dbgate-api-premium 6.5.5 → 6.6.0

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "dbgate-api-premium",
   "main": "src/index.js",
-  "version": "6.5.5",
+  "version": "6.6.0",
   "homepage": "https://dbgate.org/",
   "repository": {
     "type": "git",
@@ -30,10 +30,10 @@
     "compare-versions": "^3.6.0",
     "cors": "^2.8.5",
     "cross-env": "^6.0.3",
-    "dbgate-datalib": "^6.5.5",
+    "dbgate-datalib": "^6.6.0",
     "dbgate-query-splitter": "^4.11.5",
-    "dbgate-sqltree": "^6.5.5",
-    "dbgate-tools": "^6.5.5",
+    "dbgate-sqltree": "^6.6.0",
+    "dbgate-tools": "^6.6.0",
     "debug": "^4.3.4",
     "diff": "^5.0.0",
     "diff2html": "^3.4.13",
@@ -68,6 +68,7 @@
   },
   "scripts": {
     "start": "env-cmd -f .env node src/index.js --listen-api",
+    "start:debug": "env-cmd -f .env node --inspect src/index.js --listen-api",
     "start:portal": "env-cmd -f env/portal/.env node src/index.js --listen-api",
     "start:singledb": "env-cmd -f env/singledb/.env node src/index.js --listen-api",
     "start:auth": "env-cmd -f env/auth/.env node src/index.js --listen-api",
@@ -85,7 +86,7 @@
   "devDependencies": {
     "@types/fs-extra": "^9.0.11",
     "@types/lodash": "^4.14.149",
-    "dbgate-types": "^6.5.5",
+    "dbgate-types": "^6.6.0",
     "env-cmd": "^10.1.0",
     "jsdoc-to-markdown": "^9.0.5",
     "node-loader": "^1.0.2",

package/src/auth/storageAuthProvider.js

@@ -22,7 +22,7 @@ const _ = require('lodash');
 const { authProxyGetTokenFromCode, authProxyGetRedirectUrl } = require('../utility/authProxy');
 const { decryptUser } = require('../utility/crypting');
 const { sendToAuditLog } = require('../utility/auditlog');
-const { isLoginLicensed, LOGIN_LIMIT_ERROR } = require('../utility/loginchecker');
+const { isLoginLicensed, LOGIN_LIMIT_ERROR, markTokenAsLoggedIn } = require('../utility/loginchecker');
 
 async function loadPermissionsForUserId(userId) {
   const rolePermissions = sortPermissionsFromTheSameLevel(await storageReadUserRolePermissions(userId));
@@ -31,7 +31,6 @@ async function loadPermissionsForUserId(userId) {
   return [...getPredefinedPermissions('logged-user'), ...loggedUserPermissions, ...rolePermissions, ...userPermissions];
 }
 
-
 class StorageProviderBase extends AuthProviderBase {
   constructor(config) {
     super();
@@ -72,16 +71,20 @@ class AnonymousProvider extends StorageProviderBase {
       message: 'Anonymous login',
     });
 
+    const licenseUid = 'anonymous';
+    const accessToken = jwt.sign(
+      {
+        amoid: this.amoid,
+        permissions,
+        licenseUid,
+      },
+      getTokenSecret(),
+      { expiresIn: getTokenLifetime() }
+    );
+    markTokenAsLoggedIn(licenseUid, accessToken);
+
     return {
-      accessToken: jwt.sign(
-        {
-          amoid: this.amoid,
-          permissions,
-          licenseUid: 'anonymous',
-        },
-        getTokenSecret(),
-        { expiresIn: getTokenLifetime() }
-      ),
+      accessToken,
     };
   }
 }
@@ -114,18 +117,22 @@ class LocalAuthProvider extends StorageProviderBase {
         message: 'Local login successful',
       });
 
+      const licenseUid = `local:${login}`;
+      const accessToken = jwt.sign(
+        {
+          amoid: this.amoid,
+          login,
+          permissions,
+          userId,
+          licenseUid,
+        },
+        getTokenSecret(),
+        { expiresIn: getTokenLifetime() }
+      );
+      markTokenAsLoggedIn(licenseUid, accessToken);
+
       return {
-        accessToken: jwt.sign(
-          {
-            amoid: this.amoid,
-            login,
-            permissions,
-            userId,
-            licenseUid: `local:${login}`,
-          },
-          getTokenSecret(),
-          { expiresIn: getTokenLifetime() }
-        ),
+        accessToken,
       };
     }
 
