mbkauthe 2.0.1 → 2.2.0

package/.env.example

@@ -1,3 +1,3 @@
-mbkautheVar={"APP_NAME":"mbkauthe","Main_SECRET_TOKEN": 123,"SESSION_SECRET_KEY":"123","IS_DEPLOYED":"true","LOGIN_DB":"postgres://","MBKAUTH_TWO_FA_ENABLE":"true","COOKIE_EXPIRE_TIME":2,"DOMAIN":"mbktech.org","loginRedirectURL":"/mbkauthe/test","GITHUB_LOGIN_ENABLED":"true","GITHUB_CLIENT_ID":"","GITHUB_CLIENT_SECRET":""}
+mbkautheVar={"APP_NAME":"mbkauthe","Main_SECRET_TOKEN": 123,"SESSION_SECRET_KEY":"123","IS_DEPLOYED":"true","LOGIN_DB":"postgres://","MBKAUTH_TWO_FA_ENABLE":"true","COOKIE_EXPIRE_TIME":2,"DOMAIN":"mbktech.org","loginRedirectURL":"/mbkauthe/test","GITHUB_LOGIN_ENABLED":"true","GITHUB_CLIENT_ID":"","GITHUB_CLIENT_SECRET":"","DEVICE_TRUST_DURATION_DAYS":7}
 
-# See env.md for more details
+# See docs/env.md for more details

package/README.md

@@ -13,6 +13,8 @@
 - 🔐 **Secure Authentication** - Password hashing with bcrypt
 - 🔑 **Session Management** - PostgreSQL-backed session storage
 - 📱 **Two-Factor Authentication (2FA)** - Optional TOTP-based 2FA with speakeasy
+- 🔄 **GitHub OAuth Integration** - Login with GitHub accounts (passport-github2)
+- 🖥️ **Trusted Devices** - Remember devices to skip 2FA on trusted devices
 - 👥 **Role-Based Access Control** - SuperAdmin, NormalUser, and Guest roles
 - 🎯 **Multi-Application Support** - Control user access across multiple apps
 - 🛡️ **Security Features** - CSRF protection, rate limiting, secure cookies
@@ -37,6 +39,7 @@ Create a `.env` file in your project root:
 # Application Configuration
 APP_NAME=your-app-name
 SESSION_SECRET_KEY=your-secure-random-secret-key
+MAIN_SECRET_TOKEN=your-api-secret-token
 IS_DEPLOYED=false
 DOMAIN=localhost
 
@@ -46,9 +49,15 @@ LOGIN_DB=postgresql://username:password@localhost:5432/database_name
 # Optional Features
 MBKAUTH_TWO_FA_ENABLE=false
 COOKIE_EXPIRE_TIME=2
+DEVICE_TRUST_DURATION_DAYS=7
+
+# GitHub OAuth (Optional)
+GITHUB_LOGIN_ENABLED=false
+GITHUB_CLIENT_ID=your-github-oauth-client-id
+GITHUB_CLIENT_SECRET=your-github-oauth-client-secret
 ```
 
-For detailed environment configuration, see [Environment Configuration Guide](env.md).
+For detailed environment configuration, see [Environment Configuration Guide](docs/env.md).
 
 ### 2. Set Up Database
 
@@ -66,11 +75,15 @@ CREATE TABLE "Users" (
     "Active" BOOLEAN DEFAULT FALSE,
     "AllowedApps" JSONB DEFAULT '["mbkauthe"]',
     "SessionId" VARCHAR(213),
-    "created_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
+    "created_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    "last_login" TIMESTAMP WITH TIME ZONE
 );
 
 -- Session table (created automatically by connect-pg-simple)
 -- TwoFA table (optional, if 2FA is enabled)
+-- TrustedDevices table (optional, for "Remember this device" feature)
+-- user_github table (optional, for GitHub OAuth integration)
 ```
 
