mbkauthe 1.0.3 → 1.0.5

package/README.md

@@ -1 +1,121 @@
-# mbkauthe
+# mbkauthe
+
+[![Publish to npm](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/publish.yml/badge.svg?branch=main)](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/publish.yml) [![CodeQL Advanced](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/codeql.yml/badge.svg?branch=main)](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/codeql.yml)
+
+## Table of Contents
+
+- [Introduction](#mbkauth)
+- [Features](#features)
+- [Installation](#installation)
+- [Usage](#usage)
+  - [Basic Setup](#basic-setup)
+- [API Endpoints](#api-endpoints)
+  - [Login](#login)
+  - [Logout](#logout)
+  - [Terminate All Sessions](#terminate-all-sessions)
+- [Database Structure](#database-structure)
+- [License](#license)
+- [Contact & Support](#contact--support)
+
+`mbkAuthe` is a reusable authentication system for Node.js applications, designed to simplify session management, user authentication, and role-based access control. It integrates seamlessly with PostgreSQL and supports features like Two-Factor Authentication (2FA), session restoration, and reCAPTCHA verification.
+
+## Features
+
+- **Session Management**: Secure session handling using `express-session` and `connect-pg-simple`.
+- **Role-Based Access Control**: Validate user roles and permissions with ease.
+- **Two-Factor Authentication (2FA)**: Optional 2FA support for enhanced security.
+- **reCAPTCHA Integration**: Protect login endpoints with Google reCAPTCHA.
+- **Cookie Management**: Configurable cookie expiration and domain settings.
+- **PostgreSQL Integration**: Uses a connection pool for efficient database interactions.
+
+## Installation
+
+Install the package via npm:
+
+```bash
+npm install mbkauthe
+```
+
+## Usage
+### Basic Setup
+1. Import and configure the router in your Express application:
+```javascript
+import express from "express";
+import mbkAuthRouter from "mbkauthe";
+
+const app = express();
+
+app.use(mbkAuthRouter);
+
+app.listen(3000, () => {
+  console.log("Server is running on port 3000");
+});
+```
+2. Ensure your ``.env` file is properly configured. Refer to the [Configuration Guide(env.md)](env.md) for details.
+
+Example `.env` file:
+```code
+RECAPTCHA_SECRET_KEY=your-recaptcha-secret-key
+SESSION_SECRET_KEY=your-session-secret-key
+LOGIN_DB=postgres://username:password@host:port/database
+DOMAIN=yourdomain.com
+IS_DEPLOYED=true
+MBKAUTH_TWO_FA_ENABLE=false
+COOKIE_EXPIRE_TIME=2
+```
+
+## API Endpoints
+
+### Login
+
+**POST** `/mbkauth/api/login`
+- Request Body:
+  - `username`: User's username.
+  - `password`: User's password.
+  - `token`: (Optional) 2FA token.
+  - `recaptcha`: reCAPTCHA response.
+
+- Response:
+  - `200`: Login successful.
+  - `400`: Missing or invalid input.
+  - `401`: Unauthorized (e.g., invalid credentials or 2FA token).
+  - `500`: Internal server error.
+
+### Logout
+
+**POST** `/mbkauth/api/logout`
+- Response:
+  - `200`: Login successful.
+  - `400`: User not logged in.
+  - `500`: Internal server error.
+
+### Terminate All Sessions
+
+**POST** `/mbkauth/api/terminateAllSessions`
+- Authentication: Requires a valid `Main_SECRET_TOKEN` in the `Authorization` header.
+- Response:
+  - `200`: All sessions terminated successfully.
+  - `500`: Internal server error.
+  - 
+  
+
+## Database Structure
+
+This project utilizes three primary tables:
+
+1. **User**: Stores the main user information.
+2. **sess**: Contains session-related data for users.
+3. **TwoFA**: Saves the Two-Factor Authentication (2FA) secrets for users.
+
+For detailed information about table columns, schema, and queries to create these tables, refer to the [Database Guide (docs/db.md)](docs/db.md).
+
+## License
+This project is licensed under the `Mozilla Public License 2.0`. See the [LICENSE](./LICENSE) file for details.
+
+
+
+## Contact & Support
+
+For questions or contributions, please contact Muhammad Bin Khalid at [mbktechstudio.com/Support](https://mbktechstudio.com/Support/), [support@mbktechstudio.com](mailto:support@mbktechstudio.com) or [chmuhammadbinkhalid28.com](mailto:chmuhammadbinkhalid28.com). 
+
+**Developed by [Muhammad Bin Khalid](https://github.com/MIbnEKhalid)**

