mbkauthe 1.4.2 → 2.0.0

package/README.md

@@ -6,7 +6,7 @@
 [![Publish to npm](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/publish.yml/badge.svg?branch=main)](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/publish.yml)
 [![CodeQL Advanced](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/codeql.yml/badge.svg?branch=main)](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/codeql.yml)
 
-**MBKAuth** is a reusable, production-ready authentication system for Node.js applications built by MBKTechStudio. It provides secure session management, two-factor authentication (2FA), role-based access control, and multi-application support out of the box.
+**MBKAuth** is a reusable, production-ready authentication system for Node.js applications built by MBKTech.org. It provides secure session management, two-factor authentication (2FA), role-based access control, and multi-application support out of the box.
 
 ## ✨ Features
 
@@ -313,8 +313,8 @@ Found a bug or need help? Please [open an issue](https://github.com/MIbnEKhalid/
 
 - [npm Package](https://www.npmjs.com/package/mbkauthe)
 - [GitHub Repository](https://github.com/MIbnEKhalid/mbkauthe)
-- [MBKTechStudio](https://mbktechstudio.com)
+- [MBKTech.org](https://mbktech.org)
 
 ---
 
-Made with ❤️ by [MBKTechStudio](https://mbktechstudio.com)
+Made with ❤️ by [MBKTech.org](https://mbktech.org)

package/docs/api.md

@@ -328,10 +328,77 @@ Displays MBKAuthe version information and configuration.
 
 #### `GET /mbkauthe/main.js`
 
-Serves the client-side JavaScript file.
+Serves the client-side JavaScript file containing helper functions for authentication operations.
+
+**Purpose:** Provides frontend JavaScript utilities including:
+- `logout()` - Logout function with confirmation dialog and cache clearing
+- `logoutuser()` - Alias for logout function
+- `nuclearCacheClear()` - Comprehensive cache and storage clearing (preserves rememberedUsername)
+- `getCookieValue(cookieName)` - Cookie retrieval helper
+- `loadpage(url)` - Page navigation helper
+- `formatDate(date)` - Date formatting utility
+- `reloadPage()` - Page reload helper
+- `checkSession()` - Session validity checker
 
 **Response:** JavaScript file (Content-Type: application/javascript)
 
+**Usage:**
+```html
+<script src="/mbkauthe/main.js"></script>
+<button onclick="logout()">Logout</button>
+```
+
+**Main Functions:**
+
+**`logout()`**
+- Shows confirmation dialog before logout
+- Clears all caches except rememberedUsername
+- Calls `/mbkauthe/api/logout` endpoint
+- Redirects to home page on success
+
+**`nuclearCacheClear()`**
+- Clears service workers and cache storage
+- Clears localStorage and sessionStorage (preserves rememberedUsername)
+- Clears IndexedDB
+- Clears cookies
+- Forces page reload
+
+
+---
+
+#### `GET /mbkauthe/test`
+
+Test endpoint to verify authentication and display user session information.
+
+**Authentication:** Session required
+
+**Rate Limit:** 8 requests per minute
+
+**Response:** HTML page displaying:
+- Current username
+- User role
+- Logout button
+- Quick links to info and login pages
+
+**Example Response:**
+```html
+<head> 
+  <script src="/mbkauthe/main.js"></script> 
+</head>
+<p>if you are seeing this page than User is logged in.</p>
+<p>id: '${req.session.user.id}', UserName: '${req.session.user.username}', Role: '${req.session.user.role}', SessionId: '${req.session.user.sessionId}'</p>
+<button onclick="logout()">Logout</button><br>
+<a href="/mbkauthe/info">Info Page</a><br>
+<a href="/mbkauthe/login">Login Page</a><br>
+```
+
+**Usage:**
+```
+GET /mbkauthe/test
+```
+
+**Note:** This endpoint is primarily for testing and debugging authentication. It should not be used in production environments.
+
 ---
 
 ## Middleware Reference
@@ -347,7 +414,7 @@ import { validateSession } from 'mbkauthe';
 app.get('/protected', validateSession, (req, res) => {
   // User is authenticated
   const user = req.session.user;
-  // user contains: { id, username, UserName, role, Role, sessionId, allowedApps }
+  // user contains: { id, username, UserName, role, Role, sessionId }
   res.send(`Welcome ${user.username}!`);
 });
 ```
@@ -369,7 +436,6 @@ req.session.user = {
   role: "NormalUser",       // User role
   Role: "NormalUser",       // User role (alias)
   sessionId: "abc123...",   // 64-char hex session ID
-  allowedApps: ["app1"]     // Array of allowed applications
 }
 ```
 

package/env.md

@@ -54,7 +54,7 @@ DOMAIN=localhost
 **Description:** Your application's domain name.
 
 **Configuration:**
-- **Production:** Set to your actual domain (e.g., `mbktechstudio.com`)
+- **Production:** Set to your actual domain (e.g., `mbktech.com`)
 - **Development:** Use `localhost` or set `IS_DEPLOYED=false`
 - **Subdomains:** When `IS_DEPLOYED=true`, sessions are shared across all subdomains
 

package/lib/main.js

@@ -5,14 +5,14 @@ import session from "express-session";
 import pgSession from "connect-pg-simple";
 const PgSession = pgSession(session);
 import { dblogin } from "./pool.js";
-import { authenticate } from "./validateSessionAndRole.js";
+import { authenticate, validateSession, validateSessionAndRole } from "./validateSessionAndRole.js";
 import fetch from 'node-fetch';
 import cookieParser from "cookie-parser";
 import bcrypt from 'bcrypt';
 import rateLimit from 'express-rate-limit';
 import speakeasy from "speakeasy";
-//import passport from 'passport';
-//import GitHubStrategy from 'passport-github2';
+import passport from 'passport';
+import GitHubStrategy from 'passport-github2';
 
 import { createRequire } from "module";
 import fs from "fs";
@@ -36,16 +36,26 @@ router.get('/mbkauthe/main.js', (req, res) => {
 });
 
 // CSRF protection middleware
-const csrfProtection = csurf({ cookie: false });
+const csrfProtection = csurf({ cookie: true });
 
 // CORS and security headers
 router.use((req, res, next) => {
   const origin = req.headers.origin;
-  if (origin && origin.endsWith(`.${mbkautheVar.DOMAIN}`)) {
-    res.header('Access-Control-Allow-Origin', origin);
-    res.header('Access-Control-Allow-Credentials', 'true');
-    res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');
-    res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+  if (origin) {
+    try {
+      const originUrl = new URL(origin);
+      const allowedDomain = `.${mbkautheVar.DOMAIN}`;
+      // Exact match or subdomain match (must end with .domain.com, not just domain.com)
+      if (originUrl.hostname === mbkautheVar.DOMAIN || 
+          (originUrl.hostname.endsWith(allowedDomain) && originUrl.hostname.charAt(originUrl.hostname.length - allowedDomain.length - 1) !== '.')) {
+        res.header('Access-Control-Allow-Origin', origin);
+        res.header('Access-Control-Allow-Credentials', 'true');
+        res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');
+        res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+      }
+    } catch (err) {
+      // Invalid origin URL, skip CORS headers
+    }
   }
   next();
 });
@@ -71,6 +81,12 @@ const TwoFALimit = rateLimit({
   message: { success: false, message: "Too many 2FA attempts, please try again later" }
 });
 
