strapi-plugin-magic-sessionmanager 4.5.2 → 4.5.4

package/dist/server/index.mjs

@@ -161,7 +161,16 @@ var register$1 = async ({ strapi: strapi2 }) => {
             try {
               await strapi2.documents(SESSION_UID$6).update({
                 documentId: session2.documentId,
-                data: { isActive: false, terminatedManually: true, logoutTime: now }
+                data: {
+                  isActive: false,
+                  // Blocked users are NOT a "manual" self-logout — mark
+                  // this distinctly so the client receives a different
+                  // error message ("account blocked") rather than
+                  // "session terminated".
+                  terminatedManually: false,
+                  terminationReason: "blocked",
+                  logoutTime: now
+                }
               });
               terminated++;
             } catch (updateErr) {
@@ -291,27 +300,27 @@ function generateSessionId$1(userId) {
   const userHash = crypto$1.createHash("sha256").update(userId.toString()).digest("hex").substring(0, 8);
   return `sess_${timestamp2}_${userHash}_${randomBytes}`;
 }
-function hashToken$5(token) {
+function hashToken$6(token) {
   if (!token) return null;
   return crypto$1.createHash("sha256").update(token).digest("hex");
 }
 var encryption = {
   encryptToken: encryptToken$2,
   generateSessionId: generateSessionId$1,
-  hashToken: hashToken$5
+  hashToken: hashToken$6
 };
 const USER_UID$1 = "plugin::users-permissions.user";
-const cache = /* @__PURE__ */ new Map();
+const cache$1 = /* @__PURE__ */ new Map();
 const CACHE_TTL = 5 * 60 * 1e3;
 const CACHE_MAX_SIZE = 1e3;
 function evict() {
   const now = Date.now();
-  for (const [key, value] of cache) {
-    if (now - value.ts >= CACHE_TTL) cache.delete(key);
+  for (const [key, value] of cache$1) {
+    if (now - value.ts >= CACHE_TTL) cache$1.delete(key);
   }
-  if (cache.size >= CACHE_MAX_SIZE) {
-    const keysToDelete = [...cache.keys()].slice(0, Math.floor(CACHE_MAX_SIZE / 4));
-    keysToDelete.forEach((k2) => cache.delete(k2));
+  if (cache$1.size >= CACHE_MAX_SIZE) {
+    const keysToDelete = [...cache$1.keys()].slice(0, Math.floor(CACHE_MAX_SIZE / 4));
+    keysToDelete.forEach((k2) => cache$1.delete(k2));
   }
 }
 async function resolveUserDocumentId$5(strapi2, userId) {
@@ -321,17 +330,17 @@ async function resolveUserDocumentId$5(strapi2, userId) {
   }
   const numericId = typeof userId === "number" ? userId : parseInt(userId, 10);
   const cacheKey = `u_${numericId}`;
-  const cached2 = cache.get(cacheKey);
+  const cached2 = cache$1.get(cacheKey);
   if (cached2 && Date.now() - cached2.ts < CACHE_TTL) {
     return cached2.documentId;
   }
-  if (cache.size >= CACHE_MAX_SIZE) evict();
+  if (cache$1.size >= CACHE_MAX_SIZE) evict();
   try {
     const user = await strapi2.entityService.findOne(USER_UID$1, numericId, {
       fields: ["documentId"]
     });
     if (user?.documentId) {
-      cache.set(cacheKey, { documentId: user.documentId, ts: Date.now() });
+      cache$1.set(cacheKey, { documentId: user.documentId, ts: Date.now() });
       return user.documentId;
     }
   } catch {
@@ -392,6 +401,15 @@ function normalizeStoredSettings(stored) {
   if (stored.sessionCreationGraceMs !== void 0) {
     out.sessionCreationGraceMs = toIntInRange(stored.sessionCreationGraceMs, 5e3, 0, 3e4);
   }
+  if (stored.rateLimitWriteMax !== void 0) {
+    out.rateLimitWriteMax = toIntInRange(stored.rateLimitWriteMax, 10, 1, 1e3);
+  }
+  if (stored.rateLimitReadMax !== void 0) {
+    out.rateLimitReadMax = toIntInRange(stored.rateLimitReadMax, 120, 1, 1e4);
+  }
+  if (stored.rateLimitWindowSeconds !== void 0) {
+    out.rateLimitWindowSeconds = toIntInRange(stored.rateLimitWindowSeconds, 60, 10, 3600);
+  }
   for (const key of passthroughBooleans) {
     if (stored[key] !== void 0) out[key] = !!stored[key];
   }
@@ -415,7 +433,7 @@ function normalizeStoredSettings(stored) {
   }
   return out;
 }
-async function getPluginSettings$5(strapi2) {
+async function getPluginSettings$6(strapi2) {
   const now = Date.now();
   if (cached$1 && now - cachedAt < CACHE_TTL_MS) {
     return cached$1;
@@ -439,12 +457,12 @@ function invalidateSettingsCache$1() {
   cachedAt = 0;
 }
 var settingsLoader = {
-  getPluginSettings: getPluginSettings$5,
+  getPluginSettings: getPluginSettings$6,
   invalidateSettingsCache: invalidateSettingsCache$1
 };
 const MIN_TOKEN_LENGTH = 40;
 const MAX_TOKEN_LENGTH = 8192;
-function extractBearerToken$4(ctx) {
+function extractBearerToken$5(ctx) {
   const headers = ctx?.request?.headers || ctx?.request?.header || {};
   const raw = headers.authorization || headers.Authorization;
   if (!raw || typeof raw !== "string") return null;
@@ -454,9 +472,76 @@ function extractBearerToken$4(ctx) {
   if (!token || token.length < MIN_TOKEN_LENGTH || token.length > MAX_TOKEN_LENGTH) return null;
   return token;
 }
-var extractToken = { extractBearerToken: extractBearerToken$4 };
+var extractToken = { extractBearerToken: extractBearerToken$5 };
+const TTL_MS = 60 * 1e3;
+const MAX_ENTRIES = 1e4;
+const cache = /* @__PURE__ */ new Map();
+const prune$1 = () => {
+  const now = Date.now();
+  for (const [k2, v] of cache) {
+    if (v.expiresAt <= now) cache.delete(k2);
+  }
+};
+function setSessionRejectionReason$1(tokenHash, reason) {
+  if (!tokenHash || !reason) return;
+  if (cache.size >= MAX_ENTRIES) prune$1();
+  cache.set(tokenHash, { reason, expiresAt: Date.now() + TTL_MS });
+}
+function consumeSessionRejectionReason$2(tokenHash) {
+  if (!tokenHash) return null;
+  const entry = cache.get(tokenHash);
+  if (!entry) return null;
+  cache.delete(tokenHash);
+  if (entry.expiresAt <= Date.now()) return null;
+  return entry.reason;
+}
+var rejectionCache = {
+  setSessionRejectionReason: setSessionRejectionReason$1,
+  consumeSessionRejectionReason: consumeSessionRejectionReason$2
+};
+const { extractBearerToken: extractBearerToken$4 } = extractToken;
+const { hashToken: hashToken$5 } = encryption;
+const { consumeSessionRejectionReason: consumeSessionRejectionReason$1 } = rejectionCache;
+const HEADER = "X-Session-Terminated-Reason";
+const REASON_MESSAGES = {
+  manual: "Your session was terminated. Please log in again.",
+  idle: "Your session expired due to inactivity. Please log in again.",
+  expired: "Your session has reached its maximum age. Please log in again.",
+  blocked: "Your account has been blocked. Contact support."
