mbkauthe 3.0.0 → 3.2.0

package/lib/utils/response.js

@@ -2,7 +2,7 @@ import { mbkautheVar, packageJson } from "../config/index.js";
 
 // Helper function to render error pages consistently
 export const renderError = (res, { code, error, message, page, pagename, details }) => {
-    res.status(code);
+    res.status(parseInt(code, 10));
     const renderData = {
         layout: false,
         code,
@@ -18,4 +18,4 @@ export const renderError = (res, { code, error, message, page, pagename, details
     if (details !== undefined) renderData.details = details;
 
     return res.render("Error/dError.handlebars", renderData);
-};
+};

package/package.json

@@ -1,12 +1,14 @@
 {
   "name": "mbkauthe",
-  "version": "3.0.0",
+  "version": "3.2.0",
   "description": "MBKTech's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",
   "types": "index.d.ts",
   "scripts": {
-    "dev": "cross-env test=dev nodemon index.js"
+    "dev": "cross-env test=dev nodemon index.js",
+    "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js",
+    "test:watch": "node --experimental-vm-modules node_modules/jest/bin/jest.js --watch"
   },
   "repository": {
     "type": "git",
@@ -26,12 +28,22 @@
     "url": "https://github.com/MIbnEKhalid/mbkauthe/issues"
   },
   "homepage": "https://github.com/MIbnEKhalid/mbkauthe#readme",
+  "files": [
+    "index.js",
+    "index.d.ts",
+    "LICENSE",
+    "README.md",
+    "test.spec.js",
+    "docs/",
+    "lib/",
+    "public/",
+    "views/",
+    "vercel.json"
+  ],
   "publishConfig": {
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "bcrypt": "^6.0.0",
-    "cheerio": "^1.0.0",
     "connect-pg-simple": "^10.0.0",
     "cookie-parser": "^1.4.7",
     "csurf": "^1.2.2",
@@ -40,19 +52,27 @@
     "express-handlebars": "^8.0.1",
     "express-rate-limit": "^7.5.0",
     "express-session": "^1.18.1",
-    "marked": "^15.0.11",
     "node-fetch": "^3.3.2",
     "passport": "^0.7.0",
     "passport-github2": "^0.1.12",
-    "path": "^0.12.7",
+    "passport-google-oauth20": "^2.0.0",
     "pg": "^8.14.1",
-    "speakeasy": "^2.0.0",
-    "url": "^0.11.4"
+    "speakeasy": "^2.0.0"
   },
   "devDependencies": {
     "@types/express": "^5.0.6",
-    "@types/node": "^22.19.1",
     "cross-env": "^7.0.3",
-    "nodemon": "^3.1.11"
+    "jest": "^30.2.0",
+    "nodemon": "^3.1.11",
+    "supertest": "^7.1.4"
+  },
+  "jest": {
+    "testEnvironment": "node",
+    "testMatch": [
+      "**/*.spec.js",
+      "**/*.test.js"
+    ],
+    "testTimeout": 10000,
+    "transform": {}
   }
 }

