npm - mbkauthe - Versions diffs - 2.0.0 → 2.0.1 - Mend

mbkauthe 2.0.0 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.env.example +1 -10
package/docs/db.md +0 -6
package/env.md +68 -0
package/lib/main.js +273 -257
package/package.json +1 -1
package/views/loginmbkauthe.handlebars +5 -1

package/.env.example CHANGED Viewed

@@ -1,12 +1,3 @@
-mbkautheVar='{
-    "APP_NAME": "MBKAUTH",
-    "SESSION_SECRET_KEY": "your-session-secret-key",
-    "IS_DEPLOYED": "true",
-    "LOGIN_DB": "postgres://username:password@host:port/database",
-    "MBKAUTH_TWO_FA_ENABLE": "false",
-    "COOKIE_EXPIRE_TIME": 2,
-    "DOMAIN": "yourdomain.com",
-    "loginRedirectURL": "/admin"
-}'
+mbkautheVar={"APP_NAME":"mbkauthe","Main_SECRET_TOKEN": 123,"SESSION_SECRET_KEY":"123","IS_DEPLOYED":"true","LOGIN_DB":"postgres://","MBKAUTH_TWO_FA_ENABLE":"true","COOKIE_EXPIRE_TIME":2,"DOMAIN":"mbktech.org","loginRedirectURL":"/mbkauthe/test","GITHUB_LOGIN_ENABLED":"true","GITHUB_CLIENT_ID":"","GITHUB_CLIENT_SECRET":""}
 # See env.md for more details

package/docs/db.md CHANGED Viewed

@@ -12,8 +12,6 @@ Add these to your `.env` file:
 # GitHub OAuth App Configuration
 GITHUB_CLIENT_ID=your_github_client_id
 GITHUB_CLIENT_SECRET=your_github_client_secret
-GITHUB_LOGIN_CALLBACK_URL=https://yourdomain.com/mbkauthe/api/github/login/callback
-BASE_URL=https://yourdomain.com
 ```
 ### 2. GitHub OAuth App Setup
@@ -109,10 +107,6 @@ The login page now includes:
 # Required for GitHub Login
 GITHUB_CLIENT_ID=your_github_client_id
 GITHUB_CLIENT_SECRET=your_github_client_secret
-GITHUB_LOGIN_CALLBACK_URL=https://yourdomain.com/mbkauthe/api/github/login/callback
-# Optional (used as fallback)
-BASE_URL=https://yourdomain.com
 ```
 The GitHub login feature is now fully integrated into your mbkauthe system and ready to use!

package/env.md CHANGED Viewed

@@ -138,6 +138,74 @@ COOKIE_EXPIRE_TIME=30  # 1 month (convenience)
 ---
+## 🐙 GitHub OAuth Authentication
+### GitHub Login Configuration
+```env
+GITHUB_LOGIN_ENABLED=false
+GITHUB_CLIENT_ID=your-github-client-id
+GITHUB_CLIENT_SECRET=your-github-client-secret
+```
+#### GITHUB_LOGIN_ENABLED
+**Description:** Enables or disables GitHub OAuth login functionality.
+**Values:**
+- `true` - Enable GitHub login (users can authenticate via GitHub)
+- `false` - Disable GitHub login (default)
+**Required:** Yes (if using GitHub authentication)
+#### GITHUB_CLIENT_ID
+**Description:** OAuth application client ID from GitHub.
+- **Purpose:** Identifies your application to GitHub's OAuth service
+- **Format:** Alphanumeric string provided by GitHub
+- **Setup:** Obtain from [GitHub Developer Settings](https://github.com/settings/developers)
+- **Required:** Yes (when `GITHUB_LOGIN_ENABLED=true`)
+**Example:** `GITHUB_CLIENT_ID=Iv1.a1b2c3d4e5f6g7h8`
+#### GITHUB_CLIENT_SECRET
+**Description:** OAuth application client secret from GitHub.
