# 🛡️ Strapi Security Suite

### The admin security plugin that takes your sessions _personally_ — and now scales horizontally.

> **One plugin. Auto-logout. Single-session enforcement. Token revocation. Heartbeat. Multi-pod-safe.**
> Built for **Strapi v5**. Backed by your existing database. Zero new infrastructure.

---

## 🤔 What Is This?

Imagine a bouncer at a nightclub. But the nightclub is your **Strapi admin panel**, the bouncer has a _perfect memory_, never sleeps, and will physically escort your idle admins out the door after 30 minutes of doing nothing.

**That's this plugin.** And in v0.4, the bouncer works across every door of every venue in the franchise — not just the one he's standing at.

```
  🔐 Admin logs in (Pod A)
   |
   |  👀 Activity tracked → DB (visible to all pods)
   |  🫀 Client heartbeat fires every 30s on mouse/keyboard
   |
   |  😴 Admin walks away from desk...
   |
   |  ⏰ 30 minutes pass...
   |
   |  👑 Watcher leader (could be Pod C) marks session revoked → DB
   |
   🚪 Next request to ANY pod → BOOM. Logged out. Cookies cleared. Token dead.
         No coin-flip. No "depends which pod you hit." Just security.
```

---

## ✨ Features at a Glance

| Feature                    | What It Does                                               | Vibe                 |
| -------------------------- | ---------------------------------------------------------- | -------------------- |
| ⏰ **Auto-Logout**         | Kicks idle admins after configurable minutes               | "Use it or lose it"  |
| 🫀 **Activity Heartbeat**  | Form-filling counts as activity (no spurious idle-logouts) | "We see you typing"  |
| 🚫 **Single-Session Lock** | One admin = one session. Across every pod.                 | "No shadow clones"   |
| 💀 **Session Revocation**  | Per-`sessionId`. Cluster-wide. Instant.                    | "Ghosts get ghosted" |
| 🌐 **Multi-Pod Safe**      | DB-backed state, leader-elected watcher                    | "OpenShift-ready"    |
| 🔑 **Password Policy**     | Expiry + non-reusable passwords (configurable)             | "Rotate or regret"   |
| ⚙️ **Admin UI**            | Settings panel right inside Strapi                         | "Click, don't code"  |
| 🛡️ **Input Validation**    | Server-side validation on every settings save              | "Trust nobody"       |

---

## 🚀 Quick Start

### Step 1: Install it

```bash
yarn add strapi-security-suite
```

### Step 2: Enable it

Add this to your `config/plugins.js` (or `.ts`):

```javascript
module.exports = ({ env }) => ({
  'strapi-security-suite': {
    enabled: true,
  },
});
```

### Step 3: Restart Strapi

```bash
yarn develop
```

Three new tables — `sss_admin_sessions`, `sss_login_locks`, `sss_watcher_leases` — are auto-created by Strapi on first boot. No manual migration. No new dependencies. No config required.

### Step 4: Find it

Go to **Settings** → **Global** → **Security Suite**

That's it. You're done. Go get a coffee. ☕

---

## 🌐 Why Multi-Pod-Safe Matters

In v0.3 the plugin kept its session state — last-active timestamps, revoked emails, login locks — in **per-pod in-memory `Map`s and `Set`s**. On a single-pod deployment, fine. On a horizontally-scaled OpenShift / Kubernetes deployment with multiple replicas behind a load balancer, those data structures **lived independently per pod** and that broke every guarantee the plugin made:

- An admin's requests round-robined across N pods → each pod saw only ~1/N of their activity → some pod's watcher decided they'd been idle 30 min and revoked them while they were actively typing.
- Pod A revoked a session. The next request landed on Pod B → no entry → no force-reload signal → revocation became a 1/N-probability event.
- A logged-out admin's bearer kept working on every pod that hadn't seen the logout, until the JWT expired.
- Two concurrent logins for the same email hit different pods → both pods saw empty maps → both succeeded. Single-session enforcement only worked on a single pod, which is exactly when you don't need it.

**v0.4 moves all of that state into the database.** Revocation issued on any pod is visible to every other pod on the next request. The watcher is leader-elected so only one pod cluster-wide actually runs the 5-second tick. Login locks are atomic across pods via `SELECT … FOR UPDATE`. No Redis. No new infra. Your existing Postgres / MySQL / SQLite handles it.

