mbkauthe 2.1.0 → 2.2.0

package/lib/main.js

@@ -14,20 +14,13 @@ import speakeasy from "speakeasy";
 import passport from 'passport';
 import GitHubStrategy from 'passport-github2';
 
-import { createRequire } from "module";
 import { fileURLToPath } from "url";
 import fs from "fs";
 import path from "path";
-
-import dotenv from "dotenv";
-dotenv.config();
-const mbkautheVar = JSON.parse(process.env.mbkautheVar);
+import { mbkautheVar, cachedCookieOptions, cachedClearCookieOptions, clearSessionCookies, renderError, packageJson, generateDeviceToken, getDeviceTokenCookieOptions, DEVICE_TRUST_DURATION_MS } from "./config.js";
 
 const router = express.Router();
 
-const require = createRequire(import.meta.url);
-const packageJson = require("../package.json");
-
 router.use(express.json());
 router.use(express.urlencoded({ extended: true }));
 router.use(cookieParser());
@@ -35,16 +28,27 @@ router.use(cookieParser());
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
 router.get('/mbkauthe/main.js', (req, res) => {
+  res.setHeader('Cache-Control', 'public, max-age=31536000');
   res.sendFile(path.join(__dirname, '..', 'public', 'main.js'));
 });
 
-router.get("/mbkauthe/bg.avif", (req, res) => {
-  const imgPath = path.join(__dirname, "..", "public", "bg.avif");
-  res.setHeader('Content-Type', 'image/avif');
+router.get('/icon.svg', (req, res) => {
+  res.setHeader('Cache-Control', 'public, max-age=31536000');
+  res.sendFile(path.join(__dirname, '..', 'public', 'icon.svg'));
+});
+
+router.get(['/favicon.ico','/icon.ico'], (req, res) => {
+  res.setHeader('Cache-Control', 'public, max-age=31536000');
+  res.sendFile(path.join(__dirname, '..', 'public', 'icon.ico'));
+});
+
+router.get("/mbkauthe/bg.webp", (req, res) => {
+  const imgPath = path.join(__dirname, "..", "public", "bg.webp");
+  res.setHeader('Content-Type', 'image/webp');
   res.setHeader('Cache-Control', 'public, max-age=31536000');
   const stream = fs.createReadStream(imgPath);
   stream.on('error', (err) => {
-    console.error('[mbkauthe] Error streaming bg.avif:', err);
+    console.error('[mbkauthe] Error streaming bg.webp:', err);
     res.status(404).send('Image not found');
   });
   stream.pipe(res);
@@ -128,14 +132,16 @@ router.use(session(sessionConfig));
 router.use(async (req, res, next) => {
   // Only restore session if not already present and sessionId cookie exists
   if (!req.session.user && req.cookies.sessionId) {
+    const sessionId = req.cookies.sessionId;
+    
+    // Early validation to avoid unnecessary processing
+    if (typeof sessionId !== 'string' || !/^[a-f0-9]{64}$/i.test(sessionId)) {
+      // Clear invalid cookie to prevent repeated attempts
+      res.clearCookie('sessionId', cachedClearCookieOptions);
+      return next();
+    }
+    
     try {
-      const sessionId = req.cookies.sessionId;
-
-      // Validate sessionId format (should be 64 hex characters) and normalize to lowercase
-      if (typeof sessionId !== 'string' || !/^[a-f0-9]{64}$/i.test(sessionId)) {
-        console.warn("[mbkauthe] Invalid sessionId format detected");
-        return next();
-      }
 
       const normalizedSessionId = sessionId.toLowerCase();
 
@@ -151,6 +157,7 @@ router.use(async (req, res, next) => {
           role: user.Role,
           Role: user.Role,
           sessionId: normalizedSessionId,
+          allowedApps: user.AllowedApps,
         };
       }
     } catch (err) {
@@ -160,23 +167,6 @@ router.use(async (req, res, next) => {
   next();
 });
 
