mbkauthe 2.3.0 → 2.5.0

package/.env.example

@@ -1,3 +1,3 @@
-mbkautheVar={"APP_NAME":"mbkauthe","Main_SECRET_TOKEN": 123,"SESSION_SECRET_KEY":"123","IS_DEPLOYED":"true","LOGIN_DB":"postgres://","MBKAUTH_TWO_FA_ENABLE":"true","COOKIE_EXPIRE_TIME":2,"DOMAIN":"mbktech.org","loginRedirectURL":"/mbkauthe/test","GITHUB_LOGIN_ENABLED":"true","GITHUB_CLIENT_ID":"","GITHUB_CLIENT_SECRET":"","DEVICE_TRUST_DURATION_DAYS":7}
+mbkautheVar={"APP_NAME":"mbkauthe","Main_SECRET_TOKEN": 123,"SESSION_SECRET_KEY":"123","IS_DEPLOYED":"true","LOGIN_DB":"postgres://","MBKAUTH_TWO_FA_ENABLE":"true","COOKIE_EXPIRE_TIME":2,"DOMAIN":"mbktech.org","loginRedirectURL":"/mbkauthe/test","GITHUB_LOGIN_ENABLED":"true","GITHUB_CLIENT_ID":"","GITHUB_CLIENT_SECRET":"","DEVICE_TRUST_DURATION_DAYS":7,"EncPass":"false"}
 
 # See docs/env.md for more details

package/README.md

@@ -6,11 +6,21 @@
 [![Publish to npm](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/publish.yml/badge.svg?branch=main)](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/publish.yml)
 [![CodeQL Advanced](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/codeql.yml/badge.svg?branch=main)](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/codeql.yml)
 
+
+<p align="center">
+  <img height="64px" src="./public/icon.svg" alt="MBK Chat Platform" />
+</p>
+
+<p align="center">
+  <img src="https://skillicons.dev/icons?i=nodejs,express,postgres" />
+  <img height="48px" src="https://handlebarsjs.com/handlebars-icon.svg" alt="Handlebars" />
+</p>
+
 **MBKAuth** is a reusable, production-ready authentication system for Node.js applications built by MBKTech.org. It provides secure session management, two-factor authentication (2FA), role-based access control, and multi-application support out of the box.
 
 ## ✨ Features
 
-- 🔐 **Secure Authentication** - Password hashing with bcrypt
+- 🔐 **Secure Authentication** - Configurable password encryption (PBKDF2) or raw password support
 - 🔑 **Session Management** - PostgreSQL-backed session storage
 - 📱 **Two-Factor Authentication (2FA)** - Optional TOTP-based 2FA with speakeasy
 - 🔄 **GitHub OAuth Integration** - Login with GitHub accounts (passport-github2)
@@ -199,9 +209,6 @@ MBKAuth automatically adds these routes to your app:
 ### CSRF Protection
 All POST routes are protected with CSRF tokens. CSRF tokens are automatically included in rendered forms.
 
-### Password Hashing
-Passwords are hashed using bcrypt with a secure salt. Set `EncryptedPassword: "true"` in `mbkautheVar` to enable.
-
 ### Secure Cookies
 - `httpOnly` flag prevents XSS attacks
 - `sameSite: 'lax'` prevents CSRF attacks

package/docs/db.md

@@ -138,13 +138,14 @@ The GitHub login feature is now fully integrated into your mbkauthe system and r
 
   - `id` (INTEGER, auto-increment, primary key): Unique identifier for each user.
   - `UserName` (TEXT): The username of the user.
-  - `Password` (TEXT): The hashed password of the user.
+  - `Password` (TEXT): The raw password of the user (used when EncPass=false).
+  - `PasswordEnc` (TEXT): The encrypted/hashed password of the user (used when EncPass=true).
   - `Role` (ENUM): The role of the user. Possible values: `SuperAdmin`, `NormalUser`, `Guest`.
   - `Active` (BOOLEAN): Indicates whether the user account is active.
   - `HaveMailAccount` (BOOLEAN)(optional): Indicates if the user has a linked mail account.
   - `SessionId` (TEXT): The session ID associated with the user.
   - `GuestRole` (JSONB): Stores additional guest-specific role information in binary JSON format.
-  - `AllowedApps`(JSONB): 
+  - `AllowedApps`(JSONB): Array of applications the user is authorized to access.
 
 - **Schema:**
 ```sql
@@ -153,7 +154,8 @@ CREATE TYPE role AS ENUM ('SuperAdmin', 'NormalUser', 'Guest');
 CREATE TABLE "Users" (
     id INTEGER PRIMARY KEY AUTOINCREMENT,
     "UserName" VARCHAR(50) NOT NULL UNIQUE,
-    "Password" VARCHAR(61) NOT NULL, -- For bcrypt hash
+    "Password" VARCHAR(61), -- For raw passwords (when EncPass=false)
+    "PasswordEnc" VARCHAR(128), -- For encrypted passwords (when EncPass=true)
     "Role" role DEFAULT 'NormalUser' NOT NULL,
     "Active" BOOLEAN DEFAULT FALSE,
     "HaveMailAccount" BOOLEAN DEFAULT FALSE,
@@ -173,6 +175,12 @@ CREATE INDEX IF NOT EXISTS idx_users_last_login ON "Users" (last_login);
 CREATE INDEX IF NOT EXISTS idx_users_id_sessionid_active_role ON "Users" ("id", LOWER("SessionId"), "Active", "Role");
 ```
 