package/test.spec.js

@@ -0,0 +1,196 @@
+import request from 'supertest';
+
+const BASE_URL = "http://localhost:5555";
+
+// Helper to get CSRF token and cookies
+const getCSRFTokenAndCookies = async () => {
+  const response = await request(BASE_URL).get('/mbkauthe/login');
+  const html = response.text;
+  const csrfMatch = html.match(/name="_csrf".*?value="([^"]+)"/i) || 
+                   html.match(/content="([^"]+)".*?name="_csrf"/i);
+  
+  return {
+    csrfToken: csrfMatch?.[1] || '',
+    cookies: response.headers['set-cookie'] || []
+  };
+};
+
+describe('mbkauthe Routes', () => {
+  
+  describe('Redirect Routes', () => {
+    test('GET /login redirects to /mbkauthe/login', async () => {
+      const response = await request(BASE_URL)
+        .get('/login')
+        .redirects(0);
+      
+      expect(response.status).toBe(302);
+      expect(response.headers.location).toContain('/mbkauthe/login');
+    });
+
+    test('GET /signin redirects to /mbkauthe/login', async () => {
+      const response = await request(BASE_URL)
+        .get('/signin')
+        .redirects(0);
+      
+      expect(response.status).toBe(302);
+      expect(response.headers.location).toContain('/mbkauthe/login');
+    });
+  });
+
+  describe('Authentication Pages', () => {
+    test('GET /mbkauthe/login contains loginUsername input', async () => {
+      const response = await request(BASE_URL).get('/mbkauthe/login');
+      
+      expect(response.status).toBe(200);
+      expect(response.text).toMatch(/id\s*=\s*["']loginUsername["']/i);
+    });
+
+    test('GET /mbkauthe/2fa contains token input or redirects', async () => {
+      const response = await request(BASE_URL)
+        .get('/mbkauthe/2fa')
+        .redirects(0);
+      
+      if (response.status === 302) {
+        expect(response.headers.location).toContain('/mbkauthe/login');
+      } else {
+        expect(response.status).toBe(200);
+        expect(response.text).toMatch(/id\s*=\s*["']token["']/i);
+      }
+    });
+  });
+
+  describe('Info Pages', () => {
+    test.each([
+      ['/mbkauthe/info', 'info page'],
+      ['/mbkauthe/i', 'info short page'],
+    ])('GET %s contains CurrentVersion div', async (path, desc) => {
+      const response = await request(BASE_URL).get(path);
+      
+      expect(response.status).toBe(200);
+      expect(response.text).toMatch(/id\s*=\s*["']CurrentVersion["']/i);
+    });
+
+    test('GET /mbkauthe/ErrorCode contains error-603 div', async () => {
+      const response = await request(BASE_URL).get('/mbkauthe/ErrorCode');
+      
+      expect(response.status).toBe(200);
+      expect(response.text).toMatch(/id\s*=\s*["']error-603["']/i);
+    });
+  });
+
+  describe('Static Assets', () => {
+    test('GET /mbkauthe/main.js returns JavaScript', async () => {
+      const response = await request(BASE_URL).get('/mbkauthe/main.js');
+      
+      expect(response.status).toBe(200);
+      expect(response.headers['content-type']).toContain('javascript');
+    });
+
+    test('GET /icon.svg returns SVG content', async () => {
+      const response = await request(BASE_URL).get('/icon.svg');
+      
+      expect(response.status).toBe(200);
+      expect(response.text || response.body.toString()).toMatch(/<svg|SVG/);
+    });
+
+    test.each([
+      ['/favicon.ico', 'favicon'],
+      ['/icon.ico', 'icon'],
+    ])('GET %s returns ICO content', async (path, desc) => {
+      const response = await request(BASE_URL).get(path);
+      expect(response.status).toBe(200);
+    });
+
+    test('GET /mbkauthe/bg.webp returns WEBP content', async () => {
+      const response = await request(BASE_URL).get('/mbkauthe/bg.webp');
+      
+      expect(response.status).toBe(200);
+      expect(response.headers['content-type']).toContain('image/webp');
+    });
+  });
+
+  describe('Protected Routes', () => {
+    test('GET /mbkauthe/test responds appropriately', async () => {
+      const response = await request(BASE_URL).get('/mbkauthe/test');
+      expect([200, 302, 401, 403, 429]).toContain(response.status);
+    });
+  });
+
+  describe('OAuth Routes', () => {
+    test('GET /mbkauthe/api/github/login handles GitHub OAuth', async () => {
+      const response = await request(BASE_URL)
+        .get('/mbkauthe/api/github/login')
+        .redirects(0);
+      
+      expect([200, 302, 403, 500, 429]).toContain(response.status);
+      
+      if (response.status === 302) {
+        const location = response.headers.location;
+        expect(location).toMatch(/github\.com|login/);
+      }
+    });
+
+    test('GET /mbkauthe/api/github/login/callback handles callback', async () => {
+      const response = await request(BASE_URL).get('/mbkauthe/api/github/login/callback');
+      expect([200, 302, 400, 401, 403, 429]).toContain(response.status);
+    });
+
+    test('GET /mbkauthe/api/google/login handles Google OAuth', async () => {
+      const response = await request(BASE_URL)
+        .get('/mbkauthe/api/google/login')
+        .redirects(0);
+      
+      expect([200, 302, 403, 500, 429]).toContain(response.status);
+      
+      if (response.status === 302) {
+        const location = response.headers.location;
+        expect(location).toMatch(/accounts\.google\.com|login/);
+      }
+    });
+
+    test('GET /mbkauthe/api/google/login/callback handles callback', async () => {
+      const response = await request(BASE_URL).get('/mbkauthe/api/google/login/callback');
+      expect([200, 302, 400, 401, 403, 429]).toContain(response.status);
+    });
+  });
+
+  describe('API Endpoints', () => {
+    test('POST /mbkauthe/api/login handles login API', async () => {
+      const response = await request(BASE_URL)
+        .post('/mbkauthe/api/login')
+        .send({ username: 'test', password: 'test' });
+      
+      expect([200, 400, 401, 403, 429]).toContain(response.status);
+      expect(response.headers['content-type']).toContain('application/json');
+    });
+
+    test('POST /mbkauthe/api/verify-2fa handles 2FA API', async () => {
+      const { csrfToken, cookies } = await getCSRFTokenAndCookies();
+      
+      const response = await request(BASE_URL)
+        .post('/mbkauthe/api/verify-2fa')
+        .set('Cookie', cookies)
+        .send({ token: '123456', _csrf: csrfToken });
+      
+      expect([200, 400, 401, 403, 429]).toContain(response.status);
+      expect(response.headers['content-type']).toContain('application/json');
+    });
+
+    test('POST /mbkauthe/api/terminateAllSessions handles session termination', async () => {
+      const { csrfToken, cookies } = await getCSRFTokenAndCookies();
+      
+      const response = await request(BASE_URL)
+        .post('/mbkauthe/api/terminateAllSessions')
+        .set('Cookie', cookies)
+        .send({ _csrf: csrfToken });
+      
+      expect([200, 400, 401, 403, 429]).toContain(response.status);
+      
+      if (response.status === 401) {
+        expect(response.headers['content-type']).not.toContain('application/json');
+      } else {
+        expect(response.headers['content-type']).toContain('application/json');
+      }
+    });
+  });
+});