@@ -252,18 +259,22 @@ class OauthProvider extends StorageProviderBase {
       message: `User ${login} logged in via OAUTH`,
     });
 
+    const licenseUid = `oauth:${login}`;
+    const accessToken = jwt.sign(
+      {
+        amoid: this.amoid,
+        login,
+        permissions,
+        userId: loginRows[0]?.id,
+        licenseUid,
+      },
+      getTokenSecret(),
+      { expiresIn: getTokenLifetime() }
+    );
+    markTokenAsLoggedIn(licenseUid, accessToken);
+
     return {
-      accessToken: jwt.sign(
-        {
-          amoid: this.amoid,
-          login,
-          permissions,
-          userId: loginRows[0]?.id,
-          licenseUid: `oauth:${login}`,
-        },
-        getTokenSecret(),
-        { expiresIn: getTokenLifetime() }
-      ),
+      accessToken,
     };
   }
 
@@ -339,17 +350,21 @@ class ADProvider extends StorageProviderBase {
         message: `User ${login} logged in via AD`,
       });
 
+      const licenseUid = `ad:${login}`;
+      const accessToken = jwt.sign(
+        {
+          amoid: this.amoid,
+          login,
+          permissions,
+          licenseUid,
+        },
+        getTokenSecret(),
+        { expiresIn: getTokenLifetime() }
+      );
+      markTokenAsLoggedIn(licenseUid, accessToken);
+
       return {
-        accessToken: jwt.sign(
-          {
-            amoid: this.amoid,
-            login,
-            permissions,
-            licenseUid: `ad:${login}`,
-          },
-          getTokenSecret(),
-          { expiresIn: getTokenLifetime() }
-        ),
+        accessToken,
       };
     } catch (e) {
       sendToAuditLog(req, {
@@ -422,19 +437,23 @@ class DatabaseProvider extends StorageProviderBase {
       message: `User ${login} logged in via database`,
     });
 
+    const licenseUid = `db:${login}`;
+    const accessToken = jwt.sign(
+      {
+        amoid: this.amoid,
+        login,
+        permissions,
+        userId,
+        conid,
+        licenseUid,
+      },
+      getTokenSecret(),
+      { expiresIn: getTokenLifetime() }
+    );
+    markTokenAsLoggedIn(licenseUid, accessToken);
+
     return {
-      accessToken: jwt.sign(
-        {
-          amoid: this.amoid,
-          login,
-          permissions,
-          userId,
-          conid,
-          licenseUid: `db:${login}`,
-        },
-        getTokenSecret(),
-        { expiresIn: getTokenLifetime() }
-      ),
+      accessToken,
     };
   }
 
@@ -504,19 +523,23 @@ class MsEntraProvider extends StorageProviderBase {
         message: `User ${payload.unique_name} logged in via MS Entra`,
       });
 
+      const licenseUid = `msentra:${payload.unique_name}`;
+      const accessToken = jwt.sign(
+        {
+          amoid: this.amoid,
+          permissions,
+          msentraToken: token,
+          userId: loginRows[0]?.id,
+          login: payload.unique_name,
+          licenseUid,
+        },
+        getTokenSecret(),
+        { expiresIn: getTokenLifetime() }
+      );
+      markTokenAsLoggedIn(licenseUid, accessToken);
+
       return {
-        accessToken: jwt.sign(
-          {
-            amoid: this.amoid,
-            permissions,
-            msentraToken: token,
-            userId: loginRows[0]?.id,
-            login: payload.unique_name,
-            licenseUid: `msentra:${payload.unique_name}`,
-          },
-          getTokenSecret(),
-          { expiresIn: getTokenLifetime() }
-        ),
+        accessToken,
       };
     }
 

package/src/controllers/auth.js

@@ -21,7 +21,13 @@ const {
 } = require('../utility/cloudIntf');
 const socket = require('../utility/socket');
 const { sendToAuditLog } = require('../utility/auditlog');
-const { isLoginLicensed, LOGIN_LIMIT_ERROR } = require('../utility/loginchecker');
+const {
+  isLoginLicensed,
+  LOGIN_LIMIT_ERROR,
+  markTokenAsLoggedIn,
+  markUserAsActive,
+  markLoginAsLoggedOut,
+} = require('../utility/loginchecker');
 
 const logger = getLogger('auth');
 
