npm - mbkauthe - Versions diffs - 1.0.6 → 1.0.8 - Mend

mbkauthe 1.0.6 → 1.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/.env.example +3 -0
package/README.md +18 -2
package/docs/db.md +2 -0
package/env.md +20 -2
package/index.js +12 -1
package/lib/main.js +81 -123
package/lib/pool.js +0 -16
package/lib/validateSessionAndRole.js +49 -15
package/package.json +1 -1

package/.env.example CHANGED Viewed

@@ -1,5 +1,8 @@
 mbkautheVar='{
+    "APP_NAME": "MBKAUTH",
     "RECAPTCHA_SECRET_KEY": "your-recaptcha-secret-key",
+    "RECAPTCHA_Enabled": "f",
+    "BypassUsers": ["demo","user1"],
     "SESSION_SECRET_KEY": "your-session-secret-key",
     "IS_DEPLOYED": "true",
     "LOGIN_DB": "postgres://username:password@host:port/database",

package/README.md CHANGED Viewed

@@ -8,6 +8,7 @@
 - [Features](#features)
 - [Installation](#installation)
 - [Usage](#usage)
+  - [Implementation in a Project](#implementation-in-a-project)
   - [Basic Setup](#basic-setup)
 - [API Endpoints](#api-endpoints)
   - [Login](#login)
@@ -37,6 +38,18 @@ npm install mbkauthe
 ```
 ## Usage
+### Implementation in a Project
+For a practical example of how to use this package, check out the [ProjectImplementation branch](https://github.com/MIbnEKhalid/mbkauthe/tree/ProjectImplementation) of the repository. This branch demonstrates the integration of the package, including a login page, a protected page, and logout functionality.
+You can explore the functionality of `mbkAuthe` using the following demo account on [mbkauthe.mbktechstudio.com](https://mbkauthe.mbktechstudio.com):
+- **Username**: `demo`
+- **Password**: `demo`
+This demo provides a hands-on experience with the authentication system, including login, session management, and other features.
 ### Basic Setup
 1. Import and configure the router in your Express application:
 ```javascript
@@ -51,17 +64,20 @@ app.listen(3000, () => {
   console.log("Server is running on port 3000");
 });
 ```
-2. Ensure your ``.env` file is properly configured. Refer to the [Configuration Guide(env.md)](env.md) for details.
+2. Ensure your `.env` file is properly configured. Refer to the [Configuration Guide(env.md)](env.md) for details.
 Example `.env` file:
 ```code
 mbkautheVar='{
+    "APP_NAME": "MBKAUTH",
     "RECAPTCHA_SECRET_KEY": "your-recaptcha-secret-key",
+    "RECAPTCHA_Enabled": "false",
+    "BypassUsers": ["user1","user2"],
     "SESSION_SECRET_KEY": "your-session-secret-key",
     "IS_DEPLOYED": "true",
     "LOGIN_DB": "postgres://username:password@host:port/database",
     "MBKAUTH_TWO_FA_ENABLE": "false",
-    "COOKIE_EXPIRE_TIME": 2,
+    "COOKIE_EXPIRE_TIME": "1",
     "DOMAIN": "yourdomain.com"
 }'
 ```

package/docs/db.md CHANGED Viewed

@@ -22,6 +22,7 @@
   - `HaveMailAccount` (BOOLEAN)(optional): Indicates if the user has a linked mail account.
   - `SessionId` (TEXT): The session ID associated with the user.
   - `GuestRole` (JSONB): Stores additional guest-specific role information in binary JSON format.
+  - `AllowedApps`(JSONB):
 - **Schema:**
   ```sql
@@ -34,6 +35,7 @@
       "HaveMailAccount" BOOLEAN NOT NULL DEFAULT false,
       "SessionId" TEXT,
       "GuestRole" JSONB DEFAULT '{"allowPages": [""], "NotallowPages": [""]}'::jsonb
+      "AllowedApps" JSONB DEFAULT '{"allowPages": [""], "NotallowPages": [""]}'::jsonb
   );
   ```

package/env.md CHANGED Viewed

@@ -2,11 +2,29 @@
 [<- Back](README.md)
+## Application Settings
+```properties
+APP_NAME=mbkauthe
+```
+> **APP_NAME**: Specifies the name of the application. This is used to distinguish one project from another and is critical for ensuring users are restricted to specific apps. It corresponds to the `AllowedApp` column in the Users table.
 ## reCAPTCHA Settings
 ```properties
-RECAPTCHA_SECRET_KEY=123
+RECAPTCHA_ENABLED=true
+RECAPTCHA_SECRET_KEY=your-secret-key
+BYPASS_USERS=["demo", "user1"]
 ```
-> Note: Obtain your secret key from Google reCAPTCHA Admin Console.
