mbkauthe 1.0.22 → 1.0.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/lib/main.js +14 -15
  2. package/lib/validateSessionAndRole.js +1 -1
  3. package/package.json +2 -1
  4. package/.github/workflows/apisec-scan.yml +0 -71
package/lib/main.js CHANGED
@@ -8,6 +8,7 @@ import { authenticate } from "./validateSessionAndRole.js";
8
8
  import fetch from 'node-fetch';
9
9
  import cookieParser from "cookie-parser";
10
10
  import bcrypt from 'bcrypt';
11
+ import rateLimit from 'express-rate-limit';
11
12
 
12
13
  import { createRequire } from "module";
13
14
  const require = createRequire(import.meta.url);
@@ -20,18 +21,6 @@ dotenv.config();
20
21
  const mbkautheVar = JSON.parse(process.env.mbkautheVar);
21
22
 
22
23
  const router = express.Router();
23
- let COOKIE_EXPIRE_TIME = 2 * 24 * 60 * 60 * 1000; // 2 days
24
-
25
- try {
26
- const parsedExpireTime = parseInt(mbkautheVar.COOKIE_EXPIRE_TIME, 10);
27
- if (!isNaN(parsedExpireTime) && parsedExpireTime > 0) {
28
- COOKIE_EXPIRE_TIME = parsedExpireTime * 24 * 60 * 60 * 1000;
29
- } else {
30
- console.warn("Invalid COOKIE_EXPIRE_TIME, using default value");
31
- }
32
- } catch (error) {
33
- console.log("Error parsing COOKIE_EXPIRE_TIME:", error);
34
- }
35
24
 
36
25
  // Enable CORS for subdomains
37
26
  router.use((req, res, next) => {
@@ -49,6 +38,16 @@ router.use(express.json());
49
38
  router.use(express.urlencoded({ extended: true }));
50
39
  router.use(cookieParser());
51
40
 
41
+ // Add rate limiting for sensitive operations
42
+ const LoginLimit = rateLimit({
43
+ windowMs: 1 * 60 * 1000,
44
+ max: 15,
45
+ message: 'Too many attempts, please try again later',
46
+ skip: (req) => {
47
+ return !!req.session.user;
48
+ }
49
+ });
50
+
52
51
  // Configure session with proper domain settings for cross-subdomain sharing
53
52
  const sessionConfig = {
54
53
  store: new PgSession({
@@ -61,7 +60,7 @@ const sessionConfig = {
61
60
  saveUninitialized: false,
62
61
  proxy: true, // Trust the reverse proxy
63
62
  cookie: {
64
- maxAge: COOKIE_EXPIRE_TIME,
63
+ maxAge: mbkautheVar.COOKIE_EXPIRE_TIME,
65
64
  domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
66
65
  httpOnly: true,
67
66
  secure: mbkautheVar.IS_DEPLOYED === 'true' ? 'auto' : false, // 'auto' respects X-Forwarded-Proto
@@ -98,7 +97,7 @@ router.use(async (req, res, next) => {
98
97
 
99
98
  // Set consistent cookie options for all cookies
100
99
  const getCookieOptions = () => ({
101
- maxAge: COOKIE_EXPIRE_TIME,
100
+ maxAge: mbkautheVar.COOKIE_EXPIRE_TIME,
102
101
  domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
103
102
  secure: mbkautheVar.IS_DEPLOYED === 'true' ? 'auto' : false,
104
103
  sameSite: 'lax',
@@ -144,7 +143,7 @@ router.post("/mbkauthe/api/terminateAllSessions", authenticate(mbkautheVar.Main_
144
143
  }
145
144
  });
146
145
 
147
- router.post("/mbkauthe/api/login", async (req, res) => {
146
+ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
148
147
  console.log("Login request received");
149
148
 
150
149
  const { username, password, token, recaptcha } = req.body;
package/lib/validateSessionAndRole.js CHANGED
@@ -3,7 +3,7 @@ const mbkautheVar = JSON.parse(process.env.mbkautheVar);
3
3
 
