npm - strapi-security-suite - Versions diffs - 0.3.2 → 0.4.0 - Mend

strapi-security-suite 0.3.2 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +171 -132
package/dist/_chunks/{App-ConqHB2Q.js → App-B-CRozv4.js} +1 -1
package/dist/_chunks/{App-CBOxzfqu.mjs → App-CM1kp54o.mjs} +1 -1
package/dist/_chunks/{index-BGBd43He.js → index-BVsx1rse.js} +35 -3
package/dist/_chunks/{index-ZKJuPZEH.mjs → index-CrITOuMT.mjs} +35 -3
package/dist/admin/index.js +1 -1
package/dist/admin/index.mjs +1 -1
package/dist/server/index.js +589 -138
package/dist/server/index.mjs +589 -138
package/package.json +9 -2

package/dist/server/index.js CHANGED Viewed

@@ -1,36 +1,34 @@
 "use strict";
 const jwt = require("jsonwebtoken");
+const node_crypto = require("node:crypto");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
 const jwt__default = /* @__PURE__ */ _interopDefault(jwt);
-const revokedTokenSet = /* @__PURE__ */ new Set();
-const revokedConnectionTokens = /* @__PURE__ */ new Map();
-const TOKEN_TTL = 30 * 60 * 1e3;
-function pruneExpiredTokens() {
-  const cutoff = Date.now() - TOKEN_TTL;
-  for (const [token, revokedAt] of revokedConnectionTokens) {
-    if (revokedAt < cutoff) {
-      revokedConnectionTokens.delete(token);
-    }
-  }
-}
-const sessionActivityMap = /* @__PURE__ */ new Map();
 const PLUGIN_ID = "strapi-security-suite";
 const CONTENT_TYPES = {
-  SECURITY_SETTINGS: `plugin::${PLUGIN_ID}.security-settings`
+  SECURITY_SETTINGS: `plugin::${PLUGIN_ID}.security-settings`,
+  ADMIN_SESSION: `plugin::${PLUGIN_ID}.admin-session`,
+  LOGIN_LOCK: `plugin::${PLUGIN_ID}.login-lock`,
+  WATCHER_LEASE: `plugin::${PLUGIN_ID}.watcher-lease`
 };
 const SERVICES = {
-  AUTO_LOGOUT_CHECKER: "autoLogoutChecker"
+  AUTO_LOGOUT_CHECKER: "autoLogoutChecker",
+  STATE: "state"
 };
 const CTX_ADMIN_USER = Symbol.for("security-suite:adminUser");
+const WATCHER_LEASE_NAME = "autologout-watcher";
 const CHECK_INTERVAL = 5e3;
 const DEFAULT_AUTOLOGOUT_TIME = 30;
 const MS_PER_MINUTE = 6e4;
 const MS_PER_SECOND = 1e3;
+const ACTIVITY_FLUSH_INTERVAL_MS = 30 * MS_PER_SECOND;
+const LOGIN_LOCK_TTL_MS = 10 * MS_PER_SECOND;
+const WATCHER_LEASE_TTL_MS = 15 * MS_PER_SECOND;
 const LOGIN_PATH = "/admin/login";
 const LOGOUT_PATH = "/admin/logout";
 const ACCESS_TOKEN_PATH = "/access-token";
 const CONTENT_PATH = "/content";
 const HTTP_STATUS = {
+  NO_CONTENT: 204,
   BAD_REQUEST: 400,
   FORBIDDEN: 403,
   CONFLICT: 409
@@ -106,17 +104,22 @@ function clearSessionCookies(ctx) {
     path: "/admin",
     httpOnly: true
   });
-  ctx.cookies.set(COOKIES.JWT_TOKEN, "", {
+  const configuredSecure = strapi.config.get("admin.auth.cookie.secure");
+  const isProduction = process.env.NODE_ENV === "production";
+  const jwtClearOpts = {
     expires: /* @__PURE__ */ new Date(0),
-    path: "/",
-    httpOnly: false
-  });
+    httpOnly: false,
+    secure: typeof configuredSecure === "boolean" ? configuredSecure : isProduction,
+    domain: strapi.config.get("admin.auth.domain"),
+    overwrite: true
+  };
+  ctx.cookies.set(COOKIES.JWT_TOKEN, "", jwtClearOpts);
 }
 async function trackActivity(ctx, next) {
   const adminUser = ctx.state[CTX_ADMIN_USER];
-  let key = adminUser?.id ? `${adminUser.id}:${adminUser.email}` : null;
-  const bearerToken = ctx.get("authorization")?.split("Bearer ")[1];
-  if (bearerToken && revokedConnectionTokens.has(bearerToken)) {
+  const state2 = strapi.plugin(PLUGIN_ID).service(SERVICES.STATE);
+  if (adminUser?.sessionId && await state2.isRevoked(adminUser.sessionId)) {
+    clearSessionCookies(ctx);
     ctx.status = HTTP_STATUS.FORBIDDEN;
     ctx.body = {
       error: {
@@ -129,21 +132,23 @@ async function trackActivity(ctx, next) {
   }
   if (ctx.path.includes(LOGOUT_PATH)) {
     clearSessionCookies(ctx);
-    key = null;
+    return await next();
   }
-  if (key) {
-    sessionActivityMap.set(key, Date.now());
-    strapi.log.debug(`[${PLUGIN_ID}] Activity updated: ${key}`);
+  if (adminUser?.sessionId && adminUser?.id && adminUser?.email) {
+    await state2.touch({
+      sessionId: adminUser.sessionId,