---

## 🖼️ The Admin Panel

Once installed, you get a beautiful settings page with two panels:

```
┌───────────────────────────────────────────────────────┐
│            🛡️ Security & Session Settings              │
├───────────────────────────┬───────────────────────────┤
│                           │                           │
│  🕐 SESSION MANAGEMENT    │  🔑 PASSWORD MANAGEMENT    │
│                           │                           │
│  Auto Logout Time: [30]   │  Password Control: [ON]   │
│  (minutes)                │                           │
│                           │  Expiry Days: [30]        │
│  Multi-Session            │                           │
│  Control: [ON]            │  Non-Reusable: [ON]       │
│                           │                           │
├───────────────────────────┴───────────────────────────┤
│                               [ 💾 Save Settings ]    │
└───────────────────────────────────────────────────────┘
```

Settings are stored in a single-type DB record. Change a value, hit save, it takes effect immediately. No restarts. No config files.

---

## 🧠 How It Actually Works

### 🔗 The Middleware Pipeline

When any request hits your Strapi server, it passes through **5 security checkpoints** (middlewares), in this exact order:

```
  🌐 Incoming Request
       │
       ▼
  1. 🐣 seedUserInfos
  │    "Decode the JWT. Pull userId AND sessionId. Hydrate ctx.state."
  │
  ▼
  2. 🔍 interceptRenewToken
  │    "Logging out? Mark this sessionId revoked in the DB. Cluster-wide."
  │
  ▼
  3. 👣 trackActivity
  │    "If this sessionId is revoked → 403 + clear cookies. Else stamp lastActiveAt
  │     to the DB (write-coalesced to once per 30s)."
  │
  ▼
  4. ☠️ rejectRevokedTokens
  │    "Belt-and-suspenders revocation check. Sets app.admin.tk header so the
  │     frontend force-reloads. Calls sessionManager.invalidateRefreshToken."
  │
  ▼
  5. 🚫 preventMultipleSessions  (on login only)
       "Acquire cross-pod login lock. Refuse with 409 if another active session
        for this email exists anywhere in the cluster."
```

### ⏱️ The Auto-Logout Watcher (Leader-Elected)

Every pod runs a `setInterval` every 5 seconds. Inside the tick:

```
  🔄 Every 5 seconds, every pod:
     │
     ├─→ acquireWatcherLease()  (atomic UPDATE on sss_watcher_leases)
     │     │
     │     ├─→ Got it? I'm the leader. Continue.
     │     └─→ Someone else has it? Skip the rest. (1 cheap DB query, done.)
     │
     │  (Only the leader runs the body below)
     │
     ├─→ pruneExpiredLocks()   (clean up sss_login_locks where lockedUntil < now)
     │
     ├─→ listIdleSessions({ idleThresholdMs })
     │     SELECT FROM sss_admin_sessions
     │     WHERE revoked_at IS NULL AND last_active_at < (now - threshold)
     │
     └─→ For each idle session:
          • UPDATE sss_admin_sessions SET revoked_at = NOW() WHERE id = ?
          • sessionManager('admin').invalidateRefreshToken(userId)
          • Log it
```

If the leader pod dies, its lease (15s TTL) expires and another pod claims it on the next tick. Worst-case revocation lag during failover: 15 seconds.

### 🫀 The Activity Heartbeat

A new admin-side hook listens for `mousemove`, `keydown`, `scroll`, `click`, `touchstart` (passive). On any event, **throttled to once per 30 seconds**, it fires `POST /strapi-security-suite/heartbeat`. The middleware chain treats it like any other authenticated request, so `trackActivity` updates `lastActiveAt`.

This means a user filling a long form for 25 minutes — generating zero other HTTP traffic — is **not** auto-logged-out. Form-filling is correctly recognized as activity.

### 🖥️ The Frontend Interceptor

`window.fetch` is patched to watch for the `app.admin.tk` response header:

```
  🌐 Admin makes any API call
       │
       ▼
  👀 Check response headers for 'app.admin.tk'
       │
       YES → 🚨 FORCED LOGOUT 🚨  window.location.reload()
       │
       NO  → ✅ Normal response. Continue working.
```

---

## 🗃️ DB Schema (auto-created on boot)

| Table                | Purpose                       | Key columns                                                    |
| -------------------- | ----------------------------- | -------------------------------------------------------------- |
| `sss_admin_sessions` | One row per admin session     | `session_id` (unique), `email`, `last_active_at`, `revoked_at` |
| `sss_login_locks`    | Cross-pod login lock          | `email` (unique), `locked_until`                               |
| `sss_watcher_leases` | Watcher leader-election lease | `name` (unique), `holder`, `expires_at`                        |

Hidden from the content-manager and content-type-builder via `pluginOptions`. Strapi creates them on first boot the same way the existing `security-settings` singleType is created — no manual migration step.

