strapi-plugin-magic-sessionmanager 4.3.1 → 4.3.3

package/dist/server/index.js

@@ -319,6 +319,8 @@ var lastSeen = ({ strapi: strapi2, sessionService }) => {
           userDocId2 = await getDocumentIdFromNumericId(strapi2, ctx.state.user.id);
         }
         if (userDocId2) {
+          const config2 = strapi2.config.get("plugin::magic-sessionmanager") || {};
+          const strictMode = config2.strictSessionEnforcement === true;
           const activeSessions = await strapi2.documents(SESSION_UID$4).findMany({
             filters: {
               user: { documentId: userDocId2 },
@@ -327,8 +329,17 @@ var lastSeen = ({ strapi: strapi2, sessionService }) => {
             limit: 1
           });
           if (!activeSessions || activeSessions.length === 0) {
-            strapi2.log.info(`[magic-sessionmanager] [BLOCKED] Request blocked - session terminated or invalid (user: ${userDocId2.substring(0, 8)}...)`);
-            return ctx.unauthorized("All sessions have been terminated. Please login again.");
+            const allSessions = await strapi2.documents(SESSION_UID$4).findMany({
+              filters: { user: { documentId: userDocId2 } },
+              limit: 1,
+              fields: ["isActive"]
+            });
+            const hasInactiveSessions = allSessions?.some((s3) => s3.isActive === false);
+            if (strictMode && hasInactiveSessions) {
+              strapi2.log.info(`[magic-sessionmanager] [BLOCKED] Session terminated (user: ${userDocId2.substring(0, 8)}...)`);
+              return ctx.unauthorized("Session has been terminated. Please login again.");
+            }
+            strapi2.log.debug(`[magic-sessionmanager] [WARN] No active session for user ${userDocId2.substring(0, 8)}... (allowing)`);
           }
           ctx.state.userDocumentId = userDocId2;
         }
@@ -516,9 +527,20 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
           }
           let userDocId = user.documentId;
           if (!userDocId && user.id) {
-            const fullUser = await strapi2.entityService.findOne(USER_UID$2, user.id);
-            userDocId = fullUser?.documentId || user.id;
+            const fullUser = await strapi2.entityService.findOne(USER_UID$2, user.id, {
+              fields: ["documentId"]
+            });
+            userDocId = fullUser?.documentId;
+            if (!userDocId) {
+              log.error(`[ERROR] Could not get documentId for user ${user.id} - session NOT created!`);
+              return;
+            }
           }
+          if (!userDocId) {
+            log.error("[ERROR] No user documentId available - cannot create session");
+            return;
+          }
+          log.debug(`[SESSION] Creating session for user documentId: ${userDocId}`);
           const newSession = await sessionService.createSession({
             userId: userDocId,
             ip,
@@ -530,7 +552,11 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
             geoData
             // Store geolocation data if available
           });
-          log.info(`[SUCCESS] Session created for user ${userDocId} (IP: ${ip})`);
+          if (newSession?.documentId) {
+            log.info(`[SUCCESS] Session ${newSession.documentId} created for user ${userDocId} (IP: ${ip})`);
+          } else {
+            log.error(`[ERROR] Session creation returned no documentId for user ${userDocId}`);
+          }
           if (geoData && (config2.enableEmailAlerts || config2.enableWebhooks)) {
             try {
               const notificationService = strapi2.plugin("magic-sessionmanager").service("notifications");
@@ -760,6 +786,8 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
       if (!decoded || !decoded.id) {
         return decoded;
       }
+      const config2 = strapi2.config.get("plugin::magic-sessionmanager") || {};
+      const strictMode = config2.strictSessionEnforcement === true;
       try {
         let userDocId = null;
         const user = await strapi2.entityService.findOne(
@@ -769,6 +797,7 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
         );
         userDocId = user?.documentId;
         if (!userDocId) {
+          strapi2.log.debug("[magic-sessionmanager] [JWT] No documentId found, allowing through");
           return decoded;
         }
         const activeSessions = await strapi2.documents(SESSION_UID$3).findMany({
