mbkauthe 3.4.0 → 4.0.0

package/lib/routes/auth.js

@@ -7,7 +7,7 @@ import { dblogin } from "../database/pool.js";
 import { mbkautheVar } from "../config/index.js";
 import {
   cachedCookieOptions, cachedClearCookieOptions, clearSessionCookies,
-  generateDeviceToken, getDeviceTokenCookieOptions, DEVICE_TRUST_DURATION_MS
+  generateDeviceToken, getDeviceTokenCookieOptions, DEVICE_TRUST_DURATION_MS, hashDeviceToken
 } from "../config/cookies.js";
 import { packageJson } from "../config/index.js";
 import { hashPassword } from "../config/security.js";
@@ -63,6 +63,8 @@ export async function checkTrustedDevice(req, username) {
   }
 
   try {
+    // Hash the provided device token before querying DB (we store token hashes in DB)
+    const deviceTokenHash = hashDeviceToken(deviceToken);
     const deviceQuery = `
       SELECT td."UserName", td."LastUsed", td."ExpiresAt", u."id", u."Active", u."Role", u."AllowedApps"
       FROM "TrustedDevices" td
@@ -72,7 +74,7 @@ export async function checkTrustedDevice(req, username) {
     const deviceResult = await dblogin.query({
       name: 'check-trusted-device',
       text: deviceQuery,
-      values: [deviceToken, username]
+      values: [deviceTokenHash, username]
     });
 
     if (deviceResult.rows.length > 0) {
@@ -95,7 +97,7 @@ export async function checkTrustedDevice(req, username) {
       await dblogin.query({
         name: 'update-device-last-used',
         text: 'UPDATE "TrustedDevices" SET "LastUsed" = NOW() WHERE "DeviceToken" = $1',
-        values: [deviceToken]
+        values: [deviceTokenHash]
       });
 
       console.log(`[mbkauthe] Trusted device validated for user: ${username}`);
@@ -124,13 +126,9 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
       throw new Error('Username is required in user object');
     }
 
-    // smaller session id is sufficient and faster to generate/serialize
-    const sessionId = crypto.randomBytes(32).toString("hex");
-    console.log(`[mbkauthe] Generated session ID for username: ${username}`);
-
     // Fix session fixation: Delete old session BEFORE regenerating to prevent timing window
     const oldSessionId = req.sessionID;
-    
+
     // Delete old session first to prevent session fixation attacks
     await dblogin.query({
       name: 'login-delete-old-session-before-regen',
@@ -146,30 +144,67 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
       });
     });
 
