strapi-plugin-magic-sessionmanager 4.5.0 → 4.5.2

package/dist/server/index.js

@@ -9584,6 +9584,9 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
       }
     }, 3e3);
     const sessionService = strapi2.plugin("magic-sessionmanager").service("session");
+    if (!strapi2.sessionManagerIntervals) {
+      strapi2.sessionManagerIntervals = {};
+    }
     log.info("Running initial session cleanup...");
     try {
       const settings2 = await getPluginSettings$3(strapi2);
@@ -9593,23 +9596,50 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
     } catch (cleanupErr) {
       log.warn("Initial cleanup failed:", cleanupErr.message);
     }
-    const cleanupInterval = 30 * 60 * 1e3;
-    const cleanupIntervalHandle = setInterval(async () => {
+    const scheduleIdleCleanup = async () => {
+      let intervalMs = 30 * 60 * 1e3;
+      let useDbDirect = false;
       try {
-        const service = strapi2.plugin("magic-sessionmanager").service("session");
-        const settings2 = await getPluginSettings$3(strapi2).catch(() => ({}));
-        await service.cleanupInactiveSessions({
-          useDbDirect: settings2.cleanupUseDbDirect === true
-        });
-      } catch (err) {
-        log.error("Periodic cleanup error:", err);
+        const settings2 = await getPluginSettings$3(strapi2);
+        intervalMs = Math.max(5 * 60 * 1e3, settings2.cleanupInterval || intervalMs);
+        useDbDirect = settings2.cleanupUseDbDirect === true;
+      } catch {
       }
-    }, cleanupInterval);
-    log.info("[TIME] Periodic cleanup scheduled (every 30 minutes)");
-    if (!strapi2.sessionManagerIntervals) {
-      strapi2.sessionManagerIntervals = {};
-    }
-    strapi2.sessionManagerIntervals.cleanup = cleanupIntervalHandle;
+      const handle = setTimeout(async () => {
+        try {
+          const service = strapi2.plugin("magic-sessionmanager").service("session");
+          await service.cleanupInactiveSessions({ useDbDirect });
+        } catch (err) {
+          log.error("Periodic cleanup error:", err);
+        }
+        scheduleIdleCleanup();
+      }, intervalMs);
+      strapi2.sessionManagerIntervals.cleanupTimeout = handle;
+    };
+    await scheduleIdleCleanup();
+    const RETENTION_INTERVAL_MS = 24 * 60 * 60 * 1e3;
+    const scheduleRetention = async () => {
+      let useDbDirect = false;
+      try {
+        const settings2 = await getPluginSettings$3(strapi2);
+        useDbDirect = settings2.cleanupUseDbDirect === true;
+      } catch {
+      }
+      const handle = setTimeout(async () => {
+        try {
+          const service = strapi2.plugin("magic-sessionmanager").service("session");
+          await service.deleteOldSessions({ useDbDirect });
+        } catch (err) {
+          log.error("Retention cleanup error:", err);
+        }
+        scheduleRetention();
+      }, RETENTION_INTERVAL_MS);
+      strapi2.sessionManagerIntervals.retentionTimeout = handle;
+    };
+    strapi2.sessionManagerIntervals.retentionStartup = setTimeout(() => {
+      scheduleRetention();
+    }, 5 * 60 * 1e3);
+    log.info("[TIME] Dynamic cleanup + retention scheduled");
     mountPreLoginGeoGuard({ strapi: strapi2, log });
     mountFailedLoginLockout({ strapi: strapi2, log });
     mountLogoutRoute({ strapi: strapi2, log, sessionService });
@@ -10341,9 +10371,10 @@ var destroy$1 = async ({ strapi: strapi2 }) => {
       if (!handle) continue;
       try {
         clearInterval(handle);
-        log.info(`[STOP] ${name} interval stopped`);
+        clearTimeout(handle);
+        log.info(`[STOP] ${name} timer stopped`);
       } catch (err) {
-        log.warn(`Failed to stop ${name} interval:`, err.message);
+        log.warn(`Failed to stop ${name} timer:`, err.message);
       }
     }
     strapi2.sessionManagerIntervals = {};
@@ -11732,15 +11763,27 @@ var settings$1 = {
       let settings2 = await pluginStore.get({ key: "settings" });
       if (!settings2) {
         settings2 = {
+          // Timing & cleanup
           inactivityTimeout: 15,
           cleanupInterval: 30,
           lastSeenRateLimit: 30,
           retentionDays: 90,
           maxSessionAgeDays: 30,
+          // Grace window (ms) during which a freshly-issued JWT is accepted
+          // without a matching session row — see JWT-verify wrapper in bootstrap.
