mbkauthe 3.4.0 → 4.0.0

package/docs/db.sql

@@ -0,0 +1,116 @@
+
+-- GitHub users table
+CREATE TABLE user_github (
+    id SERIAL PRIMARY KEY,
+    user_name VARCHAR(50) REFERENCES "Users"("UserName"),
+    github_id VARCHAR(255) UNIQUE,
+    github_username VARCHAR(255),
+    access_token TEXT,
+    created_at TimeStamp WITH TIME ZONE DEFAULT NOW(),
+    updated_at TimeStamp WITH TIME ZONE DEFAULT NOW()
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_user_github_github_id ON user_github (github_id);
+CREATE INDEX IF NOT EXISTS idx_user_github_user_name ON user_github (user_name);
+
+-- Google users table
+CREATE TABLE user_google (
+    id SERIAL PRIMARY KEY,
+    user_name VARCHAR(50) REFERENCES "Users"("UserName"),
+    google_id VARCHAR(255) UNIQUE,
+    google_email VARCHAR(255),
+    access_token TEXT,
+    created_at TimeStamp WITH TIME ZONE DEFAULT NOW(),
+    updated_at TimeStamp WITH TIME ZONE DEFAULT NOW()
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_user_google_google_id ON user_google (google_id);
+CREATE INDEX IF NOT EXISTS idx_user_google_user_name ON user_google (user_name);
+
+
+
+
+CREATE TYPE role AS ENUM ('SuperAdmin', 'NormalUser', 'Guest');
+
+CREATE TABLE "Users" (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    "UserName" VARCHAR(50) NOT NULL UNIQUE,
+    "Password" VARCHAR(61), -- For raw passwords (when EncPass=false)
+    "PasswordEnc" VARCHAR(128), -- For encrypted passwords (when EncPass=true)
+    "Role" role DEFAULT 'NormalUser' NOT NULL,
+    "Active" BOOLEAN DEFAULT FALSE,
+    "HaveMailAccount" BOOLEAN DEFAULT FALSE,
+    "AllowedApps" JSONB DEFAULT '["mbkauthe", "portal"]',
+    "created_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    "last_login" TIMESTAMP WITH TIME ZONE
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_users_username ON "Users" ("UserName");
+CREATE INDEX IF NOT EXISTS idx_users_active ON "Users" ("Active");
+CREATE INDEX IF NOT EXISTS idx_users_role ON "Users" ("Role");
+CREATE INDEX IF NOT EXISTS idx_users_last_login ON "Users" (last_login);
+
+-- Application Sessions table (stores multiple concurrent sessions per user)
+-- Note: this is separate from the express-session store table named "session"
+CREATE TABLE "Sessions" (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(), -- requires pgcrypto or uuid-ossp
+  "UserName" VARCHAR(50) NOT NULL REFERENCES "Users"("UserName") ON DELETE CASCADE,
+  created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+  expires_at TIMESTAMP WITH TIME ZONE,
+    meta JSONB
+);
+
+-- Indexes optimized by username instead of numeric user id
+CREATE INDEX IF NOT EXISTS idx_sessions_username ON "Sessions" ("UserName");
+CREATE INDEX IF NOT EXISTS idx_sessions_user_created ON "Sessions" ("UserName", created_at);
+
+
+CREATE TABLE "session" (
+    sid VARCHAR(33) PRIMARY KEY NOT NULL,
+    sess JSONB NOT NULL,
+    expire TimeStamp WITH TIME ZONE Not Null,
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_session_expire ON "session" ("expire");
+CREATE INDEX IF NOT EXISTS idx_session_user_id ON "session" ((sess->'user'->>'id'));
+
+
+
+CREATE TABLE "TwoFA" (
+    "UserName" VARCHAR(50) primary key REFERENCES "Users"("UserName"),
+    "TwoFAStatus" boolean NOT NULL,
+    "TwoFASecret" TEXT
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_twofa_username ON "TwoFA" ("UserName");
+CREATE INDEX IF NOT EXISTS idx_twofa_username_status ON "TwoFA" ("UserName", "TwoFAStatus");
+
+
+
+CREATE TABLE "TrustedDevices" (
+    "id" SERIAL PRIMARY KEY,
+    "UserName" VARCHAR(50) NOT NULL REFERENCES "Users"("UserName") ON DELETE CASCADE,
+    "DeviceToken" VARCHAR(64) UNIQUE NOT NULL,
+    "DeviceName" VARCHAR(255),
+    "UserAgent" TEXT,
+    "IpAddress" VARCHAR(45),
+    "CreatedAt" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    "ExpiresAt" TIMESTAMP WITH TIME ZONE NOT NULL,
+    "LastUsed" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_trusted_devices_token ON "TrustedDevices"("DeviceToken");
+CREATE INDEX IF NOT EXISTS idx_trusted_devices_username ON "TrustedDevices"("UserName");
+CREATE INDEX IF NOT EXISTS idx_trusted_devices_expires ON "TrustedDevices"("ExpiresAt");
+
+
+-- No Encrypted password for 'support' user
+INSERT INTO "Users" ("UserName", "Password", "Role", "Active", "HaveMailAccount", "GuestRole")
+        VALUES ('support', '12345678', 'SuperAdmin', true, false, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);

