mbkauthe 3.4.0 → 3.5.0

package/docs/api.md

@@ -194,6 +194,39 @@ fetch('/mbkauthe/api/login', {
 
 ---
 
+#### `GET /mbkauthe/api/checkSession`
+
+Checks whether the current session (cookie-based) is valid. Returns a JSON response suitable for AJAX/SPA checks.
+
+**Authentication:** Requires a valid session cookie set by `/mbkauthe/api/login`.
+
+**Success Response (200 OK):**
+```json
+{
+  "sessionValid": true,
+  "expiry": "2025-12-27T12:34:56.000Z"
+}
+```
+
+**Error Responses (examples):**
+- 200 Session invalid ( { "sessionValid": false, "expiry": null } )
+- 500 Internal Server Error (rare)
+
+**Example Request:**
+```javascript
+fetch('/mbkauthe/api/checkSession')
+  .then(res => res.json())
+  .then(data => {
+    if (data.sessionValid) {
+      // session active, expiry available in data.expiry
+    } else {
+      // not authenticated
+    }
+  });
+```
+
+---
+
 #### `GET /mbkauthe/2fa`
 
 Renders the Two-Factor Authentication verification page.
@@ -759,16 +792,51 @@ app.get('/protected', validateSession, (req, res) => {
 - Verifies user is authorized for the current application
 - Redirects to login page if validation fails
 
+### reloadSessionUser(req, res)
+
+Use this helper when you need to refresh the values stored in `req.session.user` from the authoritative database record (for example, after a profile update that changes FullName, or when session expiration policies are updated).
+
+- Behavior:
+  - Validates the session against the database (sessionId, active)
+  - Updates `req.session.user` fields: `username`, `role`, `allowedApps`, `fullname`
+  - Uses cached `fullName` cookie if available; falls back to querying `profiledata`
+  - Syncs `username`, `fullName`, and `sessionId` cookies for client display
+  - If the session is invalid (sessionId mismatch, inactive account, or unauthorized), it destroys the session and clears cookies
+
+- Returns: `Promise<boolean>` — `true` if session was refreshed and still valid, `false` if session was invalidated or reload failed.
+
+- Example:
+```javascript
+import { reloadSessionUser } from 'mbkauthe';
+
+// After updating profile data
+app.post('/mbkauthe/api/update-profile', validateSession, async (req, res) => {
+  // ... update profiledata.FullName in DB ...
+  const refreshed = await reloadSessionUser(req, res);
+  if (!refreshed) {
+    return res.status(401).json({ success: false, message: 'Session invalidated' });
+  }
+  res.json({ success: true, fullname: req.session.user.fullname });
+});
+```
+
 **Session Object:**
 ```javascript
 req.session.user = {
   id: 1,                    // User ID
-  username: "john.doe",     // Username
+  username: "john.doe",     // Username (login name)
+  fullname: "John Doe",     // Optional display name fetched from profiledata
   role: "NormalUser",       // User role
   sessionId: "abc123...",   // 64-char hex session ID
 }
 ```
 
+**Session Cookie Sync:**
+- The middleware sets non-httpOnly cookies for client display:
+  - `username` — the login username (exposed for UI)
+  - `fullName` — the display name (falls back to username if not available)
+
+These cookies allow front-end UI to display a friendly name without making extra requests to the server.
 ---
 
 ### `checkRolePermission(requiredRole, notAllowed)`

package/index.d.ts

@@ -12,6 +12,7 @@ declare global {
       user?: {
         username: string;
         role: 'SuperAdmin' | 'NormalUser' | 'Guest';
+        fullname?: string;
       };
       userRole?: 'SuperAdmin' | 'NormalUser' | 'Guest';
     }
@@ -20,6 +21,7 @@ declare global {
       user?: {
         id: number;
         username: string;
+        fullname?: string;
         role: 'SuperAdmin' | 'NormalUser' | 'Guest';
         sessionId: string;
         allowedApps?: string[];
@@ -75,6 +77,7 @@ declare module 'mbkauthe' {
   export interface SessionUser {
     id: number;
     username: string;
+    fullname?: string;
     role: UserRole;
     sessionId: string;
     allowedApps?: string[];
@@ -209,6 +212,10 @@ declare module 'mbkauthe' {
 
   export function authenticate(token: string): AuthMiddleware;
 