+const GitHubOAuthLimit = rateLimit({
+  windowMs: 5 * 60 * 1000,
+  max: 10,
+  message: "Too many GitHub login attempts, please try again later"
+});
+
 const sessionConfig = {
   store: new PgSession({
     pool: dblogin,
@@ -85,7 +101,7 @@ const sessionConfig = {
     maxAge: mbkautheVar.COOKIE_EXPIRE_TIME * 24 * 60 * 60 * 1000,
     domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
     httpOnly: true,
-    secure: mbkautheVar.IS_DEPLOYED === 'true' ? 'auto' : false,
+    secure: mbkautheVar.IS_DEPLOYED === 'true',
     sameSite: 'lax',
     path: '/'
   },
@@ -100,14 +116,16 @@ router.use(async (req, res, next) => {
     try {
       const sessionId = req.cookies.sessionId;
 
-      // Validate sessionId format (should be 64 hex characters)
+      // Validate sessionId format (should be 64 hex characters) and normalize to lowercase
       if (typeof sessionId !== 'string' || !/^[a-f0-9]{64}$/i.test(sessionId)) {
         console.warn("[mbkauthe] Invalid sessionId format detected");
         return next();
       }
 
-      const query = `SELECT id, "UserName", "Active", "Role", "SessionId", "AllowedApps" FROM "Users" WHERE "SessionId" = $1 AND "Active" = true`;
-      const result = await dblogin.query({ name: 'get-user-by-sessionid', text: query, values: [sessionId] });
+      const normalizedSessionId = sessionId.toLowerCase();
+
+      const query = `SELECT id, "UserName", "Active", "Role", "SessionId", "AllowedApps" FROM "Users" WHERE LOWER("SessionId") = $1 AND "Active" = true`;
+      const result = await dblogin.query({ name: 'restore-user-session', text: query, values: [normalizedSessionId] });
 
       if (result.rows.length > 0) {
         const user = result.rows[0];
@@ -117,8 +135,7 @@ router.use(async (req, res, next) => {
           UserName: user.UserName,
           role: user.Role,
           Role: user.Role,
-          sessionId,
-          allowedApps: user.AllowedApps,
+          sessionId: normalizedSessionId,
         };
       }
     } catch (err) {
@@ -131,7 +148,7 @@ router.use(async (req, res, next) => {
 const getCookieOptions = () => ({
   maxAge: mbkautheVar.COOKIE_EXPIRE_TIME * 24 * 60 * 60 * 1000,
   domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
-  secure: mbkautheVar.IS_DEPLOYED === 'true' ? 'auto' : false,
+  secure: mbkautheVar.IS_DEPLOYED === 'true',
   sameSite: 'lax',
   path: '/',
   httpOnly: true
@@ -139,32 +156,64 @@ const getCookieOptions = () => ({
 
 const getClearCookieOptions = () => ({
   domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
-  secure: mbkautheVar.IS_DEPLOYED === 'true' ? 'auto' : false,
+  secure: mbkautheVar.IS_DEPLOYED === 'true',
   sameSite: 'lax',
   path: '/',
   httpOnly: true
 });
 
+router.get('/mbkauthe/test', validateSession, LoginLimit, async(req, res) => {
+  if(req.session?.user) {
+    return res.send(`
+      <head> <script src="/mbkauthe/main.js"></script> </head>
+      <p>if you are seeing this page than User is logged in.</p>
+      <p>id: '${req.session.user.id}', UserName: '${req.session.user.username}', Role: '${req.session.user.role}', SessionId: '${req.session.user.sessionId}'</p>
+      <button onclick="logout()">Logout</button><br>
+      <a href="/mbkauthe/info">Info Page</a><br>
+      <a href="/mbkauthe/login">Login Page</a><br>
+      `);
+  }
+});
+
 async function completeLoginProcess(req, res, user, redirectUrl = null) {
   try {
+    // Ensure both username formats are available for compatibility
+    const username = user.username || user.UserName;
+    if (!username) {
+      throw new Error('Username is required in user object');
+    }
+
     // smaller session id is sufficient and faster to generate/serialize
     const sessionId = crypto.randomBytes(32).toString("hex");
-    console.log(`[mbkauthe] Generated session ID for username: ${user.username}`);
+    console.log(`[mbkauthe] Generated session ID for username: ${username}`);
+
+    // Regenerate session to prevent session fixation attacks
+    const oldSessionId = req.sessionID;
+    await new Promise((resolve, reject) => {
+      req.session.regenerate((err) => {
+        if (err) reject(err);
+        else resolve();
+      });
+    });
 
-    // Delete old session record for this user
-    await dblogin.query('DELETE FROM "session" WHERE username = $1', [user.username]);
+    // Delete all old sessions for this user from session table
+    await dblogin.query({ 
+      name: 'login-delete-old-user-sessions', 
+      text: 'DELETE FROM "session" WHERE sess::text LIKE $1', 
+      values: [`%"username":"${username}"%`] 
+    });
 
-    await dblogin.query(`UPDATE "Users" SET "SessionId" = $1 WHERE "id" = $2`, [
+    await dblogin.query({ name: 'login-update-session-id', text: `UPDATE "Users" SET "SessionId" = $1 WHERE "id" = $2`, values: [
       sessionId,
       user.id,
-    ]);
+    ] });
 
     req.session.user = {
       id: user.id,
-      username: user.username,
-      UserName: user.UserName,
-      role: user.role,
-      Role: user.role,
+      username: username,
+      UserName: username,
+      role: user.role || user.Role,
+      Role: user.role || user.Role,
       sessionId,
     };
 