+**Password Storage Notes:**
+- When `EncPass=false` (default): The system uses the `Password` column to store and validate raw passwords
+- When `EncPass=true` (recommended for production): The system uses the `PasswordEnc` column to store hashed passwords using PBKDF2 with the username as salt
+- Only one password column should be populated based on your EncPass configuration
+- The PasswordEnc field stores 128-character hex strings when using PBKDF2 hashing
+
 ### Session Table
 
 - **Columns:**
@@ -255,6 +263,7 @@ CREATE INDEX IF NOT EXISTS idx_trusted_devices_expires ON "TrustedDevices"("Expi
 
 To add new users to the `Users` table, use the following SQL queries:
 
+**For Raw Password Storage (EncPass=false):**
 ```sql
         INSERT INTO "Users" ("UserName", "Password", "Role", "Active", "HaveMailAccount", "SessionId", "GuestRole")
         VALUES ('support', '12345678', 'SuperAdmin', true, false, NULL, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);
@@ -263,8 +272,29 @@ To add new users to the `Users` table, use the following SQL queries:
         VALUES ('test', '12345678', 'NormalUser', true, false, NULL, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);
 ```
 
+**For Encrypted Password Storage (EncPass=true):**
+```sql
+        -- Note: You'll need to hash the password using the hashPassword function
+        -- Example with pre-hashed password (PBKDF2 with username as salt)
+        INSERT INTO "Users" ("UserName", "PasswordEnc", "Role", "Active", "HaveMailAccount", "SessionId", "GuestRole")
+        VALUES ('support', 'your_hashed_password_here', 'SuperAdmin', true, false, NULL, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);
+
+        INSERT INTO "Users" ("UserName", "PasswordEnc", "Role", "Active", "HaveMailAccount", "SessionId", "GuestRole")
+        VALUES ('test', 'your_hashed_password_here', 'NormalUser', true, false, NULL, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);
+```
+
+**Configuration Notes:**
 - Replace `support` and `test` with the desired usernames.
-- Replace `12345678` with the actual passwords.
+- For raw passwords: Replace `12345678` with the actual plain text passwords.
+- For encrypted passwords: Use the hashPassword function to generate the hash before inserting.
 - Adjust the `Role` values as needed (`SuperAdmin`, `NormalUser`, or `Guest`).
 - Modify the `Active` and `HaveMailAccount` values as required.
-- Update the `GuestRole` JSON object if specific permissions are required(this functionality is under construction).
+- Update the `GuestRole` JSON object if specific permissions are required (this functionality is under construction).
+
+**Generating Encrypted Passwords:**
+If you're using `EncPass=true`, you can generate encrypted passwords using the hashPassword function:
+```javascript
+import { hashPassword } from './lib/config.js';
+const encryptedPassword = hashPassword('12345678', 'support');
+console.log(encryptedPassword); // Use this value for PasswordEnc column
+```

package/docs/env.md

@@ -29,6 +29,7 @@ Main_SECRET_TOKEN=your-secure-token-number
 SESSION_SECRET_KEY=your-secure-random-key-here
 IS_DEPLOYED=false
 DOMAIN=localhost
+EncPass=false
 ```
 
 #### Main_SECRET_TOKEN
@@ -80,6 +81,35 @@ DOMAIN=localhost
 IS_DEPLOYED=false
 ```
 
+#### EncPass
+**Description:** Controls whether passwords are stored and validated in encrypted format.
+
+**Values:**
+- `true` - Use encrypted password validation
+  - Passwords are hashed using PBKDF2 with the username as salt
+  - Compares against `PasswordEnc` column in Users table
+- `false` - Use raw password validation (default)
+  - Passwords are stored and compared in plain text
+  - Compares against `Password` column in Users table
+
+**Default:** `false`
+
+**Security Note:** Setting `EncPass=true` is recommended for production environments as it provides better security by storing hashed passwords instead of plain text.
+
+**Examples:**
+```env
+# Production (recommended)
+EncPass=true
+
+# Development
+EncPass=false
+```
+
+**Database Implications:**
+- When `EncPass=true`: The system uses the `PasswordEnc` column
+- When `EncPass=false`: The system uses the `Password` column
+- Ensure your database schema includes the appropriate column based on your configuration
+
 ---
 
 ## 🗄️ Database Configuration
@@ -278,6 +308,7 @@ Main_SECRET_TOKEN=dev-token-123
 SESSION_SECRET_KEY=dev-secret-key-change-in-production
 IS_DEPLOYED=false
 DOMAIN=localhost
+EncPass=false
 LOGIN_DB=postgresql://admin:password@localhost:5432/mbkauth_dev
 MBKAUTH_TWO_FA_ENABLE=false
 COOKIE_EXPIRE_TIME=7
@@ -296,6 +327,7 @@ Main_SECRET_TOKEN=your-secure-production-token
 SESSION_SECRET_KEY=your-super-secure-production-key-here
 IS_DEPLOYED=true
 DOMAIN=yourdomain.com
+EncPass=true
 LOGIN_DB=postgresql://dbuser:securepass@prod-db.example.com:5432/mbkauth_prod
 MBKAUTH_TWO_FA_ENABLE=true
 COOKIE_EXPIRE_TIME=2

package/lib/config.js

@@ -56,6 +56,11 @@ function validateConfiguration() {
         errors.push("mbkautheVar.GITHUB_LOGIN_ENABLED must be either 'true' or 'false' or 'f'");
     }
 
+    // Validate EncPass value if provided
+    if (mbkautheVar.EncPass && !['true', 'false', 'f'].includes(mbkautheVar.EncPass.toLowerCase())) {
+        errors.push("mbkautheVar.EncPass must be either 'true' or 'false' or 'f'");
+    }
+
     // Validate GitHub login configuration
     if (mbkautheVar.GITHUB_LOGIN_ENABLED === "true") {
         if (!mbkautheVar.GITHUB_CLIENT_ID || mbkautheVar.GITHUB_CLIENT_ID.trim() === '') {
@@ -156,6 +161,9 @@ try {
     packageJson = require("../package.json");
 }
 
