strapi-security-suite 0.3.2 → 0.4.0

package/README.md

@@ -1,43 +1,48 @@
 # 🛡️ Strapi Security Suite
 
-### The admin security plugin that takes your sessions _personally_.
+### The admin security plugin that takes your sessions _personally_ — and now scales horizontally.
 
-> **One plugin. Auto-logout. Single-session enforcement. Token revocation. Password policy.**
-> Built for **Strapi v5**. Fueled by in-memory Maps and zero tolerance for stale tokens.
+> **One plugin. Auto-logout. Single-session enforcement. Token revocation. Heartbeat. Multi-pod-safe.**
+> Built for **Strapi v5**. Backed by your existing database. Zero new infrastructure.
 
 ---
 
 ## 🤔 What Is This?
 
-Imagine a bouncer at a nightclub. But the nightclub is your **Strapi admin panel**, and the bouncer has a _perfect memory_, never sleeps, and will physically escort your idle admins out the door after 30 minutes of doing nothing.
+Imagine a bouncer at a nightclub. But the nightclub is your **Strapi admin panel**, the bouncer has a _perfect memory_, never sleeps, and will physically escort your idle admins out the door after 30 minutes of doing nothing.
 
-**That's this plugin.**
+**That's this plugin.** And in v0.4, the bouncer works across every door of every venue in the franchise — not just the one he's standing at.
 
 ```
-  🔐 Admin logs in
+  🔐 Admin logs in (Pod A)
    |
-   |  👀 Every request tracked (timestamp saved in memory)
+   |  👀 Activity tracked → DB (visible to all pods)
+   |  🫀 Client heartbeat fires every 30s on mouse/keyboard
    |
-   |  😴 Admin goes idle...
+   |  😴 Admin walks away from desk...
    |
    |  ⏰ 30 minutes pass...
    |
-   🚪 BOOM. Logged out. Cookies cleared. Token dead.
-         No arguments. No appeals. Just security.
+   |  👑 Watcher leader (could be Pod C) marks session revoked → DB
+   |
+   🚪 Next request to ANY pod → BOOM. Logged out. Cookies cleared. Token dead.
+         No coin-flip. No "depends which pod you hit." Just security.
 ```
 
 ---
 
 ## ✨ Features at a Glance
 
-| Feature                    | What It Does                                   | Vibe                 |
-| -------------------------- | ---------------------------------------------- | -------------------- |
-| ⏰ **Auto-Logout**         | Kicks idle admins after configurable minutes   | "Use it or lose it"  |
-| 🚫 **Single-Session Lock** | One admin = one session. Period.               | "No shadow clones"   |
-| 💀 **Token Revocation**    | Dead tokens stay dead. Instantly.              | "Ghosts get ghosted" |
-| 🔑 **Password Policy**     | Expiry + non-reusable passwords (configurable) | "Rotate or regret"   |
-| ⚙️ **Admin UI**            | Settings panel right inside Strapi             | "Click, don't code"  |
-| 🛡️ **Input Validation**    | Server-side validation on every settings save  | "Trust nobody"       |
+| Feature                    | What It Does                                               | Vibe                 |
+| -------------------------- | ---------------------------------------------------------- | -------------------- |
+| ⏰ **Auto-Logout**         | Kicks idle admins after configurable minutes               | "Use it or lose it"  |
+| 🫀 **Activity Heartbeat**  | Form-filling counts as activity (no spurious idle-logouts) | "We see you typing"  |
+| 🚫 **Single-Session Lock** | One admin = one session. Across every pod.                 | "No shadow clones"   |
+| 💀 **Session Revocation**  | Per-`sessionId`. Cluster-wide. Instant.                    | "Ghosts get ghosted" |
+| 🌐 **Multi-Pod Safe**      | DB-backed state, leader-elected watcher                    | "OpenShift-ready"    |
+| 🔑 **Password Policy**     | Expiry + non-reusable passwords (configurable)             | "Rotate or regret"   |
+| ⚙️ **Admin UI**            | Settings panel right inside Strapi                         | "Click, don't code"  |
+| 🛡️ **Input Validation**    | Server-side validation on every settings save              | "Trust nobody"       |
 