+      userId: adminUser.id,
+      email: adminUser.email
+    });
+    strapi.log.debug(`[${PLUGIN_ID}] Activity touched: ${adminUser.id}:${adminUser.email}`);
   }
   await next();
 }
-const loginLocks = /* @__PURE__ */ new Set();
-function cleanupLoginState(ctx) {
+async function cleanupLoginState(ctx) {
   const email = ctx.request.body?.email;
-  loginLocks.delete(email);
-  if (email && ctx.status < 400) {
-    revokedTokenSet.delete(email);
-  }
+  if (!email) return;
+  const state2 = strapi.plugin(PLUGIN_ID).service(SERVICES.STATE);
+  await state2.releaseLoginLock({ email });
 }
 async function preventMultipleSessions(ctx, next) {
   const isLoginPost = ctx.path === LOGIN_PATH && ctx.method === "POST";
@@ -156,21 +161,32 @@ async function preventMultipleSessions(ctx, next) {
     );
     return await next();
   }
+  const { email } = ctx.request.body ?? {};
+  if (!email) {
+    strapi.log.warn(`[${PLUGIN_ID}] Email missing in login request. Skipping session lock.`);
+    return await next();
+  }
+  const state2 = strapi.plugin(PLUGIN_ID).service(SERVICES.STATE);
+  let lockAcquired = false;
   try {
-    const { email } = ctx.request.body ?? {};
-    if (!email) {
-      strapi.log.warn(`[${PLUGIN_ID}] Email missing in login request. Skipping session lock.`);
-      return await next();
-    }
     const settings = await strapi.documents(CONTENT_TYPES.SECURITY_SETTINGS).findFirst({});
     if (!settings?.multipleSessionsControl) return await next();
-    const hasActiveSession = Array.from(sessionActivityMap.keys()).some(
-      (key) => key.endsWith(`:${email}`)
-    );
-    if (hasActiveSession || loginLocks.has(email)) {
-      strapi.log.warn(
-        `[${PLUGIN_ID}] Login blocked for ${email}: already logged in or logging in.`
-      );
+    const idleThresholdMs = (settings?.autoLogoutTime ?? DEFAULT_AUTOLOGOUT_TIME) * MS_PER_MINUTE;
+    const hasActive = await state2.hasActiveSession({ email, idleThresholdMs });
+    if (hasActive) {
+      strapi.log.warn(`[${PLUGIN_ID}] Login blocked for ${email}: already logged in.`);
+      ctx.status = HTTP_STATUS.CONFLICT;
+      ctx.body = {
+        error: {
+          status: HTTP_STATUS.CONFLICT,
+          message: ERROR_MESSAGES.MULTIPLE_SESSIONS
+        }
+      };
+      return;
+    }
+    lockAcquired = await state2.acquireLoginLock({ email });
+    if (!lockAcquired) {
+      strapi.log.warn(`[${PLUGIN_ID}] Login blocked for ${email}: another login is in flight.`);
       ctx.status = HTTP_STATUS.CONFLICT;
       ctx.body = {
         error: {
@@ -180,44 +196,40 @@ async function preventMultipleSessions(ctx, next) {
       };
       return;
     }
-    loginLocks.add(email);
   } catch (err) {
     strapi.log.error(`[${PLUGIN_ID}] Error in preventMultipleSessions:`, err);
   }
   try {
     await next();
   } finally {
-    cleanupLoginState(ctx);
+    if (lockAcquired) {
+      await cleanupLoginState(ctx);
+    }
   }
 }
 async function rejectRevokedTokens(ctx, next) {
   const adminUser = ctx.state[CTX_ADMIN_USER];
-  if (!adminUser?.email) return await next();
-  const { id, email: adminEmail } = adminUser;
-  const key = id && adminEmail ? `${id}:${adminEmail}` : null;
+  if (!adminUser?.sessionId) return await next();
+  const state2 = strapi.plugin(PLUGIN_ID).service(SERVICES.STATE);
   try {
-    if (adminEmail && revokedTokenSet.has(adminEmail)) {
-      ctx.set(HEADERS.ADMIN_TOKEN_SIGNAL, adminEmail);
-      ctx.set(HEADERS.EXPOSE_HEADERS, HEADERS.ADMIN_TOKEN_SIGNAL);
-      clearSessionCookies(ctx);
-      const bearerToken = ctx.get("authorization")?.split("Bearer ")[1];
-      if (bearerToken) {
-        revokedConnectionTokens.set(bearerToken, Date.now());
-      }
-      sessionActivityMap.delete(key);
-      revokedTokenSet.delete(adminEmail);
-      strapi.plugin(PLUGIN_ID).service(SERVICES.AUTO_LOGOUT_CHECKER).clearSessionActivity(id, adminEmail);
-      try {
-        if (strapi.sessionManager) {
-          await strapi.sessionManager("admin").invalidateRefreshToken(String(id));
-        }
-      } catch (err) {
