mbkauthe 2.5.0 → 3.1.0

package/lib/routes/misc.js

@@ -0,0 +1,263 @@
+import express from "express";
+import fetch from 'node-fetch';
+import rateLimit from 'express-rate-limit';
+import { mbkautheVar, packageJson, appVersion } from "../config/index.js";
+import { renderError } from "../utils/response.js";
+import { authenticate, validateSession } from "../middleware/auth.js";
+import { ErrorCodes, ErrorMessages } from "../utils/errors.js";
+import { dblogin } from "../database/pool.js";
+import { clearSessionCookies } from "../config/cookies.js";
+import { fileURLToPath } from "url";
+import path from "path";
+import fs from "fs";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+
+const router = express.Router();
+// Rate limiter for info/test routes
+const LoginLimit = rateLimit({
+  windowMs: 1 * 60 * 1000,
+  max: 8,
+  message: { success: false, message: "Too many attempts, please try again later" },
+  skip: (req) => {
+    return !!req.session.user;
+  }
+});
+
+// Static file routes
+router.get('/main.js', (req, res) => {
+  res.setHeader('Cache-Control', 'public, max-age=31536000');
+  res.sendFile(path.join(__dirname, '..', '..', 'public', 'main.js'));
+});
+
+router.get("/bg.webp", (req, res) => {
+  const imgPath = path.join(__dirname, "..", "..", "public", "bg.webp");
+  res.setHeader('Content-Type', 'image/webp');
+  res.setHeader('Cache-Control', 'public, max-age=31536000');
+  const stream = fs.createReadStream(imgPath);
+  stream.on('error', (err) => {
+    console.error('[mbkauthe] Error streaming bg.webp:', err);
+    res.status(404).send('Image not found');
+  });
+  stream.pipe(res);
+});
+
+// Test route
+router.get('/test', validateSession, LoginLimit, async (req, res) => {
+  if (req.session?.user) {
+    return res.send(`
+      <head> 
+        <script src="/mbkauthe/main.js"></script> 
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; max-width: 600px; margin: 50px auto; padding: 20px; background: #f5f5f5; }
+          .card { background: white; border-radius: 8px; padding: 25px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); margin-bottom: 20px; }
+          .success { color: #16a085; border-left: 4px solid #16a085; padding-left: 15px; }
+          .user-info { background: #ecf0f1; padding: 15px; border-radius: 4px; font-family: monospace; font-size: 14px; }
+          button { background: #e74c3c; color: white; border: none; padding: 10px 20px; border-radius: 4px; cursor: pointer; margin: 10px 5px; }
+          button:hover { background: #c0392b; }
+          a { color: #3498db; text-decoration: none; margin: 0 10px; padding: 8px 12px; border: 1px solid #3498db; border-radius: 4px; display: inline-block; }
+          a:hover { background: #3498db; color: white; }
+        </style>
+      </head>
+      <div class="card">
+        <p class="success">✅ Authentication successful! User is logged in.</p>
+        <p>Welcome, <strong>${req.session.user.username}</strong>! Your role: <strong>${req.session.user.role}</strong></p>
+        <div class="user-info">
+          User ID: ${req.session.user.id}<br>
+          Session ID: ${req.session.user.sessionId.slice(0, 5)}...