@@ -61,6 +67,11 @@ function authMiddleware(req, res, next) {
 
   // const isAdminPage = req.headers['x-is-admin-page'] == 'true';
 
+  if (process.env.SKIP_ALL_AUTH) {
+    // API is not authorized for basic auth
+    return next();
+  }
+
   if (process.env.BASIC_AUTH) {
     // API is not authorized for basic auth
     return next();
@@ -79,7 +90,7 @@ function authMiddleware(req, res, next) {
   try {
     const decoded = jwt.verify(token, getTokenSecret());
     req.user = decoded;
-    storage.markUserAsActive(decoded.licenseUid);
+    markUserAsActive(decoded.licenseUid, token);
 
     return next();
   } catch (err) {
@@ -124,19 +135,23 @@ module.exports = {
           message: 'Administration login successful',
         });
 
+        const licenseUid = `superadmin`;
+        const accessToken = jwt.sign(
+          {
+            login: 'superadmin',
+            permissions: await storage.loadSuperadminPermissions(),
+            roleId: -3,
+            licenseUid,
+          },
+          getTokenSecret(),
+          {
+            expiresIn: getTokenLifetime(),
+          }
+        );
+        markTokenAsLoggedIn(licenseUid, accessToken);
+
         return {
-          accessToken: jwt.sign(
-            {
-              login: 'superadmin',
-              permissions: await storage.loadSuperadminPermissions(),
-              roleId: -3,
-              licenseUid: `superadmin`,
-            },
-            getTokenSecret(),
-            {
-              expiresIn: getTokenLifetime(),
-            }
-          ),
+          accessToken,
         };
       }
 
@@ -192,5 +207,17 @@ module.exports = {
     return tokenHolder;
   },
 
+  logoutAdmin_meta: true,
+  async logoutAdmin() {
+    await markLoginAsLoggedOut('superadmin');
+    return true;
+  },
+
+  logoutUser_meta: true,
+  async logoutUser({}, req) {
+    await markLoginAsLoggedOut(req?.user?.licenseUid);
+    return true;
+  },
+
   authMiddleware,
 };

package/src/controllers/cloud.js

@@ -16,6 +16,7 @@ const { getConnectionLabel, getLogger, extractErrorLogData } = require('dbgate-t
 const logger = getLogger('cloud');
 const _ = require('lodash');
 const fs = require('fs-extra');
+const { getAiGatewayServer } = require('../utility/authProxy');
 
 module.exports = {
   publicFiles_meta: true,
@@ -276,4 +277,17 @@ module.exports = {
     const resp = await callCloudApiPost(`content-folders/remove-user/${folid}`, { email });
     return resp;
   },
+
+  getAiGateway_meta: true,
+  async getAiGateway() {
+    return getAiGatewayServer();
+  },
+
+  // chatStream_meta: {
+  //   raw: true,
+  //   method: 'post',
+  // },
+  // chatStream(req, res) {
+  //   callChatStream(req.body, res);
+  // },
 };

package/src/controllers/config.js

@@ -16,7 +16,7 @@ const connections = require('../controllers/connections');
 const { getAuthProviderFromReq } = require('../auth/authProvider');
 const { checkLicense, checkLicenseKey } = require('../utility/checkLicense');
 const storage = require('./storage');
-const { getAuthProxyUrl } = require('../utility/authProxy');
+const { getAuthProxyUrl, tryToGetRefreshedLicense } = require('../utility/authProxy');
 const { getPublicHardwareFingerprint } = require('../utility/hardwareFingerprint');
 const { extractErrorMessage } = require('dbgate-tools');
 const {
@@ -109,6 +109,7 @@ module.exports = {
       ),
       isAdminPasswordMissing,
       isInvalidToken: req?.isInvalidToken,
+      skipAllAuth: !!process.env.SKIP_ALL_AUTH,
       adminPasswordState: adminConfig?.adminPasswordState,
       storageDatabase: process.env.STORAGE_DATABASE,
       logsFilePath: getLogsFilePath(),
@@ -191,6 +192,7 @@ module.exports = {
         return {
           ...this.fillMissingSettings(JSON.parse(settingsText)),
           'other.licenseKey': platformInfo.isElectron ? await this.loadLicenseKey() : undefined,
+          // 'other.licenseKey': await this.loadLicenseKey(),
         };
       }
     } catch (err) {
@@ -208,21 +210,34 @@ module.exports = {
   },
 