+// Parent project version
+const appVersion = require("../package.json") ?.version || "unknown";
+
 // Helper function to render error pages consistently
 const renderError = (res, { code, error, message, page, pagename, details }) => {
     res.status(code);
@@ -184,6 +192,12 @@ const clearSessionCookies = (res) => {
     res.clearCookie("device_token", cachedClearCookieOptions);
 };
 
+const hashPassword = (password, username) => {
+    const salt = username;
+    // 128 characters returned
+    return crypto.pbkdf2Sync(password, salt, 100000, 64, 'sha512').toString('hex');
+};
+
 export {
     mbkautheVar,
     getCookieOptions,
@@ -193,8 +207,10 @@ export {
     renderError,
     clearSessionCookies,
     packageJson,
+    appVersion,
     DEVICE_TRUST_DURATION_DAYS,
     DEVICE_TRUST_DURATION_MS,
     generateDeviceToken,
-    getDeviceTokenCookieOptions
-};
+    getDeviceTokenCookieOptions,
+    hashPassword
+};

package/lib/main.js

@@ -8,7 +8,6 @@ import { dblogin } from "./pool.js";
 import { authenticate, validateSession, validateSessionAndRole } from "./validateSessionAndRole.js";
 import fetch from 'node-fetch';
 import cookieParser from "cookie-parser";
-import bcrypt from 'bcrypt';
 import rateLimit from 'express-rate-limit';
 import speakeasy from "speakeasy";
 import passport from 'passport';
@@ -17,7 +16,11 @@ import GitHubStrategy from 'passport-github2';
 import { fileURLToPath } from "url";
 import fs from "fs";
 import path from "path";
-import { mbkautheVar, cachedCookieOptions, cachedClearCookieOptions, clearSessionCookies, renderError, packageJson, generateDeviceToken, getDeviceTokenCookieOptions, DEVICE_TRUST_DURATION_MS } from "./config.js";
+import {
+  mbkautheVar, cachedCookieOptions, cachedClearCookieOptions, clearSessionCookies, appVersion,
+  renderError, packageJson, generateDeviceToken, getDeviceTokenCookieOptions, DEVICE_TRUST_DURATION_MS,
+  hashPassword
+} from "./config.js";
 
 const router = express.Router();
 
@@ -37,7 +40,7 @@ router.get('/icon.svg', (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'icon.svg'));
 });
 
-router.get(['/favicon.ico','/icon.ico'], (req, res) => {
+router.get(['/favicon.ico', '/icon.ico'], (req, res) => {
   res.setHeader('Cache-Control', 'public, max-age=31536000');
   res.sendFile(path.join(__dirname, '..', 'public', 'icon.ico'));
 });
@@ -133,14 +136,14 @@ router.use(async (req, res, next) => {
   // Only restore session if not already present and sessionId cookie exists
   if (!req.session.user && req.cookies.sessionId) {
     const sessionId = req.cookies.sessionId;
-    
+
     // Early validation to avoid unnecessary processing
     if (typeof sessionId !== 'string' || !/^[a-f0-9]{64}$/i.test(sessionId)) {
       // Clear invalid cookie to prevent repeated attempts
       res.clearCookie('sessionId', cachedClearCookieOptions);
       return next();
     }
-    
+
     try {
 
       const normalizedSessionId = sessionId.toLowerCase();
@@ -170,16 +173,93 @@ router.use(async (req, res, next) => {
 router.get('/mbkauthe/test', validateSession, LoginLimit, async (req, res) => {
   if (req.session?.user) {
     return res.send(`
-      <head> <script src="/mbkauthe/main.js"></script> </head>
-      <p>if you are seeing this page than User is logged in.</p>
-      <p>id: '${req.session.user.id}', UserName: '${req.session.user.username}', Role: '${req.session.user.role}', SessionId: '${req.session.user.sessionId}'</p>
-      <button onclick="logout()">Logout</button><br>
-      <a href="/mbkauthe/info">Info Page</a><br>
-      <a href="/mbkauthe/login">Login Page</a><br>
+      <head> 
+        <script src="/mbkauthe/main.js"></script> 
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; max-width: 600px; margin: 50px auto; padding: 20px; background: #f5f5f5; }
+          .card { background: white; border-radius: 8px; padding: 25px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); margin-bottom: 20px; }
+          .success { color: #16a085; border-left: 4px solid #16a085; padding-left: 15px; }
+          .user-info { background: #ecf0f1; padding: 15px; border-radius: 4px; font-family: monospace; font-size: 14px; }
+          button { background: #e74c3c; color: white; border: none; padding: 10px 20px; border-radius: 4px; cursor: pointer; margin: 10px 5px; }
+          button:hover { background: #c0392b; }
+          a { color: #3498db; text-decoration: none; margin: 0 10px; padding: 8px 12px; border: 1px solid #3498db; border-radius: 4px; display: inline-block; }
+          a:hover { background: #3498db; color: white; }
+        </style>
+      </head>
+      <div class="card">
+        <p class="success">✅ Authentication successful! User is logged in.</p>
+        <p>Welcome, <strong>${req.session.user.username}</strong>! Your role: <strong>${req.session.user.role}</strong></p>
+        <div class="user-info">
+          User ID: ${req.session.user.id}<br>
+          Session ID: ${req.session.user.sessionId.slice(0, 5)}...
+        </div>
+        <button onclick="logout()">Logout</button>
+        <a href="/mbkauthe/info">Info Page</a>
+        <a href="/mbkauthe/login">Login Page</a>
+      </div>
       `);
   }
 });
 
