strapi-plugin-magic-sessionmanager 4.5.3 → 4.5.5

package/dist/server/index.js

@@ -9981,17 +9981,28 @@ function mountFailedLoginLockout({ strapi: strapi2, log }) {
   });
   log.info("[SUCCESS] Failed-login lockout middleware mounted");
 }
+function isJwtIssuingPath(path2, method) {
+  if (!path2) return false;
+  const get2 = method === "GET";
+  const post = method === "POST";
+  if (post && path2 === "/api/auth/local") return true;
+  if (post && path2 === "/api/auth/local/register") return true;
+  if (post && path2 === "/api/auth/reset-password") return true;
+  if ((get2 || post) && path2 === "/api/auth/email-confirmation") return true;
+  if (get2 && /^\/api\/auth\/[a-z0-9-]+\/callback$/i.test(path2)) return true;
+  if ((get2 || post) && path2.startsWith("/api/magic-link/login")) return true;
+  if (post && path2 === "/api/magic-link/verify-mfa-totp") return true;
+  if (post && path2 === "/api/magic-link/otp/verify") return true;
+  if (post && path2 === "/api/magic-link/login-totp") return true;
+  if ((get2 || post) && path2.startsWith("/api/passwordless/")) return true;
+  return false;
+}
 function mountLoginInterceptor({ strapi: strapi2, log, sessionService }) {
   strapi2.server.use(async (ctx, next) => {
     await next();
-    const isAuthLocal = ctx.path === "/api/auth/local" && ctx.method === "POST";
-    const isMagicLinkLogin = ctx.path.includes("/magic-link/login") && (ctx.method === "GET" || ctx.method === "POST");
-    const isMagicLinkMFA = ctx.path.includes("/magic-link/verify-mfa-totp") && ctx.method === "POST";
-    const isMagicLinkOTP = ctx.path.includes("/magic-link/otp/verify") && ctx.method === "POST";
-    const isMagicLink = isMagicLinkLogin || isMagicLinkMFA || isMagicLinkOTP;
-    if (!((isAuthLocal || isMagicLink) && ctx.status === 200 && ctx.body && ctx.body.jwt && ctx.body.user)) {
-      return;
-    }
+    if (!isJwtIssuingPath(ctx.path, ctx.method)) return;
+    if (ctx.status !== 200) return;
+    if (!ctx.body || !ctx.body.jwt || !ctx.body.user) return;
     try {
       const user = ctx.body.user;
       const ip = getClientIp(ctx);
@@ -10192,11 +10203,19 @@ function mountRefreshTokenInterceptor({ strapi: strapi2, log }) {
   log.info("[SUCCESS] Refresh token interceptor middleware mounted");
 }
 async function ensureContentApiPermissions(strapi2, log) {
+  const PERMISSIONS_VERSION = 2;
   try {
     const pluginStore = strapi2.store({ type: "plugin", name: "magic-sessionmanager" });
-    const alreadyInitialized = await pluginStore.get({ key: "contentApiPermissionsInitialized" });
-    if (alreadyInitialized === true) {
-      log.debug("Content-API permissions already initialized (skipping auto-setup)");
+    const storedVersion = await pluginStore.get({ key: "contentApiPermissionsVersion" });
+    if (storedVersion === void 0) {
+      const legacyFlag = await pluginStore.get({ key: "contentApiPermissionsInitialized" });
+      if (legacyFlag === true) {
+        await pluginStore.set({ key: "contentApiPermissionsVersion", value: 1 });
+      }
+    }
+    const effectiveVersion = await pluginStore.get({ key: "contentApiPermissionsVersion" });
+    if (effectiveVersion >= PERMISSIONS_VERSION) {
+      log.debug("Content-API permissions already at current version (skipping auto-setup)");
       return;
     }
     const ROLE_UID = "plugin::users-permissions.role";
@@ -10214,6 +10233,7 @@ async function ensureContentApiPermissions(strapi2, log) {
     const requiredActions = [
       "plugin::magic-sessionmanager.session.logout",
       "plugin::magic-sessionmanager.session.logoutAll",
+      "plugin::magic-sessionmanager.session.logoutOthers",
       "plugin::magic-sessionmanager.session.getOwnSessions",
       "plugin::magic-sessionmanager.session.getUserSessions",
       "plugin::magic-sessionmanager.session.getCurrentSession",
@@ -10230,7 +10250,7 @@ async function ensureContentApiPermissions(strapi2, log) {
     const existingActions = existingPermissions.map((p) => p.action);
     const missingActions = requiredActions.filter((action) => !existingActions.includes(action));
     if (missingActions.length === 0) {
-      await pluginStore.set({ key: "contentApiPermissionsInitialized", value: true });
+      await pluginStore.set({ key: "contentApiPermissionsVersion", value: PERMISSIONS_VERSION });
       log.debug("Content-API permissions already configured");
       return;
     }
@@ -10240,7 +10260,7 @@ async function ensureContentApiPermissions(strapi2, log) {
       });
       log.info(`[PERMISSION] Enabled ${action} for authenticated users`);
     }
-    await pluginStore.set({ key: "contentApiPermissionsInitialized", value: true });
+    await pluginStore.set({ key: "contentApiPermissionsVersion", value: PERMISSIONS_VERSION });
     log.info("[SUCCESS] Content-API permissions configured for authenticated users");
   } catch (err) {
     log.warn("Could not auto-configure permissions:", err.message);
@@ -10699,7 +10719,17 @@ var contentApi$1 = {
       config: {
         auth: { strategies: ["users-permissions"] },
         middlewares: writeRateLimit,
-        description: "Logout from all devices (requires JWT)"
+        description: "Logout from ALL devices including the current one (requires JWT)"