4
4
  // Get consistent cookie options
5
5
  const getCookieOptions = () => ({
6
- maxAge: COOKIE_EXPIRE_TIME,
6
+ maxAge: mbkautheVar.COOKIE_EXPIRE_TIME,
7
7
  domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
8
8
  secure: mbkautheVar.IS_DEPLOYED === 'true' ? 'auto' : false,
9
9
  sameSite: 'lax',
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "mbkauthe",
3
- "version": "1.0.22",
3
+ "version": "1.0.23",
4
4
  "description": "MBKTechStudio's reusable authentication system for Node.js applications.",
5
5
  "main": "index.js",
6
6
  "type": "module",
@@ -31,6 +31,7 @@
31
31
  "cookie-parser": "^1.4.7",
32
32
  "dotenv": "^16.4.7",
33
33
  "express": "^5.1.0",
34
+ "express-rate-limit": "^7.5.0",
34
35
  "express-session": "^1.18.1",
35
36
  "node-fetch": "^3.3.2",
36
37
  "pg": "^8.14.1"
package/.github/workflows/apisec-scan.yml DELETED
@@ -1,71 +0,0 @@
1
- # This workflow uses actions that are not certified by GitHub.
2
- # They are provided by a third-party and are governed by
3
- # separate terms of service, privacy policy, and support
4
- # documentation.
5
-
6
- # APIsec addresses the critical need to secure APIs before they reach production.
7
- # APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs.
8
- # Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.
9
-
10
- # How to Get Started with APIsec.ai
11
- # 1. Schedule a demo at https://www.apisec.ai/request-a-demo .
12
- #
13
- # 2. Register your account at https://cloud.apisec.ai/#/signup .
14
- #
15
- # 3. Register your API . See the video (https://www.youtube.com/watch?v=MK3Xo9Dbvac) to get up and running with APIsec quickly.
16
- #
17
- # 4. Get GitHub Actions scan attributes from APIsec Project -> Configurations -> Integrations -> CI-CD -> GitHub Actions
18
- #
19
- # apisec-run-scan
20
- #
21
- # This action triggers the on-demand scans for projects registered in APIsec.
22
- # If your GitHub account allows code scanning alerts, you can then upload the sarif file generated by this action to show the scan findings.
23
- # Else you can view the scan results from the project home page in APIsec Platform.
24
- # The link to view the scan results is also displayed on the console on successful completion of action.
25
-
26
- # This is a starter workflow to help you get started with APIsec-Scan Actions
27
-
28
- name: APIsec
29
-
30
- # Controls when the workflow will run
31
- on:
32
- # Triggers the workflow on push or pull request events but only for the "main" branch
33
- # Customize trigger events based on your DevSecOps processes.
34
- push:
35
- branches: [ "main" ]
36
- pull_request:
37
- branches: [ "main" ]
38
- schedule:
39
- - cron: '44 15 * * 0'
40
-
41
- # Allows you to run this workflow manually from the Actions tab
42
- workflow_dispatch:
43
-
44
-
45
- permissions:
46
- contents: read
47
-
48
- jobs:
49
-
50
- Trigger_APIsec_scan:
51
- permissions:
52
- security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
53
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
54
- runs-on: ubuntu-latest
55
-
56
- steps:
57
- - name: APIsec scan
58
- uses: apisec-inc/apisec-run-scan@025432089674a28ba8fb55f8ab06c10215e772ea
59
- with:
60
- # The APIsec username with which the scans will be executed
61
- apisec-username: ${{ secrets.apisec_username }}
62
- # The Password of the APIsec user with which the scans will be executed
63
- apisec-password: ${{ secrets.apisec_password}}
64
- # The name of the project for security scan
65
- apisec-project: "VAmPI"
66
- # The name of the sarif format result file The file is written only if this property is provided.
67
- sarif-result-file: "apisec-results.sarif"
68
- - name: Import results
69
- uses: github/codeql-action/upload-sarif@v3
70
- with:
71
- sarif_file: ./apisec-results.sarif