package/docs/db.md

@@ -0,0 +1,90 @@
+## Database structure
+
+[<- Back](README.md)
+
+## Table of Contents
+
+1. [Users Table](#users-table)
+2. [Session Table](#session-table)
+3. [Two-Factor Authentication Table](#two-factor-authentication-table)
+4. [Query to Add a User](#query-to-add-a-user)
+
+
+### Users Table
+
+- **Columns:**
+
+  - `id` (INTEGER, auto-increment, primary key): Unique identifier for each user.
+  - `UserName` (TEXT): The username of the user.
+  - `Password` (TEXT): The hashed password of the user.
+  - `Role` (ENUM): The role of the user. Possible values: `SuperAdmin`, `NormalUser`, `Guest`.
+  - `Active` (BOOLEAN): Indicates whether the user account is active.
+  - `HaveMailAccount` (BOOLEAN)(optional): Indicates if the user has a linked mail account.
+  - `SessionId` (TEXT): The session ID associated with the user.
+  - `GuestRole` (JSONB): Stores additional guest-specific role information in binary JSON format.
+
+- **Schema:**
+  ```sql
+  CREATE TABLE "Users" (
+      id INTEGER PRIMARY KEY GENERATED ALWAYS AS IDENTITY,
+      "UserName" TEXT NOT NULL,
+      "Password" TEXT NOT NULL,
+      "Role" TEXT CHECK("Role" IN ('SuperAdmin', 'NormalUser', 'Guest')) NOT NULL DEFAULT 'NormalUser'::text,
+      "Active" BOOLEAN NOT NULL DEFAULT true,
+      "HaveMailAccount" BOOLEAN NOT NULL DEFAULT false,
+      "SessionId" TEXT,
+      "GuestRole" JSONB DEFAULT '{"allowPages": [""], "NotallowPages": [""]}'::jsonb
+  );
+  ```
+
+### Session Table
+
+- **Columns:**
+
+  - `sid` (VARCHAR, primary key): Unique session identifier.
+  - `sess` (JSON): Session data stored in JSON format.
+  - `expire` (TIMESTAMP): Expiration timestamp for the session.
+
+- **Schema:**
+  ```sql
+  CREATE TABLE session (
+          sid VARCHAR PRIMARY KEY,
+          sess JSON NOT NULL,
+          expire TIMESTAMP NOT NULL
+  );
+  ```
+
+### Two-Factor Authentication Table
+
+- **Columns:**
+
+  - `UserName` (TEXT): The username of the user.
+  - `TwoFAStatus` (TEXT): The status of two-factor authentication (e.g., enabled, disabled).
+  - `TwoFASecret` (TEXT): The secret key used for two-factor authentication.
+
+- **Schema:**
+  ```sql
+  CREATE TABLE "TwoFA" (
+          "UserName" TEXT NOT NULL PRIMARY KEY,
+          "TwoFAStatus" TEXT NOT NULL DEFAULT false,
+          "TwoFASecret" TEXT NOT NULL
+  );
+  ```
+
+### Query to Add a User
+
+To add new users to the `Users` table, use the following SQL queries:
+
+```sql
+        INSERT INTO "Users" ("UserName", "Password", "Role", "Active", "HaveMailAccount", "SessionId", "GuestRole")
+        VALUES ('support', '12345678', 'SuperAdmin', true, false, NULL, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);
+
+        INSERT INTO "Users" ("UserName", "Password", "Role", "Active", "HaveMailAccount", "SessionId", "GuestRole")
+        VALUES ('test', '12345678', 'NormalUser', true, false, NULL, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);
+```
+
+- Replace `support` and `test` with the desired usernames.
+- Replace `12345678` with the actual passwords.
+- Adjust the `Role` values as needed (`SuperAdmin`, `NormalUser`, or `Guest`).
+- Modify the `Active` and `HaveMailAccount` values as required.
+- Update the `GuestRole` JSON object if specific permissions are required(this functionality is under construction).

