strapi-plugin-magic-sessionmanager 4.2.9 → 4.2.11

package/README.md

@@ -390,30 +390,204 @@ Trigger a suspicious login (e.g., use a VPN) and check if the email arrives!
 
 ---
 
-## 📋 Simple API Guide
+## 📋 Content-API Endpoints (For Frontend/Apps)
 
-### Get Sessions
+All Content-API endpoints require a valid JWT token in the `Authorization` header.
+Users can only access their **own** sessions.
+
+### Get My Sessions
+
+Returns all sessions for the authenticated user.
+
+```bash
+GET /api/magic-sessionmanager/my-sessions
+Authorization: Bearer <JWT>
+```
+
+**Response:**
+```json
+{
+  "data": [
+    {
+      "id": 41,
+      "documentId": "abc123xyz",
+      "sessionId": "sess_m5k2h_8a3b1c2d_f9e8d7c6",
+      "ipAddress": "192.168.1.100",
+      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36...",
+      "loginTime": "2026-01-02T10:30:00.000Z",
+      "lastActive": "2026-01-02T13:45:00.000Z",
+      "logoutTime": null,
+      "isActive": true,
+      "deviceType": "desktop",
+      "browserName": "Chrome 143",
+      "osName": "macOS 10.15.7",
+      "geoLocation": null,
+      "securityScore": null,
+      "isCurrentSession": true,
+      "isTrulyActive": true,
+      "minutesSinceActive": 2
+    },
+    {
+      "id": 40,
+      "documentId": "def456uvw",
+      "sessionId": "sess_m5k1g_7b2a0c1d_e8d7c6b5",
+      "ipAddress": "10.0.0.50",
+      "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)...",
+      "loginTime": "2026-01-01T08:15:00.000Z",
+      "lastActive": "2026-01-01T12:00:00.000Z",
+      "logoutTime": null,
+      "isActive": true,
+      "deviceType": "mobile",
+      "browserName": "Safari",
+      "osName": "iOS 17",
+      "geoLocation": null,
+      "securityScore": null,
+      "isCurrentSession": false,
+      "isTrulyActive": false,
+      "minutesSinceActive": 1545
+    }
+  ],
+  "meta": {
+    "count": 2,
+    "active": 1
+  }
+}
+```
+
+### Get Current Session
+
+Returns only the session associated with the current JWT token.
+
+```bash
+GET /api/magic-sessionmanager/current-session
+Authorization: Bearer <JWT>
+```
+
+**Response:**
+```json
+{
+  "data": {
+    "id": 41,
+    "documentId": "abc123xyz",
+    "sessionId": "sess_m5k2h_8a3b1c2d_f9e8d7c6",
+    "ipAddress": "192.168.1.100",
+    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36...",
+    "loginTime": "2026-01-02T10:30:00.000Z",
+    "lastActive": "2026-01-02T13:45:00.000Z",
+    "logoutTime": null,
+    "isActive": true,
+    "deviceType": "desktop",
+    "browserName": "Chrome 143",
+    "osName": "macOS 10.15.7",
+    "geoLocation": null,
+    "securityScore": null,
+    "isCurrentSession": true,
+    "isTrulyActive": true,
+    "minutesSinceActive": 2
+  }
+}
+```
+
+### Logout (Current Session)
+
+Terminates only the current session.
+
+```bash
+POST /api/magic-sessionmanager/logout
+Authorization: Bearer <JWT>
+```
+
+**Response:**
+```json
+{
+  "message": "Logged out successfully"
+}
+```
+
+### Logout All Devices
+
+Terminates ALL sessions for the authenticated user (logs out everywhere).
+
+```bash
+POST /api/magic-sessionmanager/logout-all
+Authorization: Bearer <JWT>
+```
+
+**Response:**
+```json
+{
+  "message": "Logged out from all devices successfully"
+}
+```
+
+### Terminate Specific Session
+
+Terminates a specific session (not the current one). Useful for "Log out other devices".
+
+```bash
+DELETE /api/magic-sessionmanager/my-sessions/:sessionId
+Authorization: Bearer <JWT>
+```
+
+**Response:**
+```json
+{
+  "message": "Session abc123xyz terminated successfully",
+  "success": true
+}
+```
+
+**Error (trying to terminate current session):**
+```json
+{
+  "error": {
+    "status": 400,
+    "message": "Cannot terminate current session. Use /logout instead."
+  }
+}
+```
+
+---
+
+## 📋 Admin-API Endpoints (For Admin Panel)
+
+These endpoints require admin authentication.
