mbkauthe 3.0.0 → 3.2.0

package/docs/db.md

@@ -1,7 +1,7 @@
-# GitHub Login Setup Guide
+# OAuth Login Setup Guide
 
 ## Overview
-This GitHub login feature allows users to authenticate using their GitHub account if it's already linked to their account in the system. Users must first connect their GitHub account through the regular account linking process, then they can use GitHub to log in directly.
+This OAuth login feature allows users to authenticate using their GitHub or Google account if it's already linked to their account in the system. Users must first connect their OAuth account through the regular account linking process, then they can use it to log in directly.
 
 ## Setup Instructions
 
@@ -12,6 +12,10 @@ Add these to your `.env` file:
 # GitHub OAuth App Configuration
 GITHUB_CLIENT_ID=your_github_client_id
 GITHUB_CLIENT_SECRET=your_github_client_secret
+
+# Google OAuth App Configuration
+GOOGLE_CLIENT_ID=your_google_client_id
+GOOGLE_CLIENT_SECRET=your_google_client_secret
 ```
 
 ### 2. GitHub OAuth App Setup
@@ -20,10 +24,20 @@ GITHUB_CLIENT_SECRET=your_github_client_secret
 3. Set the Authorization callback URL to: `https://yourdomain.com/mbkauthe/api/github/login/callback`
 4. Copy the Client ID and Client Secret to your `.env` file
 
-### 3. Database Schema
-Ensure your `user_github` table exists with these columns:
+### 3. Google OAuth App Setup
+1. Go to Google Cloud Console (https://console.cloud.google.com/)
+2. Create a new project or select an existing one
+3. Enable the Google+ API
+4. Go to Credentials > Create Credentials > OAuth 2.0 Client ID
+5. Set the application type to "Web application"
+6. Add authorized redirect URI: `https://yourdomain.com/mbkauthe/api/google/login/callback`
+7. Copy the Client ID and Client Secret to your `.env` file
+
+### 4. Database Schema
+Ensure your OAuth tables exist with these columns:
 
 ```sql
+-- GitHub users table
 CREATE TABLE user_github (
     id SERIAL PRIMARY KEY,
     user_name VARCHAR(50) REFERENCES "Users"("UserName"),
@@ -37,57 +51,98 @@ CREATE TABLE user_github (
 -- Add indexes for performance optimization
 CREATE INDEX IF NOT EXISTS idx_user_github_github_id ON user_github (github_id);
 CREATE INDEX IF NOT EXISTS idx_user_github_user_name ON user_github (user_name);
+
+-- Google users table
+CREATE TABLE user_google (
+    id SERIAL PRIMARY KEY,
+    user_name VARCHAR(50) REFERENCES "Users"("UserName"),
+    google_id VARCHAR(255) UNIQUE,
+    google_email VARCHAR(255),
+    access_token VARCHAR(255),
+    created_at TimeStamp WITH TIME ZONE DEFAULT NOW(),
+    updated_at TimeStamp WITH TIME ZONE DEFAULT NOW()
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_user_google_google_id ON user_google (google_id);
+CREATE INDEX IF NOT EXISTS idx_user_google_user_name ON user_google (user_name);
 ```
 
 ## How It Works
 
-### Login Flow
-1. User clicks "Login with GitHub" on the login page
-2. User is redirected to GitHub for authentication
-3. GitHub redirects back to `/mbkauthe/api/github/login/callback`
-4. System checks if the GitHub ID exists in `user_github` table
+### Login Flow (GitHub/Google)
+1. User clicks "Login with GitHub" or "Login with Google" on the login page
+2. User is redirected to the OAuth provider for authentication
+3. Provider redirects back to `/mbkauthe/api/{provider}/login/callback`
+4. System checks if the OAuth ID exists in the respective `user_{provider}` table
 5. If found and user is active/authorized:
    - If 2FA is enabled, redirect to 2FA page
    - If no 2FA, complete login and redirect to home
 6. If not found, redirect to login page with error
 
 ### Account Linking
-Users must first link their GitHub account through your existing GitHub connection system (likely in user settings) before they can use GitHub login.
+Users must first link their OAuth account through your existing connection system (likely in user settings) before they can use OAuth login.