package/env.md

@@ -0,0 +1,55 @@
+# Configuration Guide
+
+[<- Back](README.md)
+
+## reCAPTCHA Settings
+```properties
+RECAPTCHA_SECRET_KEY=123
+```
+> Note: Obtain your secret key from Google reCAPTCHA Admin Console.
+
+
+## Session Settings
+```properties
+SESSION_SECRET_KEY=123
+IS_DEPLOYED=true
+DOMAIN=mbktechstudio.com
+```
+> **SESSION_SECRET_KEY**: Generate a secure key using [Generate Secret](https://generate-secret.vercel.app/32).
+
+> **IS_DEPLOYED**:
+
+> - `true`: For deployed environments. Sessions are shared across all subDOMAINs of `.mbktechstudio.com` or the DOMAIN specified in `DOMAIN`.
+
+> - `false`: For local development.
+
+> - Important: If set to `true`, login functionality will not work on `localhost`. Use a valid DOMAIN for proper operation.
+
+> **DOMAIN**:
+
+> - Set `DOMAIN` to your DOMAIN
+
+> - If you don't have a DOMAIN, set `IS_DEPLOYED=false`.
+
+
+## Database Settings
+
+```properties
+LOGIN_DB=postgresql://username:password@server.DOMAIN/db_name
+```
+> Replace the placeholder with your PostgreSQL connection string.
+
+
+## Two-Factor Authentication (2FA)
+```properties
+MBKAUTH_TWO_FA_ENABLE=false
+```
+> MBKAUTH_TWO_FA_ENABLE: Set to `true` to enable Two-Factor Authentication.
+
+
+## Cookie Settings
+
+```properties
+COOKIE_EXPIRE_TIME=5
+```
+> Cookie expiration time in days. Default is `2 days`.

package/index.js

@@ -1,6 +1,6 @@
-import router from "./lib/main.js";
 import dotenv from "dotenv";
-import Joi from "joi"; 
+import Joi from "joi";
+import router from "./lib/main.js";
 dotenv.config();
 
 const envSchema = Joi.object({
@@ -17,7 +17,7 @@ const { error } = envSchema.validate(process.env);
 if (error) {
     throw new Error(`Environment variable validation error: ${error.message}`);
 }
-
-console.log("Hello, World!");
-
+export { validateSession, checkRolePermission, validateSessionAndRole, getUserData } from "./lib/validateSessionAndRole.js";
+export { authenticate } from "./lib/auth.js";
+export { dblogin } from "./lib/pool.js";
 export default router;

package/lib/auth.js

@@ -0,0 +1,13 @@
+export const authenticate = (authentication) => {
+    return (req, res, next) => {
+      const token = req.headers["authorization"];
+      console.log(`Received token: ${token}`);
+      if (token === authentication) {
+        console.log("Authentication successful");
+        next();
+      } else {
+        console.log("Authentication failed");
+        res.status(401).send("Unauthorized");
+      }
+    };
+  };

package/lib/main.js

@@ -1,9 +1,319 @@
-import express from 'express';
+import express from "express";
+import crypto from "crypto";
+import session from "express-session";
+import pgSession from "connect-pg-simple";
+const PgSession = pgSession(session);
+import dotenv from "dotenv";
+import { dblogin } from "./pool.js";
+import { authenticate } from "./auth.js";
+import fetch from 'node-fetch';
+import cookieParser from "cookie-parser"; // Import cookie-parser
 
+dotenv.config();
 const router = express.Router();
+let COOKIE_EXPIRE_TIME = 2 * 24 * 60 * 60 * 1000; //2 days
 