@@ -182,7 +231,7 @@ async function completeLoginProcess(req, res, user, redirectUrl = null) {
 
       const cookieOptions = getCookieOptions();
       res.cookie("sessionId", sessionId, cookieOptions);
-      console.log(`[mbkauthe] User "${user.username}" logged in successfully`);
+      console.log(`[mbkauthe] User "${username}" logged in successfully`);
 
       const responsePayload = {
         success: true,
@@ -216,8 +265,8 @@ router.use(async (req, res, next) => {
 
 router.post("/mbkauthe/api/terminateAllSessions", authenticate(mbkautheVar.Main_SECRET_TOKEN), async (req, res) => {
   try {
-    await dblogin.query(`UPDATE "Users" SET "SessionId" = NULL`);
-    await dblogin.query('DELETE FROM "session"');
+    await dblogin.query({ name: 'terminate-all-user-sessions', text: `UPDATE "Users" SET "SessionId" = NULL` });
+    await dblogin.query({ name: 'terminate-all-db-sessions', text: 'DELETE FROM "session"' });
 
     req.session.destroy((err) => {
       if (err) {
@@ -280,11 +329,11 @@ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
 
   try {
     const userQuery = `SELECT id, "UserName", "Password", "Active", "Role", "AllowedApps" FROM "Users" WHERE "UserName" = $1`;
-    const userResult = await dblogin.query({ name: 'get-user-by-username', text: userQuery, values: [trimmedUsername] });
+    const userResult = await dblogin.query({ name: 'login-get-user', text: userQuery, values: [trimmedUsername] });
 
     if (userResult.rows.length === 0) {
-      console.log(`[mbkauthe] Username does not exist: ${trimmedUsername}`);
-      return res.status(404).json({ success: false, message: "Incorrect Username Or Password" });
+      console.log(`[mbkauthe] Login failed: invalid credentials`);
+      return res.status(401).json({ success: false, message: "Invalid credentials" });
     }
 
     const user = userResult.rows[0];
@@ -299,18 +348,18 @@ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
       try {
         const result = await bcrypt.compare(password, user.Password);
         if (!result) {
-          console.log("[mbkauthe] Incorrect password.");
-          return res.status(401).json({ success: false, errorCode: 603, message: "Incorrect Username Or Password." });
+          console.log("[mbkauthe] Login failed: invalid credentials");
+          return res.status(401).json({ success: false, errorCode: 603, message: "Invalid credentials" });
         }
-        console.log("[mbkauthe] Password matches!");
+        console.log("[mbkauthe] Password validated successfully");
       } catch (err) {
         console.error("[mbkauthe] Error comparing password:", err);
         return res.status(500).json({ success: false, errorCode: 605, message: `Internal Server Error` });
       }
     } else {
       if (user.Password !== password) {
-        console.log(`[mbkauthe] Incorrect password for username: ${trimmedUsername}`);
-        return res.status(401).json({ success: false, errorCode: 603, message: "Incorrect Username Or Password" });
+        console.log(`[mbkauthe] Login failed: invalid credentials`);
+        return res.status(401).json({ success: false, errorCode: 603, message: "Invalid credentials" });
       }
     }
 
@@ -329,7 +378,7 @@ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
 
     if ((mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLocaleLowerCase() === "true") {
       const query = `SELECT "TwoFAStatus" FROM "TwoFA" WHERE "UserName" = $1`;
-      const twoFAResult = await dblogin.query({ name: 'get-2fa-status', text: query, values: [trimmedUsername] });
+      const twoFAResult = await dblogin.query({ name: 'login-check-2fa-status', text: query, values: [trimmedUsername] });
 
       if (twoFAResult.rows.length > 0 && twoFAResult.rows[0].TwoFAStatus) {
         // 2FA is enabled, prompt for token on a separate page
@@ -367,6 +416,7 @@ router.get("/mbkauthe/2fa", csrfProtection, (req, res) => {
     layout: false,
     customURL: mbkautheVar.loginRedirectURL || '/home',
     csrfToken: req.csrfToken(),
+    appName: mbkautheVar.APP_NAME.toLowerCase(),
   });
 });
 
@@ -391,7 +441,7 @@ router.post("/mbkauthe/api/verify-2fa", TwoFALimit, csrfProtection, async (req,
 
   try {
     const query = `SELECT "TwoFASecret" FROM "TwoFA" WHERE "UserName" = $1`;
-    const twoFAResult = await dblogin.query(query, [username]);
+    const twoFAResult = await dblogin.query({ name: 'verify-2fa-secret', text: query, values: [username] });
 
     if (twoFAResult.rows.length === 0 || !twoFAResult.rows[0].TwoFASecret) {
       return res.status(500).json({ success: false, message: "2FA is not configured correctly." });
@@ -421,15 +471,15 @@ router.post("/mbkauthe/api/verify-2fa", TwoFALimit, csrfProtection, async (req,
   }
 });
 
-router.post("/mbkauthe/api/logout", LogoutLimit, csrfProtection, async (req, res) => {
+router.post("/mbkauthe/api/logout", LogoutLimit, async (req, res) => {
   if (req.session.user) {
     try {
       const { id, username } = req.session.user;
 
-      await dblogin.query(`UPDATE "Users" SET "SessionId" = NULL WHERE "id" = $1`, [id]);
+      await dblogin.query({ name: 'logout-clear-session', text: `UPDATE "Users" SET "SessionId" = NULL WHERE "id" = $1`, values: [id] });
 
       if (req.sessionID) {
-        await dblogin.query('DELETE FROM "session" WHERE sid = $1', [req.sessionID]);
+        await dblogin.query({ name: 'logout-delete-session', text: 'DELETE FROM "session" WHERE sid = $1', values: [req.sessionID] });
       }
 
       req.session.destroy((err) => {
@@ -463,7 +513,7 @@ router.get("/mbkauthe/login", LoginLimit, csrfProtection, (req, res) => {
     userLoggedIn: !!req.session?.user,
     username: req.session?.user?.username || '',
     version: packageJson.version,
-    appName: mbkautheVar.APP_NAME.toUpperCase(),
+    appName: mbkautheVar.APP_NAME.toLowerCase(),
     csrfToken: req.csrfToken(),
   });
 });
@@ -483,9 +533,19 @@ async function getLatestVersion() {
   }
 }
 
-router.get(["/mbkauthe/info", "/mbkauthe/i"], LoginLimit, async (_, res) => {
-  let latestVersion;
+router.get("/mbkauthe/bg.avif", (req, res) => {
+  res.sendFile("bg.avif", { root: path.join(process.cwd(), "public") });
+});
 