-        strapi.log.error(`[${PLUGIN_ID}] Failed to invalidate DB session for ${adminEmail}:`, err);
+    const revoked = await state2.isRevoked(adminUser.sessionId);
+    if (!revoked) return await next();
+    ctx.set(HEADERS.ADMIN_TOKEN_SIGNAL, adminUser.email || "");
+    ctx.set(HEADERS.EXPOSE_HEADERS, HEADERS.ADMIN_TOKEN_SIGNAL);
+    clearSessionCookies(ctx);
+    try {
+      if (strapi.sessionManager && adminUser.id) {
+        await strapi.sessionManager("admin").invalidateRefreshToken(String(adminUser.id));
       }
-      strapi.log.info(`[${PLUGIN_ID}] Session revoked: ${adminEmail}`);
-      await next();
-      return;
+    } catch (err) {
+      strapi.log.error(
+        `[${PLUGIN_ID}] Failed to invalidate DB session for ${adminUser.email}:`,
+        err
+      );
     }
+    strapi.log.info(
+      `[${PLUGIN_ID}] Session revoked: ${adminUser.email} (session ${adminUser.sessionId})`
+    );
   } catch (err) {
     strapi.log.error(`[${PLUGIN_ID}] Error in rejectRevokedTokens middleware:`, err);
   }
@@ -227,15 +239,11 @@ async function interceptRenewToken(ctx, next) {
   if (ctx.path.includes(LOGOUT_PATH)) {
     const adminUser = ctx.state[CTX_ADMIN_USER];
     strapi.log.debug(`[${PLUGIN_ID}] Logout captured: ${JSON.stringify(adminUser)}`);
-    if (adminUser?.id) {
-      strapi.plugin(PLUGIN_ID).service(SERVICES.AUTO_LOGOUT_CHECKER).clearSessionActivity(adminUser.id, adminUser.email);
-      const bearerToken = ctx.get("authorization")?.split("Bearer ")[1];
-      if (bearerToken) {
-        revokedConnectionTokens.set(bearerToken, Date.now());
-      }
-      clearSessionCookies(ctx);
-      sessionActivityMap.delete(`${adminUser.id}:${adminUser.email}`);
+    if (adminUser?.sessionId) {
+      const state2 = strapi.plugin(PLUGIN_ID).service(SERVICES.STATE);
+      await state2.revokeSession({ sessionId: adminUser.sessionId });
     }
+    clearSessionCookies(ctx);
     await next();
     return;
   }
@@ -257,6 +265,7 @@ async function seedUserInfos(ctx, next) {
     if (!token) return await next();
     const decodedToken = jwt__default.default.decode(token);
     const adminId = decodedToken?.userId;
+    const sessionId = decodedToken?.sessionId;
     if (!adminId || ctx.state[CTX_ADMIN_USER]?.id) {
       return await next();
     }
@@ -270,16 +279,13 @@ async function seedUserInfos(ctx, next) {
     }
     ctx.state[CTX_ADMIN_USER] = {
       id: adminUser.id,
+      sessionId,
       email: adminUser.email,
       firstname: adminUser.firstname,
       lastname: adminUser.lastname,
       roles: adminUser.roles
     };
-    const key = `${adminUser.id}:${adminUser.email}`;
-    if (!sessionActivityMap.has(key)) {
-      sessionActivityMap.set(key, Date.now());
-    }
-    strapi.log.debug(`[${PLUGIN_ID}] Admin identified: ${adminUser.email}`);
+    strapi.log.debug(`[${PLUGIN_ID}] Admin identified: ${adminUser.email} (session ${sessionId})`);
     return await next();
   } catch (error) {
     strapi.log.error(`[${PLUGIN_ID}] Failed to decode or hydrate admin token:`, error);
@@ -336,8 +342,8 @@ async function ensureDefaultSecuritySettings(strapi2) {
     strapi2.log.error(`[${PLUGIN_ID}] Failed to ensure default security settings:`, error);
   }
 }
-const destroy = ({ strapi: strapi2 }) => {
-  strapi2.plugin(PLUGIN_ID).service(SERVICES.AUTO_LOGOUT_CHECKER).stopAutoLogoutWatcher();
+const destroy = async ({ strapi: strapi2 }) => {
+  await strapi2.plugin(PLUGIN_ID).service(SERVICES.AUTO_LOGOUT_CHECKER).stopAutoLogoutWatcher();
 };
 const register = ({ strapi: strapi2 }) => {
   strapi2.server.use(middlewares.seedUserInfos);
@@ -358,17 +364,17 @@ const config = {
   validator(_config) {
   }
 };
-const kind = "singleType";
-const info = {
+const kind$3 = "singleType";
+const info$3 = {
   singularName: "security-settings",
   pluralName: "security-settings",
   displayName: "Security Settings",
   description: "Stores security and session settings"
 };
-const options = {
+const options$3 = {
   draftAndPublish: false
 };
-const pluginOptions = {
+const pluginOptions$3 = {
   "content-manager": {
