mbkauthe 1.3.4 → 1.4.0

package/docs/db.md

@@ -28,12 +28,12 @@ Ensure your `user_github` table exists with these columns:
 ```sql
 CREATE TABLE user_github (
     id SERIAL PRIMARY KEY,
-    user_name VARCHAR(255) REFERENCES "Users"("UserName"),
-    github_id VARCHAR(255) UNIQUE NOT NULL,
+    user_name VARCHAR(50) REFERENCES "Users"("UserName"),
+    github_id VARCHAR(255) UNIQUE,
     github_username VARCHAR(255),
-    access_token TEXT,
-    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
-    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+    access_token VARCHAR(255),
+    created_at TimeStamp WITH TIME ZONE DEFAULT NOW(),
+    updated_at TimeStamp WITH TIME ZONE DEFAULT NOW()
 );
 ```
 
@@ -149,18 +149,32 @@ The GitHub login feature is now fully integrated into your mbkauthe system and r
   - `AllowedApps`(JSONB): 
 
 - **Schema:**
-  ```sql
-  CREATE TABLE "Users" (
-      id INTEGER PRIMARY KEY GENERATED ALWAYS AS IDENTITY,
-      "UserName" TEXT NOT NULL,
-      "Password" TEXT NOT NULL,
-      "Role" TEXT CHECK("Role" IN ('SuperAdmin', 'NormalUser', 'Guest')) NOT NULL DEFAULT 'NormalUser'::text,
-      "Active" BOOLEAN NOT NULL DEFAULT true,
-      "HaveMailAccount" BOOLEAN NOT NULL DEFAULT false,
-      "SessionId" TEXT,
-      "AllowedApps" JSONB DEFAULT '["mbkauthe"]'::jsonb
-  );
-  ```
+```sql
+CREATE TYPE role AS ENUM ('SuperAdmin', 'NormalUser', 'Guest');
+
+CREATE TABLE "Users" (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    "UserName" VARCHAR(50) NOT NULL UNIQUE,
+    "Password" VARCHAR(61) NOT NULL, -- For bcrypt hash
+    "Role" role DEFAULT 'NormalUser' NOT NULL,
+    "Active" BOOLEAN DEFAULT FALSE,
+    "HaveMailAccount" BOOLEAN DEFAULT FALSE,
+    "AllowedApps" JSONB DEFAULT '["mbkauthe", "portal"]',
+    "SessionId" VARCHAR(213),
+    "IsOnline" BOOLEAN DEFAULT FALSE,
+    "created_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    "last_login" TIMESTAMP WITH TIME ZONE
+);
+
+-- Add indexes for Users table
+CREATE INDEX IF NOT EXISTS idx_users_session_id ON "Users" ("SessionId")
+CREATE INDEX idx_users_username ON "Users" USING BTREE ("UserName");
+CREATE INDEX idx_users_role ON "Users" USING BTREE ("Role");
+CREATE INDEX idx_users_active ON "Users" USING BTREE ("Active");
+CREATE INDEX idx_users_isonline ON "Users" USING BTREE ("IsOnline");
+CREATE INDEX idx_users_last_login ON "Users" USING BTREE (last_login);
+```
 
 ### Session Table
 
@@ -171,13 +185,20 @@ The GitHub login feature is now fully integrated into your mbkauthe system and r
   - `expire` (TIMESTAMP): Expiration timestamp for the session.
 
 - **Schema:**
-  ```sql
-  CREATE TABLE session (
-          sid VARCHAR PRIMARY KEY,
-          sess JSON NOT NULL,
-          expire TIMESTAMP NOT NULL
-  );
-  ```
+```sql
+CREATE TABLE "session" (
+    sid VARCHAR(33) PRIMARY KEY NOT NULL,
+    sess JSONB NOT NULL,
+    expire TimeStamp WITH TIME ZONE Not Null,
+    "UserName" VARCHAR(50) REFERENCES "Users"("UserName"),
+    last_activity TimeStamp WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
+);
+
+-- Add indexes for session table
+CREATE INDEX idx_session_expire ON "session" USING BTREE (expire);
+CREATE INDEX idx_session_username ON "session" USING BTREE ("UserName");
+CREATE INDEX idx_session_last_activity ON "session" USING BTREE (last_activity);
+```
 
 ### Two-Factor Authentication Table
 
@@ -188,13 +209,15 @@ The GitHub login feature is now fully integrated into your mbkauthe system and r
   - `TwoFASecret` (TEXT): The secret key used for two-factor authentication.
 