+router.get(["/mbkauthe/info", "/mbkauthe/i"], LoginLimit, async (req, res) => {
+  let latestVersion;
+  const parameters = req.query;
+  let authorized = false;
+  
+  if (parameters.password && mbkautheVar.Main_SECRET_TOKEN) {
+    authorized = String(parameters.password) === String(mbkautheVar.Main_SECRET_TOKEN);
+  }
+  
   try {
     latestVersion = await getLatestVersion();
     //latestVersion = "Under Development"; // Placeholder for the latest version
@@ -499,6 +559,7 @@ router.get(["/mbkauthe/info", "/mbkauthe/i"], LoginLimit, async (_, res) => {
       mbkautheVar: mbkautheVar,
       version: packageJson.version,
       latestVersion,
+      authorized: authorized,
     });
   } catch (err) {
     console.error("[mbkauthe] Error fetching version information:", err);
@@ -515,7 +576,7 @@ router.get(["/mbkauthe/info", "/mbkauthe/i"], LoginLimit, async (_, res) => {
         `);
   }
 });
-/*
+
 // Configure GitHub Strategy for login
 passport.use('github-login', new GitHubStrategy({
     clientID: process.env.GITHUB_CLIENT_ID,
@@ -526,28 +587,35 @@ passport.use('github-login', new GitHubStrategy({
     async (accessToken, refreshToken, profile, done) => {
         try {
             // Check if this GitHub account is linked to any user
-            const githubUser = await dblogin.query(
-                'SELECT ug.*, u."UserName", u."Role", u."Active", u."AllowedApps" FROM user_github ug JOIN "Users" u ON ug.user_name = u."UserName" WHERE ug.github_id = $1',
-                [profile.id]
-            );
+            const githubUser = await dblogin.query({
+                name: 'github-login-get-user',
+                text: 'SELECT ug.*, u."UserName", u."Role", u."Active", u."AllowedApps", u."id" FROM user_github ug JOIN "Users" u ON ug.user_name = u."UserName" WHERE ug.github_id = $1',
+                values: [profile.id]
+            });
 
             if (githubUser.rows.length === 0) {
                 // GitHub account is not linked to any user
-                return done(new Error('GitHub account not linked to any user'));
+                const error = new Error('GitHub account not linked to any user');
+                error.code = 'GITHUB_NOT_LINKED';
+                return done(error);
             }
 
             const user = githubUser.rows[0];
             
             // Check if the user account is active
             if (!user.Active) {
-                return done(new Error('Account is inactive'));
+                const error = new Error('Account is inactive');
+                error.code = 'ACCOUNT_INACTIVE';
+                return done(error);
             }
 
             // Check if user is authorized for this app (same logic as regular login)
             if (user.Role !== "SuperAdmin") {
                 const allowedApps = user.AllowedApps;
                 if (!allowedApps || !allowedApps.some(app => app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
-                    return done(new Error(`Not authorized to use ${mbkautheVar.APP_NAME}`));
+                    const error = new Error(`Not authorized to use ${mbkautheVar.APP_NAME}`);
+                    error.code = 'NOT_AUTHORIZED';
+                    return done(error);
                 }
             }
 
@@ -561,6 +629,7 @@ passport.use('github-login', new GitHubStrategy({
             });
         } catch (err) {
             console.error('[mbkauthe] GitHub login error:', err);
+            err.code = err.code || 'GITHUB_AUTH_ERROR';
             return done(err);
         }
     }
@@ -580,25 +649,128 @@ router.use(passport.initialize());
 router.use(passport.session());
 
 // GitHub login initiation
-router.get('/mbkauthe/api/github/login', passport.authenticate('github-login'));
+router.get('/mbkauthe/api/github/login', GitHubOAuthLimit, (req, res, next) => {
+    // Store redirect parameter in session before OAuth flow (validate to prevent open redirect)
+    const redirect = req.query.redirect;
+    if (redirect && typeof redirect === 'string') {
+        // Only allow relative URLs or same-origin URLs to prevent open redirect attacks
+        if (redirect.startsWith('/') && !redirect.startsWith('//')) {
+            req.session.oauthRedirect = redirect;
+        } else {
+            console.warn(`[mbkauthe] Invalid redirect parameter rejected: ${redirect}`);
+        }
+    }
+    passport.authenticate('github-login')(req, res, next);
+});
 
 // GitHub login callback
 router.get('/mbkauthe/api/github/login/callback',
-    passport.authenticate('github-login', { 
-        failureRedirect: '/mbkauthe/login?error=github_auth_failed',
-        session: false // We'll handle session manually
-    }),
+    GitHubOAuthLimit,
+    (req, res, next) => {
+        passport.authenticate('github-login', { 
+            session: false // We'll handle session manually
+        }, (err, user, info) => {
+            // Custom error handling for passport authentication
+            if (err) {
+                console.error('[mbkauthe] GitHub authentication error:', err);
+                
+                // Map error codes to user-friendly messages
+                switch(err.code) {
+                    case 'GITHUB_NOT_LINKED':
+                        return res.status(403).render('Error/dError.handlebars', {
+                            layout: false,
+                            code: '403',
+                            error: 'GitHub Account Not Linked',
+                            message: 'Your GitHub account is not linked to any user in our system. To link your GitHub account, a User must connect their GitHub account to mbktech account through the user settings.',
+                            page: '/mbkauthe/login',
+                            pagename: 'Login',
+                            version: packageJson.version,
+                            app: mbkautheVar.APP_NAME
+                        });
+                    
+                    case 'ACCOUNT_INACTIVE':
+                        return res.status(403).render('Error/dError.handlebars', {
+                            layout: false,
+                            code: '403',
+                            error: 'Account Inactive',
+                            message: 'Your account has been deactivated. Please contact your administrator.',
+                            page: '/mbkauthe/login',
+                            pagename: 'Login',
+                            version: packageJson.version,
+                            app: mbkautheVar.APP_NAME
+                        });
+                    
+                    case 'NOT_AUTHORIZED':
+                        return res.status(403).render('Error/dError.handlebars', {
+                            layout: false,
+                            code: '403',
+                            error: 'Not Authorized',
+                            message: `You are not authorized to access ${mbkautheVar.APP_NAME}. Please contact your administrator.`,
+                            page: '/mbkauthe/login',
+                            pagename: 'Login',
+                            version: packageJson.version,
+                            app: mbkautheVar.APP_NAME
+                        });
+                    
+                    default:
+                        return res.status(500).render('Error/dError.handlebars', {
+                            layout: false,
+                            code: '500',
+                            error: 'Authentication Error',
+                            message: 'An error occurred during GitHub authentication. Please try again.',
+                            page: '/mbkauthe/login',
+                            pagename: 'Login',
+                            version: packageJson.version,
+                            app: mbkautheVar.APP_NAME,
+                            details: process.env.NODE_ENV === 'development' ? `${err.message}\n${err.stack}` : 'Error details hidden in production'
+                        });
+                }
+            }
+            
+            if (!user) {
+                console.error('[mbkauthe] GitHub callback: No user data received');
+                return res.status(401).render('Error/dError.handlebars', {
+                    layout: false,
+                    code: '401',
+                    error: 'Authentication Failed',
+                    message: 'GitHub authentication failed. Please try again.',
+                    page: '/mbkauthe/login',
+                    pagename: 'Login',
+                    version: packageJson.version,
+                    app: mbkautheVar.APP_NAME
+                });
+            }
+            
+            // Authentication successful, attach user to request
+            req.user = user;
+            next();
+        })(req, res, next);
+    },
     async (req, res) => {
         try {
             const githubUser = req.user;
             
