mbkauthe 1.4.1 → 2.0.0

package/lib/validateSessionAndRole.js

@@ -1,11 +1,10 @@
 import { dblogin } from "./pool.js";
 const mbkautheVar = JSON.parse(process.env.mbkautheVar);
-let pool = dblogin;
 
 const getCookieOptions = () => ({
   maxAge: mbkautheVar.COOKIE_EXPIRE_TIME * 24 * 60 * 60 * 1000,
   domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
-  secure: mbkautheVar.IS_DEPLOYED === 'true' ? 'auto' : false,
+  secure: mbkautheVar.IS_DEPLOYED === 'true',
   sameSite: 'lax',
   path: '/',
   httpOnly: true
@@ -13,44 +12,13 @@ const getCookieOptions = () => ({
 
 const getClearCookieOptions = () => ({
   domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
-  secure: mbkautheVar.IS_DEPLOYED === 'true' ? 'auto' : false,
+  secure: mbkautheVar.IS_DEPLOYED === 'true',
   sameSite: 'lax',
   path: '/',
   httpOnly: true
 });
 
 async function validateSession(req, res, next) {
-  if (!req.session.user && req.cookies.sessionId) {
-    try {
-      const sessionId = req.cookies.sessionId;
-
-      // Validate sessionId format (should be 64 hex characters)
-      if (typeof sessionId !== 'string' || !/^[a-f0-9]{64}$/i.test(sessionId)) {
-        console.warn("[mbkauthe] Invalid sessionId format detected");
-        return next();
-      }
-
-      const query = `SELECT id, "UserName", "Active", "Role", "SessionId", "AllowedApps" FROM "Users" WHERE "SessionId" = $1 AND "Active" = true`;
-      const result = await dblogin.query({ name: 'get-user-by-sessionid', text: query, values: [sessionId] });
-
-      if (result.rows.length > 0) {
-        const user = result.rows[0];
-        req.session.user = {
-          id: user.id,
-          username: user.UserName,
-          UserName: user.UserName,
-          role: user.Role,
-          Role: user.Role,
-          sessionId,
-          allowedApps: user.AllowedApps,
-        };
-      }
-    } catch (err) {
-      console.error("[mbkauthe] Session validation error:", err);
-      return res.status(500).json({ success: false, message: "Internal Server Error" });
-    }
-  }
-
   if (!req.session.user) {
     console.log("[mbkauthe] User not authenticated");
     console.log("[mbkauthe]: ", req.session.user);
@@ -67,11 +35,14 @@ async function validateSession(req, res, next) {
   try {
     const { id, sessionId, role, allowedApps } = req.session.user;
 
-    // Fetch only SessionId and Active status for validation (reduced query)
+    // Normalize sessionId to lowercase for consistent comparison
+    const normalizedSessionId = sessionId.toLowerCase();
+
+    // Single optimized query to validate session
     const query = `SELECT "SessionId", "Active" FROM "Users" WHERE "id" = $1`;
-    const result = await dblogin.query({ name: 'get-user-by-id', text: query, values: [id] });
+    const result = await dblogin.query({ name: 'validate-user-session', text: query, values: [id] });
 
-    if (result.rows.length === 0 || result.rows[0].SessionId !== sessionId) {
+    if (result.rows.length === 0 || result.rows[0].SessionId.toLowerCase() !== normalizedSessionId) {
       console.log(`[mbkauthe] Session invalidated for user "${req.session.user.username}"`);
       req.session.destroy();
       const cookieOptions = getClearCookieOptions();
@@ -101,7 +72,7 @@ async function validateSession(req, res, next) {
         error: "Account Inactive",
         message: "Your Account Is Inactive. Please Contact Support.",
         pagename: "Support",
-        page: "https://mbktechstudio.com/Support",
+        page: "https://mbktech.org/Support",
       });
     }
 