 - **Schema:**
-  ```sql
-  CREATE TABLE "TwoFA" (
-          "UserName" TEXT NOT NULL PRIMARY KEY,
-          "TwoFAStatus" TEXT NOT NULL DEFAULT false,
-          "TwoFASecret" TEXT NOT NULL
-  );
-  ```
+```sql
+CREATE TABLE "TwoFA" (
+    "UserName" VARCHAR(50) primary key REFERENCES "Users"("UserName"),
+    "TwoFAStatus" boolean NOT NULL,
+    "TwoFASecret" TEXT
+    );
+
+CREATE INDEX IF NOT EXISTS idx_twofa_username ON "TwoFA" ("UserName")
+```
 
 ### Query to Add a User
 

package/index.js

@@ -34,10 +34,21 @@ if (mbkautheVar.COOKIE_EXPIRE_TIME !== undefined) {
 }
 
 const app = express();
-if (process.env.test === "true") {
-    console.log("[mbkauthe] Test mode is enabled. Starting server in test mode.");
+if (process.env.test === "dev") {
+    console.log("[mbkauthe] Dev mode is enabled. Starting server in dev mode.");
     const port = 5555;
     app.use(router);
+    app.use((req, res) => {
+        console.log(`Path not found: ${req.method} ${req.url}`);
+        return res.status(404).render("Error/dError.handlebars", {
+            layout: false,
+            code: 404,
+            error: "Not Found",
+            message: "The requested page was not found.",
+            pagename: "Home",
+            page: "/mbkauthe/login",
+        });
+    });
     app.listen(port, () => {
         console.log(`[mbkauthe] Server running on http://localhost:${port}`);
     });

package/lib/main.js

@@ -31,6 +31,10 @@ router.use(express.json());
 router.use(express.urlencoded({ extended: true }));
 router.use(cookieParser());
 
+router.get('/mbkauthe/main.js', (req, res) => {
+  res.sendFile(path.join(process.cwd(), 'public', 'main.js'));
+});
+
 // CSRF protection middleware
 const csrfProtection = csurf({ cookie: false });
 
@@ -55,6 +59,18 @@ const LoginLimit = rateLimit({
   }
 });
 
+const LogoutLimit = rateLimit({
+  windowMs: 1 * 60 * 1000,
+  max: 10,
+  message: { success: false, message: "Too many logout attempts, please try again later" }
+});
+
+const TwoFALimit = rateLimit({
+  windowMs: 1 * 60 * 1000,
+  max: 5,
+  message: { success: false, message: "Too many 2FA attempts, please try again later" }
+});
+
 const sessionConfig = {
   store: new PgSession({
     pool: dblogin,
@@ -79,11 +95,19 @@ const sessionConfig = {
 router.use(session(sessionConfig));
 
 router.use(async (req, res, next) => {
+  // Only restore session if not already present and sessionId cookie exists
   if (!req.session.user && req.cookies.sessionId) {
     try {
       const sessionId = req.cookies.sessionId;
-      const query = `SELECT * FROM "Users" WHERE "SessionId" = $1`;
-      const result = await dblogin.query(query, [sessionId]);
+
+      // Validate sessionId format (should be 64 hex characters)
+      if (typeof sessionId !== 'string' || !/^[a-f0-9]{64}$/i.test(sessionId)) {
+        console.warn("[mbkauthe] Invalid sessionId format detected");
+        return next();
+      }
+
+      const query = `SELECT id, "UserName", "Active", "Role", "SessionId", "AllowedApps" FROM "Users" WHERE "SessionId" = $1 AND "Active" = true`;
+      const result = await dblogin.query({ name: 'get-user-by-sessionid', text: query, values: [sessionId] });
 
       if (result.rows.length > 0) {
         const user = result.rows[0];
@@ -91,7 +115,10 @@ router.use(async (req, res, next) => {
           id: user.id,
           username: user.UserName,
           UserName: user.UserName,
+          role: user.Role,
+          Role: user.Role,
           sessionId,
+          allowedApps: user.AllowedApps,
         };
       }
     } catch (err) {
@@ -110,9 +137,18 @@ const getCookieOptions = () => ({
   httpOnly: true
 });
 