+async function checkTrustedDevice(req, username) {
+  const deviceToken = req.cookies.device_token;
+
+  if (!deviceToken || typeof deviceToken !== 'string') {
+    return null;
+  }
+
+  try {
+    const deviceQuery = `
+      SELECT td."UserName", td."LastUsed", td."ExpiresAt", u."id", u."Active", u."Role", u."AllowedApps"
+      FROM "TrustedDevices" td
+      JOIN "Users" u ON td."UserName" = u."UserName"
+      WHERE td."DeviceToken" = $1 AND td."UserName" = $2 AND td."ExpiresAt" > NOW()
+    `;
+    const deviceResult = await dblogin.query({
+      name: 'check-trusted-device',
+      text: deviceQuery,
+      values: [deviceToken, username]
+    });
+
+    if (deviceResult.rows.length > 0) {
+      const deviceUser = deviceResult.rows[0];
+
+      if (!deviceUser.Active) {
+        console.log(`[mbkauthe] Trusted device check: inactive account for username: ${username}`);
+        return null;
+      }
+
+      if (deviceUser.Role !== "SuperAdmin") {
+        const allowedApps = deviceUser.AllowedApps;
+        if (!allowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
+          console.warn(`[mbkauthe] Trusted device check: User "${username}" is not authorized to use the application "${mbkautheVar.APP_NAME}"`);
+          return null;
+        }
+      }
+
+      // Update last used timestamp
+      await dblogin.query({
+        name: 'update-device-last-used',
+        text: 'UPDATE "TrustedDevices" SET "LastUsed" = NOW() WHERE "DeviceToken" = $1',
+        values: [deviceToken]
+      });
+
+      console.log(`[mbkauthe] Trusted device validated for user: ${username}`);
+      return {
+        id: deviceUser.id,
+        username: username,
+        role: deviceUser.Role,
+        Role: deviceUser.Role,
+        allowedApps: deviceUser.AllowedApps,
+      };
+    }
+  } catch (deviceErr) {
+    console.error("[mbkauthe] Error checking trusted device:", deviceErr);
+  }
+
+  return null;
+}
+
 async function completeLoginProcess(req, res, user, redirectUrl = null, trustDevice = false) {
   try {
     // Ensure both username formats are available for compatibility
@@ -209,10 +289,10 @@ async function completeLoginProcess(req, res, user, redirectUrl = null, trustDev
         text: 'DELETE FROM "session" WHERE (sess->\'user\'->>\'id\')::int = $1',
         values: [user.id]
       }),
-      // Update session ID in Users table
+      // Update session ID and last login time in Users table
       dblogin.query({
-        name: 'login-update-session-id',
-        text: `UPDATE "Users" SET "SessionId" = $1 WHERE "id" = $2`,
+        name: 'login-update-session-and-last-login',
+        text: `UPDATE "Users" SET "SessionId" = $1, "last_login" = NOW() WHERE "id" = $2`,
         values: [sessionId, user.id]
       })
     ]);
@@ -245,7 +325,7 @@ async function completeLoginProcess(req, res, user, redirectUrl = null, trustDev
       if (trustDevice) {
         try {
           const deviceToken = generateDeviceToken();
-          const deviceName = req.headers['user-agent'] ? 
+          const deviceName = req.headers['user-agent'] ?
             req.headers['user-agent'].substring(0, 255) : 'Unknown Device';
           const userAgent = req.headers['user-agent'] || 'Unknown';
           const ipAddress = req.ip || req.connection.remoteAddress || 'Unknown';
@@ -266,7 +346,7 @@ async function completeLoginProcess(req, res, user, redirectUrl = null, trustDev
         }
       }
 
-      console.log(`[mbkauthe] User "${username}" logged in successfully`);
+      console.log(`[mbkauthe] User "${username}" logged in successfully (last_login updated)`);
 
       const responsePayload = {
         success: true,
@@ -328,7 +408,7 @@ router.post("/mbkauthe/api/terminateAllSessions", authenticate(mbkautheVar.Main_
 router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
   console.log("[mbkauthe] Login request received");
 
-  const { username, password } = req.body;
+  const { username, password, redirect } = req.body;
 
   // Input validation
   if (!username || !password) {
@@ -362,79 +442,9 @@ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
   const trimmedUsername = username.trim();
 
