mbkauthe 2.0.0 → 2.1.0

package/.env.example

@@ -1,12 +1,3 @@
-mbkautheVar='{
-    "APP_NAME": "MBKAUTH",
-    "SESSION_SECRET_KEY": "your-session-secret-key",
-    "IS_DEPLOYED": "true",
-    "LOGIN_DB": "postgres://username:password@host:port/database",
-    "MBKAUTH_TWO_FA_ENABLE": "false",
-    "COOKIE_EXPIRE_TIME": 2,
-    "DOMAIN": "yourdomain.com",
-    "loginRedirectURL": "/admin"
-}'
+mbkautheVar={"APP_NAME":"mbkauthe","Main_SECRET_TOKEN": 123,"SESSION_SECRET_KEY":"123","IS_DEPLOYED":"true","LOGIN_DB":"postgres://","MBKAUTH_TWO_FA_ENABLE":"true","COOKIE_EXPIRE_TIME":2,"DOMAIN":"mbktech.org","loginRedirectURL":"/mbkauthe/test","GITHUB_LOGIN_ENABLED":"true","GITHUB_CLIENT_ID":"","GITHUB_CLIENT_SECRET":""}
 
 # See env.md for more details

package/docs/db.md

@@ -12,8 +12,6 @@ Add these to your `.env` file:
 # GitHub OAuth App Configuration
 GITHUB_CLIENT_ID=your_github_client_id
 GITHUB_CLIENT_SECRET=your_github_client_secret
-GITHUB_LOGIN_CALLBACK_URL=https://yourdomain.com/mbkauthe/api/github/login/callback
-BASE_URL=https://yourdomain.com
 ```
 
 ### 2. GitHub OAuth App Setup
@@ -109,10 +107,6 @@ The login page now includes:
 # Required for GitHub Login
 GITHUB_CLIENT_ID=your_github_client_id
 GITHUB_CLIENT_SECRET=your_github_client_secret
-GITHUB_LOGIN_CALLBACK_URL=https://yourdomain.com/mbkauthe/api/github/login/callback
-
-# Optional (used as fallback)
-BASE_URL=https://yourdomain.com
 ```
 
 The GitHub login feature is now fully integrated into your mbkauthe system and ready to use!

package/env.md

@@ -138,6 +138,74 @@ COOKIE_EXPIRE_TIME=30  # 1 month (convenience)
 
 ---
 
+## 🐙 GitHub OAuth Authentication
+
+### GitHub Login Configuration
+```env
+GITHUB_LOGIN_ENABLED=false
+GITHUB_CLIENT_ID=your-github-client-id
+GITHUB_CLIENT_SECRET=your-github-client-secret
+```
+
+#### GITHUB_LOGIN_ENABLED
+**Description:** Enables or disables GitHub OAuth login functionality.
+
+**Values:**
+- `true` - Enable GitHub login (users can authenticate via GitHub)
+- `false` - Disable GitHub login (default)
+
+**Required:** Yes (if using GitHub authentication)
+
+#### GITHUB_CLIENT_ID
+**Description:** OAuth application client ID from GitHub.
+
+- **Purpose:** Identifies your application to GitHub's OAuth service
+- **Format:** Alphanumeric string provided by GitHub
+- **Setup:** Obtain from [GitHub Developer Settings](https://github.com/settings/developers)
+- **Required:** Yes (when `GITHUB_LOGIN_ENABLED=true`)
+
+**Example:** `GITHUB_CLIENT_ID=Iv1.a1b2c3d4e5f6g7h8`
+
+#### GITHUB_CLIENT_SECRET
+**Description:** OAuth application client secret from GitHub.
+
+- **Purpose:** Authenticates your application with GitHub's OAuth service
+- **Security:** Keep this secret secure and never commit to version control
+- **Format:** Alphanumeric string provided by GitHub
+- **Setup:** Generated when creating OAuth app in GitHub Developer Settings
+- **Required:** Yes (when `GITHUB_LOGIN_ENABLED=true`)
+
+**Example:** `GITHUB_CLIENT_SECRET=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0`
+
+### Setting Up GitHub OAuth
+
+1. **Create GitHub OAuth App:**
+   - Go to [GitHub Developer Settings](https://github.com/settings/developers)
+   - Click "New OAuth App"
+   - Fill in application details:
+     - **Application name:** Your app name
+     - **Homepage URL:** `https://yourdomain.com` (or `http://localhost:3000` for dev)
+     - **Authorization callback URL:** `https://yourdomain.com/auth/github/callback`
+   - Click "Register application"
+
+2. **Copy Credentials:**
+   - Copy the **Client ID**
+   - Generate and copy the **Client Secret**
+
+3. **Configure Environment:**
+   ```env
+   GITHUB_LOGIN_ENABLED=true
+   GITHUB_CLIENT_ID=your-copied-client-id
+   GITHUB_CLIENT_SECRET=your-copied-client-secret
+   ```
+
+**Security Notes:**
+- Use separate OAuth apps for development and production environments
+- Rotate client secrets periodically
+- Never expose client secrets in client-side code
+
+---
+
 ## 🚀 Quick Setup Examples
 