     visible: false
   },
@@ -376,7 +382,7 @@ const pluginOptions = {
     visible: false
   }
 };
-const attributes = {
+const attributes$3 = {
   autoLogoutTime: {
     type: "integer",
     required: true,
@@ -400,18 +406,157 @@ const attributes = {
     "default": true
   }
 };
+const schema$3 = {
+  kind: kind$3,
+  info: info$3,
+  options: options$3,
+  pluginOptions: pluginOptions$3,
+  attributes: attributes$3
+};
+const securitySettings = {
+  schema: schema$3
+};
+const kind$2 = "collectionType";
+const collectionName$2 = "sss_admin_sessions";
+const info$2 = {
+  singularName: "admin-session",
+  pluralName: "admin-sessions",
+  displayName: "Admin Session",
+  description: "Per-session activity and revocation state for admin users (managed by strapi-security-suite)."
+};
+const options$2 = {
+  draftAndPublish: false
+};
+const pluginOptions$2 = {
+  "content-manager": {
+    visible: false
+  },
+  "content-type-builder": {
+    visible: false
+  }
+};
+const attributes$2 = {
+  sessionId: {
+    type: "string",
+    required: true,
+    unique: true
+  },
+  userId: {
+    type: "integer",
+    required: true
+  },
+  email: {
+    type: "string",
+    required: true
+  },
+  lastActiveAt: {
+    type: "datetime",
+    required: true
+  },
+  revokedAt: {
+    type: "datetime"
+  }
+};
+const schema$2 = {
+  kind: kind$2,
+  collectionName: collectionName$2,
+  info: info$2,
+  options: options$2,
+  pluginOptions: pluginOptions$2,
+  attributes: attributes$2
+};
+const adminSession = {
+  schema: schema$2
+};
+const kind$1 = "collectionType";
+const collectionName$1 = "sss_login_locks";
+const info$1 = {
+  singularName: "login-lock",
+  pluralName: "login-locks",
+  displayName: "Login Lock",
+  description: "Cross-pod login lock keyed by email (managed by strapi-security-suite)."
+};
+const options$1 = {
+  draftAndPublish: false
+};
+const pluginOptions$1 = {
+  "content-manager": {
+    visible: false
+  },
+  "content-type-builder": {
+    visible: false
+  }
+};
+const attributes$1 = {
+  email: {
+    type: "string",
+    required: true,
+    unique: true
+  },
+  lockedUntil: {
+    type: "datetime",
+    required: true
+  }
+};
+const schema$1 = {
+  kind: kind$1,
+  collectionName: collectionName$1,
+  info: info$1,
+  options: options$1,
+  pluginOptions: pluginOptions$1,
+  attributes: attributes$1
+};
+const loginLock = {
+  schema: schema$1
+};
+const kind = "collectionType";
+const collectionName = "sss_watcher_leases";
+const info = {
+  singularName: "watcher-lease",
+  pluralName: "watcher-leases",
+  displayName: "Watcher Lease",
+  description: "Cross-pod leader-election lease for the auto-logout watcher (managed by strapi-security-suite)."
+};
+const options = {
+  draftAndPublish: false
+};
+const pluginOptions = {
+  "content-manager": {
+    visible: false
+  },
+  "content-type-builder": {
+    visible: false
+  }
+};
+const attributes = {
+  name: {
+    type: "string",
+    required: true,
+    unique: true
+  },
+  holder: {
+    type: "string"
+  },
+  expiresAt: {
+    type: "datetime"
+  }
+};
 const schema = {
   kind,
+  collectionName,
   info,
   options,
   pluginOptions,
   attributes
 };
-const securitySettings = {
+const watcherLease = {
   schema
 };
 const contentTypes = {
-  "security-settings": securitySettings
+  "security-settings": securitySettings,
+  "admin-session": adminSession,
+  "login-lock": loginLock,
+  "watcher-lease": watcherLease
 };
 const validateSettingsPayload = (body) => {
   if (!body || typeof body !== "object" || Array.isArray(body)) {
@@ -490,6 +635,18 @@ const adminSecurityController = ({ strapi: strapi2 }) => ({
         err.sanitizedMessage || ERROR_MESSAGES.UNKNOWN_ERROR
       );
     }
+  },
+  /**
+   * Lightweight keep-alive endpoint hit by the admin client while the user
+   * is actively interacting with the UI (mouse / keyboard). The middleware
+   * chain (`seedUserInfos` → `trackActivity`) does the actual work of
+   * persisting `lastActiveAt` for the current session, so the handler
+   * itself only needs to return 204.