@@ -131,12 +102,11 @@ async function validateSession(req, res, next) {
   }
 }
 
-const checkRolePermission = (requiredRole, notAllowed) => {
+const checkRolePermission = (requiredRoles, notAllowed) => {
   return async (req, res, next) => {
     try {
       if (!req.session || !req.session.user || !req.session.user.id) {
         console.log("[mbkauthe] User not authenticated");
-        console.log("[mbkauthe]: ", req.session);
         return res.render("Error/dError.handlebars", {
           layout: false,
           code: 401,
@@ -150,10 +120,10 @@ const checkRolePermission = (requiredRole, notAllowed) => {
       const userId = req.session.user.id;
 
       const query = `SELECT "Role" FROM "Users" WHERE "id" = $1`;
-      const result = await dblogin.query({ name: 'get-role-by-id', text: query, values: [userId] });
+      const result = await dblogin.query({ name: 'check-role-permission', text: query, values: [userId] });
 
       if (result.rows.length === 0) {
-        return res.status(401).json({ success: false, message: "User not found" });
+        return res.status(401).json({ success: false, message: "Authentication failed" });
       }
 
       const userRole = result.rows[0].Role;
@@ -164,22 +134,27 @@ const checkRolePermission = (requiredRole, notAllowed) => {
           layout: false,
           code: 403,
           error: "Access Denied",
-          message: `You are not allowed to access this resource with role: ${notAllowed}`,
+          message: "You are not allowed to access this resource",
           pagename: "Home",
           page: `/${mbkautheVar.loginRedirectURL}`
         });
       }
 
-      if (requiredRole === "Any" || requiredRole === "any") {
+      // Convert to array if single role provided
+      const rolesArray = Array.isArray(requiredRoles) ? requiredRoles : [requiredRoles];
+
+      // Check for "Any" or "any" role
+      if (rolesArray.includes("Any") || rolesArray.includes("any")) {
         return next();
       }
 
-      if (userRole !== requiredRole) {
+      // Check if user role is in allowed roles
+      if (!rolesArray.includes(userRole)) {
         return res.render("Error/dError.handlebars", {
           layout: false,
           code: 403,
           error: "Access Denied",
-          message: `You do not have permission to access this resource. Required role: ${requiredRole}`,
+          message: "You do not have permission to access this resource",
           pagename: "Home",
           page: `/${mbkautheVar.loginRedirectURL}`
         });
@@ -253,7 +228,7 @@ const authapi = (requiredRole = []) => {
           LIMIT 1
         `;
 
-        const result = await pool.query(jointQuery, [token]);
+        const result = await dblogin.query({ name: 'validate-api-key', text: jointQuery, values: [token] });
 
         if (result.rows.length === 0) {
           console.warn("[mbkauthe] [authapi] Invalid token or associated user inactive");

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "mbkauthe",
-  "version": "1.4.1",
-  "description": "MBKTechStudio's reusable authentication system for Node.js applications.",
+  "version": "2.0.0",
+  "description": "MBKTech's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",
   "scripts": {
-    "dev": "set test=dev&& nodemon index.js"
+    "dev": "cross-env test=dev nodemon index.js"
   },
   "repository": {
     "type": "git",
@@ -41,12 +41,15 @@
     "express-session": "^1.18.1",
     "marked": "^15.0.11",
     "node-fetch": "^3.3.2",
+    "passport": "^0.7.0",
+    "passport-github2": "^0.1.12",
     "path": "^0.12.7",
     "pg": "^8.14.1",
     "speakeasy": "^2.0.0",
     "url": "^0.11.4"
   },
   "devDependencies": {
+    "cross-env": "^7.0.3",
     "nodemon": "^3.1.11"
   }
 }

package/public/main.js

@@ -5,9 +5,7 @@ async function logout() {
   }
 
   try {
-    // Clear all caches before logging out (except rememberedUsername)
-    await nuclearCacheClear();
-
+    // First, logout from server
     const response = await fetch("/mbkauthe/api/logout", {
       method: "POST",
       headers: {
@@ -20,15 +18,15 @@ async function logout() {
     const result = await response.json();
 
     if (response.ok) {
-      alert(result.message);
-      // Force a full page reload with cache bypass
-      window.location.href = window.location.origin;
+      // Then clear all caches after successful logout (except rememberedUsername)
+      await nuclearCacheClear();
+      // nuclearCacheClear already redirects, so no need for additional redirect
     } else {
       alert(result.message);
     }
   } catch (error) {
     console.error("Error during logout:", error);
-    alert("Logout failed");
+    alert(`Logout failed: ${error.message}`);
   }
 }
 