+const getClearCookieOptions = () => ({
+  domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
+  secure: mbkautheVar.IS_DEPLOYED === 'true' ? 'auto' : false,
+  sameSite: 'lax',
+  path: '/',
+  httpOnly: true
+});
+
 async function completeLoginProcess(req, res, user, redirectUrl = null) {
   try {
-    const sessionId = crypto.randomBytes(256).toString("hex");
+    // smaller session id is sufficient and faster to generate/serialize
+    const sessionId = crypto.randomBytes(32).toString("hex");
     console.log(`[mbkauthe] Generated session ID for username: ${user.username}`);
 
     // Delete old session record for this user
@@ -138,17 +174,11 @@ async function completeLoginProcess(req, res, user, redirectUrl = null) {
 
     req.session.save(async (err) => {
       if (err) {
-        console.log("[mbkauthe] Session save error:", err);
+        console.error("[mbkauthe] Session save error:", err);
         return res.status(500).json({ success: false, message: "Internal Server Error" });
       }
-      try {
-        await dblogin.query(
-          'UPDATE "session" SET username = $1 WHERE sid = $2',
-          [user.username, req.sessionID]
-        );
-      } catch (e) {
-        console.log("[mbkauthe] Failed to update username in session table:", e);
-      }
+      // avoid writing back into the session table here to reduce DB writes;
+      // the pg session store will already persist the session data.
 
       const cookieOptions = getCookieOptions();
       res.cookie("sessionId", sessionId, cookieOptions);
@@ -167,7 +197,7 @@ async function completeLoginProcess(req, res, user, redirectUrl = null) {
       res.status(200).json(responsePayload);
     });
   } catch (err) {
-    console.log("[mbkauthe] Error during login completion:", err);
+    console.error("[mbkauthe] Error during login completion:", err);
     res.status(500).json({ success: false, message: "Internal Server Error" });
   }
 }
@@ -175,8 +205,11 @@ async function completeLoginProcess(req, res, user, redirectUrl = null) {
 router.use(async (req, res, next) => {
   if (req.session && req.session.user) {
     const cookieOptions = getCookieOptions();
-    res.cookie("username", req.session.user.username, { ...cookieOptions, httpOnly: false });
-    res.cookie("sessionId", req.session.user.sessionId, cookieOptions);
+    // Only set cookies if they're missing or different
+    if (req.cookies.sessionId !== req.session.user.sessionId) {
+      res.cookie("username", req.session.user.username, { ...cookieOptions, httpOnly: false });
+      res.cookie("sessionId", req.session.user.sessionId, cookieOptions);
+    }
   }
   next();
 });
@@ -192,7 +225,7 @@ router.post("/mbkauthe/api/terminateAllSessions", authenticate(mbkautheVar.Main_
         return res.status(500).json({ success: false, message: "Failed to terminate sessions" });
       }
 
-      const cookieOptions = getCookieOptions();
+      const cookieOptions = getClearCookieOptions();
       res.clearCookie("mbkauthe.sid", cookieOptions);
       res.clearCookie("sessionId", cookieOptions);
       res.clearCookie("username", cookieOptions);
@@ -204,7 +237,7 @@ router.post("/mbkauthe/api/terminateAllSessions", authenticate(mbkautheVar.Main_
       });
     });
   } catch (err) {
-    console.log("[mbkauthe] Database query error during session termination:", err);
+    console.error("[mbkauthe] Database query error during session termination:", err);
     res.status(500).json({ success: false, message: "Internal Server Error" });
   }
 });
@@ -213,8 +246,8 @@ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
   console.log("[mbkauthe] Login request received");
 
   const { username, password } = req.body;
-  console.log(`[mbkauthe] Login attempt for username: ${username}`);
 
+  // Input validation
   if (!username || !password) {
     console.log("[mbkauthe] Missing username or password");
     return res.status(400).json({
@@ -223,17 +256,45 @@ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
     });
   }
 
+  // Validate username format and length
+  if (typeof username !== 'string' || username.trim().length === 0 || username.length > 255) {
+    console.warn("[mbkauthe] Invalid username format");
+    return res.status(400).json({
+      success: false,
+      message: "Invalid username format",
+    });
+  }
+
+  // Validate password length
+  if (typeof password !== 'string' || password.length < 8 || password.length > 255) {
+    console.warn("[mbkauthe] Invalid password length");
+    return res.status(400).json({
+      success: false,
+      message: "Password must be at least 8 characters long",
+    });
+  }
+
+  console.log(`[mbkauthe] Login attempt for username: ${username.trim()}`);
+
+  const trimmedUsername = username.trim();
+
   try {
-    const userQuery = `SELECT * FROM "Users" WHERE "UserName" = $1`;
-    const userResult = await dblogin.query(userQuery, [username]);
+    const userQuery = `SELECT id, "UserName", "Password", "Active", "Role", "AllowedApps" FROM "Users" WHERE "UserName" = $1`;
+    const userResult = await dblogin.query({ name: 'get-user-by-username', text: userQuery, values: [trimmedUsername] });
 
     if (userResult.rows.length === 0) {
-      console.log(`[mbkauthe] Username does not exist: ${username}`);
+      console.log(`[mbkauthe] Username does not exist: ${trimmedUsername}`);
       return res.status(404).json({ success: false, message: "Incorrect Username Or Password" });
     }
 
     const user = userResult.rows[0];
 