+      }
+    },
+    {
+      method: "POST",
+      path: "/logout-others",
+      handler: "session.logoutOthers",
+      config: {
+        auth: { strategies: ["users-permissions"] },
+        middlewares: writeRateLimit,
+        description: "Logout from all OTHER devices, keep current session alive (requires JWT)"
       }
     },
     // ================== SESSION QUERIES ==================
@@ -10746,17 +10776,26 @@ var contentApi$1 = {
     }
   ]
 };
+const PLUGIN_ACCESS_ACTION = "plugin::magic-sessionmanager.access";
+const adminPolicy = () => [
+  "admin::isAuthenticatedAdmin",
+  {
+    name: "admin::hasPermissions",
+    config: { actions: [PLUGIN_ACCESS_ACTION] }
+  }
+];
 const isDevEnvironment = (() => {
   const env2 = (process.env.NODE_ENV || "development").toLowerCase();
   return env2 !== "production" && env2 !== "staging";
 })();
 const baseRoutes = [
+  // ============================ SESSIONS ============================
   {
     method: "GET",
     path: "/sessions",
     handler: "session.getAllSessionsAdmin",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
+      policies: adminPolicy(),
       description: "Get all sessions - active and inactive (admin)"
     }
   },
@@ -10765,7 +10804,7 @@ const baseRoutes = [
     path: "/sessions/active",
     handler: "session.getActiveSessions",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
+      policies: adminPolicy(),
       description: "Get only active sessions (admin)"
     }
   },
@@ -10774,8 +10813,8 @@ const baseRoutes = [
     path: "/user/:userId/sessions",
     handler: "session.getUserSessions",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
-      description: "Get user sessions (admin)"
+      policies: adminPolicy(),
+      description: "Get sessions for a specific user (admin)"
     }
   },
   {
@@ -10783,7 +10822,7 @@ const baseRoutes = [
     path: "/sessions/:sessionId/terminate",
     handler: "session.terminateSingleSession",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
+      policies: adminPolicy(),
       description: "Terminate a specific session (admin)"
     }
   },
@@ -10792,7 +10831,7 @@ const baseRoutes = [
     path: "/sessions/:sessionId",
     handler: "session.deleteSession",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
+      policies: adminPolicy(),
       description: "Delete a single session permanently (admin)"
     }
   },
@@ -10801,7 +10840,7 @@ const baseRoutes = [
     path: "/sessions/clean-inactive",
     handler: "session.cleanInactiveSessions",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
+      policies: adminPolicy(),
       description: "Delete all inactive sessions from database (admin)"
     }
   },
@@ -10810,7 +10849,7 @@ const baseRoutes = [
     path: "/user/:userId/terminate-all",
     handler: "session.terminateAllUserSessions",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
+      policies: adminPolicy(),
       description: "Terminate all sessions for a user (admin)"
     }
   },
@@ -10819,56 +10858,74 @@ const baseRoutes = [
     path: "/user/:userId/toggle-block",
     handler: "session.toggleUserBlock",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
+      policies: adminPolicy(),
       description: "Toggle user blocked status (admin)"
     }
   },
+  // ============================ LICENSE ============================
   {
     method: "GET",
     path: "/license/status",
     handler: "license.getStatus",
-    config: { policies: ["admin::isAuthenticatedAdmin"] }
+    config: {
+      policies: adminPolicy(),
+      description: "Get license status (admin)"
+    }
   },
   {
     method: "POST",
     path: "/license/auto-create",
     handler: "license.autoCreate",
-    config: { policies: ["admin::isAuthenticatedAdmin"] }
+    config: {
+      policies: adminPolicy(),
+      description: "Auto-create license for current admin (admin)"
+    }
   },
   {
     method: "POST",
     path: "/license/create",
     handler: "license.createAndActivate",
-    config: { policies: ["admin::isAuthenticatedAdmin"] }
+    config: {
+      policies: adminPolicy(),
+      description: "Create and activate a new license (admin)"
+    }
   },
   {
     method: "POST",
     path: "/license/ping",
     handler: "license.ping",
-    config: { policies: ["admin::isAuthenticatedAdmin"] }
+    config: {
+      policies: adminPolicy(),
+      description: "Ping the license server (admin)"
+    }
   },
   {
     method: "POST",
     path: "/license/store-key",
     handler: "license.storeKey",
-    config: { policies: ["admin::isAuthenticatedAdmin"] }
+    config: {
+      policies: adminPolicy(),
+      description: "Store a license key (admin)"
+    }
   },
+  // ============================ GEOLOCATION ============================
   {
     method: "GET",
     path: "/geolocation/:ipAddress",
     handler: "session.getIpGeolocation",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
-      description: "Get IP geolocation data (Premium feature)"
+      policies: adminPolicy(),
+      description: "Get IP geolocation data (Premium feature, admin)"
     }
   },
+  // ============================ SETTINGS ============================