package/views/2fa.handlebars

@@ -5,13 +5,13 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <meta name="description"
-        content="Log in to portal.mbktechstudio.com to access your resources and manage projects securely.">
+        content="Log in to portal.mbktech.org to access your resources and manage projects securely.">
     <meta name="keywords" content="MBK Tech Studio, Web-Portal, Web, Portal, Admin-Panel, Admin, login">
     <meta property="og:title" content="Login | MBK Tech Studio" />
-    <meta property="og:image" content="https://www.mbktechstudio.com/Assets/Images/Icon/logo.png" />
+    <meta property="og:image" content="https://mbktech.org/Assets/Images/Icon/logo.png" />
     <meta property="og:url" content="/mbkauthe/2fa">
     <title>2FA | MBK Tech Studio Portal</title>
-    <link rel="icon" type="image/x-icon" href="https://mbktechstudio.com/Assets/Images/Icon/dgicon.svg">
+    <link rel="icon" type="image/x-icon" href="https://mbktech.org/Assets/Images/Icon/dgicon.svg">
     <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
     {{> sharedStyles}}
 </head>
@@ -28,7 +28,7 @@
                         </path>
                     </g>
                 </svg>
-                <span class="logo-text">{{appName}} <span class="logo-comp">MBKTECHStudio</span></span>
+                <span class="logo-text">{{appName}} <span class="logo-comp">mbktech</span></span>
             </a>
         </div>
     </header>
@@ -63,10 +63,10 @@
 
                 <p class="terms-info">
                     By logging in, you agree to our
-                    <a href="https://portal.mbktechstudio.com/info/Terms&Conditions" target="_blank"
+                    <a href="https://portal.mbktech.org/info/Terms&Conditions" target="_blank"
                         class="terms-link">Terms & Conditions</a>
                     and
-                    <a href="https://portal.mbktechstudio.com/info/PrivacyPolicy" target="_blank"
+                    <a href="https://portal.mbktech.org/info/PrivacyPolicy" target="_blank"
                         class="terms-link">Privacy Policy</a>.
                 </p>
             </form>

package/views/Error/dError.handlebars

@@ -5,7 +5,7 @@
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>{{code}} - {{error}}</title>
-  <link rel="icon" type="image/x-icon" href="https://mbktechstudio.com/Assets/Images/Icon/dgicon.svg">
+  <link rel="icon" type="image/x-icon" href="https://mbktech.org/Assets/Images/Icon/dgicon.svg">
   <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
   {{> sharedStyles}}
   <style>
@@ -186,8 +186,8 @@
             </path>
           </g>
         </svg>
-        <span class="logo-text">{{#if app}}{{app}}{{else}}MBK Authe{{/if}} <span
-            class="logo-comp">MBKTECHStudio</span></span>
+        <span class="logo-text">{{#if app}}{{app}}{{else}}mbkauthe{{/if}} <span
+            class="logo-comp">mbktech</span></span>
       </a>
     </div>
   </header>