-const getCookieOptions = () => ({
-  maxAge: mbkautheVar.COOKIE_EXPIRE_TIME * 24 * 60 * 60 * 1000,
-  domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
-  secure: mbkautheVar.IS_DEPLOYED === 'true',
-  sameSite: 'lax',
-  path: '/',
-  httpOnly: true
-});
-
-const getClearCookieOptions = () => ({
-  domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
-  secure: mbkautheVar.IS_DEPLOYED === 'true',
-  sameSite: 'lax',
-  path: '/',
-  httpOnly: true
-});
-
 router.get('/mbkauthe/test', validateSession, LoginLimit, async (req, res) => {
   if (req.session?.user) {
     return res.send(`
@@ -190,7 +180,7 @@ router.get('/mbkauthe/test', validateSession, LoginLimit, async (req, res) => {
   }
 });
 
-async function completeLoginProcess(req, res, user, redirectUrl = null) {
+async function completeLoginProcess(req, res, user, redirectUrl = null, trustDevice = false) {
   try {
     // Ensure both username formats are available for compatibility
     const username = user.username || user.UserName;
@@ -211,19 +201,21 @@ async function completeLoginProcess(req, res, user, redirectUrl = null) {
       });
     });
 
-    // Delete all old sessions for this user from session table
-    await dblogin.query({
-      name: 'login-delete-old-user-sessions',
-      text: 'DELETE FROM "session" WHERE sess::text LIKE $1',
-      values: [`%"username":"${username}"%`]
-    });
-
-    await dblogin.query({
-      name: 'login-update-session-id', text: `UPDATE "Users" SET "SessionId" = $1 WHERE "id" = $2`, values: [
-        sessionId,
-        user.id,
-      ]
-    });
+    // Run both queries in parallel for better performance
+    await Promise.all([
+      // Delete old sessions using indexed lookup on sess->'user'->>'id'
+      dblogin.query({
+        name: 'login-delete-old-user-sessions',
+        text: 'DELETE FROM "session" WHERE (sess->\'user\'->>\'id\')::int = $1',
+        values: [user.id]
+      }),
+      // Update session ID in Users table
+      dblogin.query({
+        name: 'login-update-session-id',
+        text: `UPDATE "Users" SET "SessionId" = $1 WHERE "id" = $2`,
+        values: [sessionId, user.id]
+      })
+    ]);
 
     req.session.user = {
       id: user.id,
@@ -232,6 +224,7 @@ async function completeLoginProcess(req, res, user, redirectUrl = null) {
       role: user.role || user.Role,
       Role: user.role || user.Role,
       sessionId,
+      allowedApps: user.allowedApps || user.AllowedApps,
     };
 
     if (req.session.preAuthUser) {
@@ -246,8 +239,33 @@ async function completeLoginProcess(req, res, user, redirectUrl = null) {
       // avoid writing back into the session table here to reduce DB writes;
       // the pg session store will already persist the session data.
 
-      const cookieOptions = getCookieOptions();
-      res.cookie("sessionId", sessionId, cookieOptions);
+      res.cookie("sessionId", sessionId, cachedCookieOptions);
+
+      // Handle trusted device if requested
+      if (trustDevice) {
+        try {
+          const deviceToken = generateDeviceToken();
+          const deviceName = req.headers['user-agent'] ? 
+            req.headers['user-agent'].substring(0, 255) : 'Unknown Device';
+          const userAgent = req.headers['user-agent'] || 'Unknown';
+          const ipAddress = req.ip || req.connection.remoteAddress || 'Unknown';
+          const expiresAt = new Date(Date.now() + DEVICE_TRUST_DURATION_MS);
+
+          await dblogin.query({
+            name: 'insert-trusted-device',
+            text: `INSERT INTO "TrustedDevices" ("UserName", "DeviceToken", "DeviceName", "UserAgent", "IpAddress", "ExpiresAt") 
+                   VALUES ($1, $2, $3, $4, $5, $6)`,
+            values: [username, deviceToken, deviceName, userAgent, ipAddress, expiresAt]
+          });
+
+          res.cookie("device_token", deviceToken, getDeviceTokenCookieOptions());
+          console.log(`[mbkauthe] Trusted device token created for user: ${username}`);
+        } catch (deviceErr) {
+          console.error("[mbkauthe] Error creating trusted device:", deviceErr);
+          // Continue with login even if device trust fails
+        }
+      }
+
       console.log(`[mbkauthe] User "${username}" logged in successfully`);
 
       const responsePayload = {
@@ -270,11 +288,10 @@ async function completeLoginProcess(req, res, user, redirectUrl = null) {
 