-router.get('/mbkauthe/', (req, res) => {
-    res.send('Welcome to the main page!');
+try {
+  const parsedExpireTime = parseInt(process.env.COOKIE_EXPIRE_TIME, 10);
+  if (!isNaN(parsedExpireTime) && parsedExpireTime > 0) {
+    COOKIE_EXPIRE_TIME = parsedExpireTime * 24 * 60 * 60 * 1000; // Convert days to milliseconds
+  } else {
+    console.warn("Invalid COOKIE_EXPIRE_TIME in environment variables, using default value");
+  }
+  console.log(`Cookie expiration time set to ${COOKIE_EXPIRE_TIME} days for deployed environment`);
+} catch (error) {
+  console.log("Error parsing COOKIE_EXPIRE_TIME:", error);
+}
+
+router.use(express.json());
+router.use(express.urlencoded({ extended: true }));
+
+router.use(
+  session({
+    store: new PgSession({
+      pool: dblogin, // Connection pool
+      tableName: "session", // Use another table-name than the default "session" one
+    }),
+    secret: process.env.SESSION_SECRET_KEY, // Replace with your secret key
+    resave: false,
+    saveUninitialized: false,
+    cookie: {
+      maxAge: COOKIE_EXPIRE_TIME,
+      DOMAIN: process.env.IS_DEPLOYED === 'true' ? `.${process.env.DOMAIN}` : undefined, // Use root DOMAIN for subDOMAIN sharing
+      httpOnly: true,
+      secure: process.env.IS_DEPLOYED === 'true', // Use secure cookies in production
+    },
+  })
+);
+
+
+
+router.use(cookieParser()); // Use cookie-parser middleware
+
+router.use((req, res, next) => {
+  if (req.session && req.session.user) {
+    const userAgent = req.headers["user-agent"];
+    const userIp =
+      req.headers["x-forwarded-for"] || req.connection.remoteAddress;
+    const formattedIp = userIp === "::1" ? "127.0.0.1" : userIp;
+
+    req.session.otherInfo = {
+      ip: formattedIp,
+      browser: userAgent,
+    };
+
+    next();
+  } else {
+    next();
+  }
+});
+
+// Save the username in a cookie, the cookie user name is use
+// for displaying user name in profile menu. This cookie is not use anyelse where.
+// So it is safe to use.
+router.use(async (req, res, next) => {
+  if (req.session && req.session.user) {
+    try {
+
+      res.cookie("username", req.session.user.username, {
+        maxAge: COOKIE_EXPIRE_TIME,
+      });
+
+      const query = `SELECT "Role" FROM "Users" WHERE "UserName" = $1`;
+      const result = await dblogin.query(query, [req.session.user.username]);
+
+      if (result.rows.length > 0) {
+        req.session.user.role = result.rows[0].Role;
+        res.cookie("userRole", req.session.user.role, {
+          maxAge: COOKIE_EXPIRE_TIME,
+        });
+      } else {
+        req.session.user.role = null;
+      }
+    } catch (error) {
+      console.log("Error fetching user role:", error.message);
+      req.session.user.role = null; // Fallback to null role
+    }
+  }
+  next();
+});
+
+router.use(async (req, res, next) => {
+  // Check for sessionId cookie if session is not initialized
+  if (!req.session.user && req.cookies && req.cookies.sessionId) {
+    console.log("Restoring session from sessionId cookie"); // Log session restoration
+    const sessionId = req.cookies.sessionId;
+    const query = `SELECT * FROM "Users" WHERE "SessionId" = $1`;
+    const result = await dblogin.query(query, [sessionId]);
+
+    if (result.rows.length > 0) {
+      const user = result.rows[0];
+      req.session.user = {
+        id: user.id,
+        username: user.UserName,
+        sessionId,
+      };
+      console.log(`Session restored for user: ${user.UserName}`); // Log successful session restoration
+    } else {
+      console.warn("No matching session found for sessionId"); // Log if no session is found
+    }
+  }
+  next();
+});
+
+//Invoke-RestMethod -Uri http://localhost:3030/terminateAllSessions -Method POST
+// Terminate all sessions route
+router.post("/mbkauthe/api/terminateAllSessions", authenticate(process.env.Main_SECRET_TOKEN), async (req, res) => {