   {
     method: "GET",
     path: "/settings",
     handler: "settings.getSettings",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
-      description: "Get plugin settings"
+      policies: adminPolicy(),
+      description: "Get plugin settings (admin)"
     }
   },
   {
@@ -10876,8 +10933,8 @@ const baseRoutes = [
     path: "/settings",
     handler: "settings.updateSettings",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
-      description: "Update plugin settings"
+      policies: adminPolicy(),
+      description: "Update plugin settings (admin)"
     }
   }
 ];
@@ -10887,8 +10944,8 @@ const devOnlyRoutes = [
     path: "/sessions/:sessionId/simulate-timeout",
     handler: "session.simulateTimeout",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
-      description: "Simulate session timeout (dev-only)"
+      policies: adminPolicy(),
+      description: "Simulate session timeout (dev-only, admin)"
     }
   }
 ];
@@ -11251,7 +11308,14 @@ var session$3 = {
     }
   },
   /**
-   * Terminates all sessions of the authenticated user.
+   * Terminates EVERY session of the authenticated user — including the
+   * current one. After this call the caller will also be logged out on
+   * the next request (their own JWT is rejected by the JWT-verify wrapper
+   * with reason=manual).
+   *
+   * For the "log me out everywhere ELSE but keep me here" flow, use
+   * `/logout-others` below.
+   *
    * @route POST /api/magic-sessionmanager/logout-all
    */
   async logoutAll(ctx) {
@@ -11261,14 +11325,82 @@ var session$3 = {
         return ctx.unauthorized("Authentication required");
       }
       const sessionService = strapi.plugin("magic-sessionmanager").service("session");
-      await sessionService.terminateSession({ userId: userDocId, reason: "manual" });
-      strapi.log.info(`[magic-sessionmanager] User ${userDocId} logged out from all devices`);
-      ctx.body = { message: "Logged out from all devices successfully" };
+      const { terminatedCount } = await sessionService.terminateSession({
+        userId: userDocId,
+        reason: "manual"
+      });
+      strapi.log.info(
+        `[magic-sessionmanager] User ${userDocId} logged out from all devices (${terminatedCount})`
+      );
+      ctx.body = {
+        message: "Logged out from all devices successfully",
+        terminatedCount
+      };
     } catch (err) {
       strapi.log.error("[magic-sessionmanager] Logout-all error:", err);
       ctx.throw(500, "Error during logout");
     }
   },
+  /**
+   * Terminates every session of the authenticated user EXCEPT the current
+   * one. This is the "kick everyone else off my account" flow — the
+   * caller stays logged in on the device they are using.
+   *
+   * If no "current session" record can be located for the caller's JWT
+   * (edge case: user logged in before the session-manager was installed,
+   * or right at the end of the grace window) we fall back to terminating
+   * ALL sessions so the user still gets the safety effect they asked for,
+   * and we report `fellBackToLogoutAll: true` so the client can adjust
+   * its success message.
+   *
+   * @route POST /api/magic-sessionmanager/logout-others
+   */
+  async logoutOthers(ctx) {
+    try {
+      const userDocId = await resolveAuthUserDocId(ctx);
+      const token = extractBearerToken$1(ctx);
+      if (!userDocId || !token) {
+        return ctx.unauthorized("Authentication required");
+      }
+      const currentTokenHash = hashToken$2(token);
+      const currentSession = await strapi.documents(SESSION_UID$2).findFirst({
+        filters: { user: { documentId: userDocId }, tokenHash: currentTokenHash },
+        fields: ["documentId"]
+      });
+      const sessionService = strapi.plugin("magic-sessionmanager").service("session");
+      if (!currentSession) {
+        const { terminatedCount: terminatedCount2 } = await sessionService.terminateSession({
+          userId: userDocId,
+          reason: "manual"
+        });
+        strapi.log.warn(
+          `[magic-sessionmanager] logoutOthers fell back to logoutAll for user ${userDocId} (no current session match)`
+        );
+        ctx.body = {
+          message: "All sessions terminated (could not preserve current session)",
+          terminatedCount: terminatedCount2,
+          fellBackToLogoutAll: true
+        };
+        return;
+      }
+      const { terminatedCount } = await sessionService.terminateSession({
+        userId: userDocId,
+        exceptSessionId: currentSession.documentId,
+        reason: "manual"
+      });
+      strapi.log.info(
+        `[magic-sessionmanager] User ${userDocId} logged out ${terminatedCount} other device(s)`
+      );
+      ctx.body = {
+        message: terminatedCount === 0 ? "No other active sessions to terminate" : `${terminatedCount} other session(s) terminated`,
+        terminatedCount,
+        currentSessionPreserved: true
+      };
+    } catch (err) {
+      strapi.log.error("[magic-sessionmanager] Logout-others error:", err);
+      ctx.throw(500, "Error terminating other sessions");
+    }
+  },
   /**
    * Returns the session associated with the current JWT.