+  // Reload session user values from DB and refresh cookies.
+  // Returns true when session is refreshed and valid, false if session invalidated.
+  export function reloadSessionUser(req: Request, res: Response): Promise<boolean>;
+
   // Utility Functions
   export function renderError(
     res: Response,

package/index.js

@@ -89,7 +89,10 @@ if (process.env.test !== "dev") {
     await checkVersion();
 }
 
-export { validateSession, checkRolePermission, validateSessionAndRole, authenticate } from "./lib/middleware/auth.js";
+export {
+    validateSession, validateApiSession, checkRolePermission,
+    validateSessionAndRole, authenticate, reloadSessionUser
+} from "./lib/middleware/auth.js";
 export { renderError } from "./lib/utils/response.js";
 export { dblogin } from "./lib/database/pool.js";
 export { ErrorCodes, ErrorMessages, getErrorByCode, createErrorResponse, logError } from "./lib/utils/errors.js";

package/lib/config/cookies.js

@@ -46,6 +46,7 @@ export const clearSessionCookies = (res) => {
     res.clearCookie("mbkauthe.sid", cachedClearCookieOptions);
     res.clearCookie("sessionId", cachedClearCookieOptions);
     res.clearCookie("username", cachedClearCookieOptions);
+    res.clearCookie("fullName", cachedClearCookieOptions);
     res.clearCookie("device_token", cachedClearCookieOptions);
 };
 

package/lib/middleware/auth.js

@@ -1,7 +1,7 @@
 import { dblogin } from "../database/pool.js";
 import { mbkautheVar } from "../config/index.js";
 import { renderError } from "../utils/response.js";
-import { clearSessionCookies } from "../config/cookies.js";
+import { clearSessionCookies, cachedCookieOptions } from "../config/cookies.js";
 
 async function validateSession(req, res, next) {
   if (!req.session.user) {
@@ -97,6 +97,160 @@ async function validateSession(req, res, next) {
   }
 }
 