 ---
 
@@ -67,6 +72,8 @@ module.exports = ({ env }) => ({
 yarn develop
 ```
 
+Three new tables — `sss_admin_sessions`, `sss_login_locks`, `sss_watcher_leases` — are auto-created by Strapi on first boot. No manual migration. No new dependencies. No config required.
+
 ### Step 4: Find it
 
 Go to **Settings** → **Global** → **Security Suite**
@@ -75,6 +82,19 @@ That's it. You're done. Go get a coffee. ☕
 
 ---
 
+## 🌐 Why Multi-Pod-Safe Matters
+
+In v0.3 the plugin kept its session state — last-active timestamps, revoked emails, login locks — in **per-pod in-memory `Map`s and `Set`s**. On a single-pod deployment, fine. On a horizontally-scaled OpenShift / Kubernetes deployment with multiple replicas behind a load balancer, those data structures **lived independently per pod** and that broke every guarantee the plugin made:
+
+- An admin's requests round-robined across N pods → each pod saw only ~1/N of their activity → some pod's watcher decided they'd been idle 30 min and revoked them while they were actively typing.
+- Pod A revoked a session. The next request landed on Pod B → no entry → no force-reload signal → revocation became a 1/N-probability event.
+- A logged-out admin's bearer kept working on every pod that hadn't seen the logout, until the JWT expired.
+- Two concurrent logins for the same email hit different pods → both pods saw empty maps → both succeeded. Single-session enforcement only worked on a single pod, which is exactly when you don't need it.
+
+**v0.4 moves all of that state into the database.** Revocation issued on any pod is visible to every other pod on the next request. The watcher is leader-elected so only one pod cluster-wide actually runs the 5-second tick. Login locks are atomic across pods via `SELECT … FOR UPDATE`. No Redis. No new infra. Your existing Postgres / MySQL / SQLite handles it.
+
+---
+
 ## 🖼️ The Admin Panel
 
 Once installed, you get a beautiful settings page with two panels:
@@ -86,8 +106,8 @@ Once installed, you get a beautiful settings page with two panels:
 │                           │                           │
 │  🕐 SESSION MANAGEMENT    │  🔑 PASSWORD MANAGEMENT    │
 │                           │                           │
-│  Auto Logout Time: [30]  │  Password Control: [ON]   │
-│  (minutes)               │                           │
+│  Auto Logout Time: [30]   │  Password Control: [ON]   │
+│  (minutes)                │                           │
 │                           │  Expiry Days: [30]        │
 │  Multi-Session            │                           │
 │  Control: [ON]            │  Non-Reusable: [ON]       │
@@ -97,14 +117,12 @@ Once installed, you get a beautiful settings page with two panels:
 └───────────────────────────────────────────────────────┘
 ```
 
-**Everything is stored in the database.** Change a value, hit save, it takes effect immediately. No restarts. No config files. No drama.
+Settings are stored in a single-type DB record. Change a value, hit save, it takes effect immediately. No restarts. No config files.
 
 ---
 
 ## 🧠 How It Actually Works
 
-Here's the whole flow, explained like you're five (but a very smart five):
-
 ### 🔗 The Middleware Pipeline
 
 When any request hits your Strapi server, it passes through **5 security checkpoints** (middlewares), in this exact order:
@@ -114,47 +132,65 @@ When any request hits your Strapi server, it passes through **5 security checkpo
        │
        ▼
   1. 🐣 seedUserInfos
-  │    "Who are you? Let me check your JWT and load your profile"
+  │    "Decode the JWT. Pull userId AND sessionId. Hydrate ctx.state."
   │
   ▼
   2. 🔍 interceptRenewToken
-  │    "Trying to renew your token? Let me make sure you're still welcome"
+  │    "Logging out? Mark this sessionId revoked in the DB. Cluster-wide."
   │
   ▼
   3. 👣 trackActivity
-  │    "OK you're legit. I'm writing down the time. Don't be idle."
+  │    "If this sessionId is revoked → 403 + clear cookies. Else stamp lastActiveAt
+  │     to the DB (write-coalesced to once per 30s)."
   │
   ▼
   4. ☠️ rejectRevokedTokens
-  │    "Wait... is your session revoked? GET OUT. Cookies deleted. Token dead."
+  │    "Belt-and-suspenders revocation check. Sets app.admin.tk header so the
+  │     frontend force-reloads. Calls sessionManager.invalidateRefreshToken."
   │
   ▼
   5. 🚫 preventMultipleSessions  (on login only)
-       "Already logged in somewhere else? 409 Conflict. One session only."
+       "Acquire cross-pod login lock. Refuse with 409 if another active session
+        for this email exists anywhere in the cluster."
 ```
 
-### ⏱️ The Auto-Logout Watcher
+### ⏱️ The Auto-Logout Watcher (Leader-Elected)
 
-Running in the background, checking every 5 seconds:
+Every pod runs a `setInterval` every 5 seconds. Inside the tick:
 
