mbkauthe 3.5.0 → 4.0.1

package/docs/db.sql

@@ -0,0 +1,116 @@
+
+-- GitHub users table
+CREATE TABLE user_github (
+    id SERIAL PRIMARY KEY,
+    user_name VARCHAR(50) REFERENCES "Users"("UserName"),
+    github_id VARCHAR(255) UNIQUE,
+    github_username VARCHAR(255),
+    access_token TEXT,
+    created_at TimeStamp WITH TIME ZONE DEFAULT NOW(),
+    updated_at TimeStamp WITH TIME ZONE DEFAULT NOW()
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_user_github_github_id ON user_github (github_id);
+CREATE INDEX IF NOT EXISTS idx_user_github_user_name ON user_github (user_name);
+
+-- Google users table
+CREATE TABLE user_google (
+    id SERIAL PRIMARY KEY,
+    user_name VARCHAR(50) REFERENCES "Users"("UserName"),
+    google_id VARCHAR(255) UNIQUE,
+    google_email VARCHAR(255),
+    access_token TEXT,
+    created_at TimeStamp WITH TIME ZONE DEFAULT NOW(),
+    updated_at TimeStamp WITH TIME ZONE DEFAULT NOW()
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_user_google_google_id ON user_google (google_id);
+CREATE INDEX IF NOT EXISTS idx_user_google_user_name ON user_google (user_name);
+
+
+
+
+CREATE TYPE role AS ENUM ('SuperAdmin', 'NormalUser', 'Guest');
+
+CREATE TABLE "Users" (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    "UserName" VARCHAR(50) NOT NULL UNIQUE,
+    "Password" VARCHAR(61), -- For raw passwords (when EncPass=false)
+    "PasswordEnc" VARCHAR(128), -- For encrypted passwords (when EncPass=true)
+    "Role" role DEFAULT 'NormalUser' NOT NULL,
+    "Active" BOOLEAN DEFAULT FALSE,
+    "HaveMailAccount" BOOLEAN DEFAULT FALSE,
+    "AllowedApps" JSONB DEFAULT '["mbkauthe", "portal"]',
+    "created_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    "last_login" TIMESTAMP WITH TIME ZONE
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_users_username ON "Users" ("UserName");
+CREATE INDEX IF NOT EXISTS idx_users_active ON "Users" ("Active");
+CREATE INDEX IF NOT EXISTS idx_users_role ON "Users" ("Role");
+CREATE INDEX IF NOT EXISTS idx_users_last_login ON "Users" (last_login);
+
+-- Application Sessions table (stores multiple concurrent sessions per user)
+-- Note: this is separate from the express-session store table named "session"
+CREATE TABLE "Sessions" (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(), -- requires pgcrypto or uuid-ossp
+  "UserName" VARCHAR(50) NOT NULL REFERENCES "Users"("UserName") ON DELETE CASCADE,
+  created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+  expires_at TIMESTAMP WITH TIME ZONE,
+    meta JSONB
+);
+
+-- Indexes optimized by username instead of numeric user id
+CREATE INDEX IF NOT EXISTS idx_sessions_username ON "Sessions" ("UserName");
+CREATE INDEX IF NOT EXISTS idx_sessions_user_created ON "Sessions" ("UserName", created_at);
+
+
+CREATE TABLE "session" (
+    sid VARCHAR(33) PRIMARY KEY NOT NULL,
+    sess JSONB NOT NULL,
+    expire TimeStamp WITH TIME ZONE Not Null,
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_session_expire ON "session" ("expire");
+CREATE INDEX IF NOT EXISTS idx_session_user_id ON "session" ((sess->'user'->>'id'));
+
+
+
+CREATE TABLE "TwoFA" (
+    "UserName" VARCHAR(50) primary key REFERENCES "Users"("UserName"),
+    "TwoFAStatus" boolean NOT NULL,
+    "TwoFASecret" TEXT
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_twofa_username ON "TwoFA" ("UserName");
+CREATE INDEX IF NOT EXISTS idx_twofa_username_status ON "TwoFA" ("UserName", "TwoFAStatus");
+
+
+
+CREATE TABLE "TrustedDevices" (
+    "id" SERIAL PRIMARY KEY,
+    "UserName" VARCHAR(50) NOT NULL REFERENCES "Users"("UserName") ON DELETE CASCADE,
+    "DeviceToken" VARCHAR(64) UNIQUE NOT NULL,
+    "DeviceName" VARCHAR(255),
+    "UserAgent" TEXT,
+    "IpAddress" VARCHAR(45),
+    "CreatedAt" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    "ExpiresAt" TIMESTAMP WITH TIME ZONE NOT NULL,
+    "LastUsed" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
+);
+
+-- Add indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_trusted_devices_token ON "TrustedDevices"("DeviceToken");
+CREATE INDEX IF NOT EXISTS idx_trusted_devices_username ON "TrustedDevices"("UserName");
+CREATE INDEX IF NOT EXISTS idx_trusted_devices_expires ON "TrustedDevices"("ExpiresAt");
+
+
+-- No Encrypted password for 'support' user
+INSERT INTO "Users" ("UserName", "Password", "Role", "Active", "HaveMailAccount", "GuestRole")
+        VALUES ('support', '12345678', 'SuperAdmin', true, false, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);