+/**
+ * API-friendly session validation middleware
+ * Returns JSON error responses instead of rendering pages
+ */
+async function validateApiSession(req, res, next) {
+  if (!req.session.user) {
+    return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_NOT_FOUND));
+  }
+
+  try {
+    const { id, sessionId, role, allowedApps } = req.session.user;
+
+    // Defensive checks for sessionId and allowedApps
+    if (!sessionId) {
+      console.warn(`[mbkauthe] Missing sessionId for user "${req.session.user.username}"`);
+      req.session.destroy();
+      clearSessionCookies(res);
+      return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_EXPIRED));
+    }
+
+    // Normalize sessionId to lowercase for consistent comparison
+    const normalizedSessionId = sessionId.toLowerCase();
+
+    // Single optimized query to validate session and get role
+    const query = `SELECT "SessionId", "Active", "Role" FROM "Users" WHERE "id" = $1`;
+    const result = await dblogin.query({ name: 'validate-user-session-for-api', text: query, values: [id] });
+
+    const dbSessionId = result.rows.length > 0 && result.rows[0].SessionId ? String(result.rows[0].SessionId).toLowerCase() : null;
+    if (!dbSessionId || dbSessionId !== normalizedSessionId) {
+      if (result.rows.length > 0 && !result.rows[0].SessionId) {
+        console.warn(`[mbkauthe] DB sessionId is null for user "${req.session.user.username}"`);
+      }
+      console.log(`[mbkauthe] Session invalidated for user "${req.session.user.username}"`);
+      req.session.destroy();
+      clearSessionCookies(res);
+      return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_INVALID));
+    }
+
+    if (!result.rows[0].Active) {
+      console.log(`[mbkauthe] Account is inactive for user "${req.session.user.username}"`);
+      req.session.destroy();
+      clearSessionCookies(res);
+      return res.status(401).json(createErrorResponse(401, ErrorCodes.ACCOUNT_INACTIVE));
+    }
+
+    if (role !== "SuperAdmin") {
+      // If allowedApps is not provided or not an array, treat as no access
+      const hasAllowedApps = Array.isArray(allowedApps) && allowedApps.length > 0;
+      if (!hasAllowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
+        console.warn(`[mbkauthe] User \"${req.session.user.username}\" is not authorized to use the application \"${mbkautheVar.APP_NAME}\"`);
+        req.session.destroy();
+        clearSessionCookies(res);
+        return res.status(401).json(createErrorResponse(401, ErrorCodes.APP_NOT_AUTHORIZED));
+      }
+    }
+
+    // Store user role in request for checkRolePermission to use
+    req.userRole = result.rows[0].Role;
+
+    next();
+  } catch (err) {
+    console.error("[mbkauthe] API session validation error:", err);
+    return res.status(500).json(createErrorResponse(500, ErrorCodes.INTERNAL_SERVER_ERROR));
+  }
+}
+
+/**
+ * Reload session user values from the database and refresh cookies.
+ * - Validates sessionId and active status
+ * - Updates `req.session.user` fields (username, role, allowedApps, fullname)
+ * - Uses cached `fullName` cookie when available, otherwise queries `profiledata`
+ * - Syncs `username`, `fullName` and `sessionId` cookies
+ * Returns: true if session refreshed and valid, false if session invalidated
+ */
+export async function reloadSessionUser(req, res) {
+  if (!req.session || !req.session.user || !req.session.user.id) return false;
+  try {
+    const { id, sessionId: currentSessionId } = req.session.user;
+
+    // Fetch fresh user record
+    const query = `SELECT id, "UserName", "Active", "Role", "AllowedApps", "SessionId" FROM "Users" WHERE id = $1`;
+    const result = await dblogin.query({ name: 'reload-session-user', text: query, values: [id] });
+
+    if (result.rows.length === 0) {
+      // User not found — invalidate session
+      req.session.destroy(() => {});
+      clearSessionCookies(res);
+      return false;
+    }
+
+    const row = result.rows[0];
+    const dbSessionId = row.SessionId ? String(row.SessionId).toLowerCase() : null;
+    if (!dbSessionId || dbSessionId !== String(currentSessionId).toLowerCase()) {
+      // Session invalidated in DB
+      req.session.destroy(() => {});
+      clearSessionCookies(res);
+      return false;
+    }
+
+    if (!row.Active) {
+      // Account is inactive
+      req.session.destroy(() => {});
+      clearSessionCookies(res);
+      return false;
+    }
+
+    // Authorization: ensure allowed for current app unless SuperAdmin
+    if (row.Role !== 'SuperAdmin') {
+      const allowedApps = row.AllowedApps;
+      const hasAllowedApps = Array.isArray(allowedApps) && allowedApps.length > 0;
+      if (!hasAllowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
+        req.session.destroy(() => {});
+        clearSessionCookies(res);
+        return false;
+      }
+    }
+
+    // Update session fields
+    req.session.user.username = row.UserName;
+    req.session.user.role = row.Role;
+    req.session.user.allowedApps = row.AllowedApps;
+
+    // Obtain fullname from client cookie cache when present else DB
+    if (req.cookies && req.cookies.fullName && typeof req.cookies.fullName === 'string') {
+      req.session.user.fullname = req.cookies.fullName;
+    } else {
+      try {
+        const prof = await dblogin.query({ name: 'reload-get-fullname', text: 'SELECT "FullName" FROM "profiledata" WHERE "UserName" = $1 LIMIT 1', values: [row.UserName] });
+        if (prof.rows.length > 0 && prof.rows[0].FullName) req.session.user.fullname = prof.rows[0].FullName;
+      } catch (profileErr) {
+        console.error('[mbkauthe] Error fetching fullname during reload:', profileErr);
+      }
+    }
+
+    // Persist session changes
+    await new Promise((resolve, reject) => req.session.save(err => err ? reject(err) : resolve()));
+
+    // Sync cookies for client UI (non-httpOnly)
+    try {
+      res.cookie('username', req.session.user.username, { ...cachedCookieOptions, httpOnly: false });
+      res.cookie('fullName', req.session.user.fullname || req.session.user.username, { ...cachedCookieOptions, httpOnly: false });
+      res.cookie('sessionId', req.session.user.sessionId, cachedCookieOptions);
+    } catch (cookieErr) {
+      // Ignore cookie setting errors, session is still refreshed
+      console.error('[mbkauthe] Error syncing cookies during reload:', cookieErr);
+    }
+
+    return true;
+  } catch (err) {
+    console.error('[mbkauthe] reloadSessionUser error:', err);
+    return false;
+  }
+}
+
 const checkRolePermission = (requiredRoles, notAllowed) => {
   return async (req, res, next) => {
     try {
@@ -173,5 +327,4 @@ const authenticate = (authentication) => {
   };
 };
 