+   *
+   * @param {import('koa').Context} ctx - Koa context
+   */
+  heartbeat(ctx) {
+    ctx.status = HTTP_STATUS.NO_CONTENT;
   }
 });
 const controllers = {
@@ -518,11 +675,11 @@ const policies = {
 };
 const admin = [
   {
-    method: "GET",
-    path: "/health",
-    handler: "adminSecurityController.getSettings",
+    method: "POST",
+    path: "/heartbeat",
+    handler: "adminSecurityController.heartbeat",
     config: {
-      auth: false
+      // No policy: any authenticated admin may keep their session alive
     }
   },
   {
@@ -561,74 +718,368 @@ const routes = {
 let interval = null;
 const autoLogoutChecker = ({ strapi: strapi2 }) => ({
   /**
-   * Starts the auto-logout watcher interval.
-   *
-   * Runs every {@link CHECK_INTERVAL} ms, reads the configured `autoLogoutTime`
-   * from the database, and revokes tokens for sessions that have been idle
-   * beyond the threshold.
+   * Starts the auto-logout watcher interval. Idempotent — calling twice
+   * leaves the existing interval intact.
    */
   startAutoLogoutWatcher() {
     if (interval) {
       strapi2.log.warn(`[${PLUGIN_ID}] AutoLogoutWatcher already running.`);
       return;
     }
+    const state2 = strapi2.plugin(PLUGIN_ID).service(SERVICES.STATE);
     interval = setInterval(async () => {
       try {
-        pruneExpiredTokens();
+        const isLeader = await state2.acquireWatcherLease();
+        if (!isLeader) return;
+        await state2.pruneExpiredLocks();
         const settings = await strapi2.documents(CONTENT_TYPES.SECURITY_SETTINGS).findFirst({});
-        const autoLogoutTime = (settings?.autoLogoutTime ?? DEFAULT_AUTOLOGOUT_TIME) * MS_PER_MINUTE;
-        const now = Date.now();
-        for (const [key, lastActive] of sessionActivityMap.entries()) {
-          const [adminId, email] = key.split(":");
-          const idleDuration = now - lastActive;
-          if (idleDuration <= autoLogoutTime || revokedTokenSet.has(email)) continue;
-          revokedTokenSet.add(email);
-          sessionActivityMap.delete(key);
-          if (strapi2.sessionManager) {
-            await strapi2.sessionManager("admin").invalidateRefreshToken(String(adminId)).catch(
-              (e) => strapi2.log.error(`[${PLUGIN_ID}] Failed to invalidate DB session for ${email}:`, e)
+        const idleThresholdMs = (settings?.autoLogoutTime ?? DEFAULT_AUTOLOGOUT_TIME) * MS_PER_MINUTE;
+        const idleSessions = await state2.listIdleSessions({ idleThresholdMs });
+        if (idleSessions.length === 0) return;
+        for (const session of idleSessions) {
+          await state2.revokeSession({ sessionId: session.sessionId });
+          if (strapi2.sessionManager && session.userId) {
+            await strapi2.sessionManager("admin").invalidateRefreshToken(String(session.userId)).catch(
+              (e) => strapi2.log.error(
+                `[${PLUGIN_ID}] Failed to invalidate DB session for ${session.email}:`,
+                e
+              )
             );
           }
+          const idleSeconds = Math.floor(
+            (Date.now() - new Date(session.lastActiveAt).getTime()) / MS_PER_SECOND
+          );
           strapi2.log.info(
-            `[${PLUGIN_ID}] Auto-logged out admin "${email}" after ${Math.floor(idleDuration / MS_PER_SECOND)}s of inactivity.`
+            `[${PLUGIN_ID}] Auto-logged out admin "${session.email}" after ${idleSeconds}s of inactivity.`
           );
         }
       } catch (err) {
-        strapi2.log.error(`[${PLUGIN_ID}] AutoLogoutWatcher failed:`, err);
+        strapi2.log.error(`[${PLUGIN_ID}] AutoLogoutWatcher tick failed:`, err);
       }
     }, CHECK_INTERVAL);
   },
   /**
-   * Stops the auto-logout watcher interval and releases the timer reference.