---

## 📂 Project Structure

```
strapi-security-suite/
📁 admin/src/                    ← Admin panel (React)
│   📄 index.js                    Plugin entry + fetch interceptor + heartbeat install
│   📄 heartbeat.js                Throttled activity-heartbeat client hook
│   📄 constants.js                API paths, header names, heartbeat throttle
│   📄 pluginId.js                 Plugin ID constant
│   📁 components/Initializer.jsx  Plugin lifecycle init
│   📁 pages/
│   │   📄 App.jsx                 Router
│   │   📄 HomePage.jsx            Settings UI
│   📁 translations/en.json        i18n strings
│
📁 server/src/                   ← Server-side (Node.js)
│   📄 index.js                    Plugin entry point
│   📄 register.js                 Middleware registration phase
│   📄 bootstrap.js                Permissions + settings seeding + watcher start
│   📄 destroy.js                  Releases watcher lease, stops interval
│   📄 constants.js                ⭐ ALL magic values live here
│   │
│   📁 controllers/
│   │   📄 adminSecurityController.js   GET/POST settings + POST heartbeat
│   │
│   📁 services/
│   │   📄 state.js                The DB-backed state core (replaces the in-memory globals)
│   │   📄 autoLogoutChecker.js    Leader-elected background watcher
│   │
│   📁 middlewares/
│   │   📄 seedUserInfos.js        Decode JWT, extract userId + sessionId
│   │   📄 interceptRenewToken.js  Revoke session on logout (DB-backed)
│   │   📄 trackActivity.js        Persist lastActiveAt (write-coalesced)
│   │   📄 rejectRevokedTokens.js  Force-reload signal + cookie clear
│   │   📄 preventMultipleSessions.js  Cross-pod login lock + active-session check
│   │
│   📁 policies/has-admin-permission.js
│   │
│   📁 utils/
│   │   📄 errors.js               PluginError, ValidationError, AuthorizationError
│   │   📄 clearSessionCookies.js  Clears koa.sess, koa.sess.sig, refresh + JWT cookies
│   │
│   📁 content-types/
│   │   📁 security-settings/      Plugin config (singleType)
│   │   📁 admin-session/          Per-session activity + revocation
│   │   📁 login-lock/             Cross-pod login lock
│   │   📁 watcher-lease/          Watcher leader-election lease
│   │
│   📁 routes/index.js             Admin-typed routes with policies
│
📁 tests/                        ← Vitest test suite (66 tests)
│   📁 helpers/
│   │   📄 strapi-fake.js          sqlite :memory: + Knex harness
│   │   📄 mock-strapi.js          Mock-based ctx + state helpers
│   📁 server/
│   │   📄 state.test.js                  15 tests — touch, revocation, listIdle, hasActiveSession
│   │   📄 state.concurrency.test.js      9 tests — multi-pod login lock + watcher lease
│   │   📄 seedUserInfos.test.js          6 tests — JWT decode, ctx hydration
│   │   📄 trackActivity.test.js          4 tests — touch, revocation rejection
│   │   📄 rejectRevokedTokens.test.js    4 tests — header signal, sessionManager
│   │   📄 preventMultipleSessions.test.js  8 tests — login lock flow
│   │   📄 interceptRenewToken.test.js    3 tests — logout revocation
│   │   📄 autoLogoutChecker.test.js      8 tests — leader election + idle revocation
│   │   📄 adminSecurityController.test.js  9 tests — heartbeat + settings validation
```

---

## 🔧 Configuration Schema

All settings live in a **single-type** content-type in the database:

```json
{
  "autoLogoutTime": 30,
  "multipleSessionsControl": true,
  "passwordExpiryDays": 30,
  "nonReusablePassword": true,
  "enablePasswordManagement": true
}
```

| Field                      | Type      | Default | What It Does                             |
| -------------------------- | --------- | ------- | ---------------------------------------- |
| `autoLogoutTime`           | `integer` | `30`    | Minutes of inactivity before auto-logout |
| `multipleSessionsControl`  | `boolean` | `true`  | Block concurrent sessions for same admin |
| `passwordExpiryDays`       | `integer` | `30`    | Days before password must be changed     |
| `nonReusablePassword`      | `boolean` | `true`  | Prevent reuse of previous passwords      |
| `enablePasswordManagement` | `boolean` | `true`  | Master switch for password features      |

