 } = logger;
 const SESSION_UID$2 = "plugin::magic-sessionmanager.session";
 const USER_UID$2 = "plugin::users-permissions.user";
@@ -309,6 +282,7 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
   const log = createLogger$3(strapi2);
   log.info("[START] Bootstrap starting...");
   try {
+    await ensureTokenHashIndex(strapi2, log);
     const licenseGuardService = strapi2.plugin("magic-sessionmanager").service("license-guard");
     setTimeout(async () => {
       const licenseStatus = await licenseGuardService.initialize();
@@ -585,11 +559,15 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
             if (matchingSession) {
               const encryptedToken = newAccessToken ? encryptToken$1(newAccessToken) : matchingSession.token;
               const encryptedRefreshToken = newRefreshToken ? encryptToken$1(newRefreshToken) : matchingSession.refreshToken;
+              const newTokenHash = newAccessToken ? hashToken$1(newAccessToken) : matchingSession.tokenHash;
+              const newRefreshTokenHash = newRefreshToken ? hashToken$1(newRefreshToken) : matchingSession.refreshTokenHash;
               await strapi2.documents(SESSION_UID$2).update({
                 documentId: matchingSession.documentId,
                 data: {
                   token: encryptedToken,
+                  tokenHash: newTokenHash,
                   refreshToken: encryptedRefreshToken,
+                  refreshTokenHash: newRefreshTokenHash,
                   lastActive: /* @__PURE__ */ new Date()
                 }
               });
@@ -603,7 +581,7 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
     });
     log.info("[SUCCESS] Refresh Token interceptor middleware mounted");
     strapi2.server.use(
-      lastSeen({ strapi: strapi2, sessionService })
+      lastSeen({ strapi: strapi2 })
     );
     log.info("[SUCCESS] LastSeen middleware mounted");
     await ensureContentApiPermissions(strapi2, log);
@@ -661,6 +639,46 @@ async function ensureContentApiPermissions(strapi2, log) {
     log.warn("Please manually enable plugin permissions in Settings > Users & Permissions > Roles > Authenticated");
   }
 }
+async function ensureTokenHashIndex(strapi2, log) {
+  try {
+    const knex = strapi2.db.connection;
+    const tableName = "magic_sessions";
+    const indexName = "idx_magic_sessions_token_hash";
+    const hasIndex = await knex.schema.hasTable(tableName).then(async (exists) => {
+      if (!exists) return false;
+      const dialect = strapi2.db.dialect.client;
+      if (dialect === "postgres") {
+        const result = await knex.raw(`
+          SELECT indexname FROM pg_indexes 
+          WHERE tablename = ? AND indexname = ?
+        `, [tableName, indexName]);
+        return result.rows.length > 0;
+      } else if (dialect === "mysql" || dialect === "mysql2") {
+        const result = await knex.raw(`
+          SHOW INDEX FROM ${tableName} WHERE Key_name = ?
+        `, [indexName]);
+        return result[0].length > 0;
+      } else if (dialect === "sqlite" || dialect === "better-sqlite3") {
+        const result = await knex.raw(`
+          SELECT name FROM sqlite_master 
+          WHERE type='index' AND name = ?