+        </div>
+        <button onclick="logout()">Logout</button>
+        <a href="/mbkauthe/info">Info Page</a>
+        <a href="/mbkauthe/login">Login Page</a>
+      </div>
+      `);
+  }
+});
+
+// Error codes page
+router.get("/ErrorCode", (req, res) => {
+  try {
+    // Helper function to get error name from ErrorCodes
+    const getErrorName = (code) => {
+      return Object.keys(ErrorCodes).find(key => ErrorCodes[key] === code) || 'UNKNOWN_ERROR';
+    };
+
+    // Dynamically organize errors by category based on code ranges
+    const errorCategories = [
+      {
+        name: 'Authentication Errors',
+        icon: '🔑',
+        range: '(600-699)',
+        category: 'authentication',
+        codes: [601, 602, 603, 604, 605]
+      },
+      {
+        name: 'Two-Factor Authentication Errors',
+        icon: '📱',
+        range: '(700-799)',
+        category: '2fa',
+        codes: [701, 702, 703, 704]
+      },
+      {
+        name: 'Session Management Errors',
+        icon: '🔄',
+        range: '(800-899)',
+        category: 'session',
+        codes: [801, 802, 803]
+      },
+      {
+        name: 'Authorization Errors',
+        icon: '🛡️',
+        range: '(900-999)',
+        category: 'authorization',
+        codes: [901, 902]
+      },
+      {
+        name: 'Input Validation Errors',
+        icon: '✏️',
+        range: '(1000-1099)',
+        category: 'validation',
+        codes: [1001, 1002, 1003, 1004]
+      },
+      {
+        name: 'Rate Limiting Errors',
+        icon: '⏱️',
+        range: '(1100-1199)',
+        category: 'ratelimit',
+        codes: [1101]
+      },
+      {
+        name: 'Server Errors',
+        icon: '⚠️',
+        range: '(1200-1299)',
+        category: 'server',
+        codes: [1201, 1202, 1203]
+      },
+      {
+        name: 'OAuth Errors',
+        icon: '🔗',
+        range: '(1300-1399)',
+        category: 'oauth',
+        codes: [1301, 1302, 1303]
+      }
+    ];
+
+    // Build error data from ErrorMessages
+    const categoriesWithErrors = errorCategories.map(category => ({
+      ...category,
+      errors: category.codes
+        .filter(code => ErrorMessages[code]) // Only include if message exists
+        .map(code => ({
+          code,
+          name: getErrorName(code),
+          ...ErrorMessages[code]
+        }))
+    })).filter(category => category.errors.length > 0); // Remove empty categories
+
+    res.render("errorCodes.handlebars", {
+      layout: false,
+      pageTitle: 'Error Codes',
+      appName: mbkautheVar.APP_NAME,
+      errorCategories: categoriesWithErrors
+    });
+  } catch (err) {
+    console.error("[mbkauthe] Error rendering error codes page:", err);
+    return renderError(res, {
+      layout: false,
+      code: 500,
+      error: "Internal Server Error",
+      message: "Could not load error codes page.",
+      pagename: "Error Codes",
+      page: "/mbkauthe/info",
+    });
+  }
+});
+
+// Fetch latest version from GitHub
+export async function getLatestVersion() {
+  try {
+    const response = await fetch('https://raw.githubusercontent.com/MIbnEKhalid/mbkauthe/main/package.json');
+    if (!response.ok) {
+      console.error(`[mbkauthe] GitHub API responded with status ${response.status}`);
+      return "0.0.0";
+    }
+    const latestPackageJson = await response.json();
+    return latestPackageJson.version;
+  } catch (error) {
+    console.error('[mbkauthe] Error fetching latest version from GitHub:', error);
+    return null;
+  }
+}
+
+// Info page
+router.get(["/info", "/i"], LoginLimit, async (req, res) => {
+  let latestVersion;
+  const parameters = req.query;
+  let authorized = false;
+
+  if (parameters.password && mbkautheVar.Main_SECRET_TOKEN) {
+    authorized = String(parameters.password) === String(mbkautheVar.Main_SECRET_TOKEN);
+  }
+
+  try {
+    latestVersion = await getLatestVersion();
+  } catch (err) {
+    console.error("[mbkauthe] Error fetching package-lock.json:", err);
+  }
+
+  try {
+    res.render("info.handlebars", {
+      layout: false,
+      mbkautheVar: mbkautheVar,
+      version: packageJson.version,
+      APP_VERSION: appVersion,
+      latestVersion,
+      authorized: authorized,
+    });
+  } catch (err) {
+    console.error("[mbkauthe] Error fetching version information:", err);
+    res.status(500).send(`
+            <html>
+                <head>