package/views/2fa.handlebars

@@ -40,10 +40,10 @@
 
                 <p class="terms-info">
                     By logging in, you agree to our
-                    <a href="https://portal.mbktech.org/info/Terms&Conditions" target="_blank"
+                    <a href="https://mbktech.org/PrivacyPolicy" target="_blank"
                         class="terms-link">Terms & Conditions</a>
                     and
-                    <a href="https://portal.mbktech.org/info/PrivacyPolicy" target="_blank"
+                    <a href="https://mbktech.org/PrivacyPolicy" target="_blank"
                         class="terms-link">Privacy Policy</a>.
                 </p>
             </form>

package/views/loginmbkauthe.handlebars

@@ -33,6 +33,11 @@
                     <i class="fas fa-eye input-icon" id="togglePassword"></i>
                 </div>
 
+                <div class="remember-me">
+                    <input type="checkbox" id="rememberMe" name="rememberMe">
+                    <label for="rememberMe">Remember me</label>
+                </div>
+
                 <button type="submit" class="btn-login" id="loginButton">
                     <span id="loginButtonText">Login</span>
                 </button>
@@ -48,10 +53,20 @@
                     </a>
                 </div>
                 {{/if }}
-                <div class="remember-me">
-                    <input type="checkbox" id="rememberMe" name="rememberMe">
-                    <label for="rememberMe">Remember me</label>
+                {{#if googleLoginEnabled }}
+                <div class="social-login">
+                    {{#unless githubLoginEnabled }}
+                    <div class="divider">
+                        <span>or</span>
+                    </div>
+                    {{/unless}}
+                    <!-- Use JS to initiate Google login and pass redirect param to backend -->
+                    <a type="button" id="googleLoginBtn" class="btn-github">
+                        <i class="fab fa-google"></i>
+                        <span>Continue with Google</span>
+                    </a>
                 </div>
+                {{/if }}
 
                 {{#if userLoggedIn }}
                 <div class="WarningboxInfo">
@@ -68,10 +83,10 @@
 