package/docs/env.md

@@ -42,6 +42,7 @@ This document describes the environment variables MBKAuth expects and keeps brie
   - Description: PostgreSQL connection string for auth (must start with `postgresql://` or `postgres://`).
   - Example: `"LOGIN_DB":"postgresql://user:pass@localhost:5432/mbkauth"`
   - Required: Yes
+  - Create free postgres db: https://neon.com/
 
 - MBKAUTH_TWO_FA_ENABLE
   - Description: Enable Two-Factor Authentication.
@@ -67,6 +68,13 @@ This document describes the environment variables MBKAuth expects and keeps brie
   - Example: `"DEVICE_TRUST_DURATION_DAYS":30`
   - Required: No
 
+- MAX_SESSIONS_PER_USER
+  - Description: Maximum number of concurrent application sessions allowed per user. When creating a new session that would exceed this number, the oldest session(s) for that user are pruned to make room for the new session.
+  - Default: `5`
+  - Example: `"MAX_SESSIONS_PER_USER": 10`
+  - Notes: Must be a positive integer. Validation is performed at startup by `lib/config/index.js`.
+  - Required: No
+
 - loginRedirectURL
   - Description: Post-login redirect path.
   - Default: `/dashboard`
@@ -81,6 +89,8 @@ This document describes the environment variables MBKAuth expects and keeps brie
 - GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET / GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET
   - Description: OAuth credentials (put in `mbkautheVar` preferred, or `mbkauthShared`).
   - Required when provider enabled.
+  - Create Github OAuth App: https://github.com/settings/developers
+  - Create Google OAuth: https://console.cloud.google.com/
 
 ---
 

package/index.d.ts

@@ -12,6 +12,7 @@ declare global {
       user?: {
         username: string;
         role: 'SuperAdmin' | 'NormalUser' | 'Guest';
+        fullname?: string;
       };
       userRole?: 'SuperAdmin' | 'NormalUser' | 'Guest';
     }
@@ -20,8 +21,9 @@ declare global {
       user?: {
         id: number;
         username: string;
+        fullname?: string;
         role: 'SuperAdmin' | 'NormalUser' | 'Guest';
-        sessionId: string;
+        sessionId?: string;
         allowedApps?: string[];
       };
       preAuthUser?: {
@@ -75,8 +77,9 @@ declare module 'mbkauthe' {
   export interface SessionUser {
     id: number;
     username: string;
+    fullname?: string;
     role: UserRole;
-    sessionId: string;
+    sessionId?: string;
     allowedApps?: string[];
   }
 
@@ -98,7 +101,7 @@ declare module 'mbkauthe' {
     Role: UserRole;
     Active: boolean;
     AllowedApps: string[];
-    SessionId?: string;
+
     created_at?: Date;
     updated_at?: Date;
     last_login?: Date;
@@ -209,6 +212,10 @@ declare module 'mbkauthe' {
 
   export function authenticate(token: string): AuthMiddleware;
 
