mbkauthe 3.5.0 → 4.0.0

package/README.md

@@ -1,35 +1,28 @@
-# MBKAuthe - Authentication System for Node.js
+# MBKAuthe - Node.js Authentication System
 
 [![Version](https://img.shields.io/npm/v/mbkauthe.svg)](https://www.npmjs.com/package/mbkauthe)
 [![License](https://img.shields.io/badge/License-GPL--2.0-blue.svg)](LICENSE)
 [![Node.js](https://img.shields.io/badge/node-%3E%3D14.0.0-brightgreen.svg)](https://nodejs.org/)
-[![Publish to npm](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/publish.yml/badge.svg?branch=main)](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/publish.yml)
-[![CodeQL Advanced](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/codeql.yml/badge.svg?branch=main)](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/codeql.yml)
-
-
-<p align="center">
-  <img height="64px" src="./public/icon.svg" alt="MBK Chat Platform" />
-</p>
+[![Publish](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/publish.yml/badge.svg?branch=main)](https://github.com/MIbnEKhalid/mbkauthe/actions/workflows/publish.yml)
 
 <p align="center">
-  <img src="https://skillicons.dev/icons?i=nodejs,express,postgres" />
-  <img height="48px" src="https://handlebarsjs.com/handlebars-icon.svg" alt="Handlebars" />
+  <img height="64px" src="./public/icon.svg" alt="MBKAuthe" />
 </p>
 
-**MBKAuthe** is a production-ready authentication system for Node.js applications. Built with Express and PostgreSQL, it provides secure authentication, 2FA, role-based access, and OAuth integration (GitHub & Google) out of the box.
+**MBKAuthe** is a production-ready authentication system for Node.js with Express and PostgreSQL. Features include secure login, 2FA, role-based access, OAuth (GitHub & Google), multi-session support, and multi-app user management.
 
 ## ✨ Key Features
 
-- 🔐 Secure password authentication with PBKDF2 hashing
-- 🔑 PostgreSQL session management with cross-subdomain support
-- 📱 Optional TOTP-based 2FA with trusted device memory
-- 🔄 OAuth integration (GitHub & Google)
-- 👥 Role-based access control (SuperAdmin, NormalUser, Guest)
-- 🎯 Multi-application user management
-- 🛡️ CSRF protection & advanced rate limiting
-- 🚀 Easy Express.js integration
-- 🎨 Customizable Handlebars templates
-- 🔒 Enhanced security with session fixation prevention
+- Secure password authentication (PBKDF2)
+- PostgreSQL session management
+- Multi-session support (configurable concurrent sessions per user)
+- Optional TOTP-based 2FA with trusted devices
+- OAuth login (GitHub & Google)
+- Role-based access: SuperAdmin, NormalUser, Guest
+- CSRF protection & rate limiting
+- Easy Express.js integration
+- Customizable Handlebars templates
+- Session fixation prevention
 
 ## 📦 Installation
 
@@ -39,49 +32,15 @@ npm install mbkauthe
 
 ## 🚀 Quick Start
 
-**1. Configure Environment (.env)**
+**1. Configure Environment**
 
-```env
-APP_NAME=your-app
-SESSION_SECRET_KEY=your-secret-key
-MAIN_SECRET_TOKEN=api-token
-IS_DEPLOYED=false
-DOMAIN=localhost
-LOGIN_DB=postgresql://user:pass@localhost:5432/db
-
-# Optional Features
-MBKAUTH_TWO_FA_ENABLE=false
-COOKIE_EXPIRE_TIME=2
-
-# OAuth Configuration (Optional)
-GITHUB_LOGIN_ENABLED=false
-GITHUB_CLIENT_ID=
-GITHUB_CLIENT_SECRET=
-
-GOOGLE_LOGIN_ENABLED=false
-GOOGLE_CLIENT_ID=
-GOOGLE_CLIENT_SECRET=
-```
-
-**2. Set Up Database**
-
-```sql
-CREATE TYPE role AS ENUM ('SuperAdmin', 'NormalUser', 'Guest');
-
-CREATE TABLE "Users" (
-    id SERIAL PRIMARY KEY,
-    "UserName" VARCHAR(50) NOT NULL UNIQUE,
-    "Password" VARCHAR(61) NOT NULL,
-    "Role" role DEFAULT 'NormalUser',
-    "Active" BOOLEAN DEFAULT FALSE,
-    "AllowedApps" JSONB DEFAULT '["mbkauthe"]',
-    "SessionId" VARCHAR(213),
-    created_at TIMESTAMP DEFAULT NOW(),
-    updated_at TIMESTAMP DEFAULT NOW()
-);
+```bash
+Copy-Item .env.example .env
 ```
+See [docs/env.md](docs/env.md).
 
-See [docs/db.md](docs/db.md) for complete schemas.
+**2. Set Up Database**  
+Run [docs/db.sql](docs/db.sql) to create tables and a default SuperAdmin (`support` / `12345678`). Change the password immediately. See [docs/db.md](docs/db.md).
 
 **3. Integrate with Express**
 
@@ -89,295 +48,86 @@ See [docs/db.md](docs/db.md) for complete schemas.
 import express from 'express';
 import mbkauthe, { validateSession, checkRolePermission } from 'mbkauthe';
 import dotenv from 'dotenv';
-
 dotenv.config();
 
-// App-specific configuration (as JSON string)
-process.env.mbkautheVar = JSON.stringify({
-    APP_NAME: process.env.APP_NAME,
-    SESSION_SECRET_KEY: process.env.SESSION_SECRET_KEY,
-    Main_SECRET_TOKEN: process.env.MAIN_SECRET_TOKEN,
-    IS_DEPLOYED: process.env.IS_DEPLOYED,
-    DOMAIN: process.env.DOMAIN,
-    LOGIN_DB: process.env.LOGIN_DB,
-    loginRedirectURL: '/dashboard'
-});
-
-// Optional shared configuration (useful for shared OAuth credentials across multiple projects)
-process.env.mbkauthShared = JSON.stringify({
-    GITHUB_CLIENT_ID: process.env.GITHUB_CLIENT_ID,
-    GITHUB_CLIENT_SECRET: process.env.GITHUB_CLIENT_SECRET,
-    GOOGLE_CLIENT_ID: process.env.GOOGLE_CLIENT_ID,
-    GOOGLE_CLIENT_SECRET: process.env.GOOGLE_CLIENT_SECRET
-});
-
-// MBKAuth prioritizes values in mbkautheVar, then mbkauthShared, then built-in defaults.
-
 const app = express();
-
-// Mount authentication routes
 app.use(mbkauthe);
 
-// Protected routes
-app.get('/dashboard', validateSession, (req, res) => {
-    res.send(`Welcome ${req.session.user.username}!`);
-});
-
-app.get('/admin', validateSession, checkRolePermission(['SuperAdmin']), (req, res) => {
-    res.send('Admin Panel');
-});
+app.get('/dashboard', validateSession, (req, res) => res.send(`Welcome ${req.session.user.username}!`));
+app.get('/admin', validateSession, checkRolePermission(['SuperAdmin']), (req, res) => res.send('Admin Panel'));
 
 app.listen(3000);
 ```
 
-
-## 🧪 Testing & Git Hooks
-
-MBKAuthe includes comprehensive test coverage for all authentication features. **A pre-commit hook is provided to ensure code quality:**
-
-### Pre-commit Hook (Automatic Test Runner)
-
-- Located at `scripts/pre-commit` and `scripts/pre-commit` (Node.js, cross-platform)
-- Starts the dev server, runs all tests, and blocks commits if any test fails
-- The dev server is automatically stopped after tests complete
-- Ensures you never commit code that breaks tests
-
-### Git Hook Setup
-
-Hooks are auto-configured every time you run `npm run dev`, `npm test`, or `npm run test:watch` (see `scripts/setup-hooks.js`).
-
-If you ever need to manually set up hooks:
-
-```bash
-node scripts/setup-hooks.js
-```
-
-### Running Tests
+## 🧪 Testing
 
 ```bash
-# Run all tests (auto-configures hooks)
 npm test
-
-# Run tests in watch mode (auto-configures hooks)
 npm run test:watch
-
-# Run with development flags (auto-configures hooks)
 npm run dev
 ```
 