 router.use(async (req, res, next) => {
   if (req.session && req.session.user) {
-    const cookieOptions = getCookieOptions();
     // Only set cookies if they're missing or different
     if (req.cookies.sessionId !== req.session.user.sessionId) {
-      res.cookie("username", req.session.user.username, { ...cookieOptions, httpOnly: false });
-      res.cookie("sessionId", req.session.user.sessionId, cookieOptions);
+      res.cookie("username", req.session.user.username, { ...cachedCookieOptions, httpOnly: false });
+      res.cookie("sessionId", req.session.user.sessionId, cachedCookieOptions);
     }
   }
   next();
@@ -282,8 +299,11 @@ router.use(async (req, res, next) => {
 
 router.post("/mbkauthe/api/terminateAllSessions", authenticate(mbkautheVar.Main_SECRET_TOKEN), async (req, res) => {
   try {
-    await dblogin.query({ name: 'terminate-all-user-sessions', text: `UPDATE "Users" SET "SessionId" = NULL` });
-    await dblogin.query({ name: 'terminate-all-db-sessions', text: 'DELETE FROM "session"' });
+    // Run both operations in parallel for better performance
+    await Promise.all([
+      dblogin.query({ name: 'terminate-all-user-sessions', text: `UPDATE "Users" SET "SessionId" = NULL` }),
+      dblogin.query({ name: 'terminate-all-db-sessions', text: 'DELETE FROM "session"' })
+    ]);
 
     req.session.destroy((err) => {
       if (err) {
@@ -291,10 +311,7 @@ router.post("/mbkauthe/api/terminateAllSessions", authenticate(mbkautheVar.Main_
         return res.status(500).json({ success: false, message: "Failed to terminate sessions" });
       }
 
-      const cookieOptions = getClearCookieOptions();
-      res.clearCookie("mbkauthe.sid", cookieOptions);
-      res.clearCookie("sessionId", cookieOptions);
-      res.clearCookie("username", cookieOptions);
+      clearSessionCookies(res);
 
       console.log("[mbkauthe] All sessions terminated successfully");
       res.status(200).json({
@@ -345,7 +362,84 @@ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
   const trimmedUsername = username.trim();
 
   try {
-    const userQuery = `SELECT id, "UserName", "Password", "Active", "Role", "AllowedApps" FROM "Users" WHERE "UserName" = $1`;
+    // Check for trusted device token first
+    const deviceToken = req.cookies.device_token;
+    if (deviceToken && typeof deviceToken === 'string') {
+      try {
+        const deviceQuery = `
+          SELECT td."UserName", td."LastUsed", td."ExpiresAt", u."id", u."Password", u."Active", u."Role", u."AllowedApps"
+          FROM "TrustedDevices" td
+          JOIN "Users" u ON td."UserName" = u."UserName"
+          WHERE td."DeviceToken" = $1 AND td."UserName" = $2 AND td."ExpiresAt" > NOW()
+        `;
+        const deviceResult = await dblogin.query({
+          name: 'login-check-trusted-device',
+          text: deviceQuery,
+          values: [deviceToken, trimmedUsername]
+        });
+
+        if (deviceResult.rows.length > 0) {
+          const deviceUser = deviceResult.rows[0];
+
+          // Validate password even with trusted device
+          let passwordValid = false;
+          if (mbkautheVar.EncryptedPassword === "true") {
+            passwordValid = await bcrypt.compare(password, deviceUser.Password);
+          } else {
+            passwordValid = deviceUser.Password === password;
+          }
+
+          if (!passwordValid) {
+            console.log("[mbkauthe] Login failed: invalid credentials (trusted device)");
+            return res.status(401).json({ success: false, message: "Invalid credentials" });
+          }
+
+          if (!deviceUser.Active) {
+            console.log(`[mbkauthe] Inactive account for username: ${trimmedUsername}`);
+            return res.status(403).json({ success: false, message: "Account is inactive" });
+          }
+
+          if (deviceUser.Role !== "SuperAdmin") {
+            const allowedApps = deviceUser.AllowedApps;
+            if (!allowedApps || !allowedApps.some(app => app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
+              console.warn(`[mbkauthe] User \"${trimmedUsername}\" is not authorized to use the application \"${mbkautheVar.APP_NAME}\"`);
+              return res.status(403).json({ success: false, message: `You Are Not Authorized To Use The Application \"${mbkautheVar.APP_NAME}\"` });
+            }
+          }
+
+          // Update last used timestamp
+          await dblogin.query({
+            name: 'login-update-device-last-used',
+            text: 'UPDATE "TrustedDevices" SET "LastUsed" = NOW() WHERE "DeviceToken" = $1',
+            values: [deviceToken]
+          });
+
+          console.log(`[mbkauthe] Trusted device login for user: ${trimmedUsername}, skipping 2FA`);
+
+          // Skip 2FA and complete login
+          const userForSession = {
+            id: deviceUser.id,
+            username: trimmedUsername,
+            role: deviceUser.Role,
+            Role: deviceUser.Role,
+            allowedApps: deviceUser.AllowedApps,
+          };
+          return await completeLoginProcess(req, res, userForSession);
+        }
+      } catch (deviceErr) {
+        console.error("[mbkauthe] Error checking trusted device:", deviceErr);
+        // Continue with normal login flow if device check fails
+      }
+    }
+
+    // Combined query: fetch user data and 2FA status in one query
+    const userQuery = `
+      SELECT u.id, u."UserName", u."Password", u."Active", u."Role", u."AllowedApps",
+             tfa."TwoFAStatus"
+      FROM "Users" u
+      LEFT JOIN "TwoFA" tfa ON u."UserName" = tfa."UserName"
+      WHERE u."UserName" = $1
+    `;
     const userResult = await dblogin.query({ name: 'login-get-user', text: userQuery, values: [trimmedUsername] });
 