@@ -778,15 +807,46 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
           },
           limit: 1
         });
-        if (!activeSessions || activeSessions.length === 0) {
+        if (activeSessions && activeSessions.length > 0) {
+          return decoded;
+        }
+        const allSessions = await strapi2.documents(SESSION_UID$3).findMany({
+          filters: { user: { documentId: userDocId } },
+          limit: 5,
+          fields: ["isActive", "lastActive"]
+        });
+        const totalSessions = allSessions?.length || 0;
+        const hasInactiveSessions = allSessions?.some((s3) => s3.isActive === false);
+        if (!strictMode) {
+          if (totalSessions === 0) {
+            strapi2.log.warn(
+              `[magic-sessionmanager] [JWT-WARN] No session found for user ${userDocId.substring(0, 8)}... (allowing - session may not have been created)`
+            );
+          } else if (hasInactiveSessions) {
+            strapi2.log.warn(
+              `[magic-sessionmanager] [JWT-WARN] User ${userDocId.substring(0, 8)}... has ${totalSessions} inactive sessions but no active ones (allowing - strictMode off)`
+            );
+          }
+          return decoded;
+        }
+        if (totalSessions === 0) {
+          strapi2.log.warn(
+            `[magic-sessionmanager] [JWT-ALLOW] No sessions exist for user ${userDocId.substring(0, 8)}... (allowing - possible race condition)`
+          );
+          return decoded;
+        }
+        if (hasInactiveSessions) {
           strapi2.log.info(
-            `[magic-sessionmanager] [JWT-BLOCKED] Valid JWT but no active session (user: ${userDocId.substring(0, 8)}...)`
+            `[magic-sessionmanager] [JWT-BLOCKED] User ${userDocId.substring(0, 8)}... was logged out (${totalSessions} inactive sessions)`
           );
           return null;
         }
+        strapi2.log.warn(
+          `[magic-sessionmanager] [JWT-ALLOW] Unexpected session state for user ${userDocId.substring(0, 8)}... (allowing)`
+        );
         return decoded;
       } catch (err) {
-        strapi2.log.debug("[magic-sessionmanager] [AUTH] Session check error:", err.message);
+        strapi2.log.warn("[magic-sessionmanager] [JWT] Session check error (allowing):", err.message);
         return decoded;
       }
     };
@@ -2585,7 +2645,7 @@ var session$1 = ({ strapi: strapi2 }) => {
     }
   };
 };
-const version$1 = "4.3.0";
+const version$1 = "4.3.2";
 const require$$2 = {
   version: version$1
 };
@@ -17213,6 +17273,16 @@ const providerFactory = (options2 = {}) => {
     }
   };
 };
+const parallelWithOrderedErrors = async (promises) => {
+  const results = await Promise.allSettled(promises);
+  for (let i2 = 0; i2 < results.length; i2 += 1) {
+    const result = results[i2];
+    if (result.status === "rejected") {
+      throw result.reason;
+    }
+  }
+  return results.map((r) => r.value);
+};
 const traverseEntity = async (visitor2, options2, entity) => {
   const { path: path2 = {
     raw: null,
@@ -17313,15 +17383,13 @@ const traverseEntity = async (visitor2, options2, entity) => {
       const isMorphRelation = attribute.relation.toLowerCase().startsWith("morph");
       const method = isMorphRelation ? traverseMorphRelationTarget : traverseRelationTarget(getModel(attribute.target));
       if (fp.isArray(value)) {
-        const res = new Array(value.length);
-        for (let i3 = 0; i3 < value.length; i3 += 1) {
+        copy[key] = await parallelWithOrderedErrors(value.map((item, i3) => {
           const arrayPath = {
             ...newPath,
             rawWithIndices: fp.isNil(newPath.rawWithIndices) ? `${i3}` : `${newPath.rawWithIndices}.${i3}`
           };
-          res[i3] = await method(visitor2, arrayPath, value[i3]);
-        }
-        copy[key] = res;
+          return method(visitor2, arrayPath, item);
+        }));
       } else {
         copy[key] = await method(visitor2, newPath, value);
       }
@@ -17335,15 +17403,13 @@ const traverseEntity = async (visitor2, options2, entity) => {
         path: newPath
       };
       if (fp.isArray(value)) {
-        const res = new Array(value.length);
-        for (let i3 = 0; i3 < value.length; i3 += 1) {
+        copy[key] = await parallelWithOrderedErrors(value.map((item, i3) => {
           const arrayPath = {
             ...newPath,