+- **Purpose:** Authenticates your application with GitHub's OAuth service
+- **Security:** Keep this secret secure and never commit to version control
+- **Format:** Alphanumeric string provided by GitHub
+- **Setup:** Generated when creating OAuth app in GitHub Developer Settings
+- **Required:** Yes (when `GITHUB_LOGIN_ENABLED=true`)
+**Example:** `GITHUB_CLIENT_SECRET=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0`
+### Setting Up GitHub OAuth
+1. **Create GitHub OAuth App:**
+   - Go to [GitHub Developer Settings](https://github.com/settings/developers)
+   - Click "New OAuth App"
+   - Fill in application details:
+     - **Application name:** Your app name
+     - **Homepage URL:** `https://yourdomain.com` (or `http://localhost:3000` for dev)
+     - **Authorization callback URL:** `https://yourdomain.com/auth/github/callback`
+   - Click "Register application"
+2. **Copy Credentials:**
+   - Copy the **Client ID**
+   - Generate and copy the **Client Secret**
+3. **Configure Environment:**
+   ```env
+   GITHUB_LOGIN_ENABLED=true
+   GITHUB_CLIENT_ID=your-copied-client-id
+   GITHUB_CLIENT_SECRET=your-copied-client-secret
+   ```
+**Security Notes:**
+- Use separate OAuth apps for development and production environments
+- Rotate client secrets periodically
+- Never expose client secrets in client-side code
+---
 ## 🚀 Quick Setup Examples
 ### Development Environment

package/lib/main.js CHANGED Viewed

@@ -46,8 +46,8 @@ router.use((req, res, next) => {
       const originUrl = new URL(origin);
       const allowedDomain = `.${mbkautheVar.DOMAIN}`;
       // Exact match or subdomain match (must end with .domain.com, not just domain.com)
-      if (originUrl.hostname === mbkautheVar.DOMAIN ||
-          (originUrl.hostname.endsWith(allowedDomain) && originUrl.hostname.charAt(originUrl.hostname.length - allowedDomain.length - 1) !== '.')) {
+      if (originUrl.hostname === mbkautheVar.DOMAIN ||
+        (originUrl.hostname.endsWith(allowedDomain) && originUrl.hostname.charAt(originUrl.hostname.length - allowedDomain.length - 1) !== '.')) {
         res.header('Access-Control-Allow-Origin', origin);
         res.header('Access-Control-Allow-Credentials', 'true');
         res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');
@@ -162,8 +162,8 @@ const getClearCookieOptions = () => ({
   httpOnly: true
 });
-router.get('/mbkauthe/test', validateSession, LoginLimit, async(req, res) => {
-  if(req.session?.user) {
+router.get('/mbkauthe/test', validateSession, LoginLimit, async (req, res) => {
+  if (req.session?.user) {
     return res.send(`
       <head> <script src="/mbkauthe/main.js"></script> </head>
       <p>if you are seeing this page than User is logged in.</p>
@@ -197,16 +197,18 @@ async function completeLoginProcess(req, res, user, redirectUrl = null) {
     });
     // Delete all old sessions for this user from session table
-    await dblogin.query({
-      name: 'login-delete-old-user-sessions',
-      text: 'DELETE FROM "session" WHERE sess::text LIKE $1',
-      values: [`%"username":"${username}"%`]
+    await dblogin.query({
+      name: 'login-delete-old-user-sessions',
+      text: 'DELETE FROM "session" WHERE sess::text LIKE $1',
+      values: [`%"username":"${username}"%`]
     });
-    await dblogin.query({ name: 'login-update-session-id', text: `UPDATE "Users" SET "SessionId" = $1 WHERE "id" = $2`, values: [
-      sessionId,
-      user.id,
-    ] });
+    await dblogin.query({
+      name: 'login-update-session-id', text: `UPDATE "Users" SET "SessionId" = $1 WHERE "id" = $2`, values: [
+        sessionId,
+        user.id,
+      ]
+    });
     req.session.user = {
       id: user.id,
@@ -541,11 +543,11 @@ router.get(["/mbkauthe/info", "/mbkauthe/i"], LoginLimit, async (req, res) => {
   let latestVersion;
   const parameters = req.query;
   let authorized = false;
   if (parameters.password && mbkautheVar.Main_SECRET_TOKEN) {
     authorized = String(parameters.password) === String(mbkautheVar.Main_SECRET_TOKEN);
   }
   try {
     latestVersion = await getLatestVersion();
     //latestVersion = "Under Development"; // Placeholder for the latest version
@@ -579,69 +581,69 @@ router.get(["/mbkauthe/info", "/mbkauthe/i"], LoginLimit, async (req, res) => {
 // Configure GitHub Strategy for login
 passport.use('github-login', new GitHubStrategy({
-    clientID: process.env.GITHUB_CLIENT_ID,
-    clientSecret: process.env.GITHUB_CLIENT_SECRET,
-    callbackURL: '/mbkauthe/api/github/login/callback',
-    scope: ['user:email']
+  clientID: mbkautheVar.GITHUB_CLIENT_ID,
+  clientSecret: mbkautheVar.GITHUB_CLIENT_SECRET,
+  callbackURL: '/mbkauthe/api/github/login/callback',
+  scope: ['user:email']
 },