package/views/info.handlebars

@@ -5,7 +5,7 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Version and Configuration Information</title>
-    <link rel="icon" type="image/x-icon" href="https://mbktechstudio.com/Assets/Images/Icon/dgicon.svg">
+    <link rel="icon" type="image/x-icon" href="https://mbktech.org/Assets/Images/Icon/dgicon.svg">
     <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
     {{> sharedStyles}}
     <style>
@@ -184,7 +184,7 @@
                         </path>
                     </g>
                 </svg>
-                <span class="logo-text">{{mbkautheVar.APP_NAME}} <span class="logo-comp">MBKTECHStudio</span></span>
+                <span class="logo-text">{{mbkautheVar.APP_NAME}} <span class="logo-comp">mbktech</span></span>
             </a>
         </div>
     </header>
@@ -224,6 +224,16 @@
                     <div class="info-value">{{mbkautheVar.APP_NAME}}</div>
                 </div>
                 <div class="info-row">
+                    <div class="info-label">Domain:</div>
+                    <div class="info-value">{{mbkautheVar.DOMAIN}}</div>
+                </div>
+                <div class="info-row">
+                    <div class="info-label">Login Redirect URL:</div>
+                    <div class="info-value">{{mbkautheVar.loginRedirectURL}}</div>
+                </div>
+                {{#if authorized}}
+                
+                 <div class="info-row">
                     <div class="info-label">Two Factor Authentication:</div>
                     <div class="info-value">{{mbkautheVar.MBKAUTH_TWO_FA_ENABLE}}</div>
                 </div>
@@ -235,14 +245,7 @@
                     <div class="info-label">Deployment Status:</div>
                     <div class="info-value">{{mbkautheVar.IS_DEPLOYED}}</div>
                 </div>
-                <div class="info-row">
-                    <div class="info-label">Domain:</div>
-                    <div class="info-value">{{mbkautheVar.DOMAIN}}</div>
-                </div>
-                <div class="info-row">
-                    <div class="info-label">Login Redirect URL:</div>
-                    <div class="info-value">{{mbkautheVar.loginRedirectURL}}</div>
-                </div>
+                {{/if}}
             </div>
         </div>
     </section>

package/views/loginmbkauthe.handlebars

@@ -5,13 +5,13 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <meta name="description"
-        content="Log in to portal.mbktechstudio.com to access your resources and manage projects securely.">
+        content="Log in to portal.mbktech.org to access your resources and manage projects securely.">
     <meta name="keywords" content="MBK Tech Studio, Web-Portal, Web, Portal, Admin-Panel, Admin, login">
     <meta property="og:title" content="Login | MBK Tech Studio" />
-    <meta property="og:image" content="https://www.mbktechstudio.com/Assets/Images/Icon/logo.png" />
+    <meta property="og:image" content="https://mbktech.org/Assets/Images/Icon/logo.png" />
     <meta property="og:url" content="/mbkauthe/login">
     <title>Login | MBK Tech Studio Portal</title>
-    <link rel="icon" type="image/x-icon" href="https://mbktechstudio.com/Assets/Images/Icon/dgicon.svg">
+    <link rel="icon" type="image/x-icon" href="https://mbktech.org/Assets/Images/Icon/dgicon.svg">
     <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
     {{> sharedStyles}}
 </head>
@@ -28,7 +28,7 @@
                         </path>
                     </g>
                 </svg>
-                <span class="logo-text">{{appName}} <span class="logo-comp">MBKTECHStudio</span></span>
+                <span class="logo-text">{{appName}} <span class="logo-comp">mbktech</span></span>
             </a>
         </div>
     </header>
@@ -68,17 +68,16 @@
                 <button type="submit" class="btn-login" id="loginButton">
                     <span id="loginButtonText">Login</span>
                 </button>
-                {{#if githubLoginEnabled }}
                 <div class="social-login">
                     <div class="divider">
                         <span>or</span>
                     </div>
-                    <a href="/mbkauthe/api/github/login" class="btn-github">
+                    <!-- Use JS to initiate GitHub login and pass redirect param to backend -->
+                    <a type="button" id="githubLoginBtn" class="btn-github">
                         <i class="fab fa-github"></i>
                         <span>Continue with GitHub</span>
                     </a>
                 </div>
-                {{/if }}
 
                 <div class="remember-me">
                     <input type="checkbox" id="rememberMe" name="rememberMe">
@@ -94,16 +93,16 @@
                 {{/if }}
 
                 <div class="login-links">
-                    <a href="https://portal.mbktechstudio.com/forgot-password" class="login-link">Forgot Password?</a>
-                    <a href="https://www.mbktechstudio.com/Support" target="_blank" class="login-link">Need Help?</a>
+                    <a href="https://portal.mbktech.org/forgot-password" class="login-link">Forgot Password?</a>
+                    <a href="https://mbktech.org/Support" target="_blank" class="login-link">Need Help?</a>
                 </div>
 
