Magic-Sessionmanager — Security Features
Refresh token blocking
The problem Magic-Sessionmanager solves:
Admin clicks "Force logout" on user
→ User's access JWT is revoked
→ BUT user's refresh token is still valid
→ User's app silently gets a new JWT
→ User is back in the system 😱
Magic-Sessionmanager maintains a blocked-tokens table. When you force-logout:
- The session record is marked terminated.
- The refresh token is added to the blocklist.
- All refresh attempts for that token return 401 Unauthorized.
- User must re-authenticate from scratch.
A blocklist entry only has to be retained until the blocked refresh token would have expired on its own; after that the token is rejected anyway.
Available on all tiers (Free included).
JWT encryption at rest
Session records contain JWT/refresh tokens. By default Magic-Sessionmanager encrypts these with AES-256-GCM before storage:
# Generate a 32-byte (256-bit) key, base64-encoded
node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"
# Add to .env
SESSION_ENCRYPTION_KEY=your-key
Even a full database dump does not leak usable tokens, provided the key is not stored next to the data: keep SESSION_ENCRYPTION_KEY in the environment or a secrets manager, never in the database or in version control.
IP geolocation (Premium)
Every session is enriched with:
- Country (ISO 3166-1 alpha-2) with flag emoji
- City
- ISP and ASN
- Coordinates (lat / lng) for mapping
Data comes from a built-in offline GeoIP database (MaxMind GeoLite2 compatible).
VPN, proxy, TOR detection (Advanced)
On the Advanced tier, IPs are additionally classified:
| Flag | Meaning |
|---|---|
| isVpn | Connection from a known VPN endpoint |
| isProxy | Behind an HTTP/SOCKS proxy |
| isTor | TOR network exit node |
| isDatacenter | Cloud / datacenter IP (AWS, GCP, etc.) |
| isHosting | Hosting provider IP |
Each flag contributes to the threat score (0–100).
Threat scoring (Advanced)
Every session gets a score between 0 (benign) and 100 (dangerous). Factors:
- VPN / Proxy / TOR flags (+15-30 each)
- Known-bad IP reputation (+20-50)
- New country for this user (+10)
- Rapid country change (geo-impossible travel, +40)
- User-agent anomaly (+5-10)
Thresholds are configurable in the admin UI.
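To show how the factors above combine into a 0–100 score, here is an added example of a scoring function in Node.js. It is not the plugin's scoring code: the point values are assumptions picked from inside the ranges listed above, the "geo-impossible travel" test is a haversine distance over elapsed time against an assumed 1000 km/h ceiling, and the `history` and `session` shapes are assumptions.

```javascript
// Added example (not the plugin's scoring code): threat score from the listed factors.
// Point values are assumptions chosen from inside the page's ranges.
const WEIGHTS = {
  isVpn: 15, isProxy: 20, isTor: 30,    // "+15-30 each"
  reputationMin: 20, reputationMax: 50, // "+20-50", scaled by reputation confidence
  newCountry: 10,
  impossibleTravel: 40,
  uaAnomaly: 10,                        // "+5-10"
};
const MAX_PLAUSIBLE_KMH = 1000; // roughly airliner speed; faster than this is "geo-impossible"

// Great-circle distance in km between two {lat, lng} points (haversine).
function distanceKm(a, b) {
  const toRad = d => (d * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLng = toRad(b.lng - a.lng);
  const h = Math.sin(dLat / 2) ** 2
    + Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLng / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(h));
}

// history (assumed shape): what earlier sessions tell us about the user
//   { countries: Set<string>, uaFamilies: Set<string>, last: { lat, lng, at } | null }
// session (assumed shape): the enriched login being scored
//   { country, lat, lng, at, uaFamily, isVpn, isProxy, isTor, reputation }
//   `at` is epoch milliseconds; `reputation` is a 0..1 confidence that the IP is bad.
function scoreSession(session, history) {
  const factors = [];
  const add = (name, points) => factors.push({ name, points });

  if (session.isVpn) add('vpn', WEIGHTS.isVpn);
  if (session.isProxy) add('proxy', WEIGHTS.isProxy);
  if (session.isTor) add('tor', WEIGHTS.isTor);

  if (session.reputation > 0) {
    const span = WEIGHTS.reputationMax - WEIGHTS.reputationMin;
    add('bad-reputation', Math.round(WEIGHTS.reputationMin + span * session.reputation));
  }

  if (!history.countries.has(session.country)) add('new-country', WEIGHTS.newCountry);

  if (history.last) {
    const km = distanceKm(history.last, session);
    // Floor the elapsed time at one minute so two near-simultaneous logins from the
    // same place do not divide by zero or trip the check on a few metres of jitter.
    const hours = Math.max((session.at - history.last.at) / 3.6e6, 1 / 60);
    if (km / hours > MAX_PLAUSIBLE_KMH) add('impossible-travel', WEIGHTS.impossibleTravel);
  }

  if (!history.uaFamilies.has(session.uaFamily)) add('ua-anomaly', WEIGHTS.uaAnomaly);

  const raw = factors.reduce((sum, f) => sum + f.points, 0);
  return { score: Math.min(100, raw), factors };
}
```

Returning the contributing factors alongside the number is what makes the score actionable: an alert that says "65: vpn, new-country, impossible-travel" can be triaged, a bare 65 cannot.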
Geo-fencing (Advanced)
Country allow/block lists, optional per role:
Default policy: allow all
OR
Allow list: ['DE', 'AT', 'CH', 'US', 'GB'] // Only these countries
OR
Block list: ['CN', 'RU', 'KP'] // Block these, allow others
Rejected logins are logged with reason. Configure alerts to notify admins.
Auto-blocking rules (Advanced)
Automated reactions to suspicious events:
| Trigger | Action |
|---|---|
| VPN detected | Block / alert / allow |
| Threat score > N | Block / alert / allow |
| Country not in allowlist | Block / alert |
| 5 failed logins in 10 min | Block IP for 1 hour |
Rules are evaluated on every login attempt. Blocked attempts never create a session.
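The geo-fence policies and the auto-blocking table above describe one decision that runs on every login attempt. Here is an added example of that evaluation in Node.js, covering the country allow/block list, the threat-score and VPN rules, and the "5 failures in 10 minutes blocks the IP for 1 hour" rule. It is not the plugin's rule engine: the policy object shape, the per-IP sliding window, and the "most severe action wins" ordering are assumptions.

```javascript
// Added example (not the plugin's rule engine): geo-fence + auto-blocking rules on a login.
const SEVERITY = { allow: 0, alert: 1, block: 2 };

// geo (assumed shape): { mode: 'all' } | { mode: 'allow', countries } | { mode: 'block', countries }
function geoPermits(geo, country) {
  if (!geo || geo.mode === 'all') return true;
  const listed = geo.countries.includes(country);
  return geo.mode === 'allow' ? listed : !listed;
}

// Sliding-window failed-login tracker per IP: maxFailures within windowMs => block for blockMs.
class FailedLoginTracker {
  constructor({ maxFailures, windowMs, blockMs }) {
    Object.assign(this, { maxFailures, windowMs, blockMs });
    this.failures = new Map();     // ip -> [timestamps of recent failures]
    this.blockedUntil = new Map(); // ip -> epoch ms when the block lifts
  }
  isBlocked(ip, now) { return (this.blockedUntil.get(ip) || 0) > now; }
  recordFailure(ip, now) {
    const recent = (this.failures.get(ip) || []).filter(t => now - t < this.windowMs);
    recent.push(now);
    this.failures.set(ip, recent);
    if (recent.length >= this.maxFailures) {
      this.blockedUntil.set(ip, now + this.blockMs);
      this.failures.delete(ip);
    }
  }
}

// attempt (assumed shape): { ip, country, isVpn, threatScore }
// Returns { action, reasons, sessionCreated }; a 'block' never creates a session.
function evaluateLogin(policy, tracker, attempt, now) {
  const reasons = [];
  let action = 'allow';
  const escalate = (to, reason) => {
    reasons.push(`${to}: ${reason}`);
    if (SEVERITY[to] > SEVERITY[action]) action = to;
  };

  if (tracker.isBlocked(attempt.ip, now)) {
    escalate('block', `ip ${attempt.ip} temporarily blocked after repeated failures`);
  }
  if (!geoPermits(policy.geo, attempt.country)) {
    escalate('block', `country ${attempt.country} rejected by geo-fence`);
  }
  for (const rule of policy.rules) {
    if (rule.when(attempt)) escalate(rule.action, rule.name);
  }
  return { action, reasons, sessionCreated: action !== 'block' };
}

// Illustrative policy mirroring the table above; the concrete rules are assumptions.
const examplePolicy = {
  geo: { mode: 'block', countries: ['CN', 'RU', 'KP'] },
  rules: [
    { name: 'vpn detected', when: a => a.isVpn === true, action: 'alert' },
    { name: 'threat score > 80', when: a => a.threatScore > 80, action: 'block' },
  ],
};
const bruteForceDefaults = { maxFailures: 5, windowMs: 10 * 60 * 1000, blockMs: 60 * 60 * 1000 };
```

Every reason is collected even after the decision is already `block`, which is what the audit log needs: an attempt that was both geo-fenced and over the score threshold should be logged with both reasons, not just the first one that fired.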
Security alerts (Advanced)
Configurable notifications on:
- New country for existing user
- VPN / proxy detected
- Threat score above threshold
- Blocked login attempt
- Custom events
Delivery:
- Email (requires Magic-Mail or any Strapi email provider)
- Webhook (generic HTTPS POST)
- Slack webhook (formatted)
- Discord webhook (formatted)
Audit logging
All security-relevant events are logged:
- Login (success / failure)
- Force logout
- Refresh token block
- Rule trigger
- Config change (admin action)
Logs are queryable via the Strapi REST API and exportable to CSV/JSON for compliance reporting.
Best practices
- Enable JWT encryption — always, in production.
- Generate a unique SESSION_ENCRYPTION_KEY; don't reuse Strapi's JWT_SECRET.
- Enable VPN detection (Advanced) if you have geographic restrictions or want to flag suspicious access.
- Tune threat thresholds based on your traffic — start with defaults, adjust after observing 1 week of data.
- Configure alerts for threat scores ≥ 80. A score that high means several independent risk factors have stacked up, so treat the session as hostile until a human has reviewed it.
- Review audit logs weekly for compliance.
- Test geo-fencing with a VPN before deploying — false positives can lock out legitimate users.
Next: Geolocation details →