   try {
-    // Check for trusted device token first
-    const deviceToken = req.cookies.device_token;
-    if (deviceToken && typeof deviceToken === 'string') {
-      try {
-        const deviceQuery = `
-          SELECT td."UserName", td."LastUsed", td."ExpiresAt", u."id", u."Password", u."Active", u."Role", u."AllowedApps"
-          FROM "TrustedDevices" td
-          JOIN "Users" u ON td."UserName" = u."UserName"
-          WHERE td."DeviceToken" = $1 AND td."UserName" = $2 AND td."ExpiresAt" > NOW()
-        `;
-        const deviceResult = await dblogin.query({
-          name: 'login-check-trusted-device',
-          text: deviceQuery,
-          values: [deviceToken, trimmedUsername]
-        });
-
-        if (deviceResult.rows.length > 0) {
-          const deviceUser = deviceResult.rows[0];
-
-          // Validate password even with trusted device
-          let passwordValid = false;
-          if (mbkautheVar.EncryptedPassword === "true") {
-            passwordValid = await bcrypt.compare(password, deviceUser.Password);
-          } else {
-            passwordValid = deviceUser.Password === password;
-          }
-
-          if (!passwordValid) {
-            console.log("[mbkauthe] Login failed: invalid credentials (trusted device)");
-            return res.status(401).json({ success: false, message: "Invalid credentials" });
-          }
-
-          if (!deviceUser.Active) {
-            console.log(`[mbkauthe] Inactive account for username: ${trimmedUsername}`);
-            return res.status(403).json({ success: false, message: "Account is inactive" });
-          }
-
-          if (deviceUser.Role !== "SuperAdmin") {
-            const allowedApps = deviceUser.AllowedApps;
-            if (!allowedApps || !allowedApps.some(app => app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
-              console.warn(`[mbkauthe] User \"${trimmedUsername}\" is not authorized to use the application \"${mbkautheVar.APP_NAME}\"`);
-              return res.status(403).json({ success: false, message: `You Are Not Authorized To Use The Application \"${mbkautheVar.APP_NAME}\"` });
-            }
-          }
-
-          // Update last used timestamp
-          await dblogin.query({
-            name: 'login-update-device-last-used',
-            text: 'UPDATE "TrustedDevices" SET "LastUsed" = NOW() WHERE "DeviceToken" = $1',
-            values: [deviceToken]
-          });
-
-          console.log(`[mbkauthe] Trusted device login for user: ${trimmedUsername}, skipping 2FA`);
-
-          // Skip 2FA and complete login
-          const userForSession = {
-            id: deviceUser.id,
-            username: trimmedUsername,
-            role: deviceUser.Role,
-            Role: deviceUser.Role,
-            allowedApps: deviceUser.AllowedApps,
-          };
-          return await completeLoginProcess(req, res, userForSession);
-        }
-      } catch (deviceErr) {
-        console.error("[mbkauthe] Error checking trusted device:", deviceErr);
-        // Continue with normal login flow if device check fails
-      }
-    }
-
     // Combined query: fetch user data and 2FA status in one query
     const userQuery = `
-      SELECT u.id, u."UserName", u."Password", u."Active", u."Role", u."AllowedApps",
+      SELECT u.id, u."UserName", u."Password", u."PasswordEnc", u."Active", u."Role", u."AllowedApps",
              tfa."TwoFAStatus"
       FROM "Users" u
       LEFT JOIN "TwoFA" tfa ON u."UserName" = tfa."UserName"
@@ -450,30 +460,33 @@ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
     const user = userResult.rows[0];
 
     // Validate user has password field
-    if (!user.Password) {
+    if (!user.Password && !user.PasswordEnc) {
       console.error("[mbkauthe] User account has no password set");
       return res.status(500).json({ success: false, message: "Internal Server Error" });
     }
 
-    if (mbkautheVar.EncryptedPassword === "true") {
-      try {
-        const result = await bcrypt.compare(password, user.Password);
-        if (!result) {
-          console.log("[mbkauthe] Login failed: invalid credentials");
-          return res.status(401).json({ success: false, errorCode: 603, message: "Invalid credentials" });
-        }
-        console.log("[mbkauthe] Password validated successfully");
-      } catch (err) {
-        console.error("[mbkauthe] Error comparing password:", err);
-        return res.status(500).json({ success: false, errorCode: 605, message: `Internal Server Error` });
+    // Check password based on EncPass configuration - ALWAYS validate password first
+    let passwordMatches = false;
+    console.log(`mbkautheVar.EncPass is set to: ${mbkautheVar.EncPass}`);
+    console.log(mbkautheVar.EncPass === "true" || mbkautheVar.EncPass === true);
+    if (mbkautheVar.EncPass === "true" || mbkautheVar.EncPass === true) {
+      // Use encrypted password comparison
+      if (user.PasswordEnc) {
+        const hashedInputPassword = hashPassword(password, user.UserName);
+        passwordMatches = user.PasswordEnc === hashedInputPassword;
       }
     } else {
-      if (user.Password !== password) {
-        console.log(`[mbkauthe] Login failed: invalid credentials`);
-        return res.status(401).json({ success: false, errorCode: 603, message: "Invalid credentials" });
+      // Use raw password comparison
+      if (user.Password) {
+        passwordMatches = user.Password === password;
       }
     }
 
+    if (!passwordMatches) {
+      console.log("[mbkauthe] Login failed: invalid credentials");
+      return res.status(401).json({ success: false, errorCode: 603, message: "Invalid credentials" });
+    }
+
     if (!user.Active) {
       console.log(`[mbkauthe] Inactive account for username: ${trimmedUsername}`);
       return res.status(403).json({ success: false, message: "Account is inactive" });
@@ -481,22 +494,41 @@ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
 
     if (user.Role !== "SuperAdmin") {
       const allowedApps = user.AllowedApps;
-      if (!allowedApps || !allowedApps.some(app => app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
+      if (!allowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
         console.warn(`[mbkauthe] User \"${user.UserName}\" is not authorized to use the application \"${mbkautheVar.APP_NAME}\"`);
         return res.status(403).json({ success: false, message: `You Are Not Authorized To Use The Application \"${mbkautheVar.APP_NAME}\"` });
       }
     }
 
