fix: optimize session lookups and add geolocation on-demand

Performance improvements:
- Replace O(n) token decryption loops with O(1) tokenHash lookups in logout handler
- Optimize refresh token validation using refreshTokenHash
- Optimize refresh token update handler using refreshTokenHash

Bug fixes:
- Fix session termination not blocking requests (middleware timing issue)
- Add on-demand geolocation lookup for sessions without stored geo data

Code quality:
- Remove emojis from log messages (destroy.js)
- Add lazy cache cleanup to prevent memory leaks in lastTouchCache
- Add skipPaths for auth routes in last-seen middleware

All changes follow Strapi v5 Document Service API best practices.

Author: Schero94

package.json

@@ -1,5 +1,5 @@
 {
-  "version": "4.2.12",
+  "version": "4.2.13",
   "keywords": [
     "strapi",
     "strapi-plugin",

server/src/bootstrap.js

@@ -113,25 +113,15 @@ module.exports = async ({ strapi }) => {
             return;
           }
 
-          // Find session by decrypting tokens and matching
-          // Since tokens are encrypted, we need to get all active sessions and check each one
-          const allSessions = await strapi.documents(SESSION_UID).findMany( {
+          // Find session by tokenHash - O(1) DB lookup instead of O(n) decrypt loop!
+          const tokenHashValue = hashToken(token);
+          const matchingSession = await strapi.documents(SESSION_UID).findFirst({
             filters: {
+              tokenHash: tokenHashValue,
               isActive: true,
             },
           });
 
-          // Find matching session by decrypting and comparing tokens
-          const matchingSession = allSessions.find(session => {
-            if (!session.token) return false;
-            try {
-              const decrypted = decryptToken(session.token);
-              return decrypted === token;
-            } catch (err) {
-              return false;
-            }
-          });
-
           if (matchingSession) {
             await sessionService.terminateSession({ sessionId: matchingSession.documentId });
             log.info(`[LOGOUT] Logout via /api/auth/logout - Session ${matchingSession.documentId} terminated`);
@@ -324,24 +314,15 @@ module.exports = async ({ strapi }) => {
           const refreshToken = ctx.request.body?.refreshToken;
 
           if (refreshToken) {
-            // Find session with this refresh token
-            const allSessions = await strapi.documents(SESSION_UID).findMany( {
+            // Find session by refreshTokenHash - O(1) DB lookup instead of O(n) decrypt loop!
+            const refreshTokenHashValue = hashToken(refreshToken);
+            const matchingSession = await strapi.documents(SESSION_UID).findFirst({
               filters: {
+                refreshTokenHash: refreshTokenHashValue,
                 isActive: true,
               },
             });
 
-            // Find matching session by decrypting and comparing refresh tokens
-            const matchingSession = allSessions.find(session => {
-              if (!session.refreshToken) return false;
-              try {
-                const decrypted = decryptToken(session.refreshToken);
-                return decrypted === refreshToken;
-              } catch (err) {
-                return false;
-              }
-            });
-
             if (!matchingSession) {
               // No active session with this refresh token - Block!
               log.warn('[BLOCKED] Blocked refresh token request - no active session');
@@ -375,23 +356,15 @@ module.exports = async ({ strapi }) => {
           const newRefreshToken = ctx.body.refreshToken;
 
           if (oldRefreshToken) {
-            // Find session and update with new tokens
-            const allSessions = await strapi.documents(SESSION_UID).findMany( {
+            // Find session by refreshTokenHash - O(1) DB lookup instead of O(n) decrypt loop!
+            const oldRefreshTokenHash = hashToken(oldRefreshToken);
+            const matchingSession = await strapi.documents(SESSION_UID).findFirst({
               filters: {
+                refreshTokenHash: oldRefreshTokenHash,
                 isActive: true,
               },
             });
 
-            const matchingSession = allSessions.find(session => {
-              if (!session.refreshToken) return false;
-              try {
-                const decrypted = decryptToken(session.refreshToken);
-                return decrypted === oldRefreshToken;
-              } catch (err) {
-                return false;
-              }
-            });
-
             if (matchingSession) {
               const encryptedToken = newAccessToken ? encryptToken(newAccessToken) : matchingSession.token;
               const encryptedRefreshToken = newRefreshToken ? encryptToken(newRefreshToken) : matchingSession.refreshToken;

server/src/controllers/session.js

@@ -64,6 +64,7 @@ module.exports = {
    * GET /api/magic-sessionmanager/my-sessions
    * Automatically uses the authenticated user's documentId
    * Marks which session is the current one (based on JWT token hash)
+   * Fetches geolocation data on-demand if not already stored
    */
   async getOwnSessions(ctx) {
     try {
@@ -86,9 +87,12 @@ module.exports = {
       const config = strapi.config.get('plugin::magic-sessionmanager') || {};
       const inactivityTimeout = config.inactivityTimeout || 15 * 60 * 1000;
       const now = new Date();
+      
+      // Get geolocation service for on-demand lookups
+      const geolocationService = strapi.plugin('magic-sessionmanager').service('geolocation');
 