 ### Development Environment

package/lib/main.js

@@ -15,6 +15,7 @@ import passport from 'passport';
 import GitHubStrategy from 'passport-github2';
 
 import { createRequire } from "module";
+import { fileURLToPath } from "url";
 import fs from "fs";
 import path from "path";
 
@@ -31,8 +32,22 @@ router.use(express.json());
 router.use(express.urlencoded({ extended: true }));
 router.use(cookieParser());
 
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
 router.get('/mbkauthe/main.js', (req, res) => {
-  res.sendFile(path.join(process.cwd(), 'public', 'main.js'));
+  res.sendFile(path.join(__dirname, '..', 'public', 'main.js'));
+});
+
+router.get("/mbkauthe/bg.avif", (req, res) => {
+  const imgPath = path.join(__dirname, "..", "public", "bg.avif");
+  res.setHeader('Content-Type', 'image/avif');
+  res.setHeader('Cache-Control', 'public, max-age=31536000');
+  const stream = fs.createReadStream(imgPath);
+  stream.on('error', (err) => {
+    console.error('[mbkauthe] Error streaming bg.avif:', err);
+    res.status(404).send('Image not found');
+  });
+  stream.pipe(res);
 });
 
 // CSRF protection middleware
@@ -46,8 +61,8 @@ router.use((req, res, next) => {
       const originUrl = new URL(origin);
       const allowedDomain = `.${mbkautheVar.DOMAIN}`;
       // Exact match or subdomain match (must end with .domain.com, not just domain.com)
-      if (originUrl.hostname === mbkautheVar.DOMAIN || 
-          (originUrl.hostname.endsWith(allowedDomain) && originUrl.hostname.charAt(originUrl.hostname.length - allowedDomain.length - 1) !== '.')) {
+      if (originUrl.hostname === mbkautheVar.DOMAIN ||
+        (originUrl.hostname.endsWith(allowedDomain) && originUrl.hostname.charAt(originUrl.hostname.length - allowedDomain.length - 1) !== '.')) {
         res.header('Access-Control-Allow-Origin', origin);
         res.header('Access-Control-Allow-Credentials', 'true');
         res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');
@@ -162,8 +177,8 @@ const getClearCookieOptions = () => ({
   httpOnly: true
 });
 
-router.get('/mbkauthe/test', validateSession, LoginLimit, async(req, res) => {
-  if(req.session?.user) {
+router.get('/mbkauthe/test', validateSession, LoginLimit, async (req, res) => {
+  if (req.session?.user) {
     return res.send(`
       <head> <script src="/mbkauthe/main.js"></script> </head>
       <p>if you are seeing this page than User is logged in.</p>
@@ -197,16 +212,18 @@ async function completeLoginProcess(req, res, user, redirectUrl = null) {
     });
 