+          sessionCreationGraceMs: 5e3,
+          // Opt-in: use a single SQL UPDATE for idle-session cleanup
+          // (bypasses Document Service lifecycle, required for very large installs).
+          cleanupUseDbDirect: false,
+          // Geo / security
           enableGeolocation: true,
           enableSecurityScoring: true,
           blockSuspiciousSessions: false,
           maxFailedLogins: 5,
+          enableGeofencing: false,
+          allowedCountries: [],
+          blockedCountries: [],
+          // Notifications
           enableEmailAlerts: false,
           alertOnSuspiciousLogin: true,
           alertOnNewLocation: true,
@@ -11748,11 +11791,10 @@ var settings$1 = {
           enableWebhooks: false,
           discordWebhookUrl: "",
           slackWebhookUrl: "",
-          enableGeofencing: false,
-          allowedCountries: [],
-          blockedCountries: [],
+          // Session policy
           strictSessionEnforcement: false,
           trustedProxies: false,
+          // Email templates
           emailTemplates: {
             suspiciousLogin: { subject: "", html: "", text: "" },
             newLocation: { subject: "", html: "", text: "" },
@@ -11785,16 +11827,26 @@ var settings$1 = {
         type: "plugin",
         name: "magic-sessionmanager"
       });
+      const graceRaw = body.sessionCreationGraceMs;
+      const grace = Number.isFinite(parseInt(graceRaw)) ? Math.max(0, Math.min(parseInt(graceRaw), 3e4)) : 5e3;
       const sanitizedSettings = {
+        // Timing & cleanup
         inactivityTimeout: Math.max(1, Math.min(parseInt(body.inactivityTimeout) || 15, 1440)),
         cleanupInterval: Math.max(5, Math.min(parseInt(body.cleanupInterval) || 30, 1440)),
         lastSeenRateLimit: Math.max(5, Math.min(parseInt(body.lastSeenRateLimit) || 30, 300)),
         retentionDays: Math.max(1, Math.min(parseInt(body.retentionDays) || 90, 365)),
         maxSessionAgeDays: Math.max(1, Math.min(parseInt(body.maxSessionAgeDays) || 30, 365)),
+        sessionCreationGraceMs: grace,
+        cleanupUseDbDirect: !!body.cleanupUseDbDirect,
+        // Geo / security
         enableGeolocation: !!body.enableGeolocation,
         enableSecurityScoring: !!body.enableSecurityScoring,
         blockSuspiciousSessions: !!body.blockSuspiciousSessions,
         maxFailedLogins: Math.max(1, Math.min(parseInt(body.maxFailedLogins) || 5, 100)),
+        enableGeofencing: !!body.enableGeofencing,
+        allowedCountries: sanitizeCountryList(body.allowedCountries),
+        blockedCountries: sanitizeCountryList(body.blockedCountries),
+        // Notifications
         enableEmailAlerts: !!body.enableEmailAlerts,
         alertOnSuspiciousLogin: !!body.alertOnSuspiciousLogin,
         alertOnNewLocation: !!body.alertOnNewLocation,
@@ -11802,11 +11854,10 @@ var settings$1 = {
         enableWebhooks: !!body.enableWebhooks,
         discordWebhookUrl: sanitizeWebhookUrl(body.discordWebhookUrl, "discord"),
         slackWebhookUrl: sanitizeWebhookUrl(body.slackWebhookUrl, "slack"),
-        enableGeofencing: !!body.enableGeofencing,
-        allowedCountries: sanitizeCountryList(body.allowedCountries),
-        blockedCountries: sanitizeCountryList(body.blockedCountries),
+        // Session policy
         strictSessionEnforcement: !!body.strictSessionEnforcement,
         trustedProxies: !!body.trustedProxies,
+        // Email templates
         emailTemplates: sanitizeEmailTemplates(body.emailTemplates)
       };
       await pluginStore.set({
@@ -12190,6 +12241,81 @@ var session$1 = ({ strapi: strapi2 }) => {
         throw err;
       }
     },
+    /**
+     * Permanently deletes sessions that have been inactive past the
+     * configured retention window. Distinct from `deleteInactiveSessions`
+     * (which deletes ALL inactive sessions) — this only drops rows older
+     * than `retentionDays`, so recently-terminated sessions stay queryable
+     * for audits.