+                    <title>Error</title>
+                </head>
+                <body>
+                    <h1>Error</h1>
+                    <p>Failed to fetch version information. Please try again later.</p>
+                </body>
+            </html>
+        `);
+  }
+});
+
+// Terminate all sessions (admin endpoint)
+router.post("/api/terminateAllSessions", authenticate(mbkautheVar.Main_SECRET_TOKEN), async (req, res) => {
+  try {
+    // Run both operations in parallel for better performance
+    await Promise.all([
+      dblogin.query({ name: 'terminate-all-user-sessions', text: `UPDATE "Users" SET "SessionId" = NULL` }),
+      dblogin.query({ name: 'terminate-all-db-sessions', text: 'DELETE FROM "session"' })
+    ]);
+
+    req.session.destroy((err) => {
+      if (err) {
+        console.log("[mbkauthe] Error destroying session:", err);
+        return res.status(500).json({ success: false, message: "Failed to terminate sessions" });
+      }
+
+      clearSessionCookies(res);
+
+      console.log("[mbkauthe] All sessions terminated successfully");
+      res.status(200).json({
+        success: true,
+        message: "All sessions terminated successfully",
+      });
+    });
+  } catch (err) {
+    console.error("[mbkauthe] Database query error during session termination:", err);
+    res.status(500).json({ success: false, message: "Internal Server Error" });
+  }
+});
+
+export default router;

package/lib/routes/oauth.js

@@ -0,0 +1,325 @@
+import express from "express";
+import passport from 'passport';
+import GitHubStrategy from 'passport-github2';
+import rateLimit from 'express-rate-limit';
+import { dblogin } from "../database/pool.js";
+import { mbkautheVar } from "../config/index.js";
+import { renderError } from "../utils/response.js";
+import { checkTrustedDevice, completeLoginProcess } from "./auth.js";
+
+const router = express.Router();
+
+// Rate limiter for OAuth routes
+const GitHubOAuthLimit = rateLimit({
+  windowMs: 5 * 60 * 1000,
+  max: 10,
+  message: "Too many GitHub login attempts, please try again later"
+});
+
+// Configure GitHub Strategy for login
+passport.use('github-login', new GitHubStrategy({
+  clientID: mbkautheVar.GITHUB_CLIENT_ID,
+  clientSecret: mbkautheVar.GITHUB_CLIENT_SECRET,
+  callbackURL: '/mbkauthe/api/github/login/callback',
+  scope: ['user:email']
+},
+  async (accessToken, refreshToken, profile, done) => {
+    try {
+      // Check if this GitHub account is linked to any user
+      const githubUser = await dblogin.query({
+        name: 'github-login-get-user',
+        text: 'SELECT ug.*, u."UserName", u."Role", u."Active", u."AllowedApps", u."id" FROM user_github ug JOIN "Users" u ON ug.user_name = u."UserName" WHERE ug.github_id = $1',
+        values: [profile.id]
+      });
+
+      if (githubUser.rows.length === 0) {
+        // GitHub account is not linked to any user
+        const error = new Error('GitHub account not linked to any user');
+        error.code = 'GITHUB_NOT_LINKED';
+        return done(error);
+      }
+
+      const user = githubUser.rows[0];
+
+      // Check if the user account is active
+      if (!user.Active) {
+        const error = new Error('Account is inactive');
+        error.code = 'ACCOUNT_INACTIVE';
+        return done(error);
+      }
+
+      // Check if user is authorized for this app (same logic as regular login)
+      if (user.Role !== "SuperAdmin") {
+        const allowedApps = user.AllowedApps;
+        if (!allowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
+          const error = new Error(`Not authorized to use ${mbkautheVar.APP_NAME}`);
+          error.code = 'NOT_AUTHORIZED';
+          return done(error);
+        }
+      }
+
+      // Return user data for login
+      return done(null, {
+        id: user.id,
+        username: user.UserName,
+        role: user.Role,
+        githubId: user.github_id,
+        githubUsername: user.github_username
+      });
+    } catch (err) {
+      console.error('[mbkauthe] GitHub login error:', err);
+      err.code = err.code || 'GITHUB_AUTH_ERROR';
+      return done(err);
+    }
+  }
+));
+
+// Serialize/Deserialize user for GitHub login
+passport.serializeUser((user, done) => {
+  done(null, user);
+});
+
+passport.deserializeUser((user, done) => {
+  done(null, user);
+});
+
+// GitHub login initiation
+router.get('/api/github/login', GitHubOAuthLimit, (req, res, next) => {
