mbkauthe 1.0.5 → 1.0.7

package/.env.example

@@ -0,0 +1,11 @@
+mbkautheVar='{
+    "RECAPTCHA_SECRET_KEY": "your-recaptcha-secret-key",
+    "SESSION_SECRET_KEY": "your-session-secret-key",
+    "IS_DEPLOYED": "true",
+    "LOGIN_DB": "postgres://username:password@host:port/database",
+    "MBKAUTH_TWO_FA_ENABLE": "false",
+    "COOKIE_EXPIRE_TIME": 2,
+    "DOMAIN": "yourdomain.com"
+}'
+
+# See env.md for more details

package/.github/workflows/publish.yml

@@ -4,9 +4,16 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v3

package/README.md

@@ -55,13 +55,15 @@ app.listen(3000, () => {
 
 Example `.env` file:
 ```code
-RECAPTCHA_SECRET_KEY=your-recaptcha-secret-key
-SESSION_SECRET_KEY=your-session-secret-key
-LOGIN_DB=postgres://username:password@host:port/database
-DOMAIN=yourdomain.com
-IS_DEPLOYED=true
-MBKAUTH_TWO_FA_ENABLE=false
-COOKIE_EXPIRE_TIME=2
+mbkautheVar='{
+    "RECAPTCHA_SECRET_KEY": "your-recaptcha-secret-key",
+    "SESSION_SECRET_KEY": "your-session-secret-key",
+    "IS_DEPLOYED": "true",
+    "LOGIN_DB": "postgres://username:password@host:port/database",
+    "MBKAUTH_TWO_FA_ENABLE": "false",
+    "COOKIE_EXPIRE_TIME": 2,
+    "DOMAIN": "yourdomain.com"
+}'
 ```
 
 ## API Endpoints

package/index.js

@@ -1,23 +1,25 @@
-import dotenv from "dotenv";
-import Joi from "joi";
 import router from "./lib/main.js";
+
+import dotenv from "dotenv";
 dotenv.config();
+const mbkautheVar = JSON.parse(process.env.mbkautheVar);
+if (!mbkautheVar) {
+    throw new Error("mbkautheVar is not defined");
+}
+const requiredKeys = ["RECAPTCHA_SECRET_KEY", "SESSION_SECRET_KEY", "IS_DEPLOYED", "LOGIN_DB", "MBKAUTH_TWO_FA_ENABLE", "DOMAIN"];
+requiredKeys.forEach(key => {
+    if (!mbkautheVar[key]) {
+        throw new Error(`mbkautheVar.${key} is required`);
+    }
+});
+if (mbkautheVar.COOKIE_EXPIRE_TIME !== undefined) {
+    const expireTime = parseFloat(mbkautheVar.COOKIE_EXPIRE_TIME);
+    if (isNaN(expireTime) || expireTime <= 0) {
+        throw new Error("mbkautheVar.COOKIE_EXPIRE_TIME must be a valid positive number");
+    }
+}
 
-const envSchema = Joi.object({
-    RECAPTCHA_SECRET_KEY: Joi.string().required(),
-    SESSION_SECRET_KEY: Joi.string().required(),
-    IS_DEPLOYED: Joi.string().valid("true", "false").required(),
-    LOGIN_DB: Joi.string().uri().required(),
-    MBKAUTH_TWO_FA_ENABLE: Joi.string().valid("true", "false").required(),
-    COOKIE_EXPIRE_TIME: Joi.number().integer().positive(),
-    DOMAIN: Joi.string().required(),
-}).unknown(true);
 
-const { error } = envSchema.validate(process.env);
-if (error) {
-    throw new Error(`Environment variable validation error: ${error.message}`);
-}
-export { validateSession, checkRolePermission, validateSessionAndRole, getUserData } from "./lib/validateSessionAndRole.js";
-export { authenticate } from "./lib/auth.js";
+export { validateSession, checkRolePermission, validateSessionAndRole, getUserData, authenticate } from "./lib/validateSessionAndRole.js";
 export { dblogin } from "./lib/pool.js";
 export default router;

package/lib/main.js

@@ -3,119 +3,103 @@ import crypto from "crypto";
 import session from "express-session";
 import pgSession from "connect-pg-simple";
 const PgSession = pgSession(session);
-import dotenv from "dotenv";
 import { dblogin } from "./pool.js";
-import { authenticate } from "./auth.js";
+import { authenticate } from "./validateSessionAndRole.js";
 import fetch from 'node-fetch';
-import cookieParser from "cookie-parser"; // Import cookie-parser
+import cookieParser from "cookie-parser";
+
+
 
