strapi-plugin-magic-sessionmanager 4.5.1 → 4.5.3

package/dist/server/index.js

@@ -174,7 +174,16 @@ var register$1 = async ({ strapi: strapi2 }) => {
             try {
               await strapi2.documents(SESSION_UID$6).update({
                 documentId: session2.documentId,
-                data: { isActive: false, terminatedManually: true, logoutTime: now }
+                data: {
+                  isActive: false,
+                  // Blocked users are NOT a "manual" self-logout — mark
+                  // this distinctly so the client receives a different
+                  // error message ("account blocked") rather than
+                  // "session terminated".
+                  terminatedManually: false,
+                  terminationReason: "blocked",
+                  logoutTime: now
+                }
               });
               terminated++;
             } catch (updateErr) {
@@ -304,27 +313,27 @@ function generateSessionId$1(userId) {
   const userHash = crypto$1.createHash("sha256").update(userId.toString()).digest("hex").substring(0, 8);
   return `sess_${timestamp2}_${userHash}_${randomBytes}`;
 }
-function hashToken$5(token) {
+function hashToken$6(token) {
   if (!token) return null;
   return crypto$1.createHash("sha256").update(token).digest("hex");
 }
 var encryption = {
   encryptToken: encryptToken$2,
   generateSessionId: generateSessionId$1,
-  hashToken: hashToken$5
+  hashToken: hashToken$6
 };
 const USER_UID$1 = "plugin::users-permissions.user";
-const cache = /* @__PURE__ */ new Map();
+const cache$1 = /* @__PURE__ */ new Map();
 const CACHE_TTL = 5 * 60 * 1e3;
 const CACHE_MAX_SIZE = 1e3;
 function evict() {
   const now = Date.now();
-  for (const [key, value] of cache) {
-    if (now - value.ts >= CACHE_TTL) cache.delete(key);
+  for (const [key, value] of cache$1) {
+    if (now - value.ts >= CACHE_TTL) cache$1.delete(key);
   }
-  if (cache.size >= CACHE_MAX_SIZE) {
-    const keysToDelete = [...cache.keys()].slice(0, Math.floor(CACHE_MAX_SIZE / 4));
-    keysToDelete.forEach((k2) => cache.delete(k2));
+  if (cache$1.size >= CACHE_MAX_SIZE) {
+    const keysToDelete = [...cache$1.keys()].slice(0, Math.floor(CACHE_MAX_SIZE / 4));
+    keysToDelete.forEach((k2) => cache$1.delete(k2));
   }
 }
 async function resolveUserDocumentId$5(strapi2, userId) {
@@ -334,17 +343,17 @@ async function resolveUserDocumentId$5(strapi2, userId) {
   }
   const numericId = typeof userId === "number" ? userId : parseInt(userId, 10);
   const cacheKey = `u_${numericId}`;
-  const cached2 = cache.get(cacheKey);
+  const cached2 = cache$1.get(cacheKey);
   if (cached2 && Date.now() - cached2.ts < CACHE_TTL) {
     return cached2.documentId;
   }
-  if (cache.size >= CACHE_MAX_SIZE) evict();
+  if (cache$1.size >= CACHE_MAX_SIZE) evict();
   try {
     const user = await strapi2.entityService.findOne(USER_UID$1, numericId, {
       fields: ["documentId"]
     });
     if (user?.documentId) {
-      cache.set(cacheKey, { documentId: user.documentId, ts: Date.now() });
+      cache$1.set(cacheKey, { documentId: user.documentId, ts: Date.now() });
       return user.documentId;
     }
   } catch {
@@ -405,6 +414,15 @@ function normalizeStoredSettings(stored) {
   if (stored.sessionCreationGraceMs !== void 0) {
     out.sessionCreationGraceMs = toIntInRange(stored.sessionCreationGraceMs, 5e3, 0, 3e4);
   }
+  if (stored.rateLimitWriteMax !== void 0) {
+    out.rateLimitWriteMax = toIntInRange(stored.rateLimitWriteMax, 10, 1, 1e3);
+  }
+  if (stored.rateLimitReadMax !== void 0) {
+    out.rateLimitReadMax = toIntInRange(stored.rateLimitReadMax, 120, 1, 1e4);
+  }
+  if (stored.rateLimitWindowSeconds !== void 0) {
+    out.rateLimitWindowSeconds = toIntInRange(stored.rateLimitWindowSeconds, 60, 10, 3600);
+  }
   for (const key of passthroughBooleans) {
     if (stored[key] !== void 0) out[key] = !!stored[key];
   }
@@ -428,7 +446,7 @@ function normalizeStoredSettings(stored) {
   }
   return out;
 }
-async function getPluginSettings$5(strapi2) {
+async function getPluginSettings$6(strapi2) {
   const now = Date.now();
   if (cached$1 && now - cachedAt < CACHE_TTL_MS) {
     return cached$1;
@@ -452,12 +470,12 @@ function invalidateSettingsCache$1() {
   cachedAt = 0;
 }
 var settingsLoader = {
-  getPluginSettings: getPluginSettings$5,
+  getPluginSettings: getPluginSettings$6,
   invalidateSettingsCache: invalidateSettingsCache$1
 };
 const MIN_TOKEN_LENGTH = 40;
 const MAX_TOKEN_LENGTH = 8192;
-function extractBearerToken$4(ctx) {
+function extractBearerToken$5(ctx) {
   const headers = ctx?.request?.headers || ctx?.request?.header || {};
   const raw = headers.authorization || headers.Authorization;
   if (!raw || typeof raw !== "string") return null;
@@ -467,9 +485,76 @@ function extractBearerToken$4(ctx) {
   if (!token || token.length < MIN_TOKEN_LENGTH || token.length > MAX_TOKEN_LENGTH) return null;
   return token;
 }
-var extractToken = { extractBearerToken: extractBearerToken$4 };
+var extractToken = { extractBearerToken: extractBearerToken$5 };
+const TTL_MS = 60 * 1e3;
+const MAX_ENTRIES = 1e4;
+const cache = /* @__PURE__ */ new Map();
+const prune$1 = () => {
+  const now = Date.now();
+  for (const [k2, v] of cache) {
+    if (v.expiresAt <= now) cache.delete(k2);
+  }
+};
+function setSessionRejectionReason$1(tokenHash, reason) {
+  if (!tokenHash || !reason) return;
+  if (cache.size >= MAX_ENTRIES) prune$1();
+  cache.set(tokenHash, { reason, expiresAt: Date.now() + TTL_MS });
+}
+function consumeSessionRejectionReason$2(tokenHash) {
+  if (!tokenHash) return null;
+  const entry = cache.get(tokenHash);
+  if (!entry) return null;
+  cache.delete(tokenHash);
+  if (entry.expiresAt <= Date.now()) return null;
+  return entry.reason;
+}
+var rejectionCache = {
+  setSessionRejectionReason: setSessionRejectionReason$1,
+  consumeSessionRejectionReason: consumeSessionRejectionReason$2
+};
+const { extractBearerToken: extractBearerToken$4 } = extractToken;
+const { hashToken: hashToken$5 } = encryption;
+const { consumeSessionRejectionReason: consumeSessionRejectionReason$1 } = rejectionCache;
+const HEADER = "X-Session-Terminated-Reason";
+const REASON_MESSAGES = {
+  manual: "Your session was terminated. Please log in again.",
+  idle: "Your session expired due to inactivity. Please log in again.",
+  expired: "Your session has reached its maximum age. Please log in again.",
+  blocked: "Your account has been blocked. Contact support."