+     *
+     * @param {Object} [options]
+     * @param {number} [options.retentionDays]    Overrides the stored setting.
+     * @param {boolean} [options.useDbDirect]     Fast-path via single SQL
+     *   DELETE. Bypasses lifecycle hooks; use only when necessary.
+     * @returns {Promise<number>} Number of sessions deleted
+     */
+    async deleteOldSessions({ retentionDays, useDbDirect } = {}) {
+      try {
+        const settings2 = await getPluginSettings$1(strapi2);
+        const effectiveDays = Number.isFinite(retentionDays) ? retentionDays : settings2.retentionDays || 90;
+        if (effectiveDays === -1) {
+          log.debug("[RETENTION] retentionDays=-1 (forever) — skipping");
+          return 0;
+        }
+        const cutoffDate = new Date(Date.now() - effectiveDays * 24 * 60 * 60 * 1e3);
+        const wantDbDirect = useDbDirect ?? settings2.cleanupUseDbDirect === true;
+        log.info(`[RETENTION] Deleting inactive sessions older than ${effectiveDays} days (before ${cutoffDate.toISOString()})`);
+        if (wantDbDirect) {
+          try {
+            const deleted = await strapi2.db.connection("magic_sessions").where("is_active", false).andWhere(function whereOldEnough() {
+              this.where("logout_time", "<", cutoffDate).orWhere(function whereNullLogout() {
+                this.whereNull("logout_time").andWhere(function whereOldByActivity() {
+                  this.where("last_active", "<", cutoffDate).orWhere(function whereNullActivity() {
+                    this.whereNull("last_active").andWhere("login_time", "<", cutoffDate);
+                  });
+                });
+              });
+            }).del();
+            log.info(`[SUCCESS] Retention (db-direct) deleted ${deleted} old session(s)`);
+            return deleted;
+          } catch (err) {
+            log.warn("[RETENTION] DB-direct delete failed, falling back to Document Service:", err.message);
+          }
+        }
+        let deletedCount = 0;
+        const BATCH = 200;
+        while (true) {
+          const batch = await strapi2.documents(SESSION_UID$1).findMany({
+            filters: {
+              isActive: false,
+              $or: [
+                { logoutTime: { $lt: cutoffDate } },
+                { logoutTime: { $null: true }, lastActive: { $lt: cutoffDate } },
+                { logoutTime: { $null: true }, lastActive: { $null: true }, loginTime: { $lt: cutoffDate } }
+              ]
+            },
+            fields: ["documentId"],
+            sort: { loginTime: "asc" },
+            limit: BATCH
+          });
+          if (!batch || batch.length === 0) break;
+          for (const session2 of batch) {
+            try {
+              await strapi2.documents(SESSION_UID$1).delete({ documentId: session2.documentId });
+              deletedCount++;
+            } catch (err) {
+              log.debug(`[RETENTION] Failed to delete session ${session2.documentId}:`, err.message);
+            }
+          }
+          if (batch.length < BATCH) break;
+        }
+        log.info(`[SUCCESS] Retention deleted ${deletedCount} old session(s)`);
+        return deletedCount;
+      } catch (err) {
+        log.error("Error in retention cleanup:", err);
+        return 0;
+      }
+    },
     /**
      * Permanently deletes all inactive sessions.
      * Uses an inner scan loop that tolerates partial failures.