    *
@@ -12123,9 +12255,9 @@ var session$1 = ({ strapi: strapi2 }) => {
       }
     },
     /**
-     * Terminates a single session or all sessions of a user with a typed
-     * reason so the JWT-verify wrapper and downstream middleware can
-     * communicate the cause to the client (and we can show sensible UI).
+     * Terminates a single session, all sessions of a user, or all sessions
+     * of a user EXCEPT one with a typed reason so the JWT-verify wrapper
+     * can communicate the cause to the client.
      *
      * Supported reasons:
      *   - 'manual':   user clicked logout, or admin terminated a session
@@ -12139,12 +12271,18 @@ var session$1 = ({ strapi: strapi2 }) => {
      * to work, while new code relies on `terminationReason`.
      *
      * @param {Object} params
-     * @param {string} [params.sessionId]
-     * @param {string|number} [params.userId]
+     * @param {string} [params.sessionId]        Terminate exactly this session
+     * @param {string|number} [params.userId]    Terminate every active session
+     *                                           of this user …
+     * @param {string} [params.exceptSessionId]  … except for this one. Only
+     *                                           meaningful together with
+     *                                           `userId`. Used by
+     *                                           /logout-other-devices so
+     *                                           the caller stays logged in.
      * @param {'manual'|'idle'|'expired'|'blocked'} [params.reason='manual']
-     * @returns {Promise<void>}
+     * @returns {Promise<{terminatedCount: number}>}
      */
-    async terminateSession({ sessionId, userId, reason = "manual" }) {
+    async terminateSession({ sessionId, userId, exceptSessionId = null, reason = "manual" }) {
       try {
         const now = /* @__PURE__ */ new Date();
         const validReasons = ["manual", "idle", "expired", "blocked"];
@@ -12162,29 +12300,46 @@ var session$1 = ({ strapi: strapi2 }) => {
           });
           if (!existing) {
             log.warn(`Session ${sessionId} not found for termination`);
-            return;
+            return { terminatedCount: 0 };
           }
           await strapi2.documents(SESSION_UID$1).update({
             documentId: sessionId,
             data: updateData
           });
           log.info(`Session ${sessionId} terminated (reason: ${finalReason})`);
-        } else if (userId) {
+          return { terminatedCount: 1 };
+        }
+        if (userId) {
           const userDocumentId = await resolveUserDocumentId$1(strapi2, userId);
-          if (!userDocumentId) return;
+          if (!userDocumentId) return { terminatedCount: 0 };
+          const filters2 = { user: { documentId: userDocumentId }, isActive: true };
+          if (exceptSessionId) {
+            filters2.documentId = { $ne: exceptSessionId };
+          }
           const activeSessions = await strapi2.documents(SESSION_UID$1).findMany({
-            filters: { user: { documentId: userDocumentId }, isActive: true },
+            filters: filters2,
             fields: ["documentId"],
             limit: MAX_SESSIONS_QUERY
           });
+          let terminatedCount = 0;
           for (const session2 of activeSessions) {
-            await strapi2.documents(SESSION_UID$1).update({
-              documentId: session2.documentId,
-              data: updateData
-            });
+            try {
+              await strapi2.documents(SESSION_UID$1).update({
+                documentId: session2.documentId,
+                data: updateData
+              });
+              terminatedCount++;
+            } catch (err) {
+              log.debug(`Failed to terminate session ${session2.documentId}:`, err.message);
+            }
           }
-          log.info(`All sessions terminated for user ${userDocumentId} (reason: ${finalReason})`);
+          const label = exceptSessionId ? "OTHER sessions" : "ALL sessions";
+          log.info(
+            `${label} terminated for user ${userDocumentId} (reason: ${finalReason}, count: ${terminatedCount})`
+          );
+          return { terminatedCount };
         }
+        return { terminatedCount: 0 };
       } catch (err) {
         log.error("Error terminating session:", err);
         throw err;
@@ -12544,7 +12699,7 @@ var session$1 = ({ strapi: strapi2 }) => {
     }
   };
 };
-const version$1 = "4.5.2";
+const version$1 = "4.5.4";
 const require$$2 = {
   version: version$1
 };

package/dist/server/index.mjs

@@ -9968,17 +9968,28 @@ function mountFailedLoginLockout({ strapi: strapi2, log }) {
   });
   log.info("[SUCCESS] Failed-login lockout middleware mounted");
 }
+function isJwtIssuingPath(path2, method) {
+  if (!path2) return false;
+  const get2 = method === "GET";
+  const post = method === "POST";
+  if (post && path2 === "/api/auth/local") return true;
+  if (post && path2 === "/api/auth/local/register") return true;
+  if (post && path2 === "/api/auth/reset-password") return true;