+
+### Get All Sessions
 
 ```bash
-# Get all active sessions
 GET /magic-sessionmanager/sessions
 ```
 
-### Logout
+### Get Active Sessions Only
 
 ```bash
-# Logout current user
-POST /api/auth/logout
+GET /magic-sessionmanager/sessions/active
 ```
 
-### Force Logout
+### Force Terminate Session
 
 ```bash
-# Admin force-logout a session
 POST /magic-sessionmanager/sessions/:sessionId/terminate
 ```
 
-**That's all you need to know!**
+### Terminate All User Sessions
+
+```bash
+POST /magic-sessionmanager/user/:userId/terminate-all
+```
+
+### Block/Unblock User
+
+```bash
+POST /magic-sessionmanager/user/:userId/toggle-block
+```
+
+### Clean Inactive Sessions
+
+```bash
+POST /magic-sessionmanager/sessions/clean-inactive
+```
 
 ---
 

package/dist/server/index.js

@@ -206,7 +206,7 @@ function generateSessionId$1(userId) {
   const userHash = crypto$1.createHash("sha256").update(userId.toString()).digest("hex").substring(0, 8);
   return `sess_${timestamp}_${userHash}_${randomBytes}`;
 }
-function hashToken$3(token) {
+function hashToken$4(token) {
   if (!token) return null;
   return crypto$1.createHash("sha256").update(token).digest("hex");
 }
@@ -214,10 +214,10 @@ var encryption = {
   encryptToken: encryptToken$2,
   decryptToken: decryptToken$3,
   generateSessionId: generateSessionId$1,
-  hashToken: hashToken$3
+  hashToken: hashToken$4
 };
 const SESSION_UID$3 = "plugin::magic-sessionmanager.session";
-const { hashToken: hashToken$2 } = encryption;
+const { hashToken: hashToken$3 } = encryption;
 const lastTouchCache = /* @__PURE__ */ new Map();
 var lastSeen = ({ strapi: strapi2 }) => {
   return async (ctx, next) => {
@@ -233,7 +233,7 @@ var lastSeen = ({ strapi: strapi2 }) => {
     }
     let matchingSession = null;
     try {
-      const currentTokenHash = hashToken$2(currentToken);
+      const currentTokenHash = hashToken$3(currentToken);
       matchingSession = await strapi2.documents(SESSION_UID$3).findFirst({
         filters: {
           tokenHash: currentTokenHash,
@@ -278,7 +278,7 @@ var lastSeen = ({ strapi: strapi2 }) => {
   };
 };
 const getClientIp = getClientIp_1;
-const { encryptToken: encryptToken$1, decryptToken: decryptToken$2, hashToken: hashToken$1 } = encryption;
+const { encryptToken: encryptToken$1, decryptToken: decryptToken$2, hashToken: hashToken$2 } = encryption;
 const { createLogger: createLogger$3 } = logger;
 const SESSION_UID$2 = "plugin::magic-sessionmanager.session";
 const USER_UID$2 = "plugin::users-permissions.user";
@@ -286,6 +286,7 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
   const log = createLogger$3(strapi2);
   log.info("[START] Bootstrap starting...");
   try {
+    await ensureTokenHashIndex(strapi2, log);
     const licenseGuardService = strapi2.plugin("magic-sessionmanager").service("license-guard");
     setTimeout(async () => {
       const licenseStatus = await licenseGuardService.initialize();
@@ -562,8 +563,8 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
             if (matchingSession) {
               const encryptedToken = newAccessToken ? encryptToken$1(newAccessToken) : matchingSession.token;
               const encryptedRefreshToken = newRefreshToken ? encryptToken$1(newRefreshToken) : matchingSession.refreshToken;
-              const newTokenHash = newAccessToken ? hashToken$1(newAccessToken) : matchingSession.tokenHash;
-              const newRefreshTokenHash = newRefreshToken ? hashToken$1(newRefreshToken) : matchingSession.refreshTokenHash;
+              const newTokenHash = newAccessToken ? hashToken$2(newAccessToken) : matchingSession.tokenHash;
+              const newRefreshTokenHash = newRefreshToken ? hashToken$2(newRefreshToken) : matchingSession.refreshTokenHash;
               await strapi2.documents(SESSION_UID$2).update({
                 documentId: matchingSession.documentId,
                 data: {
@@ -642,6 +643,46 @@ async function ensureContentApiPermissions(strapi2, log) {
     log.warn("Please manually enable plugin permissions in Settings > Users & Permissions > Roles > Authenticated");
   }
 }
+async function ensureTokenHashIndex(strapi2, log) {
+  try {
+    const knex = strapi2.db.connection;
+    const tableName = "magic_sessions";
+    const indexName = "idx_magic_sessions_token_hash";
+    const hasIndex = await knex.schema.hasTable(tableName).then(async (exists) => {
+      if (!exists) return false;
+      const dialect = strapi2.db.dialect.client;
+      if (dialect === "postgres") {
+        const result = await knex.raw(`
+          SELECT indexname FROM pg_indexes 
+          WHERE tablename = ? AND indexname = ?
+        `, [tableName, indexName]);
+        return result.rows.length > 0;
+      } else if (dialect === "mysql" || dialect === "mysql2") {
+        const result = await knex.raw(`
+          SHOW INDEX FROM ${tableName} WHERE Key_name = ?
+        `, [indexName]);
+        return result[0].length > 0;
+      } else if (dialect === "sqlite" || dialect === "better-sqlite3") {
+        const result = await knex.raw(`
+          SELECT name FROM sqlite_master 
+          WHERE type='index' AND name = ?
+        `, [indexName]);
+        return result.length > 0;
+      }
+      return false;
+    });
+    if (hasIndex) {
+      log.debug("[INDEX] tokenHash index already exists");
+      return;
+    }
+    await knex.schema.alterTable(tableName, (table) => {
+      table.index(["token_hash", "is_active"], indexName);
+    });
+    log.info("[INDEX] Created tokenHash index for O(1) session lookup");
+  } catch (err) {
+    log.debug("[INDEX] Could not create tokenHash index (will retry on next startup):", err.message);
+  }
+}
 const { createLogger: createLogger$2 } = logger;
 var destroy$1 = async ({ strapi: strapi2 }) => {
   const log = createLogger$2(strapi2);
@@ -722,7 +763,8 @@ const attributes = {
   },
   tokenHash: {
     type: "string",
-    configurable: false
+    configurable: false,
+    unique: false
   },
   refreshToken: {
     type: "text",
@@ -1000,7 +1042,91 @@ var routes$1 = {
   admin,
   "content-api": contentApi
 };
-const { decryptToken: decryptToken$1 } = encryption;
+function parseUserAgent$2(userAgent) {
+  if (!userAgent) {
+    return {
+      deviceType: "unknown",