+  // Reload session user values from DB and refresh cookies.
+  // Returns true when session is refreshed and valid, false if session invalidated.
+  export function reloadSessionUser(req: Request, res: Response): Promise<boolean>;
+
   // Utility Functions
   export function renderError(
     res: Response,

package/index.js

@@ -89,7 +89,10 @@ if (process.env.test !== "dev") {
     await checkVersion();
 }
 
-export { validateSession, checkRolePermission, validateSessionAndRole, authenticate } from "./lib/middleware/auth.js";
+export {
+    validateSession, validateApiSession, checkRolePermission,
+    validateSessionAndRole, authenticate, reloadSessionUser
+} from "./lib/middleware/auth.js";
 export { renderError } from "./lib/utils/response.js";
 export { dblogin } from "./lib/database/pool.js";
 export { ErrorCodes, ErrorMessages, getErrorByCode, createErrorResponse, logError } from "./lib/utils/errors.js";

package/lib/config/cookies.js

@@ -32,6 +32,12 @@ export const generateDeviceToken = () => {
     return crypto.randomBytes(32).toString('hex');
 };
 
+// Hash a device token for safe storage in the database
+export const hashDeviceToken = (token) => {
+    if (!token || typeof token !== 'string') return null;
+    return crypto.createHmac('sha256').update(token).digest('hex');
+};
+
 export const getDeviceTokenCookieOptions = () => ({
     maxAge: DEVICE_TRUST_DURATION_MS,
     domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
@@ -46,6 +52,7 @@ export const clearSessionCookies = (res) => {
     res.clearCookie("mbkauthe.sid", cachedClearCookieOptions);
     res.clearCookie("sessionId", cachedClearCookieOptions);
     res.clearCookie("username", cachedClearCookieOptions);
+    res.clearCookie("fullName", cachedClearCookieOptions);
     res.clearCookie("device_token", cachedClearCookieOptions);
 };
 

package/lib/config/index.js

@@ -62,9 +62,10 @@ function validateConfiguration() {
 
     // Ensure specific keys are checked in mbkautheVar first, then mbkauthShared, then apply config defaults
     const keysToCheck = [
-        "APP_NAME","DEVICE_TRUST_DURATION_DAYS","EncPass","Main_SECRET_TOKEN","SESSION_SECRET_KEY","IS_DEPLOYED",
-        "LOGIN_DB","MBKAUTH_TWO_FA_ENABLE","COOKIE_EXPIRE_TIME","DOMAIN","loginRedirectURL",
-        "GITHUB_LOGIN_ENABLED","GITHUB_CLIENT_ID","GITHUB_CLIENT_SECRET","GOOGLE_LOGIN_ENABLED","GOOGLE_CLIENT_ID","GOOGLE_CLIENT_SECRET"
+        "APP_NAME","DEVICE_TRUST_DURATION_DAYS","EncPass","Main_SECRET_TOKEN","SESSION_SECRET_KEY",
+        "IS_DEPLOYED","LOGIN_DB","MBKAUTH_TWO_FA_ENABLE","COOKIE_EXPIRE_TIME","DOMAIN","loginRedirectURL",
+        "GITHUB_LOGIN_ENABLED","GITHUB_CLIENT_ID","GITHUB_CLIENT_SECRET","GOOGLE_LOGIN_ENABLED","GOOGLE_CLIENT_ID",
+        "GOOGLE_CLIENT_SECRET","MAX_SESSIONS_PER_USER"
     ];
 
     const defaults = {
@@ -75,7 +76,8 @@ function validateConfiguration() {
         COOKIE_EXPIRE_TIME: 2,
         loginRedirectURL: '/dashboard',
         GITHUB_LOGIN_ENABLED: 'false',
-        GOOGLE_LOGIN_ENABLED: 'false'
+        GOOGLE_LOGIN_ENABLED: 'false',
+        MAX_SESSIONS_PER_USER: 5
     };
 
     keysToCheck.forEach(key => {
@@ -183,6 +185,20 @@ function validateConfiguration() {
         mbkautheVar.DEVICE_TRUST_DURATION_DAYS = 7;
     }
 
