strapi-plugin-magic-sessionmanager 4.4.0 → 4.4.2

package/README.md

@@ -95,6 +95,11 @@ Track logins, monitor active users, and secure your app with one simple plugin.
 **When users logout:**
 - Plugin marks their session as "logged out"
 - They disappear from the active sessions list
+- Manual logout permanently blocks session reactivation (security feature)
+
+**Session Timeout vs Manual Logout:**
+- **Timeout:** Session can be reactivated on next request (seamless UX)
+- **Manual Logout:** Session is permanently terminated (security-first)
 
 **While users are active:**
 - Plugin updates their "last seen" time

package/dist/server/index.js

@@ -809,6 +809,7 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
       const config2 = strapi2.config.get("plugin::magic-sessionmanager") || {};
       const strictMode = config2.strictSessionEnforcement === true;
       try {
+        const tokenHashValue = hashToken$2(token);
         let userDocId = null;
         const user = await strapi2.entityService.findOne(
           "plugin::users-permissions.user",
@@ -820,36 +821,25 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
           strapi2.log.debug("[magic-sessionmanager] [JWT] No documentId found, allowing through");
           return decoded;
         }
-        const activeSessions = await strapi2.documents(SESSION_UID$3).findMany({
+        const thisSession = await strapi2.documents(SESSION_UID$3).findFirst({
           filters: {
             user: { documentId: userDocId },
-            isActive: true
+            tokenHash: tokenHashValue
           },
-          limit: 1
+          fields: ["documentId", "isActive", "terminatedManually", "lastActive"]
         });
-        if (activeSessions && activeSessions.length > 0) {
-          return decoded;
-        }
-        const inactiveSessions = await strapi2.documents(SESSION_UID$3).findMany({
-          filters: {
-            user: { documentId: userDocId },
-            isActive: false
-          },
-          limit: 5,
-          fields: ["documentId", "terminatedManually", "lastActive"],
-          sort: [{ lastActive: "desc" }]
-        });
-        if (inactiveSessions && inactiveSessions.length > 0) {
-          const manuallyTerminated = inactiveSessions.find((s3) => s3.terminatedManually === true);
-          if (manuallyTerminated) {
+        if (thisSession) {
+          if (thisSession.terminatedManually === true) {
             strapi2.log.info(
-              `[magic-sessionmanager] [JWT-BLOCKED] User ${userDocId.substring(0, 8)}... was manually logged out`
+              `[magic-sessionmanager] [JWT-BLOCKED] Session was manually terminated (user: ${userDocId.substring(0, 8)}...)`
             );
             return null;
           }
-          const sessionToReactivate = inactiveSessions[0];
+          if (thisSession.isActive) {
+            return decoded;
+          }
           await strapi2.documents(SESSION_UID$3).update({
-            documentId: sessionToReactivate.documentId,
+            documentId: thisSession.documentId,
             data: {
               isActive: true,
               lastActive: /* @__PURE__ */ new Date()
@@ -860,6 +850,32 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
           );
           return decoded;
         }