+  if (mbkautheVar.GITHUB_LOGIN_ENABLED) {
+    // Store redirect parameter in session before OAuth flow (validate to prevent open redirect)
+    const redirect = req.query.redirect;
+    if (redirect && typeof redirect === 'string') {
+      // Only allow relative URLs or same-origin URLs to prevent open redirect attacks
+      if (redirect.startsWith('/') && !redirect.startsWith('//')) {
+        req.session.oauthRedirect = redirect;
+      } else {
+        console.warn(`[mbkauthe] Invalid redirect parameter rejected: ${redirect}`);
+      }
+    }
+    passport.authenticate('github-login')(req, res, next);
+  }
+  else {
+    return renderError(res, {
+      code: '403',
+      error: 'GitHub Login Disabled',
+      message: 'GitHub login is currently disabled. Please use your username and password to log in.',
+      page: '/mbkauthe/login',
+      pagename: 'Login',
+    });
+  }
+});
+
+// GitHub login callback
+router.get('/api/github/login/callback',
+  GitHubOAuthLimit,
+  (req, res, next) => {
+    passport.authenticate('github-login', {
+      session: false // We'll handle session manually
+    }, (err, user, info) => {
+      // Custom error handling for passport authentication
+      if (err) {
+        console.error('[mbkauthe] GitHub authentication error:', err);
+
+        // Map error codes to user-friendly messages
+        switch (err.code) {
+          case 'GITHUB_NOT_LINKED':
+            return renderError(res, {
+              code: '403',
+              error: 'GitHub Account Not Linked',
+              message: 'Your GitHub account is not linked to any user in our system. To link your GitHub account, a User must connect their GitHub account to mbktech account through the user settings.',
+              page: '/mbkauthe/login',
+              pagename: 'Login'
+            });
+
+          case 'ACCOUNT_INACTIVE':
+            return renderError(res, {
+              code: '403',
+              error: 'Account Inactive',
+              message: 'Your account has been deactivated. Please contact your administrator.',
+              page: '/mbkauthe/login',
+              pagename: 'Login'
+            });
+
+          case 'NOT_AUTHORIZED':
+            return renderError(res, {
+              code: '403',
+              error: 'Not Authorized',
+              message: `You are not authorized to access ${mbkautheVar.APP_NAME}. Please contact your administrator.`,
+              page: '/mbkauthe/login',
+              pagename: 'Login'
+            });
+
+          default:
+            return renderError(res, {
+              code: '500',
+              error: 'Authentication Error',
+              message: 'An error occurred during GitHub authentication. Please try again.',
+              page: '/mbkauthe/login',
+              pagename: 'Login',
+              details: process.env.NODE_ENV === 'development' ? `${err.message}\n${err.stack}` : 'Error details hidden in production'
+            });
+        }
+      }
+
+      if (!user) {
+        console.error('[mbkauthe] GitHub callback: No user data received');
+        return renderError(res, {
+          code: '401',
+          error: 'Authentication Failed',
+          message: 'GitHub authentication failed. Please try again.',
+          page: '/mbkauthe/login',
+          pagename: 'Login'
+        });
+      }
+
+      // Authentication successful, attach user to request
+      req.user = user;
+      next();
+    })(req, res, next);
+  },
+  async (req, res) => {
+    try {
+      const githubUser = req.user;
+
+      // Combined query: fetch user data and 2FA status in one query
+      const userQuery = `
+        SELECT u.id, u."UserName", u."Active", u."Role", u."AllowedApps",
+               tfa."TwoFAStatus"
+        FROM "Users" u
+        LEFT JOIN "TwoFA" tfa ON u."UserName" = tfa."UserName"
+        WHERE u."UserName" = $1
+      `;
+      const userResult = await dblogin.query({
+        name: 'github-callback-get-user',
+        text: userQuery,
+        values: [githubUser.username]
+      });
+
+      if (userResult.rows.length === 0) {
+        console.error(`[mbkauthe] GitHub login: User not found: ${githubUser.username}`);
+        return renderError(res, {
+          code: '404',
+          error: 'User Not Found',
+          message: 'Your GitHub account is linked, but the user account no longer exists in our system.',