+    // Check for trusted device AFTER password validation - trusted devices should only skip 2FA, not password
+    const trustedDeviceUser = await checkTrustedDevice(req, trimmedUsername);
+    if (trustedDeviceUser && (mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLocaleLowerCase() === "true" && user.TwoFAStatus) {
+      console.log(`[mbkauthe] Trusted device login for user: ${trimmedUsername}, skipping 2FA only`);
+
+      // Skip only 2FA, password was already validated above
+      const userForSession = {
+        id: user.id,
+        username: user.UserName,
+        role: user.Role,
+        Role: user.Role,
+        allowedApps: user.AllowedApps,
+      };
+      const requestedRedirect = typeof redirect === 'string' && redirect.startsWith('/') && !redirect.startsWith('//') ? redirect : null;
+      return await completeLoginProcess(req, res, userForSession, requestedRedirect);
+    }
+
     if ((mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLocaleLowerCase() === "true" && user.TwoFAStatus) {
       // 2FA is enabled, prompt for token on a separate page
+      const requestedRedirect = typeof redirect === 'string' && redirect.startsWith('/') && !redirect.startsWith('//') ? redirect : null;
       req.session.preAuthUser = {
         id: user.id,
         username: user.UserName,
         role: user.Role,
         Role: user.Role,
+        redirectUrl: requestedRedirect
       };
       console.log(`[mbkauthe] 2FA required for user: ${trimmedUsername}`);
-      return res.json({ success: true, twoFactorRequired: true });
+      return res.json({ success: true, twoFactorRequired: true, redirectUrl: requestedRedirect });
     }
 
     // If 2FA is not enabled, proceed with login
@@ -507,7 +539,8 @@ router.post("/mbkauthe/api/login", LoginLimit, async (req, res) => {
       Role: user.Role,
       allowedApps: user.AllowedApps,
     };
-    await completeLoginProcess(req, res, userForSession);
+    const requestedRedirect = typeof redirect === 'string' && redirect.startsWith('/') && !redirect.startsWith('//') ? redirect : null;
+    await completeLoginProcess(req, res, userForSession, requestedRedirect);
 
   } catch (err) {
     console.error("[mbkauthe] Error during login process:", err);
@@ -519,9 +552,19 @@ router.get("/mbkauthe/2fa", csrfProtection, (req, res) => {
   if (!req.session.preAuthUser) {
     return res.redirect("/mbkauthe/login");
   }
+
+  // Prefer explicit redirect from query string, else from session preAuthUser redirectUrl, else fallback value
+  let redirectFromQuery = req.query && typeof req.query.redirect === 'string' ? req.query.redirect : null;
+  let redirectToUse = redirectFromQuery || req.session.preAuthUser.redirectUrl || (mbkautheVar.loginRedirectURL || '/dashboard');
+
+  // Validate redirectToUse to prevent open redirect attacks
+  if (redirectToUse && !(typeof redirectToUse === 'string' && redirectToUse.startsWith('/') && !redirectToUse.startsWith('//'))) {
+    redirectToUse = mbkautheVar.loginRedirectURL || '/dashboard';
+  }
+
   res.render("2fa.handlebars", {
     layout: false,
-    customURL: mbkautheVar.loginRedirectURL || '/dashboard',
+    customURL: redirectToUse,
     csrfToken: req.csrfToken(),
     appName: mbkautheVar.APP_NAME.toLowerCase(),
     DEVICE_TRUST_DURATION_DAYS: mbkautheVar.DEVICE_TRUST_DURATION_DAYS
@@ -574,7 +617,14 @@ router.post("/mbkauthe/api/verify-2fa", TwoFALimit, csrfProtection, async (req,
 
     // 2FA successful, complete login with optional device trust
     const userForSession = { id, username, role, allowedApps };
-    const redirectUrl = mbkautheVar.loginRedirectURL || '/dashboard';
+    // Prefer redirect stored in preAuthUser or in query/body, fallback to configured default
+    let redirectFromSession = req.session.preAuthUser && req.session.preAuthUser.redirectUrl ? req.session.preAuthUser.redirectUrl : null;
+    if (redirectFromSession && (!(typeof redirectFromSession === 'string') || !redirectFromSession.startsWith('/') || redirectFromSession.startsWith('//'))) {
+      redirectFromSession = null;
+    }
+    const redirectUrl = redirectFromSession || mbkautheVar.loginRedirectURL || '/dashboard';
+    // Clear preAuthUser after successful login
+    if (req.session.preAuthUser) delete req.session.preAuthUser;
     await completeLoginProcess(req, res, userForSession, redirectUrl, shouldTrustDevice);
 
   } catch (err) {
@@ -592,13 +642,13 @@ router.post("/mbkauthe/api/logout", LogoutLimit, async (req, res) => {
       const operations = [
         dblogin.query({ name: 'logout-clear-session', text: `UPDATE "Users" SET "SessionId" = NULL WHERE "id" = $1`, values: [id] })
       ];
-      
+
       if (req.sessionID) {
         operations.push(
           dblogin.query({ name: 'logout-delete-session', text: 'DELETE FROM "session" WHERE sid = $1', values: [req.sessionID] })
         );
       }
-      
+
       await Promise.all(operations);
 
       req.session.destroy((err) => {
@@ -670,6 +720,7 @@ router.get(["/mbkauthe/info", "/mbkauthe/i"], LoginLimit, async (req, res) => {
       layout: false,
       mbkautheVar: mbkautheVar,
       version: packageJson.version,
+      APP_VERSION: appVersion,
       latestVersion,
       authorized: authorized,
     });
@@ -724,7 +775,7 @@ passport.use('github-login', new GitHubStrategy({
       // Check if user is authorized for this app (same logic as regular login)
       if (user.Role !== "SuperAdmin") {
         const allowedApps = user.AllowedApps;
-        if (!allowedApps || !allowedApps.some(app => app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
+        if (!allowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
           const error = new Error(`Not authorized to use ${mbkautheVar.APP_NAME}`);
           error.code = 'NOT_AUTHORIZED';
           return done(error);
@@ -886,16 +937,69 @@ router.get('/mbkauthe/api/github/login/callback',
 
       const user = userResult.rows[0];
 