 ```
-  🔄 Every 5 seconds:
+  🔄 Every 5 seconds, every pod:
      │
-     │  🔍 Check each active session in memory
-     │  🕐 Compare last activity timestamp vs. configured timeout
-     │
-     │  😴 Idle too long?
-     │     │
-     │     YES → Add email to revoked set
-     │     │     → Delete session from activity map
-     │     │     → Log it: "Auto-logged out admin X after Y seconds"
+     ├─→ acquireWatcherLease()  (atomic UPDATE on sss_watcher_leases)
      │     │
-     │     NO  → Carry on, you're fine 👍
+     │     ├─→ Got it? I'm the leader. Continue.
+     │     └─→ Someone else has it? Skip the rest. (1 cheap DB query, done.)
+     │
+     │  (Only the leader runs the body below)
+     │
+     ├─→ pruneExpiredLocks()   (clean up sss_login_locks where lockedUntil < now)
+     │
+     ├─→ listIdleSessions({ idleThresholdMs })
+     │     SELECT FROM sss_admin_sessions
+     │     WHERE revoked_at IS NULL AND last_active_at < (now - threshold)
+     │
+     └─→ For each idle session:
+          • UPDATE sss_admin_sessions SET revoked_at = NOW() WHERE id = ?
+          • sessionManager('admin').invalidateRefreshToken(userId)
+          • Log it
 ```
 
+If the leader pod dies, its lease (15s TTL) expires and another pod claims it on the next tick. Worst-case revocation lag during failover: 15 seconds.
+
+### 🫀 The Activity Heartbeat
+
+A new admin-side hook listens for `mousemove`, `keydown`, `scroll`, `click`, `touchstart` (passive). On any event, **throttled to once per 30 seconds**, it fires `POST /strapi-security-suite/heartbeat`. The middleware chain treats it like any other authenticated request, so `trackActivity` updates `lastActiveAt`.
+
+This means a user filling a long form for 25 minutes — generating zero other HTTP traffic — is **not** auto-logged-out. Form-filling is correctly recognized as activity.
+
 ### 🖥️ The Frontend Interceptor
 
-On the admin panel side, `window.fetch` is patched to watch for a special header:
+`window.fetch` is patched to watch for the `app.admin.tk` response header:
 
 ```
   🌐 Admin makes any API call
@@ -162,79 +198,89 @@ On the admin panel side, `window.fetch` is patched to watch for a special header
        ▼
   👀 Check response headers for 'app.admin.tk'
        │
-       YES → 🚨 FORCED LOGOUT 🚨
-       │     window.stop()
-       │     window.location.reload()
-       │     (Session is over. Go home.)
+       YES → 🚨 FORCED LOGOUT 🚨  window.location.reload()
        │
        NO  → ✅ Normal response. Continue working.
 ```
 
 ---
 
+## 🗃️ DB Schema (auto-created on boot)
+
+| Table                | Purpose                       | Key columns                                                    |
+| -------------------- | ----------------------------- | -------------------------------------------------------------- |
+| `sss_admin_sessions` | One row per admin session     | `session_id` (unique), `email`, `last_active_at`, `revoked_at` |
+| `sss_login_locks`    | Cross-pod login lock          | `email` (unique), `locked_until`                               |
+| `sss_watcher_leases` | Watcher leader-election lease | `name` (unique), `holder`, `expires_at`                        |
+
+Hidden from the content-manager and content-type-builder via `pluginOptions`. Strapi creates them on first boot the same way the existing `security-settings` singleType is created — no manual migration step.
+
+---
+
 ## 📂 Project Structure
 
