mbkauthe 1.1.18 → 1.2.0

package/README.md

@@ -76,7 +76,7 @@ const app = express();
 app.use(mbkAuthRouter);
 
 app.listen(3000, () => {
-  console.log("Server is running on port 3000");
+  console.log("[mbkauthe] Server is running on port 3000");
 });
 ```
 2. Ensure your `.env` file is properly configured. Refer to the [Configuration Guide(env.md)](env.md) for details.

package/index.js

@@ -35,19 +35,23 @@ if (mbkautheVar.COOKIE_EXPIRE_TIME !== undefined) {
 
 const app = express();
 if (process.env.test === "true") {
-    console.log("Test mode is enabled. Starting server in test mode.");
+    console.log("[mbkauthe] Test mode is enabled. Starting server in test mode.");
     const port = 3000;
     app.use(router);
     app.listen(port, () => {
-        console.log(`Server running on http://localhost:${port}`);
+        console.log(`[mbkauthe] Server running on http://localhost:${port}`);
     });
 }
 
-app.set("views", path.join(__dirname, "node_modules/mbkauthe/views"));
+app.set("views", [
+  path.join(__dirname, "views"),
+  path.join(__dirname, "node_modules/mbkauthe/views")
+]);
 
 app.engine("handlebars", engine({
     defaultLayout: false,
     partialsDir: [
+        path.join(__dirname, "views"),
         path.join(__dirname, "node_modules/mbkauthe/views"),
         path.join(__dirname, "node_modules/mbkauthe/views/Error"),
     ],
@@ -60,7 +64,7 @@ const require = createRequire(import.meta.url);
 const packageJson = require("./package.json");
 const latestVersion = await getLatestVersion();
 if(latestVersion !== packageJson.version) {
-    console.warn(`Warning: The current version (${packageJson.version}) is not the latest version (${latestVersion}). Please update mbkauthe.`);
+    console.warn(`[mbkauthe] Warning: The current version (${packageJson.version}) is not the latest version (${latestVersion}). Please update mbkauthe.`);
 }
 
 export { validateSession, checkRolePermission, validateSessionAndRole, getUserData, authenticate, authapi } from "./lib/validateSessionAndRole.js";

package/lib/main.js

@@ -1,4 +1,5 @@
 import express from "express";
+import csurf from "csurf";
 import crypto from "crypto";
 import session from "express-session";
 import pgSession from "connect-pg-simple";
@@ -28,6 +29,10 @@ router.use(express.json());
 router.use(express.urlencoded({ extended: true }));
 router.use(cookieParser());
 
+// CSRF protection middleware
+const csrfProtection = csurf({ cookie: false });
+
+// CORS and security headers
 router.use((req, res, next) => {
   const origin = req.headers.origin;
   if (origin && origin.endsWith(`.${mbkautheVar.DOMAIN}`)) {
@@ -87,7 +92,7 @@ router.use(async (req, res, next) => {
         };
       }
     } catch (err) {
-      console.error("Session restoration error:", err);
+      console.error("[mbkauthe] Session restoration error:", err);
     }
   }
   next();
@@ -102,6 +107,66 @@ const getCookieOptions = () => ({
   httpOnly: true
 });
 
+async function completeLoginProcess(req, res, user, redirectUrl = null) {
+  try {
+    const sessionId = crypto.randomBytes(256).toString("hex");
+    console.log(`[mbkauthe] Generated session ID for username: ${user.username}`);
+
+    // Delete old session record for this user
+    await dblogin.query('DELETE FROM "session" WHERE username = $1', [user.username]);
+
+    await dblogin.query(`UPDATE "Users" SET "SessionId" = $1 WHERE "id" = $2`, [
+      sessionId,
+      user.id,
+    ]);
+
+    req.session.user = {
+      id: user.id,
+      username: user.username,
+      role: user.role,
+      sessionId,
+    };
+
+    if (req.session.preAuthUser) {
+      delete req.session.preAuthUser;
+    }
+
+    req.session.save(async (err) => {
+      if (err) {
+        console.log("[mbkauthe] Session save error:", err);
+        return res.status(500).json({ success: false, message: "Internal Server Error" });
+      }
+      try {
+        await dblogin.query(
+          'UPDATE "session" SET username = $1 WHERE sid = $2',
+          [user.username, req.sessionID]
+        );
+      } catch (e) {
+        console.log("[mbkauthe] Failed to update username in session table:", e);
+      }
+
+      const cookieOptions = getCookieOptions();
+      res.cookie("sessionId", sessionId, cookieOptions);
+      console.log(`[mbkauthe] User "${user.username}" logged in successfully`);
+
+      const responsePayload = {
+        success: true,
+        message: "Login successful",
+        sessionId,
+      };
+
+      if (redirectUrl) {
+        responsePayload.redirectUrl = redirectUrl;
+      }
+
+      res.status(200).json(responsePayload);
+    });
+  } catch (err) {
+    console.log("[mbkauthe] Error during login completion:", err);
+    res.status(500).json({ success: false, message: "Internal Server Error" });