-
-export { validateSession, checkRolePermission, validateSessionAndRole, authenticate };
+export { validateSession, validateApiSession, checkRolePermission, validateSessionAndRole, authenticate };

package/lib/middleware/index.js

@@ -85,6 +85,25 @@ export async function sessionRestorationMiddleware(req, res, next) {
           sessionId: normalizedSessionId,
           allowedApps: user.AllowedApps,
         };
+
+        // Use cached FullName from client cookie when available to avoid extra DB queries
+        if (req.cookies.fullName && typeof req.cookies.fullName === 'string') {
+          req.session.user.fullname = req.cookies.fullName;
+        } else {
+          // Fallback: attempt to fetch FullName from profiledata to populate session
+          try {
+            const profileRes = await dblogin.query({
+              name: 'restore-get-fullname',
+              text: 'SELECT "FullName" FROM "profiledata" WHERE "UserName" = $1 LIMIT 1',
+              values: [user.UserName]
+            });
+            if (profileRes.rows.length > 0 && profileRes.rows[0].FullName) {
+              req.session.user.fullname = profileRes.rows[0].FullName;
+            }
+          } catch (profileErr) {
+            console.error("[mbkauthe] Error fetching FullName during session restore:", profileErr);
+          }
+        }
       }
     } catch (err) {
       console.error("[mbkauthe] Session restoration error:", err);
@@ -99,8 +118,10 @@ export function sessionCookieSyncMiddleware(req, res, next) {
     // Only set cookies if they're missing or different
     if (req.cookies.sessionId !== req.session.user.sessionId) {
       res.cookie("username", req.session.user.username, { ...cachedCookieOptions, httpOnly: false });
+      // Also expose FullName (fallback to username) for display in client-side UI
+      res.cookie("fullName", req.session.user.fullname || req.session.user.username, { ...cachedCookieOptions, httpOnly: false });
       res.cookie("sessionId", req.session.user.sessionId, cachedCookieOptions);
     }
   }
   next();
-}
+}

package/lib/routes/auth.js

@@ -170,6 +170,20 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
       allowedApps: user.allowedApps || user.AllowedApps,
     };
 
+    // Attempt to fetch FullName from profiledata and store it in session for display purposes
+    try {
+      const profileResult = await dblogin.query({
+        name: 'login-get-fullname',
+        text: 'SELECT "FullName" FROM "profiledata" WHERE "UserName" = $1 LIMIT 1',
+        values: [username]
+      });
+      if (profileResult.rows.length > 0 && profileResult.rows[0].FullName) {
+        req.session.user.fullname = profileResult.rows[0].FullName;
+      }
+    } catch (profileErr) {
+      console.error("[mbkauthe] Error fetching FullName for user:", profileErr);
+    }
+
     if (req.session.preAuthUser) {
       delete req.session.preAuthUser;
     }
@@ -180,7 +194,9 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
         return res.status(500).json({ success: false, message: "Internal Server Error" });
       }
 
+      // Expose sessionId and display name to client for UI (fullName falls back to username)
       res.cookie("sessionId", sessionId, cachedCookieOptions);
+      res.cookie("fullName", req.session.user.fullname || username, { ...cachedCookieOptions, httpOnly: false });
 