-    async (accessToken, refreshToken, profile, done) => {
-        try {
-            // Check if this GitHub account is linked to any user
-            const githubUser = await dblogin.query({
-                name: 'github-login-get-user',
-                text: 'SELECT ug.*, u."UserName", u."Role", u."Active", u."AllowedApps", u."id" FROM user_github ug JOIN "Users" u ON ug.user_name = u."UserName" WHERE ug.github_id = $1',
-                values: [profile.id]
-            });
+  async (accessToken, refreshToken, profile, done) => {
+    try {
+      // Check if this GitHub account is linked to any user
+      const githubUser = await dblogin.query({
+        name: 'github-login-get-user',
+        text: 'SELECT ug.*, u."UserName", u."Role", u."Active", u."AllowedApps", u."id" FROM user_github ug JOIN "Users" u ON ug.user_name = u."UserName" WHERE ug.github_id = $1',
+        values: [profile.id]
+      });
-            if (githubUser.rows.length === 0) {
-                // GitHub account is not linked to any user
-                const error = new Error('GitHub account not linked to any user');
-                error.code = 'GITHUB_NOT_LINKED';
-                return done(error);
-            }
-            const user = githubUser.rows[0];
-            // Check if the user account is active
-            if (!user.Active) {
-                const error = new Error('Account is inactive');
-                error.code = 'ACCOUNT_INACTIVE';
-                return done(error);
-            }
-            // Check if user is authorized for this app (same logic as regular login)
-            if (user.Role !== "SuperAdmin") {
-                const allowedApps = user.AllowedApps;
-                if (!allowedApps || !allowedApps.some(app => app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
-                    const error = new Error(`Not authorized to use ${mbkautheVar.APP_NAME}`);
-                    error.code = 'NOT_AUTHORIZED';
-                    return done(error);
-                }
-            }
-            // Return user data for login
-            return done(null, {
-                id: user.id, // This should be the user ID from the Users table
-                username: user.UserName,
-                role: user.Role,
-                githubId: user.github_id,
-                githubUsername: user.github_username
-            });
-        } catch (err) {
-            console.error('[mbkauthe] GitHub login error:', err);
-            err.code = err.code || 'GITHUB_AUTH_ERROR';
-            return done(err);
+      if (githubUser.rows.length === 0) {
+        // GitHub account is not linked to any user
+        const error = new Error('GitHub account not linked to any user');
+        error.code = 'GITHUB_NOT_LINKED';
+        return done(error);
+      }
+      const user = githubUser.rows[0];
+      // Check if the user account is active
+      if (!user.Active) {
+        const error = new Error('Account is inactive');
+        error.code = 'ACCOUNT_INACTIVE';
+        return done(error);
+      }
+      // Check if user is authorized for this app (same logic as regular login)
+      if (user.Role !== "SuperAdmin") {
+        const allowedApps = user.AllowedApps;
+        if (!allowedApps || !allowedApps.some(app => app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
+          const error = new Error(`Not authorized to use ${mbkautheVar.APP_NAME}`);
+          error.code = 'NOT_AUTHORIZED';
+          return done(error);
         }
+      }
+      // Return user data for login
+      return done(null, {
+        id: user.id, // This should be the user ID from the Users table
+        username: user.UserName,
+        role: user.Role,
+        githubId: user.github_id,
+        githubUsername: user.github_username
+      });
+    } catch (err) {
+      console.error('[mbkauthe] GitHub login error:', err);
+      err.code = err.code || 'GITHUB_AUTH_ERROR';
+      return done(err);
     }
+  }
 ));
 // Serialize/Deserialize user for GitHub login
 passport.serializeUser((user, done) => {
-    done(null, user);
+  done(null, user);
 });
 passport.deserializeUser((user, done) => {
-    done(null, user);
+  done(null, user);
 });
 // Initialize passport
@@ -650,212 +652,226 @@ router.use(passport.session());
 // GitHub login initiation
 router.get('/mbkauthe/api/github/login', GitHubOAuthLimit, (req, res, next) => {
+  if (mbkautheVar.GITHUB_LOGIN_ENABLED) {
     // Store redirect parameter in session before OAuth flow (validate to prevent open redirect)
     const redirect = req.query.redirect;
     if (redirect && typeof redirect === 'string') {
-        // Only allow relative URLs or same-origin URLs to prevent open redirect attacks