+  if ((get2 || post) && path2 === "/api/auth/email-confirmation") return true;
+  if (get2 && /^\/api\/auth\/[a-z0-9-]+\/callback$/i.test(path2)) return true;
+  if ((get2 || post) && path2.startsWith("/api/magic-link/login")) return true;
+  if (post && path2 === "/api/magic-link/verify-mfa-totp") return true;
+  if (post && path2 === "/api/magic-link/otp/verify") return true;
+  if (post && path2 === "/api/magic-link/login-totp") return true;
+  if ((get2 || post) && path2.startsWith("/api/passwordless/")) return true;
+  return false;
+}
 function mountLoginInterceptor({ strapi: strapi2, log, sessionService }) {
   strapi2.server.use(async (ctx, next) => {
     await next();
-    const isAuthLocal = ctx.path === "/api/auth/local" && ctx.method === "POST";
-    const isMagicLinkLogin = ctx.path.includes("/magic-link/login") && (ctx.method === "GET" || ctx.method === "POST");
-    const isMagicLinkMFA = ctx.path.includes("/magic-link/verify-mfa-totp") && ctx.method === "POST";
-    const isMagicLinkOTP = ctx.path.includes("/magic-link/otp/verify") && ctx.method === "POST";
-    const isMagicLink = isMagicLinkLogin || isMagicLinkMFA || isMagicLinkOTP;
-    if (!((isAuthLocal || isMagicLink) && ctx.status === 200 && ctx.body && ctx.body.jwt && ctx.body.user)) {
-      return;
-    }
+    if (!isJwtIssuingPath(ctx.path, ctx.method)) return;
+    if (ctx.status !== 200) return;
+    if (!ctx.body || !ctx.body.jwt || !ctx.body.user) return;
     try {
       const user = ctx.body.user;
       const ip = getClientIp(ctx);
@@ -10179,11 +10190,19 @@ function mountRefreshTokenInterceptor({ strapi: strapi2, log }) {
   log.info("[SUCCESS] Refresh token interceptor middleware mounted");
 }
 async function ensureContentApiPermissions(strapi2, log) {
+  const PERMISSIONS_VERSION = 2;
   try {
     const pluginStore = strapi2.store({ type: "plugin", name: "magic-sessionmanager" });
-    const alreadyInitialized = await pluginStore.get({ key: "contentApiPermissionsInitialized" });
-    if (alreadyInitialized === true) {
-      log.debug("Content-API permissions already initialized (skipping auto-setup)");
+    const storedVersion = await pluginStore.get({ key: "contentApiPermissionsVersion" });
+    if (storedVersion === void 0) {
+      const legacyFlag = await pluginStore.get({ key: "contentApiPermissionsInitialized" });
+      if (legacyFlag === true) {
+        await pluginStore.set({ key: "contentApiPermissionsVersion", value: 1 });
+      }
+    }
+    const effectiveVersion = await pluginStore.get({ key: "contentApiPermissionsVersion" });
+    if (effectiveVersion >= PERMISSIONS_VERSION) {
+      log.debug("Content-API permissions already at current version (skipping auto-setup)");
       return;
     }
     const ROLE_UID = "plugin::users-permissions.role";
@@ -10201,6 +10220,7 @@ async function ensureContentApiPermissions(strapi2, log) {
     const requiredActions = [
       "plugin::magic-sessionmanager.session.logout",
       "plugin::magic-sessionmanager.session.logoutAll",
+      "plugin::magic-sessionmanager.session.logoutOthers",
       "plugin::magic-sessionmanager.session.getOwnSessions",
       "plugin::magic-sessionmanager.session.getUserSessions",
       "plugin::magic-sessionmanager.session.getCurrentSession",
@@ -10217,7 +10237,7 @@ async function ensureContentApiPermissions(strapi2, log) {
     const existingActions = existingPermissions.map((p) => p.action);
     const missingActions = requiredActions.filter((action) => !existingActions.includes(action));
     if (missingActions.length === 0) {
-      await pluginStore.set({ key: "contentApiPermissionsInitialized", value: true });
+      await pluginStore.set({ key: "contentApiPermissionsVersion", value: PERMISSIONS_VERSION });
       log.debug("Content-API permissions already configured");
       return;
     }
@@ -10227,7 +10247,7 @@ async function ensureContentApiPermissions(strapi2, log) {
       });
       log.info(`[PERMISSION] Enabled ${action} for authenticated users`);
     }
-    await pluginStore.set({ key: "contentApiPermissionsInitialized", value: true });
+    await pluginStore.set({ key: "contentApiPermissionsVersion", value: PERMISSIONS_VERSION });
     log.info("[SUCCESS] Content-API permissions configured for authenticated users");
   } catch (err) {
     log.warn("Could not auto-configure permissions:", err.message);
@@ -10686,7 +10706,17 @@ var contentApi$1 = {
       config: {
         auth: { strategies: ["users-permissions"] },
         middlewares: writeRateLimit,
-        description: "Logout from all devices (requires JWT)"
+        description: "Logout from ALL devices including the current one (requires JWT)"
+      }
+    },
+    {
+      method: "POST",
+      path: "/logout-others",
+      handler: "session.logoutOthers",
+      config: {
+        auth: { strategies: ["users-permissions"] },
+        middlewares: writeRateLimit,
+        description: "Logout from all OTHER devices, keep current session alive (requires JWT)"