                 <p class="terms-info">
                     By logging in, you agree to our
-                    <a href="https://portal.mbktech.org/info/Terms&Conditions" target="_blank"
+                    <a href="https://mbktech.org/PrivacyPolicy" target="_blank"
                         class="terms-link">Terms & Conditions</a>
                     and
-                    <a href="https://portal.mbktech.org/info/PrivacyPolicy" target="_blank"
+                    <a href="https://mbktech.org/PrivacyPolicy" target="_blank"
                         class="terms-link">Privacy Policy</a>.
                 </p>
             </form>
@@ -256,6 +271,21 @@
         const githubBtn = document.getElementById('githubLoginBtn');
         if (githubBtn) githubBtn.addEventListener('click', startGithubLogin);
         {{/if }}
+
+        {{#if googleLoginEnabled }}
+
+        // Google login: Navigate directly to Google OAuth flow
+        async function startGoogleLogin() {
+            const urlParams = new URLSearchParams(window.location.search);
+            const redirect = urlParams.get('redirect') || '{{customURL}}';
+
+            // Navigate directly to the backend GET endpoint with redirect query
+            window.location.href = `/mbkauthe/api/google/login?redirect=${encodeURIComponent(redirect)}`;
+        }
+
+        const googleBtn = document.getElementById('googleLoginBtn');
+        if (googleBtn) googleBtn.addEventListener('click', startGoogleLogin);
+        {{/if }}
     </script>
 </body>
 

package/views/sharedStyles.handlebars

@@ -297,6 +297,11 @@
             font-size: 1.1rem;
         }
 
+        #googleLoginBtn i {
+            font-size: 1.1rem;
+            color: #4285f4;
+        }
+
         .login-links {
             display: flex;
             justify-content: space-between;

package/views/showmessage.handlebars

@@ -8,9 +8,35 @@
 </div>
 <script>
     // showMessage("Failed to load the page. Please try again later.", "Error", "404");
+    
+    // Sanitize HTML to prevent XSS while allowing safe HTML tags
+    function sanitizeHTML(html) {
+        const temp = document.createElement('div');
+        temp.textContent = html;
+        let sanitized = temp.innerHTML;
+        
+        // Allow only safe HTML tags (no script, iframe, object, embed, etc.)
+        const allowedTags = ['b', 'i', 'u', 'strong', 'em', 'br', 'p', 'span', 'div'];
+        const tagRegex = /<(\/)?([\w]+)([^>]*)>/gi;
+        
+        sanitized = sanitized.replace(tagRegex, (match, closing, tagName, attributes) => {
+            tagName = tagName.toLowerCase();
+            if (allowedTags.includes(tagName)) {
+                // Remove event handlers and javascript: from attributes
+                const safeAttrs = attributes.replace(/on\w+\s*=\s*["'][^"']*["']/gi, '')
+                                           .replace(/javascript:/gi, '');
+                return `<${closing || ''}${tagName}${safeAttrs}>`;
+            }
+            return ''; // Remove disallowed tags
+        });
+        
+        return sanitized;
+    }
+    
     function showMessage(message, heading, errorCode) {
         document.querySelector(".showmessageWindow h1").innerText = heading;
-        document.querySelector(".showmessageWindow p").innerHTML = message;
+        // Sanitize and set innerHTML to allow safe HTML formatting
+        document.querySelector(".showmessageWindow p").innerHTML = sanitizeHTML(message);
 
         if (errorCode) {
             document.querySelector(".showmessageWindow .error-code").style.display = "block";

package/.env.example

@@ -1,3 +0,0 @@
-mbkautheVar={"APP_NAME":"mbkauthe","Main_SECRET_TOKEN": 123,"SESSION_SECRET_KEY":"123","IS_DEPLOYED":"true","LOGIN_DB":"postgres://","MBKAUTH_TWO_FA_ENABLE":"true","COOKIE_EXPIRE_TIME":2,"DOMAIN":"mbktech.org","loginRedirectURL":"/mbkauthe/test","GITHUB_LOGIN_ENABLED":"true","GITHUB_CLIENT_ID":"","GITHUB_CLIENT_SECRET":"","DEVICE_TRUST_DURATION_DAYS":7,"EncPass":"false"}
-
-# See docs/env.md for more details

package/.github/PACKAGE.md

@@ -1,17 +0,0 @@
-# Package Information
-
-This package is published on npm: [mbkauthe](https://www.npmjs.com/package/mbkauthe)
-
-## Installation
-
-```bash
-npm install mbkauthe
-```
-
-## Version
-
-Current Version: 1.4.2
-
-## Registry
-
-Published to: npm Registry (https://registry.npmjs.org/)

