strapi-security-suite

All-in-one authentication and session security plugin for Strapi v5

# 🛡️ Strapi Security Suite (Beta)

## **The Last Plugin You'll Ever Need to Sleep at Night**

A high-performance, in-memory security enhancement plugin for **Strapi v5**. Session-obsessed. Built for the **chaotic genius admin** who refuses to get breached by a stale token.\
Powered by **rage, memory maps, and accountability.**

---

## ✨ Why This Exists

Because "just trusting sessions" is how *breaches happen*.\
Because the admin panel deserves better.\
Because your team deserves **a real security layer**, not a checkbox.

---

## ⚔️ Features That Slap

### 🔒 Auto Logout (with taste)

Kick idle admins like it's office closing time.

- 🔍 Tracks every request
- ⏲️ Custom inactivity timeout from DB
- 🧠 Memory-first with `sessionActivityMap`
- 💨 Triggers soft or *nuclear* logout depending on your vibe
- 💾 Graceful 440s, JS responses, and gentle redirects

### 🚷 Multi-Session Lock

One admin = one session. No shadow clones allowed.

- 💥 First login wins, others are denied
- 🧹 Cleans old sessions like a digital janitor

### 🧄 Session Exorcism Layer™

Revoked tokens get ghosted *instantly*.\
Even if Strapi tries to pretend they're still cute.

- 🔪 Middleware blocks
- 🪦 Session cookie wipeout
- 📩 Headers set for frontend rejections
- 🗑️ `isLoggedIn` purged with prejudice

### 🧠 Smart Middleware Stack

- `trackActivity`: Updates timestamps on every move
- `rejectRevokedTokens`: Blocks dead sessions like a haunted firewall
- `interceptRenewToken`: Stops Strapi's clingy `/renew-token` requests from reviving zombies

---

## 🧪 Configuration Schema

```json
{
  "autoLogoutTime": 30,
  "multipleSessionsControl": true,
  "passwordExpiryDays": 30,
  "nonReusablePassword": true,
  "enablePasswordManagement": true
}
```

Defined in the content-type:\
`plugin::strapi-security-suite.security_settings`

---

## 🧠 Architecture You'll Brag About

- 🧬 In-memory tracking via `Map()`
- ⏱️ `startAutoLogoutWatcher()` with 5s intervals
- 🔄 Frontend fetch interceptor for 440s
- 🧹 JS logout payload injected server-side to destroy sessions, cookies, and self-respect

---

## ⚙️ Admin Panel UI

- 🎛️ Control timeouts, session logic, and password rules
- 📜 Planned audit logs, charts, and drama
- 🌌 Future dashboard: all your infra sins visualized

---

## 🔐 Frontend Catch Logic

- Fetch wrapper intercepts `440`
- Purges local/session storage
- Sends you crying to `/session-expired`
- Optionally calls `/admin/logout` for drama

---

## 📦 Installation

```bash
yarn add strapi-security-suite
```

or

```bash
npm install strapi-security-suite
```

### 🔹 `config/plugins.js`

Add the following entry inside your `config/plugins.js` file:

```javascript
module.exports = ({ env }) => ({
  'strapi-security-suite': {
    enabled: true,
  },
});
```

---

## 🔮 Upcoming

| Feature                         | Status         |
| ------------------------------- | -------------- |
| Password Expiry                 | 🛠️ In Dev      |
| Non-Reusable Passwords          | 🛠️ In Dev      |
| Admin Activity Logs             | 🔜             |
| Security Dashboard              | 🔜             |
| Brute Force Detection           | 🔜             |
| Real-time Session Visualization | 🔜 (and spicy) |

---

## 💥 Real-World Impact

> "We installed this and now our interns can't share logins anymore."\
> CTO, probably

> "Our admin panel feels like it judges us now. I love it."\
> That one developer who cares

---

## 🧑‍💻 Author

[LPIX-11](mailto:mohamed.johnson@orange-sonatel.com)

---

## 💡 Philosophy

Security should be:

- Fast
- Unforgiving
- Elegant
- **Mildly judgmental**

---

## ⚠️ Legal Drama

> This plugin is in **Beta**.\
> You break it, it breaks you back, but we'll still love you.\
> Not liable for insecure vibes.
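The "Smart Middleware Stack" and "Architecture" sections above describe an in-memory activity map, a watcher that revokes idle sessions, a one-session-per-admin lock and a `/renew-token` interceptor. The block below is an added illustration of those ideas as Koa-style `(ctx, next)` middleware; it is not the plugin's own code. `SessionStore`, `handleRequest`, the `X-Session-Revoked` header and the `/admin/renew-token` path are assumptions made for this example, and the sample requests are constructed so it runs under plain Node without Strapi.

```javascript
// Added example, not the plugin's own code: activity tracking, idle sweep,
// multi-session lock, revocation and renew-token interception as Koa-style
// middleware. Every name here is hypothetical; the renew path is assumed.

const HTTP_LOGIN_TIMEOUT = 440;            // status the README's frontend wrapper catches
const RENEW_PATH = '/admin/renew-token';   // assumed path of Strapi's renew endpoint

class SessionStore {
  // idleTimeoutMs plays the role of the schema's "autoLogoutTime" (milliseconds here)
  constructor({ idleTimeoutMs, multipleSessionsControl = true }) {
    this.idleTimeoutMs = idleTimeoutMs;
    this.multipleSessionsControl = multipleSessionsControl;
    this.activity = new Map();     // token  -> { userId, lastSeen }
    this.activeByUser = new Map(); // userId -> token currently holding the session
    this.revoked = new Set();      // tokens refused even if still validly signed
  }

  // Login: with multi-session control on, the first live session wins.
  register(token, userId, now) {
    const held = this.activeByUser.get(userId);
    if (this.multipleSessionsControl && held && held !== token && this.isLive(held)) {
      return { ok: false, reason: 'session-already-active' };
    }
    this.activity.set(token, { userId, lastSeen: now });
    this.activeByUser.set(userId, token);
    return { ok: true };
  }

  revoke(token) {
    const entry = this.activity.get(token);
    this.activity.delete(token);
    this.revoked.add(token);
    if (entry && this.activeByUser.get(entry.userId) === token) this.activeByUser.delete(entry.userId);
  }

  isLive(token) { return this.activity.has(token) && !this.revoked.has(token); }

  // Periodic sweep (the README's watcher ticks every 5 s): idle sessions get revoked.
  sweep(now) {
    const expired = [...this.activity].filter(([, e]) => now - e.lastSeen > this.idleTimeoutMs).map(([t]) => t);
    expired.forEach((t) => this.revoke(t));
    return expired;
  }
}

const bearer = (ctx) => {
  const h = ctx.request.headers.authorization || '';
  return h.startsWith('Bearer ') ? h.slice(7) : null;
};

const deny = (ctx) => {
  ctx.status = HTTP_LOGIN_TIMEOUT;
  ctx.set('X-Session-Revoked', '1'); // frontend hint; header name is made up for this example
  ctx.body = { error: 'session revoked or expired' };
};

// trackActivity: refresh the timestamp on every request that carries a live token.
const trackActivity = (store) => (ctx, next) => {
  const t = bearer(ctx);
  if (t && store.isLive(t)) store.activity.get(t).lastSeen = ctx.state.now;
  return next();
};

// rejectRevokedTokens: a token the store does not know as live is dead, valid signature or not.
const rejectRevokedTokens = (store) => (ctx, next) => {
  const t = bearer(ctx);
  return t && !store.isLive(t) ? deny(ctx) : next();
};

// interceptRenewToken: the renew endpoint must never mint a fresh token for a dead session.
const interceptRenewToken = (store) => (ctx, next) => {
  const t = bearer(ctx);
  return ctx.path === RENEW_PATH && !(t && store.isLive(t)) ? deny(ctx) : next();
};

// Push one constructed request through the stack and return the finished ctx.
function handleRequest(store, { token, path = '/admin/users', now }) {
  const ctx = {
    request: { headers: token ? { authorization: `Bearer ${token}` } : {} },
    path, state: { now }, status: 200, body: null, headers: {},
    set(k, v) { this.headers[k] = v; },
  };
  const stack = [trackActivity(store), rejectRevokedTokens(store), interceptRenewToken(store)];
  let i = 0;
  const next = () => (i < stack.length ? stack[i++](ctx, next) : (ctx.body = { ok: true }));
  next();
  return ctx;
}

function demo() {
  const store = new SessionStore({ idleTimeoutMs: 30 * 60 * 1000 });
  const logins = [store.register('tok-A', 'alice', 0).ok, store.register('tok-B', 'alice', 0).ok]; // [true, false]
  const live = handleRequest(store, { token: 'tok-A', now: 60000 }).status;    // 200
  store.sweep(60000 + 31 * 60 * 1000);                                          // tok-A idle > 30 min
  const dead = handleRequest(store, { token: 'tok-A', now: 2000000 }).status;   // 440
  return { logins, live, dead };
}
console.log(demo());
```

The check that matters for defenders is in `rejectRevokedTokens`: a JWT that is still cryptographically valid is refused as soon as the in-memory store no longer lists it, which is what makes a revoke or idle sweep take effect immediately instead of at token expiry. The trade-off is that the store lives in one process, so a multi-instance deployment needs a shared store for the same guarantee.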
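The "Frontend Catch Logic" section lists what the client does on a `440`: purge local and session storage, redirect to `/session-expired`, optionally call `/admin/logout`. The block below is an added example of such a fetch wrapper, not the plugin's own frontend code. The browser objects are injected as dependencies (so it also runs under Node with the constructed stand-ins at the bottom), and `createSessionAwareFetch`, `onSessionResponse` and `callLogout` are names invented for this example.

```javascript
// Added example, not the plugin's own code: a fetch wrapper implementing the
// README's 440 handling. Browser globals are injected so it runs under Node.
// All names are hypothetical; 440 and /session-expired come from the README.

const SESSION_TIMEOUT_STATUS = 440;
const EXPIRED_PATH = '/session-expired';

// Synchronous decision step, kept apart from the async wrapper so it can be
// exercised with a bare status code. `state.purged` makes the purge run once
// even when many in-flight requests all come back 440 at the same moment.
function onSessionResponse(status, deps, state) {
  if (status !== SESSION_TIMEOUT_STATUS) return { expired: false };
  if (!state.purged) {
    state.purged = true;
    deps.localStorage.clear();
    deps.sessionStorage.clear();
    if (deps.callLogout) Promise.resolve(deps.callLogout()).catch(() => {}); // optional /admin/logout, best effort
    deps.location.assign(EXPIRED_PATH);
  }
  return { expired: true, redirectedTo: EXPIRED_PATH };
}

// Drop-in replacement for window.fetch: same arguments, same Response back,
// but a 440 triggers purge-and-redirect before the caller sees the response.
function createSessionAwareFetch(deps) {
  const state = { purged: false };
  return async function sessionAwareFetch(input, init) {
    const response = await deps.fetch(input, init);
    onSessionResponse(response.status, deps, state);
    return response;
  };
}

// Constructed stand-ins for the browser objects, so the demo runs offline.
function fakeBrowser() {
  const storage = () => ({ cleared: 0, clear() { this.cleared += 1; } });
  return {
    localStorage: storage(),
    sessionStorage: storage(),
    location: { href: '/admin', assign(url) { this.href = url; } },
    fetch: async (url) => ({ status: url.endsWith('/me') ? 440 : 200, url }), // constructed responses
  };
}

async function demo() {
  const browser = fakeBrowser();
  const apiFetch = createSessionAwareFetch(browser);
  await apiFetch('/admin/users');                                                 // 200: nothing happens
  await Promise.all([apiFetch('/admin/users/me'), apiFetch('/admin/users/me')]); // two 440s, one purge
  return { href: browser.location.href, purges: browser.localStorage.cleared };  // '/session-expired', 1
}
demo().then(console.log);
```

In a browser you would wire it up once at startup with the real objects, e.g. `createSessionAwareFetch({ fetch: window.fetch.bind(window), localStorage, sessionStorage, location })`, and route all admin API calls through the returned function. The once-only guard is the part worth copying: without it, a page with several concurrent requests fires several redirects and logout calls for a single expired session.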