mbkauthe 1.0.23 → 1.0.25
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/main.js +95 -9
- package/lib/validateSessionAndRole.js +1 -1
- package/package.json +5 -2
- package/vercel.json +15 -0
package/lib/main.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import express from "express";
|
|
1
|
+
import express, { json } from "express";
|
|
2
2
|
import crypto from "crypto";
|
|
3
3
|
import session from "express-session";
|
|
4
4
|
import pgSession from "connect-pg-simple";
|
|
@@ -41,13 +41,43 @@ router.use(cookieParser());
|
|
|
41
41
|
// Add rate limiting for sensitive operations
|
|
42
42
|
const LoginLimit = rateLimit({
|
|
43
43
|
windowMs: 1 * 60 * 1000,
|
|
44
|
-
max:
|
|
45
|
-
message:
|
|
44
|
+
max: 8,
|
|
45
|
+
message: { success: false, message: "Too many attempts, please try again later" },
|
|
46
46
|
skip: (req) => {
|
|
47
47
|
return !!req.session.user;
|
|
48
48
|
}
|
|
49
49
|
});
|
|
50
50
|
|
|
51
|
+
router.use((req, res, next) => {
|
|
52
|
+
// Don't allow embedding in iframes
|
|
53
|
+
res.setHeader('X-Frame-Options', 'DENY');
|
|
54
|
+
|
|
55
|
+
// Prevent MIME type sniffing
|
|
56
|
+
res.setHeader('X-Content-Type-Options', 'nosniff');
|
|
57
|
+
|
|
58
|
+
// Enable XSS protection
|
|
59
|
+
res.setHeader('X-XSS-Protection', '1; mode=block');
|
|
60
|
+
|
|
61
|
+
// Referrer policy
|
|
62
|
+
res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
|
|
63
|
+
|
|
64
|
+
// Content Security Policy
|
|
65
|
+
const csp = [
|
|
66
|
+
"default-src 'self'",
|
|
67
|
+
"script-src 'self' 'unsafe-inline' https://www.google.com https://www.gstatic.com",
|
|
68
|
+
"style-src 'self' 'unsafe-inline'",
|
|
69
|
+
"img-src 'self' data:",
|
|
70
|
+
"connect-src 'self' https://www.google.com",
|
|
71
|
+
"frame-src https://www.google.com",
|
|
72
|
+
"form-action 'self'"
|
|
73
|
+
].join('; ');
|
|
74
|
+
|
|
75
|
+
res.setHeader('Content-Security-Policy', csp);
|
|
76
|
+
|
|
77
|
+
next();
|
|
78
|
+
});
|
|
79
|
+
|
|
80
|
+
|
|
51
81
|
// Configure session with proper domain settings for cross-subdomain sharing
|
|
52
82
|
const sessionConfig = {
|
|
53
83
|
store: new PgSession({
|
|
@@ -60,7 +90,7 @@ const sessionConfig = {
|
|
|
60
90
|
saveUninitialized: false,
|
|
61
91
|
proxy: true, // Trust the reverse proxy
|
|
62
92
|
cookie: {
|
|
63
|
-
maxAge: mbkautheVar.COOKIE_EXPIRE_TIME,
|
|
93
|
+
maxAge: mbkautheVar.COOKIE_EXPIRE_TIME * 24 * 60 * 60 * 1000,
|
|
64
94
|
domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
|
|
65
95
|
httpOnly: true,
|
|
66
96
|
secure: mbkautheVar.IS_DEPLOYED === 'true' ? 'auto' : false, // 'auto' respects X-Forwarded-Proto
|
|
@@ -97,7 +127,7 @@ router.use(async (req, res, next) => {
|
|
|
97
127
|
|
|
98
128
|
// Set consistent cookie options for all cookies
|
|
99
129
|
const getCookieOptions = () => ({
|
|
100
|
-
maxAge: mbkautheVar.COOKIE_EXPIRE_TIME,
|
|
130
|
+
maxAge: mbkautheVar.COOKIE_EXPIRE_TIME * 24 * 60 * 60 * 1000,
|
|
101
131
|
domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
|
|
102
132
|
secure: mbkautheVar.IS_DEPLOYED === 'true' ? 'auto' : false,
|
|
103
133
|
sameSite: 'lax',
|
|
@@ -324,13 +354,69 @@ router.post("/mbkauthe/api/logout", async (req, res) => {
|
|
|
324
354
|
});
|
|
325
355
|
|
|
326
356
|
// Return package.json data of mbkauthe
|
|
327
|
-
router.get("/mbkauthe/package", (_, res) => {
|
|
328
|
-
|
|
357
|
+
router.get("/mbkauthe/package", async (_, res) => {
|
|
358
|
+
try {
|
|
359
|
+
const response = await fetch("https://mbkauthe.mbktechstudio.com/mbkauthe/package");
|
|
360
|
+
const latestPackageData = await response.json();
|
|
361
|
+
res.status(200).send(`