   saveLicenseKey_meta: true,
-  async saveLicenseKey({ licenseKey }) {
-    const decoded = jwt.decode(licenseKey?.trim());
-    if (!decoded) {
-      return {
-        status: 'error',
-        errorMessage: 'Invalid license key',
-      };
-    }
+  async saveLicenseKey({ licenseKey, forceSave = false, tryToRenew = false }) {
+    if (!forceSave) {
+      const decoded = jwt.decode(licenseKey?.trim());
+      if (!decoded) {
+        return {
+          status: 'error',
+          errorMessage: 'Invalid license key',
+        };
+      }
 
-    const { exp } = decoded;
-    if (exp * 1000 < Date.now()) {
-      return {
-        status: 'error',
-        errorMessage: 'License key is expired',
-      };
+      const { exp } = decoded;
+      if (exp * 1000 < Date.now()) {
+        let renewed = false;
+        if (tryToRenew) {
+          const newLicenseKey = await tryToGetRefreshedLicense(licenseKey);
+          if (newLicenseKey.status == 'ok') {
+            licenseKey = newLicenseKey.token;
+            renewed = true;
+          }
+        }
+
+        if (!renewed) {
+          return {
+            status: 'error',
+            errorMessage: 'License key is expired',
+          };
+        }
+      }
     }
 
     try {
@@ -297,7 +312,7 @@ module.exports = {
           // this.settingsValue = updated;
 
           if (currentValue['other.licenseKey'] != values['other.licenseKey']) {
-            await this.saveLicenseKey({ licenseKey: values['other.licenseKey'] });
+            await this.saveLicenseKey({ licenseKey: values['other.licenseKey'], forceSave: true });
             socket.emitChanged(`config-changed`);
           }
         }
@@ -327,6 +342,16 @@ module.exports = {
     return resp;
   },
 
+  getNewLicense_meta: true,
+  async getNewLicense({ oldLicenseKey }) {
+    const newLicenseKey = await tryToGetRefreshedLicense(oldLicenseKey);
+    const res = await checkLicenseKey(newLicenseKey.token);
+    if (res.status == 'ok') {
+      res.licenseKey = newLicenseKey.token;
+    }
+    return res;
+  },
+
   recryptDatabaseForExport(db) {
     const encryptionKey = generateTransportEncryptionKey();
     const transportEncryptor = createTransportEncryptor(encryptionKey);

package/src/controllers/storage.js

@@ -40,7 +40,6 @@ const crypto = require('crypto');
 const dataReplicator = require('../shell/dataReplicator');
 const storageReplicatorItems = require('../utility/storageReplicatorItems');
 const { sendToAuditLog } = require('../utility/auditlog');
-const { markUserAsActive } = require('../utility/loginchecker');
 
 const logger = getLogger('storage');
 
@@ -881,8 +880,4 @@ module.exports = {
     sendToAuditLog(req, props);
     return null;
   },
-
-  markUserAsActive(licenseUid) {
-    markUserAsActive(licenseUid);
-  },
 };

package/src/currentVersion.js

@@ -1,5 +1,5 @@
 
 module.exports = { 
-  version: '6.5.5',
-  buildTime: '2025-07-04T07:10:42.669Z'
+  version: '6.6.0',
+  buildTime: '2025-07-25T07:23:41.045Z'
 };