+        const anyActiveSessions = await strapi2.documents(SESSION_UID$3).findMany({
+          filters: {
+            user: { documentId: userDocId },
+            isActive: true
+          },
+          limit: 1
+        });
+        if (anyActiveSessions && anyActiveSessions.length > 0) {
+          strapi2.log.debug(
+            `[magic-sessionmanager] [JWT] No session for token but user has other active sessions (allowing)`
+          );
+          return decoded;
+        }
+        const terminatedSessions = await strapi2.documents(SESSION_UID$3).findMany({
+          filters: {
+            user: { documentId: userDocId },
+            terminatedManually: true
+          },
+          limit: 1
+        });
+        if (terminatedSessions && terminatedSessions.length > 0) {
+          strapi2.log.info(
+            `[magic-sessionmanager] [JWT-BLOCKED] User ${userDocId.substring(0, 8)}... has terminated sessions`
+          );
+          return null;
+        }
         if (strictMode) {
           strapi2.log.info(
             `[magic-sessionmanager] [JWT-BLOCKED] No sessions exist for user ${userDocId.substring(0, 8)}... (strictMode)`
@@ -1131,6 +1147,15 @@ var admin$1 = {
         description: "Terminate a specific session (admin)"
       }
     },
+    {
+      method: "POST",
+      path: "/sessions/:sessionId/simulate-timeout",
+      handler: "session.simulateTimeout",
+      config: {
+        policies: ["admin::isAuthenticatedAdmin"],
+        description: "Simulate session timeout for testing (sets isActive: false, terminatedManually: false)"
+      }
+    },
     {
       method: "DELETE",
       path: "/sessions/:sessionId",
@@ -1712,6 +1737,40 @@ var session$3 = {
       ctx.throw(500, "Error terminating session");
     }
   },
+  /**
+   * Simulate session timeout for testing (Admin action)
+   * POST /magic-sessionmanager/sessions/:sessionId/simulate-timeout
+   * Sets isActive: false, terminatedManually: false (as if cleanup job ran)
+   * This allows testing session reactivation behavior
+   */
+  async simulateTimeout(ctx) {
+    try {
+      const { sessionId } = ctx.params;
+      const session2 = await strapi.documents(SESSION_UID$2).findOne({
+        documentId: sessionId
+      });
+      if (!session2) {
+        return ctx.notFound("Session not found");
+      }
+      await strapi.documents(SESSION_UID$2).update({
+        documentId: sessionId,
+        data: {
+          isActive: false,
+          terminatedManually: false
+          // This allows reactivation!
+        }
+      });
+      strapi.log.info(`[magic-sessionmanager] [TEST] Session ${sessionId} simulated timeout (terminatedManually: false)`);
+      ctx.body = {
+        message: `Session ${sessionId} marked as timed out (reactivatable)`,
+        success: true,
+        terminatedManually: false
+      };
+    } catch (err) {
+      strapi.log.error("[magic-sessionmanager] Error simulating timeout:", err);
+      ctx.throw(500, "Error simulating session timeout");
+    }
+  },
   /**
    * Terminate a single session (Admin action)
    * POST /magic-sessionmanager/sessions/:sessionId/terminate
@@ -2681,7 +2740,7 @@ var session$1 = ({ strapi: strapi2 }) => {
     }
   };
 };
-const version$1 = "4.3.4";
+const version$1 = "4.5.0";
 const require$$2 = {
   version: version$1
 };