+};
+const middleware = () => async (ctx, next) => {
+  await next();
+  if (ctx.status !== 401) return;
+  const token = extractBearerToken$4(ctx);
+  if (!token) return;
+  const reason = consumeSessionRejectionReason$1(hashToken$5(token));
+  if (!reason) return;
+  ctx.set(HEADER, reason);
+  const existing = ctx.body;
+  const friendlyMessage = REASON_MESSAGES[reason] || "Session invalid. Please log in again.";
+  if (existing && typeof existing === "object" && existing.error) {
+    existing.error.details = existing.error.details || {};
+    if (!existing.error.details.reason) {
+      existing.error.details.reason = reason;
+    }
+    if (!existing.error.message || existing.error.message === "Unauthorized") {
+      existing.error.message = friendlyMessage;
+    }
+    return;
+  }
+  ctx.body = {
+    data: null,
+    error: {
+      status: 401,
+      name: "UnauthorizedError",
+      message: friendlyMessage,
+      details: { reason }
+    }
+  };
+};
+var sessionRejectionHeaders = middleware;
 const { resolveUserDocumentId: resolveUserDocumentId$4 } = resolveUser;
-const { getPluginSettings: getPluginSettings$4 } = settingsLoader;
+const { getPluginSettings: getPluginSettings$5 } = settingsLoader;
 const { extractBearerToken: extractBearerToken$3 } = extractToken;
 const { hashToken: hashToken$4 } = encryption;
 const SESSION_UID$5 = "plugin::magic-sessionmanager.session";
@@ -490,65 +575,75 @@ function isAuthEndpoint(path2) {
 var lastSeen = ({ strapi: strapi2, sessionService }) => {
   return async (ctx, next) => {
     if (isAuthEndpoint(ctx.path)) {
-      await next();
-      return;
+      return next();
     }
-    if (ctx.state.user) {
+    if (!ctx.state.user) {
+      return next();
+    }
+    let userDocId = ctx.state.user.documentId;
+    if (!userDocId && ctx.state.user.id) {
       try {
-        let userDocId2 = ctx.state.user.documentId;
-        if (!userDocId2 && ctx.state.user.id) {
-          userDocId2 = await resolveUserDocumentId$4(strapi2, ctx.state.user.id);
-        }
-        if (userDocId2) {
-          const settings2 = await getPluginSettings$4(strapi2);
-          const strictMode = settings2.strictSessionEnforcement === true;
-          const token = extractBearerToken$3(ctx);
-          const tokenHashValue = token ? hashToken$4(token) : null;
-          const thisSession = tokenHashValue ? await strapi2.documents(SESSION_UID$5).findFirst({
-            filters: { user: { documentId: userDocId2 }, tokenHash: tokenHashValue },
-            fields: ["documentId", "isActive", "terminatedManually"]
-          }) : null;
-          if (thisSession) {
-            if (thisSession.terminatedManually === true) {
-              strapi2.log.info(`[magic-sessionmanager] [BLOCKED] Session was manually terminated (user: ${userDocId2.substring(0, 8)}...)`);
-              return ctx.unauthorized("Session terminated. Please login again.");
-            }
-            ctx.state.userDocumentId = userDocId2;
-            ctx.state.__magicSessionId = thisSession.documentId;
-            await next();
-            if (thisSession.isActive) {
-              try {
-                await sessionService.touch({
-                  userId: userDocId2,
-                  sessionId: thisSession.documentId
-                });
-              } catch (err) {
-                strapi2.log.debug("[magic-sessionmanager] Error updating lastSeen:", err.message);
-              }
-            }
-            return;
-          }
-          if (strictMode) {
-            strapi2.log.info(`[magic-sessionmanager] [BLOCKED] No session matches this token (user: ${userDocId2.substring(0, 8)}..., strictMode)`);
-            return ctx.unauthorized("No valid session. Please login again.");
-          }
-          strapi2.log.warn(`[magic-sessionmanager] [WARN] No session for token (user: ${userDocId2.substring(0, 8)}...) - allowing in non-strict mode`);
-          ctx.state.userDocumentId = userDocId2;
-        }
+        userDocId = await resolveUserDocumentId$4(strapi2, ctx.state.user.id);
       } catch (err) {
-        strapi2.log.debug("[magic-sessionmanager] Error checking active sessions:", err.message);
+        strapi2.log.debug("[magic-sessionmanager] user doc-id lookup failed:", err.message);
+        return next();
       }
     }
-    await next();
-    const userDocId = ctx.state.userDocumentId || ctx.state.user?.documentId;
-    const sessionId = ctx.state.__magicSessionId;
-    if (userDocId && sessionId) {
+    if (!userDocId) {
+      return next();
+    }
+    const settings2 = await getPluginSettings$5(strapi2).catch(() => ({}));
+    const strictMode = settings2.strictSessionEnforcement === true;
+    const gracePeriodMs = Math.max(0, Number(settings2.sessionCreationGraceMs) || 5e3);
+    const token = extractBearerToken$3(ctx);
+    const tokenHashValue = token ? hashToken$4(token) : null;
+    let thisSession = null;
+    if (tokenHashValue) {
       try {
-        await sessionService.touch({ userId: userDocId, sessionId });
+        thisSession = await strapi2.documents(SESSION_UID$5).findFirst({
+          filters: { user: { documentId: userDocId }, tokenHash: tokenHashValue },
+          fields: ["documentId", "isActive", "terminatedManually", "terminationReason"]
+        });
+      } catch (err) {
+        strapi2.log.debug("[magic-sessionmanager] session lookup failed:", err.message);
+      }
+    }
+    if (thisSession) {
+      if (thisSession.isActive === false) {
+        return ctx.unauthorized("Session terminated. Please login again.");
+      }
+      ctx.state.userDocumentId = userDocId;
+      ctx.state.__magicSessionId = thisSession.documentId;
+      await next();
+      try {
+        await sessionService.touch({
+          userId: userDocId,
+          sessionId: thisSession.documentId
+        });
       } catch (err) {
         strapi2.log.debug("[magic-sessionmanager] Error updating lastSeen:", err.message);
       }
+      return;
     }
+    if (strictMode) {
+      const iat = ctx.state.user?.iat;
+      if (gracePeriodMs > 0 && typeof iat === "number") {
+        const ageMs = Date.now() - iat * 1e3;
+        if (ageMs >= 0 && ageMs < gracePeriodMs) {
+          ctx.state.userDocumentId = userDocId;
+          return next();
+        }
+      }
+      strapi2.log.info(
+        `[magic-sessionmanager] [BLOCKED] No session matches this token (user: ${userDocId.substring(0, 8)}..., strictMode)`
+      );
+      return ctx.unauthorized("No valid session. Please login again.");
+    }
+    strapi2.log.debug(
+      `[magic-sessionmanager] [WARN] No session for token (user: ${userDocId.substring(0, 8)}...) - allowing in non-strict mode`
+    );
+    ctx.state.userDocumentId = userDocId;
+    return next();
   };
 };
 var jsonwebtoken = { exports: {} };
@@ -9515,8 +9610,12 @@ const getClientIp = getClientIp_1;
 const { encryptToken: encryptToken$1, hashToken: hashToken$3 } = encryption;
 const { createLogger: createLogger$3 } = logger;
 const { resolveUserDocumentId: resolveUserDocumentId$3 } = resolveUser;