 ```
 strapi-security-suite/
 📁 admin/src/                    ← Admin panel (React)
-│   📄 index.js                    Plugin entry + fetch interceptor
-│   📄 constants.js                API paths, header names
+│   📄 index.js                    Plugin entry + fetch interceptor + heartbeat install
+│   📄 heartbeat.js                Throttled activity-heartbeat client hook
+│   📄 constants.js                API paths, header names, heartbeat throttle
 │   📄 pluginId.js                 Plugin ID constant
-│   📁 components/
-│   │   📄 Initializer.jsx         Plugin lifecycle init
+│   📁 components/Initializer.jsx  Plugin lifecycle init
 │   📁 pages/
 │   │   📄 App.jsx                 Router
-│   │   📄 HomePage.jsx            Settings UI (the pretty one)
-│   📁 translations/
-│       📄 en.json                 i18n strings
+│   │   📄 HomePage.jsx            Settings UI
+│   📁 translations/en.json        i18n strings
 │
 📁 server/src/                   ← Server-side (Node.js)
 │   📄 index.js                    Plugin entry point
 │   📄 register.js                 Middleware registration phase
-│   📄 bootstrap.js                Permissions + settings seeding
-│   📄 destroy.js                  Cleanup on shutdown
+│   📄 bootstrap.js                Permissions + settings seeding + watcher start
+│   📄 destroy.js                  Releases watcher lease, stops interval
 │   📄 constants.js                ⭐ ALL magic values live here
 │   │
 │   📁 controllers/
-│   │   📄 adminSecurityController.js   GET/POST settings (with validation!)
+│   │   📄 adminSecurityController.js   GET/POST settings + POST heartbeat
 │   │
 │   📁 services/
-│   │   📄 autoLogoutChecker.js    Background watcher (setInterval)
+│   │   📄 state.js                The DB-backed state core (replaces the in-memory globals)
+│   │   📄 autoLogoutChecker.js    Leader-elected background watcher
 │   │
 │   📁 middlewares/
-│   │   📄 seedUserInfos.js        Hydrate session from JWT
-│   │   📄 interceptRenewToken.js  Block renewal for dead sessions
-│   │   📄 trackActivity.js        Record last activity timestamp
-│   │   📄 rejectRevokedTokens.js  Nuke revoked sessions
-│   │   📄 preventMultipleSessions.js  One-session-per-admin gate
+│   │   📄 seedUserInfos.js        Decode JWT, extract userId + sessionId
+│   │   📄 interceptRenewToken.js  Revoke session on logout (DB-backed)
+│   │   📄 trackActivity.js        Persist lastActiveAt (write-coalesced)
+│   │   📄 rejectRevokedTokens.js  Force-reload signal + cookie clear
+│   │   📄 preventMultipleSessions.js  Cross-pod login lock + active-session check
 │   │
-│   📁 policies/
-│   │   📄 has-admin-permission.js  Route-level permission check
-│   │
-│   📁 globals/                  ← In-memory state (the "brain")
-│   │   📄 sessionActivityMap.js   Map<"id:email", timestamp>
-│   │   📄 revokedTokenSet.js      Set<email> of revoked sessions
-│   │   📄 loginLocks.js           Set<email> login race-condition guard
+│   📁 policies/has-admin-permission.js
 │   │
 │   📁 utils/
 │   │   📄 errors.js               PluginError, ValidationError, AuthorizationError
-│   │   📄 force-expire-admin.js   Issue a 1-second JWT to kill client token
+│   │   📄 clearSessionCookies.js  Clears koa.sess, koa.sess.sig, refresh + JWT cookies
 │   │
 │   📁 content-types/
-│   │   📁 security-settings/
-│   │       📄 schema.json          DB schema (singleType)
-│   │
-│   📁 routes/
-│   │   📄 index.js                Admin-typed routes with policies
+│   │   📁 security-settings/      Plugin config (singleType)
+│   │   📁 admin-session/          Per-session activity + revocation
+│   │   📁 login-lock/             Cross-pod login lock
+│   │   📁 watcher-lease/          Watcher leader-election lease
 │   │
-│   📁 types/
-│       📄 typedefs.js             JSDoc type definitions
+│   📁 routes/index.js             Admin-typed routes with policies
 │
-📄 eslint.config.mjs               ESLint v9 flat config
-📄 .prettierrc                     Prettier config
-📄 package.json                    Scripts, deps, lint-staged
-📁 .husky/
-    📄 pre-commit                  Runs lint-staged before every commit
+📁 tests/                        ← Vitest test suite (66 tests)
+│   📁 helpers/
+│   │   📄 strapi-fake.js          sqlite :memory: + Knex harness
+│   │   📄 mock-strapi.js          Mock-based ctx + state helpers
+│   📁 server/
+│   │   📄 state.test.js                  15 tests — touch, revocation, listIdle, hasActiveSession
+│   │   📄 state.concurrency.test.js      9 tests — multi-pod login lock + watcher lease