+> **RECAPTCHA_ENABLED**: Set to `true` to enable reCAPTCHA verification.
+> **RECAPTCHA_SECRET_KEY**: Provide the secret key obtained from the [Google reCAPTCHA Admin Console](https://www.google.com/recaptcha/admin).
+> **BYPASS_USERS**: Specify an array of usernames (e.g., `["demo", "user1"]`) that will bypass reCAPTCHA verification.
+> **Note**: Ensure `RECAPTCHA_SECRET_KEY` is set when `RECAPTCHA_ENABLED=true`.
 ## Session Settings

package/index.js CHANGED Viewed

@@ -6,18 +6,29 @@ const mbkautheVar = JSON.parse(process.env.mbkautheVar);
 if (!mbkautheVar) {
     throw new Error("mbkautheVar is not defined");
 }
-const requiredKeys = ["RECAPTCHA_SECRET_KEY", "SESSION_SECRET_KEY", "IS_DEPLOYED", "LOGIN_DB", "MBKAUTH_TWO_FA_ENABLE", "DOMAIN"];
+const requiredKeys = ["APP_NAME", "RECAPTCHA_Enabled", "SESSION_SECRET_KEY", "IS_DEPLOYED", "LOGIN_DB", "MBKAUTH_TWO_FA_ENABLE", "DOMAIN"];
 requiredKeys.forEach(key => {
     if (!mbkautheVar[key]) {
         throw new Error(`mbkautheVar.${key} is required`);
     }
 });
+if (mbkautheVar.RECAPTCHA_Enabled === "true") {
+    if (mbkautheVar.RECAPTCHA_SECRET_KEY === undefined) {
+        throw new Error("mbkautheVar.RECAPTCHA_SECRET_KEY is required");
+    }
+}
 if (mbkautheVar.COOKIE_EXPIRE_TIME !== undefined) {
     const expireTime = parseFloat(mbkautheVar.COOKIE_EXPIRE_TIME);
     if (isNaN(expireTime) || expireTime <= 0) {
         throw new Error("mbkautheVar.COOKIE_EXPIRE_TIME must be a valid positive number");
     }
 }
+if (mbkautheVar.BypassUsers !== undefined) {
+    if (!Array.isArray(mbkautheVar.BypassUsers)) {
+        throw new Error("mbkautheVar.BypassUsers must be a valid array");
+    }
+    const BypassUsers = mbkautheVar.BypassUsers;
+}
 export { validateSession, checkRolePermission, validateSessionAndRole, getUserData, authenticate } from "./lib/validateSessionAndRole.js";

package/lib/main.js CHANGED Viewed

@@ -8,134 +8,80 @@ import { authenticate } from "./validateSessionAndRole.js";
 import fetch from 'node-fetch';
 import cookieParser from "cookie-parser";
 import dotenv from "dotenv";
 dotenv.config();
 const mbkautheVar = JSON.parse(process.env.mbkautheVar);
-if (!mbkautheVar) {
-  throw new Error("mbkautheVar is not defined");
-}
-const requiredKeys = ["RECAPTCHA_SECRET_KEY", "SESSION_SECRET_KEY", "IS_DEPLOYED", "LOGIN_DB", "MBKAUTH_TWO_FA_ENABLE", "DOMAIN"];
-requiredKeys.forEach(key => {
-  if (!mbkautheVar[key]) {
-    throw new Error(`mbkautheVar.${key} is required`);
-  }
-});
-if (mbkautheVar.COOKIE_EXPIRE_TIME !== undefined) {
-  const expireTime = parseFloat(mbkautheVar.COOKIE_EXPIRE_TIME);
-  if (isNaN(expireTime) || expireTime <= 0) {
-    throw new Error("mbkautheVar.COOKIE_EXPIRE_TIME must be a valid positive number");
-  }
-}
 const router = express.Router();
-let COOKIE_EXPIRE_TIME = 2 * 24 * 60 * 60 * 1000; //2 days
+let COOKIE_EXPIRE_TIME = 2 * 24 * 60 * 60 * 1000; // 2 days
 try {
   const parsedExpireTime = parseInt(mbkautheVar.COOKIE_EXPIRE_TIME, 10);
   if (!isNaN(parsedExpireTime) && parsedExpireTime > 0) {
-    COOKIE_EXPIRE_TIME = parsedExpireTime * 24 * 60 * 60 * 1000; // Convert days to milliseconds
+    COOKIE_EXPIRE_TIME = parsedExpireTime * 24 * 60 * 60 * 1000;
   } else {
-    console.warn("Invalid COOKIE_EXPIRE_TIME in environment variables, using default value");
+    console.warn("Invalid COOKIE_EXPIRE_TIME, using default value");
   }
-  console.log(`Cookie expiration time set to ${COOKIE_EXPIRE_TIME / (24 * 60 * 60 * 1000)} days for deployed environment`);
 } catch (error) {
   console.log("Error parsing COOKIE_EXPIRE_TIME:", error);
 }
-router.use(express.json());
-router.use(express.urlencoded({ extended: true }));
-router.use(
-  session({
-    store: new PgSession({
-      pool: dblogin, // Connection pool
-      tableName: "session", // Use another table-name than the default "session" one
-    }),
-    secret: mbkautheVar.SESSION_SECRET_KEY, // Replace with your secret key
-    resave: false,
-    saveUninitialized: false,
-    cookie: {
-      maxAge: COOKIE_EXPIRE_TIME,