-const { getPluginSettings: getPluginSettings$3 } = settingsLoader;
+const { getPluginSettings: getPluginSettings$4 } = settingsLoader;
 const { extractBearerToken: extractBearerToken$2 } = extractToken;
+const {
+  setSessionRejectionReason,
+  consumeSessionRejectionReason
+} = rejectionCache;
 const SESSION_UID$4 = "plugin::magic-sessionmanager.session";
 const JWT_WRAPPED_FLAG = Symbol.for("magic-sessionmanager.jwt.wrapped");
 const LOGIN_PATHS = /* @__PURE__ */ new Set([
@@ -9584,37 +9683,71 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
       }
     }, 3e3);
     const sessionService = strapi2.plugin("magic-sessionmanager").service("session");
+    if (!strapi2.sessionManagerIntervals) {
+      strapi2.sessionManagerIntervals = {};
+    }
     log.info("Running initial session cleanup...");
     try {
-      const settings2 = await getPluginSettings$3(strapi2);
+      const settings2 = await getPluginSettings$4(strapi2);
       await sessionService.cleanupInactiveSessions({
         useDbDirect: settings2.cleanupUseDbDirect === true
       });
     } catch (cleanupErr) {
       log.warn("Initial cleanup failed:", cleanupErr.message);
     }
-    const cleanupInterval = 30 * 60 * 1e3;
-    const cleanupIntervalHandle = setInterval(async () => {
+    const scheduleIdleCleanup = async () => {
+      let intervalMs = 30 * 60 * 1e3;
+      let useDbDirect = false;
       try {
-        const service = strapi2.plugin("magic-sessionmanager").service("session");
-        const settings2 = await getPluginSettings$3(strapi2).catch(() => ({}));
-        await service.cleanupInactiveSessions({
-          useDbDirect: settings2.cleanupUseDbDirect === true
-        });
-      } catch (err) {
-        log.error("Periodic cleanup error:", err);
+        const settings2 = await getPluginSettings$4(strapi2);
+        intervalMs = Math.max(5 * 60 * 1e3, settings2.cleanupInterval || intervalMs);
+        useDbDirect = settings2.cleanupUseDbDirect === true;
+      } catch {
       }
-    }, cleanupInterval);
-    log.info("[TIME] Periodic cleanup scheduled (every 30 minutes)");
-    if (!strapi2.sessionManagerIntervals) {
-      strapi2.sessionManagerIntervals = {};
-    }
-    strapi2.sessionManagerIntervals.cleanup = cleanupIntervalHandle;
+      const handle = setTimeout(async () => {
+        try {
+          const service = strapi2.plugin("magic-sessionmanager").service("session");
+          await service.cleanupInactiveSessions({ useDbDirect });
+        } catch (err) {
+          log.error("Periodic cleanup error:", err);
+        }
+        scheduleIdleCleanup();
+      }, intervalMs);
+      strapi2.sessionManagerIntervals.cleanupTimeout = handle;
+    };
+    await scheduleIdleCleanup();
+    const RETENTION_INTERVAL_MS = 24 * 60 * 60 * 1e3;
+    const scheduleRetention = async () => {
+      let useDbDirect = false;
+      try {
+        const settings2 = await getPluginSettings$4(strapi2);
+        useDbDirect = settings2.cleanupUseDbDirect === true;
+      } catch {
+      }
+      const handle = setTimeout(async () => {
+        try {
+          const service = strapi2.plugin("magic-sessionmanager").service("session");
+          await service.deleteOldSessions({ useDbDirect });
+        } catch (err) {
+          log.error("Retention cleanup error:", err);
+        }
+        scheduleRetention();
+      }, RETENTION_INTERVAL_MS);
+      strapi2.sessionManagerIntervals.retentionTimeout = handle;
+    };
+    strapi2.sessionManagerIntervals.retentionStartup = setTimeout(() => {
+      scheduleRetention();
+    }, 5 * 60 * 1e3);
+    log.info("[TIME] Dynamic cleanup + retention scheduled");
     mountPreLoginGeoGuard({ strapi: strapi2, log });
     mountFailedLoginLockout({ strapi: strapi2, log });
     mountLogoutRoute({ strapi: strapi2, log, sessionService });
     mountLoginInterceptor({ strapi: strapi2, log, sessionService });
     mountRefreshTokenInterceptor({ strapi: strapi2, log });
+    strapi2.server.use(
+      sessionRejectionHeaders({}, { strapi: strapi2 })
+    );
+    log.info("[SUCCESS] Session-rejection-headers middleware mounted");
     strapi2.server.use(
       lastSeen({ strapi: strapi2, sessionService })
     );
@@ -9633,7 +9766,7 @@ function mountPreLoginGeoGuard({ strapi: strapi2, log }) {
     }
     let settings2 = {};
     try {
-      settings2 = await getPluginSettings$3(strapi2);
+      settings2 = await getPluginSettings$4(strapi2);
     } catch {
       settings2 = {};
     }
@@ -9809,7 +9942,7 @@ function mountFailedLoginLockout({ strapi: strapi2, log }) {
     if (!isLoginPath(ctx.path, ctx.method)) return next();
     let maxFailed = 0;
     try {
-      const settings2 = await getPluginSettings$3(strapi2);
+      const settings2 = await getPluginSettings$4(strapi2);
       maxFailed = Number(settings2.maxFailedLogins) || 0;
     } catch {
       maxFailed = 0;
@@ -9888,7 +10021,7 @@ function mountLoginInterceptor({ strapi: strapi2, log, sessionService }) {
       }
       log.info(`[SUCCESS] Session ${newSession.documentId} created for user ${userDocId} (IP: ${ip})`);
       try {
-        const settings2 = await getPluginSettings$3(strapi2);
+        const settings2 = await getPluginSettings$4(strapi2);
         if (!geoData || !(settings2.enableEmailAlerts || settings2.enableWebhooks)) {
           return;
         }
@@ -10205,7 +10338,7 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
       }
       let settings2;
       try {
-        settings2 = await getPluginSettings$3(strapi2);
+        settings2 = await getPluginSettings$4(strapi2);
       } catch {
         settings2 = strapi2.config.get("plugin::magic-sessionmanager") || {};
       }
@@ -10230,6 +10363,7 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
             strapi2.log.info(
               `[magic-sessionmanager] [JWT-BLOCKED] User is blocked (user: ${userDocId.substring(0, 8)}...)`
             );
+            setSessionRejectionReason(hashToken$3(token), "blocked");
             return null;
           }
         } catch {
@@ -10240,7 +10374,7 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
             user: { documentId: userDocId },
             tokenHash: tokenHashValue
           },
-          fields: ["documentId", "isActive", "terminatedManually", "lastActive", "loginTime"]
+          fields: ["documentId", "isActive", "terminatedManually", "terminationReason", "lastActive", "loginTime"]
         });
         if (thisSession) {
           if (isSessionExpired(thisSession, maxSessionAgeDays)) {
@@ -10249,15 +10383,25 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
             );
             await strapi2.documents(SESSION_UID$4).update({
               documentId: thisSession.documentId,
-              data: { isActive: false, terminatedManually: true, logoutTime: /* @__PURE__ */ new Date() }
+              data: {
+                isActive: false,
+                terminatedManually: false,
+                terminationReason: "expired",
+                logoutTime: /* @__PURE__ */ new Date()
+              }
             });
+            setSessionRejectionReason(tokenHashValue, "expired");