     // Delete all old sessions for this user from session table
-    await dblogin.query({ 
-      name: 'login-delete-old-user-sessions', 
-      text: 'DELETE FROM "session" WHERE sess::text LIKE $1', 
-      values: [`%"username":"${username}"%`] 
+    await dblogin.query({
+      name: 'login-delete-old-user-sessions',
+      text: 'DELETE FROM "session" WHERE sess::text LIKE $1',
+      values: [`%"username":"${username}"%`]
     });
 
-    await dblogin.query({ name: 'login-update-session-id', text: `UPDATE "Users" SET "SessionId" = $1 WHERE "id" = $2`, values: [
-      sessionId,
-      user.id,
-    ] });
+    await dblogin.query({
+      name: 'login-update-session-id', text: `UPDATE "Users" SET "SessionId" = $1 WHERE "id" = $2`, values: [
+        sessionId,
+        user.id,
+      ]
+    });
 
     req.session.user = {
       id: user.id,
@@ -533,19 +550,15 @@ async function getLatestVersion() {
   }
 }
 
-router.get("/mbkauthe/bg.avif", (req, res) => {
-  res.sendFile("bg.avif", { root: path.join(process.cwd(), "public") });
-});
-
 router.get(["/mbkauthe/info", "/mbkauthe/i"], LoginLimit, async (req, res) => {
   let latestVersion;
   const parameters = req.query;
   let authorized = false;
-  
+
   if (parameters.password && mbkautheVar.Main_SECRET_TOKEN) {
     authorized = String(parameters.password) === String(mbkautheVar.Main_SECRET_TOKEN);
   }
-  
+
   try {
     latestVersion = await getLatestVersion();
     //latestVersion = "Under Development"; // Placeholder for the latest version
@@ -579,69 +592,69 @@ router.get(["/mbkauthe/info", "/mbkauthe/i"], LoginLimit, async (req, res) => {
 
 // Configure GitHub Strategy for login
 passport.use('github-login', new GitHubStrategy({
-    clientID: process.env.GITHUB_CLIENT_ID,
-    clientSecret: process.env.GITHUB_CLIENT_SECRET,
-    callbackURL: '/mbkauthe/api/github/login/callback',
-    scope: ['user:email']
+  clientID: mbkautheVar.GITHUB_CLIENT_ID,
+  clientSecret: mbkautheVar.GITHUB_CLIENT_SECRET,
+  callbackURL: '/mbkauthe/api/github/login/callback',
+  scope: ['user:email']
 },
-    async (accessToken, refreshToken, profile, done) => {
-        try {
-            // Check if this GitHub account is linked to any user
-            const githubUser = await dblogin.query({
-                name: 'github-login-get-user',
-                text: 'SELECT ug.*, u."UserName", u."Role", u."Active", u."AllowedApps", u."id" FROM user_github ug JOIN "Users" u ON ug.user_name = u."UserName" WHERE ug.github_id = $1',
-                values: [profile.id]
-            });
+  async (accessToken, refreshToken, profile, done) => {
+    try {
+      // Check if this GitHub account is linked to any user
+      const githubUser = await dblogin.query({
+        name: 'github-login-get-user',
+        text: 'SELECT ug.*, u."UserName", u."Role", u."Active", u."AllowedApps", u."id" FROM user_github ug JOIN "Users" u ON ug.user_name = u."UserName" WHERE ug.github_id = $1',
+        values: [profile.id]
+      });
 