+    // Validate user has password field
+    if (!user.Password) {
+      console.error("[mbkauthe] User account has no password set");
+      return res.status(500).json({ success: false, message: "Internal Server Error" });
+    }
+
     if (mbkautheVar.EncryptedPassword === "true") {
       try {
         const result = await bcrypt.compare(password, user.Password);
@@ -248,13 +309,13 @@ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
       }
     } else {
       if (user.Password !== password) {
-        console.log(`[mbkauthe] Incorrect password for username: ${username}`);
+        console.log(`[mbkauthe] Incorrect password for username: ${trimmedUsername}`);
         return res.status(401).json({ success: false, errorCode: 603, message: "Incorrect Username Or Password" });
       }
     }
 
     if (!user.Active) {
-      console.log(`[mbkauthe] Inactive account for username: ${username}`);
+      console.log(`[mbkauthe] Inactive account for username: ${trimmedUsername}`);
       return res.status(403).json({ success: false, message: "Account is inactive" });
     }
 
@@ -268,7 +329,7 @@ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
 
     if ((mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLocaleLowerCase() === "true") {
       const query = `SELECT "TwoFAStatus" FROM "TwoFA" WHERE "UserName" = $1`;
-      const twoFAResult = await dblogin.query(query, [username]);
+      const twoFAResult = await dblogin.query({ name: 'get-2fa-status', text: query, values: [trimmedUsername] });
 
       if (twoFAResult.rows.length > 0 && twoFAResult.rows[0].TwoFAStatus) {
         // 2FA is enabled, prompt for token on a separate page
@@ -276,9 +337,9 @@ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
           id: user.id,
           username: user.UserName,
           role: user.Role,
-          Role: user.role,
+          Role: user.Role,
         };
-        console.log(`[mbkauthe] 2FA required for user: ${username}`);
+        console.log(`[mbkauthe] 2FA required for user: ${trimmedUsername}`);
         return res.json({ success: true, twoFactorRequired: true });
       }
     }
@@ -288,12 +349,12 @@ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
       id: user.id,
       username: user.UserName,
       role: user.Role,
-      Role: user.role,
+      Role: user.Role,
     };
     await completeLoginProcess(req, res, userForSession);
 
   } catch (err) {
-    console.log("[mbkauthe] Error during login process:", err);
+    console.error("[mbkauthe] Error during login process:", err);
     res.status(500).json({ success: false, message: "Internal Server Error" });
   }
 });
@@ -309,7 +370,7 @@ router.get("/mbkauthe/2fa", csrfProtection, (req, res) => {
   });
 });
 
-router.post("/mbkauthe/api/verify-2fa", async (req, res) => {
+router.post("/mbkauthe/api/verify-2fa", TwoFALimit, csrfProtection, async (req, res) => {
   if (!req.session.preAuthUser) {
     return res.status(401).json({ success: false, message: "Not authorized. Please login first." });
   }
@@ -317,10 +378,17 @@ router.post("/mbkauthe/api/verify-2fa", async (req, res) => {
   const { token } = req.body;
   const { username, id, role } = req.session.preAuthUser;
 
-  if (!token) {
+  // Validate 2FA token
+  if (!token || typeof token !== 'string') {
     return res.status(400).json({ success: false, message: "2FA token is required" });
   }
 
+  // Validate token format (should be 6 digits)
+  const sanitizedToken = token.trim();
+  if (!/^\d{6}$/.test(sanitizedToken)) {
+    return res.status(400).json({ success: false, message: "Invalid 2FA token format" });
+  }
+
   try {
     const query = `SELECT "TwoFASecret" FROM "TwoFA" WHERE "UserName" = $1`;
     const twoFAResult = await dblogin.query(query, [username]);
@@ -333,7 +401,7 @@ router.post("/mbkauthe/api/verify-2fa", async (req, res) => {
     const tokenValidates = speakeasy.totp.verify({
       secret: sharedSecret,
       encoding: "base32",
-      token: token,
+      token: sanitizedToken,
       window: 1,
     });
 