-**Test Coverage:**
-- ✅ Authentication flows (login, 2FA, logout)
-- ✅ OAuth integration (GitHub)
-- ✅ Session management and security
-- ✅ Role-based access control
-- ✅ API endpoints and error handling
-- ✅ CSRF protection and rate limiting
-- ✅ Static asset serving
-
-## 📂 Architecture (v3.0)
-
-```
-lib/
-├── config/          # Configuration & security
-├── database/        # PostgreSQL pool
-├── utils/           # Errors & response helpers
-├── middleware/      # Auth & session middleware
-└── routes/          # Auth, OAuth, misc routes
-```
-
-**Key Improvements in v3.0:**
-- Modular structure with clear separation of concerns
-- Organized config, database, utils, middleware, and routes
-- Better maintainability and scalability
-
 ## 🔧 Core API
 
-### Middleware
-
-```javascript
-// Session validation
-app.get('/protected', validateSession, handler);
-
-// Role checking
-app.get('/admin', validateSession, checkRolePermission(['SuperAdmin']), handler);
+- **Session Validation:** `validateSession`
+- **Role Check:** `checkRolePermission(['Role'])`
+- **Combined:** `validateSessionAndRole(['SuperAdmin', 'NormalUser'])`
+- **API Token Auth:** `authenticate(process.env.API_TOKEN)`
 
-// Combined
-import { validateSessionAndRole } from 'mbkauthe';
-app.get('/mod', validateSessionAndRole(['SuperAdmin', 'NormalUser']), handler);
-
-// API token auth
-import { authenticate } from 'mbkauthe';
-app.post('/api/data', authenticate(process.env.API_TOKEN), handler);
-```
+## 🔐 Security
 
-### Built-in Routes
-
-**Authentication Routes:**
-- `GET /login`, `/signin` - Redirect to main login page
-- `GET /mbkauthe/login` - Login page (8/min rate limit)
-- `POST /mbkauthe/api/login` - Login endpoint (8/min rate limit)
-- `POST /mbkauthe/api/logout` - Logout endpoint (10/min rate limit)
-- `GET /mbkauthe/2fa` - 2FA verification page (if enabled)
-- `POST /mbkauthe/api/verify-2fa` - 2FA verification API (5/min rate limit)
-
-**OAuth Routes:**
-- `GET /mbkauthe/api/github/login` - GitHub OAuth initiation (10/5min rate limit)
-- `GET /mbkauthe/api/github/login/callback` - GitHub OAuth callback
-- `GET /mbkauthe/api/google/login` - Google OAuth initiation (10/5min rate limit)
-- `GET /mbkauthe/api/google/login/callback` - Google OAuth callback
-
-**Information & Utility Routes:**
-- `GET /mbkauthe/info`, `/mbkauthe/i` - Version & config info (8/min rate limit)
-- `GET /mbkauthe/ErrorCode` - Error code documentation
-- `GET /mbkauthe/test` - Test authentication status (8/min rate limit)
-
-**Static Asset Routes:**
-- `GET /mbkauthe/main.js` - Client-side JavaScript utilities
-- `GET /mbkauthe/bg.webp` - Background image for auth pages
-- `GET /icon.svg` - Application SVG icon (root level)
-- `GET /favicon.ico`, `/icon.ico` - Application favicon
-
-**Admin API Routes:**
-- `POST /mbkauthe/api/terminateAllSessions` - Terminate all sessions (admin only)
-
-## 🔐 Security Features
-
-- **Rate Limiting**: Login (8/min), Logout (10/min), 2FA (5/min), OAuth (10/5min), Admin (3/5min)
-- **CSRF Protection**: All state-changing routes protected with token validation
-- **Secure Cookies**: httpOnly, sameSite, secure in production
-- **Password Hashing**: PBKDF2 with 100k iterations
-- **Session Security**: PostgreSQL-backed, automatic cleanup, session fixation prevention
-- **OAuth Security**: State validation, token expiry handling, secure callback validation
+- Rate limiting, CSRF protection, secure cookies
+- Password hashing (PBKDF2, 100k iterations)
+- PostgreSQL-backed sessions with automatic cleanup
+- OAuth with state validation and secure callbacks
 
 ## 📱 Two-Factor Authentication
 
-Enable with `MBKAUTH_TWO_FA_ENABLE=true`:
-
-```sql
-CREATE TABLE "TwoFA" (
-    "UserName" VARCHAR(50) PRIMARY KEY REFERENCES "Users"("UserName"),
-    "TwoFAStatus" BOOLEAN NOT NULL,
-    "TwoFASecret" TEXT
-);
-```
-
-Users can mark devices as trusted to skip 2FA for configurable duration.
+Enable via `MBKAUTH_TWO_FA_ENABLE=true`. Trusted devices can skip 2FA for a set duration.
 
 ## 🔄 OAuth Integration
 
-### GitHub OAuth
-
-**Setup:**
-
-1. Create GitHub OAuth App with callback: `https://yourdomain.com/mbkauthe/api/github/login/callback`
-2. Configure environment:
-```env
-GITHUB_LOGIN_ENABLED=true
-GITHUB_CLIENT_ID=your_client_id
-GITHUB_CLIENT_SECRET=your_client_secret
-```
-3. Create table:
-```sql
-CREATE TABLE user_github (
-    id SERIAL PRIMARY KEY,
-    user_name VARCHAR(50) REFERENCES "Users"("UserName"),
-    github_id VARCHAR(255) UNIQUE,
-    github_username VARCHAR(255),
-    access_token VARCHAR(255),
-    created_at TIMESTAMP DEFAULT NOW()
-);
-```
-
-### Google OAuth
-
-**Setup:**
-
-1. Create Google OAuth 2.0 Client in [Google Cloud Console](https://console.cloud.google.com/)
-2. Add authorized redirect URI: `https://yourdomain.com/mbkauthe/api/google/login/callback`
-3. Configure environment:
-```env
-GOOGLE_LOGIN_ENABLED=true
-GOOGLE_CLIENT_ID=your_client_id
-GOOGLE_CLIENT_SECRET=your_client_secret
-```
-4. Create table:
-```sql
-CREATE TABLE user_google (
-    id SERIAL PRIMARY KEY,
-    user_name VARCHAR(50) REFERENCES "Users"("UserName"),
-    google_id VARCHAR(255) UNIQUE,
-    google_email VARCHAR(255),
-    access_token VARCHAR(255),
-    created_at TIMESTAMP DEFAULT NOW()
-);
-```
-
-**Note:** Users must link their OAuth accounts before they can use OAuth login.
+**GitHub / Google OAuth:** Configure apps and credentials via `.env` or `mbkautheVar`. Users must link accounts before login.
 