             return null;
           }
-          if (thisSession.terminatedManually === true) {
-            strapi2.log.info(
-              `[magic-sessionmanager] [JWT-BLOCKED] Session was manually terminated (user: ${userDocId.substring(0, 8)}...)`
-            );
-            return null;
+          if (thisSession.isActive === false) {
+            const reason = thisSession.terminationReason || (thisSession.terminatedManually === true ? "manual" : null);
+            if (reason) {
+              strapi2.log.info(
+                `[magic-sessionmanager] [JWT-REJECTED] Session inactive (reason: ${reason}) for user ${userDocId.substring(0, 8)}...`
+              );
+              setSessionRejectionReason(tokenHashValue, reason);
+              return null;
+            }
           }
           if (thisSession.isActive) {
             resetErrorCounter();
@@ -10272,8 +10416,13 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
             );
             await strapi2.documents(SESSION_UID$4).update({
               documentId: thisSession.documentId,
-              data: { terminatedManually: true, logoutTime: /* @__PURE__ */ new Date() }
+              data: {
+                terminatedManually: false,
+                terminationReason: "idle",
+                logoutTime: /* @__PURE__ */ new Date()
+              }
             });
+            setSessionRejectionReason(tokenHashValue, "idle");
             return null;
           }
           await strapi2.documents(SESSION_UID$4).update({
@@ -10341,9 +10490,10 @@ var destroy$1 = async ({ strapi: strapi2 }) => {
       if (!handle) continue;
       try {
         clearInterval(handle);
-        log.info(`[STOP] ${name} interval stopped`);
+        clearTimeout(handle);
+        log.info(`[STOP] ${name} timer stopped`);
       } catch (err) {
-        log.warn(`Failed to stop ${name} interval:`, err.message);
+        log.warn(`Failed to stop ${name} timer:`, err.message);
       }
     }
     strapi2.sessionManagerIntervals = {};
@@ -10474,6 +10624,16 @@ const attributes = {
     "default": false,
     required: false
   },
+  terminationReason: {
+    type: "enumeration",
+    "enum": [
+      "manual",
+      "idle",
+      "expired",
+      "blocked"
+    ],
+    required: false
+  },
   geoLocation: {
     type: "json"
   },
@@ -10507,10 +10667,16 @@ var contentTypes$2 = {
   }
 };
 const writeRateLimit = [
-  { name: "plugin::magic-sessionmanager.rate-limit", config: { max: 10, window: 6e4 } }
+  {
+    name: "plugin::magic-sessionmanager.rate-limit",
+    config: { profile: "write", max: 10, window: 6e4 }
+  }
 ];
 const readRateLimit = [
-  { name: "plugin::magic-sessionmanager.rate-limit", config: { max: 120, window: 6e4 } }
+  {
+    name: "plugin::magic-sessionmanager.rate-limit",
+    config: { profile: "read", max: 120, window: 6e4 }
+  }
 ];
 var contentApi$1 = {
   type: "content-api",
@@ -10913,15 +11079,22 @@ var enhanceSession_1 = { enhanceSession: enhanceSession$1, enhanceSessions: enha
 const { hashToken: hashToken$2 } = encryption;
 const { enhanceSessions: enhanceSessions$1, enhanceSession } = enhanceSession_1;
 const { resolveUserDocumentId: resolveUserDocumentId$2 } = resolveUser;
-const { getPluginSettings: getPluginSettings$2 } = settingsLoader;
+const { getPluginSettings: getPluginSettings$3 } = settingsLoader;
 const { extractBearerToken: extractBearerToken$1 } = extractToken;
 const SESSION_UID$2 = "plugin::magic-sessionmanager.session";
 const USER_UID = "plugin::users-permissions.user";
+const OWN_SESSIONS_LIMIT = 200;
+async function resolveAuthUserDocId(ctx) {
+  const u2 = ctx.state.user;
+  if (!u2) return null;
+  if (u2.documentId) return u2.documentId;
+  if (u2.id) return resolveUserDocumentId$2(strapi, u2.id);
+  return null;
+}
 var session$3 = {
   /**
    * Lists all sessions (active + inactive) for admin overviews.
    * @route GET /magic-sessionmanager/sessions
-   * @returns {object} `{ data, meta }`
    */
   async getAllSessionsAdmin(ctx) {
     try {
@@ -10943,7 +11116,6 @@ var session$3 = {
   /**
    * Lists currently-active sessions only.
    * @route GET /magic-sessionmanager/sessions/active
-   * @returns {object} `{ data, meta }`
    */
   async getActiveSessions(ctx) {
     try {
@@ -10959,35 +11131,33 @@ var session$3 = {
     }
   },
   /**
-   * Returns the authenticated user's own sessions, with the current session
-   * flagged via `isCurrentSession`.
-   *
+   * Returns the authenticated user's own sessions, current session flagged.
    * @route GET /api/magic-sessionmanager/my-sessions
-   * @returns {object} `{ data, meta }`
-   * @throws {UnauthorizedError} When user is not authenticated
    */
   async getOwnSessions(ctx) {
     try {
-      const userId = ctx.state.user?.documentId;
+      const userDocId = await resolveAuthUserDocId(ctx);
+      if (!userDocId) {
+        return ctx.unauthorized("Authentication required");
+      }
       const currentToken = extractBearerToken$1(ctx);
       const currentTokenHash = currentToken ? hashToken$2(currentToken) : null;
-      if (!userId) {
-        return ctx.throw(401, "Unauthorized");
-      }
       const allSessions = await strapi.documents(SESSION_UID$2).findMany({
-        filters: { user: { documentId: userId } },
+        filters: { user: { documentId: userDocId } },
         sort: { loginTime: "desc" },
-        limit: 200
+        limit: OWN_SESSIONS_LIMIT + 1
       });
-      const settings2 = await getPluginSettings$2(strapi);
+      const hasMore = allSessions.length > OWN_SESSIONS_LIMIT;
+      const paged = hasMore ? allSessions.slice(0, OWN_SESSIONS_LIMIT) : allSessions;
+      const settings2 = await getPluginSettings$3(strapi);
       const enhanceOpts = {
         inactivityTimeout: settings2.inactivityTimeout || 15 * 60 * 1e3,
         geolocationService: strapi.plugin("magic-sessionmanager").service("geolocation"),
         strapi
       };
-      const sessionsWithCurrent = await enhanceSessions$1(allSessions, enhanceOpts, 20);
+      const sessionsWithCurrent = await enhanceSessions$1(paged, enhanceOpts, 20);
       for (const s3 of sessionsWithCurrent) {
-        s3.isCurrentSession = !!(currentTokenHash && allSessions.find(
+        s3.isCurrentSession = !!(currentTokenHash && paged.find(
           (raw) => raw.documentId === s3.documentId && raw.tokenHash === currentTokenHash
         ));
       }
@@ -11000,7 +11170,9 @@ var session$3 = {
         data: sessionsWithCurrent,
         meta: {
           count: sessionsWithCurrent.length,
-          active: sessionsWithCurrent.filter((s3) => s3.isTrulyActive).length
+          active: sessionsWithCurrent.filter((s3) => s3.isTrulyActive).length,
+          hasMore,
+          limit: OWN_SESSIONS_LIMIT
         }
       };
     } catch (err) {
@@ -11009,18 +11181,14 @@ var session$3 = {
     }
   },
   /**
-   * Get a specific user's sessions. Admins may query any user; Content-API
+   * Get a specific user's sessions. Admins can query any user; content-api
    * users can only query themselves.