 ### 3. Integrate with Your Express App
@@ -87,11 +100,16 @@ dotenv.config();
 process.env.mbkautheVar = JSON.stringify({
     APP_NAME: process.env.APP_NAME,
     SESSION_SECRET_KEY: process.env.SESSION_SECRET_KEY,
+    Main_SECRET_TOKEN: process.env.MAIN_SECRET_TOKEN,
     IS_DEPLOYED: process.env.IS_DEPLOYED,
     DOMAIN: process.env.DOMAIN,
     LOGIN_DB: process.env.LOGIN_DB,
     MBKAUTH_TWO_FA_ENABLE: process.env.MBKAUTH_TWO_FA_ENABLE,
     COOKIE_EXPIRE_TIME: process.env.COOKIE_EXPIRE_TIME || 2,
+    DEVICE_TRUST_DURATION_DAYS: process.env.DEVICE_TRUST_DURATION_DAYS || 7,
+    GITHUB_LOGIN_ENABLED: process.env.GITHUB_LOGIN_ENABLED,
+    GITHUB_CLIENT_ID: process.env.GITHUB_CLIENT_ID,
+    GITHUB_CLIENT_SECRET: process.env.GITHUB_CLIENT_SECRET,
     loginRedirectURL: '/dashboard' // Redirect after successful login
 });
 
@@ -165,6 +183,8 @@ MBKAuth automatically adds these routes to your app:
 - `POST /mbkauthe/api/logout` - Logout endpoint
 - `GET /mbkauthe/2fa` - Two-factor authentication page (if enabled)
 - `POST /mbkauthe/api/verify-2fa` - 2FA verification endpoint
+- `GET /mbkauthe/api/github/login` - Initiate GitHub OAuth login
+- `GET /mbkauthe/api/github/login/callback` - GitHub OAuth callback
 - `GET /mbkauthe/info` - MBKAuth version and configuration info
 - `POST /mbkauthe/api/terminateAllSessions` - Terminate all active sessions (authenticated)
 
@@ -174,6 +194,7 @@ MBKAuth automatically adds these routes to your app:
 - **Login attempts**: 8 attempts per minute
 - **Logout attempts**: 10 attempts per minute
 - **2FA attempts**: 5 attempts per minute
+- **GitHub OAuth attempts**: 10 attempts per 5 minutes
 