 ## 🎨 Customization
 
-**Redirect URL:**
-```javascript
-process.env.mbkautheVar = JSON.stringify({
-    // ...
-    loginRedirectURL: '/dashboard'
-});
-```
-
-**Custom Views:** Create in `views/` directory:
-- `loginmbkauthe.handlebars` - Login page
-- `2fa.handlebars` - 2FA page
-- `Error/dError.handlebars` - Error page
-
-**Database Access:**
-```javascript
-import { dblogin } from 'mbkauthe';
-const result = await dblogin.query('SELECT * FROM "Users"');
-```
+- **Redirect URL:** `mbkautheVar={"loginRedirectURL":"/dashboard"}`
+- **Custom Views:** `views/loginmbkauthe.handlebars`, `2fa.handlebars`, `Error/dError.handlebars`
+- **Database Access:** `import { dblogin } from 'mbkauthe'; const result = await dblogin.query('SELECT * FROM "Users"');`
 
 ## 🚢 Deployment
 
-**Production Checklist:**
-- ✅ Set `IS_DEPLOYED=true`
-- ✅ Use strong secrets for SESSION_SECRET_KEY and Main_SECRET_TOKEN
-- ✅ Enable HTTPS
-- ✅ Configure correct DOMAIN
-- ✅ Set appropriate COOKIE_EXPIRE_TIME
-- ✅ Use environment variables for all secrets
-
-**Vercel:**
-
-Tip: On Vercel you can set `mbkauthShared` at the project or team level to share common OAuth credentials across multiple deployments. MBKAuth will use values from `mbkautheVar` first and fall back to `mbkauthShared`.
-```json
-{
-    "version": 2,
-    "builds": [{ "src": "index.js", "use": "@vercel/node" }],
-    "routes": [{ "src": "/(.*)", "dest": "/index.js" }]
-}
-```
+Checklist for production:
+- `IS_DEPLOYED=true`
+- Strong secrets for SESSION_SECRET_KEY & Main_SECRET_TOKEN
+- HTTPS enabled
+- Correct DOMAIN & COOKIE_EXPIRE_TIME
+- Use environment variables for all secrets
+
+**Vercel:** Supports shared OAuth credentials via `mbkauthShared`.
 
 ## 📚 Documentation
 
-- [API Documentation](docs/api.md) - Complete API reference
-- [Database Guide](docs/db.md) - Schema details  
-- [Environment Config](docs/env.md) - Configuration options
-- [Error Messages](docs/error-messages.md) - Error code reference
+- [API Reference](docs/api.md)
+- [Database Schema](docs/db.md)
+- [Environment Config](docs/env.md)
+- [Error Codes](docs/error-messages.md)
 
 ## 📝 License
 
-GNU General Public License v2.0 - see [LICENSE](LICENSE)
+GPL v2.0 — see [LICENSE](LICENSE)
 
 ## 👨‍💻 Author
 
 **Muhammad Bin Khalid**  
 📧 [support@mbktech.org](mailto:support@mbktech.org) | [chmuhammadbinkhalid28@gmail.com](mailto:chmuhammadbinkhalid28@gmail.com)  
-🔗 [@MIbnEKhalid](https://github.com/MIbnEKhalid)
+🔗 [GitHub @MIbnEKhalid](https://github.com/MIbnEKhalid)
 
 ## 🔗 Links
 
-- [npm Package](https://www.npmjs.com/package/mbkauthe)
-- [GitHub Repository](https://github.com/MIbnEKhalid/mbkauthe)
-- [Issues & Support](https://github.com/MIbnEKhalid/mbkauthe/issues)
+- [npm](https://www.npmjs.com/package/mbkauthe)
+- [GitHub](https://github.com/MIbnEKhalid/mbkauthe)
+- [Support](https://github.com/MIbnEKhalid/mbkauthe/issues)
 
 ---
 

package/docs/api.md

@@ -38,7 +38,7 @@ When a user logs in, MBKAuthe creates a session and sets the following cookies:
 | Cookie Name | Description | HttpOnly | Secure | SameSite |
 |------------|-------------|----------|--------|----------|
 | `mbkauthe.sid` | Session identifier | ✓ | Auto* | lax |
-| `sessionId` | User session ID | ✓ | Auto* | lax |
+| `sessionId` | Opaque session token (backed by `Sessions` table) | ✓ | Auto* | lax |
 | `username` | Username | ✗ | Auto* | lax |
 
 \* `secure` flag is automatically set to `true` in production when `IS_DEPLOYED=true`
@@ -46,7 +46,7 @@ When a user logs in, MBKAuthe creates a session and sets the following cookies:
 ### Session Lifetime
 
 - Default: 2 days (configurable via `COOKIE_EXPIRE_TIME`)
-- Sessions are stored in PostgreSQL
+- Application sessions are stored in the `Sessions` table in PostgreSQL
 - Sessions persist across subdomains in production
 
 ---

package/docs/db.md

@@ -170,11 +170,6 @@ GITHUB_CLIENT_SECRET=your_github_client_secret
 
 The GitHub login feature is now fully integrated into your mbkauthe system and ready to use!
 
-
-
-
-
-
 ## Database structure
 
 [<- Back](README.md)
@@ -198,7 +193,7 @@ The GitHub login feature is now fully integrated into your mbkauthe system and r
   - `Role` (ENUM): The role of the user. Possible values: `SuperAdmin`, `NormalUser`, `Guest`.
   - `Active` (BOOLEAN): Indicates whether the user account is active.
   - `HaveMailAccount` (BOOLEAN)(optional): Indicates if the user has a linked mail account.
-  - `SessionId` (TEXT): The session ID associated with the user.
+  - (SessionId removed) The application now stores multiple concurrent sessions in the `Sessions` table.
   - `GuestRole` (JSONB): Stores additional guest-specific role information in binary JSON format.
   - `AllowedApps`(JSONB): Array of applications the user is authorized to access.
 
@@ -215,19 +210,32 @@ CREATE TABLE "Users" (
     "Active" BOOLEAN DEFAULT FALSE,
     "HaveMailAccount" BOOLEAN DEFAULT FALSE,
     "AllowedApps" JSONB DEFAULT '["mbkauthe", "portal"]',
-    "SessionId" VARCHAR(213),
     "created_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
     "updated_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
     "last_login" TIMESTAMP WITH TIME ZONE
 );
 
 -- Add indexes for performance optimization
-CREATE INDEX IF NOT EXISTS idx_users_sessionid ON "Users" (LOWER("SessionId"));
 CREATE INDEX IF NOT EXISTS idx_users_username ON "Users" ("UserName");
 CREATE INDEX IF NOT EXISTS idx_users_active ON "Users" ("Active");
 CREATE INDEX IF NOT EXISTS idx_users_role ON "Users" ("Role");
 CREATE INDEX IF NOT EXISTS idx_users_last_login ON "Users" (last_login);
-CREATE INDEX IF NOT EXISTS idx_users_id_sessionid_active_role ON "Users" ("id", LOWER("SessionId"), "Active", "Role");
+
+-- Application Sessions table (stores multiple concurrent sessions per user)
+-- Note: this is separate from the express-session store table named "session"
+CREATE TABLE "Sessions" (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(), -- requires pgcrypto or uuid-ossp
+  "UserName" VARCHAR(50) NOT NULL REFERENCES "Users"("UserName") ON DELETE CASCADE,
+  created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+  expires_at TIMESTAMP WITH TIME ZONE,
+    meta JSONB
+);
+
+-- Indexes optimized by username instead of numeric user id
+CREATE INDEX IF NOT EXISTS idx_sessions_username ON "Sessions" ("UserName");
+CREATE INDEX IF NOT EXISTS idx_sessions_user_created ON "Sessions" ("UserName", created_at);
+
+**Multi-session behavior:** MBKAuthe supports multiple concurrent application sessions per user. The maximum number of concurrent sessions is controlled by `mbkautheVar.MAX_SESSIONS_PER_USER` (default: 5). When a new session would exceed that limit, the system prunes the oldest session(s) for that user (ordered by `created_at`) to keep the count within the configured maximum.
 ```
 
 **Password Storage Notes:**
@@ -250,12 +258,10 @@ CREATE TABLE "session" (
     sid VARCHAR(33) PRIMARY KEY NOT NULL,
     sess JSONB NOT NULL,
     expire TimeStamp WITH TIME ZONE Not Null,
-    last_activity TimeStamp WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
 );
 
 -- Add indexes for performance optimization
 CREATE INDEX IF NOT EXISTS idx_session_expire ON "session" ("expire");
-CREATE INDEX IF NOT EXISTS idx_session_last_activity ON "session" (last_activity);
 CREATE INDEX IF NOT EXISTS idx_session_user_id ON "session" ((sess->'user'->>'id'));
 ```
 