       }
     },
     // ================== SESSION QUERIES ==================
@@ -10733,17 +10763,26 @@ var contentApi$1 = {
     }
   ]
 };
+const PLUGIN_ACCESS_ACTION = "plugin::magic-sessionmanager.access";
+const adminPolicy = () => [
+  "admin::isAuthenticatedAdmin",
+  {
+    name: "admin::hasPermissions",
+    config: { actions: [PLUGIN_ACCESS_ACTION] }
+  }
+];
 const isDevEnvironment = (() => {
   const env2 = (process.env.NODE_ENV || "development").toLowerCase();
   return env2 !== "production" && env2 !== "staging";
 })();
 const baseRoutes = [
+  // ============================ SESSIONS ============================
   {
     method: "GET",
     path: "/sessions",
     handler: "session.getAllSessionsAdmin",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
+      policies: adminPolicy(),
       description: "Get all sessions - active and inactive (admin)"
     }
   },
@@ -10752,7 +10791,7 @@ const baseRoutes = [
     path: "/sessions/active",
     handler: "session.getActiveSessions",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
+      policies: adminPolicy(),
       description: "Get only active sessions (admin)"
     }
   },
@@ -10761,8 +10800,8 @@ const baseRoutes = [
     path: "/user/:userId/sessions",
     handler: "session.getUserSessions",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
-      description: "Get user sessions (admin)"
+      policies: adminPolicy(),
+      description: "Get sessions for a specific user (admin)"
     }
   },
   {
@@ -10770,7 +10809,7 @@ const baseRoutes = [
     path: "/sessions/:sessionId/terminate",
     handler: "session.terminateSingleSession",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
+      policies: adminPolicy(),
       description: "Terminate a specific session (admin)"
     }
   },
@@ -10779,7 +10818,7 @@ const baseRoutes = [
     path: "/sessions/:sessionId",
     handler: "session.deleteSession",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
+      policies: adminPolicy(),
       description: "Delete a single session permanently (admin)"
     }
   },
@@ -10788,7 +10827,7 @@ const baseRoutes = [
     path: "/sessions/clean-inactive",
     handler: "session.cleanInactiveSessions",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
+      policies: adminPolicy(),
       description: "Delete all inactive sessions from database (admin)"
     }
   },
@@ -10797,7 +10836,7 @@ const baseRoutes = [
     path: "/user/:userId/terminate-all",
     handler: "session.terminateAllUserSessions",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
+      policies: adminPolicy(),
       description: "Terminate all sessions for a user (admin)"
     }
   },
@@ -10806,56 +10845,74 @@ const baseRoutes = [
     path: "/user/:userId/toggle-block",
     handler: "session.toggleUserBlock",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
+      policies: adminPolicy(),
       description: "Toggle user blocked status (admin)"
     }
   },
+  // ============================ LICENSE ============================
   {
     method: "GET",
     path: "/license/status",
     handler: "license.getStatus",
-    config: { policies: ["admin::isAuthenticatedAdmin"] }
+    config: {
+      policies: adminPolicy(),
+      description: "Get license status (admin)"
+    }
   },
   {
     method: "POST",
     path: "/license/auto-create",
     handler: "license.autoCreate",
-    config: { policies: ["admin::isAuthenticatedAdmin"] }
+    config: {
+      policies: adminPolicy(),
+      description: "Auto-create license for current admin (admin)"
+    }
   },
   {
     method: "POST",
     path: "/license/create",
     handler: "license.createAndActivate",
-    config: { policies: ["admin::isAuthenticatedAdmin"] }
+    config: {
+      policies: adminPolicy(),
+      description: "Create and activate a new license (admin)"
+    }
   },
   {
     method: "POST",
     path: "/license/ping",
     handler: "license.ping",
-    config: { policies: ["admin::isAuthenticatedAdmin"] }
+    config: {
+      policies: adminPolicy(),
+      description: "Ping the license server (admin)"
+    }
   },
   {
     method: "POST",
     path: "/license/store-key",
     handler: "license.storeKey",
-    config: { policies: ["admin::isAuthenticatedAdmin"] }
+    config: {
+      policies: adminPolicy(),
+      description: "Store a license key (admin)"
+    }
   },
+  // ============================ GEOLOCATION ============================
   {
     method: "GET",
     path: "/geolocation/:ipAddress",
     handler: "session.getIpGeolocation",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
-      description: "Get IP geolocation data (Premium feature)"
+      policies: adminPolicy(),
+      description: "Get IP geolocation data (Premium feature, admin)"
     }
   },
+  // ============================ SETTINGS ============================
   {
     method: "GET",
     path: "/settings",
     handler: "settings.getSettings",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
-      description: "Get plugin settings"