             rawWithIndices: fp.isNil(newPath.rawWithIndices) ? `${i3}` : `${newPath.rawWithIndices}.${i3}`
           };
-          res[i3] = await traverseMediaTarget(visitor2, arrayPath, value[i3]);
-        }
-        copy[key] = res;
+          return traverseMediaTarget(visitor2, arrayPath, item);
+        }));
       } else {
         copy[key] = await traverseMediaTarget(visitor2, newPath, value);
       }
@@ -17358,15 +17424,13 @@ const traverseEntity = async (visitor2, options2, entity) => {
       };
       const targetSchema = getModel(attribute.component);
       if (fp.isArray(value)) {
-        const res = new Array(value.length);
-        for (let i3 = 0; i3 < value.length; i3 += 1) {
+        copy[key] = await parallelWithOrderedErrors(value.map((item, i3) => {
           const arrayPath = {
             ...newPath,
             rawWithIndices: fp.isNil(newPath.rawWithIndices) ? `${i3}` : `${newPath.rawWithIndices}.${i3}`
           };
-          res[i3] = await traverseComponent(visitor2, arrayPath, targetSchema, value[i3]);
-        }
-        copy[key] = res;
+          return traverseComponent(visitor2, arrayPath, targetSchema, item);
+        }));
       } else {
         copy[key] = await traverseComponent(visitor2, newPath, targetSchema, value);
       }
@@ -17379,15 +17443,13 @@ const traverseEntity = async (visitor2, options2, entity) => {
         attribute,
         path: newPath
       };
-      const res = new Array(value.length);
-      for (let i3 = 0; i3 < value.length; i3 += 1) {
+      copy[key] = await parallelWithOrderedErrors(value.map((item, i3) => {
         const arrayPath = {
           ...newPath,
           rawWithIndices: fp.isNil(newPath.rawWithIndices) ? `${i3}` : `${newPath.rawWithIndices}.${i3}`
         };
-        res[i3] = await visitDynamicZoneEntry(visitor2, arrayPath, value[i3]);
-      }
-      copy[key] = res;
+        return visitDynamicZoneEntry(visitor2, arrayPath, item);
+      }));
       continue;
     }
   }
@@ -18133,6 +18195,23 @@ const generateInstallId = (projectId, installId) => {
     return require$$1__default.default.randomUUID();
   }
 };
+const createModelCache = (getModelFn) => {
+  const cache = /* @__PURE__ */ new Map();
+  return {
+    getModel(uid) {
+      const cached2 = cache.get(uid);
+      if (cached2) {
+        return cached2;
+      }
+      const model = getModelFn(uid);
+      cache.set(uid, model);
+      return model;
+    },
+    clear() {
+      cache.clear();
+    }
+  };
+};
 var map$2;
 try {
   map$2 = Map;
@@ -38821,6 +38900,7 @@ const dist = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty
   augmentSchema,
   contentTypes: contentTypes$1,
   createContentApiRoutesFactory,
+  createModelCache,
   dates,
   env,
   errors: errors$1,
@@ -38889,6 +38969,8 @@ var sessionRequired$1 = async (policyContext, config2, { strapi: strapi2 }) => {
     if (!userDocId) {
       return true;
     }
+    const config3 = strapi2.config.get("plugin::magic-sessionmanager") || {};
+    const strictMode = config3.strictSessionEnforcement === true;
     const activeSessions = await strapi2.documents(SESSION_UID).findMany({
       filters: {
         user: { documentId: userDocId },
@@ -38896,12 +38978,24 @@ var sessionRequired$1 = async (policyContext, config2, { strapi: strapi2 }) => {
       },
       limit: 1
     });
-    if (!activeSessions || activeSessions.length === 0) {
+    if (activeSessions && activeSessions.length > 0) {
+      return true;
+    }
+    const allSessions = await strapi2.documents(SESSION_UID).findMany({
+      filters: { user: { documentId: userDocId } },
+      limit: 1,
+      fields: ["isActive"]
+    });
+    const hasInactiveSessions = allSessions?.some((s3) => s3.isActive === false);
+    if (strictMode && hasInactiveSessions) {
       strapi2.log.info(
-        `[magic-sessionmanager] [POLICY-BLOCKED] JWT valid but no active session (user: ${userDocId.substring(0, 8)}...)`
+        `[magic-sessionmanager] [POLICY-BLOCKED] Session terminated (user: ${userDocId.substring(0, 8)}...)`
       );
       throw new errors.UnauthorizedError("Session terminated. Please login again.");
     }
+    strapi2.log.debug(
+      `[magic-sessionmanager] [POLICY-WARN] No active session for user ${userDocId.substring(0, 8)}... (allowing)`
+    );
     return true;
   } catch (err) {
     if (err instanceof errors.UnauthorizedError) {

package/dist/server/index.mjs