       // Handle trusted device if requested
       if (trustDevice) {

package/lib/routes/misc.js

@@ -3,7 +3,7 @@ import fetch from 'node-fetch';
 import rateLimit from 'express-rate-limit';
 import { mbkautheVar, packageJson, appVersion } from "../config/index.js";
 import { renderError } from "../utils/response.js";
-import { authenticate, validateSession } from "../middleware/auth.js";
+import { authenticate, validateSession, validateApiSession } from "../middleware/auth.js";
 import { ErrorCodes, ErrorMessages } from "../utils/errors.js";
 import { dblogin } from "../database/pool.js";
 import { clearSessionCookies } from "../config/cookies.js";
@@ -90,6 +90,41 @@ router.get('/test', validateSession, LoginLimit, async (req, res) => {
   }
 });
 
+// API: check current session validity (JSON) — minimal response
+router.get('/api/checkSession', LoginLimit, async (req, res) => {
+  try {
+    if (!req.session?.user) {
+      return res.status(200).json({ sessionValid: false, expiry: null });
+    }
+
+    const { id, sessionId } = req.session.user;
+    if (!sessionId) {
+      req.session.destroy(() => { });
+      clearSessionCookies(res);
+      return res.status(200).json({ sessionValid: false, expiry: null });
+    }
+
+    const normalizedSessionId = String(sessionId).toLowerCase();
+    const result = await dblogin.query({ name: 'check-session-validity', text: 'SELECT "SessionId", "Active" FROM "Users" WHERE id = $1', values: [id] });
+
+    const dbSessionId = result.rows.length > 0 && result.rows[0].SessionId ? String(result.rows[0].SessionId).toLowerCase() : null;
+    if (!dbSessionId || dbSessionId !== normalizedSessionId || !result.rows[0].Active) {
+      req.session.destroy(() => { });
+      clearSessionCookies(res);
+      return res.status(200).json({ sessionValid: false, expiry: null });
+    }
+
+    // Fetch expiry timestamp from session table (connect-pg-simple)
+    const sessResult = await dblogin.query({ name: 'get-session-expiry', text: 'SELECT expire FROM "session" WHERE sid = $1', values: [req.sessionID] });
+    const expiry = sessResult.rows.length > 0 && sessResult.rows[0].expire ? new Date(sessResult.rows[0].expire).toISOString() : null;
+
+    return res.status(200).json({ sessionValid: true, expiry });
+  } catch (err) {
+    console.error('[mbkauthe] checkSession error:', err);
+    return res.status(200).json({ sessionValid: false, expiry: null });
+  }
+});
+
 // Error codes page
 router.get("/ErrorCode", (req, res) => {
   try {
@@ -251,12 +286,12 @@ router.post("/api/terminateAllSessions", AdminOperationLimit, authenticate(mbkau
   try {
     // Run both operations in parallel for better performance
     await Promise.all([
-      dblogin.query({ 
-        name: 'terminate-all-user-sessions', 
+      dblogin.query({
+        name: 'terminate-all-user-sessions',
         text: 'UPDATE "Users" SET "SessionId" = NULL WHERE "SessionId" IS NOT NULL'
       }),
-      dblogin.query({ 
-        name: 'terminate-all-db-sessions', 
+      dblogin.query({
+        name: 'terminate-all-db-sessions',
         text: 'DELETE FROM "session" WHERE expire > NOW()'
       })
     ]);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mbkauthe",
-  "version": "3.4.0",
+  "version": "3.5.0",
   "description": "MBKTech's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",

package/test.spec.js

@@ -192,5 +192,20 @@ describe('mbkauthe Routes', () => {
         expect(response.headers['content-type']).toContain('application/json');
       }
     });
+
+    test('GET /mbkauthe/api/checkSession handles session check', async () => {
+      const response = await request(BASE_URL).get('/mbkauthe/api/checkSession');
+      expect(response.status).toBe(200);
+      expect(response.headers['content-type']).toContain('application/json');
+      expect(response.body).toHaveProperty('sessionValid');
+    });
+
+    test('POST /mbkauthe/api/logout handles logout', async () => {
+      const response = await request(BASE_URL).post('/mbkauthe/api/logout').send();
+      expect([200, 400, 401, 403, 429]).toContain(response.status);
+      if (response.status === 200) {
+        expect(response.headers['content-type']).toContain('application/json');
+      }
+    });
   });
 });