+      // Check for trusted device after OAuth authentication - should only skip 2FA, not OAuth validation
+      const trustedDeviceUser = await checkTrustedDevice(req, user.UserName);
+      if (trustedDeviceUser && (mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLowerCase() === "true" && user.TwoFAStatus) {
+        console.log(`[mbkauthe] GitHub trusted device login for user: ${user.UserName}, skipping 2FA only`);
+
+        // Complete login process using the shared function
+        const userForSession = {
+          id: user.id,
+          username: user.UserName,
+          UserName: user.UserName,
+          role: user.Role,
+          Role: user.Role,
+          allowedApps: user.AllowedApps,
+        };
+
+        // For OAuth redirect flow, we need to handle redirect differently
+        // Store the redirect URL before calling completeLoginProcess
+        const oauthRedirect = req.session.oauthRedirect;
+        delete req.session.oauthRedirect;
+
+        // Custom response handler for OAuth flow - wrap the response object
+        const originalJson = res.json.bind(res);
+        const originalStatus = res.status.bind(res);
+        let statusCode = 200;
+
+        res.status = function (code) {
+          statusCode = code;
+          return originalStatus(code);
+        };
+
+        res.json = function (data) {
+          if (data.success && statusCode === 200) {
+            // If login successful, redirect instead of sending JSON
+            const redirectUrl = oauthRedirect || mbkautheVar.loginRedirectURL || '/dashboard';
+            console.log(`[mbkauthe] GitHub trusted device login: Redirecting to ${redirectUrl}`);
+            // Restore original methods before redirect
+            res.json = originalJson;
+            res.status = originalStatus;
+            return res.redirect(redirectUrl);
+          }
+          // Restore original methods for error responses
+          res.json = originalJson;
+          res.status = originalStatus;
+          return originalJson(data);
+        };
+
+        return await completeLoginProcess(req, res, userForSession);
+      }
+
       // Check 2FA if enabled
       if ((mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLowerCase() === "true" && user.TwoFAStatus) {
         // 2FA is enabled, store pre-auth user and redirect to 2FA
+        // If this was an oauth flow, use oauthRedirect set earlier
+        const oauthRedirect = req.session.oauthRedirect;
+        if (oauthRedirect) delete req.session.oauthRedirect;
         req.session.preAuthUser = {
           id: user.id,
           username: user.UserName,
           UserName: user.UserName,
           role: user.Role,
           Role: user.Role,
-          loginMethod: 'github'
+          loginMethod: 'github',
+          redirectUrl: oauthRedirect || null
         };
         console.log(`[mbkauthe] GitHub login: 2FA required for user: ${githubUser.username}`);
         return res.redirect('/mbkauthe/2fa');

package/lib/validateSessionAndRole.js

@@ -17,6 +17,20 @@ async function validateSession(req, res, next) {
   try {
     const { id, sessionId, role, allowedApps } = req.session.user;
 
+    // Defensive checks for sessionId and allowedApps
+    if (!sessionId) {
+      console.warn(`[mbkauthe] Missing sessionId for user "${req.session.user.username}"`);
+      req.session.destroy();
+      clearSessionCookies(res);
+      return renderError(res, {
+        code: 401,
+        error: "Session Expired",
+        message: "Your Session Has Expired. Please Log In Again.",
+        pagename: "Login",
+        page: `/mbkauthe/login?redirect=${encodeURIComponent(req.originalUrl)}`,
+      });
+    }
+
     // Normalize sessionId to lowercase for consistent comparison
     const normalizedSessionId = sessionId.toLowerCase();
 
@@ -24,7 +38,11 @@ async function validateSession(req, res, next) {
     const query = `SELECT "SessionId", "Active", "Role" FROM "Users" WHERE "id" = $1`;
     const result = await dblogin.query({ name: 'validate-user-session', text: query, values: [id] });
 
-    if (result.rows.length === 0 || result.rows[0].SessionId.toLowerCase() !== normalizedSessionId) {
+    const dbSessionId = result.rows.length > 0 && result.rows[0].SessionId ? String(result.rows[0].SessionId).toLowerCase() : null;
+    if (!dbSessionId || dbSessionId !== normalizedSessionId) {
+      if (result.rows.length > 0 && !result.rows[0].SessionId) {
+        console.warn(`[mbkauthe] DB sessionId is null for user "${req.session.user.username}"`);
+      }
       console.log(`[mbkauthe] Session invalidated for user "${req.session.user.username}"`);
       req.session.destroy();
       clearSessionCookies(res);
@@ -51,7 +69,9 @@ async function validateSession(req, res, next) {
     }
 
     if (role !== "SuperAdmin") {
-      if (!allowedApps || !allowedApps.some(app => app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
+      // If allowedApps is not provided or not an array, treat as no access
+      const hasAllowedApps = Array.isArray(allowedApps) && allowedApps.length > 0;
+      if (!hasAllowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
         console.warn(`[mbkauthe] User \"${req.session.user.username}\" is not authorized to use the application \"${mbkautheVar.APP_NAME}\"`);
         req.session.destroy();
         clearSessionCookies(res);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mbkauthe",
-  "version": "2.3.0",
+  "version": "2.5.0",
   "description": "MBKTech's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",
@@ -52,4 +52,4 @@
     "cross-env": "^7.0.3",
     "nodemon": "^3.1.11"
   }
-}
+}

package/views/2fa.handlebars

@@ -87,7 +87,7 @@
                 const data = await response.json();
                 if (data.success) {
                     loginButtonText.textContent = 'Success! Redirecting...';
-                    window.location.href = data.redirectUrl || '{{{ customURL }}}';
+                    window.location.href = data.redirectUrl || '{{ customURL }}';
                 } else {
                     loginButton.disabled = false;
                     loginButtonText.textContent = 'Verify';