-    // Run both queries in parallel for better performance
-    await Promise.all([
-      // Delete old sessions using indexed lookup on sess->'user'->>'id'
-      dblogin.query({
-        name: 'login-delete-old-user-sessions',
-        text: 'DELETE FROM "session" WHERE (sess->\'user\'->>\'id\')::int = $1',
-        values: [user.id]
-      }),
-      // Update session ID and last login time in Users table
-      dblogin.query({
-        name: 'login-update-session-and-last-login',
-        text: `UPDATE "Users" SET "SessionId" = $1, "last_login" = NOW() WHERE "id" = $2`,
-        values: [sessionId, user.id]
-      })
-    ]);
+    // Enforce max sessions per user (configurable via mbkautheVar.MAX_SESSIONS_PER_USER) and persist a new application session record (keyed by username)
+    const configuredMax = parseInt(mbkautheVar.MAX_SESSIONS_PER_USER, 10);
+    const MAX_SESSIONS = Number.isInteger(configuredMax) && configuredMax > 0 ? configuredMax : 5;
+
+    // Count active sessions for this user (by username)
+    const countRes = await dblogin.query({
+      name: 'count-user-sessions',
+      text: `SELECT id FROM "Sessions" WHERE "UserName" = $1 AND (expires_at IS NULL OR expires_at > NOW()) ORDER BY created_at ASC`,
+      values: [username]
+    });
+
+    const currentSessions = countRes.rows.length;
+    if (currentSessions >= MAX_SESSIONS) {
+      console.log(`[mbkauthe] User "${username}" has ${currentSessions} active sessions, exceeding max of ${MAX_SESSIONS}. Pruning oldest sessions.`);
+      // prune the oldest session(s) to make room for the new one
+      await dblogin.query({
+        name: 'prune-oldest-user-session',
+        text: `DELETE FROM "Sessions" WHERE id IN (SELECT id FROM "Sessions" WHERE "UserName" = $1 AND (expires_at IS NULL OR expires_at > NOW()) ORDER BY created_at ASC LIMIT $2)` ,
+        values: [username, (currentSessions - (MAX_SESSIONS - 1))]
+      });
+    }
+
+    const expiresAt = new Date(Date.now() + (cachedCookieOptions.maxAge || 0));
+
+    // Insert new session record for the user (store username) and return the DB id
+    const insertRes = await dblogin.query({
+      name: 'insert-app-session',
+      text: `INSERT INTO "Sessions" ("UserName", expires_at, meta) VALUES ($1, $2, $3) RETURNING id`,
+      values: [username, expiresAt, JSON.stringify({ ip: req.ip, ua: req.headers['user-agent'] || null })]
+    });
+    const dbSessionId = insertRes.rows[0].id; 
+
+    // Update last_login timestamp for the user
+    await dblogin.query({
+      name: 'login-update-last-login',
+      text: `UPDATE "Users" SET "last_login" = NOW() WHERE "id" = $1`,
+      values: [user.id]
+    });
 
     req.session.user = {
       id: user.id,
       username: username,
       role: user.role || user.Role,
-      sessionId,
+      sessionId: dbSessionId,
       allowedApps: user.allowedApps || user.AllowedApps,
     };
 
+    // Attempt to fetch FullName from profiledata and store it in session for display purposes
+    try {
+      const profileResult = await dblogin.query({
+        name: 'login-get-fullname',
+        text: 'SELECT "FullName" FROM "profiledata" WHERE "UserName" = $1 LIMIT 1',
+        values: [username]
+      });
+      if (profileResult.rows.length > 0 && profileResult.rows[0].FullName) {
+        req.session.user.fullname = profileResult.rows[0].FullName;
+      }
+    } catch (profileErr) {
+      console.error("[mbkauthe] Error fetching FullName for user:", profileErr);
+    }
+
     if (req.session.preAuthUser) {
       delete req.session.preAuthUser;
     }
@@ -180,9 +215,11 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
         return res.status(500).json({ success: false, message: "Internal Server Error" });
       }
 
-      res.cookie("sessionId", sessionId, cachedCookieOptions);
+      // Expose DB session id and display name to client for UI (fullName falls back to username)
+      res.cookie("sessionId", dbSessionId, cachedCookieOptions);
+      res.cookie("fullName", req.session.user.fullname || username, { ...cachedCookieOptions, httpOnly: false });
 
-      // Handle trusted device if requested
+      // Handle trusted device if requested (token no longer stored in DB as token_hash)
       if (trustDevice) {
         try {
           const deviceToken = generateDeviceToken();
@@ -192,13 +229,16 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
           const ipAddress = req.ip || req.connection.remoteAddress || 'Unknown';
           const expiresAt = new Date(Date.now() + DEVICE_TRUST_DURATION_MS);
 
+          // Store only the HASH of the device token in DB; send the raw token to the client (httpOnly cookie)
+          const deviceTokenHash = hashDeviceToken(deviceToken);
           await dblogin.query({
             name: 'insert-trusted-device',
             text: `INSERT INTO "TrustedDevices" ("UserName", "DeviceToken", "DeviceName", "UserAgent", "IpAddress", "ExpiresAt") 
                    VALUES ($1, $2, $3, $4, $5, $6)`,
-            values: [username, deviceToken, deviceName, userAgent, ipAddress, expiresAt]
+            values: [username, deviceTokenHash, deviceName, userAgent, ipAddress, expiresAt]
           });
 