package/src/storageModel.js

@@ -519,6 +519,12 @@ module.exports = {
           "dataType": "int",
           "notNull": false
         },
+        {
+          "pureName": "connections",
+          "columnName": "useSeparateSchemas",
+          "dataType": "int",
+          "notNull": false
+        },
         {
           "pureName": "connections",
           "columnName": "defaultDatabase",
@@ -668,6 +674,12 @@ module.exports = {
           "columnName": "awsRegion",
           "dataType": "varchar(250)",
           "notNull": false
+        },
+        {
+          "pureName": "connections",
+          "columnName": "connectionDefinition",
+          "dataType": "text",
+          "notNull": false
         }
       ],
       "foreignKeys": [],
@@ -682,6 +694,49 @@ module.exports = {
         ]
       }
     },
+    {
+      "pureName": "roles",
+      "columns": [
+        {
+          "pureName": "roles",
+          "columnName": "id",
+          "dataType": "int",
+          "autoIncrement": true,
+          "notNull": true
+        },
+        {
+          "pureName": "roles",
+          "columnName": "name",
+          "dataType": "varchar(250)",
+          "notNull": false
+        }
+      ],
+      "foreignKeys": [],
+      "primaryKey": {
+        "pureName": "roles",
+        "constraintType": "primaryKey",
+        "constraintName": "PK_roles",
+        "columns": [
+          {
+            "columnName": "id"
+          }
+        ]
+      },
+      "preloadedRows": [
+        {
+          "id": -1,
+          "name": "anonymous-user"
+        },
+        {
+          "id": -2,
+          "name": "logged-user"
+        },
+        {
+          "id": -3,
+          "name": "superadmin"
+        }
+      ]
+    },
     {
       "pureName": "role_connections",
       "columns": [
@@ -794,47 +849,45 @@ module.exports = {
       }
     },
     {
-      "pureName": "roles",
+      "pureName": "users",
       "columns": [
         {
-          "pureName": "roles",
+          "pureName": "users",
           "columnName": "id",
           "dataType": "int",
           "autoIncrement": true,
           "notNull": true
         },
         {
-          "pureName": "roles",
-          "columnName": "name",
+          "pureName": "users",
+          "columnName": "login",
+          "dataType": "varchar(250)",
+          "notNull": false
+        },
+        {
+          "pureName": "users",
+          "columnName": "password",
+          "dataType": "varchar(250)",
+          "notNull": false
+        },
+        {
+          "pureName": "users",
+          "columnName": "email",
           "dataType": "varchar(250)",
           "notNull": false
         }
       ],
       "foreignKeys": [],
       "primaryKey": {
-        "pureName": "roles",
+        "pureName": "users",
         "constraintType": "primaryKey",
-        "constraintName": "PK_roles",
+        "constraintName": "PK_users",
         "columns": [
           {
             "columnName": "id"
           }
         ]
-      },
-      "preloadedRows": [
-        {
-          "id": -1,
-          "name": "anonymous-user"
-        },
-        {
-          "id": -2,
-          "name": "logged-user"
-        },
-        {
-          "id": -3,
-          "name": "superadmin"
-        }
-      ]
+      }
     },
     {
       "pureName": "user_connections",
@@ -1008,47 +1061,6 @@ module.exports = {
           }
         ]
       }
-    },
-    {
-      "pureName": "users",
-      "columns": [
-        {
-          "pureName": "users",
-          "columnName": "id",
-          "dataType": "int",
-          "autoIncrement": true,
-          "notNull": true
-        },
-        {
-          "pureName": "users",
-          "columnName": "login",
-          "dataType": "varchar(250)",
-          "notNull": false
-        },
-        {
-          "pureName": "users",
-          "columnName": "password",
-          "dataType": "varchar(250)",
-          "notNull": false
-        },
-        {
-          "pureName": "users",
-          "columnName": "email",
-          "dataType": "varchar(250)",
-          "notNull": false
-        }
-      ],
-      "foreignKeys": [],
-      "primaryKey": {
-        "pureName": "users",
-        "constraintType": "primaryKey",
-        "constraintName": "PK_users",
-        "columns": [
-          {
-            "columnName": "id"
-          }
-        ]
-      }
     }
   ],
   "collections": [],