 ### CSRF Protection
 All POST routes are protected with CSRF tokens. CSRF tokens are automatically included in rendered forms.
@@ -212,6 +233,103 @@ CREATE TABLE "TwoFA" (
 );
 ```
 
+## 🔄 GitHub OAuth Integration
+
+### Overview
+Users can log in using their GitHub accounts if they have previously linked their GitHub account to their MBKAuth account.
+
+### Setup
+
+1. **Create GitHub OAuth App**:
+   - Go to GitHub Settings > Developer settings > OAuth Apps
+   - Create a new OAuth App
+   - Set callback URL: `https://yourdomain.com/mbkauthe/api/github/login/callback`
+   - Copy Client ID and Client Secret
+
+2. **Configure Environment**:
+```env
+GITHUB_LOGIN_ENABLED=true
+GITHUB_CLIENT_ID=your_github_client_id
+GITHUB_CLIENT_SECRET=your_github_client_secret
+```
+
+3. **Database Setup**:
+```sql
+CREATE TABLE user_github (
+    id SERIAL PRIMARY KEY,
+    user_name VARCHAR(50) REFERENCES "Users"("UserName"),
+    github_id VARCHAR(255) UNIQUE,
+    github_username VARCHAR(255),
+    access_token VARCHAR(255),
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+    updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
+);
+
+CREATE INDEX idx_user_github_github_id ON user_github (github_id);
+CREATE INDEX idx_user_github_user_name ON user_github (user_name);
+```
+
+### How It Works
+
+1. User clicks "Login with GitHub" on the login page
+2. User authenticates with GitHub
+3. System verifies the GitHub account is linked to an active user
+4. If 2FA is enabled, user is prompted for 2FA code
+5. Session is established upon successful authentication
+
+### Routes
+
+- `GET /mbkauthe/api/github/login` - Initiates GitHub OAuth flow
+- `GET /mbkauthe/api/github/login/callback` - Handles OAuth callback
+
+## 🖥️ Trusted Devices (Remember Device)
+
+### Overview
+The "Remember this device" feature allows users to skip 2FA verification on trusted devices for a configurable duration.
+
+### Configuration
+
+```env
+# Duration in days before device trust expires (default: 7 days)
+DEVICE_TRUST_DURATION_DAYS=7
+```
+
+### Database Setup
+
+```sql
+CREATE TABLE "TrustedDevices" (
+    "id" SERIAL PRIMARY KEY,
+    "UserName" VARCHAR(50) NOT NULL REFERENCES "Users"("UserName") ON DELETE CASCADE,
+    "DeviceToken" VARCHAR(64) UNIQUE NOT NULL,
+    "DeviceName" VARCHAR(255),
+    "UserAgent" TEXT,
+    "IpAddress" VARCHAR(45),
+    "CreatedAt" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    "ExpiresAt" TIMESTAMP WITH TIME ZONE NOT NULL,
+    "LastUsed" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE INDEX idx_trusted_devices_token ON "TrustedDevices"("DeviceToken");
+CREATE INDEX idx_trusted_devices_username ON "TrustedDevices"("UserName");
+CREATE INDEX idx_trusted_devices_expires ON "TrustedDevices"("ExpiresAt");
+```
+
+### How It Works
+
+1. After successful login and 2FA verification, user can check "Remember this device"
+2. A secure device token is generated and stored in cookies
+3. On subsequent logins from the same device, 2FA is skipped
+4. Device trust expires after configured duration
+5. Users can manage trusted devices through their account settings
+
+### Security Notes
+
+- Device tokens are cryptographically secure (64-byte random tokens)
+- Tokens automatically expire after the configured duration
+- Last used timestamp is tracked for auditing
+- IP address and user agent are stored for security monitoring
+- Devices can be manually revoked by users
+
 ## 🎨 Customization
 
 ### Custom Login Redirect
@@ -266,19 +384,22 @@ Add `vercel.json`:
 ### Production Checklist
 
 - [ ] Set `IS_DEPLOYED=true`
-- [ ] Use a strong `SESSION_SECRET_KEY`
+- [ ] Use a strong `SESSION_SECRET_KEY` and `Main_SECRET_TOKEN`
 - [ ] Enable HTTPS
 - [ ] Set correct `DOMAIN`
 - [ ] Enable 2FA for sensitive applications
-- [ ] Use environment variables for secrets
+- [ ] Configure `DEVICE_TRUST_DURATION_DAYS` appropriately
+- [ ] Set up GitHub OAuth if using GitHub login
+- [ ] Use environment variables for all secrets
 - [ ] Set appropriate `COOKIE_EXPIRE_TIME`
-- [ ] Configure PostgreSQL with proper security
+- [ ] Configure PostgreSQL with proper security and indexes
 - [ ] Enable password hashing with bcrypt
+- [ ] Regularly audit and clean up expired trusted devices
 
 ## 📚 Documentation
 
 - [API Documentation](docs/api.md) - Complete API reference and examples
-- [Environment Configuration Guide](env.md) - Environment variables and setup
+- [Environment Configuration Guide](docs/env.md) - Environment variables and setup
 - [Database Structure](docs/db.md) - Database schemas and tables
 
 ## 🔄 Version Check
@@ -302,7 +423,7 @@ This project is licensed under the Mozilla Public License 2.0 - see the [LICENSE
 ## 👨‍💻 Author
 
 **Muhammad Bin Khalid**  
-Email: [support@mbktechstudio.com](support@mbktechstudio.com) or [chmuhammadbinkhalid28@gmail.com](mailto:chmuhammadbinkhalid28@gmail.com)
+Email: [support@mbktech.org](support@mbktech.org) or [chmuhammadbinkhalid28@gmail.com](mailto:chmuhammadbinkhalid28@gmail.com)
 GitHub: [@MIbnEKhalid](https://github.com/MIbnEKhalid)
 
 ## 🐛 Issues & Support

package/docs/api.md

@@ -364,6 +364,53 @@ Serves the client-side JavaScript file containing helper functions for authentic
 - Forces page reload
 
 
+---
+
+#### `GET /icon.svg`
+
+Serves the application's SVG icon file.
+
+**Response:** SVG image file (Content-Type: image/svg+xml)
+
+**Cache:** Cached for 1 year (max-age=31536000)
+
+**Usage:**
+```html
+<img src="/icon.svg" alt="App Icon">
+```
+
+---
+
+#### `GET /favicon.ico`
+
+Serves the application's favicon.
+
+**Aliases:** `/icon.ico`
+
+**Response:** ICO image file (Content-Type: image/x-icon)
+
+**Cache:** Cached for 1 year (max-age=31536000)
+
+**Usage:**
+```html
+<link rel="icon" type="image/x-icon" href="/favicon.ico">
+```
+
+---
+
+#### `GET /mbkauthe/bg.webp`
+
+Serves the background image for authentication pages.
+
+**Response:** WEBP image file (Content-Type: image/webp)
+
+**Cache:** Cached for 1 year (max-age=31536000)
+
+**Usage:**
+```css
+background-image: url('/mbkauthe/bg.webp');
+```
+
 ---
 
 #### `GET /mbkauthe/test`
@@ -896,7 +943,7 @@ Rate limits are applied per IP address.
 For issues, questions, or contributions:
 
 - **GitHub Issues:** [https://github.com/MIbnEKhalid/mbkauthe/issues](https://github.com/MIbnEKhalid/mbkauthe/issues)
-- **Email:** support@mbktechstudio.com
+- **Email:** support@mbktech.org
 - **Documentation:** [https://github.com/MIbnEKhalid/mbkauthe](https://github.com/MIbnEKhalid/mbkauthe)
 
 ---

package/docs/db.md

@@ -33,6 +33,10 @@ CREATE TABLE user_github (
     created_at TimeStamp WITH TIME ZONE DEFAULT NOW(),
     updated_at TimeStamp WITH TIME ZONE DEFAULT NOW()
 );
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_user_github_github_id ON user_github (github_id);
+CREATE INDEX IF NOT EXISTS idx_user_github_user_name ON user_github (user_name);
 ```
 
