fix: prevent old terminated sessions from blocking new magic-link logins

Two bugs caused new logins to be blocked after session termination:

1. Login interceptor only checked POST, but magic-link login is GET.
   Also missed OTP verify and MFA TOTP endpoints. Now intercepts all
   magic-link login methods (GET /login, POST /otp/verify,
   POST /verify-mfa-totp, POST /login-totp).

2. Fallback logic in JWT verify, last-seen middleware, and session-required
   policy blocked ALL JWTs when ANY old terminated session existed for the
   user. Now only the specific terminated token (matched by tokenHash) is
   blocked. Old terminated sessions no longer prevent re-login.

Author: Schero94

server/src/bootstrap.js

@@ -170,9 +170,16 @@ module.exports = async ({ strapi }) => {
 
       // Check if this was a successful login request
       const isAuthLocal = ctx.path === '/api/auth/local' && ctx.method === 'POST';
-      const isMagicLink = ctx.path.includes('/magic-link/login') && ctx.method === 'POST';
+      // Magic-link login is GET (/api/magic-link/login?loginToken=XXX)
+      // TOTP-as-primary is POST (/api/magic-link/login-totp)
+      const isMagicLinkLogin = ctx.path.includes('/magic-link/login') && (ctx.method === 'GET' || ctx.method === 'POST');
+      // MFA TOTP verification after magic link click
+      const isMagicLinkMFA = ctx.path.includes('/magic-link/verify-mfa-totp') && ctx.method === 'POST';
+      // OTP verification completes the login flow and returns a JWT
+      const isMagicLinkOTP = ctx.path.includes('/magic-link/otp/verify') && ctx.method === 'POST';
+      const isMagicLink = isMagicLinkLogin || isMagicLinkMFA || isMagicLinkOTP;
 
-      if ((isAuthLocal || isMagicLink) && ctx.status === 200 && ctx.body && ctx.body.user) {
+      if ((isAuthLocal || isMagicLink) && ctx.status === 200 && ctx.body && ctx.body.jwt && ctx.body.user) {
         try {
           const user = ctx.body.user;
 
@@ -766,23 +773,14 @@ async function registerSessionAwareAuthStrategy(strapi, log) {
           return decoded;
         }
 
-        // Check for manually terminated sessions
-        const terminatedSessions = await strapi.documents(SESSION_UID).findMany({
-          filters: { user: { documentId: userDocId }, terminatedManually: true },
-          limit: 1,
-        });
-        
-        if (terminatedSessions && terminatedSessions.length > 0) {
-          strapi.log.info(
-            `[magic-sessionmanager] [JWT-BLOCKED] User ${userDocId.substring(0, 8)}... has terminated sessions`
-          );
-          return null;
-        }
-        
-        // No sessions at all
+        // No active sessions exist for this user and no session matched this token.
+        // Old terminated sessions from PREVIOUS logins must NOT block new tokens.
+        // The token-specific terminated check (by tokenHash above) already handles
+        // blocking the exact token that was terminated. Blocking here based on
+        // unrelated old sessions would prevent re-login after session termination.
         if (strictMode) {
           strapi.log.info(
-            `[magic-sessionmanager] [JWT-BLOCKED] No sessions exist for user ${userDocId.substring(0, 8)}... (strictMode)`
+            `[magic-sessionmanager] [JWT-BLOCKED] No active sessions for user ${userDocId.substring(0, 8)}... (strictMode)`
           );
           return null;
         }

server/src/middlewares/last-seen.js

@@ -141,39 +141,43 @@ module.exports = ({ strapi, sessionService }) => {
             });
 
             if (inactiveSessions && inactiveSessions.length > 0) {
-              // Check if ANY session was manually terminated
-              const manuallyTerminated = inactiveSessions.find(s => s.terminatedManually === true);
+              // Find a session that can be reactivated (timed out, NOT manually terminated)
+              const reactivatable = inactiveSessions.find(s => s.terminatedManually !== true);
 