+    // Validate MAX_SESSIONS_PER_USER if provided (must be positive integer)
+    if (mbkautheVar.MAX_SESSIONS_PER_USER !== undefined) {
+        const maxSessions = parseInt(mbkautheVar.MAX_SESSIONS_PER_USER, 10);
+        if (isNaN(maxSessions) || maxSessions <= 0) {
+            errors.push("mbkautheVar.MAX_SESSIONS_PER_USER must be a valid positive integer");
+        } else {
+            // Normalize to integer
+            mbkautheVar.MAX_SESSIONS_PER_USER = maxSessions;
+        }
+    } else {
+        // Ensure default value is set
+        mbkautheVar.MAX_SESSIONS_PER_USER = 5;
+    }
+
     // Validate LOGIN_DB connection string format
     if (mbkautheVar.LOGIN_DB && !mbkautheVar.LOGIN_DB.startsWith('postgresql://') && !mbkautheVar.LOGIN_DB.startsWith('postgres://')) {
         errors.push("mbkautheVar.LOGIN_DB must be a valid PostgreSQL connection string");

package/lib/config/security.js

@@ -5,4 +5,4 @@ export const hashPassword = (password, username) => {
     const salt = username;
     // 128 characters returned
     return crypto.pbkdf2Sync(password, salt, 100000, 64, 'sha512').toString('hex');
-};
+};

package/lib/middleware/auth.js

@@ -1,7 +1,7 @@
 import { dblogin } from "../database/pool.js";
 import { mbkautheVar } from "../config/index.js";
 import { renderError } from "../utils/response.js";
-import { clearSessionCookies } from "../config/cookies.js";
+import { clearSessionCookies, cachedCookieOptions } from "../config/cookies.js";
 
 async function validateSession(req, res, next) {
   if (!req.session.user) {
@@ -33,19 +33,18 @@ async function validateSession(req, res, next) {
       });
     }
 
-    // Normalize sessionId to lowercase for consistent comparison
-    const normalizedSessionId = sessionId.toLowerCase();
+    // Normalize sessionId (DB id) for consistent comparison
+    const normalizedSessionId = sessionId;
 
-    // Single optimized query to validate session and get role
-    const query = `SELECT "SessionId", "Active", "Role" FROM "Users" WHERE "id" = $1`;
-    const result = await dblogin.query({ name: 'validate-user-session', text: query, values: [id] });
+    // Validate session by DB primary key id and join to user
+    const query = `SELECT s.id as sid, s.expires_at, u."Active", u."Role"
+                   FROM "Sessions" s
+                   JOIN "Users" u ON s."UserName" = u."UserName"
+                   WHERE s.id = $1 LIMIT 1`;
+    const result = await dblogin.query({ name: 'validate-app-session', text: query, values: [normalizedSessionId] });
 
-    const dbSessionId = result.rows.length > 0 && result.rows[0].SessionId ? String(result.rows[0].SessionId).toLowerCase() : null;
-    if (!dbSessionId || dbSessionId !== normalizedSessionId) {
-      if (result.rows.length > 0 && !result.rows[0].SessionId) {
-        console.warn(`[mbkauthe] DB sessionId is null for user "${req.session.user.username}"`);
-      }
-      console.log(`[mbkauthe] Session invalidated for user "${req.session.user.username}"`);
+    if (result.rows.length === 0) {
+      console.log(`[mbkauthe] Session not found for user "${req.session.user.username}"`);
       req.session.destroy();
       clearSessionCookies(res);
       return renderError(res, {
@@ -57,7 +56,25 @@ async function validateSession(req, res, next) {
       });
     }
 