@@ -286,7 +292,7 @@ CREATE INDEX IF NOT EXISTS idx_twofa_username_status ON "TwoFA" ("UserName", "Tw
 
   - `id` (INTEGER, auto-increment, primary key): Unique identifier for each trusted device.
   - `UserName` (VARCHAR): The username of the device owner (foreign key to Users).
-  - `DeviceToken` (VARCHAR): Unique token identifying the trusted device.
+  - `DeviceToken` (VARCHAR): **HMAC-SHA256 hash** of the device token (raw token is only sent to the client in an httpOnly cookie and **not** stored in plaintext).
   - `DeviceName` (VARCHAR): Optional friendly name for the device.
   - `UserAgent` (TEXT): Browser/client user agent string.
   - `IpAddress` (VARCHAR): IP address when device was trusted.
@@ -320,22 +326,22 @@ To add new users to the `Users` table, use the following SQL queries:
 
 **For Raw Password Storage (EncPass=false):**
 ```sql
-        INSERT INTO "Users" ("UserName", "Password", "Role", "Active", "HaveMailAccount", "SessionId", "GuestRole")
-        VALUES ('support', '12345678', 'SuperAdmin', true, false, NULL, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);
+        INSERT INTO "Users" ("UserName", "Password", "Role", "Active", "HaveMailAccount", "GuestRole")
+        VALUES ('support', '12345678', 'SuperAdmin', true, false, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);
 
-        INSERT INTO "Users" ("UserName", "Password", "Role", "Active", "HaveMailAccount", "SessionId", "GuestRole")
-        VALUES ('test', '12345678', 'NormalUser', true, false, NULL, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);
+        INSERT INTO "Users" ("UserName", "Password", "Role", "Active", "HaveMailAccount", "GuestRole")
+        VALUES ('test', '12345678', 'NormalUser', true, false, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);
 ```
 
 **For Encrypted Password Storage (EncPass=true):**
 ```sql
         -- Note: You'll need to hash the password using the hashPassword function
         -- Example with pre-hashed password (PBKDF2 with username as salt)
-        INSERT INTO "Users" ("UserName", "PasswordEnc", "Role", "Active", "HaveMailAccount", "SessionId", "GuestRole")
-        VALUES ('support', 'your_hashed_password_here', 'SuperAdmin', true, false, NULL, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);
+        INSERT INTO "Users" ("UserName", "PasswordEnc", "Role", "Active", "HaveMailAccount", "GuestRole")
+        VALUES ('support', 'your_hashed_password_here', 'SuperAdmin', true, false, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);
 
-        INSERT INTO "Users" ("UserName", "PasswordEnc", "Role", "Active", "HaveMailAccount", "SessionId", "GuestRole")
-        VALUES ('test', 'your_hashed_password_here', 'NormalUser', true, false, NULL, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);
+        INSERT INTO "Users" ("UserName", "PasswordEnc", "Role", "Active", "HaveMailAccount", "GuestRole")
+        VALUES ('test', 'your_hashed_password_here', 'NormalUser', true, false, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);
 ```
 
 **Configuration Notes:**

package/docs/db.sql

@@ -0,0 +1,116 @@
+
+-- GitHub users table
+CREATE TABLE user_github (
+    id SERIAL PRIMARY KEY,
+    user_name VARCHAR(50) REFERENCES "Users"("UserName"),
+    github_id VARCHAR(255) UNIQUE,
+    github_username VARCHAR(255),
+    access_token TEXT,
+    created_at TimeStamp WITH TIME ZONE DEFAULT NOW(),
+    updated_at TimeStamp WITH TIME ZONE DEFAULT NOW()
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_user_github_github_id ON user_github (github_id);
+CREATE INDEX IF NOT EXISTS idx_user_github_user_name ON user_github (user_name);
+
+-- Google users table
+CREATE TABLE user_google (
+    id SERIAL PRIMARY KEY,
+    user_name VARCHAR(50) REFERENCES "Users"("UserName"),
+    google_id VARCHAR(255) UNIQUE,
+    google_email VARCHAR(255),
+    access_token TEXT,
+    created_at TimeStamp WITH TIME ZONE DEFAULT NOW(),
+    updated_at TimeStamp WITH TIME ZONE DEFAULT NOW()
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_user_google_google_id ON user_google (google_id);
+CREATE INDEX IF NOT EXISTS idx_user_google_user_name ON user_google (user_name);
+
+
+
+
+CREATE TYPE role AS ENUM ('SuperAdmin', 'NormalUser', 'Guest');
+
+CREATE TABLE "Users" (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    "UserName" VARCHAR(50) NOT NULL UNIQUE,
+    "Password" VARCHAR(61), -- For raw passwords (when EncPass=false)
+    "PasswordEnc" VARCHAR(128), -- For encrypted passwords (when EncPass=true)
+    "Role" role DEFAULT 'NormalUser' NOT NULL,
+    "Active" BOOLEAN DEFAULT FALSE,
+    "HaveMailAccount" BOOLEAN DEFAULT FALSE,
+    "AllowedApps" JSONB DEFAULT '["mbkauthe", "portal"]',
+    "created_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    "last_login" TIMESTAMP WITH TIME ZONE
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_users_username ON "Users" ("UserName");
+CREATE INDEX IF NOT EXISTS idx_users_active ON "Users" ("Active");
+CREATE INDEX IF NOT EXISTS idx_users_role ON "Users" ("Role");
+CREATE INDEX IF NOT EXISTS idx_users_last_login ON "Users" (last_login);
+
+-- Application Sessions table (stores multiple concurrent sessions per user)
+-- Note: this is separate from the express-session store table named "session"
+CREATE TABLE "Sessions" (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(), -- requires pgcrypto or uuid-ossp
+  "UserName" VARCHAR(50) NOT NULL REFERENCES "Users"("UserName") ON DELETE CASCADE,
+  created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+  expires_at TIMESTAMP WITH TIME ZONE,
+    meta JSONB
+);
+
+-- Indexes optimized by username instead of numeric user id
+CREATE INDEX IF NOT EXISTS idx_sessions_username ON "Sessions" ("UserName");
+CREATE INDEX IF NOT EXISTS idx_sessions_user_created ON "Sessions" ("UserName", created_at);
+
+
+CREATE TABLE "session" (
+    sid VARCHAR(33) PRIMARY KEY NOT NULL,
+    sess JSONB NOT NULL,
+    expire TimeStamp WITH TIME ZONE Not Null,
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_session_expire ON "session" ("expire");
+CREATE INDEX IF NOT EXISTS idx_session_user_id ON "session" ((sess->'user'->>'id'));
+
+
+
+CREATE TABLE "TwoFA" (
+    "UserName" VARCHAR(50) primary key REFERENCES "Users"("UserName"),
+    "TwoFAStatus" boolean NOT NULL,
+    "TwoFASecret" TEXT
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_twofa_username ON "TwoFA" ("UserName");
+CREATE INDEX IF NOT EXISTS idx_twofa_username_status ON "TwoFA" ("UserName", "TwoFAStatus");
+
+
+
+CREATE TABLE "TrustedDevices" (
+    "id" SERIAL PRIMARY KEY,
+    "UserName" VARCHAR(50) NOT NULL REFERENCES "Users"("UserName") ON DELETE CASCADE,
+    "DeviceToken" VARCHAR(64) UNIQUE NOT NULL,
+    "DeviceName" VARCHAR(255),
+    "UserAgent" TEXT,
+    "IpAddress" VARCHAR(45),
+    "CreatedAt" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    "ExpiresAt" TIMESTAMP WITH TIME ZONE NOT NULL,
+    "LastUsed" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_trusted_devices_token ON "TrustedDevices"("DeviceToken");
+CREATE INDEX IF NOT EXISTS idx_trusted_devices_username ON "TrustedDevices"("UserName");
+CREATE INDEX IF NOT EXISTS idx_trusted_devices_expires ON "TrustedDevices"("ExpiresAt");
+
+
+-- No Encrypted password for 'support' user
+INSERT INTO "Users" ("UserName", "Password", "Role", "Active", "HaveMailAccount", "GuestRole")
+        VALUES ('support', '12345678', 'SuperAdmin', true, false, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);