 ## How It Works
@@ -155,19 +159,18 @@ CREATE TABLE "Users" (
     "HaveMailAccount" BOOLEAN DEFAULT FALSE,
     "AllowedApps" JSONB DEFAULT '["mbkauthe", "portal"]',
     "SessionId" VARCHAR(213),
-    "IsOnline" BOOLEAN DEFAULT FALSE,
     "created_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
     "updated_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
     "last_login" TIMESTAMP WITH TIME ZONE
 );
 
--- Add indexes for Users table
-CREATE INDEX IF NOT EXISTS idx_users_session_id ON "Users" ("SessionId")
-CREATE INDEX idx_users_username ON "Users" USING BTREE ("UserName");
-CREATE INDEX idx_users_role ON "Users" USING BTREE ("Role");
-CREATE INDEX idx_users_active ON "Users" USING BTREE ("Active");
-CREATE INDEX idx_users_isonline ON "Users" USING BTREE ("IsOnline");
-CREATE INDEX idx_users_last_login ON "Users" USING BTREE (last_login);
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_users_sessionid ON "Users" (LOWER("SessionId"));
+CREATE INDEX IF NOT EXISTS idx_users_username ON "Users" ("UserName");
+CREATE INDEX IF NOT EXISTS idx_users_active ON "Users" ("Active");
+CREATE INDEX IF NOT EXISTS idx_users_role ON "Users" ("Role");
+CREATE INDEX IF NOT EXISTS idx_users_last_login ON "Users" (last_login);
+CREATE INDEX IF NOT EXISTS idx_users_id_sessionid_active_role ON "Users" ("id", LOWER("SessionId"), "Active", "Role");
 ```
 
 ### Session Table
@@ -184,14 +187,13 @@ CREATE TABLE "session" (
     sid VARCHAR(33) PRIMARY KEY NOT NULL,
     sess JSONB NOT NULL,
     expire TimeStamp WITH TIME ZONE Not Null,
-    "UserName" VARCHAR(50) REFERENCES "Users"("UserName"),
     last_activity TimeStamp WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
 );
 
--- Add indexes for session table
-CREATE INDEX idx_session_expire ON "session" USING BTREE (expire);
-CREATE INDEX idx_session_username ON "session" USING BTREE ("UserName");
-CREATE INDEX idx_session_last_activity ON "session" USING BTREE (last_activity);
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_session_expire ON "session" ("expire");
+CREATE INDEX IF NOT EXISTS idx_session_last_activity ON "session" (last_activity);
+CREATE INDEX IF NOT EXISTS idx_session_user_id ON "session" ((sess->'user'->>'id'));
 ```
 