package/.github/workflows/codeql.yml

@@ -1,98 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL Advanced"
-
-on:
-  push:
-    branches: [ "main" ]
-  pull_request:
-    branches: [ "main" ]
-  schedule:
-    - cron: '17 1 * * 3'
-
-jobs:
-  analyze:
-    name: Analyze (${{ matrix.language }})
-    # Runner size impacts CodeQL analysis time. To learn more, please see:
-    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
-    #   - https://gh.io/supported-runners-and-hardware-resources
-    #   - https://gh.io/using-larger-runners (GitHub.com only)
-    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
-    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
-    permissions:
-      # required for all workflows
-      security-events: write
-
-      # required to fetch internal or private CodeQL packs
-      packages: read
-
-      # only required for workflows in private repositories
-      actions: read
-      contents: read
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-        - language: actions
-          build-mode: none
-        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
-        # Use `c-cpp` to analyze code written in C, C++ or both
-        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
-        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
-        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
-        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
-        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
-        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
-
-    # Add any setup steps before running the `github/codeql-action/init` action.
-    # This includes steps like installing compilers or runtimes (`actions/setup-node`
-    # or others). This is typically only required for manual builds.
-    # - name: Setup runtime (example)
-    #   uses: actions/setup-example@v1
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
-      with:
-        languages: ${{ matrix.language }}
-        build-mode: ${{ matrix.build-mode }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-
-        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
-
-    # If the analyze step fails for one of the languages you are analyzing with
-    # "We were unable to automatically build your code", modify the matrix above
-    # to set the build mode to "manual" for that language. Then modify this step
-    # to build your code.
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-    - if: matrix.build-mode == 'manual'
-      shell: bash
-      run: |
-        echo 'If you are using a "manual" build mode for one or more of the' \
-          'languages you are analyzing, replace this with the commands to build' \
-          'your code, for example:'
-        echo '  make bootstrap'
-        echo '  make release'
-        exit 1
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
-      with:
-        category: "/language:${{matrix.language}}"

package/.github/workflows/publish.yml

@@ -1,87 +0,0 @@
-name: Publish to npm and GitHub Packages
-on:
-  push:
-    branches:
-      - main
-
-permissions:
-  contents: read
-  packages: write
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Setup Node.js for npm
-        uses: actions/setup-node@v3
-        with:
-          node-version: '18'
-          registry-url: 'https://registry.npmjs.org'
-
-      - name: Cache Node.js modules
-        uses: actions/cache@v3
-        with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.os }}-node-
-
-      - name: Install dependencies
-        run: |
-          for i in {1..3}; do npm install && break || sleep 10; done
-
-      - name: Check if version exists on npm
-        id: check_version
-        run: |
-          PACKAGE_NAME=$(node -p "require('./package.json').name")
-          VERSION=$(node -p "require('./package.json').version")
-          if npm view $PACKAGE_NAME@$VERSION version 2>/dev/null; then
-            echo "exists=true" >> $GITHUB_OUTPUT
-            echo "Version $VERSION already exists on npm"
-          else
-            echo "exists=false" >> $GITHUB_OUTPUT
-            echo "Version $VERSION does not exist, will publish"
-          fi
-
-      - name: Publish to npm
-        if: steps.check_version.outputs.exists == 'false'
-        run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-      - name: Check if version exists on GitHub Packages
-        id: check_github_version
-        run: |
-          VERSION=$(node -p "require('./package.json').version")
-          if curl -f -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-            https://npm.pkg.github.com/@mibnekhalid/mbkauthe/$VERSION 2>/dev/null; then
-            echo "exists=true" >> $GITHUB_OUTPUT
-            echo "Version $VERSION already exists on GitHub Packages"
-          else
-            echo "exists=false" >> $GITHUB_OUTPUT
-            echo "Version $VERSION does not exist on GitHub Packages, will publish"
-          fi
-
-      - name: Modify package.json for GitHub Packages
-        if: steps.check_github_version.outputs.exists == 'false'
-        run: |
-          node -e "const pkg = require('./package.json'); pkg.name = '@mibnekhalid/mbkauthe'; pkg.publishConfig = { registry: 'https://npm.pkg.github.com' }; require('fs').writeFileSync('package.json', JSON.stringify(pkg, null, 2));"
-
-      - name: Setup Node.js for GitHub Packages
-        if: steps.check_github_version.outputs.exists == 'false'
-        uses: actions/setup-node@v3
-        with:
-          node-version: '18'
-          registry-url: 'https://npm.pkg.github.com'
-
-      - name: Publish to GitHub Packages
-        if: steps.check_github_version.outputs.exists == 'false'
-        run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}