-            // Find the actual user record
-            const userQuery = `SELECT * FROM "Users" WHERE "UserName" = $1`;
-            const userResult = await dblogin.query(userQuery, [githubUser.username]);
+            // Find the actual user record with named query
+            const userQuery = `SELECT id, "UserName", "Active", "Role", "AllowedApps" FROM "Users" WHERE "UserName" = $1`;
+            const userResult = await dblogin.query({
+                name: 'github-callback-get-user',
+                text: userQuery,
+                values: [githubUser.username]
+            });
 
             if (userResult.rows.length === 0) {
-                console.log(`[mbkauthe] GitHub login: User not found: ${githubUser.username}`);
-                return res.redirect('/mbkauthe/login?error=user_not_found');
+                console.error(`[mbkauthe] GitHub login: User not found: ${githubUser.username}`);
+                return res.status(404).render('Error/dError.handlebars', {
+                    layout: false,
+                    code: '404',
+                    error: 'User Not Found',
+                    message: 'Your GitHub account is linked, but the user account no longer exists in our system.',
+                    page: '/mbkauthe/login',
+                    pagename: 'Login',
+                    version: packageJson.version,
+                    app: mbkautheVar.APP_NAME,
+                    details: `GitHub username: ${githubUser.username}\nPlease contact your administrator.`
+                });
             }
 
             const user = userResult.rows[0];
@@ -606,14 +778,20 @@ router.get('/mbkauthe/api/github/login/callback',
             // Check 2FA if enabled
             if ((mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLowerCase() === "true") {
                 const twoFAQuery = `SELECT "TwoFAStatus" FROM "TwoFA" WHERE "UserName" = $1`;
-                const twoFAResult = await dblogin.query(twoFAQuery, [githubUser.username]);
+                const twoFAResult = await dblogin.query({
+                    name: 'github-check-2fa-status',
+                    text: twoFAQuery,
+                    values: [githubUser.username]
+                });
 
                 if (twoFAResult.rows.length > 0 && twoFAResult.rows[0].TwoFAStatus) {
                     // 2FA is enabled, store pre-auth user and redirect to 2FA
                     req.session.preAuthUser = {
                         id: user.id,
                         username: user.UserName,
+                        UserName: user.UserName,
                         role: user.Role,
+                        Role: user.Role,
                         loginMethod: 'github'
                     };
                     console.log(`[mbkauthe] GitHub login: 2FA required for user: ${githubUser.username}`);
@@ -621,62 +799,64 @@ router.get('/mbkauthe/api/github/login/callback',
                 }
             }
 
-            // Complete login process
+            // Complete login process using the shared function
             const userForSession = {
                 id: user.id,
                 username: user.UserName,
+                UserName: user.UserName,
                 role: user.Role,
+                Role: user.Role
             };
 
-            // Generate session and complete login
-            const sessionId = crypto.randomBytes(32).toString("hex");
-            console.log(`[mbkauthe] GitHub login: Generated session ID for username: ${user.UserName}`);
-
-            // Delete old session record for this user
-            await dblogin.query('DELETE FROM "session" WHERE username = $1', [user.UserName]);
+            // For OAuth redirect flow, we need to handle redirect differently
+            // Store the redirect URL before calling completeLoginProcess
+            const oauthRedirect = req.session.oauthRedirect;
+            delete req.session.oauthRedirect;
 
-            await dblogin.query(`UPDATE "Users" SET "SessionId" = $1 WHERE "id" = $2`, [
-                sessionId,
-                user.id,
-            ]);
-
-            req.session.user = {
-                id: user.id,
-                username: user.UserName,
-                role: user.Role,
-                sessionId,
+            // Custom response handler for OAuth flow - wrap the response object
+            const originalJson = res.json.bind(res);
+            const originalStatus = res.status.bind(res);
+            let statusCode = 200;
+            
+            res.status = function(code) {
+                statusCode = code;
+                return originalStatus(code);
             };
-
-            req.session.save(async (err) => {
-                if (err) {
-                    console.log("[mbkauthe] GitHub login session save error:", err);
-                    return res.redirect('/mbkauthe/login?error=session_error');
-                }
-                
-                try {
-                    await dblogin.query(
-                        'UPDATE "session" SET username = $1 WHERE sid = $2',
-                        [user.UserName, req.sessionID]
-                    );
-                } catch (e) {
-                    console.log("[mbkauthe] GitHub login: Failed to update username in session table:", e);
+            
+            res.json = function(data) {
+                if (data.success && statusCode === 200) {
+                    // If login successful, redirect instead of sending JSON
+                    const redirectUrl = oauthRedirect || mbkautheVar.loginRedirectURL || '/home';
+                    console.log(`[mbkauthe] GitHub login: Redirecting to ${redirectUrl}`);
+                    // Restore original methods before redirect
+                    res.json = originalJson;
+                    res.status = originalStatus;
+                    return res.redirect(redirectUrl);
                 }
+                // Restore original methods for error responses
+                res.json = originalJson;
+                res.status = originalStatus;
+                return originalJson(data);
+            };
 
-                const cookieOptions = getCookieOptions();
-                res.cookie("sessionId", sessionId, cookieOptions);
-                console.log(`[mbkauthe] GitHub login: User "${user.UserName}" logged in successfully`);
-
-                // Redirect to the configured URL or home
-                const redirectUrl = mbkautheVar.loginRedirectURL || '/home';
-                res.redirect(redirectUrl);
-            });
+            await completeLoginProcess(req, res, userForSession);
 
         } catch (err) {
             console.error('[mbkauthe] GitHub login callback error:', err);
-            res.redirect('/mbkauthe/login?error=internal_error');
+            return res.status(500).render('Error/dError.handlebars', {
+                layout: false,
+                code: '500',
+                error: 'Internal Server Error',
+                message: 'An error occurred during GitHub authentication. Please try again.',
+                page: '/mbkauthe/login',
+                pagename: 'Login',
+                version: packageJson.version,
+                app: mbkautheVar.APP_NAME,
+                details: process.env.NODE_ENV === 'development' ? `${err.message}\n${err.stack}` : 'Error details hidden in production'
+            });
         }
     }
 );
-*/
+
 export { getLatestVersion };
 export default router;

package/lib/pool.js

@@ -36,8 +36,8 @@ const poolConfig = {
   // - keep max small to avoid exhausting DB connections
   // - reduce idle time so connections are returned sooner
   // - set a short connection timeout to fail fast
-  max: 10,
-  idleTimeoutMillis: 50000,
+  max: 20,
+  idleTimeoutMillis: 10000,
   connectionTimeoutMillis: 5000,
 };
 