package/src/utility/authProxy.js

@@ -185,6 +185,27 @@ async function obtainRefreshedLicense() {
   }
 }
 
+async function tryToGetRefreshedLicense(oldLicenseKey) {
+  try {
+    const respToken = await axios.default.post(
+      `${AUTH_PROXY_URL}/refresh-license`,
+      {},
+      {
+        headers: {
+          'Content-Type': 'application/json',
+          Authorization: `Bearer ${oldLicenseKey}`,
+        },
+      }
+    );
+    return respToken.data;
+  } catch (err) {
+    return {
+      status: 'error',
+      message: err.message,
+    };
+  }
+}
+
 /**
  * @param {import('dbgate-types').DatabaseInfo} structure
  * @returns {import('dbgate-types').DatabaseInfoTiny}
@@ -289,6 +310,32 @@ async function callRefactorSqlQueryApi(query, task, structure, dialect) {
   return resp.data;
 }
 
+// async function callChatStream({ input, tools }, res) {
+//   const resp = await axios.default.post(
+//     `${AI_GATEWAY_URL}/chat-stream`,
+//     {
+//       input,
+//       tools,
+//     },
+//     getAxiosParamsWithLicense()
+//   );
+
+//   res.set(resp.headers);
+//   res.status(resp.status);
+//   resp.data.pipe(res);
+// }
+
+function getAiGatewayServer() {
+  return {
+    url: AI_GATEWAY_URL,
+    headers: {
+      Authorization:
+        licenseKey ?? process.env.DBGATE_LICENSE ? `Bearer ${licenseKey ?? process.env.DBGATE_LICENSE}` : undefined,
+      ...getE2ETestHeaders(),
+    },
+  };
+}
+
 module.exports = {
   isAuthProxySupported,
   authProxyGetRedirectUrl,
@@ -303,4 +350,7 @@ module.exports = {
   callCompleteOnCursorApi,
   callRefactorSqlQueryApi,
   getLicenseHttpHeaders,
+  tryToGetRefreshedLicense,
+  getAiGatewayServer,
+  // callChatStream,
 };

package/src/utility/checkLicense.js

@@ -161,6 +161,7 @@ function checkLicenseKey(licenseKey) {
             status: 'error',
             isExpired: true,
             errorMessage: 'License key is expired',
+            expiration: exp * 1000,
           };
         }
       }

package/src/utility/cloudIntf.js

@@ -1,4 +1,5 @@
 const axios = require('axios');
+const crypto = require('crypto');
 const fs = require('fs-extra');
 const _ = require('lodash');
 const path = require('path');
@@ -216,7 +217,7 @@ async function updateCloudFiles(isRefresh) {
     {
       headers: {
         ...getLicenseHttpHeaders(),
-        ...(await getCloudSigninHeaders()),
+        ...(await getCloudInstanceHeaders()),
         'x-app-version': currentVersion.version,
       },
     }
@@ -300,6 +301,17 @@ async function callCloudApiGet(endpoint, signinHolder = null, additionalHeaders
   return resp.data;
 }
 
+async function getCloudInstanceHeaders() {
+  if (!(await fs.exists(path.join(datadir(), 'cloud-instance.txt')))) {
+    const newInstanceId = crypto.randomUUID();
+    await fs.writeFile(path.join(datadir(), 'cloud-instance.txt'), newInstanceId);
+  }
+  const instanceId = await fs.readFile(path.join(datadir(), 'cloud-instance.txt'), 'utf-8');
+  return {
+    'x-cloud-instance': instanceId,
+  };
+}
+
 async function callCloudApiPost(endpoint, body, signinHolder = null) {
   if (!signinHolder) {
     signinHolder = await getCloudSigninHolder();

package/src/utility/crypting.js

@@ -101,24 +101,26 @@ function decryptObjectPasswordField(obj, field, encryptor = null) {
   return obj;
 }
 
+const fieldsToEncrypt = ['password', 'sshPassword', 'sshKeyfilePassword', 'connectionDefinition'];
+
 function encryptConnection(connection, encryptor = null) {
   if (connection.passwordMode != 'saveRaw') {
-    connection = encryptObjectPasswordField(connection, 'password', encryptor);
-    connection = encryptObjectPasswordField(connection, 'sshPassword', encryptor);
-    connection = encryptObjectPasswordField(connection, 'sshKeyfilePassword', encryptor);
+    for (const field of fieldsToEncrypt) {
+      connection = encryptObjectPasswordField(connection, field, encryptor);
+    }
   }
   return connection;
 }
 
 function maskConnection(connection) {
   if (!connection) return connection;
-  return _.omit(connection, ['password', 'sshPassword', 'sshKeyfilePassword']);
+  return _.omit(connection, fieldsToEncrypt);
 }
 