     if (userResult.rows.length === 0) {
@@ -393,21 +487,16 @@ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
       }
     }
 
-    if ((mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLocaleLowerCase() === "true") {
-      const query = `SELECT "TwoFAStatus" FROM "TwoFA" WHERE "UserName" = $1`;
-      const twoFAResult = await dblogin.query({ name: 'login-check-2fa-status', text: query, values: [trimmedUsername] });
-
-      if (twoFAResult.rows.length > 0 && twoFAResult.rows[0].TwoFAStatus) {
-        // 2FA is enabled, prompt for token on a separate page
-        req.session.preAuthUser = {
-          id: user.id,
-          username: user.UserName,
-          role: user.Role,
-          Role: user.Role,
-        };
-        console.log(`[mbkauthe] 2FA required for user: ${trimmedUsername}`);
-        return res.json({ success: true, twoFactorRequired: true });
-      }
+    if ((mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLocaleLowerCase() === "true" && user.TwoFAStatus) {
+      // 2FA is enabled, prompt for token on a separate page
+      req.session.preAuthUser = {
+        id: user.id,
+        username: user.UserName,
+        role: user.Role,
+        Role: user.Role,
+      };
+      console.log(`[mbkauthe] 2FA required for user: ${trimmedUsername}`);
+      return res.json({ success: true, twoFactorRequired: true });
     }
 
     // If 2FA is not enabled, proceed with login
@@ -416,6 +505,7 @@ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
       username: user.UserName,
       role: user.Role,
       Role: user.Role,
+      allowedApps: user.AllowedApps,
     };
     await completeLoginProcess(req, res, userForSession);
 
@@ -431,9 +521,10 @@ router.get("/mbkauthe/2fa", csrfProtection, (req, res) => {
   }
   res.render("2fa.handlebars", {
     layout: false,
-    customURL: mbkautheVar.loginRedirectURL || '/home',
+    customURL: mbkautheVar.loginRedirectURL || '/dashboard',
     csrfToken: req.csrfToken(),
     appName: mbkautheVar.APP_NAME.toLowerCase(),
+    DEVICE_TRUST_DURATION_DAYS: mbkautheVar.DEVICE_TRUST_DURATION_DAYS
   });
 });
 
@@ -442,7 +533,7 @@ router.post("/mbkauthe/api/verify-2fa", TwoFALimit, csrfProtection, async (req,
     return res.status(401).json({ success: false, message: "Not authorized. Please login first." });
   }
 
-  const { token } = req.body;
+  const { token, trustDevice } = req.body;
   const { username, id, role } = req.session.preAuthUser;
 