package/docs/env.md

@@ -42,6 +42,7 @@ This document describes the environment variables MBKAuth expects and keeps brie
   - Description: PostgreSQL connection string for auth (must start with `postgresql://` or `postgres://`).
   - Example: `"LOGIN_DB":"postgresql://user:pass@localhost:5432/mbkauth"`
   - Required: Yes
+  - Create free postgres db: https://neon.com/
 
 - MBKAUTH_TWO_FA_ENABLE
   - Description: Enable Two-Factor Authentication.
@@ -67,6 +68,13 @@ This document describes the environment variables MBKAuth expects and keeps brie
   - Example: `"DEVICE_TRUST_DURATION_DAYS":30`
   - Required: No
 
+- MAX_SESSIONS_PER_USER
+  - Description: Maximum number of concurrent application sessions allowed per user. When creating a new session that would exceed this number, the oldest session(s) for that user are pruned to make room for the new session.
+  - Default: `5`
+  - Example: `"MAX_SESSIONS_PER_USER": 10`
+  - Notes: Must be a positive integer. Validation is performed at startup by `lib/config/index.js`.
+  - Required: No
+
 - loginRedirectURL
   - Description: Post-login redirect path.
   - Default: `/dashboard`
@@ -81,6 +89,8 @@ This document describes the environment variables MBKAuth expects and keeps brie
 - GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET / GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET
   - Description: OAuth credentials (put in `mbkautheVar` preferred, or `mbkauthShared`).
   - Required when provider enabled.
+  - Create Github OAuth App: https://github.com/settings/developers
+  - Create Google OAuth: https://console.cloud.google.com/
 
 ---
 

package/index.d.ts

@@ -23,7 +23,7 @@ declare global {
         username: string;
         fullname?: string;
         role: 'SuperAdmin' | 'NormalUser' | 'Guest';
-        sessionId: string;
+        sessionId?: string;
         allowedApps?: string[];
       };
       preAuthUser?: {
@@ -79,7 +79,7 @@ declare module 'mbkauthe' {
     username: string;
     fullname?: string;
     role: UserRole;
-    sessionId: string;
+    sessionId?: string;
     allowedApps?: string[];
   }
 
@@ -101,7 +101,7 @@ declare module 'mbkauthe' {
     Role: UserRole;
     Active: boolean;
     AllowedApps: string[];
-    SessionId?: string;
+
     created_at?: Date;
     updated_at?: Date;
     last_login?: Date;

package/index.js

@@ -95,5 +95,8 @@ export {
 } from "./lib/middleware/auth.js";
 export { renderError } from "./lib/utils/response.js";
 export { dblogin } from "./lib/database/pool.js";
-export { ErrorCodes, ErrorMessages, getErrorByCode, createErrorResponse, logError } from "./lib/utils/errors.js";
+export {
+    ErrorCodes, ErrorMessages, getErrorByCode,
+    createErrorResponse, logError
+} from "./lib/utils/errors.js";
 export default router;

package/lib/config/cookies.js

@@ -32,6 +32,12 @@ export const generateDeviceToken = () => {
     return crypto.randomBytes(32).toString('hex');
 };
 