-      DOMAIN: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined, // Use root DOMAIN for subDOMAIN sharing
-      httpOnly: true,
-      secure: mbkautheVar.IS_DEPLOYED === 'true', // Use secure cookies in production
-    },
-  })
-);
-router.use(cookieParser()); // Use cookie-parser middleware
+// Enable CORS for subdomains
 router.use((req, res, next) => {
-  if (req.session && req.session.user) {
-    const userAgent = req.headers["user-agent"];
-    const userIp =
-      req.headers["x-forwarded-for"] || req.connection.remoteAddress;
-    const formattedIp = userIp === "::1" ? "127.0.0.1" : userIp;
-    req.session.otherInfo = {
-      ip: formattedIp,
-      browser: userAgent,
-    };
-    next();
-  } else {
-    next();
+  const origin = req.headers.origin;
+  if (origin && origin.endsWith(`.${mbkautheVar.DOMAIN}`)) {
+    res.header('Access-Control-Allow-Origin', origin);
+    res.header('Access-Control-Allow-Credentials', 'true');
+    res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');
+    res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');
   }
+  next();
 });
-// Save the username in a cookie, the cookie user name is use
-// for displaying user name in profile menu. This cookie is not use anyelse where.
-// So it is safe to use.
+router.use(express.json());
+router.use(express.urlencoded({ extended: true }));
+router.use(cookieParser());
+// Configure session with proper domain settings
+const sessionConfig = {
+  store: new PgSession({
+    pool: dblogin,
+    tableName: "session",
+  }),
+  secret: mbkautheVar.SESSION_SECRET_KEY,
+  resave: false,
+  saveUninitialized: false,
+  cookie: {
+    maxAge: COOKIE_EXPIRE_TIME,
+    domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
+    httpOnly: true,
+    secure: mbkautheVar.IS_DEPLOYED === 'true',
+    sameSite: 'lax',
+  },
+  name: 'mbkauthe.sid' // Unique session cookie name
+};
+router.use(session(sessionConfig));
+// Middleware to handle session restoration from sessionId cookie
 router.use(async (req, res, next) => {
-  if (req.session && req.session.user) {
+  if (!req.session.user && req.cookies.sessionId) {
     try {
-      res.cookie("username", req.session.user.username, {
-        maxAge: COOKIE_EXPIRE_TIME,
-      });
-      const query = `SELECT "Role" FROM "Users" WHERE "UserName" = $1`;
-      const result = await dblogin.query(query, [req.session.user.username]);
+      const sessionId = req.cookies.sessionId;
+      const query = `SELECT * FROM "Users" WHERE "SessionId" = $1`;
+      const result = await dblogin.query(query, [sessionId]);
       if (result.rows.length > 0) {
-        req.session.user.role = result.rows[0].Role;
-        res.cookie("userRole", req.session.user.role, {
-          maxAge: COOKIE_EXPIRE_TIME,
-        });
-      } else {
-        req.session.user.role = null;
+        const user = result.rows[0];
+        req.session.user = {
+          id: user.id,
+          username: user.UserName,
+          sessionId,
+        };
+        console.log(`Session restored for user: ${user.UserName}`);
       }
-    } catch (error) {
-      console.log("Error fetching user role:", error.message);
-      req.session.user.role = null; // Fallback to null role
-    }
-  }
-  next();
-});
-router.use(async (req, res, next) => {
-  // Check for sessionId cookie if session is not initialized
-  if (!req.session.user && req.cookies && req.cookies.sessionId) {
-    console.log("Restoring session from sessionId cookie"); // Log session restoration
-    const sessionId = req.cookies.sessionId;
-    const query = `SELECT * FROM "Users" WHERE "SessionId" = $1`;
-    const result = await dblogin.query(query, [sessionId]);
-    if (result.rows.length > 0) {
-      const user = result.rows[0];
-      req.session.user = {
-        id: user.id,
-        username: user.UserName,
-        sessionId,
-      };
-      console.log(`Session restored for user: ${user.UserName}`); // Log successful session restoration
-    } else {
-      console.warn("No matching session found for sessionId"); // Log if no session is found
+    } catch (err) {