+│   │   📄 seedUserInfos.test.js          6 tests — JWT decode, ctx hydration
+│   │   📄 trackActivity.test.js          4 tests — touch, revocation rejection
+│   │   📄 rejectRevokedTokens.test.js    4 tests — header signal, sessionManager
+│   │   📄 preventMultipleSessions.test.js  8 tests — login lock flow
+│   │   📄 interceptRenewToken.test.js    3 tests — logout revocation
+│   │   📄 autoLogoutChecker.test.js      8 tests — leader election + idle revocation
+│   │   📄 adminSecurityController.test.js  9 tests — heartbeat + settings validation
 ```
 
 ---
@@ -267,16 +313,14 @@ All settings live in a **single-type** content-type in the database:
 
 All routes are **admin-typed** (Strapi handles auth automatically):
 
-| Method | Path                                    | Auth     | Permission       | Description     |
-| ------ | --------------------------------------- | -------- | ---------------- | --------------- |
-| `GET`  | `/strapi-security-suite/health`         | 🔓 None  | —                | Health check    |
-| `GET`  | `/strapi-security-suite/admin/settings` | 🔒 Admin | `view-configs`   | Read settings   |
-| `POST` | `/strapi-security-suite/admin/settings` | 🔒 Admin | `manage-configs` | Update settings |
+| Method | Path                                    | Auth     | Permission       | Description                       |
+| ------ | --------------------------------------- | -------- | ---------------- | --------------------------------- |
+| `POST` | `/strapi-security-suite/heartbeat`      | 🔒 Admin | —                | Activity keep-alive (returns 204) |
+| `GET`  | `/strapi-security-suite/admin/settings` | 🔒 Admin | `view-configs`   | Read security settings            |
+| `POST` | `/strapi-security-suite/admin/settings` | 🔒 Admin | `manage-configs` | Update security settings          |
 
 ### 🔐 Permissions
 
-The plugin registers three permission actions:
-
 | Permission                                     | What It Allows           |
 | ---------------------------------------------- | ------------------------ |
 | `plugin::strapi-security-suite.access`         | Access the settings page |
@@ -285,69 +329,61 @@ The plugin registers three permission actions:
 
 ---
 
-## ✅ Engineering Standards Compliance
+## 💡 Recommended Host-App Configuration
 
-This plugin follows the **STANDARDS.md** operating protocol:
+The plugin works out of the box with Strapi defaults, but for **tighter revocation latency** consider lowering the access-token TTL in your host app's `config/admin.js`:
 
-| Standard                      | Status | Details                                                               |
-| ----------------------------- | ------ | --------------------------------------------------------------------- |
-| 💬 **ES6+ JavaScript**        | ✅     | Arrow functions, destructuring, template literals, native ESM         |
-| 📄 **Full JSDoc**             | ✅     | Every export documented with `@param`, `@returns`, `@module`          |
-| 🔢 **No Magic Values**        | ✅     | All values in `constants.js` (status codes, cookies, headers, timing) |
-| 🚨 **Custom Error Hierarchy** | ✅     | `PluginError` → `ValidationError`, `AuthorizationError`               |
-| 🛡️ **Input Validation**       | ✅     | `saveSettings` validates keys, types, and shape                       |
-| 🔍 **ESLint**                 | ✅     | v9 flat config with jsdoc plugin + Prettier compat                    |
-| 🎨 **Prettier**               | ✅     | Single quotes, 100 print width, trailing commas                       |
-| 🪝 **Husky + lint-staged**    | ✅     | Pre-commit: ESLint fix + Prettier on staged files                     |
-| 🏗️ **Architecture**           | ✅     | Routes → Controllers → Services → Data (proper layering)              |
-| 🔐 **Security-First**         | ✅     | Auth/AuthZ separated, input validated, no secrets in logs             |
+```javascript
+module.exports = ({ env }) => ({
+  auth: {
+    secret: env('ADMIN_JWT_SECRET'),
+    options: {
+      expiresIn: '2m', // ← short access tokens, refreshed transparently by the admin frontend
+    },
+  },
+});
+```
+
+With a 2-minute access-token TTL, a revoked admin loses access within ~2 minutes even if no other request is made (next refresh attempt fails because the refresh token is also invalidated). With the default 30-minute TTL, revocation is enforced on the next request the admin makes (via the `app.admin.tk` force-reload signal) — instant for active admins, up to 30 min for an idle one whose tab is open.
 
 ---
 
 ## 🛠️ Development
 