@@ -348,12 +416,12 @@ router.post("/mbkauthe/api/verify-2fa", async (req, res) => {
     await completeLoginProcess(req, res, userForSession, redirectUrl);
 
   } catch (err) {
-    console.log("[mbkauthe] Error during 2FA verification:", err);
+    console.error("[mbkauthe] Error during 2FA verification:", err);
     res.status(500).json({ success: false, message: "Internal Server Error" });
   }
 });
 
-router.post("/mbkauthe/api/logout", async (req, res) => {
+router.post("/mbkauthe/api/logout", LogoutLimit, csrfProtection, async (req, res) => {
   if (req.session.user) {
     try {
       const { id, username } = req.session.user;
@@ -366,11 +434,11 @@ router.post("/mbkauthe/api/logout", async (req, res) => {
 
       req.session.destroy((err) => {
         if (err) {
-          console.log("[mbkauthe] Error destroying session:", err);
+          console.error("[mbkauthe] Error destroying session:", err);
           return res.status(500).json({ success: false, message: "Logout failed" });
         }
 
-        const cookieOptions = getCookieOptions();
+        const cookieOptions = getClearCookieOptions();
         res.clearCookie("mbkauthe.sid", cookieOptions);
         res.clearCookie("sessionId", cookieOptions);
         res.clearCookie("username", cookieOptions);
@@ -379,7 +447,7 @@ router.post("/mbkauthe/api/logout", async (req, res) => {
         res.status(200).json({ success: true, message: "Logout successful" });
       });
     } catch (err) {
-      console.log("[mbkauthe] Database query error during logout:", err);
+      console.error("[mbkauthe] Database query error during logout:", err);
       res.status(500).json({ success: false, message: "Internal Server Error" });
     }
   } else {
@@ -404,7 +472,7 @@ async function getLatestVersion() {
   try {
     const response = await fetch('https://raw.githubusercontent.com/MIbnEKhalid/mbkauthe/main/package.json');
     if (!response.ok) {
-      console.Error(`GitHub API responded with status ${response.status}`);
+      console.error(`GitHub API responded with status ${response.status}`);
       return "0.0.0";
     }
     const latestPackageJson = await response.json();
@@ -561,7 +629,7 @@ router.get('/mbkauthe/api/github/login/callback',
             };
 
             // Generate session and complete login
-            const sessionId = crypto.randomBytes(256).toString("hex");
+            const sessionId = crypto.randomBytes(32).toString("hex");
             console.log(`[mbkauthe] GitHub login: Generated session ID for username: ${user.UserName}`);
 
             // Delete old session record for this user

package/lib/pool.js

@@ -15,15 +15,15 @@ if (!mbkautheVar) {
 }
 const requiredKeys = ["APP_NAME", "SESSION_SECRET_KEY", "IS_DEPLOYED", "LOGIN_DB", "MBKAUTH_TWO_FA_ENABLE", "DOMAIN"];
 requiredKeys.forEach(key => {
-    if (!mbkautheVar[key]) {
-        throw new Error(`mbkautheVar.${key} is required`);
-    }
+  if (!mbkautheVar[key]) {
+    throw new Error(`mbkautheVar.${key} is required`);
+  }
 });
 if (mbkautheVar.COOKIE_EXPIRE_TIME !== undefined) {
-    const expireTime = parseFloat(mbkautheVar.COOKIE_EXPIRE_TIME);
-    if (isNaN(expireTime) || expireTime <= 0) {
-        throw new Error("mbkautheVar.COOKIE_EXPIRE_TIME must be a valid positive number");
-    }
+  const expireTime = parseFloat(mbkautheVar.COOKIE_EXPIRE_TIME);
+  if (isNaN(expireTime) || expireTime <= 0) {
+    throw new Error("mbkautheVar.COOKIE_EXPIRE_TIME must be a valid positive number");
+  }
 }
 
 const poolConfig = {
@@ -32,6 +32,13 @@ const poolConfig = {
     rejectUnauthorized: true,
   },
 
+  // Connection pool tuning for serverless/ephemeral environments (Vercel)
+  // - keep max small to avoid exhausting DB connections
+  // - reduce idle time so connections are returned sooner
+  // - set a short connection timeout to fail fast
+  max: 10,
+  idleTimeoutMillis: 50000,
+  connectionTimeoutMillis: 5000,
 };
 
 export const dblogin = new Pool(poolConfig);