-   *
-   * @route GET /magic-sessionmanager/user/:userId/sessions (admin)
-   * @route GET /api/magic-sessionmanager/user/:userId/sessions (content-api)
-   * @throws {ForbiddenError} When a non-admin requests another user's sessions
    */
   async getUserSessions(ctx) {
     try {
       const { userId } = ctx.params;
       const isAdminRequest = !!(ctx.state.userAbility || ctx.state.admin);
-      const requestingUserDocId = ctx.state.user?.documentId;
+      const requestingUserDocId = await resolveAuthUserDocId(ctx);
       if (!isAdminRequest) {
         if (!requestingUserDocId) {
           strapi.log.warn(`[magic-sessionmanager] Security: Request without documentId tried to access sessions of user ${userId}`);
@@ -11049,26 +11217,34 @@ var session$3 = {
    */
   async logout(ctx) {
     try {
-      const userId = ctx.state.user?.documentId;
+      const userDocId = await resolveAuthUserDocId(ctx);
       const token = extractBearerToken$1(ctx);
-      if (!userId || !token) {
-        return ctx.throw(401, "Unauthorized");
+      if (!userDocId || !token) {
+        return ctx.unauthorized("Authentication required");
       }
       const sessionService = strapi.plugin("magic-sessionmanager").service("session");
       const currentTokenHash = hashToken$2(token);
       const matchingSession = await strapi.documents(SESSION_UID$2).findFirst({
         filters: {
-          user: { documentId: userId },
+          user: { documentId: userDocId },
           tokenHash: currentTokenHash,
           isActive: true
         },
         fields: ["documentId"]
       });
+      let terminated = false;
       if (matchingSession) {
-        await sessionService.terminateSession({ sessionId: matchingSession.documentId });
-        strapi.log.info(`[magic-sessionmanager] User ${userId} logged out (session ${matchingSession.documentId})`);
+        await sessionService.terminateSession({
+          sessionId: matchingSession.documentId,
+          reason: "manual"
+        });
+        terminated = true;
+        strapi.log.info(`[magic-sessionmanager] User ${userDocId} logged out (session ${matchingSession.documentId})`);
       }
-      ctx.body = { message: "Logged out successfully" };
+      ctx.body = {
+        message: "Logged out successfully",
+        terminated
+      };
     } catch (err) {
       strapi.log.error("[magic-sessionmanager] Logout error:", err);
       ctx.throw(500, "Error during logout");
@@ -11080,13 +11256,13 @@ var session$3 = {
    */
   async logoutAll(ctx) {
     try {
-      const userId = ctx.state.user?.documentId;
-      if (!userId) {
-        return ctx.throw(401, "Unauthorized");
+      const userDocId = await resolveAuthUserDocId(ctx);
+      if (!userDocId) {
+        return ctx.unauthorized("Authentication required");
       }
       const sessionService = strapi.plugin("magic-sessionmanager").service("session");
-      await sessionService.terminateSession({ userId });
-      strapi.log.info(`[magic-sessionmanager] User ${userId} logged out from all devices`);
+      await sessionService.terminateSession({ userId: userDocId, reason: "manual" });
+      strapi.log.info(`[magic-sessionmanager] User ${userDocId} logged out from all devices`);
       ctx.body = { message: "Logged out from all devices successfully" };
     } catch (err) {
       strapi.log.error("[magic-sessionmanager] Logout-all error:", err);
@@ -11095,27 +11271,48 @@ var session$3 = {
   },
   /**
    * Returns the session associated with the current JWT.
+   *
+   * During the post-login grace window the session-create write may not
+   * yet be visible. In that case we return 202 Accepted with
+   * `{ pending: true }` so the client knows to retry shortly instead of
+   * interpreting a 404 as "no session at all".
+   *
    * @route GET /api/magic-sessionmanager/current-session
    */
   async getCurrentSession(ctx) {
     try {
-      const userId = ctx.state.user?.documentId;
+      const userDocId = await resolveAuthUserDocId(ctx);
       const token = extractBearerToken$1(ctx);
-      if (!userId || !token) {
-        return ctx.throw(401, "Unauthorized");
+      if (!userDocId || !token) {
+        return ctx.unauthorized("Authentication required");
       }
       const currentTokenHash = hashToken$2(token);
       const currentSession = await strapi.documents(SESSION_UID$2).findFirst({
         filters: {
-          user: { documentId: userId },
+          user: { documentId: userDocId },
           tokenHash: currentTokenHash,
           isActive: true
         }
       });
       if (!currentSession) {
+        const settings3 = await getPluginSettings$3(strapi);
+        const gracePeriodMs = Math.max(0, Number(settings3.sessionCreationGraceMs) || 5e3);
+        const iat = ctx.state.user?.iat || ctx.state.auth?.credentials?.iat || null;
+        if (gracePeriodMs > 0 && typeof iat === "number") {
+          const ageMs = Date.now() - iat * 1e3;
+          if (ageMs >= 0 && ageMs < gracePeriodMs) {
+            ctx.status = 202;
+            ctx.body = {
+              data: null,
+              meta: { pending: true, retryAfterMs: gracePeriodMs - ageMs },
+              message: "Session is still being created — please retry shortly."
+            };
+            return;
+          }
+        }
         return ctx.notFound("Current session not found");
       }
-      const settings2 = await getPluginSettings$2(strapi);
+      const settings2 = await getPluginSettings$3(strapi);
       const enhanced = await enhanceSession(currentSession, {
         inactivityTimeout: settings2.inactivityTimeout || 15 * 60 * 1e3,
         geolocationService: strapi.plugin("magic-sessionmanager").service("geolocation"),
@@ -11131,17 +11328,17 @@ var session$3 = {
     }
   },
   /**
-   * Terminates one of the authenticated user's OWN sessions (not the current one).
+   * Terminates one of the authenticated user's OWN sessions (not current).