 ```bash
-# Install dependencies
-yarn install
-
-# Build the plugin
-yarn build
-
-# Watch mode (auto-rebuild on changes)
-yarn watch
-
-# Lint everything
-yarn lint
-
-# Lint + auto-fix
-yarn lint:fix
-
-# Check formatting
-yarn format:check
-
-# Auto-format everything
-yarn format
-
-# Verify plugin exports
-yarn verify
+yarn install          # Install dependencies
+yarn build            # Build the plugin
+yarn watch            # Auto-rebuild on changes
+yarn lint             # ESLint
+yarn lint:fix         # ESLint --fix
+yarn format           # Prettier
+yarn format:check     # Check formatting
+yarn verify           # Verify plugin exports
+yarn test             # Run the full test suite (66 tests)
+yarn test:watch       # Vitest in watch mode
+yarn test:coverage    # Coverage report
 ```
 
+The state-service tests run against a real sqlite `:memory:` DB via Knex — they exercise the actual SQL the plugin issues, including the `SELECT … FOR UPDATE` paths and `ON CONFLICT` behaviors. Two simulated pods cover the cross-pod concurrency cases.
+
 ---
 
 ## 🔮 Roadmap
 
 | Feature                       | Status            |
 | ----------------------------- | ----------------- |
-| ⏰ Auto-Logout                | ✅ Shipped        |
-| 🚫 Single-Session Enforcement | ✅ Shipped        |
-| 💀 Token Revocation Pipeline  | ✅ Shipped        |
-| ⚙️ Admin Settings UI          | ✅ Shipped        |
+| ⏰ Auto-Logout                | ✅ Shipped (v0.1) |
+| 🚫 Single-Session Enforcement | ✅ Shipped (v0.1) |
+| 💀 Session Revocation         | ✅ Shipped (v0.1) |
+| ⚙️ Admin Settings UI          | ✅ Shipped (v0.1) |
+| 🌐 **Multi-Pod-Safe State**   | ✅ Shipped (v0.4) |
+| 🫀 **Activity Heartbeat**     | ✅ Shipped (v0.4) |
+| 🧪 **Test Suite (66 tests)**  | ✅ Shipped (v0.4) |
 | 🔑 Password Expiry            | 🚧 In Development |
 | 🔄 Non-Reusable Passwords     | 🚧 In Development |
 | 📝 Admin Activity Logs        | 🔜 Planned        |
 | 📊 Security Dashboard         | 🔜 Planned        |
 | 👊 Brute Force Detection      | 🔜 Planned        |
-| 👁️ Real-time Session Viewer   | 🔜 Planned        |
 
 ---
 
@@ -362,6 +398,9 @@ yarn verify
 > "I left my desk for coffee and came back logged out. Respect."
 > — Someone who now understands security
 
+> "We scaled to 8 pods on OpenShift and the plugin… just kept working. Sessions, revocations, locks — all consistent."
+> — A platform engineer in v0.4
+
 ---
 
 ## 👥 Author
@@ -380,9 +419,9 @@ yarn verify
 
 Security should be:
 
-- **Fast** — In-memory. No database lookups on every request.
+- **Correct under load** — Multi-pod deployments shouldn't degrade the security model into a coin flip.
+- **Cheap to operate** — DB-backed state with write-coalescing. No Redis. No new infra.
 - **Unforgiving** — Idle? Gone. Revoked? Dead. Duplicated? Blocked.
-- **Elegant** — Clean constants, typed errors, layered architecture.
 - **Mildly judgmental** — This plugin _will_ side-eye your stale sessions.
 
 > _"The meta-principle: make the right thing the default thing. Discipline compounds. Shortcuts compound too, just in the wrong direction."_