+          page: '/mbkauthe/login',
+          pagename: 'Login',
+          details: `GitHub username: ${githubUser.username}\nPlease contact your administrator.`
+        });
+      }
+
+      const user = userResult.rows[0];
+
+      // Check for trusted device after OAuth authentication
+      const trustedDeviceUser = await checkTrustedDevice(req, user.UserName);
+      if (trustedDeviceUser && (mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLowerCase() === "true" && user.TwoFAStatus) {
+        console.log(`[mbkauthe] GitHub trusted device login for user: ${user.UserName}, skipping 2FA only`);
+
+        const userForSession = {
+          id: user.id,
+          username: user.UserName,
+          UserName: user.UserName,
+          role: user.Role,
+          Role: user.Role,
+          allowedApps: user.AllowedApps,
+        };
+
+        // For OAuth redirect flow
+        const oauthRedirect = req.session.oauthRedirect;
+        delete req.session.oauthRedirect;
+
+        // Custom response handler for OAuth flow
+        const originalJson = res.json.bind(res);
+        const originalStatus = res.status.bind(res);
+        let statusCode = 200;
+
+        res.status = function (code) {
+          statusCode = code;
+          return originalStatus(code);
+        };
+
+        res.json = function (data) {
+          if (data.success && statusCode === 200) {
+            const redirectUrl = oauthRedirect || mbkautheVar.loginRedirectURL || '/dashboard';
+            console.log(`[mbkauthe] GitHub trusted device login: Redirecting to ${redirectUrl}`);
+            res.json = originalJson;
+            res.status = originalStatus;
+            return res.redirect(redirectUrl);
+          }
+          res.json = originalJson;
+          res.status = originalStatus;
+          return originalJson(data);
+        };
+
+        return await completeLoginProcess(req, res, userForSession);
+      }
+
+      // Check 2FA if enabled
+      if ((mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLowerCase() === "true" && user.TwoFAStatus) {
+        const oauthRedirect = req.session.oauthRedirect;
+        if (oauthRedirect) delete req.session.oauthRedirect;
+        req.session.preAuthUser = {
+          id: user.id,
+          username: user.UserName,
+          UserName: user.UserName,
+          role: user.Role,
+          Role: user.Role,
+          loginMethod: 'github',
+          redirectUrl: oauthRedirect || null
+        };
+        console.log(`[mbkauthe] GitHub login: 2FA required for user: ${githubUser.username}`);
+        return res.redirect('/mbkauthe/2fa');
+      }
+
+      // Complete login process
+      const userForSession = {
+        id: user.id,
+        username: user.UserName,
+        UserName: user.UserName,
+        role: user.Role,
+        Role: user.Role,
+        allowedApps: user.AllowedApps,
+      };
+
+      const oauthRedirect = req.session.oauthRedirect;
+      delete req.session.oauthRedirect;
+
+      // Custom response handler for OAuth flow
+      const originalJson = res.json.bind(res);
+      const originalStatus = res.status.bind(res);
+      let statusCode = 200;
+
+      res.status = function (code) {
+        statusCode = code;
+        return originalStatus(code);
+      };
+
+      res.json = function (data) {
+        if (data.success && statusCode === 200) {
+          const redirectUrl = oauthRedirect || mbkautheVar.loginRedirectURL || '/dashboard';
+          console.log(`[mbkauthe] GitHub login: Redirecting to ${redirectUrl}`);
+          res.json = originalJson;
+          res.status = originalStatus;
+          return res.redirect(redirectUrl);
+        }
+        res.json = originalJson;
+        res.status = originalStatus;
+        return originalJson(data);
+      };
+
+      await completeLoginProcess(req, res, userForSession);
+
+    } catch (err) {
+      console.error('[mbkauthe] GitHub login callback error:', err);
+      return renderError(res, {
+        code: '500',
+        error: 'Internal Server Error',
+        message: 'An error occurred during GitHub authentication. Please try again.',
+        page: '/mbkauthe/login',
+        pagename: 'Login',
+        details: process.env.NODE_ENV === 'development' ? `${err.message}\n${err.stack}` : 'Error details hidden in production'
+      });
+    }
+  }
+);
+
+export default router;