mbkauthe 1.0.4 → 1.0.5

package/README.md

@@ -1 +1,121 @@
-# mbkauthe
+# mbkauthe
+
+[![Publish to npm](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/publish.yml/badge.svg?branch=main)](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/publish.yml) [![CodeQL Advanced](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/codeql.yml/badge.svg?branch=main)](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/codeql.yml)
+
+## Table of Contents
+
+- [Introduction](#mbkauth)
+- [Features](#features)
+- [Installation](#installation)
+- [Usage](#usage)
+  - [Basic Setup](#basic-setup)
+- [API Endpoints](#api-endpoints)
+  - [Login](#login)
+  - [Logout](#logout)
+  - [Terminate All Sessions](#terminate-all-sessions)
+- [Database Structure](#database-structure)
+- [License](#license)
+- [Contact & Support](#contact--support)
+
+`mbkAuthe` is a reusable authentication system for Node.js applications, designed to simplify session management, user authentication, and role-based access control. It integrates seamlessly with PostgreSQL and supports features like Two-Factor Authentication (2FA), session restoration, and reCAPTCHA verification.
+
+## Features
+
+- **Session Management**: Secure session handling using `express-session` and `connect-pg-simple`.
+- **Role-Based Access Control**: Validate user roles and permissions with ease.
+- **Two-Factor Authentication (2FA)**: Optional 2FA support for enhanced security.
+- **reCAPTCHA Integration**: Protect login endpoints with Google reCAPTCHA.
+- **Cookie Management**: Configurable cookie expiration and domain settings.
+- **PostgreSQL Integration**: Uses a connection pool for efficient database interactions.
+
+## Installation
+
+Install the package via npm:
+
+```bash
+npm install mbkauthe
+```
+
+## Usage
+### Basic Setup
+1. Import and configure the router in your Express application:
+```javascript
+import express from "express";
+import mbkAuthRouter from "mbkauthe";
+
+const app = express();
+
+app.use(mbkAuthRouter);
+
+app.listen(3000, () => {
+  console.log("Server is running on port 3000");
+});
+```
+2. Ensure your ``.env` file is properly configured. Refer to the [Configuration Guide(env.md)](env.md) for details.
+
+Example `.env` file:
+```code
+RECAPTCHA_SECRET_KEY=your-recaptcha-secret-key
+SESSION_SECRET_KEY=your-session-secret-key
+LOGIN_DB=postgres://username:password@host:port/database
+DOMAIN=yourdomain.com
+IS_DEPLOYED=true
+MBKAUTH_TWO_FA_ENABLE=false
+COOKIE_EXPIRE_TIME=2
+```
+
+## API Endpoints
+
+### Login
+
+**POST** `/mbkauth/api/login`
+- Request Body:
+  - `username`: User's username.
+  - `password`: User's password.
+  - `token`: (Optional) 2FA token.
+  - `recaptcha`: reCAPTCHA response.
+
+- Response:
+  - `200`: Login successful.
+  - `400`: Missing or invalid input.
+  - `401`: Unauthorized (e.g., invalid credentials or 2FA token).
+  - `500`: Internal server error.
+
+### Logout
+
+**POST** `/mbkauth/api/logout`
+- Response:
+  - `200`: Login successful.
+  - `400`: User not logged in.
+  - `500`: Internal server error.
+
+### Terminate All Sessions
+
+**POST** `/mbkauth/api/terminateAllSessions`
+- Authentication: Requires a valid `Main_SECRET_TOKEN` in the `Authorization` header.
+- Response:
+  - `200`: All sessions terminated successfully.
+  - `500`: Internal server error.
+  - 
+  
+
+## Database Structure
+
+This project utilizes three primary tables:
+
+1. **User**: Stores the main user information.
+2. **sess**: Contains session-related data for users.
+3. **TwoFA**: Saves the Two-Factor Authentication (2FA) secrets for users.
+
+For detailed information about table columns, schema, and queries to create these tables, refer to the [Database Guide (docs/db.md)](docs/db.md).
+
+## License
+This project is licensed under the `Mozilla Public License 2.0`. See the [LICENSE](./LICENSE) file for details.
+
+
+
+## Contact & Support
+
+For questions or contributions, please contact Muhammad Bin Khalid at [mbktechstudio.com/Support](https://mbktechstudio.com/Support/), [support@mbktechstudio.com](mailto:support@mbktechstudio.com) or [chmuhammadbinkhalid28.com](mailto:chmuhammadbinkhalid28.com). 
+
+**Developed by [Muhammad Bin Khalid](https://github.com/MIbnEKhalid)**