+// Hash a device token for safe storage in the database
+export const hashDeviceToken = (token) => {
+    if (!token || typeof token !== 'string') return null;
+    return crypto.createHmac('sha256').update(token).digest('hex');
+};
+
 export const getDeviceTokenCookieOptions = () => ({
     maxAge: DEVICE_TRUST_DURATION_MS,
     domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,

package/lib/config/index.js

@@ -62,9 +62,10 @@ function validateConfiguration() {
 
     // Ensure specific keys are checked in mbkautheVar first, then mbkauthShared, then apply config defaults
     const keysToCheck = [
-        "APP_NAME","DEVICE_TRUST_DURATION_DAYS","EncPass","Main_SECRET_TOKEN","SESSION_SECRET_KEY","IS_DEPLOYED",
-        "LOGIN_DB","MBKAUTH_TWO_FA_ENABLE","COOKIE_EXPIRE_TIME","DOMAIN","loginRedirectURL",
-        "GITHUB_LOGIN_ENABLED","GITHUB_CLIENT_ID","GITHUB_CLIENT_SECRET","GOOGLE_LOGIN_ENABLED","GOOGLE_CLIENT_ID","GOOGLE_CLIENT_SECRET"
+        "APP_NAME","DEVICE_TRUST_DURATION_DAYS","EncPass","Main_SECRET_TOKEN","SESSION_SECRET_KEY",
+        "IS_DEPLOYED","LOGIN_DB","MBKAUTH_TWO_FA_ENABLE","COOKIE_EXPIRE_TIME","DOMAIN","loginRedirectURL",
+        "GITHUB_LOGIN_ENABLED","GITHUB_CLIENT_ID","GITHUB_CLIENT_SECRET","GOOGLE_LOGIN_ENABLED","GOOGLE_CLIENT_ID",
+        "GOOGLE_CLIENT_SECRET","MAX_SESSIONS_PER_USER"
     ];
 
     const defaults = {
@@ -75,7 +76,8 @@ function validateConfiguration() {
         COOKIE_EXPIRE_TIME: 2,
         loginRedirectURL: '/dashboard',
         GITHUB_LOGIN_ENABLED: 'false',
-        GOOGLE_LOGIN_ENABLED: 'false'
+        GOOGLE_LOGIN_ENABLED: 'false',
+        MAX_SESSIONS_PER_USER: 5
     };
 
     keysToCheck.forEach(key => {
@@ -183,6 +185,20 @@ function validateConfiguration() {
         mbkautheVar.DEVICE_TRUST_DURATION_DAYS = 7;
     }
 
+    // Validate MAX_SESSIONS_PER_USER if provided (must be positive integer)
+    if (mbkautheVar.MAX_SESSIONS_PER_USER !== undefined) {
+        const maxSessions = parseInt(mbkautheVar.MAX_SESSIONS_PER_USER, 10);
+        if (isNaN(maxSessions) || maxSessions <= 0) {
+            errors.push("mbkautheVar.MAX_SESSIONS_PER_USER must be a valid positive integer");
+        } else {
+            // Normalize to integer
+            mbkautheVar.MAX_SESSIONS_PER_USER = maxSessions;
+        }
+    } else {
+        // Ensure default value is set
+        mbkautheVar.MAX_SESSIONS_PER_USER = 5;
+    }
+
     // Validate LOGIN_DB connection string format
     if (mbkautheVar.LOGIN_DB && !mbkautheVar.LOGIN_DB.startsWith('postgresql://') && !mbkautheVar.LOGIN_DB.startsWith('postgres://')) {
         errors.push("mbkautheVar.LOGIN_DB must be a valid PostgreSQL connection string");

package/lib/config/security.js

@@ -5,4 +5,4 @@ export const hashPassword = (password, username) => {
     const salt = username;
     // 128 characters returned
     return crypto.pbkdf2Sync(password, salt, 100000, 64, 'sha512').toString('hex');
-};
+};

package/lib/middleware/auth.js

@@ -33,19 +33,18 @@ async function validateSession(req, res, next) {
       });
     }
 
-    // Normalize sessionId to lowercase for consistent comparison
-    const normalizedSessionId = sessionId.toLowerCase();
+    // Normalize sessionId (DB id) for consistent comparison
+    const normalizedSessionId = sessionId;
 