package/docs/env.md

@@ -42,6 +42,7 @@ This document describes the environment variables MBKAuth expects and keeps brie
   - Description: PostgreSQL connection string for auth (must start with `postgresql://` or `postgres://`).
   - Example: `"LOGIN_DB":"postgresql://user:pass@localhost:5432/mbkauth"`
   - Required: Yes
+  - Create free postgres db: https://neon.com/
 
 - MBKAUTH_TWO_FA_ENABLE
   - Description: Enable Two-Factor Authentication.
@@ -67,6 +68,13 @@ This document describes the environment variables MBKAuth expects and keeps brie
   - Example: `"DEVICE_TRUST_DURATION_DAYS":30`
   - Required: No
 
+- MAX_SESSIONS_PER_USER
+  - Description: Maximum number of concurrent application sessions allowed per user. When creating a new session that would exceed this number, the oldest session(s) for that user are pruned to make room for the new session.
+  - Default: `5`
+  - Example: `"MAX_SESSIONS_PER_USER": 10`
+  - Notes: Must be a positive integer. Validation is performed at startup by `lib/config/index.js`.
+  - Required: No
+
 - loginRedirectURL
   - Description: Post-login redirect path.
   - Default: `/dashboard`
@@ -81,6 +89,8 @@ This document describes the environment variables MBKAuth expects and keeps brie
 - GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET / GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET
   - Description: OAuth credentials (put in `mbkautheVar` preferred, or `mbkauthShared`).
   - Required when provider enabled.
+  - Create Github OAuth App: https://github.com/settings/developers
+  - Create Google OAuth: https://console.cloud.google.com/
 
 ---
 

package/index.d.ts

@@ -23,7 +23,7 @@ declare global {
         username: string;
         fullname?: string;
         role: 'SuperAdmin' | 'NormalUser' | 'Guest';
-        sessionId: string;
+        sessionId?: string;
         allowedApps?: string[];
       };
       preAuthUser?: {
@@ -79,7 +79,7 @@ declare module 'mbkauthe' {
     username: string;
     fullname?: string;
     role: UserRole;
-    sessionId: string;
+    sessionId?: string;
     allowedApps?: string[];
   }
 
@@ -101,7 +101,7 @@ declare module 'mbkauthe' {
     Role: UserRole;
     Active: boolean;
     AllowedApps: string[];
-    SessionId?: string;
+
     created_at?: Date;
     updated_at?: Date;
     last_login?: Date;

package/lib/config/cookies.js

@@ -32,6 +32,12 @@ export const generateDeviceToken = () => {
     return crypto.randomBytes(32).toString('hex');
 };
 
+// Hash a device token for safe storage in the database
+export const hashDeviceToken = (token) => {
+    if (!token || typeof token !== 'string') return null;
+    return crypto.createHmac('sha256').update(token).digest('hex');
+};
+
 export const getDeviceTokenCookieOptions = () => ({
     maxAge: DEVICE_TRUST_DURATION_MS,
     domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,

package/lib/config/index.js

@@ -62,9 +62,10 @@ function validateConfiguration() {
 
     // Ensure specific keys are checked in mbkautheVar first, then mbkauthShared, then apply config defaults
     const keysToCheck = [
-        "APP_NAME","DEVICE_TRUST_DURATION_DAYS","EncPass","Main_SECRET_TOKEN","SESSION_SECRET_KEY","IS_DEPLOYED",
-        "LOGIN_DB","MBKAUTH_TWO_FA_ENABLE","COOKIE_EXPIRE_TIME","DOMAIN","loginRedirectURL",
-        "GITHUB_LOGIN_ENABLED","GITHUB_CLIENT_ID","GITHUB_CLIENT_SECRET","GOOGLE_LOGIN_ENABLED","GOOGLE_CLIENT_ID","GOOGLE_CLIENT_SECRET"
+        "APP_NAME","DEVICE_TRUST_DURATION_DAYS","EncPass","Main_SECRET_TOKEN","SESSION_SECRET_KEY",
+        "IS_DEPLOYED","LOGIN_DB","MBKAUTH_TWO_FA_ENABLE","COOKIE_EXPIRE_TIME","DOMAIN","loginRedirectURL",
+        "GITHUB_LOGIN_ENABLED","GITHUB_CLIENT_ID","GITHUB_CLIENT_SECRET","GOOGLE_LOGIN_ENABLED","GOOGLE_CLIENT_ID",
+        "GOOGLE_CLIENT_SECRET","MAX_SESSIONS_PER_USER"
     ];
 
     const defaults = {
@@ -75,7 +76,8 @@ function validateConfiguration() {
         COOKIE_EXPIRE_TIME: 2,
         loginRedirectURL: '/dashboard',
         GITHUB_LOGIN_ENABLED: 'false',
-        GOOGLE_LOGIN_ENABLED: 'false'
+        GOOGLE_LOGIN_ENABLED: 'false',
+        MAX_SESSIONS_PER_USER: 5
     };
 
     keysToCheck.forEach(key => {
@@ -183,6 +185,20 @@ function validateConfiguration() {
         mbkautheVar.DEVICE_TRUST_DURATION_DAYS = 7;
     }
 
+    // Validate MAX_SESSIONS_PER_USER if provided (must be positive integer)
+    if (mbkautheVar.MAX_SESSIONS_PER_USER !== undefined) {
+        const maxSessions = parseInt(mbkautheVar.MAX_SESSIONS_PER_USER, 10);
+        if (isNaN(maxSessions) || maxSessions <= 0) {
+            errors.push("mbkautheVar.MAX_SESSIONS_PER_USER must be a valid positive integer");
+        } else {
+            // Normalize to integer
+            mbkautheVar.MAX_SESSIONS_PER_USER = maxSessions;
+        }
+    } else {
+        // Ensure default value is set
+        mbkautheVar.MAX_SESSIONS_PER_USER = 5;
+    }
+
     // Validate LOGIN_DB connection string format
     if (mbkautheVar.LOGIN_DB && !mbkautheVar.LOGIN_DB.startsWith('postgresql://') && !mbkautheVar.LOGIN_DB.startsWith('postgres://')) {
         errors.push("mbkautheVar.LOGIN_DB must be a valid PostgreSQL connection string");

package/lib/config/security.js

@@ -5,4 +5,4 @@ export const hashPassword = (password, username) => {
     const salt = username;
     // 128 characters returned
     return crypto.pbkdf2Sync(password, salt, 100000, 64, 'sha512').toString('hex');
-};
+};

package/lib/middleware/auth.js

@@ -33,19 +33,18 @@ async function validateSession(req, res, next) {
       });
     }
 
-    // Normalize sessionId to lowercase for consistent comparison
-    const normalizedSessionId = sessionId.toLowerCase();
+    // Normalize sessionId (DB id) for consistent comparison
+    const normalizedSessionId = sessionId;
 