+import dotenv from "dotenv";
 dotenv.config();
+const mbkautheVar = JSON.parse(process.env.mbkautheVar);
+if (!mbkautheVar) {
+  throw new Error("mbkautheVar is not defined");
+}
+const requiredKeys = ["RECAPTCHA_SECRET_KEY", "SESSION_SECRET_KEY", "IS_DEPLOYED", "LOGIN_DB", "MBKAUTH_TWO_FA_ENABLE", "DOMAIN"];
+requiredKeys.forEach(key => {
+  if (!mbkautheVar[key]) {
+    throw new Error(`mbkautheVar.${key} is required`);
+  }
+});
+if (mbkautheVar.COOKIE_EXPIRE_TIME !== undefined) {
+  const expireTime = parseFloat(mbkautheVar.COOKIE_EXPIRE_TIME);
+  if (isNaN(expireTime) || expireTime <= 0) {
+    throw new Error("mbkautheVar.COOKIE_EXPIRE_TIME must be a valid positive number");
+  }
+}
+
+
 const router = express.Router();
-let COOKIE_EXPIRE_TIME = 2 * 24 * 60 * 60 * 1000; //2 days
+let COOKIE_EXPIRE_TIME = 2 * 24 * 60 * 60 * 1000; // 2 days
 
 try {
-  const parsedExpireTime = parseInt(process.env.COOKIE_EXPIRE_TIME, 10);
+  const parsedExpireTime = parseInt(mbkautheVar.COOKIE_EXPIRE_TIME, 10);
   if (!isNaN(parsedExpireTime) && parsedExpireTime > 0) {
-    COOKIE_EXPIRE_TIME = parsedExpireTime * 24 * 60 * 60 * 1000; // Convert days to milliseconds
+    COOKIE_EXPIRE_TIME = parsedExpireTime * 24 * 60 * 60 * 1000;
   } else {
-    console.warn("Invalid COOKIE_EXPIRE_TIME in environment variables, using default value");
+    console.warn("Invalid COOKIE_EXPIRE_TIME, using default value");
   }
-  console.log(`Cookie expiration time set to ${COOKIE_EXPIRE_TIME} days for deployed environment`);
 } catch (error) {
   console.log("Error parsing COOKIE_EXPIRE_TIME:", error);
 }
 
-router.use(express.json());
-router.use(express.urlencoded({ extended: true }));
-
-router.use(
-  session({
-    store: new PgSession({
-      pool: dblogin, // Connection pool
-      tableName: "session", // Use another table-name than the default "session" one
-    }),
-    secret: process.env.SESSION_SECRET_KEY, // Replace with your secret key
-    resave: false,
-    saveUninitialized: false,
-    cookie: {
-      maxAge: COOKIE_EXPIRE_TIME,
-      DOMAIN: process.env.IS_DEPLOYED === 'true' ? `.${process.env.DOMAIN}` : undefined, // Use root DOMAIN for subDOMAIN sharing
-      httpOnly: true,
-      secure: process.env.IS_DEPLOYED === 'true', // Use secure cookies in production
-    },
-  })
-);
-
-
-
-router.use(cookieParser()); // Use cookie-parser middleware
-
+// Enable CORS for subdomains
 router.use((req, res, next) => {
-  if (req.session && req.session.user) {
-    const userAgent = req.headers["user-agent"];
-    const userIp =
-      req.headers["x-forwarded-for"] || req.connection.remoteAddress;
-    const formattedIp = userIp === "::1" ? "127.0.0.1" : userIp;
-
-    req.session.otherInfo = {
-      ip: formattedIp,
-      browser: userAgent,
-    };
-
-    next();
-  } else {
-    next();
+  const origin = req.headers.origin;
+  if (origin && origin.endsWith(`.${mbkautheVar.DOMAIN}`)) {
+    res.header('Access-Control-Allow-Origin', origin);
+    res.header('Access-Control-Allow-Credentials', 'true');
+    res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');
+    res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');
   }
+  next();
 });
 