       // Enhance sessions with isCurrentSession flag and parsed device info
-      const sessionsWithCurrent = allSessions.map(session => {
+      const sessionsWithCurrent = await Promise.all(allSessions.map(async (session) => {
         const lastActiveTime = session.lastActive ? new Date(session.lastActive) : new Date(session.loginTime);
         const timeSinceActive = now - lastActiveTime;
         const isTrulyActive = session.isActive && (timeSinceActive < inactivityTimeout);
@@ -115,6 +119,34 @@ module.exports = {
             geoLocation = null;
           }
         }
+        
+        // On-demand geolocation lookup if not already stored
+        if (!geoLocation && session.ipAddress) {
+          try {
+            const geoData = await geolocationService.getIpInfo(session.ipAddress);
+            if (geoData && geoData.country !== 'Unknown') {
+              geoLocation = {
+                country: geoData.country,
+                country_code: geoData.country_code,
+                country_flag: geoData.country_flag,
+                city: geoData.city,
+                region: geoData.region,
+                timezone: geoData.timezone,
+              };
+              
+              // Persist to database for future requests (fire-and-forget)
+              strapi.documents(SESSION_UID).update({
+                documentId: session.documentId,
+                data: { 
+                  geoLocation: JSON.stringify(geoLocation),
+                  securityScore: geoData.securityScore || null,
+                },
+              }).catch(() => {}); // Ignore update errors
+            }
+          } catch (geoErr) {
+            strapi.log.debug('[magic-sessionmanager] Geolocation lookup failed:', geoErr.message);
+          }
+        }
 
         // Remove sensitive token fields and internal fields
         const { 
@@ -134,7 +166,7 @@ module.exports = {
           isTrulyActive,
           minutesSinceActive: Math.floor(timeSinceActive / 1000 / 60),
         };
-      });
+      }));
 
       // Sort: current session first, then by loginTime
       sessionsWithCurrent.sort((a, b) => {
@@ -273,6 +305,7 @@ module.exports = {
    * Get current session info based on JWT token hash
    * GET /api/magic-sessionmanager/current-session
    * Returns the session associated with the current JWT token
+   * Fetches geolocation on-demand if not already stored
    */
   async getCurrentSession(ctx) {
     try {
@@ -323,6 +356,35 @@ module.exports = {
           geoLocation = null;
         }
       }
+      
+      // On-demand geolocation lookup if not already stored
+      if (!geoLocation && currentSession.ipAddress) {
+        try {
+          const geolocationService = strapi.plugin('magic-sessionmanager').service('geolocation');
+          const geoData = await geolocationService.getIpInfo(currentSession.ipAddress);
+          if (geoData && geoData.country !== 'Unknown') {
+            geoLocation = {
+              country: geoData.country,
+              country_code: geoData.country_code,
+              country_flag: geoData.country_flag,
+              city: geoData.city,
+              region: geoData.region,
+              timezone: geoData.timezone,
+            };
+            
+            // Persist to database for future requests (fire-and-forget)
+            strapi.documents(SESSION_UID).update({
+              documentId: currentSession.documentId,
+              data: { 
+                geoLocation: JSON.stringify(geoLocation),
+                securityScore: geoData.securityScore || null,
+              },
+            }).catch(() => {}); // Ignore update errors
+          }
+        } catch (geoErr) {
+          strapi.log.debug('[magic-sessionmanager] Geolocation lookup failed:', geoErr.message);
+        }
+      }
 
       // Remove sensitive token fields and internal fields
       const { 

server/src/destroy.js

@@ -8,13 +8,13 @@ module.exports = async ({ strapi }) => {
   // Stop license pinging
   if (strapi.licenseGuard && strapi.licenseGuard.pingInterval) {
     clearInterval(strapi.licenseGuard.pingInterval);
-    log.info('🛑 License pinging stopped');
+    log.info('[STOP] License pinging stopped');
   }
 