+        `, [indexName]);
+        return result.length > 0;
+      }
+      return false;
+    });
+    if (hasIndex) {
+      log.debug("[INDEX] tokenHash index already exists");
+      return;
+    }
+    await knex.schema.alterTable(tableName, (table) => {
+      table.index(["token_hash", "is_active"], indexName);
+    });
+    log.info("[INDEX] Created tokenHash index for O(1) session lookup");
+  } catch (err) {
+    log.debug("[INDEX] Could not create tokenHash index (will retry on next startup):", err.message);
+  }
+}
 const { createLogger: createLogger$2 } = logger;
 var destroy$1 = async ({ strapi: strapi2 }) => {
   const log = createLogger$2(strapi2);
@@ -739,10 +757,19 @@ const attributes = {
     type: "text",
     "private": true
   },
+  tokenHash: {
+    type: "string",
+    configurable: false,
+    unique: false
+  },
   refreshToken: {
     type: "text",
     "private": true
   },
+  refreshTokenHash: {
+    type: "string",
+    configurable: false
+  },
   loginTime: {
     type: "datetime",
     required: true
@@ -1774,7 +1801,7 @@ var controllers$1 = {
   license,
   settings
 };
-const { encryptToken, decryptToken, generateSessionId } = encryption;
+const { encryptToken, decryptToken, generateSessionId, hashToken } = encryption;
 const { createLogger: createLogger$1 } = logger;
 const SESSION_UID = "plugin::magic-sessionmanager.session";
 const USER_UID = "plugin::users-permissions.user";
@@ -1792,6 +1819,8 @@ var session$1 = ({ strapi: strapi2 }) => {
         const sessionId = generateSessionId(userId);
         const encryptedToken = token ? encryptToken(token) : null;
         const encryptedRefreshToken = refreshToken ? encryptToken(refreshToken) : null;
+        const tokenHashValue = token ? hashToken(token) : null;
+        const refreshTokenHashValue = refreshToken ? hashToken(refreshToken) : null;
         const session2 = await strapi2.documents(SESSION_UID).create({
           data: {
             user: userId,
@@ -1802,11 +1831,15 @@ var session$1 = ({ strapi: strapi2 }) => {
             lastActive: now,
             isActive: true,
             token: encryptedToken,
-            // [SUCCESS] Encrypted Access Token
+            // Encrypted Access Token
+            tokenHash: tokenHashValue,
+            // SHA-256 hash for fast lookup
             refreshToken: encryptedRefreshToken,
-            // [SUCCESS] Encrypted Refresh Token
+            // Encrypted Refresh Token
+            refreshTokenHash: refreshTokenHashValue,
+            // SHA-256 hash for fast lookup
             sessionId
-            // [SUCCESS] Unique identifier
+            // Unique identifier
           }
         });
         log.info(`[SUCCESS] Session ${session2.documentId} (${sessionId}) created for user ${userId}`);
@@ -1884,9 +1917,9 @@ var session$1 = ({ strapi: strapi2 }) => {
           const lastActiveTime = session2.lastActive ? new Date(session2.lastActive) : new Date(session2.loginTime);
           const timeSinceActive = now - lastActiveTime;
           const isTrulyActive = session2.isActive && timeSinceActive < inactivityTimeout;
-          const { token, ...sessionWithoutToken } = session2;
+          const { token, tokenHash, refreshToken, refreshTokenHash, ...safeSession } = session2;
           return {
-            ...sessionWithoutToken,
+            ...safeSession,
             isTrulyActive,
             minutesSinceActive: Math.floor(timeSinceActive / 1e3 / 60)
           };
@@ -1915,9 +1948,9 @@ var session$1 = ({ strapi: strapi2 }) => {
           const lastActiveTime = session2.lastActive ? new Date(session2.lastActive) : new Date(session2.loginTime);
           const timeSinceActive = now - lastActiveTime;
           const isTrulyActive = timeSinceActive < inactivityTimeout;
-          const { token, ...sessionWithoutToken } = session2;
+          const { token, tokenHash, refreshToken, refreshTokenHash, ...safeSession } = session2;
           return {
-            ...sessionWithoutToken,
+            ...safeSession,
             isTrulyActive,
             minutesSinceActive: Math.floor(timeSinceActive / 1e3 / 60)
           };
@@ -1954,9 +1987,9 @@ var session$1 = ({ strapi: strapi2 }) => {
           const lastActiveTime = session2.lastActive ? new Date(session2.lastActive) : new Date(session2.loginTime);
           const timeSinceActive = now - lastActiveTime;
           const isTrulyActive = session2.isActive && timeSinceActive < inactivityTimeout;
-          const { token, ...sessionWithoutToken } = session2;
+          const { token, tokenHash, refreshToken, refreshTokenHash, ...safeSession } = session2;
           return {
-            ...sessionWithoutToken,
+            ...safeSession,
             isTrulyActive,
             minutesSinceActive: Math.floor(timeSinceActive / 1e3 / 60)
           };
@@ -2073,7 +2106,7 @@ var session$1 = ({ strapi: strapi2 }) => {
     }
   };
 };
-const version = "4.2.7";
+const version = "4.2.9";
 const require$$2 = {
   version
 };

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "4.2.8",
+  "version": "4.2.10",
   "keywords": [
     "strapi",
     "strapi-plugin",