-        if (redirect.startsWith('/') && !redirect.startsWith('//')) {
-            req.session.oauthRedirect = redirect;
-        } else {
-            console.warn(`[mbkauthe] Invalid redirect parameter rejected: ${redirect}`);
-        }
+      // Only allow relative URLs or same-origin URLs to prevent open redirect attacks
+      if (redirect.startsWith('/') && !redirect.startsWith('//')) {
+        req.session.oauthRedirect = redirect;
+      } else {
+        console.warn(`[mbkauthe] Invalid redirect parameter rejected: ${redirect}`);
+      }
     }
     passport.authenticate('github-login')(req, res, next);
+  }
+  else {
+    res.status(403).render('Error/dError.handlebars', {
+      layout: false,
+      code: '403',
+      error: 'GitHub Login Disabled',
+      message: 'GitHub login is currently disabled. Please use your username and password to log in.',
+      page: '/mbkauthe/login',
+      pagename: 'Login',
+      version: packageJson.version,
+      app: mbkautheVar.APP_NAME
+    });
+  }
 });
 // GitHub login callback
 router.get('/mbkauthe/api/github/login/callback',
-    GitHubOAuthLimit,
-    (req, res, next) => {
-        passport.authenticate('github-login', {
-            session: false // We'll handle session manually
-        }, (err, user, info) => {
-            // Custom error handling for passport authentication
-            if (err) {
-                console.error('[mbkauthe] GitHub authentication error:', err);
-                // Map error codes to user-friendly messages
-                switch(err.code) {
-                    case 'GITHUB_NOT_LINKED':
-                        return res.status(403).render('Error/dError.handlebars', {
-                            layout: false,
-                            code: '403',
-                            error: 'GitHub Account Not Linked',
-                            message: 'Your GitHub account is not linked to any user in our system. To link your GitHub account, a User must connect their GitHub account to mbktech account through the user settings.',
-                            page: '/mbkauthe/login',
-                            pagename: 'Login',
-                            version: packageJson.version,
-                            app: mbkautheVar.APP_NAME
-                        });
-                    case 'ACCOUNT_INACTIVE':
-                        return res.status(403).render('Error/dError.handlebars', {
-                            layout: false,
-                            code: '403',
-                            error: 'Account Inactive',
-                            message: 'Your account has been deactivated. Please contact your administrator.',
-                            page: '/mbkauthe/login',
-                            pagename: 'Login',
-                            version: packageJson.version,
-                            app: mbkautheVar.APP_NAME
-                        });
-                    case 'NOT_AUTHORIZED':
-                        return res.status(403).render('Error/dError.handlebars', {
-                            layout: false,
-                            code: '403',
-                            error: 'Not Authorized',
-                            message: `You are not authorized to access ${mbkautheVar.APP_NAME}. Please contact your administrator.`,
-                            page: '/mbkauthe/login',
-                            pagename: 'Login',
-                            version: packageJson.version,
-                            app: mbkautheVar.APP_NAME
-                        });
-                    default:
-                        return res.status(500).render('Error/dError.handlebars', {
-                            layout: false,
-                            code: '500',
-                            error: 'Authentication Error',
-                            message: 'An error occurred during GitHub authentication. Please try again.',
-                            page: '/mbkauthe/login',
-                            pagename: 'Login',
-                            version: packageJson.version,
-                            app: mbkautheVar.APP_NAME,
-                            details: process.env.NODE_ENV === 'development' ? `${err.message}\n${err.stack}` : 'Error details hidden in production'
-                        });
-                }
-            }
-            if (!user) {
-                console.error('[mbkauthe] GitHub callback: No user data received');
-                return res.status(401).render('Error/dError.handlebars', {
-                    layout: false,
-                    code: '401',
-                    error: 'Authentication Failed',
-                    message: 'GitHub authentication failed. Please try again.',