-    // Single optimized query to validate session and get role
-    const query = `SELECT "SessionId", "Active", "Role" FROM "Users" WHERE "id" = $1`;
-    const result = await dblogin.query({ name: 'validate-user-session', text: query, values: [id] });
+    // Validate session by DB primary key id and join to user
+    const query = `SELECT s.id as sid, s.expires_at, u."Active", u."Role"
+                   FROM "Sessions" s
+                   JOIN "Users" u ON s."UserName" = u."UserName"
+                   WHERE s.id = $1 LIMIT 1`;
+    const result = await dblogin.query({ name: 'validate-app-session', text: query, values: [normalizedSessionId] });
 
-    const dbSessionId = result.rows.length > 0 && result.rows[0].SessionId ? String(result.rows[0].SessionId).toLowerCase() : null;
-    if (!dbSessionId || dbSessionId !== normalizedSessionId) {
-      if (result.rows.length > 0 && !result.rows[0].SessionId) {
-        console.warn(`[mbkauthe] DB sessionId is null for user "${req.session.user.username}"`);
-      }
-      console.log(`[mbkauthe] Session invalidated for user "${req.session.user.username}"`);
+    if (result.rows.length === 0) {
+      console.log(`[mbkauthe] Session not found for user "${req.session.user.username}"`);
       req.session.destroy();
       clearSessionCookies(res);
       return renderError(res, {
@@ -57,7 +56,25 @@ async function validateSession(req, res, next) {
       });
     }
 
-    if (!result.rows[0].Active) {
+    const sessionRow = result.rows[0];
+
+    // Check expired
+    if (sessionRow.expires_at && new Date(sessionRow.expires_at) <= new Date()) {
+      console.log(`[mbkauthe] Session invalidated (expired) for user "${req.session.user.username}"`);
+      // destroy and clear cookies
+      req.session.destroy();
+      clearSessionCookies(res);
+      return renderError(res, {
+        code: 401,
+        error: "Session Expired",
+        message: "Your Session Has Expired. Please Log In Again.",
+        pagename: "Login",
+        page: `/mbkauthe/login?redirect=${encodeURIComponent(req.originalUrl)}`,
+      });
+    }
+
+
+    if (!sessionRow.Active) {
       console.log(`[mbkauthe] Account is inactive for user "${req.session.user.username}"`);
       req.session.destroy();
       clearSessionCookies(res);
@@ -117,24 +134,32 @@ async function validateApiSession(req, res, next) {
       return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_EXPIRED));
     }
 
-    // Normalize sessionId to lowercase for consistent comparison
-    const normalizedSessionId = sessionId.toLowerCase();
+    // Normalize sessionId (DB id) for consistent comparison
+    const normalizedSessionId = sessionId;
 
-    // Single optimized query to validate session and get role
-    const query = `SELECT "SessionId", "Active", "Role" FROM "Users" WHERE "id" = $1`;
-    const result = await dblogin.query({ name: 'validate-user-session-for-api', text: query, values: [id] });
+    // Validate session by DB primary key id and join to user
+    const query = `SELECT s.id as sid, s.expires_at, u."Active", u."Role"
+                   FROM "Sessions" s
+                   JOIN "Users" u ON s."UserName" = u."UserName"
+                   WHERE s.id = $1 LIMIT 1`;
+    const result = await dblogin.query({ name: 'validate-app-session-for-api', text: query, values: [normalizedSessionId] });
 
-    const dbSessionId = result.rows.length > 0 && result.rows[0].SessionId ? String(result.rows[0].SessionId).toLowerCase() : null;
-    if (!dbSessionId || dbSessionId !== normalizedSessionId) {
-      if (result.rows.length > 0 && !result.rows[0].SessionId) {
-        console.warn(`[mbkauthe] DB sessionId is null for user "${req.session.user.username}"`);
-      }
-      console.log(`[mbkauthe] Session invalidated for user "${req.session.user.username}"`);
+    if (result.rows.length === 0) {
       req.session.destroy();
       clearSessionCookies(res);
       return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_INVALID));
     }
 
+    const sessionRow = result.rows[0];
+
+    // Check expired
+    if (sessionRow.expires_at && new Date(sessionRow.expires_at) <= new Date()) {
+      req.session.destroy();
+      clearSessionCookies(res);
+      return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_EXPIRED));
+    }
+
+
     if (!result.rows[0].Active) {
       console.log(`[mbkauthe] Account is inactive for user "${req.session.user.username}"`);
       req.session.destroy();
@@ -176,21 +201,30 @@ export async function reloadSessionUser(req, res) {
   try {
     const { id, sessionId: currentSessionId } = req.session.user;
 