+      browserName: "unknown",
+      browserVersion: null,
+      osName: "unknown",
+      osVersion: null
+    };
+  }
+  userAgent.toLowerCase();
+  let deviceType = "desktop";
+  if (/mobile|android.*mobile|iphone|ipod|blackberry|iemobile|opera mini|opera mobi/i.test(userAgent)) {
+    deviceType = "mobile";
+  } else if (/tablet|ipad|android(?!.*mobile)|kindle|silk/i.test(userAgent)) {
+    deviceType = "tablet";
+  } else if (/bot|crawl|spider|slurp|mediapartners/i.test(userAgent)) {
+    deviceType = "bot";
+  }
+  let browserName = "unknown";
+  let browserVersion = null;
+  if (/edg\//i.test(userAgent)) {
+    browserName = "Edge";
+    browserVersion = extractVersion(userAgent, /edg\/(\d+[\.\d]*)/i);
+  } else if (/opr\//i.test(userAgent) || /opera/i.test(userAgent)) {
+    browserName = "Opera";
+    browserVersion = extractVersion(userAgent, /(?:opr|opera)[\s\/](\d+[\.\d]*)/i);
+  } else if (/chrome|crios/i.test(userAgent) && !/edg/i.test(userAgent)) {
+    browserName = "Chrome";
+    browserVersion = extractVersion(userAgent, /(?:chrome|crios)\/(\d+[\.\d]*)/i);
+  } else if (/firefox|fxios/i.test(userAgent)) {
+    browserName = "Firefox";
+    browserVersion = extractVersion(userAgent, /(?:firefox|fxios)\/(\d+[\.\d]*)/i);
+  } else if (/safari/i.test(userAgent) && !/chrome|chromium/i.test(userAgent)) {
+    browserName = "Safari";
+    browserVersion = extractVersion(userAgent, /version\/(\d+[\.\d]*)/i);
+  } else if (/msie|trident/i.test(userAgent)) {
+    browserName = "Internet Explorer";
+    browserVersion = extractVersion(userAgent, /(?:msie |rv:)(\d+[\.\d]*)/i);
+  }
+  let osName = "unknown";
+  let osVersion = null;
+  if (/windows nt/i.test(userAgent)) {
+    osName = "Windows";
+    const winVersion = extractVersion(userAgent, /windows nt (\d+[\.\d]*)/i);
+    const winVersionMap = {
+      "10.0": "10/11",
+      "6.3": "8.1",
+      "6.2": "8",
+      "6.1": "7",
+      "6.0": "Vista",
+      "5.1": "XP"
+    };
+    osVersion = winVersionMap[winVersion] || winVersion;
+  } else if (/mac os x/i.test(userAgent)) {
+    osName = "macOS";
+    osVersion = extractVersion(userAgent, /mac os x (\d+[_\.\d]*)/i)?.replace(/_/g, ".");
+  } else if (/iphone|ipad|ipod/i.test(userAgent)) {
+    osName = "iOS";
+    osVersion = extractVersion(userAgent, /os (\d+[_\.\d]*)/i)?.replace(/_/g, ".");
+  } else if (/android/i.test(userAgent)) {
+    osName = "Android";
+    osVersion = extractVersion(userAgent, /android (\d+[\.\d]*)/i);
+  } else if (/linux/i.test(userAgent)) {
+    osName = "Linux";
+  } else if (/cros/i.test(userAgent)) {
+    osName = "Chrome OS";
+  }
+  return {
+    deviceType,
+    browserName,
+    browserVersion,
+    osName,
+    osVersion
+  };
+}
+function extractVersion(userAgent, regex) {
+  const match = userAgent.match(regex);
+  return match ? match[1] : null;
+}
+var userAgentParser = {
+  parseUserAgent: parseUserAgent$2
+};
+const { decryptToken: decryptToken$1, hashToken: hashToken$1 } = encryption;
+const { parseUserAgent: parseUserAgent$1 } = userAgentParser;
 const SESSION_UID$1 = "plugin::magic-sessionmanager.session";
 const USER_UID$1 = "plugin::users-permissions.user";
 var session$3 = {
@@ -1046,12 +1172,13 @@ var session$3 = {
    * Get own sessions (authenticated user)
    * GET /api/magic-sessionmanager/my-sessions
    * Automatically uses the authenticated user's documentId
-   * Marks which session is the current one (based on JWT token)
+   * Marks which session is the current one (based on JWT token hash)
    */
   async getOwnSessions(ctx) {
     try {
       const userId = ctx.state.user?.documentId;
       const currentToken = ctx.request.headers.authorization?.replace("Bearer ", "");
+      const currentTokenHash = currentToken ? hashToken$1(currentToken) : null;
       if (!userId) {
         return ctx.throw(401, "Unauthorized");
       }
@@ -1066,17 +1193,26 @@ var session$3 = {
         const lastActiveTime = session2.lastActive ? new Date(session2.lastActive) : new Date(session2.loginTime);
         const timeSinceActive = now - lastActiveTime;
         const isTrulyActive = session2.isActive && timeSinceActive < inactivityTimeout;
-        let isCurrentSession = false;
-        if (session2.token && currentToken) {
-          try {
-            const decrypted = decryptToken$1(session2.token);
-            isCurrentSession = decrypted === currentToken;
-          } catch (err) {
-          }
-        }
-        const { token, refreshToken, ...sessionWithoutTokens } = session2;
+        const isCurrentSession = currentTokenHash && session2.tokenHash === currentTokenHash;
+        const parsedUA = parseUserAgent$1(session2.userAgent);
+        const deviceType = session2.deviceType || parsedUA.deviceType;
+        const browserName = session2.browserName || (parsedUA.browserVersion ? `${parsedUA.browserName} ${parsedUA.browserVersion}` : parsedUA.browserName);
+        const osName = session2.osName || (parsedUA.osVersion ? `${parsedUA.osName} ${parsedUA.osVersion}` : parsedUA.osName);
+        const {
+          token,
+          tokenHash,
+          refreshToken,
+          refreshTokenHash,
+          locale,
+          publishedAt,
+          // Remove Strapi internal fields
+          ...sessionWithoutTokens
+        } = session2;
         return {
           ...sessionWithoutTokens,
+          deviceType,
+          browserName,
+          osName,
           isCurrentSession,
           isTrulyActive,
           minutesSinceActive: Math.floor(timeSinceActive / 1e3 / 60)
@@ -1138,21 +1274,14 @@ var session$3 = {
         return ctx.throw(401, "Unauthorized");
       }
       const sessionService = strapi.plugin("magic-sessionmanager").service("session");
-      const sessions = await strapi.documents(SESSION_UID$1).findMany({
+      const currentTokenHash = hashToken$1(token);
+      const matchingSession = await strapi.documents(SESSION_UID$1).findFirst({
         filters: {
           user: { documentId: userId },
+          tokenHash: currentTokenHash,
           isActive: true
         }
       });
-      const matchingSession = sessions.find((session2) => {
-        if (!session2.token) return false;
-        try {
-          const decrypted = decryptToken$1(session2.token);