package/docs/db.md

@@ -0,0 +1,90 @@
+## Database structure
+
+[<- Back](README.md)
+
+## Table of Contents
+
+1. [Users Table](#users-table)
+2. [Session Table](#session-table)
+3. [Two-Factor Authentication Table](#two-factor-authentication-table)
+4. [Query to Add a User](#query-to-add-a-user)
+
+
+### Users Table
+
+- **Columns:**
+
+  - `id` (INTEGER, auto-increment, primary key): Unique identifier for each user.
+  - `UserName` (TEXT): The username of the user.
+  - `Password` (TEXT): The hashed password of the user.
+  - `Role` (ENUM): The role of the user. Possible values: `SuperAdmin`, `NormalUser`, `Guest`.
+  - `Active` (BOOLEAN): Indicates whether the user account is active.
+  - `HaveMailAccount` (BOOLEAN)(optional): Indicates if the user has a linked mail account.
+  - `SessionId` (TEXT): The session ID associated with the user.
+  - `GuestRole` (JSONB): Stores additional guest-specific role information in binary JSON format.
+
+- **Schema:**
+  ```sql
+  CREATE TABLE "Users" (
+      id INTEGER PRIMARY KEY GENERATED ALWAYS AS IDENTITY,
+      "UserName" TEXT NOT NULL,
+      "Password" TEXT NOT NULL,
+      "Role" TEXT CHECK("Role" IN ('SuperAdmin', 'NormalUser', 'Guest')) NOT NULL DEFAULT 'NormalUser'::text,
+      "Active" BOOLEAN NOT NULL DEFAULT true,
+      "HaveMailAccount" BOOLEAN NOT NULL DEFAULT false,
+      "SessionId" TEXT,
+      "GuestRole" JSONB DEFAULT '{"allowPages": [""], "NotallowPages": [""]}'::jsonb
+  );
+  ```
+
+### Session Table
+
+- **Columns:**
+
+  - `sid` (VARCHAR, primary key): Unique session identifier.
+  - `sess` (JSON): Session data stored in JSON format.
+  - `expire` (TIMESTAMP): Expiration timestamp for the session.
+
+- **Schema:**
+  ```sql
+  CREATE TABLE session (
+          sid VARCHAR PRIMARY KEY,
+          sess JSON NOT NULL,
+          expire TIMESTAMP NOT NULL
+  );
+  ```
+
+### Two-Factor Authentication Table
+
+- **Columns:**
+
+  - `UserName` (TEXT): The username of the user.
+  - `TwoFAStatus` (TEXT): The status of two-factor authentication (e.g., enabled, disabled).
+  - `TwoFASecret` (TEXT): The secret key used for two-factor authentication.
+
+- **Schema:**
+  ```sql
+  CREATE TABLE "TwoFA" (
+          "UserName" TEXT NOT NULL PRIMARY KEY,
+          "TwoFAStatus" TEXT NOT NULL DEFAULT false,
+          "TwoFASecret" TEXT NOT NULL
+  );
+  ```
+
+### Query to Add a User
+
+To add new users to the `Users` table, use the following SQL queries:
+
+```sql
+        INSERT INTO "Users" ("UserName", "Password", "Role", "Active", "HaveMailAccount", "SessionId", "GuestRole")
+        VALUES ('support', '12345678', 'SuperAdmin', true, false, NULL, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);
+
+        INSERT INTO "Users" ("UserName", "Password", "Role", "Active", "HaveMailAccount", "SessionId", "GuestRole")
+        VALUES ('test', '12345678', 'NormalUser', true, false, NULL, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);
+```
+
+- Replace `support` and `test` with the desired usernames.
+- Replace `12345678` with the actual passwords.
+- Adjust the `Role` values as needed (`SuperAdmin`, `NormalUser`, or `Guest`).
+- Modify the `Active` and `HaveMailAccount` values as required.
+- Update the `GuestRole` JSON object if specific permissions are required(this functionality is under construction).