-            if (githubUser.rows.length === 0) {
-                // GitHub account is not linked to any user
-                const error = new Error('GitHub account not linked to any user');
-                error.code = 'GITHUB_NOT_LINKED';
-                return done(error);
-            }
-
-            const user = githubUser.rows[0];
-            
-            // Check if the user account is active
-            if (!user.Active) {
-                const error = new Error('Account is inactive');
-                error.code = 'ACCOUNT_INACTIVE';
-                return done(error);
-            }
-
-            // Check if user is authorized for this app (same logic as regular login)
-            if (user.Role !== "SuperAdmin") {
-                const allowedApps = user.AllowedApps;
-                if (!allowedApps || !allowedApps.some(app => app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
-                    const error = new Error(`Not authorized to use ${mbkautheVar.APP_NAME}`);
-                    error.code = 'NOT_AUTHORIZED';
-                    return done(error);
-                }
-            }
-
-            // Return user data for login
-            return done(null, {
-                id: user.id, // This should be the user ID from the Users table
-                username: user.UserName,
-                role: user.Role,
-                githubId: user.github_id,
-                githubUsername: user.github_username
-            });
-        } catch (err) {
-            console.error('[mbkauthe] GitHub login error:', err);
-            err.code = err.code || 'GITHUB_AUTH_ERROR';
-            return done(err);
+      if (githubUser.rows.length === 0) {
+        // GitHub account is not linked to any user
+        const error = new Error('GitHub account not linked to any user');
+        error.code = 'GITHUB_NOT_LINKED';
+        return done(error);
+      }
+
+      const user = githubUser.rows[0];
+
+      // Check if the user account is active
+      if (!user.Active) {
+        const error = new Error('Account is inactive');
+        error.code = 'ACCOUNT_INACTIVE';
+        return done(error);
+      }
+
+      // Check if user is authorized for this app (same logic as regular login)
+      if (user.Role !== "SuperAdmin") {
+        const allowedApps = user.AllowedApps;
+        if (!allowedApps || !allowedApps.some(app => app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
+          const error = new Error(`Not authorized to use ${mbkautheVar.APP_NAME}`);
+          error.code = 'NOT_AUTHORIZED';
+          return done(error);
         }
+      }
+
+      // Return user data for login
+      return done(null, {
+        id: user.id, // This should be the user ID from the Users table
+        username: user.UserName,
+        role: user.Role,
+        githubId: user.github_id,
+        githubUsername: user.github_username
+      });
+    } catch (err) {
+      console.error('[mbkauthe] GitHub login error:', err);
+      err.code = err.code || 'GITHUB_AUTH_ERROR';
+      return done(err);
     }
+  }
 ));
 
 // Serialize/Deserialize user for GitHub login
 passport.serializeUser((user, done) => {
-    done(null, user);
+  done(null, user);
 });
 
 passport.deserializeUser((user, done) => {
-    done(null, user);
+  done(null, user);
 });
 
 // Initialize passport
@@ -650,212 +663,226 @@ router.use(passport.session());
 
 // GitHub login initiation
 router.get('/mbkauthe/api/github/login', GitHubOAuthLimit, (req, res, next) => {
+  if (mbkautheVar.GITHUB_LOGIN_ENABLED) {
     // Store redirect parameter in session before OAuth flow (validate to prevent open redirect)
     const redirect = req.query.redirect;
     if (redirect && typeof redirect === 'string') {
-        // Only allow relative URLs or same-origin URLs to prevent open redirect attacks
-        if (redirect.startsWith('/') && !redirect.startsWith('//')) {
-            req.session.oauthRedirect = redirect;
-        } else {
-            console.warn(`[mbkauthe] Invalid redirect parameter rejected: ${redirect}`);
-        }
+      // Only allow relative URLs or same-origin URLs to prevent open redirect attacks
+      if (redirect.startsWith('/') && !redirect.startsWith('//')) {
+        req.session.oauthRedirect = redirect;
+      } else {
+        console.warn(`[mbkauthe] Invalid redirect parameter rejected: ${redirect}`);
+      }
     }
     passport.authenticate('github-login')(req, res, next);
+  }
+  else {
+    res.status(403).render('Error/dError.handlebars', {
+      layout: false,
+      code: '403',
+      error: 'GitHub Login Disabled',
+      message: 'GitHub login is currently disabled. Please use your username and password to log in.',
+      page: '/mbkauthe/login',
+      pagename: 'Login',
+      version: packageJson.version,
+      app: mbkautheVar.APP_NAME
+    });
+  }
 });
 