-          return decrypted === token;
-        } catch (err) {
-          return false;
-        }
-      });
       if (matchingSession) {
         await sessionService.terminateSession({ sessionId: matchingSession.documentId });
         strapi.log.info(`[magic-sessionmanager] User ${userId} logged out (session ${matchingSession.documentId})`);
@@ -1187,7 +1316,7 @@ var session$3 = {
     }
   },
   /**
-   * Get current session info based on JWT token
+   * Get current session info based on JWT token hash
    * GET /api/magic-sessionmanager/current-session
    * Returns the session associated with the current JWT token
    */
@@ -1198,21 +1327,14 @@ var session$3 = {
       if (!userId || !token) {
         return ctx.throw(401, "Unauthorized");
       }
-      const sessions = await strapi.documents(SESSION_UID$1).findMany({
+      const currentTokenHash = hashToken$1(token);
+      const currentSession = await strapi.documents(SESSION_UID$1).findFirst({
         filters: {
           user: { documentId: userId },
+          tokenHash: currentTokenHash,
           isActive: true
         }
       });
-      const currentSession = sessions.find((session2) => {
-        if (!session2.token) return false;
-        try {
-          const decrypted = decryptToken$1(session2.token);
-          return decrypted === token;
-        } catch (err) {
-          return false;
-        }
-      });
       if (!currentSession) {
         return ctx.notFound("Current session not found");
       }
@@ -1221,10 +1343,25 @@ var session$3 = {
       const now = /* @__PURE__ */ new Date();
       const lastActiveTime = currentSession.lastActive ? new Date(currentSession.lastActive) : new Date(currentSession.loginTime);
       const timeSinceActive = now - lastActiveTime;
-      const { token: _, refreshToken: __, ...sessionWithoutTokens } = currentSession;
+      const parsedUA = parseUserAgent$1(currentSession.userAgent);
+      const deviceType = currentSession.deviceType || parsedUA.deviceType;
+      const browserName = currentSession.browserName || (parsedUA.browserVersion ? `${parsedUA.browserName} ${parsedUA.browserVersion}` : parsedUA.browserName);
+      const osName = currentSession.osName || (parsedUA.osVersion ? `${parsedUA.osName} ${parsedUA.osVersion}` : parsedUA.osName);
+      const {
+        token: _,
+        tokenHash: _th,
+        refreshToken: __,
+        refreshTokenHash: _rth,
+        locale: _l,
+        publishedAt: _p,
+        ...sessionWithoutTokens
+      } = currentSession;
       ctx.body = {
         data: {
           ...sessionWithoutTokens,
+          deviceType,
+          browserName,
+          osName,
           isCurrentSession: true,
           isTrulyActive: timeSinceActive < inactivityTimeout,
           minutesSinceActive: Math.floor(timeSinceActive / 1e3 / 60)
@@ -1245,6 +1382,7 @@ var session$3 = {
       const userId = ctx.state.user?.documentId;
       const { sessionId } = ctx.params;
       const currentToken = ctx.request.headers.authorization?.replace("Bearer ", "");
+      const currentTokenHash = currentToken ? hashToken$1(currentToken) : null;
       if (!userId) {
         return ctx.throw(401, "Unauthorized");
       }
@@ -1263,14 +1401,8 @@ var session$3 = {
         strapi.log.warn(`[magic-sessionmanager] Security: User ${userId} tried to terminate session ${sessionId} of user ${sessionUserId}`);
         return ctx.forbidden("You can only terminate your own sessions");
       }
-      if (sessionToTerminate.token && currentToken) {
-        try {
-          const decrypted = decryptToken$1(sessionToTerminate.token);
-          if (decrypted === currentToken) {
-            return ctx.badRequest("Cannot terminate current session. Use /logout instead.");
-          }
-        } catch (err) {
-        }
+      if (currentTokenHash && sessionToTerminate.tokenHash === currentTokenHash) {
+        return ctx.badRequest("Cannot terminate current session. Use /logout instead.");
       }
       const sessionService = strapi.plugin("magic-sessionmanager").service("session");
       await sessionService.terminateSession({ sessionId });
@@ -1765,6 +1897,7 @@ var controllers$1 = {
 };
 const { encryptToken, decryptToken, generateSessionId, hashToken } = encryption;
 const { createLogger: createLogger$1 } = logger;
+const { parseUserAgent } = userAgentParser;
 const SESSION_UID = "plugin::magic-sessionmanager.session";
 const USER_UID = "plugin::users-permissions.user";
 var session$1 = ({ strapi: strapi2 }) => {
@@ -1879,9 +2012,24 @@ var session$1 = ({ strapi: strapi2 }) => {
           const lastActiveTime = session2.lastActive ? new Date(session2.lastActive) : new Date(session2.loginTime);
           const timeSinceActive = now - lastActiveTime;
           const isTrulyActive = session2.isActive && timeSinceActive < inactivityTimeout;
-          const { token, tokenHash, refreshToken, refreshTokenHash, ...safeSession } = session2;
+          const parsedUA = parseUserAgent(session2.userAgent);
+          const deviceType = session2.deviceType || parsedUA.deviceType;
+          const browserName = session2.browserName || (parsedUA.browserVersion ? `${parsedUA.browserName} ${parsedUA.browserVersion}` : parsedUA.browserName);
+          const osName = session2.osName || (parsedUA.osVersion ? `${parsedUA.osName} ${parsedUA.osVersion}` : parsedUA.osName);
+          const {
+            token,
+            tokenHash,
+            refreshToken,
+            refreshTokenHash,
+            locale,
+            publishedAt,
+            ...safeSession
+          } = session2;
           return {
             ...safeSession,
+            deviceType,
+            browserName,
+            osName,
             isTrulyActive,
             minutesSinceActive: Math.floor(timeSinceActive / 1e3 / 60)
           };
@@ -1910,9 +2058,24 @@ var session$1 = ({ strapi: strapi2 }) => {
           const lastActiveTime = session2.lastActive ? new Date(session2.lastActive) : new Date(session2.loginTime);
           const timeSinceActive = now - lastActiveTime;
           const isTrulyActive = timeSinceActive < inactivityTimeout;
-          const { token, tokenHash, refreshToken, refreshTokenHash, ...safeSession } = session2;
