mbkauthe 1.0.21 → 1.0.22

package/.github/workflows/apisec-scan.yml

@@ -0,0 +1,71 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# APIsec addresses the critical need to secure APIs before they reach production.
+# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs.
+# Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.
+
+# How to Get Started with APIsec.ai
+# 1. Schedule a demo at https://www.apisec.ai/request-a-demo .
+#
+# 2. Register your account at https://cloud.apisec.ai/#/signup .
+#
+# 3. Register your API . See the video (https://www.youtube.com/watch?v=MK3Xo9Dbvac) to get up and running with APIsec quickly.
+#
+# 4. Get GitHub Actions scan attributes from APIsec Project -> Configurations -> Integrations -> CI-CD -> GitHub Actions
+#
+# apisec-run-scan
+#
+# This action triggers the on-demand scans for projects registered in APIsec.
+# If your GitHub account allows code scanning alerts, you can then upload the sarif file generated by this action to show the scan findings.
+# Else you can view the scan results from the project home page in APIsec Platform.
+# The link to view the scan results is also displayed on the console on successful completion of action.
+
+# This is a starter workflow to help you get started with APIsec-Scan Actions
+
+name: APIsec
+
+# Controls when the workflow will run
+on:
+  # Triggers the workflow on push or pull request events but only for the "main" branch
+  # Customize trigger events based on your DevSecOps processes.
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '44 15 * * 0'
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+
+permissions:
+  contents: read
+
+jobs:
+
+  Trigger_APIsec_scan:
+    permissions:
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+
+    steps:
+       - name: APIsec scan
+         uses: apisec-inc/apisec-run-scan@025432089674a28ba8fb55f8ab06c10215e772ea
+         with:
+          # The APIsec username with which the scans will be executed
+          apisec-username: ${{ secrets.apisec_username }}
+          # The Password of the APIsec user with which the scans will be executed
+          apisec-password: ${{ secrets.apisec_password}}
+          # The name of the project for security scan
+          apisec-project: "VAmPI"
+          # The name of the sarif format result file The file is written only if this property is provided.
+          sarif-result-file: "apisec-results.sarif"
+       - name: Import results
+         uses: github/codeql-action/upload-sarif@v3
+         with:
+          sarif_file: ./apisec-results.sarif

package/index.js

@@ -1,3 +1,4 @@
+import express from "express"; // Add this line
 import router from "./lib/main.js";
 
 import dotenv from "dotenv";

package/lib/main.js

@@ -7,6 +7,7 @@ import { dblogin } from "./pool.js";
 import { authenticate } from "./validateSessionAndRole.js";
 import fetch from 'node-fetch';
 import cookieParser from "cookie-parser";
+import bcrypt from 'bcrypt';
 
 import { createRequire } from "module";
 const require = createRequire(import.meta.url);
@@ -195,9 +196,24 @@ router.post("/mbkauthe/api/login", async (req, res) => {
 
     const user = userResult.rows[0];
 
-    if (user.Password !== password) {
-      console.log(`Incorrect password for username: ${username}`);
-      return res.status(401).json({ success: false, message: "Incorrect Username Or Password" });
+    if (mbkautheVar.EncryptedPassword === "true") {
+      try {
+        const result = await bcrypt.compare(password, user.Password);
+        if (!result) {
+          console.log("Incorrect password.");
+          return res.status(401).json({ success: false, errorCode: 603, message: "Incorrect Username Or Password." });
+        }
+        console.log("Password matches!");
+      } catch (err) {
+        console.error("Error comparing password:", err);
+        return res.status(500).json({ success: false, errorCode: 605, message: `Internal Server Error` });
+      }
+    } else {
+      // Check if the password matches
+      if (user.Password !== password) {
+        console.log(`Incorrect password for username: ${username}`);
+        return res.status(401).json({ success: false, errorCode: 603, message: "Incorrect Username Or Password" });
+      }
     }
 
     if (!user.Active) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mbkauthe",
-  "version": "1.0.21",
+  "version": "1.0.22",
   "description": "MBKTechStudio's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",
@@ -26,6 +26,7 @@
   },
   "homepage": "https://github.com/MIbnEKhalid/mbkauthe#readme",
   "dependencies": {
+    "bcrypt": "^5.1.1",
     "connect-pg-simple": "^10.0.0",
     "cookie-parser": "^1.4.7",
     "dotenv": "^16.4.7",
@@ -34,4 +35,4 @@
     "node-fetch": "^3.3.2",
     "pg": "^8.14.1"
   }
-}
+}