---

## 🧪 API Endpoints

All routes are **admin-typed** (Strapi handles auth automatically):

| Method | Path                                    | Auth     | Permission       | Description                       |
| ------ | --------------------------------------- | -------- | ---------------- | --------------------------------- |
| `POST` | `/strapi-security-suite/heartbeat`      | 🔒 Admin | —                | Activity keep-alive (returns 204) |
| `GET`  | `/strapi-security-suite/admin/settings` | 🔒 Admin | `view-configs`   | Read security settings            |
| `POST` | `/strapi-security-suite/admin/settings` | 🔒 Admin | `manage-configs` | Update security settings          |

### 🔐 Permissions

| Permission                                     | What It Allows           |
| ---------------------------------------------- | ------------------------ |
| `plugin::strapi-security-suite.access`         | Access the settings page |
| `plugin::strapi-security-suite.view-configs`   | Read security settings   |
| `plugin::strapi-security-suite.manage-configs` | Modify security settings |

---

## 💡 Recommended Host-App Configuration

The plugin works out of the box with Strapi defaults, but for **tighter revocation latency** consider lowering the access-token TTL in your host app's `config/admin.js`:

```javascript
module.exports = ({ env }) => ({
  auth: {
    secret: env('ADMIN_JWT_SECRET'),
    options: {
      expiresIn: '2m', // ← short access tokens, refreshed transparently by the admin frontend
    },
  },
});
```

With a 2-minute access-token TTL, a revoked admin loses access within ~2 minutes even if no other request is made (next refresh attempt fails because the refresh token is also invalidated). With the default 30-minute TTL, revocation is enforced on the next request the admin makes (via the `app.admin.tk` force-reload signal) — instant for active admins, up to 30 min for an idle one whose tab is open.

---

## 🛠️ Development

```bash
yarn install          # Install dependencies
yarn build            # Build the plugin
yarn watch            # Auto-rebuild on changes
yarn lint             # ESLint
yarn lint:fix         # ESLint --fix
yarn format           # Prettier
yarn format:check     # Check formatting
yarn verify           # Verify plugin exports
yarn test             # Run the full test suite (66 tests)
yarn test:watch       # Vitest in watch mode
yarn test:coverage    # Coverage report
```

The state-service tests run against a real sqlite `:memory:` DB via Knex — they exercise the actual SQL the plugin issues, including the `SELECT … FOR UPDATE` paths and `ON CONFLICT` behaviors. Two simulated pods cover the cross-pod concurrency cases.

---

## 🔮 Roadmap

| Feature                       | Status            |
| ----------------------------- | ----------------- |
| ⏰ Auto-Logout                | ✅ Shipped (v0.1) |
| 🚫 Single-Session Enforcement | ✅ Shipped (v0.1) |
| 💀 Session Revocation         | ✅ Shipped (v0.1) |
| ⚙️ Admin Settings UI          | ✅ Shipped (v0.1) |
| 🌐 **Multi-Pod-Safe State**   | ✅ Shipped (v0.4) |
| 🫀 **Activity Heartbeat**     | ✅ Shipped (v0.4) |
| 🧪 **Test Suite (66 tests)**  | ✅ Shipped (v0.4) |
| 🔑 Password Expiry            | 🚧 In Development |
| 🔄 Non-Reusable Passwords     | 🚧 In Development |
| 📝 Admin Activity Logs        | 🔜 Planned        |
| 📊 Security Dashboard         | 🔜 Planned        |
| 👊 Brute Force Detection      | 🔜 Planned        |

---

## 🗣️ Real Talk

> "We installed this and now our interns can't share logins anymore."
> — A CTO, probably

> "Our admin panel feels like it _judges_ us now. I love it."
> — That one developer who actually cares

> "I left my desk for coffee and came back logged out. Respect."
> — Someone who now understands security

> "We scaled to 8 pods on OpenShift and the plugin… just kept working. Sessions, revocations, locks — all consistent."
> — A platform engineer in v0.4

---

## 👥 Author

**[LPIX-11](mailto:mohamed.johnson@orange-sonatel.com)** — Orange / Sonatel

---

## ⚖️ License

**MIT** — Do whatever you want. Just don't blame us if you turn off all the features and get breached. That's on you.

---

## 💡 Philosophy

Security should be:

- **Correct under load** — Multi-pod deployments shouldn't degrade the security model into a coin flip.
- **Cheap to operate** — DB-backed state with write-coalescing. No Redis. No new infra.
- **Unforgiving** — Idle? Gone. Revoked? Dead. Duplicated? Blocked.
- **Mildly judgmental** — This plugin _will_ side-eye your stale sessions.

> _"The meta-principle: make the right thing the default thing. Discipline compounds. Shortcuts compound too, just in the wrong direction."_