+  }
+}
+
 router.use(async (req, res, next) => {
   if (req.session && req.session.user) {
     const cookieOptions = getCookieOptions();
@@ -118,7 +183,7 @@ router.post("/mbkauthe/api/terminateAllSessions", authenticate(mbkautheVar.Main_
 
     req.session.destroy((err) => {
       if (err) {
-        console.log("Error destroying session:", err);
+        console.log("[mbkauthe] Error destroying session:", err);
         return res.status(500).json({ success: false, message: "Failed to terminate sessions" });
       }
 
@@ -127,26 +192,26 @@ router.post("/mbkauthe/api/terminateAllSessions", authenticate(mbkautheVar.Main_
       res.clearCookie("sessionId", cookieOptions);
       res.clearCookie("username", cookieOptions);
 
-      console.log("All sessions terminated successfully");
+      console.log("[mbkauthe] All sessions terminated successfully");
       res.status(200).json({
         success: true,
         message: "All sessions terminated successfully",
       });
     });
   } catch (err) {
-    console.log("Database query error during session termination:", err);
+    console.log("[mbkauthe] Database query error during session termination:", err);
     res.status(500).json({ success: false, message: "Internal Server Error" });
   }
 });
 
 router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
-  console.log("Login request received");
+  console.log("[mbkauthe] Login request received");
 
-  const { username, password, token } = req.body;
-  console.log(`Login attempt for username: ${username}`);
+  const { username, password } = req.body;
+  console.log(`[mbkauthe] Login attempt for username: ${username}`);
 
   if (!username || !password) {
-    console.log("Missing username or password");
+    console.log("[mbkauthe] Missing username or password");
     return res.status(400).json({
       success: false,
       message: "Username and password are required",
@@ -158,7 +223,7 @@ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
     const userResult = await dblogin.query(userQuery, [username]);
 
     if (userResult.rows.length === 0) {
-      console.log(`Username does not exist: ${username}`);
+      console.log(`[mbkauthe] Username does not exist: ${username}`);
       return res.status(404).json({ success: false, message: "Incorrect Username Or Password" });
     }
 
@@ -168,114 +233,115 @@ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
       try {
         const result = await bcrypt.compare(password, user.Password);
         if (!result) {
-          console.log("Incorrect password.");
+          console.log("[mbkauthe] Incorrect password.");
           return res.status(401).json({ success: false, errorCode: 603, message: "Incorrect Username Or Password." });
         }
-        console.log("Password matches!");
+        console.log("[mbkauthe] Password matches!");
       } catch (err) {
-        console.error("Error comparing password:", err);
+        console.error("[mbkauthe] Error comparing password:", err);
         return res.status(500).json({ success: false, errorCode: 605, message: `Internal Server Error` });
       }
     } else {
       if (user.Password !== password) {
-        console.log(`Incorrect password for username: ${username}`);
+        console.log(`[mbkauthe] Incorrect password for username: ${username}`);
         return res.status(401).json({ success: false, errorCode: 603, message: "Incorrect Username Or Password" });
       }
     }
 
     if (!user.Active) {
-      console.log(`Inactive account for username: ${username}`);
+      console.log(`[mbkauthe] Inactive account for username: ${username}`);
       return res.status(403).json({ success: false, message: "Account is inactive" });
     }
 
     if (user.Role !== "SuperAdmin") {
       const allowedApps = user.AllowedApps;
       if (!allowedApps || !allowedApps.some(app => app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
-        console.warn(`User \"${user.UserName}\" is not authorized to use the application \"${mbkautheVar.APP_NAME}\"`);
+        console.warn(`[mbkauthe] User \"${user.UserName}\" is not authorized to use the application \"${mbkautheVar.APP_NAME}\"`);
         return res.status(403).json({ success: false, message: `You Are Not Authorized To Use The Application \"${mbkautheVar.APP_NAME}\"` });
       }
     }
 
     if ((mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLocaleLowerCase() === "true") {
-      let sharedSecret;
-      const query = `SELECT "TwoFAStatus", "TwoFASecret" FROM "TwoFA" WHERE "UserName" = $1`;
+      const query = `SELECT "TwoFAStatus" FROM "TwoFA" WHERE "UserName" = $1`;
       const twoFAResult = await dblogin.query(query, [username]);
-      console.log("TwoFA query result:", twoFAResult.rows);