package/env.md

@@ -0,0 +1,55 @@
+# Configuration Guide
+
+[<- Back](README.md)
+
+## reCAPTCHA Settings
+```properties
+RECAPTCHA_SECRET_KEY=123
+```
+> Note: Obtain your secret key from Google reCAPTCHA Admin Console.
+
+
+## Session Settings
+```properties
+SESSION_SECRET_KEY=123
+IS_DEPLOYED=true
+DOMAIN=mbktechstudio.com
+```
+> **SESSION_SECRET_KEY**: Generate a secure key using [Generate Secret](https://generate-secret.vercel.app/32).
+
+> **IS_DEPLOYED**:
+
+> - `true`: For deployed environments. Sessions are shared across all subDOMAINs of `.mbktechstudio.com` or the DOMAIN specified in `DOMAIN`.
+
+> - `false`: For local development.
+
+> - Important: If set to `true`, login functionality will not work on `localhost`. Use a valid DOMAIN for proper operation.
+
+> **DOMAIN**:
+
+> - Set `DOMAIN` to your DOMAIN
+
+> - If you don't have a DOMAIN, set `IS_DEPLOYED=false`.
+
+
+## Database Settings
+
+```properties
+LOGIN_DB=postgresql://username:password@server.DOMAIN/db_name
+```
+> Replace the placeholder with your PostgreSQL connection string.
+
+
+## Two-Factor Authentication (2FA)
+```properties
+MBKAUTH_TWO_FA_ENABLE=false
+```
+> MBKAUTH_TWO_FA_ENABLE: Set to `true` to enable Two-Factor Authentication.
+
+
+## Cookie Settings
+
+```properties
+COOKIE_EXPIRE_TIME=5
+```
+> Cookie expiration time in days. Default is `2 days`.

package/lib/main.js

@@ -20,25 +20,11 @@ try {
   } else {
     console.warn("Invalid COOKIE_EXPIRE_TIME in environment variables, using default value");
   }
-  WriteConsoleLogs(`Cookie expiration time set to ${COOKIE_EXPIRE_TIME} days for deployed environment`);
+  console.log(`Cookie expiration time set to ${COOKIE_EXPIRE_TIME} days for deployed environment`);
 } catch (error) {
-  WriteConsoleLogs("Error parsing COOKIE_EXPIRE_TIME:", error);
+  console.log("Error parsing COOKIE_EXPIRE_TIME:", error);
 }
 
-async function WriteConsoleLogs(message) {
-    const appName = process.env.AppName;
-    try {
-      const query = `
-        INSERT INTO mbkauthlogs (app_name, message)
-        VALUES ($1, $2)
-      `;
-      await dblogin.query(query, [appName, message]);
-      console.log(`Logged message: ${message}`);
-    } catch (error) {
-      console.error("Error logging message:", error.message);
-    }
-  }
-
 router.use(express.json());
 router.use(express.urlencoded({ extended: true }));
 
@@ -105,7 +91,7 @@ router.use(async (req, res, next) => {
         req.session.user.role = null;
       }
     } catch (error) {
-      WriteConsoleLogs("Error fetching user role:", error.message);
+      console.log("Error fetching user role:", error.message);
       req.session.user.role = null; // Fallback to null role
     }
   }
@@ -115,7 +101,7 @@ router.use(async (req, res, next) => {
 router.use(async (req, res, next) => {
   // Check for sessionId cookie if session is not initialized
   if (!req.session.user && req.cookies && req.cookies.sessionId) {
-    WriteConsoleLogs("Restoring session from sessionId cookie"); // Log session restoration
+    console.log("Restoring session from sessionId cookie"); // Log session restoration
     const sessionId = req.cookies.sessionId;
     const query = `SELECT * FROM "Users" WHERE "SessionId" = $1`;
     const result = await dblogin.query(query, [sessionId]);
@@ -127,7 +113,7 @@ router.use(async (req, res, next) => {
         username: user.UserName,
         sessionId,
       };
-      WriteConsoleLogs(`Session restored for user: ${user.UserName}`); // Log successful session restoration
+      console.log(`Session restored for user: ${user.UserName}`); // Log successful session restoration
     } else {
       console.warn("No matching session found for sessionId"); // Log if no session is found
     }
@@ -147,19 +133,19 @@ router.post("/mbkauthe/api/terminateAllSessions", authenticate(process.env.Main_
     // Destroy all sessions on the server
     req.session.destroy((err) => {
       if (err) {
-        WriteConsoleLogs("Error destroying session:", err);
+        console.log("Error destroying session:", err);
         return res
           .status(500)
           .json({ success: false, message: "Failed to terminate sessions" });
       }
-      WriteConsoleLogs("All sessions terminated successfully");
+      console.log("All sessions terminated successfully");
       res.status(200).json({
         success: true,
         message: "All sessions terminated successfully",
       });
     });
   } catch (err) {
-    WriteConsoleLogs("Database query error during session termination:", err);
+    console.log("Database query error during session termination:", err);
     res
       .status(500)
       .json({ success: false, message: "Internal Server Error" });
@@ -168,10 +154,10 @@ router.post("/mbkauthe/api/terminateAllSessions", authenticate(process.env.Main_
 );
 
 router.post("/mbkauthe/api/login", async (req, res) => {
-  WriteConsoleLogs("Login request received"); // Log when login is initiated
+  console.log("Login request received"); // Log when login is initiated
 
