mbkauthe 1.0.21 → 1.0.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
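--- a/package/index.js
+++ b/package/index.js
@@ -1,3 +1,4 @@
+import express from "express"; // Add this line
 import router from "./lib/main.js";
 
 import dotenv from "dotenv";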
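Review bot: The trailing `// Add this line` on the new import is an editing instruction, not documentation, and should not ship; the line should read `import express from "express";`. Whether `express` is referenced anywhere in index.js is not visible in this hunk; if it is only re-exported or unused, the import should be dropped rather than kept.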
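--- a/package/lib/main.js
+++ b/package/lib/main.js
@@ -7,6 +7,8 @@ import { dblogin } from "./pool.js";
 import { authenticate } from "./validateSessionAndRole.js";
 import fetch from 'node-fetch';
 import cookieParser from "cookie-parser";
+import bcrypt from 'bcrypt';
+import rateLimit from 'express-rate-limit';
 
 import { createRequire } from "module";
 const require = createRequire(import.meta.url);
@@ -19,18 +21,6 @@ dotenv.config();
 const mbkautheVar = JSON.parse(process.env.mbkautheVar);
 
 const router = express.Router();
-let COOKIE_EXPIRE_TIME = 2 * 24 * 60 * 60 * 1000; // 2 days
-
-try {
-const parsedExpireTime = parseInt(mbkautheVar.COOKIE_EXPIRE_TIME, 10);
-if (!isNaN(parsedExpireTime) && parsedExpireTime > 0) {
-COOKIE_EXPIRE_TIME = parsedExpireTime * 24 * 60 * 60 * 1000;
-} else {
-console.warn("Invalid COOKIE_EXPIRE_TIME, using default value");
-}
-} catch (error) {
-console.log("Error parsing COOKIE_EXPIRE_TIME:", error);
-}
 
 // Enable CORS for subdomains
 router.use((req, res, next) => {
@@ -48,6 +38,16 @@ router.use(express.json());
 router.use(express.urlencoded({ extended: true }));
 router.use(cookieParser());
 
+// Add rate limiting for sensitive operations
+const LoginLimit = rateLimit({
+windowMs: 1 * 60 * 1000,
+max: 15,
+message: 'Too many attempts, please try again later',
+skip: (req) => {
+return !!req.session.user;
+}
+});
+
 // Configure session with proper domain settings for cross-subdomain sharing
 const sessionConfig = {
 store: new PgSession({
@@ -60,7 +60,7 @@ const sessionConfig = {
 saveUninitialized: false,
 proxy: true, // Trust the reverse proxy
 cookie: {
-maxAge: COOKIE_EXPIRE_TIME,
+maxAge: mbkautheVar.COOKIE_EXPIRE_TIME,
 domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
 httpOnly: true,
 secure: mbkautheVar.IS_DEPLOYED === 'true' ? 'auto' : false, // 'auto' respects X-Forwarded-Proto
@@ -97,7 +97,7 @@ router.use(async (req, res, next) => {
 
 // Set consistent cookie options for all cookies
 const getCookieOptions = () => ({
-maxAge: COOKIE_EXPIRE_TIME,
+maxAge: mbkautheVar.COOKIE_EXPIRE_TIME,
 domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
 secure: mbkautheVar.IS_DEPLOYED === 'true' ? 'auto' : false,
 sameSite: 'lax',
@@ -143,7 +143,7 @@ router.post("/mbkauthe/api/terminateAllSessions", authenticate(mbkautheVar.Main_
 }
 });
 
-router.post("/mbkauthe/api/login", async (req, res) => {
+router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
 console.log("Login request received");
 
 const { username, password, token, recaptcha } = req.body;
@@ -195,9 +195,24 @@ router.post("/mbkauthe/api/login", async (req, res) => {
 
 const user = userResult.rows[0];
 
-if (user.Password !== password) {
-console.log(`Incorrect password for username: ${username}`);
-return res.status(401).json({ success: false, message: "Incorrect Username Or Password" });
+if (mbkautheVar.EncryptedPassword === "true") {
+try {
+const result = await bcrypt.compare(password, user.Password);
+if (!result) {
+console.log("Incorrect password.");
+return res.status(401).json({ success: false, errorCode: 603, message: "Incorrect Username Or Password." });
+}
+console.log("Password matches!");
+} catch (err) {
+console.error("Error comparing password:", err);
+return res.status(500).json({ success: false, errorCode: 605, message: `Internal Server Error` });
+}
+} else {
+// Check if the password matches
+if (user.Password !== password) {
+console.log(`Incorrect password for username: ${username}`);
+return res.status(401).json({ success: false, errorCode: 603, message: "Incorrect Username Or Password" });
+}
 }
 
 if (!user.Active) {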
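Review bot: The cookie `maxAge` in the `@@ -60,7 +60,7 @@` and `@@ -97,7 +97,7 @@` hunks (and the same one-line change in the `@@ -3,7 +3,7 @@` hunk further down, whose file header is missing from this page) now takes `mbkautheVar.COOKIE_EXPIRE_TIME` straight from the parsed JSON, while the block removed in `@@ -19,18 +21,6 @@` treated that value as a number of days, validated it and converted it to milliseconds with a 2-day default. If deployments still configure the value in days as that code assumed, express-session and `res.cookie` will now read a value such as `2` as two milliseconds, a string value is not a number at all, and an absent key yields `undefined`, so the session and the auxiliary cookies silently lose their intended lifetime. I would keep a single validated constant near the top of the file and reuse it at all three sites, e.g. `const days = Number.parseInt(mbkautheVar.COOKIE_EXPIRE_TIME, 10);` followed by `const COOKIE_EXPIRE_TIME = Number.isFinite(days) && days > 0 ? days * 24 * 60 * 60 * 1000 : 2 * 24 * 60 * 60 * 1000;`. Separately, the limiter's `skip` callback in `@@ -48,6 +38,16 @@` dereferences `req.session.user` unconditionally; that only holds if the session middleware is mounted before the login route (not visible here), so `return !!req.session?.user;` avoids a TypeError turning every login attempt into a 500, and since `proxy: true` indicates a reverse proxy, the limiter's per-IP keying should be checked against the app's trust-proxy setting or it will bucket all clients under the proxy address.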
@@ -3,7 +3,7 @@ const mbkautheVar = JSON.parse(process.env.mbkautheVar);
3
3
 
4
4
  // Get consistent cookie options
5
5
  const getCookieOptions = () => ({
6
- maxAge: COOKIE_EXPIRE_TIME,
6
+ maxAge: mbkautheVar.COOKIE_EXPIRE_TIME,
7
7
  domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
8
8
  secure: mbkautheVar.IS_DEPLOYED === 'true' ? 'auto' : false,
9
9
  sameSite: 'lax',
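--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "mbkauthe",
-"version": "1.0.21",
+"version": "1.0.23",
 "description": "MBKTechStudio's reusable authentication system for Node.js applications.",
 "main": "index.js",
 "type": "module",
@@ -26,12 +26,14 @@
 },
 "homepage": "https://github.com/MIbnEKhalid/mbkauthe#readme",
 "dependencies": {
+"bcrypt": "^5.1.1",
 "connect-pg-simple": "^10.0.0",
 "cookie-parser": "^1.4.7",
 "dotenv": "^16.4.7",
 "express": "^5.1.0",
+"express-rate-limit": "^7.5.0",
 "express-session": "^1.18.1",
 "node-fetch": "^3.3.2",
 "pg": "^8.14.1"
 }
-}
+}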