package/dist/_chunks/{App-ConqHB2Q.js → App-B-CRozv4.js}

@@ -5,7 +5,7 @@ const admin = require("@strapi/strapi/admin");
 const reactRouterDom = require("react-router-dom");
 const react = require("react");
 const designSystem = require("@strapi/design-system");
-const index = require("./index-BGBd43He.js");
+const index = require("./index-BVsx1rse.js");
 const HomePage = () => {
   const client = admin.useFetchClient();
   const [config, setConfig] = react.useState({

package/dist/_chunks/{App-CBOxzfqu.mjs → App-CM1kp54o.mjs}

@@ -3,7 +3,7 @@ import { useFetchClient, Page } from "@strapi/strapi/admin";
 import { Routes, Route } from "react-router-dom";
 import { useState, useEffect } from "react";
 import { Box, Typography, Alert, Flex, Divider, NumberInput, Switch, Button } from "@strapi/design-system";
-import { A as API_BASE_PATH, S as SUCCESS_ALERT_DURATION } from "./index-ZKJuPZEH.mjs";
+import { A as API_BASE_PATH, S as SUCCESS_ALERT_DURATION } from "./index-CrITOuMT.mjs";
 const HomePage = () => {
   const client = useFetchClient();
   const [config, setConfig] = useState({

package/dist/_chunks/{index-BGBd43He.js → index-BVsx1rse.js}

@@ -28,11 +28,42 @@ const SERVER_PLUGIN_NAME = "strapi-security-suite";
 const API_BASE_PATH = `/${SERVER_PLUGIN_NAME}`;
 const ADMIN_TOKEN_HEADER = "app.admin.tk";
 const SUCCESS_ALERT_DURATION = 3e3;
+const HEARTBEAT_INTERVAL_MS = 3e4;
 const getTrad = (id) => `${PLUGIN_ID}.${id}`;
+const HEARTBEAT_PATH = `${API_BASE_PATH}/heartbeat`;
+const ACTIVITY_EVENTS = ["mousemove", "keydown", "scroll", "click", "touchstart"];
+const installHeartbeat = () => {
+  if (typeof window === "undefined" || window.__sssHeartbeatInstalled) return;
+  window.__sssHeartbeatInstalled = true;
+  let lastFiredAt = 0;
+  let inFlight = false;
+  const fire = async () => {
+    const now = Date.now();
+    if (inFlight) return;
+    if (now - lastFiredAt < HEARTBEAT_INTERVAL_MS) return;
+    if (typeof document !== "undefined" && document.hidden) return;
+    lastFiredAt = now;
+    inFlight = true;
+    try {
+      await window.fetch(HEARTBEAT_PATH, {
+        method: "POST",
+        credentials: "include",
+        headers: { "Content-Type": "application/json" }
+      });
+    } catch {
+    } finally {
+      inFlight = false;
+    }
+  };
+  for (const evt of ACTIVITY_EVENTS) {
+    window.addEventListener(evt, fire, { passive: true });
+  }
+};
 const index = {
   /**
-   * Registers the plugin with the Strapi admin app and patches
-   * `window.fetch` to intercept forced-logout signal headers.
+   * Registers the plugin with the Strapi admin app, patches `window.fetch`
+   * to intercept forced-logout signal headers, and installs the activity
+   * heartbeat listener.
    *
    * @param {Object} app - Strapi admin application instance
    */
@@ -56,6 +87,7 @@ const index = {
       };
       window.__secureFetchPatched = true;
     }
+    installHeartbeat();
   },
   /**
    * Adds the Security Suite settings link under Settings > Global.