 
 ## API Routes Added
 
-### `/mbkauthe/api/github/login`
+### GitHub Routes
+
+#### `/mbkauthe/api/github/login`
 - **Method**: GET
 - **Description**: Initiates GitHub OAuth flow
 - **Redirects to**: GitHub authorization page
 
-### `/mbkauthe/api/github/login/callback`
+#### `/mbkauthe/api/github/login/callback`
 - **Method**: GET
 - **Description**: Handles GitHub OAuth callback
 - **Parameters**: `code` (from GitHub), `state` (optional)
 - **Success**: Redirects to home page or configured redirect URL
 - **Error**: Redirects to login page with error parameter
 
+### Google Routes
+
+#### `/mbkauthe/api/google/login`
+- **Method**: GET
+- **Description**: Initiates Google OAuth flow
+- **Redirects to**: Google authorization page
+
+#### `/mbkauthe/api/google/login/callback`
+- **Method**: GET
+- **Description**: Handles Google OAuth callback
+- **Parameters**: `code` (from Google), `state` (optional)
+- **Success**: Redirects to home page or configured redirect URL
+- **Error**: Redirects to login page with error parameter
+
 ## Error Handling
 
 The system handles various error cases:
-- `github_auth_failed`: GitHub OAuth failed
-- `user_not_found`: GitHub account not linked to any user
+- `github_auth_failed` / `google_auth_failed`: OAuth authentication failed
+- `user_not_found`: OAuth account not linked to any user
+- `account_inactive`: User account is deactivated
+- `not_authorized`: User not authorized for this app
 - `session_error`: Session save failed
 - `internal_error`: General server error
 
 ## Testing
 
+### GitHub Login
 1. Create a test user in your `Users` table
 2. Link a GitHub account to that user using your existing connection system
 3. Try logging in with GitHub using the new login button
 4. Check console logs for debugging information
 
+### Google Login
+1. Create a test user in your `Users` table
+2. Link a Google account to that user using your existing connection system
+3. Try logging in with Google using the new login button
+4. Check console logs for debugging information
+
 ## Login Page Updates
 
 The login page now includes:
 - A "Continue with GitHub" button
-- A divider ("or") between regular and GitHub login
+- A "Continue with Google" button
+- A divider ("or") between regular and OAuth login
 - Proper styling that matches your existing design
 
 ## Security Notes
@@ -96,7 +151,7 @@ The login page now includes:
 - App authorization is checked (same as regular login)
 - 2FA is respected if enabled
 - Session management is handled the same way as regular login
-- GitHub access tokens are stored securely
+- OAuth access tokens are stored securely
 
 ## Troubleshooting
 

package/docs/env.md

@@ -230,16 +230,18 @@ DEVICE_TRUST_DURATION_DAYS=30  # 30 days (convenience)
 
 ---
 
-## 🐙 GitHub OAuth Authentication
+## 🔐 OAuth Authentication
 
-### GitHub Login Configuration
+### GitHub OAuth Authentication
+
+#### GitHub Login Configuration
 ```env
 GITHUB_LOGIN_ENABLED=false
 GITHUB_CLIENT_ID=your-github-client-id
 GITHUB_CLIENT_SECRET=your-github-client-secret
 ```
 
-#### GITHUB_LOGIN_ENABLED
+##### GITHUB_LOGIN_ENABLED
 **Description:** Enables or disables GitHub OAuth login functionality.
 
 **Values:**
@@ -248,7 +250,7 @@ GITHUB_CLIENT_SECRET=your-github-client-secret
 
 **Required:** Yes (if using GitHub authentication)
 
-#### GITHUB_CLIENT_ID
+##### GITHUB_CLIENT_ID
 **Description:** OAuth application client ID from GitHub.
 
 - **Purpose:** Identifies your application to GitHub's OAuth service
@@ -258,7 +260,7 @@ GITHUB_CLIENT_SECRET=your-github-client-secret
 
 **Example:** `GITHUB_CLIENT_ID=Iv1.a1b2c3d4e5f6g7h8`
 