+      console.error("Session restoration error:", err);
     }
   }
   next();
@@ -182,26 +128,26 @@ router.post("/mbkauthe/api/login", async (req, res) => {
   const secretKey = mbkautheVar.RECAPTCHA_SECRET_KEY;
   const verificationUrl = `https://www.google.com/recaptcha/api/siteverify?secret=${secretKey}&response=${recaptcha}`;
-  let BypassUsers = ["ibnekhalid", "maaz.waheed", "support"];
-  // Bypass recaptcha for specific users
-  if (!BypassUsers.includes(username)) {
-    if (!recaptcha) {
-      console.log("Missing reCAPTCHA token");
-      return res.status(400).json({ success: false, message: "Please complete the reCAPTCHA" });
-    }
-    try {
-      const response = await fetch(verificationUrl, { method: 'POST' });
-      const body = await response.json();
-      console.log("reCAPTCHA verification response:", body); // Log reCAPTCHA response
-      if (!body.success) {
-        console.log("Failed reCAPTCHA verification");
-        return res.status(400).json({ success: false, message: "Failed reCAPTCHA verification" });
+  let BypassUsers = [mbkautheVar.BypassUsers];
+  if (mbkautheVar.RECAPTCHA_Enabled === "true") {
+    if (!BypassUsers.includes(username)) {
+      if (!recaptcha) {
+        console.log("Missing reCAPTCHA token");
+        return res.status(400).json({ success: false, message: "Please complete the reCAPTCHA" });
+      }
+      try {
+        const response = await fetch(verificationUrl, { method: 'POST' });
+        const body = await response.json();
+        console.log("reCAPTCHA verification response:", body); // Log reCAPTCHA response
+        if (!body.success) {
+          console.log("Failed reCAPTCHA verification");
+          return res.status(400).json({ success: false, message: "Failed reCAPTCHA verification" });
+        }
+      } catch (err) {
+        console.log("Error during reCAPTCHA verification:", err);
+        return res.status(500).json({ success: false, message: "Internal Server Error" });
       }
-    } catch (err) {
-      console.log("Error during reCAPTCHA verification:", err);
-      return res.status(500).json({ success: false, message: "Internal Server Error" });
     }
   }
@@ -238,6 +184,18 @@ router.post("/mbkauthe/api/login", async (req, res) => {
       return res.status(403).json({ success: false, message: "Account is inactive" });
     }
+    if (mbkautheVar.test === "true") {
+      // Check if the user is authorized to use the application
+      if (result.rows[0].Role !== "SuperAdmin") {
+        const allowedApps = result.rows[0].AllowedApps;
+        if (!allowedApps || !allowedApps.includes(mbkautheVar.APP_NAME)) {
+          console.warn(`User \"${req.session.user.username}\" is not authorized to use the application \"${mbkautheVar.APP_NAME}\"`);
+          return res.status(403).json({ success: false, message: `You are not authorized to use the application \"${mbkautheVar.APP_NAME}\"` });
+        }
+      }
+    }
     if ((mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLocaleLowerCase() === "true") {
       let sharedSecret;
       const query = `SELECT "TwoFAStatus", "TwoFASecret" FROM "TwoFA" WHERE "UserName" = $1`;

package/lib/pool.js CHANGED Viewed

@@ -1,25 +1,9 @@
 import pkg from "pg";
 const { Pool } = pkg;
 import dotenv from "dotenv";
 dotenv.config();
 const mbkautheVar = JSON.parse(process.env.mbkautheVar);
-if (!mbkautheVar) {
-  throw new Error("mbkautheVar is not defined");
-}
-const requiredKeys = ["RECAPTCHA_SECRET_KEY", "SESSION_SECRET_KEY", "IS_DEPLOYED", "LOGIN_DB", "MBKAUTH_TWO_FA_ENABLE", "DOMAIN"];
-requiredKeys.forEach(key => {
-  if (!mbkautheVar[key]) {
-    throw new Error(`mbkautheVar.${key} is required`);
-  }
-});
-if (mbkautheVar.COOKIE_EXPIRE_TIME !== undefined) {
-  const expireTime = parseFloat(mbkautheVar.COOKIE_EXPIRE_TIME);
-  if (isNaN(expireTime) || expireTime <= 0) {
-    throw new Error("mbkautheVar.COOKIE_EXPIRE_TIME must be a valid positive number");
-  }
-}
 // PostgreSQL connection pool for pool
 const poolConfig = {

package/lib/validateSessionAndRole.js CHANGED Viewed

@@ -1,6 +1,28 @@
 import { dblogin } from "./pool.js";