-    if (!result.rows[0].Active) {
+    const sessionRow = result.rows[0];
+
+    // Check expired
+    if (sessionRow.expires_at && new Date(sessionRow.expires_at) <= new Date()) {
+      console.log(`[mbkauthe] Session invalidated (expired) for user "${req.session.user.username}"`);
+      // destroy and clear cookies
+      req.session.destroy();
+      clearSessionCookies(res);
+      return renderError(res, {
+        code: 401,
+        error: "Session Expired",
+        message: "Your Session Has Expired. Please Log In Again.",
+        pagename: "Login",
+        page: `/mbkauthe/login?redirect=${encodeURIComponent(req.originalUrl)}`,
+      });
+    }
+
+
+    if (!sessionRow.Active) {
       console.log(`[mbkauthe] Account is inactive for user "${req.session.user.username}"`);
       req.session.destroy();
       clearSessionCookies(res);
@@ -97,6 +114,177 @@ async function validateSession(req, res, next) {
   }
 }
 
+/**
+ * API-friendly session validation middleware
+ * Returns JSON error responses instead of rendering pages
+ */
+async function validateApiSession(req, res, next) {
+  if (!req.session.user) {
+    return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_NOT_FOUND));
+  }
+
+  try {
+    const { id, sessionId, role, allowedApps } = req.session.user;
+
+    // Defensive checks for sessionId and allowedApps
+    if (!sessionId) {
+      console.warn(`[mbkauthe] Missing sessionId for user "${req.session.user.username}"`);
+      req.session.destroy();
+      clearSessionCookies(res);
+      return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_EXPIRED));
+    }
+
+    // Normalize sessionId (DB id) for consistent comparison
+    const normalizedSessionId = sessionId;
+
+    // Validate session by DB primary key id and join to user
+    const query = `SELECT s.id as sid, s.expires_at, u."Active", u."Role"
+                   FROM "Sessions" s
+                   JOIN "Users" u ON s."UserName" = u."UserName"
+                   WHERE s.id = $1 LIMIT 1`;
+    const result = await dblogin.query({ name: 'validate-app-session-for-api', text: query, values: [normalizedSessionId] });
+
+    if (result.rows.length === 0) {
+      req.session.destroy();
+      clearSessionCookies(res);
+      return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_INVALID));
+    }
+
+    const sessionRow = result.rows[0];
+
+    // Check expired
+    if (sessionRow.expires_at && new Date(sessionRow.expires_at) <= new Date()) {
+      req.session.destroy();
+      clearSessionCookies(res);
+      return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_EXPIRED));
+    }
+
+
+    if (!result.rows[0].Active) {
+      console.log(`[mbkauthe] Account is inactive for user "${req.session.user.username}"`);
+      req.session.destroy();
+      clearSessionCookies(res);
+      return res.status(401).json(createErrorResponse(401, ErrorCodes.ACCOUNT_INACTIVE));
+    }
+
+    if (role !== "SuperAdmin") {
+      // If allowedApps is not provided or not an array, treat as no access
+      const hasAllowedApps = Array.isArray(allowedApps) && allowedApps.length > 0;
+      if (!hasAllowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
+        console.warn(`[mbkauthe] User \"${req.session.user.username}\" is not authorized to use the application \"${mbkautheVar.APP_NAME}\"`);
+        req.session.destroy();
+        clearSessionCookies(res);
+        return res.status(401).json(createErrorResponse(401, ErrorCodes.APP_NOT_AUTHORIZED));
+      }
+    }
+
+    // Store user role in request for checkRolePermission to use
+    req.userRole = result.rows[0].Role;
+
+    next();
+  } catch (err) {
+    console.error("[mbkauthe] API session validation error:", err);
+    return res.status(500).json(createErrorResponse(500, ErrorCodes.INTERNAL_SERVER_ERROR));
+  }
+}
+
+/**
+ * Reload session user values from the database and refresh cookies.
+ * - Validates sessionId and active status