-              if (manuallyTerminated) {
-                // User was explicitly logged out -> BLOCK
-                strapi.log.info(`[magic-sessionmanager] [BLOCKED] User ${userDocId.substring(0, 8)}... was manually logged out`);
-                return ctx.unauthorized('Session has been terminated. Please login again.');
+              if (reactivatable) {
+                // SECURITY: Check maxSessionAge to prevent indefinite reactivation
+                const maxAgeDays = config.maxSessionAgeDays || 30;
+                const loginTime = reactivatable.loginTime 
+                  ? new Date(reactivatable.loginTime).getTime() 
+                  : (reactivatable.lastActive ? new Date(reactivatable.lastActive).getTime() : 0);
+                const maxAgeMs = maxAgeDays * 24 * 60 * 60 * 1000;
+                const isExpired = loginTime > 0 && (Date.now() - loginTime) > maxAgeMs;
+                
+                if (isExpired) {
+                  strapi.log.info(`[magic-sessionmanager] [BLOCKED] Session exceeded max age of ${maxAgeDays} days (user: ${userDocId.substring(0, 8)}...)`);
+                  return ctx.unauthorized('Session expired. Please login again.');
+                }
+                
+                await strapi.documents(SESSION_UID).update({
+                  documentId: reactivatable.documentId,
+                  data: {
+                    isActive: true,
+                    lastActive: new Date(),
+                  },
+                });
+                strapi.log.info(`[magic-sessionmanager] [REACTIVATED] Session reactivated for user ${userDocId.substring(0, 8)}...`);
+                // Continue - session is now active
+              } else {
+                // Only terminated sessions exist - do NOT block here.
+                // Old terminated sessions from previous logins must not prevent
+                // new logins (e.g., user got a new magic link after being terminated).
+                // The JWT verify wrapper already blocks the specific terminated token.
+                if (strictMode) {
+                  strapi.log.info(`[magic-sessionmanager] [BLOCKED] No active session for user ${userDocId.substring(0, 8)}... (strictMode)`);
+                  return ctx.unauthorized('No valid session. Please login again.');
+                }
+                strapi.log.warn(`[magic-sessionmanager] [WARN] No active session for user ${userDocId.substring(0, 8)}... (allowing)`);
               }
-              
-              // Session was deactivated by timeout -> REACTIVATE most recent one
-              // SECURITY: Check maxSessionAge to prevent indefinite reactivation
-              const sessionToReactivate = inactiveSessions[0];
-              const maxAgeDays = config.maxSessionAgeDays || 30;
-              const loginTime = sessionToReactivate.loginTime 
-                ? new Date(sessionToReactivate.loginTime).getTime() 
-                : (sessionToReactivate.lastActive ? new Date(sessionToReactivate.lastActive).getTime() : 0);
-              const maxAgeMs = maxAgeDays * 24 * 60 * 60 * 1000;
-              const isExpired = loginTime > 0 && (Date.now() - loginTime) > maxAgeMs;
-              
-              if (isExpired) {
-                strapi.log.info(`[magic-sessionmanager] [BLOCKED] Session exceeded max age of ${maxAgeDays} days (user: ${userDocId.substring(0, 8)}...)`);
-                return ctx.unauthorized('Session expired. Please login again.');
-              }
-              
-              await strapi.documents(SESSION_UID).update({
-                documentId: sessionToReactivate.documentId,
-                data: {
-                  isActive: true,
-                  lastActive: new Date(),
-                },
-              });
-              strapi.log.info(`[magic-sessionmanager] [REACTIVATED] Session reactivated for user ${userDocId.substring(0, 8)}...`);
-              // Continue - session is now active
             } else {
               // No sessions exist at all - session was never created
               if (strictMode) {

server/src/policies/session-required.js

@@ -69,28 +69,35 @@ module.exports = async (policyContext, _policyConfig, { strapi }) => {
     });
 
     if (inactiveSessions && inactiveSessions.length > 0) {
-      // Check if ANY session was manually terminated
-      const manuallyTerminated = inactiveSessions.find(s => s.terminatedManually === true);
+      // Find a session that can be reactivated (timed out, NOT manually terminated)
+      const reactivatable = inactiveSessions.find(s => s.terminatedManually !== true);
 
-      if (manuallyTerminated) {
-        // User was explicitly logged out → BLOCK
+      if (reactivatable) {
+        await strapi.documents(SESSION_UID).update({
+          documentId: reactivatable.documentId,
+          data: {
+            isActive: true,
+            lastActive: new Date(),
+          },
+        });
         strapi.log.info(
-          `[magic-sessionmanager] [POLICY-BLOCKED] User ${userDocId.substring(0, 8)}... was manually logged out`
+          `[magic-sessionmanager] [POLICY-REACTIVATED] Session reactivated for user ${userDocId.substring(0, 8)}...`
         );
-        throw new errors.UnauthorizedError('Session terminated. Please login again.');
+        return true;
       }
 
-      // Session was deactivated by timeout → REACTIVATE most recent one
-      const sessionToReactivate = inactiveSessions[0];
-      await strapi.documents(SESSION_UID).update({
-        documentId: sessionToReactivate.documentId,
-        data: {
-          isActive: true,
-          lastActive: new Date(),
-        },
-      });
-      strapi.log.info(
-        `[magic-sessionmanager] [POLICY-REACTIVATED] Session reactivated for user ${userDocId.substring(0, 8)}...`
+      // Only terminated sessions exist - do NOT block here.
+      // Old terminated sessions from previous logins must not prevent
+      // new logins. The JWT verify wrapper already blocks the specific terminated token.
+      if (strictMode) {
+        strapi.log.info(
+          `[magic-sessionmanager] [POLICY-BLOCKED] No active session for user ${userDocId.substring(0, 8)}... (strictMode)`
+        );
+        throw new errors.UnauthorizedError('No valid session. Please login again.');
+      }
+      
+      strapi.log.warn(
+        `[magic-sessionmanager] [POLICY-WARN] No active session for user ${userDocId.substring(0, 8)}... (allowing)`
       );
       return true;
     }