   // Validate 2FA token
@@ -456,8 +547,11 @@ router.post("/mbkauthe/api/verify-2fa", TwoFALimit, csrfProtection, async (req,
     return res.status(400).json({ success: false, message: "Invalid 2FA token format" });
   }
 
+  // Validate trustDevice parameter if provided
+  const shouldTrustDevice = trustDevice === true || trustDevice === 'true';
+
   try {
-    const query = `SELECT "TwoFASecret" FROM "TwoFA" WHERE "UserName" = $1`;
+    const query = `SELECT tfa."TwoFASecret", u."AllowedApps" FROM "TwoFA" tfa JOIN "Users" u ON tfa."UserName" = u."UserName" WHERE tfa."UserName" = $1`;
     const twoFAResult = await dblogin.query({ name: 'verify-2fa-secret', text: query, values: [username] });
 
     if (twoFAResult.rows.length === 0 || !twoFAResult.rows[0].TwoFASecret) {
@@ -465,6 +559,7 @@ router.post("/mbkauthe/api/verify-2fa", TwoFALimit, csrfProtection, async (req,
     }
 
     const sharedSecret = twoFAResult.rows[0].TwoFASecret;
+    const allowedApps = twoFAResult.rows[0].AllowedApps;
     const tokenValidates = speakeasy.totp.verify({
       secret: sharedSecret,
       encoding: "base32",
@@ -477,10 +572,10 @@ router.post("/mbkauthe/api/verify-2fa", TwoFALimit, csrfProtection, async (req,
       return res.status(401).json({ success: false, message: "Invalid 2FA code" });
     }
 
-    // 2FA successful, complete login
-    const userForSession = { id, username, role };
-    const redirectUrl = mbkautheVar.loginRedirectURL || '/home';
-    await completeLoginProcess(req, res, userForSession, redirectUrl);
+    // 2FA successful, complete login with optional device trust
+    const userForSession = { id, username, role, allowedApps };
+    const redirectUrl = mbkautheVar.loginRedirectURL || '/dashboard';
+    await completeLoginProcess(req, res, userForSession, redirectUrl, shouldTrustDevice);
 
   } catch (err) {
     console.error("[mbkauthe] Error during 2FA verification:", err);
@@ -493,11 +588,18 @@ router.post("/mbkauthe/api/logout", LogoutLimit, async (req, res) => {
     try {
       const { id, username } = req.session.user;
 
-      await dblogin.query({ name: 'logout-clear-session', text: `UPDATE "Users" SET "SessionId" = NULL WHERE "id" = $1`, values: [id] });
-
+      // Run both database operations in parallel
+      const operations = [
+        dblogin.query({ name: 'logout-clear-session', text: `UPDATE "Users" SET "SessionId" = NULL WHERE "id" = $1`, values: [id] })
+      ];
+      
       if (req.sessionID) {
-        await dblogin.query({ name: 'logout-delete-session', text: 'DELETE FROM "session" WHERE sid = $1', values: [req.sessionID] });
+        operations.push(
+          dblogin.query({ name: 'logout-delete-session', text: 'DELETE FROM "session" WHERE sid = $1', values: [req.sessionID] })
+        );
       }
+      
+      await Promise.all(operations);
 
       req.session.destroy((err) => {
         if (err) {
@@ -505,10 +607,7 @@ router.post("/mbkauthe/api/logout", LogoutLimit, async (req, res) => {
           return res.status(500).json({ success: false, message: "Logout failed" });
         }
 
-        const cookieOptions = getClearCookieOptions();
-        res.clearCookie("mbkauthe.sid", cookieOptions);
-        res.clearCookie("sessionId", cookieOptions);
-        res.clearCookie("username", cookieOptions);
+        clearSessionCookies(res);
 