package/views/info.handlebars

@@ -201,6 +201,10 @@
                     <div class="info-label">APP_NAME:</div>
                     <div class="info-value">{{mbkautheVar.APP_NAME}}</div>
                 </div>
+                <div class="info-row">
+                    <div class="info-label">APP_Version:</div>
+                    <div class="info-value">{{APP_VERSION}}</div>
+                </div>
                 <div class="info-row">
                     <div class="info-label">Domain:</div>
                     <div class="info-value">{{mbkautheVar.DOMAIN}}</div>

package/views/loginmbkauthe.handlebars

@@ -98,8 +98,7 @@
 
         // Info dialogs
         function usernameinfo() {
-            showMessage(`Your username is the part of your MBKTech.org email before the @ (e.g., abc.xyz@mbktech.org
- → abc.xyz). For guests or if you’ve forgotten your credentials, contact <a href="https://mbktech.org/Support">Support</a>.`, `What is my username?`);
+            showMessage(`Your username is the part of your MBKTech.org email before the @ (e.g., abc.xyz@mbktech.org → abc.xyz). For guests or if you’ve forgotten your credentials, contact <a href="https://mbktech.org/Support">Support</a>.`, `What is my username?`);
         }
 
         function tokeninfo() {
@@ -130,6 +129,8 @@
             loginButton.disabled = true;
             loginButtonText.textContent = 'Authenticating...';
 
+            // Pass redirect query param through to server so it can be used by 2FA flow
+            const pageRedirect = new URLSearchParams(window.location.search).get('redirect');
             fetch('/mbkauthe/api/login', {
                 method: 'POST',
                 headers: {
@@ -138,14 +139,17 @@
                 body: JSON.stringify({
                     username,
                     password
+                    , redirect: pageRedirect || null
                 })
             })
                 .then(response => response.json())
                 .then(data => {
                     if (data.success) {
                         if (data.twoFactorRequired) {
-                            // Redirect to 2FA page
-                            window.location.href = '/mbkauthe/2fa';
+                            // Redirect to 2FA page (= pass along redirect target)
+                            const redirectTarget = data.redirectUrl || pageRedirect;
+                            const redirectQuery = redirectTarget ? `?redirect=${encodeURIComponent(redirectTarget)}` : '';
+                            window.location.href = `/mbkauthe/2fa${redirectQuery}`;
                         } else {
                             loginButtonText.textContent = 'Success! Redirecting...';
                             sessionStorage.setItem('sessionId', data.sessionId);
@@ -240,39 +244,12 @@
 
         {{#if githubLoginEnabled }}
 
-        // GitHub login: Attempt to POST redirect to backend, fallback to direct navigation
+        // GitHub login: Navigate directly to GitHub OAuth flow
         async function startGithubLogin() {
             const urlParams = new URLSearchParams(window.location.search);
             const redirect = urlParams.get('redirect') || '{{customURL}}';
 
-            try {
-                // Try POSTing to the backend so it can establish any session state
-                const resp = await fetch('/mbkauthe/api/github/login', {
-                    method: 'POST',
-                    headers: { 'Content-Type': 'application/json' },
-                    credentials: 'include',
-                    body: JSON.stringify({ redirect })
-                });
-
-                // If backend responds with a JSON containing redirectUrl, navigate there
-                if (resp.ok) {
-                    // If server redirected directly (resp.redirected), follow the final URL
-                    if (resp.redirected) {
-                        window.location.href = resp.url;
-                        return;
-                    }
-                    const data = await resp.json().catch(() => null);
-                    if (data && data.redirectUrl) {
-                        window.location.href = data.redirectUrl;
-                        return;
-                    }
-                }
-            } catch (error) {
-                // swallow and fallback to direct navigation
-                console.warn('[mbkauthe] GitHub login POST failed, falling back to direct redirect', error);
-            }
-
-            // Fallback: navigate to the backend GET endpoint with redirect query
+            // Navigate directly to the backend GET endpoint with redirect query
             window.location.href = `/mbkauthe/api/github/login?redirect=${encodeURIComponent(redirect)}`;
         }
 

package/views/sharedStyles.handlebars

@@ -279,19 +279,18 @@
             width: 100%;
             padding: 12px 20px;
             border-radius: var(--border-radius);
-            background: #24292e;
+            background: #262b30;
             color: white;
-            font-weight: 500;
-            font-size: 0.95rem;
+            border: solid 0.13rem #262b30;
+            font-weight: 700;
+            font-size: 1rem;
             text-decoration: none;
             transition: var(--transition);
-            box-shadow: var(--box-shadow);
         }
 
         .btn-github:hover {
-            background: #3b4045;
-            box-shadow: 0 6px 15px rgba(0, 0, 0, 0.2);
-            transform: translateY(-2px);
+            background: transparent;
+            box-shadow: var(--box-shadow);
         }
 
         .btn-github i {

package/views/showmessage.handlebars

@@ -22,24 +22,15 @@
         
         document.querySelector(".showmessageWindow .error-code").href = `https://mbktech.org/ErrorCode/#${errorCode}`;
        */
-        document
-            .querySelector(".showMessageblurWindow")
-            .classList
-            .add("active");
-        document
-            .body
-            .classList
-            .add("blur-active");
+        document.querySelector(".showMessageblurWindow").classList.add("active");
+        document.body.classList.add("blur-active");
     }
     function hideMessage() {
         const blurWindow = document.querySelector(".showMessageblurWindow");
         blurWindow.classList.add("fade-out");
         setTimeout(() => {
             blurWindow.classList.remove("active", "fade-out");
-            document
-                .body
-                .classList
-                .remove("blur-active");
+            document.body.classList.remove("blur-active");
         }, 500);
     }
 </script>