 // GitHub login callback
 router.get('/mbkauthe/api/github/login/callback',
-    GitHubOAuthLimit,
-    (req, res, next) => {
-        passport.authenticate('github-login', { 
-            session: false // We'll handle session manually
-        }, (err, user, info) => {
-            // Custom error handling for passport authentication
-            if (err) {
-                console.error('[mbkauthe] GitHub authentication error:', err);
-                
-                // Map error codes to user-friendly messages
-                switch(err.code) {
-                    case 'GITHUB_NOT_LINKED':
-                        return res.status(403).render('Error/dError.handlebars', {
-                            layout: false,
-                            code: '403',
-                            error: 'GitHub Account Not Linked',
-                            message: 'Your GitHub account is not linked to any user in our system. To link your GitHub account, a User must connect their GitHub account to mbktech account through the user settings.',
-                            page: '/mbkauthe/login',
-                            pagename: 'Login',
-                            version: packageJson.version,
-                            app: mbkautheVar.APP_NAME
-                        });
-                    
-                    case 'ACCOUNT_INACTIVE':
-                        return res.status(403).render('Error/dError.handlebars', {
-                            layout: false,
-                            code: '403',
-                            error: 'Account Inactive',
-                            message: 'Your account has been deactivated. Please contact your administrator.',
-                            page: '/mbkauthe/login',
-                            pagename: 'Login',
-                            version: packageJson.version,
-                            app: mbkautheVar.APP_NAME
-                        });
-                    
-                    case 'NOT_AUTHORIZED':
-                        return res.status(403).render('Error/dError.handlebars', {
-                            layout: false,
-                            code: '403',
-                            error: 'Not Authorized',
-                            message: `You are not authorized to access ${mbkautheVar.APP_NAME}. Please contact your administrator.`,
-                            page: '/mbkauthe/login',
-                            pagename: 'Login',
-                            version: packageJson.version,
-                            app: mbkautheVar.APP_NAME
-                        });
-                    
-                    default:
-                        return res.status(500).render('Error/dError.handlebars', {
-                            layout: false,
-                            code: '500',
-                            error: 'Authentication Error',
-                            message: 'An error occurred during GitHub authentication. Please try again.',
-                            page: '/mbkauthe/login',
-                            pagename: 'Login',
-                            version: packageJson.version,
-                            app: mbkautheVar.APP_NAME,
-                            details: process.env.NODE_ENV === 'development' ? `${err.message}\n${err.stack}` : 'Error details hidden in production'
-                        });
-                }
-            }
-            
-            if (!user) {
-                console.error('[mbkauthe] GitHub callback: No user data received');
-                return res.status(401).render('Error/dError.handlebars', {
-                    layout: false,
-                    code: '401',
-                    error: 'Authentication Failed',
-                    message: 'GitHub authentication failed. Please try again.',
-                    page: '/mbkauthe/login',
-                    pagename: 'Login',
-                    version: packageJson.version,
-                    app: mbkautheVar.APP_NAME
-                });
-            }
-            
-            // Authentication successful, attach user to request
-            req.user = user;
-            next();
-        })(req, res, next);
-    },
-    async (req, res) => {
-        try {
-            const githubUser = req.user;
-            
-            // Find the actual user record with named query
-            const userQuery = `SELECT id, "UserName", "Active", "Role", "AllowedApps" FROM "Users" WHERE "UserName" = $1`;
-            const userResult = await dblogin.query({
-                name: 'github-callback-get-user',
-                text: userQuery,
-                values: [githubUser.username]
+  GitHubOAuthLimit,
+  (req, res, next) => {
+    passport.authenticate('github-login', {
+      session: false // We'll handle session manually
+    }, (err, user, info) => {
+      // Custom error handling for passport authentication
+      if (err) {
+        console.error('[mbkauthe] GitHub authentication error:', err);
+
+        // Map error codes to user-friendly messages
+        switch (err.code) {
+          case 'GITHUB_NOT_LINKED':
+            return res.status(403).render('Error/dError.handlebars', {
+              layout: false,
+              code: '403',
+              error: 'GitHub Account Not Linked',
+              message: 'Your GitHub account is not linked to any user in our system. To link your GitHub account, a User must connect their GitHub account to mbktech account through the user settings.',
+              page: '/mbkauthe/login',
+              pagename: 'Login',
+              version: packageJson.version,
+              app: mbkautheVar.APP_NAME
+            });
+
+          case 'ACCOUNT_INACTIVE':
+            return res.status(403).render('Error/dError.handlebars', {
+              layout: false,
+              code: '403',
+              error: 'Account Inactive',
+              message: 'Your account has been deactivated. Please contact your administrator.',
+              page: '/mbkauthe/login',
+              pagename: 'Login',
+              version: packageJson.version,
+              app: mbkautheVar.APP_NAME
             });
 