-                    page: '/mbkauthe/login',
-                    pagename: 'Login',
-                    version: packageJson.version,
-                    app: mbkautheVar.APP_NAME
-                });
-            }
-            // Authentication successful, attach user to request
-            req.user = user;
-            next();
-        })(req, res, next);
-    },
-    async (req, res) => {
-        try {
-            const githubUser = req.user;
-            // Find the actual user record with named query
-            const userQuery = `SELECT id, "UserName", "Active", "Role", "AllowedApps" FROM "Users" WHERE "UserName" = $1`;
-            const userResult = await dblogin.query({
-                name: 'github-callback-get-user',
-                text: userQuery,
-                values: [githubUser.username]
+  GitHubOAuthLimit,
+  (req, res, next) => {
+    passport.authenticate('github-login', {
+      session: false // We'll handle session manually
+    }, (err, user, info) => {
+      // Custom error handling for passport authentication
+      if (err) {
+        console.error('[mbkauthe] GitHub authentication error:', err);
+        // Map error codes to user-friendly messages
+        switch (err.code) {
+          case 'GITHUB_NOT_LINKED':
+            return res.status(403).render('Error/dError.handlebars', {
+              layout: false,
+              code: '403',
+              error: 'GitHub Account Not Linked',
+              message: 'Your GitHub account is not linked to any user in our system. To link your GitHub account, a User must connect their GitHub account to mbktech account through the user settings.',
+              page: '/mbkauthe/login',
+              pagename: 'Login',
+              version: packageJson.version,
+              app: mbkautheVar.APP_NAME
+            });
+          case 'ACCOUNT_INACTIVE':
+            return res.status(403).render('Error/dError.handlebars', {
+              layout: false,
+              code: '403',
+              error: 'Account Inactive',
+              message: 'Your account has been deactivated. Please contact your administrator.',
+              page: '/mbkauthe/login',
+              pagename: 'Login',
+              version: packageJson.version,
+              app: mbkautheVar.APP_NAME
             });
-            if (userResult.rows.length === 0) {
-                console.error(`[mbkauthe] GitHub login: User not found: ${githubUser.username}`);
-                return res.status(404).render('Error/dError.handlebars', {
-                    layout: false,
-                    code: '404',
-                    error: 'User Not Found',
-                    message: 'Your GitHub account is linked, but the user account no longer exists in our system.',
-                    page: '/mbkauthe/login',
-                    pagename: 'Login',
-                    version: packageJson.version,
-                    app: mbkautheVar.APP_NAME,
-                    details: `GitHub username: ${githubUser.username}\nPlease contact your administrator.`
-                });
-            }
-            const user = userResult.rows[0];
-            // Check 2FA if enabled
-            if ((mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLowerCase() === "true") {
-                const twoFAQuery = `SELECT "TwoFAStatus" FROM "TwoFA" WHERE "UserName" = $1`;
-                const twoFAResult = await dblogin.query({
-                    name: 'github-check-2fa-status',
-                    text: twoFAQuery,
-                    values: [githubUser.username]
-                });
-                if (twoFAResult.rows.length > 0 && twoFAResult.rows[0].TwoFAStatus) {
-                    // 2FA is enabled, store pre-auth user and redirect to 2FA
-                    req.session.preAuthUser = {
-                        id: user.id,
-                        username: user.UserName,
-                        UserName: user.UserName,
-                        role: user.Role,
-                        Role: user.Role,
-                        loginMethod: 'github'
-                    };
-                    console.log(`[mbkauthe] GitHub login: 2FA required for user: ${githubUser.username}`);
-                    return res.redirect('/mbkauthe/2fa');
-                }
-            }
-            // Complete login process using the shared function
-            const userForSession = {
-                id: user.id,
-                username: user.UserName,
-                UserName: user.UserName,
-                role: user.Role,
-                Role: user.Role
-            };
-            // For OAuth redirect flow, we need to handle redirect differently