@@ -12235,7 +12361,7 @@ var session$1 = ({ strapi: strapi2 }) => {
     }
   };
 };
-const version$1 = "4.5.0";
+const version$1 = "4.5.1";
 const require$$2 = {
   version: version$1
 };

package/dist/server/index.mjs

@@ -9571,6 +9571,9 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
       }
     }, 3e3);
     const sessionService = strapi2.plugin("magic-sessionmanager").service("session");
+    if (!strapi2.sessionManagerIntervals) {
+      strapi2.sessionManagerIntervals = {};
+    }
     log.info("Running initial session cleanup...");
     try {
       const settings2 = await getPluginSettings$3(strapi2);
@@ -9580,23 +9583,50 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
     } catch (cleanupErr) {
       log.warn("Initial cleanup failed:", cleanupErr.message);
     }
-    const cleanupInterval = 30 * 60 * 1e3;
-    const cleanupIntervalHandle = setInterval(async () => {
+    const scheduleIdleCleanup = async () => {
+      let intervalMs = 30 * 60 * 1e3;
+      let useDbDirect = false;
       try {
-        const service = strapi2.plugin("magic-sessionmanager").service("session");
-        const settings2 = await getPluginSettings$3(strapi2).catch(() => ({}));
-        await service.cleanupInactiveSessions({
-          useDbDirect: settings2.cleanupUseDbDirect === true
-        });
-      } catch (err) {
-        log.error("Periodic cleanup error:", err);
+        const settings2 = await getPluginSettings$3(strapi2);
+        intervalMs = Math.max(5 * 60 * 1e3, settings2.cleanupInterval || intervalMs);
+        useDbDirect = settings2.cleanupUseDbDirect === true;
+      } catch {
       }
-    }, cleanupInterval);
-    log.info("[TIME] Periodic cleanup scheduled (every 30 minutes)");
-    if (!strapi2.sessionManagerIntervals) {
-      strapi2.sessionManagerIntervals = {};
-    }
-    strapi2.sessionManagerIntervals.cleanup = cleanupIntervalHandle;
+      const handle = setTimeout(async () => {
+        try {
+          const service = strapi2.plugin("magic-sessionmanager").service("session");
+          await service.cleanupInactiveSessions({ useDbDirect });
+        } catch (err) {
+          log.error("Periodic cleanup error:", err);
+        }
+        scheduleIdleCleanup();
+      }, intervalMs);
+      strapi2.sessionManagerIntervals.cleanupTimeout = handle;
+    };
+    await scheduleIdleCleanup();
+    const RETENTION_INTERVAL_MS = 24 * 60 * 60 * 1e3;
+    const scheduleRetention = async () => {
+      let useDbDirect = false;
+      try {
+        const settings2 = await getPluginSettings$3(strapi2);
+        useDbDirect = settings2.cleanupUseDbDirect === true;
+      } catch {
+      }
+      const handle = setTimeout(async () => {
+        try {
+          const service = strapi2.plugin("magic-sessionmanager").service("session");
+          await service.deleteOldSessions({ useDbDirect });
+        } catch (err) {
+          log.error("Retention cleanup error:", err);
+        }
+        scheduleRetention();
+      }, RETENTION_INTERVAL_MS);
+      strapi2.sessionManagerIntervals.retentionTimeout = handle;
+    };
+    strapi2.sessionManagerIntervals.retentionStartup = setTimeout(() => {
+      scheduleRetention();
+    }, 5 * 60 * 1e3);
+    log.info("[TIME] Dynamic cleanup + retention scheduled");
     mountPreLoginGeoGuard({ strapi: strapi2, log });
     mountFailedLoginLockout({ strapi: strapi2, log });
     mountLogoutRoute({ strapi: strapi2, log, sessionService });
@@ -10328,9 +10358,10 @@ var destroy$1 = async ({ strapi: strapi2 }) => {
       if (!handle) continue;
       try {
         clearInterval(handle);
-        log.info(`[STOP] ${name} interval stopped`);
+        clearTimeout(handle);
+        log.info(`[STOP] ${name} timer stopped`);
       } catch (err) {
-        log.warn(`Failed to stop ${name} interval:`, err.message);
+        log.warn(`Failed to stop ${name} timer:`, err.message);
       }
     }
     strapi2.sessionManagerIntervals = {};
@@ -11719,15 +11750,27 @@ var settings$1 = {
       let settings2 = await pluginStore.get({ key: "settings" });
       if (!settings2) {
         settings2 = {
+          // Timing & cleanup
           inactivityTimeout: 15,
           cleanupInterval: 30,
           lastSeenRateLimit: 30,
           retentionDays: 90,
           maxSessionAgeDays: 30,
+          // Grace window (ms) during which a freshly-issued JWT is accepted
+          // without a matching session row — see JWT-verify wrapper in bootstrap.