-    // Single optimized query to validate session and get role
-    const query = `SELECT "SessionId", "Active", "Role" FROM "Users" WHERE "id" = $1`;
-    const result = await dblogin.query({ name: 'validate-user-session', text: query, values: [id] });
+    // Validate session by DB primary key id and join to user
+    const query = `SELECT s.id as sid, s.expires_at, u."Active", u."Role"
+                   FROM "Sessions" s
+                   JOIN "Users" u ON s."UserName" = u."UserName"
+                   WHERE s.id = $1 LIMIT 1`;
+    const result = await dblogin.query({ name: 'validate-app-session', text: query, values: [normalizedSessionId] });
 
-    const dbSessionId = result.rows.length > 0 && result.rows[0].SessionId ? String(result.rows[0].SessionId).toLowerCase() : null;
-    if (!dbSessionId || dbSessionId !== normalizedSessionId) {
-      if (result.rows.length > 0 && !result.rows[0].SessionId) {
-        console.warn(`[mbkauthe] DB sessionId is null for user "${req.session.user.username}"`);
-      }
-      console.log(`[mbkauthe] Session invalidated for user "${req.session.user.username}"`);
+    if (result.rows.length === 0) {
+      console.log(`[mbkauthe] Session not found for user "${req.session.user.username}"`);
       req.session.destroy();
       clearSessionCookies(res);
       return renderError(res, {
@@ -57,7 +56,25 @@ async function validateSession(req, res, next) {
       });
     }
 
-    if (!result.rows[0].Active) {
+    const sessionRow = result.rows[0];
+
+    // Check expired
+    if (sessionRow.expires_at && new Date(sessionRow.expires_at) <= new Date()) {
+      console.log(`[mbkauthe] Session invalidated (expired) for user "${req.session.user.username}"`);
+      // destroy and clear cookies
+      req.session.destroy();
+      clearSessionCookies(res);
+      return renderError(res, {
+        code: 401,
+        error: "Session Expired",
+        message: "Your Session Has Expired. Please Log In Again.",
+        pagename: "Login",
+        page: `/mbkauthe/login?redirect=${encodeURIComponent(req.originalUrl)}`,
+      });
+    }
+
+
+    if (!sessionRow.Active) {
       console.log(`[mbkauthe] Account is inactive for user "${req.session.user.username}"`);
       req.session.destroy();
       clearSessionCookies(res);
@@ -117,24 +134,32 @@ async function validateApiSession(req, res, next) {
       return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_EXPIRED));
     }
 
-    // Normalize sessionId to lowercase for consistent comparison
-    const normalizedSessionId = sessionId.toLowerCase();
+    // Normalize sessionId (DB id) for consistent comparison
+    const normalizedSessionId = sessionId;
 
-    // Single optimized query to validate session and get role
-    const query = `SELECT "SessionId", "Active", "Role" FROM "Users" WHERE "id" = $1`;
-    const result = await dblogin.query({ name: 'validate-user-session-for-api', text: query, values: [id] });
+    // Validate session by DB primary key id and join to user
+    const query = `SELECT s.id as sid, s.expires_at, u."Active", u."Role"
+                   FROM "Sessions" s
+                   JOIN "Users" u ON s."UserName" = u."UserName"
+                   WHERE s.id = $1 LIMIT 1`;
+    const result = await dblogin.query({ name: 'validate-app-session-for-api', text: query, values: [normalizedSessionId] });
 
-    const dbSessionId = result.rows.length > 0 && result.rows[0].SessionId ? String(result.rows[0].SessionId).toLowerCase() : null;
-    if (!dbSessionId || dbSessionId !== normalizedSessionId) {
-      if (result.rows.length > 0 && !result.rows[0].SessionId) {
-        console.warn(`[mbkauthe] DB sessionId is null for user "${req.session.user.username}"`);
-      }
-      console.log(`[mbkauthe] Session invalidated for user "${req.session.user.username}"`);
+    if (result.rows.length === 0) {
       req.session.destroy();
       clearSessionCookies(res);
       return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_INVALID));
     }
 
+    const sessionRow = result.rows[0];
+
+    // Check expired
+    if (sessionRow.expires_at && new Date(sessionRow.expires_at) <= new Date()) {
+      req.session.destroy();
+      clearSessionCookies(res);
+      return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_EXPIRED));
+    }
+
+
     if (!result.rows[0].Active) {
       console.log(`[mbkauthe] Account is inactive for user "${req.session.user.username}"`);
       req.session.destroy();
@@ -176,21 +201,30 @@ export async function reloadSessionUser(req, res) {
   try {
     const { id, sessionId: currentSessionId } = req.session.user;
 
-    // Fetch fresh user record
-    const query = `SELECT id, "UserName", "Active", "Role", "AllowedApps", "SessionId" FROM "Users" WHERE id = $1`;
-    const result = await dblogin.query({ name: 'reload-session-user', text: query, values: [id] });
+    if (!currentSessionId) {
+      req.session.destroy(() => {});
+      clearSessionCookies(res);
+      return false;
+    }
+
+    const normalizedSessionId = String(currentSessionId);
+    const query = `SELECT s.id as sid, s.expires_at, u.id as uid, u."UserName", u."Active", u."Role", u."AllowedApps"
+                   FROM "Sessions" s
+                   JOIN "Users" u ON s."UserName" = u."UserName"
+                   WHERE s.id = $1 LIMIT 1`;
+    const result = await dblogin.query({ name: 'reload-session-user', text: query, values: [normalizedSessionId] });
 
     if (result.rows.length === 0) {
-      // User not found — invalidate session
+      // Session not found — invalidate session
       req.session.destroy(() => {});
       clearSessionCookies(res);
       return false;
     }
 
     const row = result.rows[0];
-    const dbSessionId = row.SessionId ? String(row.SessionId).toLowerCase() : null;
-    if (!dbSessionId || dbSessionId !== String(currentSessionId).toLowerCase()) {
-      // Session invalidated in DB
+
+    // Check expired
+    if (row.expires_at && new Date(row.expires_at) <= new Date()) {
       req.session.destroy(() => {});
       clearSessionCookies(res);
       return false;

package/lib/middleware/index.js

@@ -57,8 +57,8 @@ export async function sessionRestorationMiddleware(req, res, next) {
   if (!req.session.user && req.cookies.sessionId) {
     const sessionId = req.cookies.sessionId;
 
-    // Early validation to avoid unnecessary processing
-    if (typeof sessionId !== 'string' || !/^[a-f0-9]{64}$/i.test(sessionId)) {
+    // Early validation to avoid unnecessary processing (expect DB UUID id)
+    if (typeof sessionId !== 'string' || !/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(sessionId)) {
       // Clear invalid cookie to prevent repeated attempts
       res.clearCookie('sessionId', {
         domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
@@ -71,37 +71,46 @@ export async function sessionRestorationMiddleware(req, res, next) {
     }
 
     try {
-      const normalizedSessionId = sessionId.toLowerCase();
-
-      const query = `SELECT id, "UserName", "Active", "Role", "SessionId", "AllowedApps" FROM "Users" WHERE LOWER("SessionId") = $1 AND "Active" = true`;
-      const result = await dblogin.query({ name: 'restore-user-session', text: query, values: [normalizedSessionId] });
+      // Validate session by DB primary key id and join to user
+      const query = `SELECT u.id, u."UserName", u."Active", u."Role", u."AllowedApps", s.expires_at
+                     FROM "Sessions" s
+                     JOIN "Users" u ON s."UserName" = u."UserName"
+                     WHERE s.id = $1 LIMIT 1`;
+      const result = await dblogin.query({ name: 'restore-user-session', text: query, values: [sessionId] });
 
       if (result.rows.length > 0) {
-        const user = result.rows[0];
-        req.session.user = {
-          id: user.id,
-          username: user.UserName,
-          role: user.Role,
-          sessionId: normalizedSessionId,
-          allowedApps: user.AllowedApps,
-        };
+        const row = result.rows[0];
 