-            // Store the redirect URL before calling completeLoginProcess
-            const oauthRedirect = req.session.oauthRedirect;
-            delete req.session.oauthRedirect;
-            // Custom response handler for OAuth flow - wrap the response object
-            const originalJson = res.json.bind(res);
-            const originalStatus = res.status.bind(res);
-            let statusCode = 200;
-            res.status = function(code) {
-                statusCode = code;
-                return originalStatus(code);
-            };
-            res.json = function(data) {
-                if (data.success && statusCode === 200) {
-                    // If login successful, redirect instead of sending JSON
-                    const redirectUrl = oauthRedirect || mbkautheVar.loginRedirectURL || '/home';
-                    console.log(`[mbkauthe] GitHub login: Redirecting to ${redirectUrl}`);
-                    // Restore original methods before redirect
-                    res.json = originalJson;
-                    res.status = originalStatus;
-                    return res.redirect(redirectUrl);
-                }
-                // Restore original methods for error responses
-                res.json = originalJson;
-                res.status = originalStatus;
-                return originalJson(data);
-            };
-            await completeLoginProcess(req, res, userForSession);
-        } catch (err) {
-            console.error('[mbkauthe] GitHub login callback error:', err);
+          case 'NOT_AUTHORIZED':
+            return res.status(403).render('Error/dError.handlebars', {
+              layout: false,
+              code: '403',
+              error: 'Not Authorized',
+              message: `You are not authorized to access ${mbkautheVar.APP_NAME}. Please contact your administrator.`,
+              page: '/mbkauthe/login',
+              pagename: 'Login',
+              version: packageJson.version,
+              app: mbkautheVar.APP_NAME
+            });
+          default:
             return res.status(500).render('Error/dError.handlebars', {
-                layout: false,
-                code: '500',
-                error: 'Internal Server Error',
-                message: 'An error occurred during GitHub authentication. Please try again.',
-                page: '/mbkauthe/login',
-                pagename: 'Login',
-                version: packageJson.version,
-                app: mbkautheVar.APP_NAME,
-                details: process.env.NODE_ENV === 'development' ? `${err.message}\n${err.stack}` : 'Error details hidden in production'
+              layout: false,
+              code: '500',
+              error: 'Authentication Error',
+              message: 'An error occurred during GitHub authentication. Please try again.',
+              page: '/mbkauthe/login',
+              pagename: 'Login',
+              version: packageJson.version,
+              app: mbkautheVar.APP_NAME,
+              details: process.env.NODE_ENV === 'development' ? `${err.message}\n${err.stack}` : 'Error details hidden in production'
             });
         }
+      }
+      if (!user) {
+        console.error('[mbkauthe] GitHub callback: No user data received');
+        return res.status(401).render('Error/dError.handlebars', {
+          layout: false,
+          code: '401',
+          error: 'Authentication Failed',
+          message: 'GitHub authentication failed. Please try again.',
+          page: '/mbkauthe/login',
+          pagename: 'Login',
+          version: packageJson.version,
+          app: mbkautheVar.APP_NAME
+        });
+      }
+      // Authentication successful, attach user to request
+      req.user = user;
+      next();
+    })(req, res, next);
+  },
+  async (req, res) => {
+    try {
+      const githubUser = req.user;
+      // Find the actual user record with named query
+      const userQuery = `SELECT id, "UserName", "Active", "Role", "AllowedApps" FROM "Users" WHERE "UserName" = $1`;
+      const userResult = await dblogin.query({
+        name: 'github-callback-get-user',
+        text: userQuery,
+        values: [githubUser.username]
+      });
+      if (userResult.rows.length === 0) {
+        console.error(`[mbkauthe] GitHub login: User not found: ${githubUser.username}`);
+        return res.status(404).render('Error/dError.handlebars', {
+          layout: false,
+          code: '404',
+          error: 'User Not Found',
+          message: 'Your GitHub account is linked, but the user account no longer exists in our system.',
+          page: '/mbkauthe/login',
+          pagename: 'Login',
+          version: packageJson.version,
+          app: mbkautheVar.APP_NAME,