+  try {
+    await dblogin.query(`UPDATE "Users" SET "SessionId" = NULL`);
+
+    // Clear the session table
+    await dblogin.query('DELETE FROM "session"');
+
+    // Destroy all sessions on the server
+    req.session.destroy((err) => {
+      if (err) {
+        console.log("Error destroying session:", err);
+        return res
+          .status(500)
+          .json({ success: false, message: "Failed to terminate sessions" });
+      }
+      console.log("All sessions terminated successfully");
+      res.status(200).json({
+        success: true,
+        message: "All sessions terminated successfully",
+      });
+    });
+  } catch (err) {
+    console.log("Database query error during session termination:", err);
+    res
+      .status(500)
+      .json({ success: false, message: "Internal Server Error" });
+  }
+}
+);
+
+router.post("/mbkauthe/api/login", async (req, res) => {
+  console.log("Login request received"); // Log when login is initiated
+
+  const { username, password, token, recaptcha } = req.body;
+  console.log(`Login attempt for username: ${username}`); // Log username
+
+  const secretKey = process.env.RECAPTCHA_SECRET_KEY;
+  const verificationUrl = `https://www.google.com/recaptcha/api/siteverify?secret=${secretKey}&response=${recaptcha}`;
+
+  // Bypass recaptcha for specific users
+  if (username !== "ibnekhalid" && username !== "maaz.waheed" && username !== "support") {
+    try {
+      const response = await fetch(verificationUrl, { method: 'POST' });
+      const body = await response.json();
+      console.log("reCAPTCHA verification response:", body); // Log reCAPTCHA response
+
+      if (!body.success) {
+        console.log("Failed reCAPTCHA verification");
+        return res.status(400).json({ success: false, message: "Failed reCAPTCHA verification" });
+      }
+    } catch (err) {
+      console.log("Error during reCAPTCHA verification:", err);
+      return res.status(500).json({ success: false, message: "Internal Server Error" });
+    }
+  }
+
+  if (!username || !password) {
+    console.log("Missing username or password");
+    return res.status(400).json({
+      success: false,
+      message: "Username and password are required",
+    });
+  }
+
+  console.log("RECAPTCHA_SECRET_KEY:", process.env.RECAPTCHA_SECRET_KEY); // Log reCAPTCHA secret key
+  console.log("SESSION_SECRET_KEY:", process.env.SESSION_SECRET_KEY); // Log reCAPTCHA secret key
+  console.log("LOGIN_DB:", process.env.LOGIN_DB); // Log reCAPTCHA secret key
+  console.log("COOKIE_EXPIRE_TIME:", process.env.COOKIE_EXPIRE_TIME); // Log reCAPTCHA secret key
+  console.log("DOMAIN:", process.env.DOMAIN); // Log reCAPTCHA secret key
+  console.log("IS_DEPLOYED:", process.env.IS_DEPLOYED); // Log reCAPTCHA secret key
+  console.log("MBKAUTH_TWO_FA_ENABLE:", process.env.MBKAUTH_TWO_FA_ENABLE); // Log reCAPTCHA secret key
+
+  try {
+    // Query to check if the username exists
+    const userQuery = `SELECT * FROM "Users" WHERE "UserName" = $1`;
+    const userResult = await dblogin.query(userQuery, [username]);
+    console.log("User query result:", userResult.rows); // Log user query result
+
+    if (userResult.rows.length === 0) {
+      console.log(`Username does not exist: ${username}`);
+      return res.status(404).json({ success: false, message: "Username does not exist" });
+    }
+
+    const user = userResult.rows[0];
+
+    // Check if the password matches
+    if (user.Password !== password) {
+      console.log(`Incorrect password for username: ${username}`);
+      return res.status(401).json({ success: false, message: "Incorrect password" });
+    }
+
+    // Check if the account is inactive
+    if (!user.Active) {
+      console.log(`Inactive account for username: ${username}`);