-// Save the username in a cookie, the cookie user name is use
-// for displaying user name in profile menu. This cookie is not use anyelse where.
-// So it is safe to use.
+router.use(express.json());
+router.use(express.urlencoded({ extended: true }));
+router.use(cookieParser());
+
+// Configure session with proper domain settings
+const sessionConfig = {
+  store: new PgSession({
+    pool: dblogin,
+    tableName: "session",
+  }),
+  secret: mbkautheVar.SESSION_SECRET_KEY,
+  resave: false,
+  saveUninitialized: false,
+  cookie: {
+    maxAge: COOKIE_EXPIRE_TIME,
+    domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
+    httpOnly: true,
+    secure: mbkautheVar.IS_DEPLOYED === 'true',
+    sameSite: 'lax',
+  },
+  name: 'mbkauthe.sid' // Unique session cookie name
+};
+
+router.use(session(sessionConfig));
+
+// Middleware to handle session restoration from sessionId cookie
 router.use(async (req, res, next) => {
-  if (req.session && req.session.user) {
+  if (!req.session.user && req.cookies.sessionId) {
     try {
-
-      res.cookie("username", req.session.user.username, {
-        maxAge: COOKIE_EXPIRE_TIME,
-      });
-
-      const query = `SELECT "Role" FROM "Users" WHERE "UserName" = $1`;
-      const result = await dblogin.query(query, [req.session.user.username]);
+      const sessionId = req.cookies.sessionId;
+      const query = `SELECT * FROM "Users" WHERE "SessionId" = $1`;
+      const result = await dblogin.query(query, [sessionId]);
 
       if (result.rows.length > 0) {
-        req.session.user.role = result.rows[0].Role;
-        res.cookie("userRole", req.session.user.role, {
-          maxAge: COOKIE_EXPIRE_TIME,
-        });
-      } else {
-        req.session.user.role = null;
+        const user = result.rows[0];
+        req.session.user = {
+          id: user.id,
+          username: user.UserName,
+          sessionId,
+        };
+        console.log(`Session restored for user: ${user.UserName}`);
       }
-    } catch (error) {
-      console.log("Error fetching user role:", error.message);
-      req.session.user.role = null; // Fallback to null role
-    }
-  }
-  next();
-});
-
-router.use(async (req, res, next) => {
-  // Check for sessionId cookie if session is not initialized
-  if (!req.session.user && req.cookies && req.cookies.sessionId) {
-    console.log("Restoring session from sessionId cookie"); // Log session restoration
-    const sessionId = req.cookies.sessionId;
-    const query = `SELECT * FROM "Users" WHERE "SessionId" = $1`;
-    const result = await dblogin.query(query, [sessionId]);
-
-    if (result.rows.length > 0) {
-      const user = result.rows[0];
-      req.session.user = {
-        id: user.id,
-        username: user.UserName,
-        sessionId,
-      };
-      console.log(`Session restored for user: ${user.UserName}`); // Log successful session restoration
-    } else {
-      console.warn("No matching session found for sessionId"); // Log if no session is found
+    } catch (err) {
+      console.error("Session restoration error:", err);
     }
   }
   next();
@@ -123,7 +107,7 @@ router.use(async (req, res, next) => {
 
 //Invoke-RestMethod -Uri http://localhost:3030/terminateAllSessions -Method POST
 // Terminate all sessions route
-router.post("/mbkauthe/api/terminateAllSessions", authenticate(process.env.Main_SECRET_TOKEN), async (req, res) => {
+router.post("/mbkauthe/api/terminateAllSessions", authenticate(mbkautheVar.Main_SECRET_TOKEN), async (req, res) => {
   try {
     await dblogin.query(`UPDATE "Users" SET "SessionId" = NULL`);
 
@@ -159,11 +143,17 @@ router.post("/mbkauthe/api/login", async (req, res) => {
   const { username, password, token, recaptcha } = req.body;
   console.log(`Login attempt for username: ${username}`); // Log username
 
-  const secretKey = process.env.RECAPTCHA_SECRET_KEY;
+  const secretKey = mbkautheVar.RECAPTCHA_SECRET_KEY;
   const verificationUrl = `https://www.google.com/recaptcha/api/siteverify?secret=${secretKey}&response=${recaptcha}`;
 
+  let BypassUsers = ["ibnekhalid", "maaz.waheed", "support"];
+
   // Bypass recaptcha for specific users
-  if (username !== "ibnekhalid" && username !== "maaz.waheed" && username !== "support") {
+  if (!BypassUsers.includes(username)) {
+    if (!recaptcha) {
+      console.log("Missing reCAPTCHA token");
+      return res.status(400).json({ success: false, message: "Please complete the reCAPTCHA" });
+    }
     try {
       const response = await fetch(verificationUrl, { method: 'POST' });
       const body = await response.json();
@@ -187,14 +177,6 @@ router.post("/mbkauthe/api/login", async (req, res) => {
     });
   }
 