-            if (userResult.rows.length === 0) {
-                console.error(`[mbkauthe] GitHub login: User not found: ${githubUser.username}`);
-                return res.status(404).render('Error/dError.handlebars', {
-                    layout: false,
-                    code: '404',
-                    error: 'User Not Found',
-                    message: 'Your GitHub account is linked, but the user account no longer exists in our system.',
-                    page: '/mbkauthe/login',
-                    pagename: 'Login',
-                    version: packageJson.version,
-                    app: mbkautheVar.APP_NAME,
-                    details: `GitHub username: ${githubUser.username}\nPlease contact your administrator.`
-                });
-            }
-
-            const user = userResult.rows[0];
-
-            // Check 2FA if enabled
-            if ((mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLowerCase() === "true") {
-                const twoFAQuery = `SELECT "TwoFAStatus" FROM "TwoFA" WHERE "UserName" = $1`;
-                const twoFAResult = await dblogin.query({
-                    name: 'github-check-2fa-status',
-                    text: twoFAQuery,
-                    values: [githubUser.username]
-                });
-
-                if (twoFAResult.rows.length > 0 && twoFAResult.rows[0].TwoFAStatus) {
-                    // 2FA is enabled, store pre-auth user and redirect to 2FA
-                    req.session.preAuthUser = {
-                        id: user.id,
-                        username: user.UserName,
-                        UserName: user.UserName,
-                        role: user.Role,
-                        Role: user.Role,
-                        loginMethod: 'github'
-                    };
-                    console.log(`[mbkauthe] GitHub login: 2FA required for user: ${githubUser.username}`);
-                    return res.redirect('/mbkauthe/2fa');
-                }
-            }
-
-            // Complete login process using the shared function
-            const userForSession = {
-                id: user.id,
-                username: user.UserName,
-                UserName: user.UserName,
-                role: user.Role,
-                Role: user.Role
-            };
-
-            // For OAuth redirect flow, we need to handle redirect differently
-            // Store the redirect URL before calling completeLoginProcess
-            const oauthRedirect = req.session.oauthRedirect;
-            delete req.session.oauthRedirect;
-
-            // Custom response handler for OAuth flow - wrap the response object
-            const originalJson = res.json.bind(res);
-            const originalStatus = res.status.bind(res);
-            let statusCode = 200;
-            
-            res.status = function(code) {
-                statusCode = code;
-                return originalStatus(code);
-            };
-            
-            res.json = function(data) {
-                if (data.success && statusCode === 200) {
-                    // If login successful, redirect instead of sending JSON
-                    const redirectUrl = oauthRedirect || mbkautheVar.loginRedirectURL || '/home';
-                    console.log(`[mbkauthe] GitHub login: Redirecting to ${redirectUrl}`);
-                    // Restore original methods before redirect
-                    res.json = originalJson;
-                    res.status = originalStatus;
-                    return res.redirect(redirectUrl);
-                }
-                // Restore original methods for error responses
-                res.json = originalJson;
-                res.status = originalStatus;
-                return originalJson(data);
-            };
-
-            await completeLoginProcess(req, res, userForSession);
-
-        } catch (err) {
-            console.error('[mbkauthe] GitHub login callback error:', err);
+          case 'NOT_AUTHORIZED':
+            return res.status(403).render('Error/dError.handlebars', {
+              layout: false,
+              code: '403',
+              error: 'Not Authorized',
+              message: `You are not authorized to access ${mbkautheVar.APP_NAME}. Please contact your administrator.`,
+              page: '/mbkauthe/login',
+              pagename: 'Login',
+              version: packageJson.version,
+              app: mbkautheVar.APP_NAME
+            });
+
+          default:
             return res.status(500).render('Error/dError.handlebars', {
-                layout: false,
-                code: '500',
-                error: 'Internal Server Error',
-                message: 'An error occurred during GitHub authentication. Please try again.',
-                page: '/mbkauthe/login',
-                pagename: 'Login',
-                version: packageJson.version,
-                app: mbkautheVar.APP_NAME,
-                details: process.env.NODE_ENV === 'development' ? `${err.message}\n${err.stack}` : 'Error details hidden in production'
+              layout: false,
+              code: '500',
+              error: 'Authentication Error',
+              message: 'An error occurred during GitHub authentication. Please try again.',