 ### Two-Factor Authentication Table
@@ -208,9 +210,45 @@ CREATE TABLE "TwoFA" (
     "UserName" VARCHAR(50) primary key REFERENCES "Users"("UserName"),
     "TwoFAStatus" boolean NOT NULL,
     "TwoFASecret" TEXT
-    );
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_twofa_username ON "TwoFA" ("UserName");
+CREATE INDEX IF NOT EXISTS idx_twofa_username_status ON "TwoFA" ("UserName", "TwoFAStatus");
+```
+
+### Trusted Devices Table (Remember 2FA Device)
+
+- **Columns:**
+
+  - `id` (INTEGER, auto-increment, primary key): Unique identifier for each trusted device.
+  - `UserName` (VARCHAR): The username of the device owner (foreign key to Users).
+  - `DeviceToken` (VARCHAR): Unique token identifying the trusted device.
+  - `DeviceName` (VARCHAR): Optional friendly name for the device.
+  - `UserAgent` (TEXT): Browser/client user agent string.
+  - `IpAddress` (VARCHAR): IP address when device was trusted.
+  - `CreatedAt` (TIMESTAMP): When the device was first trusted.
+  - `ExpiresAt` (TIMESTAMP): When the device trust expires.
+  - `LastUsed` (TIMESTAMP): Last time this device was used for login.
+
+- **Schema:**
+```sql
+CREATE TABLE "TrustedDevices" (
+    "id" SERIAL PRIMARY KEY,
+    "UserName" VARCHAR(50) NOT NULL REFERENCES "Users"("UserName") ON DELETE CASCADE,
+    "DeviceToken" VARCHAR(64) UNIQUE NOT NULL,
+    "DeviceName" VARCHAR(255),
+    "UserAgent" TEXT,
+    "IpAddress" VARCHAR(45),
+    "CreatedAt" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    "ExpiresAt" TIMESTAMP WITH TIME ZONE NOT NULL,
+    "LastUsed" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
+);
 