+};
+const middleware = () => async (ctx, next) => {
+  await next();
+  if (ctx.status !== 401) return;
+  const token = extractBearerToken$4(ctx);
+  if (!token) return;
+  const reason = consumeSessionRejectionReason$1(hashToken$5(token));
+  if (!reason) return;
+  ctx.set(HEADER, reason);
+  const existing = ctx.body;
+  const friendlyMessage = REASON_MESSAGES[reason] || "Session invalid. Please log in again.";
+  if (existing && typeof existing === "object" && existing.error) {
+    existing.error.details = existing.error.details || {};
+    if (!existing.error.details.reason) {
+      existing.error.details.reason = reason;
+    }
+    if (!existing.error.message || existing.error.message === "Unauthorized") {
+      existing.error.message = friendlyMessage;
+    }
+    return;
+  }
+  ctx.body = {
+    data: null,
+    error: {
+      status: 401,
+      name: "UnauthorizedError",
+      message: friendlyMessage,
+      details: { reason }
+    }
+  };
+};
+var sessionRejectionHeaders = middleware;
 const { resolveUserDocumentId: resolveUserDocumentId$4 } = resolveUser;
-const { getPluginSettings: getPluginSettings$4 } = settingsLoader;
+const { getPluginSettings: getPluginSettings$5 } = settingsLoader;
 const { extractBearerToken: extractBearerToken$3 } = extractToken;
 const { hashToken: hashToken$4 } = encryption;
 const SESSION_UID$5 = "plugin::magic-sessionmanager.session";
@@ -477,65 +562,75 @@ function isAuthEndpoint(path2) {
 var lastSeen = ({ strapi: strapi2, sessionService }) => {
   return async (ctx, next) => {
     if (isAuthEndpoint(ctx.path)) {
-      await next();
-      return;
+      return next();
+    }
+    if (!ctx.state.user) {
+      return next();
     }
-    if (ctx.state.user) {
+    let userDocId = ctx.state.user.documentId;
+    if (!userDocId && ctx.state.user.id) {
       try {
-        let userDocId2 = ctx.state.user.documentId;
-        if (!userDocId2 && ctx.state.user.id) {
-          userDocId2 = await resolveUserDocumentId$4(strapi2, ctx.state.user.id);
-        }
-        if (userDocId2) {
-          const settings2 = await getPluginSettings$4(strapi2);
-          const strictMode = settings2.strictSessionEnforcement === true;
-          const token = extractBearerToken$3(ctx);
-          const tokenHashValue = token ? hashToken$4(token) : null;
-          const thisSession = tokenHashValue ? await strapi2.documents(SESSION_UID$5).findFirst({
-            filters: { user: { documentId: userDocId2 }, tokenHash: tokenHashValue },
-            fields: ["documentId", "isActive", "terminatedManually"]
-          }) : null;
-          if (thisSession) {
-            if (thisSession.terminatedManually === true) {
-              strapi2.log.info(`[magic-sessionmanager] [BLOCKED] Session was manually terminated (user: ${userDocId2.substring(0, 8)}...)`);
-              return ctx.unauthorized("Session terminated. Please login again.");
-            }
-            ctx.state.userDocumentId = userDocId2;
-            ctx.state.__magicSessionId = thisSession.documentId;
-            await next();
-            if (thisSession.isActive) {
-              try {
-                await sessionService.touch({
-                  userId: userDocId2,
-                  sessionId: thisSession.documentId
-                });
-              } catch (err) {
-                strapi2.log.debug("[magic-sessionmanager] Error updating lastSeen:", err.message);
-              }
-            }
-            return;
-          }
-          if (strictMode) {
-            strapi2.log.info(`[magic-sessionmanager] [BLOCKED] No session matches this token (user: ${userDocId2.substring(0, 8)}..., strictMode)`);
-            return ctx.unauthorized("No valid session. Please login again.");
-          }
-          strapi2.log.warn(`[magic-sessionmanager] [WARN] No session for token (user: ${userDocId2.substring(0, 8)}...) - allowing in non-strict mode`);
-          ctx.state.userDocumentId = userDocId2;
-        }
+        userDocId = await resolveUserDocumentId$4(strapi2, ctx.state.user.id);
       } catch (err) {
-        strapi2.log.debug("[magic-sessionmanager] Error checking active sessions:", err.message);
+        strapi2.log.debug("[magic-sessionmanager] user doc-id lookup failed:", err.message);
+        return next();
       }
     }
-    await next();
-    const userDocId = ctx.state.userDocumentId || ctx.state.user?.documentId;
-    const sessionId = ctx.state.__magicSessionId;
-    if (userDocId && sessionId) {
+    if (!userDocId) {
+      return next();
+    }
+    const settings2 = await getPluginSettings$5(strapi2).catch(() => ({}));
+    const strictMode = settings2.strictSessionEnforcement === true;
+    const gracePeriodMs = Math.max(0, Number(settings2.sessionCreationGraceMs) || 5e3);
+    const token = extractBearerToken$3(ctx);
+    const tokenHashValue = token ? hashToken$4(token) : null;
+    let thisSession = null;
+    if (tokenHashValue) {
+      try {
+        thisSession = await strapi2.documents(SESSION_UID$5).findFirst({
+          filters: { user: { documentId: userDocId }, tokenHash: tokenHashValue },
+          fields: ["documentId", "isActive", "terminatedManually", "terminationReason"]
+        });
+      } catch (err) {
+        strapi2.log.debug("[magic-sessionmanager] session lookup failed:", err.message);
+      }
+    }
+    if (thisSession) {
+      if (thisSession.isActive === false) {
+        return ctx.unauthorized("Session terminated. Please login again.");
+      }
+      ctx.state.userDocumentId = userDocId;
+      ctx.state.__magicSessionId = thisSession.documentId;
+      await next();
       try {
-        await sessionService.touch({ userId: userDocId, sessionId });
+        await sessionService.touch({
+          userId: userDocId,
+          sessionId: thisSession.documentId
+        });
       } catch (err) {
         strapi2.log.debug("[magic-sessionmanager] Error updating lastSeen:", err.message);
       }
+      return;
+    }
+    if (strictMode) {
+      const iat = ctx.state.user?.iat;
+      if (gracePeriodMs > 0 && typeof iat === "number") {
+        const ageMs = Date.now() - iat * 1e3;
+        if (ageMs >= 0 && ageMs < gracePeriodMs) {
+          ctx.state.userDocumentId = userDocId;
+          return next();
+        }
+      }
+      strapi2.log.info(
+        `[magic-sessionmanager] [BLOCKED] No session matches this token (user: ${userDocId.substring(0, 8)}..., strictMode)`
+      );
+      return ctx.unauthorized("No valid session. Please login again.");
     }
+    strapi2.log.debug(
+      `[magic-sessionmanager] [WARN] No session for token (user: ${userDocId.substring(0, 8)}...) - allowing in non-strict mode`
+    );
+    ctx.state.userDocumentId = userDocId;
+    return next();
   };
 };
 var jsonwebtoken = { exports: {} };
@@ -9502,8 +9597,12 @@ const getClientIp = getClientIp_1;
 const { encryptToken: encryptToken$1, hashToken: hashToken$3 } = encryption;
 const { createLogger: createLogger$3 } = logger;
 const { resolveUserDocumentId: resolveUserDocumentId$3 } = resolveUser;
-const { getPluginSettings: getPluginSettings$3 } = settingsLoader;
+const { getPluginSettings: getPluginSettings$4 } = settingsLoader;
 const { extractBearerToken: extractBearerToken$2 } = extractToken;
+const {