+              page: '/mbkauthe/login',
+              pagename: 'Login',
+              version: packageJson.version,
+              app: mbkautheVar.APP_NAME,
+              details: process.env.NODE_ENV === 'development' ? `${err.message}\n${err.stack}` : 'Error details hidden in production'
             });
         }
+      }
+
+      if (!user) {
+        console.error('[mbkauthe] GitHub callback: No user data received');
+        return res.status(401).render('Error/dError.handlebars', {
+          layout: false,
+          code: '401',
+          error: 'Authentication Failed',
+          message: 'GitHub authentication failed. Please try again.',
+          page: '/mbkauthe/login',
+          pagename: 'Login',
+          version: packageJson.version,
+          app: mbkautheVar.APP_NAME
+        });
+      }
+
+      // Authentication successful, attach user to request
+      req.user = user;
+      next();
+    })(req, res, next);
+  },
+  async (req, res) => {
+    try {
+      const githubUser = req.user;
+
+      // Find the actual user record with named query
+      const userQuery = `SELECT id, "UserName", "Active", "Role", "AllowedApps" FROM "Users" WHERE "UserName" = $1`;
+      const userResult = await dblogin.query({
+        name: 'github-callback-get-user',
+        text: userQuery,
+        values: [githubUser.username]
+      });
+
+      if (userResult.rows.length === 0) {
+        console.error(`[mbkauthe] GitHub login: User not found: ${githubUser.username}`);
+        return res.status(404).render('Error/dError.handlebars', {
+          layout: false,
+          code: '404',
+          error: 'User Not Found',
+          message: 'Your GitHub account is linked, but the user account no longer exists in our system.',
+          page: '/mbkauthe/login',
+          pagename: 'Login',
+          version: packageJson.version,
+          app: mbkautheVar.APP_NAME,
+          details: `GitHub username: ${githubUser.username}\nPlease contact your administrator.`
+        });
+      }
+
+      const user = userResult.rows[0];
+
+      // Check 2FA if enabled
+      if ((mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLowerCase() === "true") {
+        const twoFAQuery = `SELECT "TwoFAStatus" FROM "TwoFA" WHERE "UserName" = $1`;
+        const twoFAResult = await dblogin.query({
+          name: 'github-check-2fa-status',
+          text: twoFAQuery,
+          values: [githubUser.username]
+        });
+
+        if (twoFAResult.rows.length > 0 && twoFAResult.rows[0].TwoFAStatus) {
+          // 2FA is enabled, store pre-auth user and redirect to 2FA
+          req.session.preAuthUser = {
+            id: user.id,
+            username: user.UserName,
+            UserName: user.UserName,
+            role: user.Role,
+            Role: user.Role,
+            loginMethod: 'github'
+          };
+          console.log(`[mbkauthe] GitHub login: 2FA required for user: ${githubUser.username}`);
+          return res.redirect('/mbkauthe/2fa');
+        }
+      }
+
+      // Complete login process using the shared function
+      const userForSession = {
+        id: user.id,
+        username: user.UserName,
+        UserName: user.UserName,
+        role: user.Role,
+        Role: user.Role
+      };
+
+      // For OAuth redirect flow, we need to handle redirect differently
+      // Store the redirect URL before calling completeLoginProcess
+      const oauthRedirect = req.session.oauthRedirect;
+      delete req.session.oauthRedirect;
+
+      // Custom response handler for OAuth flow - wrap the response object
+      const originalJson = res.json.bind(res);
+      const originalStatus = res.status.bind(res);
+      let statusCode = 200;
+
+      res.status = function (code) {
+        statusCode = code;
+        return originalStatus(code);
+      };
+
+      res.json = function (data) {
+        if (data.success && statusCode === 200) {
+          // If login successful, redirect instead of sending JSON
+          const redirectUrl = oauthRedirect || mbkautheVar.loginRedirectURL || '/home';
+          console.log(`[mbkauthe] GitHub login: Redirecting to ${redirectUrl}`);
+          // Restore original methods before redirect
+          res.json = originalJson;
+          res.status = originalStatus;
+          return res.redirect(redirectUrl);
+        }
+        // Restore original methods for error responses
+        res.json = originalJson;
+        res.status = originalStatus;
+        return originalJson(data);
+      };
+
+      await completeLoginProcess(req, res, userForSession);
+
+    } catch (err) {
+      console.error('[mbkauthe] GitHub login callback error:', err);
+      return res.status(500).render('Error/dError.handlebars', {
+        layout: false,
+        code: '500',
+        error: 'Internal Server Error',
+        message: 'An error occurred during GitHub authentication. Please try again.',
+        page: '/mbkauthe/login',
+        pagename: 'Login',
+        version: packageJson.version,
+        app: mbkautheVar.APP_NAME,
+        details: process.env.NODE_ENV === 'development' ? `${err.message}\n${err.stack}` : 'Error details hidden in production'
+      });
     }
+  }
 );
 