                 <p class="terms-info">
                     By logging in, you agree to our
-                    <a href="https://portal.mbktechstudio.com/info/Terms&Conditions" target="_blank"
+                    <a href="https://portal.mbktech.org/info/Terms&Conditions" target="_blank"
                         class="terms-link">Terms & Conditions</a>
                     and
-                    <a href="https://portal.mbktechstudio.com/info/PrivacyPolicy" target="_blank"
+                    <a href="https://portal.mbktech.org/info/PrivacyPolicy" target="_blank"
                         class="terms-link">Privacy Policy</a>.
                 </p>
             </form>
@@ -128,13 +127,13 @@
         });
 
         function fpass() {
-            showMessage(`If you have forgotten your password, please contact support at <a href="https://www.mbktechstudio.com/Support" target="_blank">https://www.mbktechstudio.com/Support</a> to reset it.`, `Forgot Password`);
+            showMessage(`If you have forgotten your password, please contact support at <a href="https://mbktech.org/Support" target="_blank">https://mbktech.org/Support</a> to reset it.`, `Forgot Password`);
         }
 
         // Info dialogs
         function usernameinfo() {
-            showMessage(`Your username is the part of your MBK Tech Studio email before the @ (e.g., abc.xyz@mbktechstudio.com
- → abc.xyz). For guests or if you’ve forgotten your credentials, contact <a href="https://mbktechstudio.com/Support">Support</a>.`, `What is my username?`);
+            showMessage(`Your username is the part of your MBK Tech Studio email before the @ (e.g., abc.xyz@mbktech.org
+ → abc.xyz). For guests or if you’ve forgotten your credentials, contact <a href="https://mbktech.org/Support">Support</a>.`, `What is my username?`);
         }
 
         function tokeninfo() {
@@ -272,6 +271,45 @@
                 document.getElementById('loginPassword').focus();
             }
         });
+
+        // GitHub login: Attempt to POST redirect to backend, fallback to direct navigation
+        async function startGithubLogin() {
+            const urlParams = new URLSearchParams(window.location.search);
+            const redirect = urlParams.get('redirect') || '{{customURL}}';
+
+            try {
+                // Try POSTing to the backend so it can establish any session state
+                const resp = await fetch('/mbkauthe/api/github/login', {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    credentials: 'include',
+                    body: JSON.stringify({ redirect })
+                });
+
+                // If backend responds with a JSON containing redirectUrl, navigate there
+                if (resp.ok) {
+                    // If server redirected directly (resp.redirected), follow the final URL
+                    if (resp.redirected) {
+                        window.location.href = resp.url;
+                        return;
+                    }
+                    const data = await resp.json().catch(() => null);
+                    if (data && data.redirectUrl) {
+                        window.location.href = data.redirectUrl;
+                        return;
+                    }
+                }
+            } catch (error) {
+                // swallow and fallback to direct navigation
+                console.warn('[mbkauthe] GitHub login POST failed, falling back to direct redirect', error);
+            }
+
+            // Fallback: navigate to the backend GET endpoint with redirect query
+            window.location.href = `/mbkauthe/api/github/login?redirect=${encodeURIComponent(redirect)}`;
+        }
+
+        const githubBtn = document.getElementById('githubLoginBtn');
+        if (githubBtn) githubBtn.addEventListener('click', startGithubLogin);
     </script>
 </body>
 

package/views/sharedStyles.handlebars

@@ -98,7 +98,7 @@
             left: 0;
             width: 100%;
             height: 100%;
-            background: url(https://images.unsplash.com/photo-1555066931-4365d14bab8c?ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D&auto=format&fit=crop&w=2070&q=80) center/cover no-repeat;
+            background: url(/mbkauthe/bg.avif) center/cover no-repeat;
             opacity: .1;
             z-index: 0;
         }

package/views/showmessage.handlebars

@@ -20,7 +20,7 @@
             document.querySelector(".showmessageWindow .error-code").style.display = "none";
         }
         
-        document.querySelector(".showmessageWindow .error-code").href = `https://mbktechstudio.com/ErrorCode/#${errorCode}`;
+        document.querySelector(".showmessageWindow .error-code").href = `https://mbktech.org/ErrorCode/#${errorCode}`;
        */
         document
             .querySelector(".showMessageblurWindow")