-   */
-  stopAutoLogoutWatcher() {
-    if (interval) {
-      clearInterval(interval);
-      interval = null;
-      strapi2.log.info(`[${PLUGIN_ID}] AutoLogoutWatcher stopped.`);
-    }
-  },
-  /**
-   * Manually clears session activity and revoked state for a user.
+   * Stops the auto-logout watcher interval and releases the lease so another
+   * pod can pick it up immediately rather than waiting for TTL expiry.
    *
-   * @param {string} adminId - Admin user ID
-   * @param {string} email - Admin email address
-   * @param {string} [reason='manual'] - Reason for clearing (used in log messages)
+   * @returns {Promise<void>}
    */
-  clearSessionActivity(adminId, email, reason = "manual") {
-    const key = `${adminId}:${email}`;
-    if (sessionActivityMap.has(key)) {
-      sessionActivityMap.delete(key);
-      strapi2.log.info(`[${PLUGIN_ID}] Session cleared for ${key} (${reason})`);
-    }
-    if (revokedTokenSet.has(email)) {
-      revokedTokenSet.delete(email);
-      strapi2.log.info(`[${PLUGIN_ID}] Revoked token cleared for ${email}`);
-    }
+  async stopAutoLogoutWatcher() {
+    if (!interval) return;
+    clearInterval(interval);
+    interval = null;
+    const state2 = strapi2.plugin(PLUGIN_ID).service(SERVICES.STATE);
+    await state2.releaseWatcherLease();
+    strapi2.log.info(`[${PLUGIN_ID}] AutoLogoutWatcher stopped.`);
   }
 });
+const lastDbWriteAt = /* @__PURE__ */ new Map();
+const POD_ID = `${process.env.HOSTNAME ?? "pod"}-${node_crypto.randomUUID()}`;
+const isUniqueConstraintError = (err) => {
+  if (!err) return false;
+  const msg = String(err.message ?? "");
+  return err.code === "23505" || err.code === "ER_DUP_ENTRY" || err.errno === 1062 || err.errno === 19 || /unique/i.test(msg) || /duplicate/i.test(msg);
+};
+const columnFor = (strapi2, uid, attribute) => {
+  try {
+    const metadata = strapi2.db.metadata.get(uid);
+    const attr = metadata?.attributes?.[attribute];
+    if (attr?.columnName) return attr.columnName;
+  } catch {
+  }
+  return attribute.replace(/[A-Z]/g, (c) => `_${c.toLowerCase()}`);
+};
+const state = ({ strapi: strapi2 }) => {
+  const sessionUid = CONTENT_TYPES.ADMIN_SESSION;
+  const lockUid = CONTENT_TYPES.LOGIN_LOCK;
+  const leaseUid = CONTENT_TYPES.WATCHER_LEASE;
+  const tableOf = (uid) => strapi2.db.metadata.get(uid).tableName;
+  return {
+    /** Stable per-pod identifier; exposed for diagnostics. */
+    POD_ID,
+    /**
+     * Persists the user's last-active timestamp, write-coalesced to once
+     * per {@link ACTIVITY_FLUSH_INTERVAL_MS} per session.
+     *
+     * On first call for a session, performs an INSERT; subsequent calls
+     * UPDATE the existing row. A unique-constraint conflict (two pods
+     * inserting concurrently) falls back to UPDATE.
+     *
+     * @param {object} params
+     * @param {string} params.sessionId - JWT sessionId
+     * @param {number|string} params.userId - Admin user ID
+     * @param {string} params.email - Admin email
+     * @returns {Promise<void>}
+     */
+    async touch({ sessionId, userId, email }) {
+      if (!sessionId || !userId || !email) return;
+      const now = Date.now();
+      const lastWrite = lastDbWriteAt.get(sessionId) ?? 0;
+      if (now - lastWrite < ACTIVITY_FLUSH_INTERVAL_MS) return;
+      lastDbWriteAt.set(sessionId, now);
+      const lastActiveAt = new Date(now);
+      try {
+        const existing = await strapi2.db.query(sessionUid).findOne({ where: { sessionId }, select: ["id"] });
+        if (existing) {
+          await strapi2.db.query(sessionUid).update({
+            where: { id: existing.id },
+            data: { lastActiveAt }
+          });
+          return;
+        }
+        await strapi2.db.query(sessionUid).create({
+          data: { sessionId, userId, email, lastActiveAt }
+        });
+      } catch (err) {
+        if (isUniqueConstraintError(err)) {
+          await strapi2.db.query(sessionUid).update({ where: { sessionId }, data: { lastActiveAt } }).catch((e) => strapi2.log.error(`[${PLUGIN_ID}] touch fallback update failed:`, e));
+          return;
+        }
+        strapi2.log.error(`[${PLUGIN_ID}] touch failed for ${email}:`, err);
+      }
+    },
+    /**
+     * Returns true if the given session has been revoked.