+  setSessionRejectionReason,
+  consumeSessionRejectionReason
+} = rejectionCache;
 const SESSION_UID$4 = "plugin::magic-sessionmanager.session";
 const JWT_WRAPPED_FLAG = Symbol.for("magic-sessionmanager.jwt.wrapped");
 const LOGIN_PATHS = /* @__PURE__ */ new Set([
@@ -9576,7 +9675,7 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
     }
     log.info("Running initial session cleanup...");
     try {
-      const settings2 = await getPluginSettings$3(strapi2);
+      const settings2 = await getPluginSettings$4(strapi2);
       await sessionService.cleanupInactiveSessions({
         useDbDirect: settings2.cleanupUseDbDirect === true
       });
@@ -9587,7 +9686,7 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
       let intervalMs = 30 * 60 * 1e3;
       let useDbDirect = false;
       try {
-        const settings2 = await getPluginSettings$3(strapi2);
+        const settings2 = await getPluginSettings$4(strapi2);
         intervalMs = Math.max(5 * 60 * 1e3, settings2.cleanupInterval || intervalMs);
         useDbDirect = settings2.cleanupUseDbDirect === true;
       } catch {
@@ -9608,7 +9707,7 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
     const scheduleRetention = async () => {
       let useDbDirect = false;
       try {
-        const settings2 = await getPluginSettings$3(strapi2);
+        const settings2 = await getPluginSettings$4(strapi2);
         useDbDirect = settings2.cleanupUseDbDirect === true;
       } catch {
       }
@@ -9632,6 +9731,10 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
     mountLogoutRoute({ strapi: strapi2, log, sessionService });
     mountLoginInterceptor({ strapi: strapi2, log, sessionService });
     mountRefreshTokenInterceptor({ strapi: strapi2, log });
+    strapi2.server.use(
+      sessionRejectionHeaders({}, { strapi: strapi2 })
+    );
+    log.info("[SUCCESS] Session-rejection-headers middleware mounted");
     strapi2.server.use(
       lastSeen({ strapi: strapi2, sessionService })
     );
@@ -9650,7 +9753,7 @@ function mountPreLoginGeoGuard({ strapi: strapi2, log }) {
     }
     let settings2 = {};
     try {
-      settings2 = await getPluginSettings$3(strapi2);
+      settings2 = await getPluginSettings$4(strapi2);
     } catch {
       settings2 = {};
     }
@@ -9826,7 +9929,7 @@ function mountFailedLoginLockout({ strapi: strapi2, log }) {
     if (!isLoginPath(ctx.path, ctx.method)) return next();
     let maxFailed = 0;
     try {
-      const settings2 = await getPluginSettings$3(strapi2);
+      const settings2 = await getPluginSettings$4(strapi2);
       maxFailed = Number(settings2.maxFailedLogins) || 0;
     } catch {
       maxFailed = 0;
@@ -9865,17 +9968,28 @@ function mountFailedLoginLockout({ strapi: strapi2, log }) {
   });
   log.info("[SUCCESS] Failed-login lockout middleware mounted");
 }
+function isJwtIssuingPath(path2, method) {
+  if (!path2) return false;
+  const get2 = method === "GET";
+  const post = method === "POST";
+  if (post && path2 === "/api/auth/local") return true;
+  if (post && path2 === "/api/auth/local/register") return true;
+  if (post && path2 === "/api/auth/reset-password") return true;
+  if ((get2 || post) && path2 === "/api/auth/email-confirmation") return true;
+  if (get2 && /^\/api\/auth\/[a-z0-9-]+\/callback$/i.test(path2)) return true;
+  if ((get2 || post) && path2.startsWith("/api/magic-link/login")) return true;
+  if (post && path2 === "/api/magic-link/verify-mfa-totp") return true;
+  if (post && path2 === "/api/magic-link/otp/verify") return true;
+  if (post && path2 === "/api/magic-link/login-totp") return true;
+  if ((get2 || post) && path2.startsWith("/api/passwordless/")) return true;
+  return false;
+}
 function mountLoginInterceptor({ strapi: strapi2, log, sessionService }) {
   strapi2.server.use(async (ctx, next) => {
     await next();
-    const isAuthLocal = ctx.path === "/api/auth/local" && ctx.method === "POST";
-    const isMagicLinkLogin = ctx.path.includes("/magic-link/login") && (ctx.method === "GET" || ctx.method === "POST");
-    const isMagicLinkMFA = ctx.path.includes("/magic-link/verify-mfa-totp") && ctx.method === "POST";
-    const isMagicLinkOTP = ctx.path.includes("/magic-link/otp/verify") && ctx.method === "POST";
-    const isMagicLink = isMagicLinkLogin || isMagicLinkMFA || isMagicLinkOTP;
-    if (!((isAuthLocal || isMagicLink) && ctx.status === 200 && ctx.body && ctx.body.jwt && ctx.body.user)) {
-      return;
-    }
+    if (!isJwtIssuingPath(ctx.path, ctx.method)) return;
+    if (ctx.status !== 200) return;
+    if (!ctx.body || !ctx.body.jwt || !ctx.body.user) return;
     try {
       const user = ctx.body.user;
       const ip = getClientIp(ctx);
@@ -9905,7 +10019,7 @@ function mountLoginInterceptor({ strapi: strapi2, log, sessionService }) {
       }
       log.info(`[SUCCESS] Session ${newSession.documentId} created for user ${userDocId} (IP: ${ip})`);
       try {
-        const settings2 = await getPluginSettings$3(strapi2);
+        const settings2 = await getPluginSettings$4(strapi2);
         if (!geoData || !(settings2.enableEmailAlerts || settings2.enableWebhooks)) {
           return;
         }
@@ -10076,11 +10190,19 @@ function mountRefreshTokenInterceptor({ strapi: strapi2, log }) {
   log.info("[SUCCESS] Refresh token interceptor middleware mounted");
 }
 async function ensureContentApiPermissions(strapi2, log) {
+  const PERMISSIONS_VERSION = 2;
   try {
     const pluginStore = strapi2.store({ type: "plugin", name: "magic-sessionmanager" });
-    const alreadyInitialized = await pluginStore.get({ key: "contentApiPermissionsInitialized" });
-    if (alreadyInitialized === true) {
-      log.debug("Content-API permissions already initialized (skipping auto-setup)");
+    const storedVersion = await pluginStore.get({ key: "contentApiPermissionsVersion" });
+    if (storedVersion === void 0) {
+      const legacyFlag = await pluginStore.get({ key: "contentApiPermissionsInitialized" });
+      if (legacyFlag === true) {
+        await pluginStore.set({ key: "contentApiPermissionsVersion", value: 1 });
+      }
+    }
+    const effectiveVersion = await pluginStore.get({ key: "contentApiPermissionsVersion" });
+    if (effectiveVersion >= PERMISSIONS_VERSION) {
+      log.debug("Content-API permissions already at current version (skipping auto-setup)");
       return;
     }
     const ROLE_UID = "plugin::users-permissions.role";
@@ -10098,6 +10220,7 @@ async function ensureContentApiPermissions(strapi2, log) {
     const requiredActions = [
       "plugin::magic-sessionmanager.session.logout",
       "plugin::magic-sessionmanager.session.logoutAll",
+      "plugin::magic-sessionmanager.session.logoutOthers",
       "plugin::magic-sessionmanager.session.getOwnSessions",
       "plugin::magic-sessionmanager.session.getUserSessions",
       "plugin::magic-sessionmanager.session.getCurrentSession",
@@ -10114,7 +10237,7 @@ async function ensureContentApiPermissions(strapi2, log) {
     const existingActions = existingPermissions.map((p) => p.action);
     const missingActions = requiredActions.filter((action) => !existingActions.includes(action));
     if (missingActions.length === 0) {
-      await pluginStore.set({ key: "contentApiPermissionsInitialized", value: true });