+          const parsedUA = parseUserAgent(session2.userAgent);
+          const deviceType = session2.deviceType || parsedUA.deviceType;
+          const browserName = session2.browserName || (parsedUA.browserVersion ? `${parsedUA.browserName} ${parsedUA.browserVersion}` : parsedUA.browserName);
+          const osName = session2.osName || (parsedUA.osVersion ? `${parsedUA.osName} ${parsedUA.osVersion}` : parsedUA.osName);
+          const {
+            token,
+            tokenHash,
+            refreshToken,
+            refreshTokenHash,
+            locale,
+            publishedAt,
+            ...safeSession
+          } = session2;
           return {
             ...safeSession,
+            deviceType,
+            browserName,
+            osName,
             isTrulyActive,
             minutesSinceActive: Math.floor(timeSinceActive / 1e3 / 60)
           };
@@ -1949,9 +2112,24 @@ var session$1 = ({ strapi: strapi2 }) => {
           const lastActiveTime = session2.lastActive ? new Date(session2.lastActive) : new Date(session2.loginTime);
           const timeSinceActive = now - lastActiveTime;
           const isTrulyActive = session2.isActive && timeSinceActive < inactivityTimeout;
-          const { token, tokenHash, refreshToken, refreshTokenHash, ...safeSession } = session2;
+          const parsedUA = parseUserAgent(session2.userAgent);
+          const deviceType = session2.deviceType || parsedUA.deviceType;
+          const browserName = session2.browserName || (parsedUA.browserVersion ? `${parsedUA.browserName} ${parsedUA.browserVersion}` : parsedUA.browserName);
+          const osName = session2.osName || (parsedUA.osVersion ? `${parsedUA.osName} ${parsedUA.osVersion}` : parsedUA.osName);
+          const {
+            token,
+            tokenHash,
+            refreshToken,
+            refreshTokenHash,
+            locale,
+            publishedAt,
+            ...safeSession
+          } = session2;
           return {
             ...safeSession,
+            deviceType,
+            browserName,
+            osName,
             isTrulyActive,
             minutesSinceActive: Math.floor(timeSinceActive / 1e3 / 60)
           };
@@ -2068,7 +2246,7 @@ var session$1 = ({ strapi: strapi2 }) => {
     }
   };
 };
-const version = "4.2.8";
+const version = "4.2.10";
 const require$$2 = {
   version
 };

package/dist/server/index.mjs

@@ -202,7 +202,7 @@ function generateSessionId$1(userId) {
   const userHash = crypto$1.createHash("sha256").update(userId.toString()).digest("hex").substring(0, 8);
   return `sess_${timestamp}_${userHash}_${randomBytes}`;
 }
-function hashToken$3(token) {
+function hashToken$4(token) {
   if (!token) return null;
   return crypto$1.createHash("sha256").update(token).digest("hex");
 }
@@ -210,10 +210,10 @@ var encryption = {
   encryptToken: encryptToken$2,
   decryptToken: decryptToken$3,
   generateSessionId: generateSessionId$1,
-  hashToken: hashToken$3
+  hashToken: hashToken$4
 };
 const SESSION_UID$3 = "plugin::magic-sessionmanager.session";
-const { hashToken: hashToken$2 } = encryption;
+const { hashToken: hashToken$3 } = encryption;
 const lastTouchCache = /* @__PURE__ */ new Map();
 var lastSeen = ({ strapi: strapi2 }) => {
   return async (ctx, next) => {
@@ -229,7 +229,7 @@ var lastSeen = ({ strapi: strapi2 }) => {
     }
     let matchingSession = null;
     try {
-      const currentTokenHash = hashToken$2(currentToken);
+      const currentTokenHash = hashToken$3(currentToken);
       matchingSession = await strapi2.documents(SESSION_UID$3).findFirst({
         filters: {
           tokenHash: currentTokenHash,
@@ -274,7 +274,7 @@ var lastSeen = ({ strapi: strapi2 }) => {
   };
 };
 const getClientIp = getClientIp_1;
-const { encryptToken: encryptToken$1, decryptToken: decryptToken$2, hashToken: hashToken$1 } = encryption;
+const { encryptToken: encryptToken$1, decryptToken: decryptToken$2, hashToken: hashToken$2 } = encryption;
 const { createLogger: createLogger$3 } = logger;
 const SESSION_UID$2 = "plugin::magic-sessionmanager.session";
 const USER_UID$2 = "plugin::users-permissions.user";
@@ -282,6 +282,7 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
   const log = createLogger$3(strapi2);
   log.info("[START] Bootstrap starting...");
   try {
+    await ensureTokenHashIndex(strapi2, log);
     const licenseGuardService = strapi2.plugin("magic-sessionmanager").service("license-guard");
     setTimeout(async () => {
       const licenseStatus = await licenseGuardService.initialize();
@@ -558,8 +559,8 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
             if (matchingSession) {
               const encryptedToken = newAccessToken ? encryptToken$1(newAccessToken) : matchingSession.token;
               const encryptedRefreshToken = newRefreshToken ? encryptToken$1(newRefreshToken) : matchingSession.refreshToken;
-              const newTokenHash = newAccessToken ? hashToken$1(newAccessToken) : matchingSession.tokenHash;
-              const newRefreshTokenHash = newRefreshToken ? hashToken$1(newRefreshToken) : matchingSession.refreshTokenHash;
+              const newTokenHash = newAccessToken ? hashToken$2(newAccessToken) : matchingSession.tokenHash;
+              const newRefreshTokenHash = newRefreshToken ? hashToken$2(newRefreshToken) : matchingSession.refreshTokenHash;
               await strapi2.documents(SESSION_UID$2).update({
                 documentId: matchingSession.documentId,
                 data: {
@@ -638,6 +639,46 @@ async function ensureContentApiPermissions(strapi2, log) {
     log.warn("Please manually enable plugin permissions in Settings > Users & Permissions > Roles > Authenticated");
   }
 }
+async function ensureTokenHashIndex(strapi2, log) {
+  try {
+    const knex = strapi2.db.connection;
+    const tableName = "magic_sessions";
+    const indexName = "idx_magic_sessions_token_hash";
+    const hasIndex = await knex.schema.hasTable(tableName).then(async (exists) => {
+      if (!exists) return false;
+      const dialect = strapi2.db.dialect.client;
+      if (dialect === "postgres") {
+        const result = await knex.raw(`
+          SELECT indexname FROM pg_indexes 
+          WHERE tablename = ? AND indexname = ?