+          details: `GitHub username: ${githubUser.username}\nPlease contact your administrator.`
+        });
+      }
+      const user = userResult.rows[0];
+      // Check 2FA if enabled
+      if ((mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLowerCase() === "true") {
+        const twoFAQuery = `SELECT "TwoFAStatus" FROM "TwoFA" WHERE "UserName" = $1`;
+        const twoFAResult = await dblogin.query({
+          name: 'github-check-2fa-status',
+          text: twoFAQuery,
+          values: [githubUser.username]
+        });
+        if (twoFAResult.rows.length > 0 && twoFAResult.rows[0].TwoFAStatus) {
+          // 2FA is enabled, store pre-auth user and redirect to 2FA
+          req.session.preAuthUser = {
+            id: user.id,
+            username: user.UserName,
+            UserName: user.UserName,
+            role: user.Role,
+            Role: user.Role,
+            loginMethod: 'github'
+          };
+          console.log(`[mbkauthe] GitHub login: 2FA required for user: ${githubUser.username}`);
+          return res.redirect('/mbkauthe/2fa');
+        }
+      }
+      // Complete login process using the shared function
+      const userForSession = {
+        id: user.id,
+        username: user.UserName,
+        UserName: user.UserName,
+        role: user.Role,
+        Role: user.Role
+      };
+      // For OAuth redirect flow, we need to handle redirect differently
+      // Store the redirect URL before calling completeLoginProcess
+      const oauthRedirect = req.session.oauthRedirect;
+      delete req.session.oauthRedirect;
+      // Custom response handler for OAuth flow - wrap the response object
+      const originalJson = res.json.bind(res);
+      const originalStatus = res.status.bind(res);
+      let statusCode = 200;
+      res.status = function (code) {
+        statusCode = code;
+        return originalStatus(code);
+      };
+      res.json = function (data) {
+        if (data.success && statusCode === 200) {
+          // If login successful, redirect instead of sending JSON
+          const redirectUrl = oauthRedirect || mbkautheVar.loginRedirectURL || '/home';
+          console.log(`[mbkauthe] GitHub login: Redirecting to ${redirectUrl}`);
+          // Restore original methods before redirect
+          res.json = originalJson;
+          res.status = originalStatus;
+          return res.redirect(redirectUrl);
+        }
+        // Restore original methods for error responses
+        res.json = originalJson;
+        res.status = originalStatus;
+        return originalJson(data);
+      };
+      await completeLoginProcess(req, res, userForSession);
+    } catch (err) {
+      console.error('[mbkauthe] GitHub login callback error:', err);
+      return res.status(500).render('Error/dError.handlebars', {
+        layout: false,
+        code: '500',
+        error: 'Internal Server Error',
+        message: 'An error occurred during GitHub authentication. Please try again.',
+        page: '/mbkauthe/login',
+        pagename: 'Login',
+        version: packageJson.version,
+        app: mbkautheVar.APP_NAME,
+        details: process.env.NODE_ENV === 'development' ? `${err.message}\n${err.stack}` : 'Error details hidden in production'
+      });
     }
+  }
 );
 export { getLatestVersion };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "mbkauthe",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "MBKTech's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",

package/views/loginmbkauthe.handlebars CHANGED Viewed

@@ -68,6 +68,7 @@
                 <button type="submit" class="btn-login" id="loginButton">
                     <span id="loginButtonText">Login</span>
                 </button>
+                {{#if githubLoginEnabled }}
                 <div class="social-login">
                     <div class="divider">
                         <span>or</span>
@@ -78,7 +79,7 @@
                         <span>Continue with GitHub</span>
                     </a>
                 </div>
+                {{/if }}
                 <div class="remember-me">
                     <input type="checkbox" id="rememberMe" name="rememberMe">
                     <label for="rememberMe">Remember me</label>
@@ -272,6 +273,8 @@
             }
         });
+        {{#if githubLoginEnabled }}
         // GitHub login: Attempt to POST redirect to backend, fallback to direct navigation
         async function startGithubLogin() {
             const urlParams = new URLSearchParams(window.location.search);
@@ -310,6 +313,7 @@
         const githubBtn = document.getElementById('githubLoginBtn');
         if (githubBtn) githubBtn.addEventListener('click', startGithubLogin);
+        {{/if }}
     </script>
 </body>