|
|
362
|
+
<html>
|
|
363
|
+
<head>
|
|
364
|
+
<title>Package Information</title>
|
|
365
|
+
</head>
|
|
366
|
+
<body>
|
|
367
|
+
<h1>Package Information</h1>
|
|
368
|
+
<p><strong>Current Version:</strong> ${JSON.stringify(packageJson, null, 2)}</p>
|
|
369
|
+
<p><strong>Latest Version:</strong> ${JSON.stringify(latestPackageData, null, 2)}</p>
|
|
370
|
+
</body>
|
|
371
|
+
</html>
|
|
372
|
+
`);
|
|
373
|
+
} catch (err) {
|
|
374
|
+
res.status(200).send(`
|
|
375
|
+
<html>
|
|
376
|
+
<head>
|
|
377
|
+
<title>Package Information</title>
|
|
378
|
+
</head>
|
|
379
|
+
<body>
|
|
380
|
+
<h1>Package Information</h1>
|
|
381
|
+
<p><strong>Current Version:</strong> ${JSON.stringify(packageJson, null, 2)}</p>
|
|
382
|
+
<p><strong>Latest Version:</strong> Failed to fetch latest package data, Erro:${err.message}</p>
|
|
383
|
+
</body>
|
|
384
|
+
</html>
|
|
385
|
+
`);
|
|
386
|
+
}
|
|
329
387
|
});
|
|
330
388
|
|
|
331
389
|
// Return version number of mbkauthe
|
|
332
|
-
router.get(["/mbkauthe/version", "/mbkauthe/v"], (_, res) => {
|
|
333
|
-
|
|
390
|
+
router.get(["/mbkauthe/version", "/mbkauthe/v"], async(_, res) => {
|
|
391
|
+
try {
|
|
392
|
+
const response = await fetch("https://mbkauthe.mbktechstudio.com/mbkauthe/version");
|
|
393
|
+
const latestPackageData = await response.json();
|
|
394
|
+
res.status(200).send(`
|
|
395
|
+
<html>
|
|
396
|
+
<head>
|
|
397
|
+
<title>Version Information</title>
|
|
398
|
+
</head>
|
|
399
|
+
<body>
|
|
400
|
+
<h1>Package Information</h1>
|
|
401
|
+
<p><strong>Current Version:</strong> ${JSON.stringify(packageJson.version, null, 2)}</p>
|
|
402
|
+
<p><strong>Latest Version:</strong> ${JSON.stringify(latestPackageData, null, 2)}</p>
|
|
403
|
+
</body>
|
|
404
|
+
</html>
|
|
405
|
+
`);
|
|
406
|
+
} catch (err) {
|
|
407
|
+
res.status(200).send(`
|
|
408
|
+
<html>
|
|
409
|
+
<head>
|
|
410
|
+
<title>Package Information</title>
|
|
411
|
+
</head>
|
|
412
|
+
<body>
|
|
413
|
+
<h1>Package Information</h1>
|
|
414
|
+
<p><strong>Current Version:</strong> ${JSON.stringify(packageJson.version, null, 2)}</p>
|
|
415
|
+
<p><strong>Latest Version:</strong> Failed to fetch latest package data, Erro:${err.message}</p>
|
|
416
|
+
</body>
|
|
417
|
+
</html>
|
|
418
|
+
`);
|
|
419
|
+
}
|
|
334
420
|
});
|
|
335
421
|
|
|
336
422
|
// Return package-lock.json data of mbkauthe from project the package is installed in
|
|
@@ -3,7 +3,7 @@ const mbkautheVar = JSON.parse(process.env.mbkautheVar);
|
|
|
3
3
|
|
|
4
4
|
// Get consistent cookie options
|
|
5
5
|
const getCookieOptions = () => ({
|
|
6
|
-
maxAge: mbkautheVar.COOKIE_EXPIRE_TIME,
|
|
6
|
+
maxAge: mbkautheVar.COOKIE_EXPIRE_TIME * 24 * 60 * 60 * 1000,
|
|
7
7
|
domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
|
|
8
8
|
secure: mbkautheVar.IS_DEPLOYED === 'true' ? 'auto' : false,
|
|
9
9
|
sameSite: 'lax',
|
package/package.json
CHANGED
|
@@ -1,11 +1,11 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "mbkauthe",
|
|
3
|
-
"version": "1.0.
|
|
3
|
+
"version": "1.0.25",
|
|
4
4
|
"description": "MBKTechStudio's reusable authentication system for Node.js applications.",
|
|
5
5
|
"main": "index.js",
|
|
6
6
|
"type": "module",
|
|
7
7
|
"scripts": {
|
|
8
|
-
"test": "set test=true&&
|
|
8
|
+
"test": "set test=true&& nodemon index.js"
|
|
9
9
|
},
|
|
10
10
|
"repository": {
|
|
11
11
|
"type": "git",
|
|
@@ -35,5 +35,8 @@
|
|
|
35
35
|
"express-session": "^1.18.1",
|
|
36
36
|
"node-fetch": "^3.3.2",
|
|
37
37
|
"pg": "^8.14.1"
|
|
38
|
+
},
|
|
39
|
+
"devDependencies": {
|
|
40
|
+
"nodemon": "^2.0.22"
|
|
38
41
|
}
|
|
39
42
|
}
|