+      await pluginStore.set({ key: "contentApiPermissionsVersion", value: PERMISSIONS_VERSION });
       log.debug("Content-API permissions already configured");
       return;
     }
@@ -10124,7 +10247,7 @@ async function ensureContentApiPermissions(strapi2, log) {
       });
       log.info(`[PERMISSION] Enabled ${action} for authenticated users`);
     }
-    await pluginStore.set({ key: "contentApiPermissionsInitialized", value: true });
+    await pluginStore.set({ key: "contentApiPermissionsVersion", value: PERMISSIONS_VERSION });
     log.info("[SUCCESS] Content-API permissions configured for authenticated users");
   } catch (err) {
     log.warn("Could not auto-configure permissions:", err.message);
@@ -10222,7 +10345,7 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
       }
       let settings2;
       try {
-        settings2 = await getPluginSettings$3(strapi2);
+        settings2 = await getPluginSettings$4(strapi2);
       } catch {
         settings2 = strapi2.config.get("plugin::magic-sessionmanager") || {};
       }
@@ -10247,6 +10370,7 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
             strapi2.log.info(
               `[magic-sessionmanager] [JWT-BLOCKED] User is blocked (user: ${userDocId.substring(0, 8)}...)`
             );
+            setSessionRejectionReason(hashToken$3(token), "blocked");
             return null;
           }
         } catch {
@@ -10257,7 +10381,7 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
             user: { documentId: userDocId },
             tokenHash: tokenHashValue
           },
-          fields: ["documentId", "isActive", "terminatedManually", "lastActive", "loginTime"]
+          fields: ["documentId", "isActive", "terminatedManually", "terminationReason", "lastActive", "loginTime"]
         });
         if (thisSession) {
           if (isSessionExpired(thisSession, maxSessionAgeDays)) {
@@ -10266,15 +10390,25 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
             );
             await strapi2.documents(SESSION_UID$4).update({
               documentId: thisSession.documentId,
-              data: { isActive: false, terminatedManually: true, logoutTime: /* @__PURE__ */ new Date() }
+              data: {
+                isActive: false,
+                terminatedManually: false,
+                terminationReason: "expired",
+                logoutTime: /* @__PURE__ */ new Date()
+              }
             });
+            setSessionRejectionReason(tokenHashValue, "expired");
             return null;
           }
-          if (thisSession.terminatedManually === true) {
-            strapi2.log.info(
-              `[magic-sessionmanager] [JWT-BLOCKED] Session was manually terminated (user: ${userDocId.substring(0, 8)}...)`
-            );
-            return null;
+          if (thisSession.isActive === false) {
+            const reason = thisSession.terminationReason || (thisSession.terminatedManually === true ? "manual" : null);
+            if (reason) {
+              strapi2.log.info(
+                `[magic-sessionmanager] [JWT-REJECTED] Session inactive (reason: ${reason}) for user ${userDocId.substring(0, 8)}...`
+              );
+              setSessionRejectionReason(tokenHashValue, reason);
+              return null;
+            }
           }
           if (thisSession.isActive) {
             resetErrorCounter();
@@ -10289,8 +10423,13 @@ async function registerSessionAwareAuthStrategy(strapi2, log) {
             );
             await strapi2.documents(SESSION_UID$4).update({
               documentId: thisSession.documentId,
-              data: { terminatedManually: true, logoutTime: /* @__PURE__ */ new Date() }
+              data: {
+                terminatedManually: false,
+                terminationReason: "idle",
+                logoutTime: /* @__PURE__ */ new Date()
+              }
             });
+            setSessionRejectionReason(tokenHashValue, "idle");
             return null;
           }
           await strapi2.documents(SESSION_UID$4).update({
@@ -10492,6 +10631,16 @@ const attributes = {
     "default": false,
     required: false
   },
+  terminationReason: {
+    type: "enumeration",
+    "enum": [
+      "manual",
+      "idle",
+      "expired",
+      "blocked"
+    ],
+    required: false
+  },
   geoLocation: {
     type: "json"
   },
@@ -10525,10 +10674,16 @@ var contentTypes$2 = {
   }
 };
 const writeRateLimit = [
-  { name: "plugin::magic-sessionmanager.rate-limit", config: { max: 10, window: 6e4 } }
+  {
+    name: "plugin::magic-sessionmanager.rate-limit",
+    config: { profile: "write", max: 10, window: 6e4 }
+  }
 ];
 const readRateLimit = [
-  { name: "plugin::magic-sessionmanager.rate-limit", config: { max: 120, window: 6e4 } }
+  {
+    name: "plugin::magic-sessionmanager.rate-limit",
+    config: { profile: "read", max: 120, window: 6e4 }
+  }
 ];
 var contentApi$1 = {
   type: "content-api",
@@ -10551,7 +10706,17 @@ var contentApi$1 = {
       config: {
         auth: { strategies: ["users-permissions"] },
         middlewares: writeRateLimit,
-        description: "Logout from all devices (requires JWT)"
+        description: "Logout from ALL devices including the current one (requires JWT)"
+      }
+    },
+    {
+      method: "POST",
+      path: "/logout-others",
+      handler: "session.logoutOthers",
+      config: {
+        auth: { strategies: ["users-permissions"] },
+        middlewares: writeRateLimit,
+        description: "Logout from all OTHER devices, keep current session alive (requires JWT)"
       }
     },
     // ================== SESSION QUERIES ==================
@@ -10931,15 +11096,22 @@ var enhanceSession_1 = { enhanceSession: enhanceSession$1, enhanceSessions: enha
 const { hashToken: hashToken$2 } = encryption;
 const { enhanceSessions: enhanceSessions$1, enhanceSession } = enhanceSession_1;
 const { resolveUserDocumentId: resolveUserDocumentId$2 } = resolveUser;
-const { getPluginSettings: getPluginSettings$2 } = settingsLoader;
+const { getPluginSettings: getPluginSettings$3 } = settingsLoader;
 const { extractBearerToken: extractBearerToken$1 } = extractToken;
 const SESSION_UID$2 = "plugin::magic-sessionmanager.session";
 const USER_UID = "plugin::users-permissions.user";
+const OWN_SESSIONS_LIMIT = 200;
+async function resolveAuthUserDocId(ctx) {
+  const u2 = ctx.state.user;
+  if (!u2) return null;
+  if (u2.documentId) return u2.documentId;
+  if (u2.id) return resolveUserDocumentId$2(strapi, u2.id);
+  return null;
+}
 var session$3 = {
   /**
    * Lists all sessions (active + inactive) for admin overviews.
    * @route GET /magic-sessionmanager/sessions
-   * @returns {object} `{ data, meta }`
    */
   async getAllSessionsAdmin(ctx) {
     try {
@@ -10961,7 +11133,6 @@ var session$3 = {
   /**
    * Lists currently-active sessions only.
    * @route GET /magic-sessionmanager/sessions/active
-   * @returns {object} `{ data, meta }`
    */
   async getActiveSessions(ctx) {
     try {
@@ -10977,35 +11148,33 @@ var session$3 = {
     }
   },
   /**
-   * Returns the authenticated user's own sessions, with the current session
-   * flagged via `isCurrentSession`.
-   *
+   * Returns the authenticated user's own sessions, current session flagged.