-function decryptConnection(connection, encryptor = null) {
-  connection = decryptObjectPasswordField(connection, 'password', encryptor);
-  connection = decryptObjectPasswordField(connection, 'sshPassword', encryptor);
-  connection = decryptObjectPasswordField(connection, 'sshKeyfilePassword', encryptor);
+function decryptConnection(connection) {
+  for (const field of fieldsToEncrypt) {
+    connection = decryptObjectPasswordField(connection, field);
+  }
   return connection;
 }
 
@@ -188,9 +190,9 @@ function recryptObjectPasswordFieldInPlace(obj, field, decryptEncryptor, encrypt
 }
 
 function recryptConnection(connection, decryptEncryptor, encryptEncryptor) {
-  connection = recryptObjectPasswordField(connection, 'password', decryptEncryptor, encryptEncryptor);
-  connection = recryptObjectPasswordField(connection, 'sshPassword', decryptEncryptor, encryptEncryptor);
-  connection = recryptObjectPasswordField(connection, 'sshKeyfilePassword', decryptEncryptor, encryptEncryptor);
+  for (const field of fieldsToEncrypt) {
+    connection = recryptObjectPasswordField(connection, field, decryptEncryptor, encryptEncryptor);
+  }
   return connection;
 }
 

package/src/utility/loginchecker.js

@@ -4,22 +4,32 @@ const _ = require('lodash');
 const { sendToAuditLog } = require('./auditlog');
 const { checkLicense } = require('./checkLicense');
 const LOGIN_LIMIT_ERROR = 'Your limit of concurrent logins has been reached';
+const jwt = require('jsonwebtoken');
 
 // map string (user key) => time to expiration
 let activeLoggedUsers = {};
 
-function markUserAsActive(licenseUid) {
+// map string (user key) => token expiration time
+let activeLoggedTokens = {};
+
+function markUserAsActive(licenseUid, accessToken) {
   activeLoggedUsers[licenseUid] = Date.now() + 60 * 1000; // mark user as active for 1 minute
 }
 
 async function isLoginLicensed(req, licenseUid) {
   const license = await checkLicense();
   activeLoggedUsers = _.pickBy(activeLoggedUsers, value => value > Date.now());
+  activeLoggedTokens = _.pickBy(activeLoggedTokens, value => value > Date.now());
   if (licenseUid in activeLoggedUsers) {
     return true;
   }
+  if (licenseUid in activeLoggedTokens) {
+    return true;
+  }
   if (license.licenseId == 'f0346efe-ebc2-4822-9a83-4b4668a897e5' && license?.users != null) {
-    const currentUserCount = Object.keys(activeLoggedUsers).length;
+    const uniqUsers = _.uniq([...Object.keys(activeLoggedUsers), ...Object.keys(activeLoggedTokens)]);
+    const currentUserCount = uniqUsers.length;
+
     if (currentUserCount >= license?.users) {
       sendToAuditLog(req, {
         category: 'auth',
@@ -37,8 +47,23 @@ async function isLoginLicensed(req, licenseUid) {
   return true;
 }
 
+function markTokenAsLoggedIn(licenseUid, token) {
+  if (licenseUid != 'anonymous') {
+    const decoded = jwt.decode(token);
+    activeLoggedTokens[licenseUid] = decoded.exp * 1000;
+  }
+  activeLoggedUsers[licenseUid] = Date.now() + 60 * 1000; // mark user as active for 1 minute
+}
+
+function markLoginAsLoggedOut(licenseUid) {
+  delete activeLoggedUsers[licenseUid];
+  delete activeLoggedTokens[licenseUid];
+}
+
 module.exports = {
   markUserAsActive,
+  markTokenAsLoggedIn,
   isLoginLicensed,
   LOGIN_LIMIT_ERROR,
+  markLoginAsLoggedOut,
 };