+        `, [tableName, indexName]);
+        return result.rows.length > 0;
+      } else if (dialect === "mysql" || dialect === "mysql2") {
+        const result = await knex.raw(`
+          SHOW INDEX FROM ${tableName} WHERE Key_name = ?
+        `, [indexName]);
+        return result[0].length > 0;
+      } else if (dialect === "sqlite" || dialect === "better-sqlite3") {
+        const result = await knex.raw(`
+          SELECT name FROM sqlite_master 
+          WHERE type='index' AND name = ?
+        `, [indexName]);
+        return result.length > 0;
+      }
+      return false;
+    });
+    if (hasIndex) {
+      log.debug("[INDEX] tokenHash index already exists");
+      return;
+    }
+    await knex.schema.alterTable(tableName, (table) => {
+      table.index(["token_hash", "is_active"], indexName);
+    });
+    log.info("[INDEX] Created tokenHash index for O(1) session lookup");
+  } catch (err) {
+    log.debug("[INDEX] Could not create tokenHash index (will retry on next startup):", err.message);
+  }
+}
 const { createLogger: createLogger$2 } = logger;
 var destroy$1 = async ({ strapi: strapi2 }) => {
   const log = createLogger$2(strapi2);
@@ -718,7 +759,8 @@ const attributes = {
   },
   tokenHash: {
     type: "string",
-    configurable: false
+    configurable: false,
+    unique: false
   },
   refreshToken: {
     type: "text",
@@ -996,7 +1038,91 @@ var routes$1 = {
   admin,
   "content-api": contentApi
 };
-const { decryptToken: decryptToken$1 } = encryption;
+function parseUserAgent$2(userAgent) {
+  if (!userAgent) {
+    return {
+      deviceType: "unknown",
+      browserName: "unknown",
+      browserVersion: null,
+      osName: "unknown",
+      osVersion: null
+    };
+  }
+  userAgent.toLowerCase();
+  let deviceType = "desktop";
+  if (/mobile|android.*mobile|iphone|ipod|blackberry|iemobile|opera mini|opera mobi/i.test(userAgent)) {
+    deviceType = "mobile";
+  } else if (/tablet|ipad|android(?!.*mobile)|kindle|silk/i.test(userAgent)) {
+    deviceType = "tablet";
+  } else if (/bot|crawl|spider|slurp|mediapartners/i.test(userAgent)) {
+    deviceType = "bot";
+  }
+  let browserName = "unknown";
+  let browserVersion = null;
+  if (/edg\//i.test(userAgent)) {
+    browserName = "Edge";
+    browserVersion = extractVersion(userAgent, /edg\/(\d+[\.\d]*)/i);
+  } else if (/opr\//i.test(userAgent) || /opera/i.test(userAgent)) {
+    browserName = "Opera";
+    browserVersion = extractVersion(userAgent, /(?:opr|opera)[\s\/](\d+[\.\d]*)/i);
+  } else if (/chrome|crios/i.test(userAgent) && !/edg/i.test(userAgent)) {
+    browserName = "Chrome";
+    browserVersion = extractVersion(userAgent, /(?:chrome|crios)\/(\d+[\.\d]*)/i);
+  } else if (/firefox|fxios/i.test(userAgent)) {
+    browserName = "Firefox";
+    browserVersion = extractVersion(userAgent, /(?:firefox|fxios)\/(\d+[\.\d]*)/i);
+  } else if (/safari/i.test(userAgent) && !/chrome|chromium/i.test(userAgent)) {
+    browserName = "Safari";
+    browserVersion = extractVersion(userAgent, /version\/(\d+[\.\d]*)/i);
+  } else if (/msie|trident/i.test(userAgent)) {
+    browserName = "Internet Explorer";
+    browserVersion = extractVersion(userAgent, /(?:msie |rv:)(\d+[\.\d]*)/i);
+  }
+  let osName = "unknown";
+  let osVersion = null;
+  if (/windows nt/i.test(userAgent)) {
+    osName = "Windows";
+    const winVersion = extractVersion(userAgent, /windows nt (\d+[\.\d]*)/i);
+    const winVersionMap = {
+      "10.0": "10/11",
+      "6.3": "8.1",
+      "6.2": "8",
+      "6.1": "7",
+      "6.0": "Vista",
+      "5.1": "XP"
+    };
+    osVersion = winVersionMap[winVersion] || winVersion;
+  } else if (/mac os x/i.test(userAgent)) {
+    osName = "macOS";
+    osVersion = extractVersion(userAgent, /mac os x (\d+[_\.\d]*)/i)?.replace(/_/g, ".");
+  } else if (/iphone|ipad|ipod/i.test(userAgent)) {
+    osName = "iOS";
+    osVersion = extractVersion(userAgent, /os (\d+[_\.\d]*)/i)?.replace(/_/g, ".");
+  } else if (/android/i.test(userAgent)) {
+    osName = "Android";
+    osVersion = extractVersion(userAgent, /android (\d+[\.\d]*)/i);
+  } else if (/linux/i.test(userAgent)) {
+    osName = "Linux";
+  } else if (/cros/i.test(userAgent)) {
+    osName = "Chrome OS";
+  }
+  return {
+    deviceType,
+    browserName,
+    browserVersion,
+    osName,
+    osVersion
+  };
+}
+function extractVersion(userAgent, regex) {
+  const match = userAgent.match(regex);
+  return match ? match[1] : null;
+}
+var userAgentParser = {
+  parseUserAgent: parseUserAgent$2
+};
+const { decryptToken: decryptToken$1, hashToken: hashToken$1 } = encryption;
+const { parseUserAgent: parseUserAgent$1 } = userAgentParser;
 const SESSION_UID$1 = "plugin::magic-sessionmanager.session";
 const USER_UID$1 = "plugin::users-permissions.user";
 var session$3 = {
@@ -1042,12 +1168,13 @@ var session$3 = {
    * Get own sessions (authenticated user)
    * GET /api/magic-sessionmanager/my-sessions
    * Automatically uses the authenticated user's documentId
-   * Marks which session is the current one (based on JWT token)
+   * Marks which session is the current one (based on JWT token hash)
    */
   async getOwnSessions(ctx) {
     try {
       const userId = ctx.state.user?.documentId;
       const currentToken = ctx.request.headers.authorization?.replace("Bearer ", "");
+      const currentTokenHash = currentToken ? hashToken$1(currentToken) : null;
       if (!userId) {
         return ctx.throw(401, "Unauthorized");
       }
@@ -1062,17 +1189,26 @@ var session$3 = {