    * @route GET /api/magic-sessionmanager/my-sessions
-   * @returns {object} `{ data, meta }`
-   * @throws {UnauthorizedError} When user is not authenticated
    */
   async getOwnSessions(ctx) {
     try {
-      const userId = ctx.state.user?.documentId;
+      const userDocId = await resolveAuthUserDocId(ctx);
+      if (!userDocId) {
+        return ctx.unauthorized("Authentication required");
+      }
       const currentToken = extractBearerToken$1(ctx);
       const currentTokenHash = currentToken ? hashToken$2(currentToken) : null;
-      if (!userId) {
-        return ctx.throw(401, "Unauthorized");
-      }
       const allSessions = await strapi.documents(SESSION_UID$2).findMany({
-        filters: { user: { documentId: userId } },
+        filters: { user: { documentId: userDocId } },
         sort: { loginTime: "desc" },
-        limit: 200
+        limit: OWN_SESSIONS_LIMIT + 1
       });
-      const settings2 = await getPluginSettings$2(strapi);
+      const hasMore = allSessions.length > OWN_SESSIONS_LIMIT;
+      const paged = hasMore ? allSessions.slice(0, OWN_SESSIONS_LIMIT) : allSessions;
+      const settings2 = await getPluginSettings$3(strapi);
       const enhanceOpts = {
         inactivityTimeout: settings2.inactivityTimeout || 15 * 60 * 1e3,
         geolocationService: strapi.plugin("magic-sessionmanager").service("geolocation"),
         strapi
       };
-      const sessionsWithCurrent = await enhanceSessions$1(allSessions, enhanceOpts, 20);
+      const sessionsWithCurrent = await enhanceSessions$1(paged, enhanceOpts, 20);
       for (const s3 of sessionsWithCurrent) {
-        s3.isCurrentSession = !!(currentTokenHash && allSessions.find(
+        s3.isCurrentSession = !!(currentTokenHash && paged.find(
           (raw) => raw.documentId === s3.documentId && raw.tokenHash === currentTokenHash
         ));
       }
@@ -11018,7 +11187,9 @@ var session$3 = {
         data: sessionsWithCurrent,
         meta: {
           count: sessionsWithCurrent.length,
-          active: sessionsWithCurrent.filter((s3) => s3.isTrulyActive).length
+          active: sessionsWithCurrent.filter((s3) => s3.isTrulyActive).length,
+          hasMore,
+          limit: OWN_SESSIONS_LIMIT
         }
       };
     } catch (err) {
@@ -11027,18 +11198,14 @@ var session$3 = {
     }
   },
   /**
-   * Get a specific user's sessions. Admins may query any user; Content-API
+   * Get a specific user's sessions. Admins can query any user; content-api
    * users can only query themselves.
-   *
-   * @route GET /magic-sessionmanager/user/:userId/sessions (admin)
-   * @route GET /api/magic-sessionmanager/user/:userId/sessions (content-api)
-   * @throws {ForbiddenError} When a non-admin requests another user's sessions
    */
   async getUserSessions(ctx) {
     try {
       const { userId } = ctx.params;
       const isAdminRequest = !!(ctx.state.userAbility || ctx.state.admin);
-      const requestingUserDocId = ctx.state.user?.documentId;
+      const requestingUserDocId = await resolveAuthUserDocId(ctx);
       if (!isAdminRequest) {
         if (!requestingUserDocId) {
           strapi.log.warn(`[magic-sessionmanager] Security: Request without documentId tried to access sessions of user ${userId}`);
@@ -11067,73 +11234,177 @@ var session$3 = {
    */
   async logout(ctx) {
     try {
-      const userId = ctx.state.user?.documentId;
+      const userDocId = await resolveAuthUserDocId(ctx);
       const token = extractBearerToken$1(ctx);
-      if (!userId || !token) {
-        return ctx.throw(401, "Unauthorized");
+      if (!userDocId || !token) {
+        return ctx.unauthorized("Authentication required");
       }
       const sessionService = strapi.plugin("magic-sessionmanager").service("session");
       const currentTokenHash = hashToken$2(token);
       const matchingSession = await strapi.documents(SESSION_UID$2).findFirst({
         filters: {
-          user: { documentId: userId },
+          user: { documentId: userDocId },
           tokenHash: currentTokenHash,
           isActive: true
         },
         fields: ["documentId"]
       });
+      let terminated = false;
       if (matchingSession) {
-        await sessionService.terminateSession({ sessionId: matchingSession.documentId });
-        strapi.log.info(`[magic-sessionmanager] User ${userId} logged out (session ${matchingSession.documentId})`);
+        await sessionService.terminateSession({
+          sessionId: matchingSession.documentId,
+          reason: "manual"
+        });
+        terminated = true;
+        strapi.log.info(`[magic-sessionmanager] User ${userDocId} logged out (session ${matchingSession.documentId})`);
       }
-      ctx.body = { message: "Logged out successfully" };
+      ctx.body = {
+        message: "Logged out successfully",
+        terminated
+      };
     } catch (err) {
       strapi.log.error("[magic-sessionmanager] Logout error:", err);
       ctx.throw(500, "Error during logout");
     }
   },
   /**
-   * Terminates all sessions of the authenticated user.
+   * Terminates EVERY session of the authenticated user — including the
+   * current one. After this call the caller will also be logged out on
+   * the next request (their own JWT is rejected by the JWT-verify wrapper
+   * with reason=manual).
+   *
+   * For the "log me out everywhere ELSE but keep me here" flow, use
+   * `/logout-others` below.
+   *
    * @route POST /api/magic-sessionmanager/logout-all
    */
   async logoutAll(ctx) {
     try {
-      const userId = ctx.state.user?.documentId;
-      if (!userId) {
-        return ctx.throw(401, "Unauthorized");
+      const userDocId = await resolveAuthUserDocId(ctx);
+      if (!userDocId) {
+        return ctx.unauthorized("Authentication required");
       }
       const sessionService = strapi.plugin("magic-sessionmanager").service("session");
-      await sessionService.terminateSession({ userId });
-      strapi.log.info(`[magic-sessionmanager] User ${userId} logged out from all devices`);
-      ctx.body = { message: "Logged out from all devices successfully" };
+      const { terminatedCount } = await sessionService.terminateSession({
+        userId: userDocId,
+        reason: "manual"
+      });
+      strapi.log.info(
+        `[magic-sessionmanager] User ${userDocId} logged out from all devices (${terminatedCount})`
+      );
+      ctx.body = {
+        message: "Logged out from all devices successfully",
+        terminatedCount
+      };
     } catch (err) {
       strapi.log.error("[magic-sessionmanager] Logout-all error:", err);
       ctx.throw(500, "Error during logout");
     }
   },
+  /**
+   * Terminates every session of the authenticated user EXCEPT the current
+   * one. This is the "kick everyone else off my account" flow — the
+   * caller stays logged in on the device they are using.
+   *
+   * If no "current session" record can be located for the caller's JWT
+   * (edge case: user logged in before the session-manager was installed,
+   * or right at the end of the grace window) we fall back to terminating
+   * ALL sessions so the user still gets the safety effect they asked for,
+   * and we report `fellBackToLogoutAll: true` so the client can adjust
+   * its success message.
+   *
+   * @route POST /api/magic-sessionmanager/logout-others
+   */
+  async logoutOthers(ctx) {
+    try {
+      const userDocId = await resolveAuthUserDocId(ctx);
+      const token = extractBearerToken$1(ctx);
+      if (!userDocId || !token) {
+        return ctx.unauthorized("Authentication required");
+      }
+      const currentTokenHash = hashToken$2(token);
+      const currentSession = await strapi.documents(SESSION_UID$2).findFirst({
+        filters: { user: { documentId: userDocId }, tokenHash: currentTokenHash },
+        fields: ["documentId"]
+      });
+      const sessionService = strapi.plugin("magic-sessionmanager").service("session");
+      if (!currentSession) {
+        const { terminatedCount: terminatedCount2 } = await sessionService.terminateSession({
+          userId: userDocId,
+          reason: "manual"
+        });
+        strapi.log.warn(
+          `[magic-sessionmanager] logoutOthers fell back to logoutAll for user ${userDocId} (no current session match)`
+        );
+        ctx.body = {
+          message: "All sessions terminated (could not preserve current session)",
+          terminatedCount: terminatedCount2,
+          fellBackToLogoutAll: true
+        };
+        return;
+      }
+      const { terminatedCount } = await sessionService.terminateSession({
+        userId: userDocId,
+        exceptSessionId: currentSession.documentId,
+        reason: "manual"
+      });
+      strapi.log.info(
+        `[magic-sessionmanager] User ${userDocId} logged out ${terminatedCount} other device(s)`
+      );
+      ctx.body = {
+        message: terminatedCount === 0 ? "No other active sessions to terminate" : `${terminatedCount} other session(s) terminated`,
+        terminatedCount,
+        currentSessionPreserved: true
+      };
+    } catch (err) {
+      strapi.log.error("[magic-sessionmanager] Logout-others error:", err);
+      ctx.throw(500, "Error terminating other sessions");
+    }
+  },
   /**
    * Returns the session associated with the current JWT.