+          // Send raw token to client as httpOnly cookie only
           res.cookie("device_token", deviceToken, getDeviceTokenCookieOptions());
           console.log(`[mbkauthe] Trusted device token created for user: ${username}`);
         } catch (deviceErr) {
@@ -212,7 +252,7 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
       const responsePayload = {
         success: true,
         message: "Login successful",
-        sessionId,
+        sessionId: dbSessionId,
       };
 
       if (redirectUrl) {
@@ -490,15 +530,14 @@ router.post("/api/logout", LogoutLimit, async (req, res) => {
     try {
       const { id, username } = req.session.user;
 
-      // Run both database operations in parallel
-      const operations = [
-        dblogin.query({ name: 'logout-clear-session', text: `UPDATE "Users" SET "SessionId" = NULL WHERE "id" = $1`, values: [id] })
-      ];
+      // Remove the application session record for this token (if present)
+      const operations = [];
+      if (req.session && req.session.user && req.session.user.sessionId) {
+        operations.push(dblogin.query({ name: 'logout-delete-app-session', text: 'DELETE FROM "Sessions" WHERE id = $1', values: [req.session.user.sessionId] }));
+      }
 
       if (req.sessionID) {
-        operations.push(
-          dblogin.query({ name: 'logout-delete-session', text: 'DELETE FROM "session" WHERE sid = $1', values: [req.sessionID] })
-        );
+        operations.push(dblogin.query({ name: 'logout-delete-session', text: 'DELETE FROM "session" WHERE sid = $1', values: [req.sessionID] }));
       }
 
       await Promise.all(operations);

package/lib/routes/misc.js

@@ -3,7 +3,7 @@ import fetch from 'node-fetch';
 import rateLimit from 'express-rate-limit';
 import { mbkautheVar, packageJson, appVersion } from "../config/index.js";
 import { renderError } from "../utils/response.js";
-import { authenticate, validateSession } from "../middleware/auth.js";
+import { authenticate, validateSession, validateApiSession } from "../middleware/auth.js";
 import { ErrorCodes, ErrorMessages } from "../utils/errors.js";
 import { dblogin } from "../database/pool.js";
 import { clearSessionCookies } from "../config/cookies.js";
@@ -79,10 +79,15 @@ router.get('/test', validateSession, LoginLimit, async (req, res) => {
         <p class="success">✅ Authentication successful! User is logged in.</p>
         <p>Welcome, <strong>${req.session.user.username}</strong>! Your role: <strong>${req.session.user.role}</strong></p>
         <div class="user-info">
+          Username: ${req.session.user.username}<br>
+          Role: ${req.session.user.role}<br>
+          Full Name: ${req.session.user.fullname || 'N/A'}<br>
           User ID: ${req.session.user.id}<br>
           Session ID: ${req.session.user.sessionId.slice(0, 5)}...
         </div>
         <button onclick="logout()">Logout</button>
+        <a href="https://portal.mbktech.org/">Web Portal</a>
+        <a href="https://portal.mbktech.org/user/settings">User Settings</a>
         <a href="/mbkauthe/info">Info Page</a>
         <a href="/mbkauthe/login">Login Page</a>
       </div>
@@ -90,6 +95,49 @@ router.get('/test', validateSession, LoginLimit, async (req, res) => {
   }
 });
 