-#### GITHUB_CLIENT_SECRET
+##### GITHUB_CLIENT_SECRET
 **Description:** OAuth application client secret from GitHub.
 
 - **Purpose:** Authenticates your application with GitHub's OAuth service
@@ -269,7 +271,7 @@ GITHUB_CLIENT_SECRET=your-github-client-secret
 
 **Example:** `GITHUB_CLIENT_SECRET=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0`
 
-### Setting Up GitHub OAuth
+#### Setting Up GitHub OAuth
 
 1. **Create GitHub OAuth App:**
    - Go to [GitHub Developer Settings](https://github.com/settings/developers)
@@ -277,7 +279,7 @@ GITHUB_CLIENT_SECRET=your-github-client-secret
    - Fill in application details:
      - **Application name:** Your app name
      - **Homepage URL:** `https://yourdomain.com` (or `http://localhost:3000` for dev)
-     - **Authorization callback URL:** `https://yourdomain.com/auth/github/callback`
+     - **Authorization callback URL:** `https://yourdomain.com/mbkauthe/api/github/login/callback`
    - Click "Register application"
 
 2. **Copy Credentials:**
@@ -291,10 +293,91 @@ GITHUB_CLIENT_SECRET=your-github-client-secret
    GITHUB_CLIENT_SECRET=your-copied-client-secret
    ```
 
-**Security Notes:**
+---
+
+### Google OAuth Authentication
+
+#### Google Login Configuration
+```env
+GOOGLE_LOGIN_ENABLED=false
+GOOGLE_CLIENT_ID=your-google-client-id
+GOOGLE_CLIENT_SECRET=your-google-client-secret
+```
+
+##### GOOGLE_LOGIN_ENABLED
+**Description:** Enables or disables Google OAuth login functionality.
+
+**Values:**
+- `true` - Enable Google login (users can authenticate via Google)
+- `false` - Disable Google login (default)
+
+**Required:** Yes (if using Google authentication)
+
+##### GOOGLE_CLIENT_ID
+**Description:** OAuth 2.0 client ID from Google Cloud Console.
+
+- **Purpose:** Identifies your application to Google's OAuth service
+- **Format:** String ending in `.apps.googleusercontent.com`
+- **Setup:** Obtain from [Google Cloud Console](https://console.cloud.google.com/)
+- **Required:** Yes (when `GOOGLE_LOGIN_ENABLED=true`)
+
+**Example:** `GOOGLE_CLIENT_ID=123456789-abc123def456.apps.googleusercontent.com`
+
+##### GOOGLE_CLIENT_SECRET
+**Description:** OAuth 2.0 client secret from Google Cloud Console.
+
+- **Purpose:** Authenticates your application with Google's OAuth service
+- **Security:** Keep this secret secure and never commit to version control
+- **Format:** Alphanumeric string provided by Google
+- **Setup:** Generated when creating OAuth credentials in Google Cloud Console
+- **Required:** Yes (when `GOOGLE_LOGIN_ENABLED=true`)
+
+**Example:** `GOOGLE_CLIENT_SECRET=GOCSPX-abc123def456ghi789jkl012mno`
+
+#### Setting Up Google OAuth
+
+1. **Create Google Cloud Project:**
+   - Go to [Google Cloud Console](https://console.cloud.google.com/)
+   - Create a new project or select an existing one
+   - Enable the Google+ API (or People API)
+
+2. **Configure OAuth Consent Screen:**
+   - Navigate to "OAuth consent screen" in the sidebar
+   - Choose "External" user type (or "Internal" for Google Workspace)
+   - Fill in required app information
+   - Add your domain to authorized domains
+   - Save and continue
+
+3. **Create OAuth Credentials:**
+   - Navigate to "Credentials" in the sidebar
+   - Click "Create Credentials" > "OAuth 2.0 Client ID"
+   - Choose "Web application" as application type
+   - Add authorized JavaScript origins:
+     - `https://yourdomain.com`
+     - `http://localhost:3000` (for development)
+   - Add authorized redirect URIs:
+     - `https://yourdomain.com/mbkauthe/api/google/login/callback`
+     - `http://localhost:3000/mbkauthe/api/google/login/callback` (for development)
+   - Click "Create"
+
+4. **Copy Credentials:**
+   - Copy the **Client ID**
+   - Copy the **Client Secret**
+
+5. **Configure Environment:**
+   ```env
+   GOOGLE_LOGIN_ENABLED=true
+   GOOGLE_CLIENT_ID=your-copied-client-id