package/lib/validateSessionAndRole.js

@@ -1,11 +1,10 @@
 import { dblogin } from "./pool.js";
 const mbkautheVar = JSON.parse(process.env.mbkautheVar);
-let pool = dblogin;
 
 const getCookieOptions = () => ({
   maxAge: mbkautheVar.COOKIE_EXPIRE_TIME * 24 * 60 * 60 * 1000,
   domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
-  secure: mbkautheVar.IS_DEPLOYED === 'true' ? 'auto' : false,
+  secure: mbkautheVar.IS_DEPLOYED === 'true',
   sameSite: 'lax',
   path: '/',
   httpOnly: true
@@ -13,44 +12,13 @@ const getCookieOptions = () => ({
 
 const getClearCookieOptions = () => ({
   domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
-  secure: mbkautheVar.IS_DEPLOYED === 'true' ? 'auto' : false,
+  secure: mbkautheVar.IS_DEPLOYED === 'true',
   sameSite: 'lax',
   path: '/',
   httpOnly: true
 });
 
 async function validateSession(req, res, next) {
-  if (!req.session.user && req.cookies.sessionId) {
-    try {
-      const sessionId = req.cookies.sessionId;
-
-      // Validate sessionId format (should be 64 hex characters)
-      if (typeof sessionId !== 'string' || !/^[a-f0-9]{64}$/i.test(sessionId)) {
-        console.warn("[mbkauthe] Invalid sessionId format detected");
-        return next();
-      }
-
-      const query = `SELECT id, "UserName", "Active", "Role", "SessionId", "AllowedApps" FROM "Users" WHERE "SessionId" = $1 AND "Active" = true`;
-      const result = await dblogin.query({ name: 'get-user-by-sessionid', text: query, values: [sessionId] });
-
-      if (result.rows.length > 0) {
-        const user = result.rows[0];
-        req.session.user = {
-          id: user.id,
-          username: user.UserName,
-          UserName: user.UserName,
-          role: user.Role,
-          Role: user.Role,
-          sessionId,
-          allowedApps: user.AllowedApps,
-        };
-      }
-    } catch (err) {
-      console.error("[mbkauthe] Session validation error:", err);
-      return res.status(500).json({ success: false, message: "Internal Server Error" });
-    }
-  }
-
   if (!req.session.user) {
     console.log("[mbkauthe] User not authenticated");
     console.log("[mbkauthe]: ", req.session.user);
@@ -67,11 +35,14 @@ async function validateSession(req, res, next) {
   try {
     const { id, sessionId, role, allowedApps } = req.session.user;
 
-    // Fetch only SessionId and Active status for validation (reduced query)
+    // Normalize sessionId to lowercase for consistent comparison
+    const normalizedSessionId = sessionId.toLowerCase();
+
+    // Single optimized query to validate session
     const query = `SELECT "SessionId", "Active" FROM "Users" WHERE "id" = $1`;
-    const result = await dblogin.query({ name: 'get-user-by-id', text: query, values: [id] });
+    const result = await dblogin.query({ name: 'validate-user-session', text: query, values: [id] });
 
-    if (result.rows.length === 0 || result.rows[0].SessionId !== sessionId) {
+    if (result.rows.length === 0 || result.rows[0].SessionId.toLowerCase() !== normalizedSessionId) {
       console.log(`[mbkauthe] Session invalidated for user "${req.session.user.username}"`);
       req.session.destroy();
       const cookieOptions = getClearCookieOptions();
@@ -101,7 +72,7 @@ async function validateSession(req, res, next) {
         error: "Account Inactive",
         message: "Your Account Is Inactive. Please Contact Support.",
         pagename: "Support",
-        page: "https://mbktechstudio.com/Support",
+        page: "https://mbktech.org/Support",
       });
     }
 
@@ -131,12 +102,11 @@ async function validateSession(req, res, next) {
   }
 }
 
-const checkRolePermission = (requiredRole, notAllowed) => {
+const checkRolePermission = (requiredRoles, notAllowed) => {
   return async (req, res, next) => {
     try {
       if (!req.session || !req.session.user || !req.session.user.id) {
         console.log("[mbkauthe] User not authenticated");
-        console.log("[mbkauthe]: ", req.session);
         return res.render("Error/dError.handlebars", {
           layout: false,
           code: 401,
@@ -150,10 +120,10 @@ const checkRolePermission = (requiredRole, notAllowed) => {
       const userId = req.session.user.id;
 
       const query = `SELECT "Role" FROM "Users" WHERE "id" = $1`;
-      const result = await dblogin.query({ name: 'get-role-by-id', text: query, values: [userId] });
+      const result = await dblogin.query({ name: 'check-role-permission', text: query, values: [userId] });
 
       if (result.rows.length === 0) {
-        return res.status(401).json({ success: false, message: "User not found" });
+        return res.status(401).json({ success: false, message: "Authentication failed" });
       }
 
       const userRole = result.rows[0].Role;
@@ -164,22 +134,27 @@ const checkRolePermission = (requiredRole, notAllowed) => {
           layout: false,
           code: 403,
           error: "Access Denied",
-          message: `You are not allowed to access this resource with role: ${notAllowed}`,
+          message: "You are not allowed to access this resource",
           pagename: "Home",
           page: `/${mbkautheVar.loginRedirectURL}`
         });
       }
 
-      if (requiredRole === "Any" || requiredRole === "any") {
+      // Convert to array if single role provided
+      const rolesArray = Array.isArray(requiredRoles) ? requiredRoles : [requiredRoles];
+
+      // Check for "Any" or "any" role
+      if (rolesArray.includes("Any") || rolesArray.includes("any")) {
         return next();
       }
 
-      if (userRole !== requiredRole) {
+      // Check if user role is in allowed roles
+      if (!rolesArray.includes(userRole)) {
         return res.render("Error/dError.handlebars", {
           layout: false,
           code: 403,
           error: "Access Denied",
-          message: `You do not have permission to access this resource. Required role: ${requiredRole}`,
+          message: "You do not have permission to access this resource",
           pagename: "Home",
           page: `/${mbkautheVar.loginRedirectURL}`
         });
@@ -253,7 +228,7 @@ const authapi = (requiredRole = []) => {
           LIMIT 1
         `;
 
-        const result = await pool.query(jointQuery, [token]);
+        const result = await dblogin.query({ name: 'validate-api-key', text: jointQuery, values: [token] });
 
         if (result.rows.length === 0) {
           console.warn("[mbkauthe] [authapi] Invalid token or associated user inactive");