-
-      sharedSecret = twoFAResult.rows[0]?.TwoFASecret;
-      if (twoFAResult.rows.length > 0 && twoFAResult.rows[0].TwoFAStatus && !token) {
-        console.log("2FA code required but not provided");
-        return res.status(401).json({ success: false, message: "Please Enter 2FA code" });
-      }
-
-      if (token && twoFAResult.rows[0]?.TwoFAStatus) {
-        const tokenValidates = speakeasy.totp.verify({
-          secret: sharedSecret,
-          encoding: "base32",
-          token: token,
-          window: 1,
-        });
 
-        if (!tokenValidates) {
-          console.log(`Invalid 2FA code for username: ${username}`);
-          return res.status(401).json({ success: false, message: "Invalid 2FA code" });
-        }
+      if (twoFAResult.rows.length > 0 && twoFAResult.rows[0].TwoFAStatus) {
+        // 2FA is enabled, prompt for token on a separate page
+        req.session.preAuthUser = {
+          id: user.id,
+          username: user.UserName,
+          role: user.Role,
+        };
+        console.log(`[mbkauthe] 2FA required for user: ${username}`);
+        return res.json({ success: true, twoFactorRequired: true });
       }
     }
 
-    const sessionId = crypto.randomBytes(256).toString("hex");
-    console.log(`Generated session ID for username: ${username}`);
-
-    // Delete old session record for this user
-    if (user.SessionId) {
-      await dblogin.query('DELETE FROM "session" WHERE username = $1', [user.UserName]);
-    }
-
-    await dblogin.query(`UPDATE "Users" SET "SessionId" = $1 WHERE "id" = $2`, [
-      sessionId,
-      user.id,
-    ]);
-
-    req.session.user = {
+    // If 2FA is not enabled, proceed with login
+    const userForSession = {
       id: user.id,
       username: user.UserName,
       role: user.Role,
-      sessionId,
     };
+    await completeLoginProcess(req, res, userForSession);
 
-    const cookieOptions = getCookieOptions();
-    res.cookie("sessionId", sessionId, cookieOptions);
-    console.log(req.session.user);
+  } catch (err) {
+    console.log("[mbkauthe] Error during login process:", err);
+    res.status(500).json({ success: false, message: "Internal Server Error" });
+  }
+});
 
+router.get("/mbkauthe/2fa", csrfProtection, (req, res) => {
+  if (!req.session.preAuthUser) {
+    return res.redirect("/mbkauthe/login");
+  }
+  res.render("2fa.handlebars", {
+    layout: false,
+    customURL: mbkautheVar.loginRedirectURL || '/home',
+    csrfToken: req.csrfToken(),
+  });
+});
 
-    // Save session and update username in session table
-    req.session.save(async (err) => {
-      if (err) {
-        console.log("Session save error:", err);
-        return res.status(500).json({ success: false, message: "Internal Server Error" });
-      }
-      try {
-        await dblogin.query(
-          'UPDATE "session" SET username = $1 WHERE sid = $2',
-          [user.UserName, req.sessionID]
-        );
-      } catch (e) {
-        console.log("Failed to update username in session table:", e);
-      }
+router.post("/mbkauthe/api/verify-2fa", async (req, res) => {
+  if (!req.session.preAuthUser) {
+    return res.status(401).json({ success: false, message: "Not authorized. Please login first." });
+  }
 
-      const cookieOptions = getCookieOptions();
-      res.cookie("sessionId", sessionId, cookieOptions);
-      console.log(req.session.user);
+  const { token } = req.body;
+  const { username, id, role } = req.session.preAuthUser;
 
-      console.log(`User "${username}" logged in successfully`);
-      res.status(200).json({
-        success: true,
-        message: "Login successful",
-        sessionId,
-      });
+  if (!token) {
+    return res.status(400).json({ success: false, message: "2FA token is required" });
+  }
+
+  try {
+    const query = `SELECT "TwoFASecret" FROM "TwoFA" WHERE "UserName" = $1`;
+    const twoFAResult = await dblogin.query(query, [username]);
+
+    if (twoFAResult.rows.length === 0 || !twoFAResult.rows[0].TwoFASecret) {
+      return res.status(500).json({ success: false, message: "2FA is not configured correctly." });
+    }
+
+    const sharedSecret = twoFAResult.rows[0].TwoFASecret;
+    const tokenValidates = speakeasy.totp.verify({
+      secret: sharedSecret,
+      encoding: "base32",
+      token: token,
+      window: 1,
     });
+
+    if (!tokenValidates) {
+      console.log(`[mbkauthe] Invalid 2FA code for username: ${username}`);
+      return res.status(401).json({ success: false, message: "Invalid 2FA code" });
+    }
+
+    // 2FA successful, complete login
+    const userForSession = { id, username, role };
+    const redirectUrl = mbkautheVar.loginRedirectURL || '/home';
+    await completeLoginProcess(req, res, userForSession, redirectUrl);
+