    * @route DELETE /api/magic-sessionmanager/my-sessions/:sessionId
    */
   async terminateOwnSession(ctx) {
     try {
-      const userId = ctx.state.user?.documentId;
+      const userDocId = await resolveAuthUserDocId(ctx);
       const { sessionId } = ctx.params;
       const currentToken = extractBearerToken$1(ctx);
       const currentTokenHash = currentToken ? hashToken$2(currentToken) : null;
-      if (!userId) {
-        return ctx.throw(401, "Unauthorized");
+      if (!userDocId) {
+        return ctx.unauthorized("Authentication required");
       }
       if (!sessionId) {
         return ctx.badRequest("Session ID is required");
@@ -11154,19 +11351,23 @@ var session$3 = {
         return ctx.notFound("Session not found");
       }
       const sessionUserId = sessionToTerminate.user?.documentId;
-      if (sessionUserId !== userId) {
-        strapi.log.warn(`[magic-sessionmanager] Security: User ${userId} tried to terminate session ${sessionId} of user ${sessionUserId}`);
+      if (sessionUserId !== userDocId) {
+        strapi.log.warn(`[magic-sessionmanager] Security: User ${userDocId} tried to terminate session ${sessionId} of user ${sessionUserId}`);
         return ctx.forbidden("You can only terminate your own sessions");
       }
       if (currentTokenHash && sessionToTerminate.tokenHash === currentTokenHash) {
-        return ctx.badRequest("Cannot terminate current session. Use /logout instead.");
+        return ctx.badRequest("Cannot terminate the current session. Use /logout instead.");
+      }
+      const alreadyTerminated = sessionToTerminate.isActive === false;
+      if (!alreadyTerminated) {
+        const sessionService = strapi.plugin("magic-sessionmanager").service("session");
+        await sessionService.terminateSession({ sessionId, reason: "manual" });
+        strapi.log.info(`[magic-sessionmanager] User ${userDocId} terminated own session ${sessionId}`);
       }
-      const sessionService = strapi.plugin("magic-sessionmanager").service("session");
-      await sessionService.terminateSession({ sessionId });
-      strapi.log.info(`[magic-sessionmanager] User ${userId} terminated own session ${sessionId}`);
       ctx.body = {
-        message: `Session ${sessionId} terminated successfully`,
-        success: true
+        message: alreadyTerminated ? `Session ${sessionId} was already terminated` : `Session ${sessionId} terminated successfully`,
+        success: true,
+        alreadyTerminated
       };
     } catch (err) {
       strapi.log.error("[magic-sessionmanager] Error terminating own session:", err);
@@ -11174,9 +11375,7 @@ var session$3 = {
     }
   },
   /**
-   * Sets isActive:false + terminatedManually:false on a session, simulating
-   * a cleanup timeout. Available only outside of production/staging.
-   *
+   * Simulates an inactivity timeout on a session. Dev-only.
    * @route POST /magic-sessionmanager/sessions/:sessionId/simulate-timeout
    */
   async simulateTimeout(ctx) {
@@ -11195,13 +11394,16 @@ var session$3 = {
       }
       await strapi.documents(SESSION_UID$2).update({
         documentId: sessionId,
-        data: { isActive: false, terminatedManually: false }
+        data: {
+          isActive: false,
+          terminatedManually: false,
+          terminationReason: "idle"
+        }
       });
-      strapi.log.info(`[magic-sessionmanager] [TEST] Session ${sessionId} simulated timeout (terminatedManually: false)`);
+      strapi.log.info(`[magic-sessionmanager] [TEST] Session ${sessionId} simulated timeout`);
       ctx.body = {
-        message: `Session ${sessionId} marked as timed out (reactivatable)`,
-        success: true,
-        terminatedManually: false
+        message: `Session ${sessionId} marked as timed out`,
+        success: true
       };
     } catch (err) {
       strapi.log.error("[magic-sessionmanager] Error simulating timeout:", err);
@@ -11210,13 +11412,12 @@ var session$3 = {
   },
   /**
    * Terminates a specific session (admin action).
-   * @route POST /magic-sessionmanager/sessions/:sessionId/terminate
    */
   async terminateSingleSession(ctx) {
     try {
       const { sessionId } = ctx.params;
       const sessionService = strapi.plugin("magic-sessionmanager").service("session");
-      await sessionService.terminateSession({ sessionId });
+      await sessionService.terminateSession({ sessionId, reason: "manual" });
       ctx.body = {
         message: `Session ${sessionId} terminated`,
         success: true
@@ -11228,13 +11429,12 @@ var session$3 = {
   },
   /**
    * Terminates ALL sessions for a specific user (admin action).
-   * @route POST /magic-sessionmanager/user/:userId/terminate-all
    */
   async terminateAllUserSessions(ctx) {
     try {
       const { userId } = ctx.params;
       const sessionService = strapi.plugin("magic-sessionmanager").service("session");
-      await sessionService.terminateSession({ userId });
+      await sessionService.terminateSession({ userId, reason: "manual" });
       ctx.body = {
         message: `All sessions terminated for user ${userId}`,
         success: true
@@ -11246,9 +11446,6 @@ var session$3 = {
   },
   /**
    * Returns geolocation data for a specific IP address (Premium feature).
-   *
-   * @route GET /magic-sessionmanager/geolocation/:ipAddress
-   * @throws {ForbiddenError} When no premium license is active
    */
   async getIpGeolocation(ctx) {
     try {
@@ -11275,10 +11472,7 @@ var session$3 = {
         return ctx.badRequest("Invalid IP address format");
       }
       const licenseGuard2 = strapi.plugin("magic-sessionmanager").service("license-guard");
-      const pluginStore = strapi.store({
-        type: "plugin",
-        name: "magic-sessionmanager"
-      });
+      const pluginStore = strapi.store({ type: "plugin", name: "magic-sessionmanager" });
       const licenseKey = await pluginStore.get({ key: "licenseKey" });
       if (!licenseKey) {
         return ctx.forbidden("Premium license required for geolocation features");
@@ -11300,7 +11494,6 @@ var session$3 = {
   },
   /**
    * Permanently deletes a session (admin action).
-   * @route DELETE /magic-sessionmanager/sessions/:sessionId
    */
   async deleteSession(ctx) {
     try {
@@ -11318,7 +11511,6 @@ var session$3 = {
   },
   /**
    * Deletes all inactive sessions (admin action).
-   * @route POST /magic-sessionmanager/sessions/clean-inactive
    */
   async cleanInactiveSessions(ctx) {
     try {
@@ -11336,9 +11528,6 @@ var session$3 = {
   },
   /**
    * Toggles a user's blocked status and terminates their sessions on block.