+          sessionCreationGraceMs: 5e3,
+          // Opt-in: use a single SQL UPDATE for idle-session cleanup
+          // (bypasses Document Service lifecycle, required for very large installs).
+          cleanupUseDbDirect: false,
+          // Geo / security
           enableGeolocation: true,
           enableSecurityScoring: true,
           blockSuspiciousSessions: false,
           maxFailedLogins: 5,
+          enableGeofencing: false,
+          allowedCountries: [],
+          blockedCountries: [],
+          // Notifications
           enableEmailAlerts: false,
           alertOnSuspiciousLogin: true,
           alertOnNewLocation: true,
@@ -11735,11 +11778,10 @@ var settings$1 = {
           enableWebhooks: false,
           discordWebhookUrl: "",
           slackWebhookUrl: "",
-          enableGeofencing: false,
-          allowedCountries: [],
-          blockedCountries: [],
+          // Session policy
           strictSessionEnforcement: false,
           trustedProxies: false,
+          // Email templates
           emailTemplates: {
             suspiciousLogin: { subject: "", html: "", text: "" },
             newLocation: { subject: "", html: "", text: "" },
@@ -11772,16 +11814,26 @@ var settings$1 = {
         type: "plugin",
         name: "magic-sessionmanager"
       });
+      const graceRaw = body.sessionCreationGraceMs;
+      const grace = Number.isFinite(parseInt(graceRaw)) ? Math.max(0, Math.min(parseInt(graceRaw), 3e4)) : 5e3;
       const sanitizedSettings = {
+        // Timing & cleanup
         inactivityTimeout: Math.max(1, Math.min(parseInt(body.inactivityTimeout) || 15, 1440)),
         cleanupInterval: Math.max(5, Math.min(parseInt(body.cleanupInterval) || 30, 1440)),
         lastSeenRateLimit: Math.max(5, Math.min(parseInt(body.lastSeenRateLimit) || 30, 300)),
         retentionDays: Math.max(1, Math.min(parseInt(body.retentionDays) || 90, 365)),
         maxSessionAgeDays: Math.max(1, Math.min(parseInt(body.maxSessionAgeDays) || 30, 365)),
+        sessionCreationGraceMs: grace,
+        cleanupUseDbDirect: !!body.cleanupUseDbDirect,
+        // Geo / security
         enableGeolocation: !!body.enableGeolocation,
         enableSecurityScoring: !!body.enableSecurityScoring,
         blockSuspiciousSessions: !!body.blockSuspiciousSessions,
         maxFailedLogins: Math.max(1, Math.min(parseInt(body.maxFailedLogins) || 5, 100)),
+        enableGeofencing: !!body.enableGeofencing,
+        allowedCountries: sanitizeCountryList(body.allowedCountries),
+        blockedCountries: sanitizeCountryList(body.blockedCountries),
+        // Notifications
         enableEmailAlerts: !!body.enableEmailAlerts,
         alertOnSuspiciousLogin: !!body.alertOnSuspiciousLogin,
         alertOnNewLocation: !!body.alertOnNewLocation,
@@ -11789,11 +11841,10 @@ var settings$1 = {
         enableWebhooks: !!body.enableWebhooks,
         discordWebhookUrl: sanitizeWebhookUrl(body.discordWebhookUrl, "discord"),
         slackWebhookUrl: sanitizeWebhookUrl(body.slackWebhookUrl, "slack"),
-        enableGeofencing: !!body.enableGeofencing,
-        allowedCountries: sanitizeCountryList(body.allowedCountries),
-        blockedCountries: sanitizeCountryList(body.blockedCountries),
+        // Session policy
         strictSessionEnforcement: !!body.strictSessionEnforcement,
         trustedProxies: !!body.trustedProxies,
+        // Email templates
         emailTemplates: sanitizeEmailTemplates(body.emailTemplates)
       };
       await pluginStore.set({
@@ -12177,6 +12228,81 @@ var session$1 = ({ strapi: strapi2 }) => {
         throw err;
       }
     },
+    /**
+     * Permanently deletes sessions that have been inactive past the
+     * configured retention window. Distinct from `deleteInactiveSessions`
+     * (which deletes ALL inactive sessions) — this only drops rows older
+     * than `retentionDays`, so recently-terminated sessions stay queryable
+     * for audits.
