# 🛡️ Strapi Security Suite (Beta)

## **The Last Plugin You’ll Ever Need to Sleep at Night**

A high-performance, in-memory security enhancement plugin for **Strapi v5**. Session-obsessed. Built for the **chaotic genius admin** who refuses to get breached by a stale token.\
Powered by **rage, memory maps, and accountability.**

---

## ✨ Why This Exists

Because “just trusting sessions” is how *breaches happen*.\
Because the admin panel deserves better.\
Because your team deserves **a real security layer**, not a checkbox.

---

## ⚔️ Features That Slap

### 🔒 Auto Logout (with taste)

Kick idle admins like it’s office closing time.

- 🔍 Tracks every request
- ⏲️ Custom inactivity timeout from DB
- 🧠 Memory-first with `sessionActivityMap`
- 💨 Triggers soft or *nuclear* logout depending on your vibe
- 💾 Graceful 440s, JS responses, and gentle redirects

### 🚷 Multi-Session Lock

One admin = one session. No shadow clones allowed.

- 💥 First login wins, others are denied
- 🧹 Cleans old sessions like a digital janitor

### 🧄 Session Exorcism Layer™

Revoked tokens get ghosted *instantly*.\
Even if Strapi tries to pretend they’re still cute.

- 🔪 Middleware blocks
- 🪦 Session cookie wipeout
- 📩 Headers set for frontend rejections
- 🗑️ `isLoggedIn` purged with prejudice

### 🧠 Smart Middleware Stack

- `trackActivity`: Updates the last-seen timestamp on every request
- `rejectRevokedTokens`: Blocks dead sessions like a haunted firewall, before any route handler ever sees them
- `interceptRenewToken`: Stops Strapi’s clingy `/renew-token` requests from reviving zombies. A revoked token that hasn’t expired yet can’t be traded in for a fresh one

---

## 🧪 Configuration Schema

```json
{
  "autoLogoutTime": 30,
  "multipleSessionsControl": true,
  "passwordExpiryDays": 30,
  "nonReusablePassword": true,
  "enablePasswordManagement": true
}
```

Defined in the content-type:\
`plugin::strapi-security-suite.security_settings`

`autoLogoutTime` is a bare number; confirm the unit the content-type expects before assuming `30` means minutes. `passwordExpiryDays`, `nonReusablePassword` and `enablePasswordManagement` are already in the schema, but the features behind them are still in development (see Upcoming).

---

## 🧠 Architecture You’ll Brag About

- 🧬 In-memory tracking via `Map()`
- ⏱️ `startAutoLogoutWatcher()` with 5s intervals
- 🔄 Frontend fetch interceptor for 440s
- 🧹 JS logout payload injected server-side to destroy sessions, cookies, and self-respect
- ⚠️ Memory is per-process: a restart forgets every tracked session, and replicas behind a load balancer each keep their own `Map`, so a session idle or revoked on one node is still alive on the others unless requests are pinned to a single instance
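
To make the middleware stack and the in-memory architecture above concrete, here is an added illustration in plain Node.js. It is not the plugin’s own source (this README doesn’t show it): the session id derived from the bearer token, the `X-Session-Revoked` header, the `jwtToken` cookie, the `token` body field on `/renew-token`, and the synchronous middleware style are all assumptions made for the demo. It covers the `sessionActivityMap`, the idle sweep a watcher would run, the multi-session lock, and the three middlewares ghosting a revoked token with a 440.

```javascript
// sessionId -> last-seen timestamp (ms). Process memory only: lost on restart,
// not shared between replicas.
const sessionActivityMap = new Map();
// Session ids that must never be served again (logout, idle sweep).
const revokedSessions = new Set();
// Multi-session lock: userId -> the single session id allowed to be alive.
const activeSessionByUser = new Map();

// Assumption for this demo: the session is identified by the bearer token.
function getSessionId(ctx) {
  const auth = ctx.request.headers.authorization || '';
  return auth.startsWith('Bearer ') ? auth.slice('Bearer '.length) : null;
}

function trackActivity(sessionId, now = Date.now()) {
  sessionActivityMap.set(sessionId, now);
}

function revokeSession(sessionId) {
  sessionActivityMap.delete(sessionId);
  revokedSessions.add(sessionId);
}

// First login wins: a second live session for the same user is denied.
function registerLogin(userId, sessionId, now = Date.now()) {
  const current = activeSessionByUser.get(userId);
  if (current && current !== sessionId && sessionActivityMap.has(current)) {
    return false;
  }
  activeSessionByUser.set(userId, sessionId);
  trackActivity(sessionId, now);
  return true;
}

// The job a watcher such as startAutoLogoutWatcher() would run on an interval:
// evict idle sessions and mark them revoked so the middleware can send a 440.
function sweepIdleSessions(timeoutMs, now = Date.now()) {
  const expired = [];
  for (const [id, lastSeen] of sessionActivityMap) {
    if (now - lastSeen >= timeoutMs) {
      revokeSession(id); // deleting during Map iteration is safe in JS
      expired.push(id);
    }
  }
  return expired;
}

// Send the 440 the frontend interceptor listens for and kill the cookie.
// Header name and cookie name are assumptions, not the plugin's.
function ghost(ctx) {
  ctx.status = 440;
  ctx.set('X-Session-Revoked', '1');
  ctx.cookies.set('jwtToken', '', { expires: new Date(0), httpOnly: true });
  ctx.body = { error: 'Session revoked', isLoggedIn: false };
}

// The three middlewares. Written synchronously so the offline demo below
// needs no await; Koa accepts middleware that simply return next().
function rejectRevokedTokens(ctx, next) {
  const id = getSessionId(ctx);
  if (id && revokedSessions.has(id)) return ghost(ctx);
  return next();
}

// A revoked token must not be laundered into a fresh one via the renew
// endpoint. Assumption: the old token arrives as `token` in the request body.
function interceptRenewToken(ctx, next) {
  const body = ctx.request.body || {};
  if (ctx.path.endsWith('/renew-token') && revokedSessions.has(body.token)) {
    return ghost(ctx);
  }
  return next();
}

function trackActivityMw(ctx, next) {
  const id = getSessionId(ctx);
  if (id && sessionActivityMap.has(id)) trackActivity(id);
  return next();
}

// Minimal Koa-like ctx and composer so the stack can be exercised offline.
function fakeCtx(path, token, body) {
  const headers = {};
  return {
    path, status: 200, body: null, responseHeaders: headers,
    request: { headers: token ? { authorization: `Bearer ${token}` } : {}, body },
    set(name, value) { headers[name] = value; },
    cookies: { set(name, value) { headers[`Set-Cookie:${name}`] = value; } },
  };
}

function runStack(ctx) {
  const stack = [rejectRevokedTokens, interceptRenewToken, trackActivityMw];
  let i = 0;
  const next = () => (i < stack.length ? stack[i++](ctx, next) : undefined);
  next();
  return ctx;
}
```

Order matters: `rejectRevokedTokens` runs first so nothing downstream, including activity tracking, ever touches a dead session, and `interceptRenewToken` checks the token in the body rather than the `Authorization` header, because a renew request may carry no bearer token at all.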

---

## ⚙️ Admin Panel UI

- 🎛️ Control timeouts, session logic, and password rules
- 📜 Planned audit logs, charts, and drama
- 🌌 Future dashboard: all your infra sins visualized

---

## 🔐 Frontend Catch Logic

- Fetch wrapper intercepts `440`
- Purges local/session storage
- Sends you crying to `/session-expired`
- Optionally calls `/admin/logout` for drama
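
The client side of the 440 dance, as an added example rather than the plugin’s shipped frontend code. `/session-expired` and the optional `/admin/logout` call come from the list above; the in-memory `Storage` stand-in, the fake server, the `Authorization` header shape and the once-only tripwire are assumptions for the demo. The decision step is kept separate from the I/O so it can be checked without a browser.

```javascript
// Pure decision step: given a response status and the client state, decide
// whether we hit a 440, purge storage on the first hit, and say where to go.
function handleSessionStatus(status, state, expiredPath = '/session-expired') {
  if (status !== 440) return { expired: false, firstTrip: false, redirectTo: null };
  if (state.tripped) return { expired: true, firstTrip: false, redirectTo: null };
  state.tripped = true;              // several parallel 440s redirect only once
  state.localStorage.clear();
  state.sessionStorage.clear();
  return { expired: true, firstTrip: true, redirectTo: expiredPath };
}

// Fetch wrapper. fetchImpl is the ORIGINAL fetch: the logout call below must
// not go through the guard, or a 440 from /admin/logout would re-enter it.
function createGuardedFetch({ fetchImpl, localStorage, sessionStorage, navigate, callLogout = false }) {
  const state = { tripped: false, localStorage, sessionStorage };
  return async function guardedFetch(input, init) {
    const res = await fetchImpl(input, init);
    const verdict = handleSessionStatus(res.status, state);
    if (verdict.firstTrip) {
      if (callLogout) {
        try { await fetchImpl('/admin/logout', { method: 'POST', credentials: 'include' }); }
        catch (_) { /* best effort; the session is already dead server-side */ }
      }
      navigate(verdict.redirectTo);
    }
    return res;
  };
}

// Browser installation (not run here). Bind the native fetch to window first;
// calling it with another `this` throws "Illegal invocation" in some browsers.
// window.fetch = createGuardedFetch({
//   fetchImpl: window.fetch.bind(window),
//   localStorage, sessionStorage,
//   navigate: (path) => window.location.assign(path),
//   callLogout: true,
// });

// In-memory Storage stand-in so the example runs outside a browser.
function memoryStorage(initial = {}) {
  const m = new Map(Object.entries(initial));
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
    clear: () => { m.clear(); },
    get length() { return m.size; },
  };
}

// Constructed fake server: one revoked token answers 440, everything else 200.
function fakeFetch(url, init = {}) {
  const auth = (init.headers && init.headers.Authorization) || '';
  const status = auth === 'Bearer revoked' ? 440 : 200;
  return Promise.resolve({ status, url, ok: status < 400 });
}

// Exercise the wrapper end to end and return what happened.
async function demo() {
  const localStorage = memoryStorage({ jwtToken: 'revoked', theme: 'dark' });
  const sessionStorage = memoryStorage({ draft: 'hello' });
  const visited = [];
  const guarded = createGuardedFetch({
    fetchImpl: fakeFetch, localStorage, sessionStorage,
    navigate: (p) => visited.push(p), callLogout: true,
  });
  const live = await guarded('/admin/users', { headers: { Authorization: 'Bearer live' } });
  const dead = await Promise.all([
    guarded('/admin/users', { headers: { Authorization: 'Bearer revoked' } }),
    guarded('/admin/roles', { headers: { Authorization: 'Bearer revoked' } }),
  ]);
  return {
    liveStatus: live.status, deadStatuses: dead.map((r) => r.status),
    localLeft: localStorage.length, sessionLeft: sessionStorage.length, visited,
  };
}
```

Two things bite in practice: an admin page usually has several requests in flight when the session dies, so the redirect has to be idempotent, and the guard must never call itself for the logout request or one 440 turns into a loop.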

---

## 📦 Installation

```bash
yarn add strapi-security-suite
```
or
```bash
npm install strapi-security-suite
```

### 🔹 `config/plugins.js`
Add the following entry inside your `config/plugins.js` file:

```javascript
module.exports = ({ env }) => ({
  'strapi-security-suite': {
    enabled: true,
  },
});
```

---

## 🔮 Upcoming

| Feature                         | Status         |
| ------------------------------- | -------------- |
| Password Expiry                 | 🛠️ In Dev     |
| Non-Reusable Passwords          | 🛠️ In Dev     |
| Admin Activity Logs             | 🔜             |
| Security Dashboard              | 🔜             |
| Brute Force Detection           | 🔜             |
| Real-time Session Visualization | 🔜 (and spicy) |

---

## 💥 Real-World Impact

> “We installed this and now our interns can’t share logins anymore.”\
> — CTO, probably

> “Our admin panel feels like it judges us now. I love it.”\
> — That one developer who cares

---

## 🧑‍💻 Author

[LPIX-11](mailto:mohamed.johnson@orange-sonatel.com)

---

## 💡 Philosophy

Security should be:

- Fast
- Unforgiving
- Elegant
- **Mildly judgmental**

---

## ⚠️ Legal Drama

> This plugin is in **Beta**.\
> You break it, it breaks you back, but we’ll still love you.\
> Not liable for insecure vibes.