+ * - Updates `req.session.user` fields (username, role, allowedApps, fullname)
+ * - Uses cached `fullName` cookie when available, otherwise queries `profiledata`
+ * - Syncs `username`, `fullName` and `sessionId` cookies
+ * Returns: true if session refreshed and valid, false if session invalidated
+ */
+export async function reloadSessionUser(req, res) {
+  if (!req.session || !req.session.user || !req.session.user.id) return false;
+  try {
+    const { id, sessionId: currentSessionId } = req.session.user;
+
+    if (!currentSessionId) {
+      req.session.destroy(() => {});
+      clearSessionCookies(res);
+      return false;
+    }
+
+    const normalizedSessionId = String(currentSessionId);
+    const query = `SELECT s.id as sid, s.expires_at, u.id as uid, u."UserName", u."Active", u."Role", u."AllowedApps"
+                   FROM "Sessions" s
+                   JOIN "Users" u ON s."UserName" = u."UserName"
+                   WHERE s.id = $1 LIMIT 1`;
+    const result = await dblogin.query({ name: 'reload-session-user', text: query, values: [normalizedSessionId] });
+
+    if (result.rows.length === 0) {
+      // Session not found — invalidate session
+      req.session.destroy(() => {});
+      clearSessionCookies(res);
+      return false;
+    }
+
+    const row = result.rows[0];
+
+    // Check expired
+    if (row.expires_at && new Date(row.expires_at) <= new Date()) {
+      req.session.destroy(() => {});
+      clearSessionCookies(res);
+      return false;
+    }
+
+    if (!row.Active) {
+      // Account is inactive
+      req.session.destroy(() => {});
+      clearSessionCookies(res);
+      return false;
+    }
+
+    // Authorization: ensure allowed for current app unless SuperAdmin
+    if (row.Role !== 'SuperAdmin') {
+      const allowedApps = row.AllowedApps;
+      const hasAllowedApps = Array.isArray(allowedApps) && allowedApps.length > 0;
+      if (!hasAllowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
+        req.session.destroy(() => {});
+        clearSessionCookies(res);
+        return false;
+      }
+    }
+
+    // Update session fields
+    req.session.user.username = row.UserName;
+    req.session.user.role = row.Role;
+    req.session.user.allowedApps = row.AllowedApps;
+
+    // Obtain fullname from client cookie cache when present else DB
+    if (req.cookies && req.cookies.fullName && typeof req.cookies.fullName === 'string') {
+      req.session.user.fullname = req.cookies.fullName;
+    } else {
+      try {
+        const prof = await dblogin.query({ name: 'reload-get-fullname', text: 'SELECT "FullName" FROM "profiledata" WHERE "UserName" = $1 LIMIT 1', values: [row.UserName] });
+        if (prof.rows.length > 0 && prof.rows[0].FullName) req.session.user.fullname = prof.rows[0].FullName;
+      } catch (profileErr) {
+        console.error('[mbkauthe] Error fetching fullname during reload:', profileErr);
+      }
+    }
+
+    // Persist session changes
+    await new Promise((resolve, reject) => req.session.save(err => err ? reject(err) : resolve()));
+
+    // Sync cookies for client UI (non-httpOnly)
+    try {
+      res.cookie('username', req.session.user.username, { ...cachedCookieOptions, httpOnly: false });
+      res.cookie('fullName', req.session.user.fullname || req.session.user.username, { ...cachedCookieOptions, httpOnly: false });
+      res.cookie('sessionId', req.session.user.sessionId, cachedCookieOptions);
+    } catch (cookieErr) {
+      // Ignore cookie setting errors, session is still refreshed
+      console.error('[mbkauthe] Error syncing cookies during reload:', cookieErr);
+    }
+
+    return true;
+  } catch (err) {
+    console.error('[mbkauthe] reloadSessionUser error:', err);
+    return false;
+  }
+}
+
 const checkRolePermission = (requiredRoles, notAllowed) => {
   return async (req, res, next) => {
     try {
@@ -173,5 +361,4 @@ const authenticate = (authentication) => {
   };
 };
 