+   *
+   * During the post-login grace window the session-create write may not
+   * yet be visible. In that case we return 202 Accepted with
+   * `{ pending: true }` so the client knows to retry shortly instead of
+   * interpreting a 404 as "no session at all".
+   *
    * @route GET /api/magic-sessionmanager/current-session
    */
   async getCurrentSession(ctx) {
     try {
-      const userId = ctx.state.user?.documentId;
+      const userDocId = await resolveAuthUserDocId(ctx);
       const token = extractBearerToken$1(ctx);
-      if (!userId || !token) {
-        return ctx.throw(401, "Unauthorized");
+      if (!userDocId || !token) {
+        return ctx.unauthorized("Authentication required");
       }
       const currentTokenHash = hashToken$2(token);
       const currentSession = await strapi.documents(SESSION_UID$2).findFirst({
         filters: {
-          user: { documentId: userId },
+          user: { documentId: userDocId },
           tokenHash: currentTokenHash,
           isActive: true
         }
       });
       if (!currentSession) {
+        const settings3 = await getPluginSettings$3(strapi);
+        const gracePeriodMs = Math.max(0, Number(settings3.sessionCreationGraceMs) || 5e3);
+        const iat = ctx.state.user?.iat || ctx.state.auth?.credentials?.iat || null;
+        if (gracePeriodMs > 0 && typeof iat === "number") {
+          const ageMs = Date.now() - iat * 1e3;
+          if (ageMs >= 0 && ageMs < gracePeriodMs) {
+            ctx.status = 202;
+            ctx.body = {
+              data: null,
+              meta: { pending: true, retryAfterMs: gracePeriodMs - ageMs },
+              message: "Session is still being created — please retry shortly."
+            };
+            return;
+          }
+        }
         return ctx.notFound("Current session not found");
       }
-      const settings2 = await getPluginSettings$2(strapi);
+      const settings2 = await getPluginSettings$3(strapi);
       const enhanced = await enhanceSession(currentSession, {
         inactivityTimeout: settings2.inactivityTimeout || 15 * 60 * 1e3,
         geolocationService: strapi.plugin("magic-sessionmanager").service("geolocation"),
@@ -11149,17 +11420,17 @@ var session$3 = {
     }
   },
   /**
-   * Terminates one of the authenticated user's OWN sessions (not the current one).
+   * Terminates one of the authenticated user's OWN sessions (not current).
    * @route DELETE /api/magic-sessionmanager/my-sessions/:sessionId
    */
   async terminateOwnSession(ctx) {
     try {
-      const userId = ctx.state.user?.documentId;
+      const userDocId = await resolveAuthUserDocId(ctx);
       const { sessionId } = ctx.params;
       const currentToken = extractBearerToken$1(ctx);
       const currentTokenHash = currentToken ? hashToken$2(currentToken) : null;
-      if (!userId) {
-        return ctx.throw(401, "Unauthorized");
+      if (!userDocId) {
+        return ctx.unauthorized("Authentication required");
       }
       if (!sessionId) {
         return ctx.badRequest("Session ID is required");
@@ -11172,19 +11443,23 @@ var session$3 = {
         return ctx.notFound("Session not found");
       }
       const sessionUserId = sessionToTerminate.user?.documentId;
-      if (sessionUserId !== userId) {
-        strapi.log.warn(`[magic-sessionmanager] Security: User ${userId} tried to terminate session ${sessionId} of user ${sessionUserId}`);
+      if (sessionUserId !== userDocId) {
+        strapi.log.warn(`[magic-sessionmanager] Security: User ${userDocId} tried to terminate session ${sessionId} of user ${sessionUserId}`);
         return ctx.forbidden("You can only terminate your own sessions");
       }
       if (currentTokenHash && sessionToTerminate.tokenHash === currentTokenHash) {
-        return ctx.badRequest("Cannot terminate current session. Use /logout instead.");
+        return ctx.badRequest("Cannot terminate the current session. Use /logout instead.");
+      }
+      const alreadyTerminated = sessionToTerminate.isActive === false;
+      if (!alreadyTerminated) {
+        const sessionService = strapi.plugin("magic-sessionmanager").service("session");
+        await sessionService.terminateSession({ sessionId, reason: "manual" });
+        strapi.log.info(`[magic-sessionmanager] User ${userDocId} terminated own session ${sessionId}`);
       }
-      const sessionService = strapi.plugin("magic-sessionmanager").service("session");
-      await sessionService.terminateSession({ sessionId });
-      strapi.log.info(`[magic-sessionmanager] User ${userId} terminated own session ${sessionId}`);
       ctx.body = {
-        message: `Session ${sessionId} terminated successfully`,
-        success: true
+        message: alreadyTerminated ? `Session ${sessionId} was already terminated` : `Session ${sessionId} terminated successfully`,
+        success: true,
+        alreadyTerminated
       };
     } catch (err) {
       strapi.log.error("[magic-sessionmanager] Error terminating own session:", err);
@@ -11192,9 +11467,7 @@ var session$3 = {
     }
   },
   /**
-   * Sets isActive:false + terminatedManually:false on a session, simulating
-   * a cleanup timeout. Available only outside of production/staging.
-   *
+   * Simulates an inactivity timeout on a session. Dev-only.
    * @route POST /magic-sessionmanager/sessions/:sessionId/simulate-timeout
    */
   async simulateTimeout(ctx) {
@@ -11213,13 +11486,16 @@ var session$3 = {
       }
       await strapi.documents(SESSION_UID$2).update({
         documentId: sessionId,
-        data: { isActive: false, terminatedManually: false }
+        data: {
+          isActive: false,
+          terminatedManually: false,
+          terminationReason: "idle"
+        }
       });
-      strapi.log.info(`[magic-sessionmanager] [TEST] Session ${sessionId} simulated timeout (terminatedManually: false)`);
+      strapi.log.info(`[magic-sessionmanager] [TEST] Session ${sessionId} simulated timeout`);
       ctx.body = {
-        message: `Session ${sessionId} marked as timed out (reactivatable)`,
-        success: true,
-        terminatedManually: false
+        message: `Session ${sessionId} marked as timed out`,
+        success: true
       };
     } catch (err) {
       strapi.log.error("[magic-sessionmanager] Error simulating timeout:", err);
@@ -11228,13 +11504,12 @@ var session$3 = {
   },
   /**
    * Terminates a specific session (admin action).
-   * @route POST /magic-sessionmanager/sessions/:sessionId/terminate
    */
   async terminateSingleSession(ctx) {
     try {
       const { sessionId } = ctx.params;
       const sessionService = strapi.plugin("magic-sessionmanager").service("session");
-      await sessionService.terminateSession({ sessionId });
+      await sessionService.terminateSession({ sessionId, reason: "manual" });
       ctx.body = {
         message: `Session ${sessionId} terminated`,
         success: true
@@ -11246,13 +11521,12 @@ var session$3 = {
   },
   /**
    * Terminates ALL sessions for a specific user (admin action).