+   GOOGLE_CLIENT_SECRET=your-copied-client-secret
+   ```
+
+### OAuth Security Notes
+
 - Use separate OAuth apps for development and production environments
 - Rotate client secrets periodically
 - Never expose client secrets in client-side code
+- Ensure callback URLs match exactly with OAuth provider configuration
+- Users must link their OAuth accounts before they can use OAuth login
 
 ---
 

package/index.d.ts

@@ -5,6 +5,44 @@
 import { Request, Response, NextFunction, Router } from 'express';
 import { Pool } from 'pg';
 
+// Global augmentations must be at the top level, outside any declare module blocks
+declare global {
+  namespace Express {
+    interface Request {
+      user?: {
+        username: string;
+        UserName: string;
+        role: 'SuperAdmin' | 'NormalUser' | 'Guest';
+        Role: 'SuperAdmin' | 'NormalUser' | 'Guest';
+      };
+      userRole?: 'SuperAdmin' | 'NormalUser' | 'Guest';
+    }
+
+    interface Session {
+      user?: {
+        id: number;
+        username: string;
+        UserName: string;
+        role: 'SuperAdmin' | 'NormalUser' | 'Guest';
+        Role: 'SuperAdmin' | 'NormalUser' | 'Guest';
+        sessionId: string;
+        allowedApps?: string[];
+      };
+      preAuthUser?: {
+        id: number;
+        username: string;
+        UserName?: string;
+        role: 'SuperAdmin' | 'NormalUser' | 'Guest';
+        Role?: 'SuperAdmin' | 'NormalUser' | 'Guest';
+        loginMethod?: 'password' | 'github' | 'google';
+        redirectUrl?: string | null;
+      };
+      oauthRedirect?: string;
+      oauthCsrfToken?: string;
+    }
+  }
+}
+
 declare module 'mbkauthe' {
   // Configuration Types
   export interface MBKAuthConfig {
@@ -20,10 +58,22 @@ declare module 'mbkauthe' {
     GITHUB_LOGIN_ENABLED?: 'true' | 'false' | 'f';
     GITHUB_CLIENT_ID?: string;
     GITHUB_CLIENT_SECRET?: string;
+    GOOGLE_LOGIN_ENABLED?: 'true' | 'false' | 'f';
+    GOOGLE_CLIENT_ID?: string;
+    GOOGLE_CLIENT_SECRET?: string;
     loginRedirectURL?: string;
     EncPass?: 'true' | 'false' | 'f';
   }
 
+  export interface OAuthConfig {
+    GITHUB_LOGIN_ENABLED?: 'true' | 'false' | 'f';
+    GITHUB_CLIENT_ID?: string;
+    GITHUB_CLIENT_SECRET?: string;
+    GOOGLE_LOGIN_ENABLED?: 'true' | 'false' | 'f';
+    GOOGLE_CLIENT_ID?: string;
+    GOOGLE_CLIENT_SECRET?: string;
+  }
+
   // User Types
   export type UserRole = 'SuperAdmin' | 'NormalUser' | 'Guest';
 
@@ -43,7 +93,7 @@ declare module 'mbkauthe' {
     UserName?: string;
     role: UserRole;
     Role?: UserRole;
-    loginMethod?: 'password' | 'github';
+    loginMethod?: 'password' | 'github' | 'google';
     redirectUrl?: string | null;
   }
 
@@ -90,24 +140,14 @@ declare module 'mbkauthe' {
     updated_at: Date;
   }
 
-  // Request Extensions
-  declare global {
-    namespace Express {
-      interface Request {
-        user?: {
-          username: string;
-          UserName: string;
-          role: UserRole;
-          Role: UserRole;
-        };
-      }
-
-      interface Session {
-        user?: SessionUser;
-        preAuthUser?: PreAuthUser;
-        oauthRedirect?: string;
-      }
-    }
+  export interface GoogleUser {
+    id: number;
+    user_name: string;
+    google_id: string;
+    google_email: string;
+    access_token: string;
+    created_at: Date;
+    updated_at: Date;
   }
 
   // API Response Types
@@ -177,8 +217,6 @@ declare module 'mbkauthe' {
 
   export function authenticate(token: string): AuthMiddleware;
 
-  export function authapi(requiredRole?: UserRole[]): AuthMiddleware;
-
   // Utility Functions
   export function renderError(
     res: Response,

package/lib/config/index.js

@@ -28,6 +28,38 @@ function validateConfiguration() {
         throw new Error(`[mbkauthe] Configuration Error:\n  - ${errors.join('\n  - ')}`);
     }
 