-  console.log("RECAPTCHA_SECRET_KEY:", process.env.RECAPTCHA_SECRET_KEY); // Log reCAPTCHA secret key
-  console.log("SESSION_SECRET_KEY:", process.env.SESSION_SECRET_KEY); // Log reCAPTCHA secret key
-  console.log("LOGIN_DB:", process.env.LOGIN_DB); // Log reCAPTCHA secret key
-  console.log("COOKIE_EXPIRE_TIME:", process.env.COOKIE_EXPIRE_TIME); // Log reCAPTCHA secret key
-  console.log("DOMAIN:", process.env.DOMAIN); // Log reCAPTCHA secret key
-  console.log("IS_DEPLOYED:", process.env.IS_DEPLOYED); // Log reCAPTCHA secret key
-  console.log("MBKAUTH_TWO_FA_ENABLE:", process.env.MBKAUTH_TWO_FA_ENABLE); // Log reCAPTCHA secret key
-
   try {
     // Query to check if the username exists
     const userQuery = `SELECT * FROM "Users" WHERE "UserName" = $1`;
@@ -220,7 +202,7 @@ router.post("/mbkauthe/api/login", async (req, res) => {
       return res.status(403).json({ success: false, message: "Account is inactive" });
     }
 
-    if ((process.env.MBKAUTH_TWO_FA_ENABLE || "").toLocaleLowerCase() === "true") {
+    if ((mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLocaleLowerCase() === "true") {
       let sharedSecret;
       const query = `SELECT "TwoFAStatus", "TwoFASecret" FROM "TwoFA" WHERE "UserName" = $1`;
       const twoFAResult = await dblogin.query(query, [username]);
@@ -267,9 +249,9 @@ router.post("/mbkauthe/api/login", async (req, res) => {
     // Set a cookie accessible across subDOMAINs
     res.cookie("sessionId", sessionId, {
       maxAge: COOKIE_EXPIRE_TIME,
-      DOMAIN: process.env.IS_DEPLOYED === 'true' ? `.${process.env.DOMAIN}` : undefined, // Use DOMAIN only in production
+      DOMAIN: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined, // Use DOMAIN only in production
       httpOnly: true,
-      secure: process.env.IS_DEPLOYED === 'true', // Use secure cookies in production
+      secure: mbkautheVar.IS_DEPLOYED === 'true', // Use secure cookies in production
     });
     console.log(`Cookie set for user: ${user.UserName}, sessionId: ${sessionId}`); // Log cookie setting
 

package/lib/pool.js

@@ -1,12 +1,29 @@
 import pkg from "pg";
 const { Pool } = pkg;
-import dotenv from "dotenv";
 
+
+import dotenv from "dotenv";
 dotenv.config();
+const mbkautheVar = JSON.parse(process.env.mbkautheVar);
+if (!mbkautheVar) {
+  throw new Error("mbkautheVar is not defined");
+}
+const requiredKeys = ["RECAPTCHA_SECRET_KEY", "SESSION_SECRET_KEY", "IS_DEPLOYED", "LOGIN_DB", "MBKAUTH_TWO_FA_ENABLE", "DOMAIN"];
+requiredKeys.forEach(key => {
+  if (!mbkautheVar[key]) {
+    throw new Error(`mbkautheVar.${key} is required`);
+  }
+});
+if (mbkautheVar.COOKIE_EXPIRE_TIME !== undefined) {
+  const expireTime = parseFloat(mbkautheVar.COOKIE_EXPIRE_TIME);
+  if (isNaN(expireTime) || expireTime <= 0) {
+    throw new Error("mbkautheVar.COOKIE_EXPIRE_TIME must be a valid positive number");
+  }
+}
 