package/dist/server/index.mjs

@@ -796,6 +796,7 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
       const config2 = strapi2.config.get("plugin::magic-sessionmanager") || {};
       const strictMode = config2.strictSessionEnforcement === true;
       try {
+        const tokenHashValue = hashToken$2(token);
         let userDocId = null;
         const user = await strapi2.entityService.findOne(
           "plugin::users-permissions.user",
@@ -807,36 +808,25 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
           strapi2.log.debug("[magic-sessionmanager] [JWT] No documentId found, allowing through");
           return decoded;
         }
-        const activeSessions = await strapi2.documents(SESSION_UID$3).findMany({
+        const thisSession = await strapi2.documents(SESSION_UID$3).findFirst({
           filters: {
             user: { documentId: userDocId },
-            isActive: true
+            tokenHash: tokenHashValue
           },
-          limit: 1
+          fields: ["documentId", "isActive", "terminatedManually", "lastActive"]
         });
-        if (activeSessions && activeSessions.length > 0) {
-          return decoded;
-        }
-        const inactiveSessions = await strapi2.documents(SESSION_UID$3).findMany({
-          filters: {
-            user: { documentId: userDocId },
-            isActive: false
-          },
-          limit: 5,
-          fields: ["documentId", "terminatedManually", "lastActive"],
-          sort: [{ lastActive: "desc" }]
-        });
-        if (inactiveSessions && inactiveSessions.length > 0) {
-          const manuallyTerminated = inactiveSessions.find((s3) => s3.terminatedManually === true);
-          if (manuallyTerminated) {
+        if (thisSession) {
+          if (thisSession.terminatedManually === true) {
             strapi2.log.info(
-              `[magic-sessionmanager] [JWT-BLOCKED] User ${userDocId.substring(0, 8)}... was manually logged out`
+              `[magic-sessionmanager] [JWT-BLOCKED] Session was manually terminated (user: ${userDocId.substring(0, 8)}...)`
             );
             return null;
           }
-          const sessionToReactivate = inactiveSessions[0];
+          if (thisSession.isActive) {
+            return decoded;
+          }
           await strapi2.documents(SESSION_UID$3).update({
-            documentId: sessionToReactivate.documentId,
+            documentId: thisSession.documentId,
             data: {
               isActive: true,
               lastActive: /* @__PURE__ */ new Date()
@@ -847,6 +837,32 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
           );
           return decoded;
         }
+        const anyActiveSessions = await strapi2.documents(SESSION_UID$3).findMany({
+          filters: {
+            user: { documentId: userDocId },
+            isActive: true
+          },
+          limit: 1
+        });
+        if (anyActiveSessions && anyActiveSessions.length > 0) {
+          strapi2.log.debug(
+            `[magic-sessionmanager] [JWT] No session for token but user has other active sessions (allowing)`
+          );
+          return decoded;
+        }
+        const terminatedSessions = await strapi2.documents(SESSION_UID$3).findMany({
+          filters: {
+            user: { documentId: userDocId },
+            terminatedManually: true
+          },
+          limit: 1
+        });
+        if (terminatedSessions && terminatedSessions.length > 0) {
+          strapi2.log.info(
+            `[magic-sessionmanager] [JWT-BLOCKED] User ${userDocId.substring(0, 8)}... has terminated sessions`
+          );
+          return null;
+        }
         if (strictMode) {
           strapi2.log.info(
             `[magic-sessionmanager] [JWT-BLOCKED] No sessions exist for user ${userDocId.substring(0, 8)}... (strictMode)`
@@ -1118,6 +1134,15 @@ var admin$1 = {
         description: "Terminate a specific session (admin)"
       }
     },
+    {
+      method: "POST",
+      path: "/sessions/:sessionId/simulate-timeout",
+      handler: "session.simulateTimeout",
+      config: {
+        policies: ["admin::isAuthenticatedAdmin"],
+        description: "Simulate session timeout for testing (sets isActive: false, terminatedManually: false)"
+      }
+    },
     {
       method: "DELETE",
       path: "/sessions/:sessionId",
@@ -1699,6 +1724,40 @@ var session$3 = {
       ctx.throw(500, "Error terminating session");
     }
   },
+  /**
+   * Simulate session timeout for testing (Admin action)
+   * POST /magic-sessionmanager/sessions/:sessionId/simulate-timeout
+   * Sets isActive: false, terminatedManually: false (as if cleanup job ran)
+   * This allows testing session reactivation behavior
+   */
+  async simulateTimeout(ctx) {
+    try {
+      const { sessionId } = ctx.params;
+      const session2 = await strapi.documents(SESSION_UID$2).findOne({
+        documentId: sessionId
+      });
+      if (!session2) {
+        return ctx.notFound("Session not found");
+      }
+      await strapi.documents(SESSION_UID$2).update({
+        documentId: sessionId,
+        data: {
+          isActive: false,
+          terminatedManually: false
+          // This allows reactivation!
+        }
+      });
+      strapi.log.info(`[magic-sessionmanager] [TEST] Session ${sessionId} simulated timeout (terminatedManually: false)`);
+      ctx.body = {
+        message: `Session ${sessionId} marked as timed out (reactivatable)`,
+        success: true,
+        terminatedManually: false
+      };
+    } catch (err) {
+      strapi.log.error("[magic-sessionmanager] Error simulating timeout:", err);
+      ctx.throw(500, "Error simulating session timeout");
+    }
+  },
   /**
    * Terminate a single session (Admin action)
    * POST /magic-sessionmanager/sessions/:sessionId/terminate
@@ -2668,7 +2727,7 @@ var session$1 = ({ strapi: strapi2 }) => {
     }
   };
 };
-const version$1 = "4.3.4";
+const version$1 = "4.5.0";
 const require$$2 = {
   version: version$1
 };

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "4.4.0",
+  "version": "4.4.2",
   "keywords": [
     "strapi",
     "strapi-plugin",