         const lastActiveTime = session2.lastActive ? new Date(session2.lastActive) : new Date(session2.loginTime);
         const timeSinceActive = now - lastActiveTime;
         const isTrulyActive = session2.isActive && timeSinceActive < inactivityTimeout;
-        let isCurrentSession = false;
-        if (session2.token && currentToken) {
-          try {
-            const decrypted = decryptToken$1(session2.token);
-            isCurrentSession = decrypted === currentToken;
-          } catch (err) {
-          }
-        }
-        const { token, refreshToken, ...sessionWithoutTokens } = session2;
+        const isCurrentSession = currentTokenHash && session2.tokenHash === currentTokenHash;
+        const parsedUA = parseUserAgent$1(session2.userAgent);
+        const deviceType = session2.deviceType || parsedUA.deviceType;
+        const browserName = session2.browserName || (parsedUA.browserVersion ? `${parsedUA.browserName} ${parsedUA.browserVersion}` : parsedUA.browserName);
+        const osName = session2.osName || (parsedUA.osVersion ? `${parsedUA.osName} ${parsedUA.osVersion}` : parsedUA.osName);
+        const {
+          token,
+          tokenHash,
+          refreshToken,
+          refreshTokenHash,
+          locale,
+          publishedAt,
+          // Remove Strapi internal fields
+          ...sessionWithoutTokens
+        } = session2;
         return {
           ...sessionWithoutTokens,
+          deviceType,
+          browserName,
+          osName,
           isCurrentSession,
           isTrulyActive,
           minutesSinceActive: Math.floor(timeSinceActive / 1e3 / 60)
@@ -1134,21 +1270,14 @@ var session$3 = {
         return ctx.throw(401, "Unauthorized");
       }
       const sessionService = strapi.plugin("magic-sessionmanager").service("session");
-      const sessions = await strapi.documents(SESSION_UID$1).findMany({
+      const currentTokenHash = hashToken$1(token);
+      const matchingSession = await strapi.documents(SESSION_UID$1).findFirst({
         filters: {
           user: { documentId: userId },
+          tokenHash: currentTokenHash,
           isActive: true
         }
       });
-      const matchingSession = sessions.find((session2) => {
-        if (!session2.token) return false;
-        try {
-          const decrypted = decryptToken$1(session2.token);
-          return decrypted === token;
-        } catch (err) {
-          return false;
-        }
-      });
       if (matchingSession) {
         await sessionService.terminateSession({ sessionId: matchingSession.documentId });
         strapi.log.info(`[magic-sessionmanager] User ${userId} logged out (session ${matchingSession.documentId})`);
@@ -1183,7 +1312,7 @@ var session$3 = {
     }
   },
   /**
-   * Get current session info based on JWT token
+   * Get current session info based on JWT token hash
    * GET /api/magic-sessionmanager/current-session
    * Returns the session associated with the current JWT token
    */
@@ -1194,21 +1323,14 @@ var session$3 = {
       if (!userId || !token) {
         return ctx.throw(401, "Unauthorized");
       }
-      const sessions = await strapi.documents(SESSION_UID$1).findMany({
+      const currentTokenHash = hashToken$1(token);
+      const currentSession = await strapi.documents(SESSION_UID$1).findFirst({
         filters: {
           user: { documentId: userId },
+          tokenHash: currentTokenHash,
           isActive: true
         }
       });
-      const currentSession = sessions.find((session2) => {
-        if (!session2.token) return false;
-        try {
-          const decrypted = decryptToken$1(session2.token);
-          return decrypted === token;
-        } catch (err) {
-          return false;
-        }
-      });
       if (!currentSession) {
         return ctx.notFound("Current session not found");
       }
@@ -1217,10 +1339,25 @@ var session$3 = {
       const now = /* @__PURE__ */ new Date();
       const lastActiveTime = currentSession.lastActive ? new Date(currentSession.lastActive) : new Date(currentSession.loginTime);
       const timeSinceActive = now - lastActiveTime;
-      const { token: _, refreshToken: __, ...sessionWithoutTokens } = currentSession;
+      const parsedUA = parseUserAgent$1(currentSession.userAgent);
+      const deviceType = currentSession.deviceType || parsedUA.deviceType;
+      const browserName = currentSession.browserName || (parsedUA.browserVersion ? `${parsedUA.browserName} ${parsedUA.browserVersion}` : parsedUA.browserName);
+      const osName = currentSession.osName || (parsedUA.osVersion ? `${parsedUA.osName} ${parsedUA.osVersion}` : parsedUA.osName);
+      const {
+        token: _,
+        tokenHash: _th,
+        refreshToken: __,
+        refreshTokenHash: _rth,
+        locale: _l,
+        publishedAt: _p,
+        ...sessionWithoutTokens
+      } = currentSession;
       ctx.body = {
         data: {
           ...sessionWithoutTokens,
+          deviceType,
+          browserName,
+          osName,
           isCurrentSession: true,
           isTrulyActive: timeSinceActive < inactivityTimeout,
           minutesSinceActive: Math.floor(timeSinceActive / 1e3 / 60)
@@ -1241,6 +1378,7 @@ var session$3 = {
       const userId = ctx.state.user?.documentId;
       const { sessionId } = ctx.params;
       const currentToken = ctx.request.headers.authorization?.replace("Bearer ", "");
+      const currentTokenHash = currentToken ? hashToken$1(currentToken) : null;
       if (!userId) {
         return ctx.throw(401, "Unauthorized");