 // PostgreSQL connection pool for pool
 const poolConfig = {
-  connectionString: process.env.LOGIN_DB,
+  connectionString: mbkautheVar.LOGIN_DB,
   ssl: {
     rejectUnauthorized: true,
   },

package/lib/validateSessionAndRole.js

@@ -1,6 +1,27 @@
 import { dblogin } from "./pool.js";
 
 async function validateSession(req, res, next) {
+  // First check if we have a session cookie
+  if (!req.session.user && req.cookies.sessionId) {
+    try {
+      const sessionId = req.cookies.sessionId;
+      const query = `SELECT * FROM "Users" WHERE "SessionId" = $1`;
+      const result = await dblogin.query(query, [sessionId]);
+
+      if (result.rows.length > 0) {
+        const user = result.rows[0];
+        req.session.user = {
+          id: user.id,
+          username: user.UserName,
+          sessionId,
+        };
+      }
+    } catch (err) {
+      console.error("Session validation error:", err);
+      return res.status(500).json({ success: false, message: "Internal Server Error" });
+    }
+  }
+
   if (!req.session.user) {
     return res.render("templates/Error/NotLoggedIn.handlebars", {
       currentUrl: req.originalUrl,
@@ -12,37 +33,32 @@ async function validateSession(req, res, next) {
     const query = `SELECT "SessionId", "Active" FROM "Users" WHERE "id" = $1`;
     const result = await dblogin.query(query, [id]);
 
-    // Check if user exists and session ID matches
     if (result.rows.length === 0 || result.rows[0].SessionId !== sessionId) {
-      console.log(
-        `Session invalidated for user \"${req.session.user.username}\"`
-      );
+      console.log(`Session invalidated for user "${req.session.user.username}"`);
       req.session.destroy();
-      // ...existing code...
+      res.clearCookie("mbkauthe.sid", { domain: `.${mbkautheVar.DOMAIN}` });
+      res.clearCookie("sessionId", { domain: `.${mbkautheVar.DOMAIN}` });
       return res.render("templates/Error/SessionExpire.handlebars", {
         currentUrl: req.originalUrl,
       });
-      // ...existing code...
     }
 
-    // Check if the user account is inactive
     if (!result.rows[0].Active) {
-      console.log(
-        `Account is inactive for user \"${req.session.user.username}\"`
-      );
+      console.log(`Account is inactive for user "${req.session.user.username}"`);
       req.session.destroy();
-      res.clearCookie("connect.sid");
+      res.clearCookie("mbkauthe.sid", { domain: `.${mbkautheVar.DOMAIN}` });
+      res.clearCookie("sessionId", { domain: `.${mbkautheVar.DOMAIN}` });
       return res.render("templates/Error/AccountInactive.handlebars", {
         currentUrl: req.originalUrl,
       });
     }
 
-    next(); // Proceed if everything is valid
+    next();
   } catch (err) {
     console.error("Session validation error:", err);
     res.status(500).json({ success: false, message: "Internal Server Error" });
   }
-}   
+}
 
 const checkRolePermission = (requiredRole) => {
   return async (req, res, next) => {
@@ -86,7 +102,7 @@ const checkRolePermission = (requiredRole) => {
         .json({ success: false, message: "Internal Server Error" });
     }
   };
-}; 
+};
 
 const validateSessionAndRole = (requiredRole) => {
   return async (req, res, next) => {
@@ -149,4 +165,18 @@ async function getUserData(UserName, parameters) {
   }
 }
 
-export { validateSession, checkRolePermission, validateSessionAndRole, getUserData };
+const authenticate = (authentication) => {
+  return (req, res, next) => {
+    const token = req.headers["authorization"];
+    console.log(`Received token: ${token}`);
+    if (token === authentication) {
+      console.log("Authentication successful");
+      next();
+    } else {
+      console.log("Authentication failed");
+      res.status(401).send("Unauthorized");
+    }
+  };
+};
+
+export { validateSession, checkRolePermission, validateSessionAndRole, getUserData, authenticate };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mbkauthe",
-  "version": "1.0.5",
+  "version": "1.0.7",
   "description": "MBKTechStudio's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",
@@ -31,7 +31,6 @@
     "dotenv": "^16.4.7",
     "express": "^5.1.0",
     "express-session": "^1.18.1",
-    "joi": "^17.13.3",
     "node-fetch": "^3.3.2",
     "pg": "^8.14.1"
   }

package/lib/auth.js

@@ -1,13 +0,0 @@
-export const authenticate = (authentication) => {
-    return (req, res, next) => {
-      const token = req.headers["authorization"];
-      console.log(`Received token: ${token}`);
-      if (token === authentication) {
-        console.log("Authentication successful");
-        next();
-      } else {
-        console.log("Authentication failed");
-        res.status(401).send("Unauthorized");
-      }
-    };
-  };