+      policies: adminPolicy(),
+      description: "Get plugin settings (admin)"
     }
   },
   {
@@ -10863,8 +10920,8 @@ const baseRoutes = [
     path: "/settings",
     handler: "settings.updateSettings",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
-      description: "Update plugin settings"
+      policies: adminPolicy(),
+      description: "Update plugin settings (admin)"
     }
   }
 ];
@@ -10874,8 +10931,8 @@ const devOnlyRoutes = [
     path: "/sessions/:sessionId/simulate-timeout",
     handler: "session.simulateTimeout",
     config: {
-      policies: ["admin::isAuthenticatedAdmin"],
-      description: "Simulate session timeout (dev-only)"
+      policies: adminPolicy(),
+      description: "Simulate session timeout (dev-only, admin)"
     }
   }
 ];
@@ -11238,7 +11295,14 @@ var session$3 = {
     }
   },
   /**
-   * Terminates all sessions of the authenticated user.
+   * Terminates EVERY session of the authenticated user — including the
+   * current one. After this call the caller will also be logged out on
+   * the next request (their own JWT is rejected by the JWT-verify wrapper
+   * with reason=manual).
+   *
+   * For the "log me out everywhere ELSE but keep me here" flow, use
+   * `/logout-others` below.
+   *
    * @route POST /api/magic-sessionmanager/logout-all
    */
   async logoutAll(ctx) {
@@ -11248,14 +11312,82 @@ var session$3 = {
         return ctx.unauthorized("Authentication required");
       }
       const sessionService = strapi.plugin("magic-sessionmanager").service("session");
-      await sessionService.terminateSession({ userId: userDocId, reason: "manual" });
-      strapi.log.info(`[magic-sessionmanager] User ${userDocId} logged out from all devices`);
-      ctx.body = { message: "Logged out from all devices successfully" };
+      const { terminatedCount } = await sessionService.terminateSession({
+        userId: userDocId,
+        reason: "manual"
+      });
+      strapi.log.info(
+        `[magic-sessionmanager] User ${userDocId} logged out from all devices (${terminatedCount})`
+      );
+      ctx.body = {
+        message: "Logged out from all devices successfully",
+        terminatedCount
+      };
     } catch (err) {
       strapi.log.error("[magic-sessionmanager] Logout-all error:", err);
       ctx.throw(500, "Error during logout");
     }
   },
+  /**
+   * Terminates every session of the authenticated user EXCEPT the current
+   * one. This is the "kick everyone else off my account" flow — the
+   * caller stays logged in on the device they are using.
+   *
+   * If no "current session" record can be located for the caller's JWT
+   * (edge case: user logged in before the session-manager was installed,
+   * or right at the end of the grace window) we fall back to terminating
+   * ALL sessions so the user still gets the safety effect they asked for,
+   * and we report `fellBackToLogoutAll: true` so the client can adjust
+   * its success message.
+   *
+   * @route POST /api/magic-sessionmanager/logout-others
+   */
+  async logoutOthers(ctx) {
+    try {
+      const userDocId = await resolveAuthUserDocId(ctx);
+      const token = extractBearerToken$1(ctx);
+      if (!userDocId || !token) {
+        return ctx.unauthorized("Authentication required");
+      }
+      const currentTokenHash = hashToken$2(token);
+      const currentSession = await strapi.documents(SESSION_UID$2).findFirst({
+        filters: { user: { documentId: userDocId }, tokenHash: currentTokenHash },
+        fields: ["documentId"]
+      });
+      const sessionService = strapi.plugin("magic-sessionmanager").service("session");
+      if (!currentSession) {
+        const { terminatedCount: terminatedCount2 } = await sessionService.terminateSession({
+          userId: userDocId,
+          reason: "manual"
+        });
+        strapi.log.warn(
+          `[magic-sessionmanager] logoutOthers fell back to logoutAll for user ${userDocId} (no current session match)`
+        );
+        ctx.body = {
+          message: "All sessions terminated (could not preserve current session)",
+          terminatedCount: terminatedCount2,
+          fellBackToLogoutAll: true
+        };
+        return;
+      }
+      const { terminatedCount } = await sessionService.terminateSession({
+        userId: userDocId,
+        exceptSessionId: currentSession.documentId,
+        reason: "manual"
+      });
+      strapi.log.info(
+        `[magic-sessionmanager] User ${userDocId} logged out ${terminatedCount} other device(s)`
+      );
+      ctx.body = {
+        message: terminatedCount === 0 ? "No other active sessions to terminate" : `${terminatedCount} other session(s) terminated`,
+        terminatedCount,
+        currentSessionPreserved: true
+      };
+    } catch (err) {
+      strapi.log.error("[magic-sessionmanager] Logout-others error:", err);
+      ctx.throw(500, "Error terminating other sessions");
+    }
+  },
   /**
    * Returns the session associated with the current JWT.