+// API: check current session validity (JSON) — minimal response
+router.get('/api/checkSession', LoginLimit, async (req, res) => {
+  try {
+    if (!req.session?.user) {
+      return res.status(200).json({ sessionValid: false, expiry: null });
+    }
+
+    const { id, sessionId } = req.session.user;
+    if (!sessionId) {
+      req.session.destroy(() => { });
+      clearSessionCookies(res);
+      return res.status(200).json({ sessionValid: false, expiry: null });
+    }
+
+    const result = await dblogin.query({ name: 'check-session-validity', text: `SELECT s.expires_at, u."Active" FROM "Sessions" s JOIN "Users" u ON s."UserName" = u."UserName" WHERE s.id = $1 LIMIT 1`, values: [sessionId] });
+
+    if (result.rows.length === 0) {
+      req.session.destroy(() => { });
+      clearSessionCookies(res);
+      return res.status(200).json({ sessionValid: false, expiry: null });
+    }
+
+    const row = result.rows[0];
+    if ((row.expires_at && new Date(row.expires_at) <= new Date()) || !row.Active) {
+      req.session.destroy(() => { });
+      clearSessionCookies(res);
+      return res.status(200).json({ sessionValid: false, expiry: null });
+    }
+
+    // Determine expiry: prefer application session expiry if present else fallback to connect-pg-simple expire
+    let expiry = row.expires_at ? new Date(row.expires_at).toISOString() : null;
+    if (!expiry) {
+      const sessResult = await dblogin.query({ name: 'get-session-expiry', text: 'SELECT expire FROM "session" WHERE sid = $1', values: [req.sessionID] });
+      expiry = sessResult.rows.length > 0 && sessResult.rows[0].expire ? new Date(sessResult.rows[0].expire).toISOString() : null;
+    }
+
+    return res.status(200).json({ sessionValid: true, expiry });
+  } catch (err) {
+    console.error('[mbkauthe] checkSession error:', err);
+    return res.status(200).json({ sessionValid: false, expiry: null });
+  }
+});
+
 // Error codes page
 router.get("/ErrorCode", (req, res) => {
   try {
@@ -251,12 +299,12 @@ router.post("/api/terminateAllSessions", AdminOperationLimit, authenticate(mbkau
   try {
     // Run both operations in parallel for better performance
     await Promise.all([
-      dblogin.query({ 
-        name: 'terminate-all-user-sessions', 
-        text: 'UPDATE "Users" SET "SessionId" = NULL WHERE "SessionId" IS NOT NULL'
+      dblogin.query({
+        name: 'terminate-all-app-sessions',
+        text: 'DELETE FROM "Sessions"'
       }),
-      dblogin.query({ 
-        name: 'terminate-all-db-sessions', 
+      dblogin.query({
+        name: 'terminate-all-db-sessions',
         text: 'DELETE FROM "session" WHERE expire > NOW()'
       })
     ]);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mbkauthe",
-  "version": "3.4.0",
+  "version": "4.0.0",
   "description": "MBKTech's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",

package/test.spec.js

@@ -192,5 +192,20 @@ describe('mbkauthe Routes', () => {
         expect(response.headers['content-type']).toContain('application/json');
       }
     });
+
+    test('GET /mbkauthe/api/checkSession handles session check', async () => {
+      const response = await request(BASE_URL).get('/mbkauthe/api/checkSession');
+      expect(response.status).toBe(200);
+      expect(response.headers['content-type']).toContain('application/json');
+      expect(response.body).toHaveProperty('sessionValid');
+    });
+
+    test('POST /mbkauthe/api/logout handles logout', async () => {
+      const response = await request(BASE_URL).post('/mbkauthe/api/logout').send();
+      expect([200, 400, 401, 403, 429]).toContain(response.status);
+      if (response.status === 200) {
+        expect(response.headers['content-type']).toContain('application/json');
+      }
+    });
   });
 });

package/views/loginmbkauthe.handlebars

@@ -167,8 +167,6 @@
                             window.location.href = `/mbkauthe/2fa${redirectQuery}`;
                         } else {
                             loginButtonText.textContent = 'Success! Redirecting...';
-                            sessionStorage.setItem('sessionId', data.sessionId);
-
                             if (rememberMe) {
                                 setCookie('rememberedUsername', username, 30); // 30 days
                             } else {