+     *
+     * @param {string} sessionId - JWT sessionId
+     * @returns {Promise<boolean>}
+     */
+    async isRevoked(sessionId) {
+      if (!sessionId) return false;
+      const row = await strapi2.db.query(sessionUid).findOne({ where: { sessionId }, select: ["revokedAt"] });
+      return Boolean(row?.revokedAt);
+    },
+    /**
+     * Marks a session as revoked.
+     *
+     * @param {object} params
+     * @param {string} params.sessionId - JWT sessionId
+     * @returns {Promise<void>}
+     */
+    async revokeSession({ sessionId }) {
+      if (!sessionId) return;
+      lastDbWriteAt.delete(sessionId);
+      await strapi2.db.query(sessionUid).updateMany({ where: { sessionId }, data: { revokedAt: /* @__PURE__ */ new Date() } });
+    },
+    /**
+     * Marks all sessions belonging to the given email as revoked.
+     * Used by the auto-logout watcher and email-level revocation paths.
+     *
+     * @param {object} params
+     * @param {string} params.email - Admin email
+     * @returns {Promise<number>} Number of sessions revoked
+     */
+    async revokeAllForEmail({ email }) {
+      if (!email) return 0;
+      const result = await strapi2.db.query(sessionUid).updateMany({
+        where: { email, revokedAt: { $null: true } },
+        data: { revokedAt: /* @__PURE__ */ new Date() }
+      });
+      return result?.count ?? 0;
+    },
+    /**
+     * Returns true if the email has an active (non-revoked, recent) session.
+     * Used by preventMultipleSessions.
+     *
+     * @param {object} params
+     * @param {string} params.email - Admin email
+     * @param {number} params.idleThresholdMs - Idle threshold in milliseconds
+     * @returns {Promise<boolean>}
+     */
+    async hasActiveSession({ email, idleThresholdMs }) {
+      if (!email) return false;
+      const cutoff = new Date(Date.now() - idleThresholdMs);
+      const row = await strapi2.db.query(sessionUid).findOne({
+        where: {
+          email,
+          revokedAt: { $null: true },
+          lastActiveAt: { $gte: cutoff }
+        },
+        select: ["id"]
+      });
+      return Boolean(row);
+    },
+    /**
+     * Lists session rows that have been idle past the given threshold and
+     * are not yet revoked. Returns a small projection only.
+     *
+     * @param {object} params
+     * @param {number} params.idleThresholdMs - Idle threshold in milliseconds
+     * @returns {Promise<Array<{ id: number, sessionId: string, userId: number, email: string, lastActiveAt: Date }>>}
+     */
+    async listIdleSessions({ idleThresholdMs }) {
+      const cutoff = new Date(Date.now() - idleThresholdMs);
+      return strapi2.db.query(sessionUid).findMany({
+        where: {
+          revokedAt: { $null: true },
+          lastActiveAt: { $lt: cutoff }
+        },
+        select: ["id", "sessionId", "userId", "email", "lastActiveAt"]
+      });
+    },
+    /**
+     * Atomically attempts to acquire a login lock for the given email.
+     * Returns true on success, false if another pod holds an unexpired lock.
+     *
+     * Uses `SELECT … FOR UPDATE` inside a transaction for cross-DB
+     * mutual exclusion (Postgres / MySQL / SQLite).
+     *
+     * @param {object} params
+     * @param {string} params.email - Admin email
+     * @returns {Promise<boolean>} True if the lock was acquired
+     */
+    async acquireLoginLock({ email }) {
+      if (!email) return true;
+      const tableName = tableOf(lockUid);
+      const emailCol = columnFor(strapi2, lockUid, "email");
+      const lockedUntilCol = columnFor(strapi2, lockUid, "lockedUntil");
+      const documentIdCol = "document_id";
+      const createdAtCol = "created_at";
+      const updatedAtCol = "updated_at";
+      const now = /* @__PURE__ */ new Date();
+      const lockedUntil = new Date(now.getTime() + LOGIN_LOCK_TTL_MS);
+      const knex = strapi2.db.connection;
+      try {
+        return await knex.transaction(async (trx) => {
+          const row = await trx(tableName).where({ [emailCol]: email }).first().forUpdate();
+          if (!row) {
+            try {
+              await trx(tableName).insert({
+                [documentIdCol]: node_crypto.randomUUID(),
+                [emailCol]: email,
+                [lockedUntilCol]: lockedUntil,
+                [createdAtCol]: now,
+                [updatedAtCol]: now
+              });
+              return true;
+            } catch (err) {
+              if (isUniqueConstraintError(err)) return false;
+              throw err;
+            }
+          }
+          const heldUntil = row[lockedUntilCol] ? new Date(row[lockedUntilCol]) : null;
+          if (heldUntil && heldUntil > now) return false;
+          await trx(tableName).where({ id: row.id }).update({ [lockedUntilCol]: lockedUntil, [updatedAtCol]: now });
+          return true;
+        });
+      } catch (err) {
+        strapi2.log.error(`[${PLUGIN_ID}] acquireLoginLock failed for ${email}:`, err);
+        return false;
+      }
+    },
+    /**
+     * Releases the login lock for the given email. Idempotent.