   } catch (err) {
-    console.log("Error during login process:", err);
+    console.log("[mbkauthe] Error during 2FA verification:", err);
     res.status(500).json({ success: false, message: "Internal Server Error" });
   }
 });
@@ -293,7 +359,7 @@ router.post("/mbkauthe/api/logout", async (req, res) => {
 
       req.session.destroy((err) => {
         if (err) {
-          console.log("Error destroying session:", err);
+          console.log("[mbkauthe] Error destroying session:", err);
           return res.status(500).json({ success: false, message: "Logout failed" });
         }
 
@@ -302,11 +368,11 @@ router.post("/mbkauthe/api/logout", async (req, res) => {
         res.clearCookie("sessionId", cookieOptions);
         res.clearCookie("username", cookieOptions);
 
-        console.log(`User "${username}" logged out successfully`);
+        console.log(`[mbkauthe] User "${username}" logged out successfully`);
         res.status(200).json({ success: true, message: "Logout successful" });
       });
     } catch (err) {
-      console.log("Database query error during logout:", err);
+      console.log("[mbkauthe] Database query error during logout:", err);
       res.status(500).json({ success: false, message: "Internal Server Error" });
     }
   } else {
@@ -314,7 +380,7 @@ router.post("/mbkauthe/api/logout", async (req, res) => {
   }
 });
 
-router.get("/mbkauthe/login", LoginLimit, (req, res) => {
+router.get("/mbkauthe/login", LoginLimit, csrfProtection, (req, res) => {
   return res.render("loginmbkauthe.handlebars", {
     layout: false,
     customURL: mbkautheVar.loginRedirectURL || '/home',
@@ -322,6 +388,7 @@ router.get("/mbkauthe/login", LoginLimit, (req, res) => {
     username: req.session?.user?.username || '',
     version: packageJson.version,
     appName: mbkautheVar.APP_NAME.toUpperCase(),
+    csrfToken: req.csrfToken(),
   });
 });
 
@@ -334,7 +401,7 @@ async function getLatestVersion() {
     const latestPackageJson = await response.json();
     return latestPackageJson.version;
   } catch (error) {
-    console.error('Error fetching latest version from GitHub:', error);
+    console.error('[mbkauthe] Error fetching latest version from GitHub:', error);
     return null;
   }
 }
@@ -345,7 +412,7 @@ async function getPackageLock() {
   return new Promise((resolve, reject) => {
     fs.readFile(packageLockPath, "utf8", (err, data) => {
       if (err) {
-        console.error("Error reading package-lock.json:", err);
+        console.error("[mbkauthe] Error reading package-lock.json:", err);
         return reject({ success: false, message: "Failed to read package-lock.json" });
       }
       try {
@@ -361,7 +428,7 @@ async function getPackageLock() {
         const rootDependency = packageLock.dependencies?.mbkauthe || {};
         resolve({ mbkautheData, rootDependency });
       } catch (parseError) {
-        console.error("Error parsing package-lock.json:", parseError);
+        console.error("[mbkauthe] Error parsing package-lock.json:", parseError);
         reject("Error parsing package-lock.json");
       }
     });
@@ -409,7 +476,7 @@ router.get(["/mbkauthe/info", "/mbkauthe/i"], LoginLimit, async (_, res) => {
     latestVersion = await getLatestVersion();
     //latestVersion = "Under Development"; // Placeholder for the latest version
   } catch (err) {
-    console.error("Error fetching package-lock.json:", err);
+    console.error("[mbkauthe] Error fetching package-lock.json:", err);
     pkgl = { error: "Failed to fetch package-lock.json" };
   }
 
@@ -781,7 +848,7 @@ router.get(["/mbkauthe/info", "/mbkauthe/i"], LoginLimit, async (_, res) => {
               btn.innerHTML = '<span class="tooltiptext">Copy to clipboard</span>' + originalText.replace('✓ Copied', 'Copy JSON');
             }, 2000);
           }).catch(err => {
-            console.error('Failed to copy text: ', err);
+            console.error('[mbkauthe] Failed to copy text: ', err);
           });
         }
       </script>
@@ -789,7 +856,7 @@ router.get(["/mbkauthe/info", "/mbkauthe/i"], LoginLimit, async (_, res) => {
   </html>
         `);
   } catch (err) {
-    console.error("Error fetching version information:", err);
+    console.error("[mbkauthe] Error fetching version information:", err);
     res.status(500).send(`
             <html>
                 <head>

package/lib/pool.js

@@ -39,9 +39,8 @@ export const dblogin = new Pool(poolConfig);
 (async () => {
   try {
     const client = await dblogin.connect();
-    console.log("Connected to  PostgreSQL database (pool)!");
     client.release();
   } catch (err) {
-    console.error("Database connection error (pool):", err);
+    console.error("[mbkauthe] Database connection error (pool):", err);
   }
 })();