@@ -306,6 +306,8 @@ var lastSeen = ({ strapi: strapi2, sessionService }) => {
           userDocId2 = await getDocumentIdFromNumericId(strapi2, ctx.state.user.id);
         }
         if (userDocId2) {
+          const config2 = strapi2.config.get("plugin::magic-sessionmanager") || {};
+          const strictMode = config2.strictSessionEnforcement === true;
           const activeSessions = await strapi2.documents(SESSION_UID$4).findMany({
             filters: {
               user: { documentId: userDocId2 },
@@ -314,8 +316,17 @@ var lastSeen = ({ strapi: strapi2, sessionService }) => {
             limit: 1
           });
           if (!activeSessions || activeSessions.length === 0) {
-            strapi2.log.info(`[magic-sessionmanager] [BLOCKED] Request blocked - session terminated or invalid (user: ${userDocId2.substring(0, 8)}...)`);
-            return ctx.unauthorized("All sessions have been terminated. Please login again.");
+            const allSessions = await strapi2.documents(SESSION_UID$4).findMany({
+              filters: { user: { documentId: userDocId2 } },
+              limit: 1,
+              fields: ["isActive"]
+            });
+            const hasInactiveSessions = allSessions?.some((s3) => s3.isActive === false);
+            if (strictMode && hasInactiveSessions) {
+              strapi2.log.info(`[magic-sessionmanager] [BLOCKED] Session terminated (user: ${userDocId2.substring(0, 8)}...)`);
+              return ctx.unauthorized("Session has been terminated. Please login again.");
+            }
+            strapi2.log.debug(`[magic-sessionmanager] [WARN] No active session for user ${userDocId2.substring(0, 8)}... (allowing)`);
           }
           ctx.state.userDocumentId = userDocId2;
         }
@@ -503,9 +514,20 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
           }
           let userDocId = user.documentId;
           if (!userDocId && user.id) {
-            const fullUser = await strapi2.entityService.findOne(USER_UID$2, user.id);
-            userDocId = fullUser?.documentId || user.id;
+            const fullUser = await strapi2.entityService.findOne(USER_UID$2, user.id, {
+              fields: ["documentId"]
+            });
+            userDocId = fullUser?.documentId;
+            if (!userDocId) {
+              log.error(`[ERROR] Could not get documentId for user ${user.id} - session NOT created!`);
+              return;
+            }
           }
+          if (!userDocId) {
+            log.error("[ERROR] No user documentId available - cannot create session");
+            return;
+          }
+          log.debug(`[SESSION] Creating session for user documentId: ${userDocId}`);
           const newSession = await sessionService.createSession({
             userId: userDocId,
             ip,
@@ -517,7 +539,11 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
             geoData
             // Store geolocation data if available
           });
-          log.info(`[SUCCESS] Session created for user ${userDocId} (IP: ${ip})`);
+          if (newSession?.documentId) {
+            log.info(`[SUCCESS] Session ${newSession.documentId} created for user ${userDocId} (IP: ${ip})`);
+          } else {
+            log.error(`[ERROR] Session creation returned no documentId for user ${userDocId}`);
+          }
           if (geoData && (config2.enableEmailAlerts || config2.enableWebhooks)) {
             try {
               const notificationService = strapi2.plugin("magic-sessionmanager").service("notifications");
@@ -747,6 +773,8 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
       if (!decoded || !decoded.id) {
         return decoded;
       }
+      const config2 = strapi2.config.get("plugin::magic-sessionmanager") || {};
+      const strictMode = config2.strictSessionEnforcement === true;
       try {
         let userDocId = null;
         const user = await strapi2.entityService.findOne(
@@ -756,6 +784,7 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
         );
         userDocId = user?.documentId;
         if (!userDocId) {
+          strapi2.log.debug("[magic-sessionmanager] [JWT] No documentId found, allowing through");
           return decoded;
         }
         const activeSessions = await strapi2.documents(SESSION_UID$3).findMany({
@@ -765,15 +794,46 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
           },