@@ -70,7 +102,7 @@ const index = {
         id: getTrad("settings.title"),
         defaultMessage: "Security Suite"
       },
-      Component: () => Promise.resolve().then(() => require("./App-ConqHB2Q.js")),
+      Component: () => Promise.resolve().then(() => require("./App-B-CRozv4.js")),
       permissions: [
         {
           action: "plugin::strapi-security-suite.access",

package/dist/_chunks/{index-ZKJuPZEH.mjs → index-CrITOuMT.mjs}

@@ -27,11 +27,42 @@ const SERVER_PLUGIN_NAME = "strapi-security-suite";
 const API_BASE_PATH = `/${SERVER_PLUGIN_NAME}`;
 const ADMIN_TOKEN_HEADER = "app.admin.tk";
 const SUCCESS_ALERT_DURATION = 3e3;
+const HEARTBEAT_INTERVAL_MS = 3e4;
 const getTrad = (id) => `${PLUGIN_ID}.${id}`;
+const HEARTBEAT_PATH = `${API_BASE_PATH}/heartbeat`;
+const ACTIVITY_EVENTS = ["mousemove", "keydown", "scroll", "click", "touchstart"];
+const installHeartbeat = () => {
+  if (typeof window === "undefined" || window.__sssHeartbeatInstalled) return;
+  window.__sssHeartbeatInstalled = true;
+  let lastFiredAt = 0;
+  let inFlight = false;
+  const fire = async () => {
+    const now = Date.now();
+    if (inFlight) return;
+    if (now - lastFiredAt < HEARTBEAT_INTERVAL_MS) return;
+    if (typeof document !== "undefined" && document.hidden) return;
+    lastFiredAt = now;
+    inFlight = true;
+    try {
+      await window.fetch(HEARTBEAT_PATH, {
+        method: "POST",
+        credentials: "include",
+        headers: { "Content-Type": "application/json" }
+      });
+    } catch {
+    } finally {
+      inFlight = false;
+    }
+  };
+  for (const evt of ACTIVITY_EVENTS) {
+    window.addEventListener(evt, fire, { passive: true });
+  }
+};
 const index = {
   /**
-   * Registers the plugin with the Strapi admin app and patches
-   * `window.fetch` to intercept forced-logout signal headers.
+   * Registers the plugin with the Strapi admin app, patches `window.fetch`
+   * to intercept forced-logout signal headers, and installs the activity
+   * heartbeat listener.
    *
    * @param {Object} app - Strapi admin application instance
    */
@@ -55,6 +86,7 @@ const index = {
       };
       window.__secureFetchPatched = true;
     }
+    installHeartbeat();
   },
   /**
    * Adds the Security Suite settings link under Settings > Global.
@@ -69,7 +101,7 @@ const index = {
         id: getTrad("settings.title"),
         defaultMessage: "Security Suite"
       },
-      Component: () => import("./App-CBOxzfqu.mjs"),
+      Component: () => import("./App-CM1kp54o.mjs"),
       permissions: [
         {
           action: "plugin::strapi-security-suite.access",

package/dist/admin/index.js

@@ -1,3 +1,3 @@
 "use strict";
-const index = require("../_chunks/index-BGBd43He.js");
+const index = require("../_chunks/index-BVsx1rse.js");
 module.exports = index.index;

package/dist/admin/index.mjs

@@ -1,4 +1,4 @@
-import { i } from "../_chunks/index-ZKJuPZEH.mjs";
+import { i } from "../_chunks/index-CrITOuMT.mjs";
 export {
   i as default
 };