-   * @route POST /magic-sessionmanager/user/:userId/terminate-all
    */
   async terminateAllUserSessions(ctx) {
     try {
       const { userId } = ctx.params;
       const sessionService = strapi.plugin("magic-sessionmanager").service("session");
-      await sessionService.terminateSession({ userId });
+      await sessionService.terminateSession({ userId, reason: "manual" });
       ctx.body = {
         message: `All sessions terminated for user ${userId}`,
         success: true
@@ -11264,9 +11538,6 @@ var session$3 = {
   },
   /**
    * Returns geolocation data for a specific IP address (Premium feature).
-   *
-   * @route GET /magic-sessionmanager/geolocation/:ipAddress
-   * @throws {ForbiddenError} When no premium license is active
    */
   async getIpGeolocation(ctx) {
     try {
@@ -11293,10 +11564,7 @@ var session$3 = {
         return ctx.badRequest("Invalid IP address format");
       }
       const licenseGuard2 = strapi.plugin("magic-sessionmanager").service("license-guard");
-      const pluginStore = strapi.store({
-        type: "plugin",
-        name: "magic-sessionmanager"
-      });
+      const pluginStore = strapi.store({ type: "plugin", name: "magic-sessionmanager" });
       const licenseKey = await pluginStore.get({ key: "licenseKey" });
       if (!licenseKey) {
         return ctx.forbidden("Premium license required for geolocation features");
@@ -11318,7 +11586,6 @@ var session$3 = {
   },
   /**
    * Permanently deletes a session (admin action).
-   * @route DELETE /magic-sessionmanager/sessions/:sessionId
    */
   async deleteSession(ctx) {
     try {
@@ -11336,7 +11603,6 @@ var session$3 = {
   },
   /**
    * Deletes all inactive sessions (admin action).
-   * @route POST /magic-sessionmanager/sessions/clean-inactive
    */
   async cleanInactiveSessions(ctx) {
     try {
@@ -11354,9 +11620,6 @@ var session$3 = {
   },
   /**
    * Toggles a user's blocked status and terminates their sessions on block.
-   *
-   * @route POST /magic-sessionmanager/user/:userId/toggle-block
-   * @throws {NotFoundError} When the user cannot be found
    */
   async toggleUserBlock(ctx) {
     try {
@@ -11372,11 +11635,11 @@ var session$3 = {
         }
       }
       if (!userDocumentId) {
-        return ctx.throw(404, "User not found");
+        return ctx.notFound("User not found");
       }
       const user = await strapi.documents(USER_UID).findOne({ documentId: userDocumentId });
       if (!user) {
-        return ctx.throw(404, "User not found");
+        return ctx.notFound("User not found");
       }
       const newBlockedStatus = !user.blocked;
       await strapi.documents(USER_UID).update({
@@ -11385,7 +11648,7 @@ var session$3 = {
       });
       if (newBlockedStatus) {
         const sessionService = strapi.plugin("magic-sessionmanager").service("session");
-        await sessionService.terminateSession({ userId: userDocumentId });
+        await sessionService.terminateSession({ userId: userDocumentId, reason: "blocked" });
       }
       ctx.body = {
         message: `User ${newBlockedStatus ? "blocked" : "unblocked"} successfully`,
@@ -11877,13 +12140,13 @@ const { createLogger: createLogger$1 } = logger;
 const { parseUserAgent } = userAgentParser;
 const { resolveUserDocumentId: resolveUserDocumentId$1 } = resolveUser;
 const { enhanceSessions } = enhanceSession_1;
-const { getPluginSettings: getPluginSettings$1 } = settingsLoader;
+const { getPluginSettings: getPluginSettings$2 } = settingsLoader;
 const SESSION_UID$1 = "plugin::magic-sessionmanager.session";
 const MAX_SESSIONS_QUERY = 1e3;
 var session$1 = ({ strapi: strapi2 }) => {
   const log = createLogger$1(strapi2);
   async function getEnhanceOpts() {
-    const settings2 = await getPluginSettings$1(strapi2);
+    const settings2 = await getPluginSettings$2(strapi2);
     return {
       inactivityTimeout: settings2.inactivityTimeout || 15 * 60 * 1e3,
       geolocationService: strapi2.plugin("magic-sessionmanager").service("geolocation"),
@@ -11952,15 +12215,44 @@ var session$1 = ({ strapi: strapi2 }) => {
       }
     },
     /**
-     * Terminates a single session or all sessions of a user.
+     * Terminates a single session, all sessions of a user, or all sessions
+     * of a user EXCEPT one with a typed reason so the JWT-verify wrapper
+     * can communicate the cause to the client.
+     *
+     * Supported reasons:
+     *   - 'manual':   user clicked logout, or admin terminated a session
+     *   - 'idle':     inactivity timeout cleanup
+     *   - 'expired':  maxSessionAgeDays exceeded
+     *   - 'blocked':  the owning user was marked blocked
+     *
+     * For backwards compatibility `terminatedManually` is still set true
+     * only when reason === 'manual'; idle/expired/blocked paths set it
+     * false so reporting dashboards that queried that boolean continue
+     * to work, while new code relies on `terminationReason`.
+     *
      * @param {Object} params
-     * @param {string} [params.sessionId]
-     * @param {string|number} [params.userId]
-     * @returns {Promise<void>}
+     * @param {string} [params.sessionId]        Terminate exactly this session
+     * @param {string|number} [params.userId]    Terminate every active session
+     *                                           of this user …
+     * @param {string} [params.exceptSessionId]  … except for this one. Only
+     *                                           meaningful together with
+     *                                           `userId`. Used by
+     *                                           /logout-other-devices so
+     *                                           the caller stays logged in.