+      return res.status(403).json({ success: false, message: "Account is inactive" });
+    }
+
+    if ((process.env.MBKAUTH_TWO_FA_ENABLE || "").toLocaleLowerCase() === "true") {
+      let sharedSecret;
+      const query = `SELECT "TwoFAStatus", "TwoFASecret" FROM "TwoFA" WHERE "UserName" = $1`;
+      const twoFAResult = await dblogin.query(query, [username]);
+      console.log("TwoFA query result:", twoFAResult.rows); // Log TwoFA query result
+
+      sharedSecret = twoFAResult.rows[0]?.TwoFASecret;
+      if (twoFAResult.rows.length > 0 && twoFAResult.rows[0].TwoFAStatus && !token) {
+        console.log("2FA code required but not provided");
+        return res.status(401).json({ success: false, message: "Please Enter 2FA code" });
+      }
+
+      if (token && twoFAResult.rows[0]?.TwoFAStatus) {
+        const tokenValidates = speakeasy.totp.verify({
+          secret: sharedSecret,
+          encoding: "base32",
+          token: token,
+          window: 1, // Allows a margin for clock drift, optional
+        });
+
+        if (!tokenValidates) {
+          console.log(`Invalid 2FA code for username: ${username}`);
+          return res.status(401).json({ success: false, message: "Invalid 2FA code" });
+        }
+      }
+    }
+
+    // Generate session ID
+    const sessionId = crypto.randomBytes(256).toString("hex");
+    console.log(`Generated session ID for username: ${username}`); // Log session ID
+
+    await dblogin.query(`UPDATE "Users" SET "SessionId" = $1 WHERE "id" = $2`, [
+      sessionId,
+      user.id,
+    ]);
+
+    // Store session ID in session
+    req.session.user = {
+      id: user.id,
+      username: user.UserName,
+      sessionId,
+    };
+    console.log(`Session stored for user: ${user.UserName}, sessionId: ${sessionId}`); // Log session storage
+
+    // Set a cookie accessible across subDOMAINs
+    res.cookie("sessionId", sessionId, {
+      maxAge: COOKIE_EXPIRE_TIME,
+      DOMAIN: process.env.IS_DEPLOYED === 'true' ? `.${process.env.DOMAIN}` : undefined, // Use DOMAIN only in production
+      httpOnly: true,
+      secure: process.env.IS_DEPLOYED === 'true', // Use secure cookies in production
+    });
+    console.log(`Cookie set for user: ${user.UserName}, sessionId: ${sessionId}`); // Log cookie setting
+
+    console.log(`User "${username}" logged in successfully`);
+    res.status(200).json({
+      success: true,
+      message: "Login successful",
+      sessionId,
+    });
+  } catch (err) {
+    console.log("Error during login process:", err);
+    res.status(500).json({ success: false, message: "Internal Server Error" });
+  }
+});
+
+router.post("/mbkauthe/api/logout", async (req, res) => {
+  if (req.session.user) {
+    try {
+      const { id, username } = req.session.user;
+      const query = `SELECT "Active" FROM "Users" WHERE "id" = $1`;
+      const result = await dblogin.query(query, [id]);
+
+      if (result.rows.length > 0 && !result.rows[0].Active) {
+        console.log("Account is inactive during logout");
+      }
+
+      req.session.destroy((err) => {
+        if (err) {
+          console.log("Error destroying session:", err);
+          return res.status(500).json({ success: false, message: "Logout failed" });
+        }
+        // Clear both session cookies
+        res.clearCookie("connect.sid");
+        res.clearCookie("sessionId"); // Clear the sessionId cookie used for restoration
+        console.log(`User "${username}" logged out successfully`);
+        res.status(200).json({ success: true, message: "Logout successful" });
+      });
+    } catch (err) {
+      console.log("Database query error during logout:", err);
+      res.status(500).json({ success: false, message: "Internal Server Error" });
+    }
+  } else {
+    res.status(400).json({ success: false, message: "Not logged in" });
+  }
 });
 