-CREATE INDEX IF NOT EXISTS idx_twofa_username ON "TwoFA" ("UserName")
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_trusted_devices_token ON "TrustedDevices"("DeviceToken");
+CREATE INDEX IF NOT EXISTS idx_trusted_devices_username ON "TrustedDevices"("UserName");
+CREATE INDEX IF NOT EXISTS idx_trusted_devices_expires ON "TrustedDevices"("ExpiresAt");
 ```
 
 ### Query to Add a User

package/{env.md → docs/env.md}

@@ -25,11 +25,22 @@ APP_NAME=mbkauthe
 
 ### Session Configuration
 ```env
+Main_SECRET_TOKEN=your-secure-token-number
 SESSION_SECRET_KEY=your-secure-random-key-here
 IS_DEPLOYED=false
 DOMAIN=localhost
 ```
 
+#### Main_SECRET_TOKEN
+**Description:** Primary authentication token for secure operations.
+
+- **Security:** Use a secure numeric or alphanumeric token
+- **Purpose:** Used for internal authentication and validation processes
+- **Format:** Numeric or string value
+- **Required:** Yes
+
+**Example:** `Main_SECRET_TOKEN=123456789`
+
 #### SESSION_SECRET_KEY
 **Description:** Cryptographic key for session security.
 
@@ -115,6 +126,37 @@ MBKAUTH_TWO_FA_ENABLE=false
 
 ---
 
+## 🔄 Redirect Configuration
+
+### Login Redirect URL
+```env
+loginRedirectURL=/mbkauthe/test
+```
+
+**Description:** Specifies the URL path where users are redirected after successful authentication.
+
+- **Purpose:** Controls post-login navigation flow
+- **Format:** URL path (relative or absolute)
+- **Default:** `/` (root path if not specified)
+- **Required:** No (optional configuration)
+
+**Examples:**
+```env
+# Redirect to dashboard
+loginRedirectURL=/dashboard
+
+# Redirect to specific app section
+loginRedirectURL=/mbkauthe/test
+
+# Redirect to home page
+loginRedirectURL=/
+
+# Redirect to external URL (if supported)
+loginRedirectURL=https://example.com/app
+```
+
+---
+
 ## 🍪 Cookie Settings
 
 ### Cookie Expiration
@@ -132,8 +174,28 @@ COOKIE_EXPIRE_TIME=2
 **Examples:**
 ```env
 COOKIE_EXPIRE_TIME=1   # 1 day (high security)
-COOKIE_EXPIRE_TIME=7   # 1 week (balanced)
-COOKIE_EXPIRE_TIME=30  # 1 month (convenience)
+COOKIE_EXPIRE_TIME=7   # 7 days (balanced)
+COOKIE_EXPIRE_TIME=30  # 30 days (convenience)
+```
+
+### Device Trust Duration
+```env
+DEVICE_TRUST_DURATION_DAYS=7
+```
+
+**Description:** Sets how long a device remains trusted after successful authentication.
+
+- **Unit:** Days
+- **Default:** `7` days
+- **Purpose:** Controls device recognition and trust persistence
+- **Range:** 1-365 days (recommended)
+- **Behavior:** Trusted devices may skip certain authentication steps (like 2FA) during this period
+
+**Examples:**
+```env
+DEVICE_TRUST_DURATION_DAYS=1   # 1 day (high security)
+DEVICE_TRUST_DURATION_DAYS=7   # 1 week (balanced)
+DEVICE_TRUST_DURATION_DAYS=30  # 30 days (convenience)
 ```
 
 ---
@@ -212,24 +274,36 @@ GITHUB_CLIENT_SECRET=your-github-client-secret
 ```env
 # .env file for local development
 APP_NAME=mbkauthe
+Main_SECRET_TOKEN=dev-token-123
 SESSION_SECRET_KEY=dev-secret-key-change-in-production
 IS_DEPLOYED=false
 DOMAIN=localhost
 LOGIN_DB=postgresql://admin:password@localhost:5432/mbkauth_dev
 MBKAUTH_TWO_FA_ENABLE=false
 COOKIE_EXPIRE_TIME=7
+DEVICE_TRUST_DURATION_DAYS=7
+loginRedirectURL=/dashboard
+GITHUB_LOGIN_ENABLED=false
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
 ```
 
 ### Production Environment
 ```env
 # .env file for production deployment
 APP_NAME=mbkauthe
+Main_SECRET_TOKEN=your-secure-production-token
 SESSION_SECRET_KEY=your-super-secure-production-key-here
 IS_DEPLOYED=true
 DOMAIN=yourdomain.com
 LOGIN_DB=postgresql://dbuser:securepass@prod-db.example.com:5432/mbkauth_prod
 MBKAUTH_TWO_FA_ENABLE=true
 COOKIE_EXPIRE_TIME=2
+DEVICE_TRUST_DURATION_DAYS=7
+loginRedirectURL=/dashboard
+GITHUB_LOGIN_ENABLED=false
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
 ```
 
 ---

package/index.js

@@ -2,36 +2,12 @@ import express from "express"; // Add this line
 import router from "./lib/main.js";
 import { getLatestVersion } from "./lib/main.js";
 import { engine } from "express-handlebars";
-import dotenv from "dotenv";
 import path from "path";
 import { fileURLToPath } from "url";
-
-dotenv.config();
+import { renderError, packageJson } from "./lib/config.js";
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
-let mbkautheVar;
-
-try {
-    mbkautheVar = JSON.parse(process.env.mbkautheVar);
-} catch (error) {
-    throw new Error("Invalid JSON in process.env.mbkautheVar");
-}
-if (!mbkautheVar) {
-    throw new Error("mbkautheVar is not defined");
-}
-const requiredKeys = ["APP_NAME", "SESSION_SECRET_KEY", "IS_DEPLOYED", "LOGIN_DB", "MBKAUTH_TWO_FA_ENABLE", "DOMAIN"];
-requiredKeys.forEach(key => {
-    if (!mbkautheVar[key]) {
-        throw new Error(`mbkautheVar.${key} is required`);
-    }
-});
-if (mbkautheVar.COOKIE_EXPIRE_TIME !== undefined) {
-    const expireTime = parseFloat(mbkautheVar.COOKIE_EXPIRE_TIME);
-    if (isNaN(expireTime) || expireTime <= 0) {
-        throw new Error("mbkautheVar.COOKIE_EXPIRE_TIME must be a valid positive number");
-    }
-}
 
 const app = express();
 if (process.env.test === "dev") {
@@ -61,12 +37,18 @@ app.set("views", [
 
 app.engine("handlebars", engine({
     defaultLayout: false,
+    cache: true,
     partialsDir: [
         path.join(__dirname, "views"),
         path.join(__dirname, "node_modules/mbkauthe/views"),
         path.join(__dirname, "node_modules/mbkauthe/views/Error"),
     ],
     helpers: {
+        concat: function (...args) {
+            // Remove the handlebars options object from args
+            args.pop();
+            return args.join('');
+        },
         eq: function (a, b) {
             return a === b;
         },
@@ -92,14 +74,12 @@ app.engine("handlebars", engine({
 
 app.set("view engine", "handlebars");
 
-import { createRequire } from "module";
-const require = createRequire(import.meta.url);
-const packageJson = require("./package.json");
 const latestVersion = await getLatestVersion();
 if (latestVersion !== packageJson.version) {
     console.warn(`[mbkauthe] Warning: The current version (${packageJson.version}) is not the latest version (${latestVersion}). Please update mbkauthe.`);
 }
 
-export { validateSession, checkRolePermission, validateSessionAndRole, authenticate, authapi } from "./lib/validateSessionAndRole.js";
+export { validateSession, checkRolePermission, validateSessionAndRole, authenticate } from "./lib/validateSessionAndRole.js";
+export { renderError } from "./lib/config.js";
 export { dblogin } from "./lib/pool.js";
 export default router;