    *
@@ -12110,9 +12242,9 @@ var session$1 = ({ strapi: strapi2 }) => {
       }
     },
     /**
-     * Terminates a single session or all sessions of a user with a typed
-     * reason so the JWT-verify wrapper and downstream middleware can
-     * communicate the cause to the client (and we can show sensible UI).
+     * Terminates a single session, all sessions of a user, or all sessions
+     * of a user EXCEPT one with a typed reason so the JWT-verify wrapper
+     * can communicate the cause to the client.
      *
      * Supported reasons:
      *   - 'manual':   user clicked logout, or admin terminated a session
@@ -12126,12 +12258,18 @@ var session$1 = ({ strapi: strapi2 }) => {
      * to work, while new code relies on `terminationReason`.
      *
      * @param {Object} params
-     * @param {string} [params.sessionId]
-     * @param {string|number} [params.userId]
+     * @param {string} [params.sessionId]        Terminate exactly this session
+     * @param {string|number} [params.userId]    Terminate every active session
+     *                                           of this user …
+     * @param {string} [params.exceptSessionId]  … except for this one. Only
+     *                                           meaningful together with
+     *                                           `userId`. Used by
+     *                                           /logout-other-devices so
+     *                                           the caller stays logged in.
      * @param {'manual'|'idle'|'expired'|'blocked'} [params.reason='manual']
-     * @returns {Promise<void>}
+     * @returns {Promise<{terminatedCount: number}>}
      */
-    async terminateSession({ sessionId, userId, reason = "manual" }) {
+    async terminateSession({ sessionId, userId, exceptSessionId = null, reason = "manual" }) {
       try {
         const now = /* @__PURE__ */ new Date();
         const validReasons = ["manual", "idle", "expired", "blocked"];
@@ -12149,29 +12287,46 @@ var session$1 = ({ strapi: strapi2 }) => {
           });
           if (!existing) {
             log.warn(`Session ${sessionId} not found for termination`);
-            return;
+            return { terminatedCount: 0 };
           }
           await strapi2.documents(SESSION_UID$1).update({
             documentId: sessionId,
             data: updateData
           });
           log.info(`Session ${sessionId} terminated (reason: ${finalReason})`);
-        } else if (userId) {
+          return { terminatedCount: 1 };
+        }
+        if (userId) {
           const userDocumentId = await resolveUserDocumentId$1(strapi2, userId);
-          if (!userDocumentId) return;
+          if (!userDocumentId) return { terminatedCount: 0 };
+          const filters2 = { user: { documentId: userDocumentId }, isActive: true };
+          if (exceptSessionId) {
+            filters2.documentId = { $ne: exceptSessionId };
+          }
           const activeSessions = await strapi2.documents(SESSION_UID$1).findMany({
-            filters: { user: { documentId: userDocumentId }, isActive: true },
+            filters: filters2,
             fields: ["documentId"],
             limit: MAX_SESSIONS_QUERY
           });
+          let terminatedCount = 0;
           for (const session2 of activeSessions) {
-            await strapi2.documents(SESSION_UID$1).update({
-              documentId: session2.documentId,
-              data: updateData
-            });
+            try {
+              await strapi2.documents(SESSION_UID$1).update({
+                documentId: session2.documentId,
+                data: updateData
+              });
+              terminatedCount++;
+            } catch (err) {
+              log.debug(`Failed to terminate session ${session2.documentId}:`, err.message);
+            }
           }
-          log.info(`All sessions terminated for user ${userDocumentId} (reason: ${finalReason})`);
+          const label = exceptSessionId ? "OTHER sessions" : "ALL sessions";
+          log.info(
+            `${label} terminated for user ${userDocumentId} (reason: ${finalReason}, count: ${terminatedCount})`
+          );
+          return { terminatedCount };
         }
+        return { terminatedCount: 0 };
       } catch (err) {
         log.error("Error terminating session:", err);
         throw err;
@@ -12531,7 +12686,7 @@ var session$1 = ({ strapi: strapi2 }) => {
     }
   };
 };
-const version$1 = "4.5.2";
+const version$1 = "4.5.4";
 const require$$2 = {
   version: version$1
 };

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "4.5.3",
+  "version": "4.5.5",
   "keywords": [
     "strapi",
     "strapi-plugin",