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "mbkauthe",
-  "version": "1.4.2",
-  "description": "MBKTechStudio's reusable authentication system for Node.js applications.",
+  "version": "2.0.0",
+  "description": "MBKTech's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",
   "scripts": {
-    "dev": "set test=dev&& nodemon index.js"
+    "dev": "cross-env test=dev nodemon index.js"
   },
   "repository": {
     "type": "git",
@@ -41,12 +41,15 @@
     "express-session": "^1.18.1",
     "marked": "^15.0.11",
     "node-fetch": "^3.3.2",
+    "passport": "^0.7.0",
+    "passport-github2": "^0.1.12",
     "path": "^0.12.7",
     "pg": "^8.14.1",
     "speakeasy": "^2.0.0",
     "url": "^0.11.4"
   },
   "devDependencies": {
+    "cross-env": "^7.0.3",
     "nodemon": "^3.1.11"
   }
 }

package/public/main.js

@@ -5,9 +5,7 @@ async function logout() {
   }
 
   try {
-    // Clear all caches before logging out (except rememberedUsername)
-    await nuclearCacheClear();
-
+    // First, logout from server
     const response = await fetch("/mbkauthe/api/logout", {
       method: "POST",
       headers: {
@@ -20,15 +18,15 @@ async function logout() {
     const result = await response.json();
 
     if (response.ok) {
-      alert(result.message);
-      // Force a full page reload with cache bypass
-      window.location.href = window.location.origin;
+      // Then clear all caches after successful logout (except rememberedUsername)
+      await nuclearCacheClear();
+      // nuclearCacheClear already redirects, so no need for additional redirect
     } else {
       alert(result.message);
     }
   } catch (error) {
     console.error("Error during logout:", error);
-    alert("Logout failed");
+    alert(`Logout failed: ${error.message}`);
   }
 }
 

package/views/2fa.handlebars

@@ -5,13 +5,13 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <meta name="description"
-        content="Log in to portal.mbktechstudio.com to access your resources and manage projects securely.">
+        content="Log in to portal.mbktech.org to access your resources and manage projects securely.">
     <meta name="keywords" content="MBK Tech Studio, Web-Portal, Web, Portal, Admin-Panel, Admin, login">
     <meta property="og:title" content="Login | MBK Tech Studio" />
-    <meta property="og:image" content="https://www.mbktechstudio.com/Assets/Images/Icon/logo.png" />
+    <meta property="og:image" content="https://mbktech.org/Assets/Images/Icon/logo.png" />
     <meta property="og:url" content="/mbkauthe/2fa">
     <title>2FA | MBK Tech Studio Portal</title>
-    <link rel="icon" type="image/x-icon" href="https://mbktechstudio.com/Assets/Images/Icon/dgicon.svg">
+    <link rel="icon" type="image/x-icon" href="https://mbktech.org/Assets/Images/Icon/dgicon.svg">
     <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
     {{> sharedStyles}}
 </head>
@@ -28,7 +28,7 @@
                         </path>
                     </g>
                 </svg>
-                <span class="logo-text">{{appName}} <span class="logo-comp">MBKTECHStudio</span></span>
+                <span class="logo-text">{{appName}} <span class="logo-comp">mbktech</span></span>
             </a>
         </div>
     </header>
@@ -63,10 +63,10 @@
 
                 <p class="terms-info">
                     By logging in, you agree to our
-                    <a href="https://portal.mbktechstudio.com/info/Terms&Conditions" target="_blank"
+                    <a href="https://portal.mbktech.org/info/Terms&Conditions" target="_blank"
                         class="terms-link">Terms & Conditions</a>
                     and
-                    <a href="https://portal.mbktechstudio.com/info/PrivacyPolicy" target="_blank"
+                    <a href="https://portal.mbktech.org/info/PrivacyPolicy" target="_blank"
                         class="terms-link">Privacy Policy</a>.
                 </p>
             </form>

package/views/Error/dError.handlebars

@@ -5,7 +5,7 @@
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>{{code}} - {{error}}</title>
-  <link rel="icon" type="image/x-icon" href="https://mbktechstudio.com/Assets/Images/Icon/dgicon.svg">
+  <link rel="icon" type="image/x-icon" href="https://mbktech.org/Assets/Images/Icon/dgicon.svg">
   <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
   {{> sharedStyles}}
   <style>
@@ -186,8 +186,8 @@
             </path>
           </g>
         </svg>
-        <span class="logo-text">{{#if app}}{{app}}{{else}}MBK Authe{{/if}} <span
-            class="logo-comp">MBKTECHStudio</span></span>
+        <span class="logo-text">{{#if app}}{{app}}{{else}}mbkauthe{{/if}} <span
+            class="logo-comp">mbktech</span></span>
       </a>
     </div>
   </header>

package/views/info.handlebars

@@ -5,7 +5,7 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Version and Configuration Information</title>
-    <link rel="icon" type="image/x-icon" href="https://mbktechstudio.com/Assets/Images/Icon/dgicon.svg">
+    <link rel="icon" type="image/x-icon" href="https://mbktech.org/Assets/Images/Icon/dgicon.svg">
     <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
     {{> sharedStyles}}
     <style>
@@ -184,7 +184,7 @@
                         </path>
                     </g>
                 </svg>
-                <span class="logo-text">{{mbkautheVar.APP_NAME}} <span class="logo-comp">MBKTECHStudio</span></span>
+                <span class="logo-text">{{mbkautheVar.APP_NAME}} <span class="logo-comp">mbktech</span></span>
             </a>
         </div>
     </header>
@@ -224,6 +224,16 @@
                     <div class="info-value">{{mbkautheVar.APP_NAME}}</div>
                 </div>
                 <div class="info-row">
+                    <div class="info-label">Domain:</div>
+                    <div class="info-value">{{mbkautheVar.DOMAIN}}</div>
+                </div>
+                <div class="info-row">
+                    <div class="info-label">Login Redirect URL:</div>
+                    <div class="info-value">{{mbkautheVar.loginRedirectURL}}</div>
+                </div>
+                {{#if authorized}}
+                
+                 <div class="info-row">
                     <div class="info-label">Two Factor Authentication:</div>
                     <div class="info-value">{{mbkautheVar.MBKAUTH_TWO_FA_ENABLE}}</div>
                 </div>
@@ -235,14 +245,7 @@
                     <div class="info-label">Deployment Status:</div>
                     <div class="info-value">{{mbkautheVar.IS_DEPLOYED}}</div>
                 </div>
-                <div class="info-row">
-                    <div class="info-label">Domain:</div>
-                    <div class="info-value">{{mbkautheVar.DOMAIN}}</div>
-                </div>
-                <div class="info-row">
-                    <div class="info-label">Login Redirect URL:</div>
-                    <div class="info-value">{{mbkautheVar.loginRedirectURL}}</div>
-                </div>
+                {{/if}}
             </div>
         </div>
     </section>