+     *
+     * @param {Object} [options]
+     * @param {number} [options.retentionDays]    Overrides the stored setting.
+     * @param {boolean} [options.useDbDirect]     Fast-path via single SQL
+     *   DELETE. Bypasses lifecycle hooks; use only when necessary.
+     * @returns {Promise<number>} Number of sessions deleted
+     */
+    async deleteOldSessions({ retentionDays, useDbDirect } = {}) {
+      try {
+        const settings2 = await getPluginSettings$1(strapi2);
+        const effectiveDays = Number.isFinite(retentionDays) ? retentionDays : settings2.retentionDays || 90;
+        if (effectiveDays === -1) {
+          log.debug("[RETENTION] retentionDays=-1 (forever) — skipping");
+          return 0;
+        }
+        const cutoffDate = new Date(Date.now() - effectiveDays * 24 * 60 * 60 * 1e3);
+        const wantDbDirect = useDbDirect ?? settings2.cleanupUseDbDirect === true;
+        log.info(`[RETENTION] Deleting inactive sessions older than ${effectiveDays} days (before ${cutoffDate.toISOString()})`);
+        if (wantDbDirect) {
+          try {
+            const deleted = await strapi2.db.connection("magic_sessions").where("is_active", false).andWhere(function whereOldEnough() {
+              this.where("logout_time", "<", cutoffDate).orWhere(function whereNullLogout() {
+                this.whereNull("logout_time").andWhere(function whereOldByActivity() {
+                  this.where("last_active", "<", cutoffDate).orWhere(function whereNullActivity() {
+                    this.whereNull("last_active").andWhere("login_time", "<", cutoffDate);
+                  });
+                });
+              });
+            }).del();
+            log.info(`[SUCCESS] Retention (db-direct) deleted ${deleted} old session(s)`);
+            return deleted;
+          } catch (err) {
+            log.warn("[RETENTION] DB-direct delete failed, falling back to Document Service:", err.message);
+          }
+        }
+        let deletedCount = 0;
+        const BATCH = 200;
+        while (true) {
+          const batch = await strapi2.documents(SESSION_UID$1).findMany({
+            filters: {
+              isActive: false,
+              $or: [
+                { logoutTime: { $lt: cutoffDate } },
+                { logoutTime: { $null: true }, lastActive: { $lt: cutoffDate } },
+                { logoutTime: { $null: true }, lastActive: { $null: true }, loginTime: { $lt: cutoffDate } }
+              ]
+            },
+            fields: ["documentId"],
+            sort: { loginTime: "asc" },
+            limit: BATCH
+          });
+          if (!batch || batch.length === 0) break;
+          for (const session2 of batch) {
+            try {
+              await strapi2.documents(SESSION_UID$1).delete({ documentId: session2.documentId });
+              deletedCount++;
+            } catch (err) {
+              log.debug(`[RETENTION] Failed to delete session ${session2.documentId}:`, err.message);
+            }
+          }
+          if (batch.length < BATCH) break;
+        }
+        log.info(`[SUCCESS] Retention deleted ${deletedCount} old session(s)`);
+        return deletedCount;
+      } catch (err) {
+        log.error("Error in retention cleanup:", err);
+        return 0;
+      }
+    },
     /**
      * Permanently deletes all inactive sessions.
      * Uses an inner scan loop that tolerates partial failures.
@@ -12222,7 +12348,7 @@ var session$1 = ({ strapi: strapi2 }) => {
     }
   };
 };
-const version$1 = "4.5.0";
+const version$1 = "4.5.1";
 const require$$2 = {
   version: version$1
 };

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "4.5.0",
+  "version": "4.5.2",
   "keywords": [
     "strapi",
     "strapi-plugin",