+    // Parse and validate oAuthVar (optional fallback for OAuth settings)
+    let oAuthVar = null;
+    try {
+        if (process.env.oAuthVar) {
+            oAuthVar = JSON.parse(process.env.oAuthVar);
+            if (oAuthVar && typeof oAuthVar !== 'object') {
+                console.warn('[mbkauthe] oAuthVar is not a valid object, ignoring it');
+                oAuthVar = null;
+            } else {
+                console.log('[mbkauthe] oAuthVar detected and parsed successfully');
+            }
+        }
+    } catch (error) {
+        console.warn('[mbkauthe] Invalid JSON in process.env.oAuthVar, ignoring it');
+        oAuthVar = null;
+    }
+
+    // Merge OAuth settings: use oAuthVar as fallback if values not in mbkautheVar
+    const oAuthKeys = [
+        'GITHUB_LOGIN_ENABLED', 'GITHUB_CLIENT_ID', 'GITHUB_CLIENT_SECRET',
+        'GOOGLE_LOGIN_ENABLED', 'GOOGLE_CLIENT_ID', 'GOOGLE_CLIENT_SECRET'
+    ];
+    
+    if (oAuthVar) {
+        oAuthKeys.forEach(key => {
+            if ((!mbkautheVar[key] || (typeof mbkautheVar[key] === 'string' && mbkautheVar[key].trim() === '')) && oAuthVar[key]) {
+                mbkautheVar[key] = oAuthVar[key];
+                console.log(`[mbkauthe] Using ${key} from oAuthVar`);
+            }
+        });
+    }
+
     // Validate required keys
     // COOKIE_EXPIRE_TIME is not required but if provided must be valid, COOKIE_EXPIRE_TIME by default is 2 days
     // loginRedirectURL is not required but if provided must be valid, loginRedirectURL by default is /dashboard
@@ -55,6 +87,11 @@ function validateConfiguration() {
         errors.push("mbkautheVar.GITHUB_LOGIN_ENABLED must be either 'true' or 'false' or 'f'");
     }
 
+    // Validate GOOGLE_LOGIN_ENABLED value
+    if (mbkautheVar.GOOGLE_LOGIN_ENABLED && !['true', 'false', 'f'].includes(mbkautheVar.GOOGLE_LOGIN_ENABLED.toLowerCase())) {
+        errors.push("mbkautheVar.GOOGLE_LOGIN_ENABLED must be either 'true' or 'false' or 'f'");
+    }
+
     // Validate EncPass value if provided
     if (mbkautheVar.EncPass && !['true', 'false', 'f'].includes(mbkautheVar.EncPass.toLowerCase())) {
         errors.push("mbkautheVar.EncPass must be either 'true' or 'false' or 'f'");
@@ -70,6 +107,16 @@ function validateConfiguration() {
         }
     }
 
+    // Validate Google login configuration
+    if (mbkautheVar.GOOGLE_LOGIN_ENABLED === "true") {
+        if (!mbkautheVar.GOOGLE_CLIENT_ID || mbkautheVar.GOOGLE_CLIENT_ID.trim() === '') {
+            errors.push("mbkautheVar.GOOGLE_CLIENT_ID is required when GOOGLE_LOGIN_ENABLED is 'true'");
+        }
+        if (!mbkautheVar.GOOGLE_CLIENT_SECRET || mbkautheVar.GOOGLE_CLIENT_SECRET.trim() === '') {
+            errors.push("mbkautheVar.GOOGLE_CLIENT_SECRET is required when GOOGLE_LOGIN_ENABLED is 'true'");
+        }
+    }
+
     // Validate COOKIE_EXPIRE_TIME if provided
     if (mbkautheVar.COOKIE_EXPIRE_TIME !== undefined) {
         const expireTime = parseFloat(mbkautheVar.COOKIE_EXPIRE_TIME);
@@ -133,4 +180,4 @@ try {
     }
 }
 
-export { packageJson, appVersion };
+export { packageJson, appVersion };

package/lib/main.js

@@ -2,7 +2,6 @@ import express from "express";
 import session from "express-session";
 import cookieParser from "cookie-parser";
 import passport from 'passport';
-import { packageJson } from "./config/index.js";
 import {
   sessionConfig,
   corsMiddleware,
@@ -12,9 +11,26 @@ import {
 import authRoutes from "./routes/auth.js";
 import oauthRoutes from "./routes/oauth.js";
 import miscRoutes from "./routes/misc.js";
+import { fileURLToPath } from "url";
+import path from "path";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
 
 const router = express.Router();
 
+// Configure Express to trust proxy headers for rate limiting in dev mode only
+// This prevents conflicts with parent project proxy settings in production
+if (process.env.test === "dev") {