+     * @param {'manual'|'idle'|'expired'|'blocked'} [params.reason='manual']
+     * @returns {Promise<{terminatedCount: number}>}
      */
-    async terminateSession({ sessionId, userId }) {
+    async terminateSession({ sessionId, userId, exceptSessionId = null, reason = "manual" }) {
       try {
         const now = /* @__PURE__ */ new Date();
+        const validReasons = ["manual", "idle", "expired", "blocked"];
+        const finalReason = validReasons.includes(reason) ? reason : "manual";
+        const updateData = {
+          isActive: false,
+          terminatedManually: finalReason === "manual",
+          terminationReason: finalReason,
+          logoutTime: now
+        };
         if (sessionId) {
           const existing = await strapi2.documents(SESSION_UID$1).findOne({
             documentId: sessionId,
@@ -11968,29 +12260,46 @@ var session$1 = ({ strapi: strapi2 }) => {
           });
           if (!existing) {
             log.warn(`Session ${sessionId} not found for termination`);
-            return;
+            return { terminatedCount: 0 };
           }
           await strapi2.documents(SESSION_UID$1).update({
             documentId: sessionId,
-            data: { isActive: false, terminatedManually: true, logoutTime: now }
+            data: updateData
           });
-          log.info(`Session ${sessionId} terminated (manual)`);
-        } else if (userId) {
+          log.info(`Session ${sessionId} terminated (reason: ${finalReason})`);
+          return { terminatedCount: 1 };
+        }
+        if (userId) {
           const userDocumentId = await resolveUserDocumentId$1(strapi2, userId);
-          if (!userDocumentId) return;
+          if (!userDocumentId) return { terminatedCount: 0 };
+          const filters2 = { user: { documentId: userDocumentId }, isActive: true };
+          if (exceptSessionId) {
+            filters2.documentId = { $ne: exceptSessionId };
+          }
           const activeSessions = await strapi2.documents(SESSION_UID$1).findMany({
-            filters: { user: { documentId: userDocumentId }, isActive: true },
+            filters: filters2,
             fields: ["documentId"],
             limit: MAX_SESSIONS_QUERY
           });
+          let terminatedCount = 0;
           for (const session2 of activeSessions) {
-            await strapi2.documents(SESSION_UID$1).update({
-              documentId: session2.documentId,
-              data: { isActive: false, terminatedManually: true, logoutTime: now }
-            });
+            try {
+              await strapi2.documents(SESSION_UID$1).update({
+                documentId: session2.documentId,
+                data: updateData
+              });
+              terminatedCount++;
+            } catch (err) {
+              log.debug(`Failed to terminate session ${session2.documentId}:`, err.message);
+            }
           }
-          log.info(`All sessions terminated (manual) for user ${userDocumentId}`);
+          const label = exceptSessionId ? "OTHER sessions" : "ALL sessions";
+          log.info(
+            `${label} terminated for user ${userDocumentId} (reason: ${finalReason}, count: ${terminatedCount})`
+          );
+          return { terminatedCount };
         }
+        return { terminatedCount: 0 };
       } catch (err) {
         log.error("Error terminating session:", err);
         throw err;
@@ -12074,7 +12383,7 @@ var session$1 = ({ strapi: strapi2 }) => {
     async touch({ userId, sessionId, token }) {
       try {
         const now = /* @__PURE__ */ new Date();
-        const settings2 = await getPluginSettings$1(strapi2);
+        const settings2 = await getPluginSettings$2(strapi2);
         const rateLimit2 = settings2.lastSeenRateLimit || 3e4;
         let session2 = null;
         let sessionDocId = sessionId;
@@ -12143,7 +12452,7 @@ var session$1 = ({ strapi: strapi2 }) => {
      */
     async cleanupInactiveSessions({ useDbDirect = false } = {}) {
       try {
-        const settings2 = await getPluginSettings$1(strapi2);
+        const settings2 = await getPluginSettings$2(strapi2);
         const inactivityTimeout = settings2.inactivityTimeout || 15 * 60 * 1e3;
         const now = /* @__PURE__ */ new Date();
         const cutoffTime = new Date(now.getTime() - inactivityTimeout);
@@ -12156,7 +12465,8 @@ var session$1 = ({ strapi: strapi2 }) => {
               });
             }).update({
               is_active: false,
-              terminated_manually: true,
+              terminated_manually: false,
+              termination_reason: "idle",
               logout_time: now
             });
             log.info(`[SUCCESS] Cleanup (db-direct) complete: ${deactivated} sessions deactivated`);
@@ -12197,7 +12507,8 @@ var session$1 = ({ strapi: strapi2 }) => {
               documentId,
               data: {
                 isActive: false,
-                terminatedManually: true,
+                terminatedManually: false,
+                terminationReason: "idle",
                 logoutTime: now
               }
             });
@@ -12243,7 +12554,7 @@ var session$1 = ({ strapi: strapi2 }) => {
      */
     async deleteOldSessions({ retentionDays, useDbDirect } = {}) {
       try {
-        const settings2 = await getPluginSettings$1(strapi2);
+        const settings2 = await getPluginSettings$2(strapi2);
         const effectiveDays = Number.isFinite(retentionDays) ? retentionDays : settings2.retentionDays || 90;
         if (effectiveDays === -1) {
           log.debug("[RETENTION] retentionDays=-1 (forever) — skipping");
@@ -12348,7 +12659,7 @@ var session$1 = ({ strapi: strapi2 }) => {
     }
   };
 };
-const version$1 = "4.5.1";
+const version$1 = "4.5.3";
 const require$$2 = {
   version: version$1
 };
@@ -13306,6 +13617,7 @@ var services$1 = {
   geolocation,
   notifications
 };
+const { getPluginSettings: getPluginSettings$1 } = settingsLoader;
 const buckets = /* @__PURE__ */ new Map();
 const prune = (now) => {
   for (const [key, entry] of buckets) {
@@ -13319,10 +13631,45 @@ const callerKey = (ctx) => {
   if (tokenId) return `t:${String(tokenId).slice(-16)}`;
   return `ip:${ctx.request.ip || ctx.ip || "unknown"}`;
 };
+const RESOLVED_TTL_MS = 3e4;
+let resolvedCache = null;
+let resolvedAt = 0;
+async function resolveLimits({ profile, routeMax, routeWindowMs, strapi: strapi2 }) {
+  const now = Date.now();
+  if (resolvedCache && now - resolvedAt < RESOLVED_TTL_MS) {
+    const p = resolvedCache[profile];
+    if (p) {
+      return { max: p.max, windowMs: p.windowMs };
+    }
+  }
+  let settings2 = {};
+  try {
+    settings2 = await getPluginSettings$1(strapi2);
+  } catch {
+    settings2 = {};
+  }
+  const windowSec = Number.isFinite(settings2.rateLimitWindowSeconds) ? settings2.rateLimitWindowSeconds : Math.round(routeWindowMs / 1e3);
+  const windowMs = Math.max(1e4, windowSec * 1e3);
+  const resolvedWrite = {
+    max: Math.min(routeMax, Number.isFinite(settings2.rateLimitWriteMax) ? settings2.rateLimitWriteMax : routeMax),
+    windowMs
+  };
+  const resolvedRead = {
+    max: Math.max(routeMax, Number.isFinite(settings2.rateLimitReadMax) ? settings2.rateLimitReadMax : routeMax),
+    windowMs
+  };
+  resolvedCache = { read: resolvedRead, write: resolvedWrite };
+  resolvedAt = now;
+  if (profile === "read") return resolvedRead;
+  if (profile === "write") return resolvedWrite;
+  return { max: routeMax, windowMs };
+}
 const rateLimit = (cfg = {}, { strapi: strapi2 }) => {
-  const max = Number.isFinite(cfg.max) ? cfg.max : 30;
-  const windowMs = Number.isFinite(cfg.window) ? cfg.window : 6e4;
+  const routeMax = Number.isFinite(cfg.max) ? cfg.max : 30;
+  const routeWindowMs = Number.isFinite(cfg.window) ? cfg.window : 6e4;
+  const profile = cfg.profile === "read" || cfg.profile === "write" ? cfg.profile : null;
   return async (ctx, next) => {
+    const { max, windowMs } = profile ? await resolveLimits({ profile, routeMax, routeWindowMs, strapi: strapi2 }) : { max: routeMax, windowMs: routeWindowMs };
     const key = `${ctx.path}::${callerKey(ctx)}`;
     const now = Date.now();
     if (buckets.size > 5e3) prune(now);
@@ -13356,7 +13703,8 @@ const rateLimit = (cfg = {}, { strapi: strapi2 }) => {
 var rateLimit_1 = rateLimit;
 var middlewares$1 = {
   "last-seen": lastSeen,
-  "rate-limit": rateLimit_1
+  "rate-limit": rateLimit_1,
+  "session-rejection-headers": sessionRejectionHeaders
 };
 var lodashExports = requireLodash();
 const ___default = /* @__PURE__ */ getDefaultExportFromCjs(lodashExports);
@@ -51437,18 +51785,18 @@ const CSP_DEFAULTS = {
     "blob:"
   ]
 };
-const extendMiddlewareConfiguration = (middlewares2, middleware) => {
+const extendMiddlewareConfiguration = (middlewares2, middleware2) => {
   return middlewares2.map((currentMiddleware) => {
-    if (typeof currentMiddleware === "string" && currentMiddleware === middleware.name) {
-      return middleware;
+    if (typeof currentMiddleware === "string" && currentMiddleware === middleware2.name) {
+      return middleware2;
     }
-    if (typeof currentMiddleware === "object" && currentMiddleware.name === middleware.name) {
+    if (typeof currentMiddleware === "object" && currentMiddleware.name === middleware2.name) {
       return fp.mergeWith((objValue, srcValue) => {
         if (Array.isArray(objValue)) {
           return Array.from(new Set(objValue.concat(srcValue)));
         }
         return void 0;
-      }, currentMiddleware, middleware);
+      }, currentMiddleware, middleware2);
     }
     return currentMiddleware;
   });