   const { username, password, token, recaptcha } = req.body;
-  WriteConsoleLogs(`Login attempt for username: ${username}`); // Log username
+  console.log(`Login attempt for username: ${username}`); // Log username
 
   const secretKey = process.env.RECAPTCHA_SECRET_KEY;
   const verificationUrl = `https://www.google.com/recaptcha/api/siteverify?secret=${secretKey}&response=${recaptcha}`;
@@ -181,42 +167,42 @@ router.post("/mbkauthe/api/login", async (req, res) => {
     try {
       const response = await fetch(verificationUrl, { method: 'POST' });
       const body = await response.json();
-      WriteConsoleLogs("reCAPTCHA verification response:", body); // Log reCAPTCHA response
+      console.log("reCAPTCHA verification response:", body); // Log reCAPTCHA response
 
       if (!body.success) {
-        WriteConsoleLogs("Failed reCAPTCHA verification");
+        console.log("Failed reCAPTCHA verification");
         return res.status(400).json({ success: false, message: "Failed reCAPTCHA verification" });
       }
     } catch (err) {
-      WriteConsoleLogs("Error during reCAPTCHA verification:", err);
+      console.log("Error during reCAPTCHA verification:", err);
       return res.status(500).json({ success: false, message: "Internal Server Error" });
     }
   }
 
   if (!username || !password) {
-    WriteConsoleLogs("Missing username or password");
+    console.log("Missing username or password");
     return res.status(400).json({
       success: false,
       message: "Username and password are required",
     });
   }
 
-  WriteConsoleLogs("RECAPTCHA_SECRET_KEY:", process.env.RECAPTCHA_SECRET_KEY); // Log reCAPTCHA secret key
-  WriteConsoleLogs("SESSION_SECRET_KEY:", process.env.SESSION_SECRET_KEY); // Log reCAPTCHA secret key
-  WriteConsoleLogs("LOGIN_DB:", process.env.LOGIN_DB); // Log reCAPTCHA secret key
-  WriteConsoleLogs("COOKIE_EXPIRE_TIME:", process.env.COOKIE_EXPIRE_TIME); // Log reCAPTCHA secret key
-  WriteConsoleLogs("DOMAIN:", process.env.DOMAIN); // Log reCAPTCHA secret key
-  WriteConsoleLogs("IS_DEPLOYED:", process.env.IS_DEPLOYED); // Log reCAPTCHA secret key
-  WriteConsoleLogs("MBKAUTH_TWO_FA_ENABLE:", process.env.MBKAUTH_TWO_FA_ENABLE); // Log reCAPTCHA secret key
+  console.log("RECAPTCHA_SECRET_KEY:", process.env.RECAPTCHA_SECRET_KEY); // Log reCAPTCHA secret key
+  console.log("SESSION_SECRET_KEY:", process.env.SESSION_SECRET_KEY); // Log reCAPTCHA secret key
+  console.log("LOGIN_DB:", process.env.LOGIN_DB); // Log reCAPTCHA secret key
+  console.log("COOKIE_EXPIRE_TIME:", process.env.COOKIE_EXPIRE_TIME); // Log reCAPTCHA secret key
+  console.log("DOMAIN:", process.env.DOMAIN); // Log reCAPTCHA secret key
+  console.log("IS_DEPLOYED:", process.env.IS_DEPLOYED); // Log reCAPTCHA secret key
+  console.log("MBKAUTH_TWO_FA_ENABLE:", process.env.MBKAUTH_TWO_FA_ENABLE); // Log reCAPTCHA secret key
 
   try {
     // Query to check if the username exists
     const userQuery = `SELECT * FROM "Users" WHERE "UserName" = $1`;
     const userResult = await dblogin.query(userQuery, [username]);
-    WriteConsoleLogs("User query result:", userResult.rows); // Log user query result
+    console.log("User query result:", userResult.rows); // Log user query result
 
     if (userResult.rows.length === 0) {
-      WriteConsoleLogs(`Username does not exist: ${username}`);
+      console.log(`Username does not exist: ${username}`);
       return res.status(404).json({ success: false, message: "Username does not exist" });
     }
 
@@ -224,13 +210,13 @@ router.post("/mbkauthe/api/login", async (req, res) => {
 
     // Check if the password matches
     if (user.Password !== password) {
-      WriteConsoleLogs(`Incorrect password for username: ${username}`);
+      console.log(`Incorrect password for username: ${username}`);
       return res.status(401).json({ success: false, message: "Incorrect password" });
     }
 