+     *
+     * @param {object} params
+     * @param {string} params.email - Admin email
+     * @returns {Promise<void>}
+     */
+    async releaseLoginLock({ email }) {
+      if (!email) return;
+      try {
+        await strapi2.db.query(lockUid).deleteMany({ where: { email } });
+      } catch (err) {
+        strapi2.log.error(`[${PLUGIN_ID}] releaseLoginLock failed for ${email}:`, err);
+      }
+    },
+    /**
+     * Removes login-lock rows whose `lockedUntil` has passed.
+     *
+     * @returns {Promise<number>} Number of rows deleted
+     */
+    async pruneExpiredLocks() {
+      const result = await strapi2.db.query(lockUid).deleteMany({
+        where: { lockedUntil: { $lt: /* @__PURE__ */ new Date() } }
+      });
+      return result?.count ?? 0;
+    },
+    /**
+     * Atomically attempts to acquire (or renew) the auto-logout watcher lease.
+     * Only the holding pod runs the periodic watcher body cluster-wide.
+     *
+     * @returns {Promise<boolean>} True if this pod now holds the lease
+     */
+    async acquireWatcherLease() {
+      const tableName = tableOf(leaseUid);
+      const nameCol = columnFor(strapi2, leaseUid, "name");
+      const holderCol = columnFor(strapi2, leaseUid, "holder");
+      const expiresAtCol = columnFor(strapi2, leaseUid, "expiresAt");
+      const documentIdCol = "document_id";
+      const createdAtCol = "created_at";
+      const updatedAtCol = "updated_at";
+      const now = /* @__PURE__ */ new Date();
+      const expiresAt = new Date(now.getTime() + WATCHER_LEASE_TTL_MS);
+      const knex = strapi2.db.connection;
+      try {
+        return await knex.transaction(async (trx) => {
+          const row = await trx(tableName).where({ [nameCol]: WATCHER_LEASE_NAME }).first().forUpdate();
+          if (!row) {
+            try {
+              await trx(tableName).insert({
+                [documentIdCol]: node_crypto.randomUUID(),
+                [nameCol]: WATCHER_LEASE_NAME,
+                [holderCol]: POD_ID,
+                [expiresAtCol]: expiresAt,
+                [createdAtCol]: now,
+                [updatedAtCol]: now
+              });
+              return true;
+            } catch (err) {
+              if (isUniqueConstraintError(err)) return false;
+              throw err;
+            }
+          }
+          const heldUntil = row[expiresAtCol] ? new Date(row[expiresAtCol]) : null;
+          const isOwner = row[holderCol] === POD_ID;
+          const expired = !heldUntil || heldUntil <= now;
+          if (!isOwner && !expired) return false;
+          await trx(tableName).where({ id: row.id }).update({
+            [holderCol]: POD_ID,
+            [expiresAtCol]: expiresAt,
+            [updatedAtCol]: now
+          });
+          return true;
+        });
+      } catch (err) {
+        strapi2.log.error(`[${PLUGIN_ID}] acquireWatcherLease failed:`, err);
+        return false;
+      }
+    },
+    /**
+     * Releases the watcher lease, but only if this pod currently holds it.
+     *
+     * @returns {Promise<void>}
+     */
+    async releaseWatcherLease() {
+      const tableName = tableOf(leaseUid);
+      const nameCol = columnFor(strapi2, leaseUid, "name");
+      const holderCol = columnFor(strapi2, leaseUid, "holder");
+      const expiresAtCol = columnFor(strapi2, leaseUid, "expiresAt");
+      const updatedAtCol = "updated_at";
+      try {
+        await strapi2.db.connection(tableName).where({ [nameCol]: WATCHER_LEASE_NAME, [holderCol]: POD_ID }).update({
+          [holderCol]: "",
+          [expiresAtCol]: /* @__PURE__ */ new Date(0),
+          [updatedAtCol]: /* @__PURE__ */ new Date()
+        });
+      } catch (err) {
+        strapi2.log.error(`[${PLUGIN_ID}] releaseWatcherLease failed:`, err);
+      }
+    },
+    /**
+     * Test-only: clears the per-pod write-coalescing cache.
+     * Exposed for unit tests so each test starts from a clean slate.
+     *
+     * @returns {void}
+     */
+    _resetActivityCache() {
+      lastDbWriteAt.clear();
+    }
+  };
+};
 const services = {
-  autoLogoutChecker
+  autoLogoutChecker,
+  state
 };
 const index = {
   bootstrap,