 export { getLatestVersion };

package/lib/pool.js

@@ -36,9 +36,9 @@ const poolConfig = {
   // - keep max small to avoid exhausting DB connections
   // - reduce idle time so connections are returned sooner
   // - set a short connection timeout to fail fast
-  max: 20,
+  max: 10,
   idleTimeoutMillis: 10000,
-  connectionTimeoutMillis: 5000,
+  connectionTimeoutMillis: 25000,
 };
 
 export const dblogin = new Pool(poolConfig);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mbkauthe",
-  "version": "2.0.0",
+  "version": "2.1.0",
   "description": "MBKTech's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",

package/views/loginmbkauthe.handlebars

@@ -68,6 +68,7 @@
                 <button type="submit" class="btn-login" id="loginButton">
                     <span id="loginButtonText">Login</span>
                 </button>
+                {{#if githubLoginEnabled }}
                 <div class="social-login">
                     <div class="divider">
                         <span>or</span>
@@ -78,7 +79,7 @@
                         <span>Continue with GitHub</span>
                     </a>
                 </div>
-
+                {{/if }}
                 <div class="remember-me">
                     <input type="checkbox" id="rememberMe" name="rememberMe">
                     <label for="rememberMe">Remember me</label>
@@ -272,6 +273,8 @@
             }
         });
 
+        {{#if githubLoginEnabled }}
+
         // GitHub login: Attempt to POST redirect to backend, fallback to direct navigation
         async function startGithubLogin() {
             const urlParams = new URLSearchParams(window.location.search);
@@ -310,6 +313,7 @@
 
         const githubBtn = document.getElementById('githubLoginBtn');
         if (githubBtn) githubBtn.addEventListener('click', startGithubLogin);
+        {{/if }}
     </script>
 </body>