     // Check if the account is inactive
     if (!user.Active) {
-      WriteConsoleLogs(`Inactive account for username: ${username}`);
+      console.log(`Inactive account for username: ${username}`);
       return res.status(403).json({ success: false, message: "Account is inactive" });
     }
 
@@ -238,11 +224,11 @@ router.post("/mbkauthe/api/login", async (req, res) => {
       let sharedSecret;
       const query = `SELECT "TwoFAStatus", "TwoFASecret" FROM "TwoFA" WHERE "UserName" = $1`;
       const twoFAResult = await dblogin.query(query, [username]);
-      WriteConsoleLogs("TwoFA query result:", twoFAResult.rows); // Log TwoFA query result
+      console.log("TwoFA query result:", twoFAResult.rows); // Log TwoFA query result
 
       sharedSecret = twoFAResult.rows[0]?.TwoFASecret;
       if (twoFAResult.rows.length > 0 && twoFAResult.rows[0].TwoFAStatus && !token) {
-        WriteConsoleLogs("2FA code required but not provided");
+        console.log("2FA code required but not provided");
         return res.status(401).json({ success: false, message: "Please Enter 2FA code" });
       }
 
@@ -255,7 +241,7 @@ router.post("/mbkauthe/api/login", async (req, res) => {
         });
 
         if (!tokenValidates) {
-          WriteConsoleLogs(`Invalid 2FA code for username: ${username}`);
+          console.log(`Invalid 2FA code for username: ${username}`);
           return res.status(401).json({ success: false, message: "Invalid 2FA code" });
         }
       }
@@ -263,7 +249,7 @@ router.post("/mbkauthe/api/login", async (req, res) => {
 
     // Generate session ID
     const sessionId = crypto.randomBytes(256).toString("hex");
-    WriteConsoleLogs(`Generated session ID for username: ${username}`); // Log session ID
+    console.log(`Generated session ID for username: ${username}`); // Log session ID
 
     await dblogin.query(`UPDATE "Users" SET "SessionId" = $1 WHERE "id" = $2`, [
       sessionId,
@@ -276,7 +262,7 @@ router.post("/mbkauthe/api/login", async (req, res) => {
       username: user.UserName,
       sessionId,
     };
-    WriteConsoleLogs(`Session stored for user: ${user.UserName}, sessionId: ${sessionId}`); // Log session storage
+    console.log(`Session stored for user: ${user.UserName}, sessionId: ${sessionId}`); // Log session storage
 
     // Set a cookie accessible across subDOMAINs
     res.cookie("sessionId", sessionId, {
@@ -285,16 +271,16 @@ router.post("/mbkauthe/api/login", async (req, res) => {
       httpOnly: true,
       secure: process.env.IS_DEPLOYED === 'true', // Use secure cookies in production
     });
-    WriteConsoleLogs(`Cookie set for user: ${user.UserName}, sessionId: ${sessionId}`); // Log cookie setting
+    console.log(`Cookie set for user: ${user.UserName}, sessionId: ${sessionId}`); // Log cookie setting
 
-    WriteConsoleLogs(`User "${username}" logged in successfully`);
+    console.log(`User "${username}" logged in successfully`);
     res.status(200).json({
       success: true,
       message: "Login successful",
       sessionId,
     });
   } catch (err) {
-    WriteConsoleLogs("Error during login process:", err);
+    console.log("Error during login process:", err);
     res.status(500).json({ success: false, message: "Internal Server Error" });
   }
 });
@@ -307,22 +293,22 @@ router.post("/mbkauthe/api/logout", async (req, res) => {
       const result = await dblogin.query(query, [id]);
 
       if (result.rows.length > 0 && !result.rows[0].Active) {
-        WriteConsoleLogs("Account is inactive during logout");
+        console.log("Account is inactive during logout");
       }
 
       req.session.destroy((err) => {
         if (err) {
-          WriteConsoleLogs("Error destroying session:", err);
+          console.log("Error destroying session:", err);
           return res.status(500).json({ success: false, message: "Logout failed" });
         }
         // Clear both session cookies
         res.clearCookie("connect.sid");
         res.clearCookie("sessionId"); // Clear the sessionId cookie used for restoration
-        WriteConsoleLogs(`User "${username}" logged out successfully`);
+        console.log(`User "${username}" logged out successfully`);
         res.status(200).json({ success: true, message: "Logout successful" });
       });
     } catch (err) {
-      WriteConsoleLogs("Database query error during logout:", err);
+      console.log("Database query error during logout:", err);
       res.status(500).json({ success: false, message: "Internal Server Error" });
     }
   } else {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mbkauthe",
-  "version": "1.0.4",
+  "version": "1.0.5",
   "description": "MBKTechStudio's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",