-   *
-   * @route POST /magic-sessionmanager/user/:userId/toggle-block
-   * @throws {NotFoundError} When the user cannot be found
    */
   async toggleUserBlock(ctx) {
     try {
@@ -11354,11 +11543,11 @@ var session$3 = {
         }
       }
       if (!userDocumentId) {
-        return ctx.throw(404, "User not found");
+        return ctx.notFound("User not found");
       }
       const user = await strapi.documents(USER_UID).findOne({ documentId: userDocumentId });
       if (!user) {
-        return ctx.throw(404, "User not found");
+        return ctx.notFound("User not found");
       }
       const newBlockedStatus = !user.blocked;
       await strapi.documents(USER_UID).update({
@@ -11367,7 +11556,7 @@ var session$3 = {
       });
       if (newBlockedStatus) {
         const sessionService = strapi.plugin("magic-sessionmanager").service("session");
-        await sessionService.terminateSession({ userId: userDocumentId });
+        await sessionService.terminateSession({ userId: userDocumentId, reason: "blocked" });
       }
       ctx.body = {
         message: `User ${newBlockedStatus ? "blocked" : "unblocked"} successfully`,
@@ -11859,13 +12048,13 @@ const { createLogger: createLogger$1 } = logger;
 const { parseUserAgent } = userAgentParser;
 const { resolveUserDocumentId: resolveUserDocumentId$1 } = resolveUser;
 const { enhanceSessions } = enhanceSession_1;
-const { getPluginSettings: getPluginSettings$1 } = settingsLoader;
+const { getPluginSettings: getPluginSettings$2 } = settingsLoader;
 const SESSION_UID$1 = "plugin::magic-sessionmanager.session";
 const MAX_SESSIONS_QUERY = 1e3;
 var session$1 = ({ strapi: strapi2 }) => {
   const log = createLogger$1(strapi2);
   async function getEnhanceOpts() {
-    const settings2 = await getPluginSettings$1(strapi2);
+    const settings2 = await getPluginSettings$2(strapi2);
     return {
       inactivityTimeout: settings2.inactivityTimeout || 15 * 60 * 1e3,
       geolocationService: strapi2.plugin("magic-sessionmanager").service("geolocation"),
@@ -11934,15 +12123,38 @@ var session$1 = ({ strapi: strapi2 }) => {
       }
     },
     /**
-     * Terminates a single session or all sessions of a user.
+     * Terminates a single session or all sessions of a user with a typed
+     * reason so the JWT-verify wrapper and downstream middleware can
+     * communicate the cause to the client (and we can show sensible UI).
+     *
+     * Supported reasons:
+     *   - 'manual':   user clicked logout, or admin terminated a session
+     *   - 'idle':     inactivity timeout cleanup
+     *   - 'expired':  maxSessionAgeDays exceeded
+     *   - 'blocked':  the owning user was marked blocked
+     *
+     * For backwards compatibility `terminatedManually` is still set true
+     * only when reason === 'manual'; idle/expired/blocked paths set it
+     * false so reporting dashboards that queried that boolean continue
+     * to work, while new code relies on `terminationReason`.
+     *
      * @param {Object} params
      * @param {string} [params.sessionId]
      * @param {string|number} [params.userId]
+     * @param {'manual'|'idle'|'expired'|'blocked'} [params.reason='manual']
      * @returns {Promise<void>}
      */
-    async terminateSession({ sessionId, userId }) {
+    async terminateSession({ sessionId, userId, reason = "manual" }) {
       try {
         const now = /* @__PURE__ */ new Date();
+        const validReasons = ["manual", "idle", "expired", "blocked"];
+        const finalReason = validReasons.includes(reason) ? reason : "manual";
+        const updateData = {
+          isActive: false,
+          terminatedManually: finalReason === "manual",
+          terminationReason: finalReason,
+          logoutTime: now
+        };
         if (sessionId) {
           const existing = await strapi2.documents(SESSION_UID$1).findOne({
             documentId: sessionId,
@@ -11954,9 +12166,9 @@ var session$1 = ({ strapi: strapi2 }) => {
           }
           await strapi2.documents(SESSION_UID$1).update({
             documentId: sessionId,
-            data: { isActive: false, terminatedManually: true, logoutTime: now }
+            data: updateData
           });
-          log.info(`Session ${sessionId} terminated (manual)`);
+          log.info(`Session ${sessionId} terminated (reason: ${finalReason})`);
         } else if (userId) {
           const userDocumentId = await resolveUserDocumentId$1(strapi2, userId);
           if (!userDocumentId) return;
@@ -11968,10 +12180,10 @@ var session$1 = ({ strapi: strapi2 }) => {
           for (const session2 of activeSessions) {
             await strapi2.documents(SESSION_UID$1).update({
               documentId: session2.documentId,
-              data: { isActive: false, terminatedManually: true, logoutTime: now }
+              data: updateData
             });
           }
-          log.info(`All sessions terminated (manual) for user ${userDocumentId}`);
+          log.info(`All sessions terminated for user ${userDocumentId} (reason: ${finalReason})`);
         }
       } catch (err) {
         log.error("Error terminating session:", err);
@@ -12056,7 +12268,7 @@ var session$1 = ({ strapi: strapi2 }) => {
     async touch({ userId, sessionId, token }) {
       try {
         const now = /* @__PURE__ */ new Date();
-        const settings2 = await getPluginSettings$1(strapi2);
+        const settings2 = await getPluginSettings$2(strapi2);
         const rateLimit2 = settings2.lastSeenRateLimit || 3e4;
         let session2 = null;
         let sessionDocId = sessionId;
@@ -12125,7 +12337,7 @@ var session$1 = ({ strapi: strapi2 }) => {
      */
     async cleanupInactiveSessions({ useDbDirect = false } = {}) {
       try {
-        const settings2 = await getPluginSettings$1(strapi2);
+        const settings2 = await getPluginSettings$2(strapi2);
         const inactivityTimeout = settings2.inactivityTimeout || 15 * 60 * 1e3;
         const now = /* @__PURE__ */ new Date();
         const cutoffTime = new Date(now.getTime() - inactivityTimeout);
@@ -12138,7 +12350,8 @@ var session$1 = ({ strapi: strapi2 }) => {
               });
             }).update({
               is_active: false,
-              terminated_manually: true,
+              terminated_manually: false,
+              termination_reason: "idle",
               logout_time: now
             });
             log.info(`[SUCCESS] Cleanup (db-direct) complete: ${deactivated} sessions deactivated`);
@@ -12179,7 +12392,8 @@ var session$1 = ({ strapi: strapi2 }) => {
               documentId,
               data: {
                 isActive: false,
-                terminatedManually: true,
+                terminatedManually: false,
+                terminationReason: "idle",
                 logoutTime: now
               }
             });
@@ -12210,6 +12424,81 @@ var session$1 = ({ strapi: strapi2 }) => {
         throw err;
       }
     },
+    /**
+     * Permanently deletes sessions that have been inactive past the
+     * configured retention window. Distinct from `deleteInactiveSessions`
+     * (which deletes ALL inactive sessions) — this only drops rows older
+     * than `retentionDays`, so recently-terminated sessions stay queryable
+     * for audits.
+     *
+     * @param {Object} [options]
+     * @param {number} [options.retentionDays]    Overrides the stored setting.
+     * @param {boolean} [options.useDbDirect]     Fast-path via single SQL
+     *   DELETE. Bypasses lifecycle hooks; use only when necessary.