   // Stop cleanup interval
   if (strapi.sessionManagerIntervals && strapi.sessionManagerIntervals.cleanup) {
     clearInterval(strapi.sessionManagerIntervals.cleanup);
-    log.info('🛑 Session cleanup interval stopped');
+    log.info('[STOP] Session cleanup interval stopped');
   }
 
   log.info('[SUCCESS] Plugin cleanup completed');

server/src/middlewares/last-seen.js

@@ -19,6 +19,27 @@ const { hashToken } = require('../utils/encryption');
 // In-memory cache for rate limiting (per session documentId)
 const lastTouchCache = new Map();
 
+// Cache cleanup settings
+const CACHE_MAX_SIZE = 10000; // Max entries before cleanup
+const CACHE_CLEANUP_AGE = 60 * 60 * 1000; // Remove entries older than 1 hour
+
+/**
+ * Periodically clean up old cache entries to prevent memory leaks
+ * Called lazily when cache grows too large
+ */
+function cleanupOldCacheEntries() {
+  if (lastTouchCache.size < CACHE_MAX_SIZE) return;
+  
+  const now = Date.now();
+  const cutoff = now - CACHE_CLEANUP_AGE;
+  
+  for (const [key, timestamp] of lastTouchCache.entries()) {
+    if (timestamp < cutoff) {
+      lastTouchCache.delete(key);
+    }
+  }
+}
+
 module.exports = ({ strapi }) => {
   return async (ctx, next) => {
     // Get JWT token from Authorization header
@@ -30,8 +51,20 @@ module.exports = ({ strapi }) => {
       return;
     }
 
-    // Skip internal/admin routes that don't need session tracking
-    const skipPaths = ['/admin', '/_health', '/favicon.ico'];
+    // Skip routes that don't need session validation
+    const skipPaths = [
+      '/admin',           // Admin panel routes (have their own auth)
+      '/_health',         // Health check
+      '/favicon.ico',     // Static assets
+      '/api/auth/local',  // Login endpoint
+      '/api/auth/register', // Registration endpoint
+      '/api/auth/forgot-password', // Password reset
+      '/api/auth/reset-password',  // Password reset
+      '/api/auth/logout', // Logout endpoint (handled separately)
+      '/api/auth/refresh', // Refresh token (has own validation in bootstrap.js)
+      '/api/connect',     // OAuth providers
+      '/api/magic-link',  // Magic link auth (if using magic-link plugin)
+    ];
     if (skipPaths.some(p => ctx.path.startsWith(p))) {
       await next();
       return;
@@ -63,14 +96,18 @@ module.exports = ({ strapi }) => {
           ctx.state.sessionUserId = matchingSession.user.documentId;
         }
       } else {
-        // Token exists but no active session found - check if user is authenticated
-        // Only block if we know this is an authenticated request
-        if (ctx.state.user && ctx.state.user.documentId) {
-          strapi.log.info(`[magic-sessionmanager] [BLOCKED] Session terminated for user ${ctx.state.user.documentId}`);
-          return ctx.unauthorized('This session has been terminated. Please login again.');
-        }
-        // If ctx.state.user not set, this might be a public route or JWT validation hasn't run yet
-        // Let the request continue - Strapi's auth will handle it
+        // Token exists but no active session found
+        // CRITICAL: We have a valid-looking JWT token but NO active session
+        // This means the session was terminated - MUST block the request!
+        // 
+        // Note: We cannot rely on ctx.state.user here because Strapi's JWT
+        // middleware runs AFTER our plugin middleware. So ctx.state.user
+        // is not yet set at this point.
+        //
+        // Since we have a Bearer token but no matching active session,
+        // this is definitely a terminated session - block it!
+        strapi.log.info(`[magic-sessionmanager] [BLOCKED] Request blocked - session terminated or invalid (token hash: ${currentTokenHash.substring(0, 8)}...)`);
+        return ctx.unauthorized('This session has been terminated. Please login again.');
       }
 
     } catch (err) {
@@ -94,6 +131,9 @@ module.exports = ({ strapi }) => {
           // Update cache
           lastTouchCache.set(matchingSession.documentId, now);
 
+          // Lazy cleanup: Remove old entries if cache grows too large
+          cleanupOldCacheEntries();
+          
           // Update database
           await strapi.documents(SESSION_UID).update({
             documentId: matchingSession.documentId,