         console.log(`[mbkauthe] User "${username}" logged out successfully`);
         res.status(200).json({ success: true, message: "Logout successful" });
@@ -526,7 +625,7 @@ router.get("/mbkauthe/login", LoginLimit, csrfProtection, (req, res) => {
   return res.render("loginmbkauthe.handlebars", {
     layout: false,
     githubLoginEnabled: mbkautheVar.GITHUB_LOGIN_ENABLED,
-    customURL: mbkautheVar.loginRedirectURL || '/home',
+    customURL: mbkautheVar.loginRedirectURL || '/dashboard',
     userLoggedIn: !!req.session?.user,
     username: req.session?.user?.username || '',
     version: packageJson.version,
@@ -677,16 +776,13 @@ router.get('/mbkauthe/api/github/login', GitHubOAuthLimit, (req, res, next) => {
     passport.authenticate('github-login')(req, res, next);
   }
   else {
-    res.status(403).render('Error/dError.handlebars', {
-      layout: false,
+    return res.status(403).send(renderError(res, {
       code: '403',
       error: 'GitHub Login Disabled',
       message: 'GitHub login is currently disabled. Please use your username and password to log in.',
       page: '/mbkauthe/login',
       pagename: 'Login',
-      version: packageJson.version,
-      app: mbkautheVar.APP_NAME
-    });
+    }).render());
   }
 });
 
@@ -704,68 +800,53 @@ router.get('/mbkauthe/api/github/login/callback',
         // Map error codes to user-friendly messages
         switch (err.code) {
           case 'GITHUB_NOT_LINKED':
-            return res.status(403).render('Error/dError.handlebars', {
-              layout: false,
+            return res.status(403).send(renderError(res, {
               code: '403',
               error: 'GitHub Account Not Linked',
               message: 'Your GitHub account is not linked to any user in our system. To link your GitHub account, a User must connect their GitHub account to mbktech account through the user settings.',
               page: '/mbkauthe/login',
-              pagename: 'Login',
-              version: packageJson.version,
-              app: mbkautheVar.APP_NAME
-            });
+              pagename: 'Login'
+            }).render());
 
           case 'ACCOUNT_INACTIVE':
-            return res.status(403).render('Error/dError.handlebars', {
-              layout: false,
+            return res.status(403).send(renderError(res, {
               code: '403',
               error: 'Account Inactive',
               message: 'Your account has been deactivated. Please contact your administrator.',
               page: '/mbkauthe/login',
-              pagename: 'Login',
-              version: packageJson.version,
-              app: mbkautheVar.APP_NAME
-            });
+              pagename: 'Login'
+            }).render());
 
           case 'NOT_AUTHORIZED':
-            return res.status(403).render('Error/dError.handlebars', {
-              layout: false,
+            return res.status(403).send(renderError(res, {
               code: '403',
               error: 'Not Authorized',
               message: `You are not authorized to access ${mbkautheVar.APP_NAME}. Please contact your administrator.`,
               page: '/mbkauthe/login',
-              pagename: 'Login',
-              version: packageJson.version,
-              app: mbkautheVar.APP_NAME
-            });
+              pagename: 'Login'
+            }).render());
 
           default:
-            return res.status(500).render('Error/dError.handlebars', {
-              layout: false,
+            return res.status(500).send(renderError(res, {
               code: '500',
               error: 'Authentication Error',
               message: 'An error occurred during GitHub authentication. Please try again.',
               page: '/mbkauthe/login',
               pagename: 'Login',
-              version: packageJson.version,
-              app: mbkautheVar.APP_NAME,
               details: process.env.NODE_ENV === 'development' ? `${err.message}\n${err.stack}` : 'Error details hidden in production'
-            });
+            }).render());
         }
       }
 
       if (!user) {
         console.error('[mbkauthe] GitHub callback: No user data received');
-        return res.status(401).render('Error/dError.handlebars', {
-          layout: false,
+        return res.status(401).send(renderError(res, {
           code: '401',
           error: 'Authentication Failed',
           message: 'GitHub authentication failed. Please try again.',
           page: '/mbkauthe/login',
-          pagename: 'Login',
-          version: packageJson.version,
-          app: mbkautheVar.APP_NAME
-        });
+          pagename: 'Login'
+        }).render());
       }
 
       // Authentication successful, attach user to request
@@ -777,8 +858,14 @@ router.get('/mbkauthe/api/github/login/callback',
     try {
       const githubUser = req.user;
 