+     * @returns {Promise<number>} Number of sessions deleted
+     */
+    async deleteOldSessions({ retentionDays, useDbDirect } = {}) {
+      try {
+        const settings2 = await getPluginSettings$2(strapi2);
+        const effectiveDays = Number.isFinite(retentionDays) ? retentionDays : settings2.retentionDays || 90;
+        if (effectiveDays === -1) {
+          log.debug("[RETENTION] retentionDays=-1 (forever) — skipping");
+          return 0;
+        }
+        const cutoffDate = new Date(Date.now() - effectiveDays * 24 * 60 * 60 * 1e3);
+        const wantDbDirect = useDbDirect ?? settings2.cleanupUseDbDirect === true;
+        log.info(`[RETENTION] Deleting inactive sessions older than ${effectiveDays} days (before ${cutoffDate.toISOString()})`);
+        if (wantDbDirect) {
+          try {
+            const deleted = await strapi2.db.connection("magic_sessions").where("is_active", false).andWhere(function whereOldEnough() {
+              this.where("logout_time", "<", cutoffDate).orWhere(function whereNullLogout() {
+                this.whereNull("logout_time").andWhere(function whereOldByActivity() {
+                  this.where("last_active", "<", cutoffDate).orWhere(function whereNullActivity() {
+                    this.whereNull("last_active").andWhere("login_time", "<", cutoffDate);
+                  });
+                });
+              });
+            }).del();
+            log.info(`[SUCCESS] Retention (db-direct) deleted ${deleted} old session(s)`);
+            return deleted;
+          } catch (err) {
+            log.warn("[RETENTION] DB-direct delete failed, falling back to Document Service:", err.message);
+          }
+        }
+        let deletedCount = 0;
+        const BATCH = 200;
+        while (true) {
+          const batch = await strapi2.documents(SESSION_UID$1).findMany({
+            filters: {
+              isActive: false,
+              $or: [
+                { logoutTime: { $lt: cutoffDate } },
+                { logoutTime: { $null: true }, lastActive: { $lt: cutoffDate } },
+                { logoutTime: { $null: true }, lastActive: { $null: true }, loginTime: { $lt: cutoffDate } }
+              ]
+            },
+            fields: ["documentId"],
+            sort: { loginTime: "asc" },
+            limit: BATCH
+          });
+          if (!batch || batch.length === 0) break;
+          for (const session2 of batch) {
+            try {
+              await strapi2.documents(SESSION_UID$1).delete({ documentId: session2.documentId });
+              deletedCount++;
+            } catch (err) {
+              log.debug(`[RETENTION] Failed to delete session ${session2.documentId}:`, err.message);
+            }
+          }
+          if (batch.length < BATCH) break;
+        }
+        log.info(`[SUCCESS] Retention deleted ${deletedCount} old session(s)`);
+        return deletedCount;
+      } catch (err) {
+        log.error("Error in retention cleanup:", err);
+        return 0;
+      }
+    },
     /**
      * Permanently deletes all inactive sessions.
      * Uses an inner scan loop that tolerates partial failures.
@@ -12255,7 +12544,7 @@ var session$1 = ({ strapi: strapi2 }) => {
     }
   };
 };
-const version$1 = "4.5.0";
+const version$1 = "4.5.2";
 const require$$2 = {
   version: version$1
 };
@@ -13213,6 +13502,7 @@ var services$1 = {
   geolocation,
   notifications
 };
+const { getPluginSettings: getPluginSettings$1 } = settingsLoader;
 const buckets = /* @__PURE__ */ new Map();
 const prune = (now) => {
   for (const [key, entry] of buckets) {
@@ -13226,10 +13516,45 @@ const callerKey = (ctx) => {
   if (tokenId) return `t:${String(tokenId).slice(-16)}`;
   return `ip:${ctx.request.ip || ctx.ip || "unknown"}`;
 };
+const RESOLVED_TTL_MS = 3e4;
+let resolvedCache = null;
+let resolvedAt = 0;
+async function resolveLimits({ profile, routeMax, routeWindowMs, strapi: strapi2 }) {
+  const now = Date.now();
+  if (resolvedCache && now - resolvedAt < RESOLVED_TTL_MS) {
+    const p = resolvedCache[profile];
+    if (p) {
+      return { max: p.max, windowMs: p.windowMs };
+    }
+  }
+  let settings2 = {};
+  try {
+    settings2 = await getPluginSettings$1(strapi2);
+  } catch {
+    settings2 = {};
+  }
+  const windowSec = Number.isFinite(settings2.rateLimitWindowSeconds) ? settings2.rateLimitWindowSeconds : Math.round(routeWindowMs / 1e3);
+  const windowMs = Math.max(1e4, windowSec * 1e3);
+  const resolvedWrite = {
+    max: Math.min(routeMax, Number.isFinite(settings2.rateLimitWriteMax) ? settings2.rateLimitWriteMax : routeMax),
+    windowMs
+  };
+  const resolvedRead = {
+    max: Math.max(routeMax, Number.isFinite(settings2.rateLimitReadMax) ? settings2.rateLimitReadMax : routeMax),
+    windowMs
+  };
+  resolvedCache = { read: resolvedRead, write: resolvedWrite };
+  resolvedAt = now;
+  if (profile === "read") return resolvedRead;
+  if (profile === "write") return resolvedWrite;
+  return { max: routeMax, windowMs };
+}
 const rateLimit = (cfg = {}, { strapi: strapi2 }) => {
-  const max = Number.isFinite(cfg.max) ? cfg.max : 30;
-  const windowMs = Number.isFinite(cfg.window) ? cfg.window : 6e4;
+  const routeMax = Number.isFinite(cfg.max) ? cfg.max : 30;
+  const routeWindowMs = Number.isFinite(cfg.window) ? cfg.window : 6e4;
+  const profile = cfg.profile === "read" || cfg.profile === "write" ? cfg.profile : null;
   return async (ctx, next) => {
+    const { max, windowMs } = profile ? await resolveLimits({ profile, routeMax, routeWindowMs, strapi: strapi2 }) : { max: routeMax, windowMs: routeWindowMs };
     const key = `${ctx.path}::${callerKey(ctx)}`;
     const now = Date.now();
     if (buckets.size > 5e3) prune(now);
@@ -13263,7 +13588,8 @@ const rateLimit = (cfg = {}, { strapi: strapi2 }) => {
 var rateLimit_1 = rateLimit;
 var middlewares$1 = {
   "last-seen": lastSeen,
-  "rate-limit": rateLimit_1
+  "rate-limit": rateLimit_1,
+  "session-rejection-headers": sessionRejectionHeaders
 };
 var lodashExports = requireLodash();
 const ___default = /* @__PURE__ */ getDefaultExportFromCjs(lodashExports);
@@ -51344,18 +51670,18 @@ const CSP_DEFAULTS = {
     "blob:"
   ]
 };
-const extendMiddlewareConfiguration = (middlewares2, middleware) => {
+const extendMiddlewareConfiguration = (middlewares2, middleware2) => {
   return middlewares2.map((currentMiddleware) => {
-    if (typeof currentMiddleware === "string" && currentMiddleware === middleware.name) {
-      return middleware;
+    if (typeof currentMiddleware === "string" && currentMiddleware === middleware2.name) {
+      return middleware2;
     }
-    if (typeof currentMiddleware === "object" && currentMiddleware.name === middleware.name) {
+    if (typeof currentMiddleware === "object" && currentMiddleware.name === middleware2.name) {
       return fp.mergeWith((objValue, srcValue) => {
         if (Array.isArray(objValue)) {
           return Array.from(new Set(objValue.concat(srcValue)));
         }
         return void 0;
-      }, currentMiddleware, middleware);
+      }, currentMiddleware, middleware2);
     }
     return currentMiddleware;
   });