package/views/loginmbkauthe.handlebars

@@ -5,13 +5,13 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <meta name="description"
-        content="Log in to portal.mbktechstudio.com to access your resources and manage projects securely.">
+        content="Log in to portal.mbktech.org to access your resources and manage projects securely.">
     <meta name="keywords" content="MBK Tech Studio, Web-Portal, Web, Portal, Admin-Panel, Admin, login">
     <meta property="og:title" content="Login | MBK Tech Studio" />
-    <meta property="og:image" content="https://www.mbktechstudio.com/Assets/Images/Icon/logo.png" />
+    <meta property="og:image" content="https://mbktech.org/Assets/Images/Icon/logo.png" />
     <meta property="og:url" content="/mbkauthe/login">
     <title>Login | MBK Tech Studio Portal</title>
-    <link rel="icon" type="image/x-icon" href="https://mbktechstudio.com/Assets/Images/Icon/dgicon.svg">
+    <link rel="icon" type="image/x-icon" href="https://mbktech.org/Assets/Images/Icon/dgicon.svg">
     <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
     {{> sharedStyles}}
 </head>
@@ -28,7 +28,7 @@
                         </path>
                     </g>
                 </svg>
-                <span class="logo-text">{{appName}} <span class="logo-comp">MBKTECHStudio</span></span>
+                <span class="logo-text">{{appName}} <span class="logo-comp">mbktech</span></span>
             </a>
         </div>
     </header>
@@ -68,17 +68,16 @@
                 <button type="submit" class="btn-login" id="loginButton">
                     <span id="loginButtonText">Login</span>
                 </button>
-                {{#if githubLoginEnabled }}
                 <div class="social-login">
                     <div class="divider">
                         <span>or</span>
                     </div>
-                    <a href="/mbkauthe/api/github/login" class="btn-github">
+                    <!-- Use JS to initiate GitHub login and pass redirect param to backend -->
+                    <a type="button" id="githubLoginBtn" class="btn-github">
                         <i class="fab fa-github"></i>
                         <span>Continue with GitHub</span>
                     </a>
                 </div>
-                {{/if }}
 
                 <div class="remember-me">
                     <input type="checkbox" id="rememberMe" name="rememberMe">
@@ -94,16 +93,16 @@
                 {{/if }}
 
                 <div class="login-links">
-                    <a href="https://portal.mbktechstudio.com/forgot-password" class="login-link">Forgot Password?</a>
-                    <a href="https://www.mbktechstudio.com/Support" target="_blank" class="login-link">Need Help?</a>
+                    <a href="https://portal.mbktech.org/forgot-password" class="login-link">Forgot Password?</a>
+                    <a href="https://mbktech.org/Support" target="_blank" class="login-link">Need Help?</a>
                 </div>
 
                 <p class="terms-info">
                     By logging in, you agree to our
-                    <a href="https://portal.mbktechstudio.com/info/Terms&Conditions" target="_blank"
+                    <a href="https://portal.mbktech.org/info/Terms&Conditions" target="_blank"
                         class="terms-link">Terms & Conditions</a>
                     and
-                    <a href="https://portal.mbktechstudio.com/info/PrivacyPolicy" target="_blank"
+                    <a href="https://portal.mbktech.org/info/PrivacyPolicy" target="_blank"
                         class="terms-link">Privacy Policy</a>.
                 </p>
             </form>
@@ -128,13 +127,13 @@
         });
 
         function fpass() {
-            showMessage(`If you have forgotten your password, please contact support at <a href="https://www.mbktechstudio.com/Support" target="_blank">https://www.mbktechstudio.com/Support</a> to reset it.`, `Forgot Password`);
+            showMessage(`If you have forgotten your password, please contact support at <a href="https://mbktech.org/Support" target="_blank">https://mbktech.org/Support</a> to reset it.`, `Forgot Password`);
         }
 
         // Info dialogs
         function usernameinfo() {
-            showMessage(`Your username is the part of your MBK Tech Studio email before the @ (e.g., abc.xyz@mbktechstudio.com
- → abc.xyz). For guests or if you’ve forgotten your credentials, contact <a href="https://mbktechstudio.com/Support">Support</a>.`, `What is my username?`);
+            showMessage(`Your username is the part of your MBK Tech Studio email before the @ (e.g., abc.xyz@mbktech.org
+ → abc.xyz). For guests or if you’ve forgotten your credentials, contact <a href="https://mbktech.org/Support">Support</a>.`, `What is my username?`);
         }
 
         function tokeninfo() {
@@ -272,6 +271,45 @@
                 document.getElementById('loginPassword').focus();
             }
         });
+
+        // GitHub login: Attempt to POST redirect to backend, fallback to direct navigation
+        async function startGithubLogin() {
+            const urlParams = new URLSearchParams(window.location.search);
+            const redirect = urlParams.get('redirect') || '{{customURL}}';
+
+            try {
+                // Try POSTing to the backend so it can establish any session state
+                const resp = await fetch('/mbkauthe/api/github/login', {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    credentials: 'include',
+                    body: JSON.stringify({ redirect })
+                });
+
+                // If backend responds with a JSON containing redirectUrl, navigate there
+                if (resp.ok) {
+                    // If server redirected directly (resp.redirected), follow the final URL
+                    if (resp.redirected) {
+                        window.location.href = resp.url;
+                        return;
+                    }
+                    const data = await resp.json().catch(() => null);
+                    if (data && data.redirectUrl) {
+                        window.location.href = data.redirectUrl;
+                        return;
+                    }
+                }
+            } catch (error) {
+                // swallow and fallback to direct navigation
+                console.warn('[mbkauthe] GitHub login POST failed, falling back to direct redirect', error);
+            }
+
+            // Fallback: navigate to the backend GET endpoint with redirect query
+            window.location.href = `/mbkauthe/api/github/login?redirect=${encodeURIComponent(redirect)}`;
+        }
+
+        const githubBtn = document.getElementById('githubLoginBtn');
+        if (githubBtn) githubBtn.addEventListener('click', startGithubLogin);
     </script>
 </body>
 

package/views/sharedStyles.handlebars

@@ -98,7 +98,7 @@
             left: 0;
             width: 100%;
             height: 100%;
-            background: url(https://images.unsplash.com/photo-1555066931-4365d14bab8c?ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D&auto=format&fit=crop&w=2070&q=80) center/cover no-repeat;
+            background: url(/mbkauthe/bg.avif) center/cover no-repeat;
             opacity: .1;
             z-index: 0;
         }

package/views/showmessage.handlebars

@@ -20,7 +20,7 @@
             document.querySelector(".showmessageWindow .error-code").style.display = "none";
         }
         
-        document.querySelector(".showmessageWindow .error-code").href = `https://mbktechstudio.com/ErrorCode/#${errorCode}`;
+        document.querySelector(".showmessageWindow .error-code").href = `https://mbktech.org/ErrorCode/#${errorCode}`;
        */
         document
             .querySelector(".showMessageblurWindow")