+  router.use((req, res, next) => {
+    // Set trust proxy to true for the app instance if not already set
+    if (!req.app.get('trust proxy')) {
+      req.app.set('trust proxy', true);
+    }
+    next();
+  });
+}
+
 // Basic middleware
 router.use(express.json());
 router.use(express.urlencoded({ extended: true }));
@@ -48,5 +64,15 @@ router.get(["/login", "/signin"], async (req, res) => {
   return res.redirect(redirectUrl);
 });
 
+router.get('/icon.svg', (req, res) => {
+  res.setHeader('Cache-Control', 'public, max-age=31536000');
+  res.sendFile(path.join(__dirname, '..', 'public', 'icon.svg'));
+});
+
+router.get(['/favicon.ico', '/icon.ico'], (req, res) => {
+  res.setHeader('Cache-Control', 'public, max-age=31536000');
+  res.sendFile(path.join(__dirname, '..', 'public', 'icon.ico'));
+});
+
 export { getLatestVersion } from "./routes/misc.js";
 export default router;

package/lib/middleware/index.js

@@ -18,9 +18,11 @@ export const sessionConfig = {
   proxy: true,
   cookie: {
     maxAge: mbkautheVar.COOKIE_EXPIRE_TIME * 24 * 60 * 60 * 1000,
-    domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
+    // Don't set domain in development/localhost to avoid cookie issues
+    domain: (mbkautheVar.IS_DEPLOYED === 'true' && process.env.test !== 'dev') ? `.${mbkautheVar.DOMAIN}` : undefined,
     httpOnly: true,
-    secure: mbkautheVar.IS_DEPLOYED === 'true',
+    // Only use secure cookies in production with HTTPS
+    secure: mbkautheVar.IS_DEPLOYED === 'true' && process.env.test !== 'dev',
     sameSite: 'lax',
     path: '/'
   },

package/lib/routes/auth.js

@@ -22,19 +22,31 @@ const LoginLimit = rateLimit({
   message: { success: false, message: "Too many attempts, please try again later" },
   skip: (req) => {
     return !!req.session.user;
+  },
+  validate: {
+    trustProxy: false,
+    xForwardedForHeader: false
   }
 });
 
 const LogoutLimit = rateLimit({
   windowMs: 1 * 60 * 1000,
   max: 10,
-  message: { success: false, message: "Too many logout attempts, please try again later" }
+  message: { success: false, message: "Too many logout attempts, please try again later" },
+  validate: {
+    trustProxy: false,
+    xForwardedForHeader: false
+  }
 });
 
 const TwoFALimit = rateLimit({
   windowMs: 1 * 60 * 1000,
   max: 5,
-  message: { success: false, message: "Too many 2FA attempts, please try again later" }
+  message: { success: false, message: "Too many 2FA attempts, please try again later" },
+  validate: {
+    trustProxy: false,
+    xForwardedForHeader: false
+  }
 });
 
 // CSRF protection middleware
@@ -117,8 +129,17 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
     const sessionId = crypto.randomBytes(32).toString("hex");
     console.log(`[mbkauthe] Generated session ID for username: ${username}`);
 
-    // Regenerate session to prevent session fixation attacks
+    // Fix session fixation: Delete old session BEFORE regenerating to prevent timing window
     const oldSessionId = req.sessionID;
+    
+    // Delete old session first to prevent session fixation attacks
+    await dblogin.query({
+      name: 'login-delete-old-session-before-regen',
+      text: 'DELETE FROM "session" WHERE sid = $1',
+      values: [oldSessionId]
+    });
+
+    // Now regenerate with new session ID (timing window closed)
     await new Promise((resolve, reject) => {
       req.session.regenerate((err) => {
         if (err) reject(err);
@@ -509,6 +530,7 @@ router.get("/login", LoginLimit, csrfProtection, (req, res) => {
   return res.render("loginmbkauthe.handlebars", {
     layout: false,
     githubLoginEnabled: mbkautheVar.GITHUB_LOGIN_ENABLED,
+    googleLoginEnabled: mbkautheVar.GOOGLE_LOGIN_ENABLED,
     customURL: mbkautheVar.loginRedirectURL || '/dashboard',
     userLoggedIn: !!req.session?.user,
     username: req.session?.user?.username || '',