-
-export { validateSession, checkRolePermission, validateSessionAndRole, authenticate };
+export { validateSession, validateApiSession, checkRolePermission, validateSessionAndRole, authenticate };

package/lib/middleware/index.js

@@ -57,8 +57,8 @@ export async function sessionRestorationMiddleware(req, res, next) {
   if (!req.session.user && req.cookies.sessionId) {
     const sessionId = req.cookies.sessionId;
 
-    // Early validation to avoid unnecessary processing
-    if (typeof sessionId !== 'string' || !/^[a-f0-9]{64}$/i.test(sessionId)) {
+    // Early validation to avoid unnecessary processing (expect DB UUID id)
+    if (typeof sessionId !== 'string' || !/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(sessionId)) {
       // Clear invalid cookie to prevent repeated attempts
       res.clearCookie('sessionId', {
         domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
@@ -71,20 +71,48 @@ export async function sessionRestorationMiddleware(req, res, next) {
     }
 
     try {
-      const normalizedSessionId = sessionId.toLowerCase();
-
-      const query = `SELECT id, "UserName", "Active", "Role", "SessionId", "AllowedApps" FROM "Users" WHERE LOWER("SessionId") = $1 AND "Active" = true`;
-      const result = await dblogin.query({ name: 'restore-user-session', text: query, values: [normalizedSessionId] });
+      // Validate session by DB primary key id and join to user
+      const query = `SELECT u.id, u."UserName", u."Active", u."Role", u."AllowedApps", s.expires_at
+                     FROM "Sessions" s
+                     JOIN "Users" u ON s."UserName" = u."UserName"
+                     WHERE s.id = $1 LIMIT 1`;
+      const result = await dblogin.query({ name: 'restore-user-session', text: query, values: [sessionId] });
 
       if (result.rows.length > 0) {
-        const user = result.rows[0];
-        req.session.user = {
-          id: user.id,
-          username: user.UserName,
-          role: user.Role,
-          sessionId: normalizedSessionId,
-          allowedApps: user.AllowedApps,
-        };
+        const row = result.rows[0];
+
+        // Reject expired sessions or inactive users
+        if ((row.expires_at && new Date(row.expires_at) <= new Date()) || !row.Active) {
+          // leave cookies cleared and don't restore session
+        } else {
+          const normalizedSessionId = String(sessionId);
+          req.session.user = {
+            id: row.id,
+            username: row.UserName,
+            role: row.Role,
+            sessionId: normalizedSessionId,
+            allowedApps: row.AllowedApps,
+          };
+
+          // Use cached FullName from client cookie when available to avoid extra DB queries
+          if (req.cookies.fullName && typeof req.cookies.fullName === 'string') {
+            req.session.user.fullname = req.cookies.fullName;
+          } else {
+            // Fallback: attempt to fetch FullName from profiledata to populate session
+            try {
+              const profileRes = await dblogin.query({
+                name: 'restore-get-fullname',
+                text: 'SELECT "FullName" FROM "profiledata" WHERE "UserName" = $1 LIMIT 1',
+                values: [row.UserName]
+              });
+              if (profileRes.rows.length > 0 && profileRes.rows[0].FullName) {
+                req.session.user.fullname = profileRes.rows[0].FullName;
+              }
+            } catch (profileErr) {
+              console.error("[mbkauthe] Error fetching FullName during session restore:", profileErr);
+            }
+          }
+        }
       }
     } catch (err) {
       console.error("[mbkauthe] Session restoration error:", err);
@@ -99,8 +127,10 @@ export function sessionCookieSyncMiddleware(req, res, next) {
     // Only set cookies if they're missing or different
     if (req.cookies.sessionId !== req.session.user.sessionId) {
       res.cookie("username", req.session.user.username, { ...cachedCookieOptions, httpOnly: false });
+      // Also expose FullName (fallback to username) for display in client-side UI
+      res.cookie("fullName", req.session.user.fullname || req.session.user.username, { ...cachedCookieOptions, httpOnly: false });
       res.cookie("sessionId", req.session.user.sessionId, cachedCookieOptions);
     }
   }
   next();
-}
+}