 export default router;

package/lib/pool.js

@@ -0,0 +1,27 @@
+import pkg from "pg";
+const { Pool } = pkg;
+import dotenv from "dotenv";
+
+dotenv.config();
+
+// PostgreSQL connection pool for pool
+const poolConfig = {
+  connectionString: process.env.LOGIN_DB,
+  ssl: {
+    rejectUnauthorized: true,
+  },
+
+};
+
+export const dblogin = new Pool(poolConfig);
+
+// Test connection for pool
+(async () => {
+  try {
+    const client = await dblogin.connect();
+    console.log("Connected to  PostgreSQL database (pool)!");
+    client.release();
+  } catch (err) {
+    console.error("Database connection error (pool):", err);
+  }
+})();

package/lib/validateSessionAndRole.js

@@ -0,0 +1,152 @@
+import { dblogin } from "./pool.js";
+
+async function validateSession(req, res, next) {
+  if (!req.session.user) {
+    return res.render("templates/Error/NotLoggedIn.handlebars", {
+      currentUrl: req.originalUrl,
+    });
+  }
+
+  try {
+    const { id, sessionId } = req.session.user;
+    const query = `SELECT "SessionId", "Active" FROM "Users" WHERE "id" = $1`;
+    const result = await dblogin.query(query, [id]);
+
+    // Check if user exists and session ID matches
+    if (result.rows.length === 0 || result.rows[0].SessionId !== sessionId) {
+      console.log(
+        `Session invalidated for user \"${req.session.user.username}\"`
+      );
+      req.session.destroy();
+      // ...existing code...
+      return res.render("templates/Error/SessionExpire.handlebars", {
+        currentUrl: req.originalUrl,
+      });
+      // ...existing code...
+    }
+
+    // Check if the user account is inactive
+    if (!result.rows[0].Active) {
+      console.log(
+        `Account is inactive for user \"${req.session.user.username}\"`
+      );
+      req.session.destroy();
+      res.clearCookie("connect.sid");
+      return res.render("templates/Error/AccountInactive.handlebars", {
+        currentUrl: req.originalUrl,
+      });
+    }
+
+    next(); // Proceed if everything is valid
+  } catch (err) {
+    console.error("Session validation error:", err);
+    res.status(500).json({ success: false, message: "Internal Server Error" });
+  }
+}   
+
+const checkRolePermission = (requiredRole) => {
+  return async (req, res, next) => {
+    try {
+      if (!req.session || !req.session.user || !req.session.user.id) {
+        console.log("User not authenticated");
+        console.log(req.session);
+        return res.render("templates/Error/NotLoggedIn.handlebars", {
+          currentUrl: req.originalUrl,
+        });
+      }
+
+      if (requiredRole === "Any" || requiredRole === "any") {
+        return next();
+      }
+
+      const userId = req.session.user.id;
+
+      const query = `SELECT "Role" FROM "Users" WHERE "id" = $1`;
+      const result = await dblogin.query(query, [userId]);
+
+      if (result.rows.length === 0) {
+        return res
+          .status(401)
+          .json({ success: false, message: "User not found" });
+      }
+
+      const userRole = result.rows[0].Role;
+      if (userRole !== requiredRole) {
+        return res.render("templates/Error/AccessDenied.handlebars", {
+          currentRole: userRole,
+          requiredRole: requiredRole,
+        });
+      }
+
+      next();
+    } catch (err) {
+      console.error("Permission check error:", err);
+      res
+        .status(500)
+        .json({ success: false, message: "Internal Server Error" });
+    }
+  };
+}; 
+
+const validateSessionAndRole = (requiredRole) => {
+  return async (req, res, next) => {
+    await validateSession(req, res, async () => {
+      await checkRolePermission(requiredRole)(req, res, next);
+    });
+  };
+};
+
+async function getUserData(UserName, parameters) {
+  try {
+    if (!parameters || parameters.length === 0) {
+      throw new Error("Parameters are required to fetch user data");
+    }
+
+    // Dynamically select fields from Users table based on `parameters`
+    const userFields = [
+      "Password", "UserName", "Role", "Active", "GuestRole", "HaveMailAccount",
+    ];
+    const profileFields = [
+      "FullName", "email", "Image", "ProjectLinks", "SocialAccounts", "Bio",
+    ];
+
+    let userParameters = [];
+    let profileParameters = [];
+
+    if (parameters === "profiledata") {
+      userParameters = userFields.filter(field => field !== "Password");
+      profileParameters = profileFields;
+    } else {
+      userParameters = userFields.filter(field => parameters.includes(field));
+      profileParameters = profileFields.filter(field => parameters.includes(field));
+    }
+
+    // Prepare queries based on required fields
+    let userResult = {};
+    if (userParameters.length > 0) {
+      const userQuery = `SELECT ${userParameters.map(field => `"${field}"`).join(", ")} 
+                         FROM "Users" WHERE "UserName" = $1`;
+      const userQueryResult = await dblogin.query(userQuery, [UserName]);
+      if (userQueryResult.rows.length === 0) return { error: "User not found" };
+      userResult = userQueryResult.rows[0];
+    }
+
+    let profileResult = {};
+    if (profileParameters.length > 0) {
+      const profileQuery = `SELECT ${profileParameters.map(field => `"${field}"`).join(", ")} 
+                            FROM profiledata WHERE "UserName" = $1`;
+      const profileQueryResult = await dblogin.query(profileQuery, [UserName]);
+      if (profileQueryResult.rows.length === 0) return { error: "Profile data not found" };
+      profileResult = profileQueryResult.rows[0];
+    }
+
+    // Combine results
+    const combinedResult = { ...userResult, ...profileResult };
+    return combinedResult;
+  } catch (err) {
+    console.error("Error fetching user data:", err.message);
+    throw err;
+  }
+}
+
+export { validateSession, checkRolePermission, validateSessionAndRole, getUserData };

package/package.json

@@ -1,10 +1,11 @@
 {
   "name": "mbkauthe",
-  "version": "1.0.3",
+  "version": "1.0.5",
   "description": "MBKTechStudio's reusable authentication system for Node.js applications.",
   "main": "index.js",
+  "type": "module",
   "scripts": {
-    "test": "echo \"Error: no test specified\" && exit 1"
+    "test": "node index.js"
   },
   "repository": {
     "type": "git",