           limit: 1
         });
-        if (!activeSessions || activeSessions.length === 0) {
+        if (activeSessions && activeSessions.length > 0) {
+          return decoded;
+        }
+        const allSessions = await strapi2.documents(SESSION_UID$3).findMany({
+          filters: { user: { documentId: userDocId } },
+          limit: 5,
+          fields: ["isActive", "lastActive"]
+        });
+        const totalSessions = allSessions?.length || 0;
+        const hasInactiveSessions = allSessions?.some((s3) => s3.isActive === false);
+        if (!strictMode) {
+          if (totalSessions === 0) {
+            strapi2.log.warn(
+              `[magic-sessionmanager] [JWT-WARN] No session found for user ${userDocId.substring(0, 8)}... (allowing - session may not have been created)`
+            );
+          } else if (hasInactiveSessions) {
+            strapi2.log.warn(
+              `[magic-sessionmanager] [JWT-WARN] User ${userDocId.substring(0, 8)}... has ${totalSessions} inactive sessions but no active ones (allowing - strictMode off)`
+            );
+          }
+          return decoded;
+        }
+        if (totalSessions === 0) {
+          strapi2.log.warn(
+            `[magic-sessionmanager] [JWT-ALLOW] No sessions exist for user ${userDocId.substring(0, 8)}... (allowing - possible race condition)`
+          );
+          return decoded;
+        }
+        if (hasInactiveSessions) {
           strapi2.log.info(
-            `[magic-sessionmanager] [JWT-BLOCKED] Valid JWT but no active session (user: ${userDocId.substring(0, 8)}...)`
+            `[magic-sessionmanager] [JWT-BLOCKED] User ${userDocId.substring(0, 8)}... was logged out (${totalSessions} inactive sessions)`
           );
           return null;
         }
+        strapi2.log.warn(
+          `[magic-sessionmanager] [JWT-ALLOW] Unexpected session state for user ${userDocId.substring(0, 8)}... (allowing)`
+        );
         return decoded;
       } catch (err) {
-        strapi2.log.debug("[magic-sessionmanager] [AUTH] Session check error:", err.message);
+        strapi2.log.warn("[magic-sessionmanager] [JWT] Session check error (allowing):", err.message);
         return decoded;
       }
     };
@@ -2572,7 +2632,7 @@ var session$1 = ({ strapi: strapi2 }) => {
     }
   };
 };
-const version$1 = "4.3.0";
+const version$1 = "4.3.2";
 const require$$2 = {
   version: version$1
 };
@@ -17200,6 +17260,16 @@ const providerFactory = (options2 = {}) => {
     }
   };
 };
+const parallelWithOrderedErrors = async (promises) => {
+  const results = await Promise.allSettled(promises);
+  for (let i2 = 0; i2 < results.length; i2 += 1) {
+    const result = results[i2];
+    if (result.status === "rejected") {
+      throw result.reason;
+    }
+  }
+  return results.map((r) => r.value);
+};
 const traverseEntity = async (visitor2, options2, entity) => {
   const { path: path2 = {
     raw: null,
@@ -17300,15 +17370,13 @@ const traverseEntity = async (visitor2, options2, entity) => {
       const isMorphRelation = attribute.relation.toLowerCase().startsWith("morph");
       const method = isMorphRelation ? traverseMorphRelationTarget : traverseRelationTarget(getModel(attribute.target));
       if (fp.isArray(value)) {
-        const res = new Array(value.length);
-        for (let i3 = 0; i3 < value.length; i3 += 1) {
+        copy[key] = await parallelWithOrderedErrors(value.map((item, i3) => {
           const arrayPath = {
             ...newPath,
             rawWithIndices: fp.isNil(newPath.rawWithIndices) ? `${i3}` : `${newPath.rawWithIndices}.${i3}`
           };
-          res[i3] = await method(visitor2, arrayPath, value[i3]);
-        }
-        copy[key] = res;
+          return method(visitor2, arrayPath, item);
+        }));
       } else {
         copy[key] = await method(visitor2, newPath, value);
       }
@@ -17322,15 +17390,13 @@ const traverseEntity = async (visitor2, options2, entity) => {
         path: newPath
       };
       if (fp.isArray(value)) {
-        const res = new Array(value.length);
-        for (let i3 = 0; i3 < value.length; i3 += 1) {
+        copy[key] = await parallelWithOrderedErrors(value.map((item, i3) => {
           const arrayPath = {
             ...newPath,
             rawWithIndices: fp.isNil(newPath.rawWithIndices) ? `${i3}` : `${newPath.rawWithIndices}.${i3}`
           };