-        // Use cached FullName from client cookie when available to avoid extra DB queries
-        if (req.cookies.fullName && typeof req.cookies.fullName === 'string') {
-          req.session.user.fullname = req.cookies.fullName;
+        // Reject expired sessions or inactive users
+        if ((row.expires_at && new Date(row.expires_at) <= new Date()) || !row.Active) {
+          // leave cookies cleared and don't restore session
         } else {
-          // Fallback: attempt to fetch FullName from profiledata to populate session
-          try {
-            const profileRes = await dblogin.query({
-              name: 'restore-get-fullname',
-              text: 'SELECT "FullName" FROM "profiledata" WHERE "UserName" = $1 LIMIT 1',
-              values: [user.UserName]
-            });
-            if (profileRes.rows.length > 0 && profileRes.rows[0].FullName) {
-              req.session.user.fullname = profileRes.rows[0].FullName;
+          const normalizedSessionId = String(sessionId);
+          req.session.user = {
+            id: row.id,
+            username: row.UserName,
+            role: row.Role,
+            sessionId: normalizedSessionId,
+            allowedApps: row.AllowedApps,
+          };
+
+          // Use cached FullName from client cookie when available to avoid extra DB queries
+          if (req.cookies.fullName && typeof req.cookies.fullName === 'string') {
+            req.session.user.fullname = req.cookies.fullName;
+          } else {
+            // Fallback: attempt to fetch FullName from profiledata to populate session
+            try {
+              const profileRes = await dblogin.query({
+                name: 'restore-get-fullname',
+                text: 'SELECT "FullName" FROM "profiledata" WHERE "UserName" = $1 LIMIT 1',
+                values: [row.UserName]
+              });
+              if (profileRes.rows.length > 0 && profileRes.rows[0].FullName) {
+                req.session.user.fullname = profileRes.rows[0].FullName;
+              }
+            } catch (profileErr) {
+              console.error("[mbkauthe] Error fetching FullName during session restore:", profileErr);
             }
-          } catch (profileErr) {
-            console.error("[mbkauthe] Error fetching FullName during session restore:", profileErr);
           }
         }
       }

package/lib/routes/auth.js

@@ -7,7 +7,7 @@ import { dblogin } from "../database/pool.js";
 import { mbkautheVar } from "../config/index.js";
 import {
   cachedCookieOptions, cachedClearCookieOptions, clearSessionCookies,
-  generateDeviceToken, getDeviceTokenCookieOptions, DEVICE_TRUST_DURATION_MS
+  generateDeviceToken, getDeviceTokenCookieOptions, DEVICE_TRUST_DURATION_MS, hashDeviceToken
 } from "../config/cookies.js";
 import { packageJson } from "../config/index.js";
 import { hashPassword } from "../config/security.js";
@@ -63,6 +63,8 @@ export async function checkTrustedDevice(req, username) {
   }
 
   try {
+    // Hash the provided device token before querying DB (we store token hashes in DB)
+    const deviceTokenHash = hashDeviceToken(deviceToken);
     const deviceQuery = `
       SELECT td."UserName", td."LastUsed", td."ExpiresAt", u."id", u."Active", u."Role", u."AllowedApps"
       FROM "TrustedDevices" td
@@ -72,7 +74,7 @@ export async function checkTrustedDevice(req, username) {
     const deviceResult = await dblogin.query({
       name: 'check-trusted-device',
       text: deviceQuery,
-      values: [deviceToken, username]
+      values: [deviceTokenHash, username]
     });
 
     if (deviceResult.rows.length > 0) {
@@ -95,7 +97,7 @@ export async function checkTrustedDevice(req, username) {
       await dblogin.query({
         name: 'update-device-last-used',
         text: 'UPDATE "TrustedDevices" SET "LastUsed" = NOW() WHERE "DeviceToken" = $1',
-        values: [deviceToken]
+        values: [deviceTokenHash]
       });
 
       console.log(`[mbkauthe] Trusted device validated for user: ${username}`);
@@ -124,13 +126,9 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
       throw new Error('Username is required in user object');
     }
 
-    // smaller session id is sufficient and faster to generate/serialize
-    const sessionId = crypto.randomBytes(32).toString("hex");
-    console.log(`[mbkauthe] Generated session ID for username: ${username}`);
-
     // Fix session fixation: Delete old session BEFORE regenerating to prevent timing window
     const oldSessionId = req.sessionID;
-    
+
     // Delete old session first to prevent session fixation attacks
     await dblogin.query({
       name: 'login-delete-old-session-before-regen',
@@ -146,27 +144,50 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
       });
     });
 
-    // Run both queries in parallel for better performance
-    await Promise.all([
-      // Delete old sessions using indexed lookup on sess->'user'->>'id'
-      dblogin.query({
-        name: 'login-delete-old-user-sessions',
-        text: 'DELETE FROM "session" WHERE (sess->\'user\'->>\'id\')::int = $1',
-        values: [user.id]
-      }),
-      // Update session ID and last login time in Users table
-      dblogin.query({
-        name: 'login-update-session-and-last-login',
-        text: `UPDATE "Users" SET "SessionId" = $1, "last_login" = NOW() WHERE "id" = $2`,
-        values: [sessionId, user.id]
-      })
-    ]);
+    // Enforce max sessions per user (configurable via mbkautheVar.MAX_SESSIONS_PER_USER) and persist a new application session record (keyed by username)
+    const configuredMax = parseInt(mbkautheVar.MAX_SESSIONS_PER_USER, 10);
+    const MAX_SESSIONS = Number.isInteger(configuredMax) && configuredMax > 0 ? configuredMax : 5;
+
+    // Count active sessions for this user (by username)
+    const countRes = await dblogin.query({
+      name: 'count-user-sessions',
+      text: `SELECT id FROM "Sessions" WHERE "UserName" = $1 AND (expires_at IS NULL OR expires_at > NOW()) ORDER BY created_at ASC`,
+      values: [username]
+    });
+
+    const currentSessions = countRes.rows.length;
+    if (currentSessions >= MAX_SESSIONS) {
+      console.log(`[mbkauthe] User "${username}" has ${currentSessions} active sessions, exceeding max of ${MAX_SESSIONS}. Pruning oldest sessions.`);
+      // prune the oldest session(s) to make room for the new one
+      await dblogin.query({
+        name: 'prune-oldest-user-session',
+        text: `DELETE FROM "Sessions" WHERE id IN (SELECT id FROM "Sessions" WHERE "UserName" = $1 AND (expires_at IS NULL OR expires_at > NOW()) ORDER BY created_at ASC LIMIT $2)` ,
+        values: [username, (currentSessions - (MAX_SESSIONS - 1))]
+      });
+    }
+
+    const expiresAt = new Date(Date.now() + (cachedCookieOptions.maxAge || 0));
+
+    // Insert new session record for the user (store username) and return the DB id
+    const insertRes = await dblogin.query({
+      name: 'insert-app-session',
+      text: `INSERT INTO "Sessions" ("UserName", expires_at, meta) VALUES ($1, $2, $3) RETURNING id`,
+      values: [username, expiresAt, JSON.stringify({ ip: req.ip, ua: req.headers['user-agent'] || null })]
+    });
+    const dbSessionId = insertRes.rows[0].id; 
+
+    // Update last_login timestamp for the user
+    await dblogin.query({
+      name: 'login-update-last-login',
+      text: `UPDATE "Users" SET "last_login" = NOW() WHERE "id" = $1`,
+      values: [user.id]
+    });
 
     req.session.user = {
       id: user.id,
       username: username,
       role: user.role || user.Role,
-      sessionId,
+      sessionId: dbSessionId,
       allowedApps: user.allowedApps || user.AllowedApps,
     };
 