-      // Find the actual user record with named query
-      const userQuery = `SELECT id, "UserName", "Active", "Role", "AllowedApps" FROM "Users" WHERE "UserName" = $1`;
+      // Combined query: fetch user data and 2FA status in one query
+      const userQuery = `
+        SELECT u.id, u."UserName", u."Active", u."Role", u."AllowedApps",
+               tfa."TwoFAStatus"
+        FROM "Users" u
+        LEFT JOIN "TwoFA" tfa ON u."UserName" = tfa."UserName"
+        WHERE u."UserName" = $1
+      `;
       const userResult = await dblogin.query({
         name: 'github-callback-get-user',
         text: userQuery,
@@ -787,43 +874,31 @@ router.get('/mbkauthe/api/github/login/callback',
 
       if (userResult.rows.length === 0) {
         console.error(`[mbkauthe] GitHub login: User not found: ${githubUser.username}`);
-        return res.status(404).render('Error/dError.handlebars', {
-          layout: false,
+        return res.status(404).send(renderError(res, {
           code: '404',
           error: 'User Not Found',
           message: 'Your GitHub account is linked, but the user account no longer exists in our system.',
           page: '/mbkauthe/login',
           pagename: 'Login',
-          version: packageJson.version,
-          app: mbkautheVar.APP_NAME,
           details: `GitHub username: ${githubUser.username}\nPlease contact your administrator.`
-        });
+        }).render());
       }
 
       const user = userResult.rows[0];
 
       // Check 2FA if enabled
-      if ((mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLowerCase() === "true") {
-        const twoFAQuery = `SELECT "TwoFAStatus" FROM "TwoFA" WHERE "UserName" = $1`;
-        const twoFAResult = await dblogin.query({
-          name: 'github-check-2fa-status',
-          text: twoFAQuery,
-          values: [githubUser.username]
-        });
-
-        if (twoFAResult.rows.length > 0 && twoFAResult.rows[0].TwoFAStatus) {
-          // 2FA is enabled, store pre-auth user and redirect to 2FA
-          req.session.preAuthUser = {
-            id: user.id,
-            username: user.UserName,
-            UserName: user.UserName,
-            role: user.Role,
-            Role: user.Role,
-            loginMethod: 'github'
-          };
-          console.log(`[mbkauthe] GitHub login: 2FA required for user: ${githubUser.username}`);
-          return res.redirect('/mbkauthe/2fa');
-        }
+      if ((mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLowerCase() === "true" && user.TwoFAStatus) {
+        // 2FA is enabled, store pre-auth user and redirect to 2FA
+        req.session.preAuthUser = {
+          id: user.id,
+          username: user.UserName,
+          UserName: user.UserName,
+          role: user.Role,
+          Role: user.Role,
+          loginMethod: 'github'
+        };
+        console.log(`[mbkauthe] GitHub login: 2FA required for user: ${githubUser.username}`);
+        return res.redirect('/mbkauthe/2fa');
       }
 
       // Complete login process using the shared function
@@ -832,7 +907,8 @@ router.get('/mbkauthe/api/github/login/callback',
         username: user.UserName,
         UserName: user.UserName,
         role: user.Role,
-        Role: user.Role
+        Role: user.Role,
+        allowedApps: user.AllowedApps,
       };
 
       // For OAuth redirect flow, we need to handle redirect differently
@@ -853,7 +929,7 @@ router.get('/mbkauthe/api/github/login/callback',
       res.json = function (data) {
         if (data.success && statusCode === 200) {
           // If login successful, redirect instead of sending JSON
-          const redirectUrl = oauthRedirect || mbkautheVar.loginRedirectURL || '/home';
+          const redirectUrl = oauthRedirect || mbkautheVar.loginRedirectURL || '/dashboard';
           console.log(`[mbkauthe] GitHub login: Redirecting to ${redirectUrl}`);
           // Restore original methods before redirect
           res.json = originalJson;
@@ -870,17 +946,14 @@ router.get('/mbkauthe/api/github/login/callback',
 
     } catch (err) {
       console.error('[mbkauthe] GitHub login callback error:', err);
-      return res.status(500).render('Error/dError.handlebars', {
-        layout: false,
+      return res.status(500).send(renderError(res, {
         code: '500',
         error: 'Internal Server Error',
         message: 'An error occurred during GitHub authentication. Please try again.',
         page: '/mbkauthe/login',
         pagename: 'Login',
-        version: packageJson.version,
-        app: mbkautheVar.APP_NAME,
         details: process.env.NODE_ENV === 'development' ? `${err.message}\n${err.stack}` : 'Error details hidden in production'
-      });
+      }).render());
     }
   }
 );