-          res[i3] = await traverseMediaTarget(visitor2, arrayPath, value[i3]);
-        }
-        copy[key] = res;
+          return traverseMediaTarget(visitor2, arrayPath, item);
+        }));
       } else {
         copy[key] = await traverseMediaTarget(visitor2, newPath, value);
       }
@@ -17345,15 +17411,13 @@ const traverseEntity = async (visitor2, options2, entity) => {
       };
       const targetSchema = getModel(attribute.component);
       if (fp.isArray(value)) {
-        const res = new Array(value.length);
-        for (let i3 = 0; i3 < value.length; i3 += 1) {
+        copy[key] = await parallelWithOrderedErrors(value.map((item, i3) => {
           const arrayPath = {
             ...newPath,
             rawWithIndices: fp.isNil(newPath.rawWithIndices) ? `${i3}` : `${newPath.rawWithIndices}.${i3}`
           };
-          res[i3] = await traverseComponent(visitor2, arrayPath, targetSchema, value[i3]);
-        }
-        copy[key] = res;
+          return traverseComponent(visitor2, arrayPath, targetSchema, item);
+        }));
       } else {
         copy[key] = await traverseComponent(visitor2, newPath, targetSchema, value);
       }
@@ -17366,15 +17430,13 @@ const traverseEntity = async (visitor2, options2, entity) => {
         attribute,
         path: newPath
       };
-      const res = new Array(value.length);
-      for (let i3 = 0; i3 < value.length; i3 += 1) {
+      copy[key] = await parallelWithOrderedErrors(value.map((item, i3) => {
         const arrayPath = {
           ...newPath,
           rawWithIndices: fp.isNil(newPath.rawWithIndices) ? `${i3}` : `${newPath.rawWithIndices}.${i3}`
         };
-        res[i3] = await visitDynamicZoneEntry(visitor2, arrayPath, value[i3]);
-      }
-      copy[key] = res;
+        return visitDynamicZoneEntry(visitor2, arrayPath, item);
+      }));
       continue;
     }
   }
@@ -18120,6 +18182,23 @@ const generateInstallId = (projectId, installId) => {
     return require$$1.randomUUID();
   }
 };
+const createModelCache = (getModelFn) => {
+  const cache = /* @__PURE__ */ new Map();
+  return {
+    getModel(uid) {
+      const cached2 = cache.get(uid);
+      if (cached2) {
+        return cached2;
+      }
+      const model = getModelFn(uid);
+      cache.set(uid, model);
+      return model;
+    },
+    clear() {
+      cache.clear();
+    }
+  };
+};
 var map$2;
 try {
   map$2 = Map;
@@ -38808,6 +38887,7 @@ const dist = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty
   augmentSchema,
   contentTypes: contentTypes$1,
   createContentApiRoutesFactory,
+  createModelCache,
   dates,
   env,
   errors: errors$1,
@@ -38876,6 +38956,8 @@ var sessionRequired$1 = async (policyContext, config2, { strapi: strapi2 }) => {
     if (!userDocId) {
       return true;
     }
+    const config3 = strapi2.config.get("plugin::magic-sessionmanager") || {};
+    const strictMode = config3.strictSessionEnforcement === true;
     const activeSessions = await strapi2.documents(SESSION_UID).findMany({
       filters: {
         user: { documentId: userDocId },
@@ -38883,12 +38965,24 @@ var sessionRequired$1 = async (policyContext, config2, { strapi: strapi2 }) => {
       },
       limit: 1
     });
-    if (!activeSessions || activeSessions.length === 0) {
+    if (activeSessions && activeSessions.length > 0) {
+      return true;
+    }
+    const allSessions = await strapi2.documents(SESSION_UID).findMany({
+      filters: { user: { documentId: userDocId } },
+      limit: 1,
+      fields: ["isActive"]
+    });
+    const hasInactiveSessions = allSessions?.some((s3) => s3.isActive === false);
+    if (strictMode && hasInactiveSessions) {
       strapi2.log.info(
-        `[magic-sessionmanager] [POLICY-BLOCKED] JWT valid but no active session (user: ${userDocId.substring(0, 8)}...)`
+        `[magic-sessionmanager] [POLICY-BLOCKED] Session terminated (user: ${userDocId.substring(0, 8)}...)`
       );
       throw new errors.UnauthorizedError("Session terminated. Please login again.");
     }
+    strapi2.log.debug(
+      `[magic-sessionmanager] [POLICY-WARN] No active session for user ${userDocId.substring(0, 8)}... (allowing)`
+    );
     return true;
   } catch (err) {
     if (err instanceof errors.UnauthorizedError) {

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "4.3.1",
+  "version": "4.3.3",
   "keywords": [
     "strapi",
     "strapi-plugin",