@@ -194,11 +215,11 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
         return res.status(500).json({ success: false, message: "Internal Server Error" });
       }
 
-      // Expose sessionId and display name to client for UI (fullName falls back to username)
-      res.cookie("sessionId", sessionId, cachedCookieOptions);
+      // Expose DB session id and display name to client for UI (fullName falls back to username)
+      res.cookie("sessionId", dbSessionId, cachedCookieOptions);
       res.cookie("fullName", req.session.user.fullname || username, { ...cachedCookieOptions, httpOnly: false });
 
-      // Handle trusted device if requested
+      // Handle trusted device if requested (token no longer stored in DB as token_hash)
       if (trustDevice) {
         try {
           const deviceToken = generateDeviceToken();
@@ -208,13 +229,16 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
           const ipAddress = req.ip || req.connection.remoteAddress || 'Unknown';
           const expiresAt = new Date(Date.now() + DEVICE_TRUST_DURATION_MS);
 
+          // Store only the HASH of the device token in DB; send the raw token to the client (httpOnly cookie)
+          const deviceTokenHash = hashDeviceToken(deviceToken);
           await dblogin.query({
             name: 'insert-trusted-device',
             text: `INSERT INTO "TrustedDevices" ("UserName", "DeviceToken", "DeviceName", "UserAgent", "IpAddress", "ExpiresAt") 
                    VALUES ($1, $2, $3, $4, $5, $6)`,
-            values: [username, deviceToken, deviceName, userAgent, ipAddress, expiresAt]
+            values: [username, deviceTokenHash, deviceName, userAgent, ipAddress, expiresAt]
           });
 
+          // Send raw token to client as httpOnly cookie only
           res.cookie("device_token", deviceToken, getDeviceTokenCookieOptions());
           console.log(`[mbkauthe] Trusted device token created for user: ${username}`);
         } catch (deviceErr) {
@@ -228,7 +252,7 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
       const responsePayload = {
         success: true,
         message: "Login successful",
-        sessionId,
+        sessionId: dbSessionId,
       };
 
       if (redirectUrl) {
@@ -506,15 +530,14 @@ router.post("/api/logout", LogoutLimit, async (req, res) => {
     try {
       const { id, username } = req.session.user;
 
-      // Run both database operations in parallel
-      const operations = [
-        dblogin.query({ name: 'logout-clear-session', text: `UPDATE "Users" SET "SessionId" = NULL WHERE "id" = $1`, values: [id] })
-      ];
+      // Remove the application session record for this token (if present)
+      const operations = [];
+      if (req.session && req.session.user && req.session.user.sessionId) {
+        operations.push(dblogin.query({ name: 'logout-delete-app-session', text: 'DELETE FROM "Sessions" WHERE id = $1', values: [req.session.user.sessionId] }));
+      }
 
       if (req.sessionID) {
-        operations.push(
-          dblogin.query({ name: 'logout-delete-session', text: 'DELETE FROM "session" WHERE sid = $1', values: [req.sessionID] })
-        );
+        operations.push(dblogin.query({ name: 'logout-delete-session', text: 'DELETE FROM "session" WHERE sid = $1', values: [req.sessionID] }));
       }
 
       await Promise.all(operations);

package/lib/routes/misc.js

@@ -79,10 +79,15 @@ router.get('/test', validateSession, LoginLimit, async (req, res) => {
         <p class="success">✅ Authentication successful! User is logged in.</p>
         <p>Welcome, <strong>${req.session.user.username}</strong>! Your role: <strong>${req.session.user.role}</strong></p>
         <div class="user-info">
+          Username: ${req.session.user.username}<br>
+          Role: ${req.session.user.role}<br>
+          Full Name: ${req.session.user.fullname || 'N/A'}<br>
           User ID: ${req.session.user.id}<br>
           Session ID: ${req.session.user.sessionId.slice(0, 5)}...
         </div>
         <button onclick="logout()">Logout</button>
+        <a href="https://portal.mbktech.org/">Web Portal</a>
+        <a href="https://portal.mbktech.org/user/settings">User Settings</a>
         <a href="/mbkauthe/info">Info Page</a>
         <a href="/mbkauthe/login">Login Page</a>
       </div>
@@ -104,19 +109,27 @@ router.get('/api/checkSession', LoginLimit, async (req, res) => {
       return res.status(200).json({ sessionValid: false, expiry: null });
     }
 
-    const normalizedSessionId = String(sessionId).toLowerCase();
-    const result = await dblogin.query({ name: 'check-session-validity', text: 'SELECT "SessionId", "Active" FROM "Users" WHERE id = $1', values: [id] });
+    const result = await dblogin.query({ name: 'check-session-validity', text: `SELECT s.expires_at, u."Active" FROM "Sessions" s JOIN "Users" u ON s."UserName" = u."UserName" WHERE s.id = $1 LIMIT 1`, values: [sessionId] });
 
-    const dbSessionId = result.rows.length > 0 && result.rows[0].SessionId ? String(result.rows[0].SessionId).toLowerCase() : null;
-    if (!dbSessionId || dbSessionId !== normalizedSessionId || !result.rows[0].Active) {
+    if (result.rows.length === 0) {
       req.session.destroy(() => { });
       clearSessionCookies(res);
       return res.status(200).json({ sessionValid: false, expiry: null });
     }
 
-    // Fetch expiry timestamp from session table (connect-pg-simple)
-    const sessResult = await dblogin.query({ name: 'get-session-expiry', text: 'SELECT expire FROM "session" WHERE sid = $1', values: [req.sessionID] });
-    const expiry = sessResult.rows.length > 0 && sessResult.rows[0].expire ? new Date(sessResult.rows[0].expire).toISOString() : null;
+    const row = result.rows[0];
+    if ((row.expires_at && new Date(row.expires_at) <= new Date()) || !row.Active) {
+      req.session.destroy(() => { });
+      clearSessionCookies(res);
+      return res.status(200).json({ sessionValid: false, expiry: null });
+    }
+
+    // Determine expiry: prefer application session expiry if present else fallback to connect-pg-simple expire
+    let expiry = row.expires_at ? new Date(row.expires_at).toISOString() : null;
+    if (!expiry) {
+      const sessResult = await dblogin.query({ name: 'get-session-expiry', text: 'SELECT expire FROM "session" WHERE sid = $1', values: [req.sessionID] });
+      expiry = sessResult.rows.length > 0 && sessResult.rows[0].expire ? new Date(sessResult.rows[0].expire).toISOString() : null;
+    }
 
     return res.status(200).json({ sessionValid: true, expiry });
   } catch (err) {
@@ -287,8 +300,8 @@ router.post("/api/terminateAllSessions", AdminOperationLimit, authenticate(mbkau
     // Run both operations in parallel for better performance
     await Promise.all([
       dblogin.query({
-        name: 'terminate-all-user-sessions',
-        text: 'UPDATE "Users" SET "SessionId" = NULL WHERE "SessionId" IS NOT NULL'
+        name: 'terminate-all-app-sessions',
+        text: 'DELETE FROM "Sessions"'
       }),
       dblogin.query({
         name: 'terminate-all-db-sessions',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mbkauthe",
-  "version": "3.5.0",
+  "version": "4.0.0",
   "description": "MBKTech's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",

package/views/loginmbkauthe.handlebars

@@ -167,8 +167,6 @@
                             window.location.href = `/mbkauthe/2fa${redirectQuery}`;
                         } else {
                             loginButtonText.textContent = 'Success! Redirecting...';
-                            sessionStorage.setItem('sessionId', data.sessionId);
-
                             if (rememberMe) {
                                 setCookie('rememberedUsername', username, 30); // 30 days
                             } else {