+const mbkautheVar = JSON.parse(process.env.mbkautheVar);
 async function validateSession(req, res, next) {
+  // First check if we have a session cookie
+  if (!req.session.user && req.cookies.sessionId) {
+    try {
+      const sessionId = req.cookies.sessionId;
+      const query = `SELECT * FROM "Users" WHERE "SessionId" = $1`;
+      const result = await dblogin.query(query, [sessionId]);
+      if (result.rows.length > 0) {
+        const user = result.rows[0];
+        req.session.user = {
+          id: user.id,
+          username: user.UserName,
+          sessionId,
+        };
+      }
+    } catch (err) {
+      console.error("Session validation error:", err);
+      return res.status(500).json({ success: false, message: "Internal Server Error" });
+    }
+  }
   if (!req.session.user) {
     return res.render("templates/Error/NotLoggedIn.handlebars", {
       currentUrl: req.originalUrl,
@@ -12,37 +34,49 @@ async function validateSession(req, res, next) {
     const query = `SELECT "SessionId", "Active" FROM "Users" WHERE "id" = $1`;
     const result = await dblogin.query(query, [id]);
-    // Check if user exists and session ID matches
     if (result.rows.length === 0 || result.rows[0].SessionId !== sessionId) {
-      console.log(
-        `Session invalidated for user \"${req.session.user.username}\"`
-      );
+      console.log(`Session invalidated for user "${req.session.user.username}"`);
       req.session.destroy();
-      // ...existing code...
+      res.clearCookie("mbkauthe.sid", { domain: `.${mbkautheVar.DOMAIN}` });
+      res.clearCookie("sessionId", { domain: `.${mbkautheVar.DOMAIN}` });
       return res.render("templates/Error/SessionExpire.handlebars", {
         currentUrl: req.originalUrl,
       });
-      // ...existing code...
     }
-    // Check if the user account is inactive
     if (!result.rows[0].Active) {
-      console.log(
-        `Account is inactive for user \"${req.session.user.username}\"`
-      );
+      console.log(`Account is inactive for user "${req.session.user.username}"`);
       req.session.destroy();
-      res.clearCookie("connect.sid");
+      res.clearCookie("mbkauthe.sid", { domain: `.${mbkautheVar.DOMAIN}` });
+      res.clearCookie("sessionId", { domain: `.${mbkautheVar.DOMAIN}` });
       return res.render("templates/Error/AccountInactive.handlebars", {
         currentUrl: req.originalUrl,
       });
     }
-    next(); // Proceed if everything is valid
+    if (mbkautheVar.test === "true") {
+      if (result.rows[0].Role !== "SuperAdmin") {
+        const allowedApps = result.rows[0].AllowedApps;
+        if (!allowedApps || !allowedApps.includes(mbkautheVar.APP_NAME)) {
+          console.warn(
+            `User \"${req.session.user.username}\" is not authorized to use the application \"${mbkautheVar.APP_NAME}\"`
+          );
+          req.session.destroy();
+          res.clearCookie("connect.sid");
+          return res.render("templates/Error/AccountInactive.handlebars", {
+            currentUrl: req.originalUrl,
+          });
+        }
+      }
+    }
+    next();
   } catch (err) {
     console.error("Session validation error:", err);
     res.status(500).json({ success: false, message: "Internal Server Error" });
   }
-}
+}
 const checkRolePermission = (requiredRole) => {
   return async (req, res, next) => {
@@ -86,7 +120,7 @@ const checkRolePermission = (requiredRole) => {
         .json({ success: false, message: "Internal Server Error" });
     }
   };
-};
+};
 const validateSessionAndRole = (requiredRole) => {
   return async (req, res, next) => {
@@ -163,4 +197,4 @@ const authenticate = (authentication) => {
   };
 };
-export { validateSession, checkRolePermission, validateSessionAndRole, getUserData , authenticate};
+export { validateSession, checkRolePermission, validateSessionAndRole, getUserData, authenticate };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "mbkauthe",
-  "version": "1.0.6",
+  "version": "1.0.8",
   "description": "MBKTechStudio's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",