       }
@@ -1259,14 +1397,8 @@ var session$3 = {
         strapi.log.warn(`[magic-sessionmanager] Security: User ${userId} tried to terminate session ${sessionId} of user ${sessionUserId}`);
         return ctx.forbidden("You can only terminate your own sessions");
       }
-      if (sessionToTerminate.token && currentToken) {
-        try {
-          const decrypted = decryptToken$1(sessionToTerminate.token);
-          if (decrypted === currentToken) {
-            return ctx.badRequest("Cannot terminate current session. Use /logout instead.");
-          }
-        } catch (err) {
-        }
+      if (currentTokenHash && sessionToTerminate.tokenHash === currentTokenHash) {
+        return ctx.badRequest("Cannot terminate current session. Use /logout instead.");
       }
       const sessionService = strapi.plugin("magic-sessionmanager").service("session");
       await sessionService.terminateSession({ sessionId });
@@ -1761,6 +1893,7 @@ var controllers$1 = {
 };
 const { encryptToken, decryptToken, generateSessionId, hashToken } = encryption;
 const { createLogger: createLogger$1 } = logger;
+const { parseUserAgent } = userAgentParser;
 const SESSION_UID = "plugin::magic-sessionmanager.session";
 const USER_UID = "plugin::users-permissions.user";
 var session$1 = ({ strapi: strapi2 }) => {
@@ -1875,9 +2008,24 @@ var session$1 = ({ strapi: strapi2 }) => {
           const lastActiveTime = session2.lastActive ? new Date(session2.lastActive) : new Date(session2.loginTime);
           const timeSinceActive = now - lastActiveTime;
           const isTrulyActive = session2.isActive && timeSinceActive < inactivityTimeout;
-          const { token, tokenHash, refreshToken, refreshTokenHash, ...safeSession } = session2;
+          const parsedUA = parseUserAgent(session2.userAgent);
+          const deviceType = session2.deviceType || parsedUA.deviceType;
+          const browserName = session2.browserName || (parsedUA.browserVersion ? `${parsedUA.browserName} ${parsedUA.browserVersion}` : parsedUA.browserName);
+          const osName = session2.osName || (parsedUA.osVersion ? `${parsedUA.osName} ${parsedUA.osVersion}` : parsedUA.osName);
+          const {
+            token,
+            tokenHash,
+            refreshToken,
+            refreshTokenHash,
+            locale,
+            publishedAt,
+            ...safeSession
+          } = session2;
           return {
             ...safeSession,
+            deviceType,
+            browserName,
+            osName,
             isTrulyActive,
             minutesSinceActive: Math.floor(timeSinceActive / 1e3 / 60)
           };
@@ -1906,9 +2054,24 @@ var session$1 = ({ strapi: strapi2 }) => {
           const lastActiveTime = session2.lastActive ? new Date(session2.lastActive) : new Date(session2.loginTime);
           const timeSinceActive = now - lastActiveTime;
           const isTrulyActive = timeSinceActive < inactivityTimeout;
-          const { token, tokenHash, refreshToken, refreshTokenHash, ...safeSession } = session2;
+          const parsedUA = parseUserAgent(session2.userAgent);
+          const deviceType = session2.deviceType || parsedUA.deviceType;
+          const browserName = session2.browserName || (parsedUA.browserVersion ? `${parsedUA.browserName} ${parsedUA.browserVersion}` : parsedUA.browserName);
+          const osName = session2.osName || (parsedUA.osVersion ? `${parsedUA.osName} ${parsedUA.osVersion}` : parsedUA.osName);
+          const {
+            token,
+            tokenHash,
+            refreshToken,
+            refreshTokenHash,
+            locale,
+            publishedAt,
+            ...safeSession
+          } = session2;
           return {
             ...safeSession,
+            deviceType,
+            browserName,
+            osName,
             isTrulyActive,
             minutesSinceActive: Math.floor(timeSinceActive / 1e3 / 60)
           };
@@ -1945,9 +2108,24 @@ var session$1 = ({ strapi: strapi2 }) => {
           const lastActiveTime = session2.lastActive ? new Date(session2.lastActive) : new Date(session2.loginTime);
           const timeSinceActive = now - lastActiveTime;
           const isTrulyActive = session2.isActive && timeSinceActive < inactivityTimeout;
-          const { token, tokenHash, refreshToken, refreshTokenHash, ...safeSession } = session2;
+          const parsedUA = parseUserAgent(session2.userAgent);
+          const deviceType = session2.deviceType || parsedUA.deviceType;
+          const browserName = session2.browserName || (parsedUA.browserVersion ? `${parsedUA.browserName} ${parsedUA.browserVersion}` : parsedUA.browserName);
+          const osName = session2.osName || (parsedUA.osVersion ? `${parsedUA.osName} ${parsedUA.osVersion}` : parsedUA.osName);
+          const {
+            token,
+            tokenHash,
+            refreshToken,
+            refreshTokenHash,
+            locale,
+            publishedAt,
+            ...safeSession
+          } = session2;
           return {
             ...safeSession,
+            deviceType,
+            browserName,
+            osName,
             isTrulyActive,
             minutesSinceActive: Math.floor(timeSinceActive / 1e3 / 60)
           };
@@ -2064,7 +2242,7 @@ var session$1 = ({ strapi: strapi2 }) => {
     }
   };
 };
-const version = "4.2.8";
+const version = "4.2.10";
 const require$$2 = {
   version
 };

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "4.2.9",
+  "version": "4.2.11",
   "keywords": [
     "strapi",
     "strapi-plugin",