-    // Fetch fresh user record
-    const query = `SELECT id, "UserName", "Active", "Role", "AllowedApps", "SessionId" FROM "Users" WHERE id = $1`;
-    const result = await dblogin.query({ name: 'reload-session-user', text: query, values: [id] });
+    if (!currentSessionId) {
+      req.session.destroy(() => {});
+      clearSessionCookies(res);
+      return false;
+    }
+
+    const normalizedSessionId = String(currentSessionId);
+    const query = `SELECT s.id as sid, s.expires_at, u.id as uid, u."UserName", u."Active", u."Role", u."AllowedApps"
+                   FROM "Sessions" s
+                   JOIN "Users" u ON s."UserName" = u."UserName"
+                   WHERE s.id = $1 LIMIT 1`;
+    const result = await dblogin.query({ name: 'reload-session-user', text: query, values: [normalizedSessionId] });
 
     if (result.rows.length === 0) {
-      // User not found — invalidate session
+      // Session not found — invalidate session
       req.session.destroy(() => {});
       clearSessionCookies(res);
       return false;
     }
 
     const row = result.rows[0];
-    const dbSessionId = row.SessionId ? String(row.SessionId).toLowerCase() : null;
-    if (!dbSessionId || dbSessionId !== String(currentSessionId).toLowerCase()) {
-      // Session invalidated in DB
+
+    // Check expired
+    if (row.expires_at && new Date(row.expires_at) <= new Date()) {
       req.session.destroy(() => {});
       clearSessionCookies(res);
       return false;

package/lib/middleware/index.js

@@ -57,8 +57,8 @@ export async function sessionRestorationMiddleware(req, res, next) {
   if (!req.session.user && req.cookies.sessionId) {
     const sessionId = req.cookies.sessionId;
 
-    // Early validation to avoid unnecessary processing
-    if (typeof sessionId !== 'string' || !/^[a-f0-9]{64}$/i.test(sessionId)) {
+    // Early validation to avoid unnecessary processing (expect DB UUID id)
+    if (typeof sessionId !== 'string' || !/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(sessionId)) {
       // Clear invalid cookie to prevent repeated attempts
       res.clearCookie('sessionId', {
         domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
@@ -71,37 +71,46 @@ export async function sessionRestorationMiddleware(req, res, next) {
     }
 
     try {
-      const normalizedSessionId = sessionId.toLowerCase();
-
-      const query = `SELECT id, "UserName", "Active", "Role", "SessionId", "AllowedApps" FROM "Users" WHERE LOWER("SessionId") = $1 AND "Active" = true`;
-      const result = await dblogin.query({ name: 'restore-user-session', text: query, values: [normalizedSessionId] });
+      // Validate session by DB primary key id and join to user
+      const query = `SELECT u.id, u."UserName", u."Active", u."Role", u."AllowedApps", s.expires_at
+                     FROM "Sessions" s
+                     JOIN "Users" u ON s."UserName" = u."UserName"
+                     WHERE s.id = $1 LIMIT 1`;
+      const result = await dblogin.query({ name: 'restore-user-session', text: query, values: [sessionId] });
 
       if (result.rows.length > 0) {
-        const user = result.rows[0];
-        req.session.user = {
-          id: user.id,
-          username: user.UserName,
-          role: user.Role,
-          sessionId: normalizedSessionId,
-          allowedApps: user.AllowedApps,
-        };
+        const row = result.rows[0];
 
-        // Use cached FullName from client cookie when available to avoid extra DB queries
-        if (req.cookies.fullName && typeof req.cookies.fullName === 'string') {
-          req.session.user.fullname = req.cookies.fullName;
+        // Reject expired sessions or inactive users
+        if ((row.expires_at && new Date(row.expires_at) <= new Date()) || !row.Active) {
+          // leave cookies cleared and don't restore session
         } else {
-          // Fallback: attempt to fetch FullName from profiledata to populate session
-          try {
-            const profileRes = await dblogin.query({
-              name: 'restore-get-fullname',
-              text: 'SELECT "FullName" FROM "profiledata" WHERE "UserName" = $1 LIMIT 1',
-              values: [user.UserName]
-            });
-            if (profileRes.rows.length > 0 && profileRes.rows[0].FullName) {
-              req.session.user.fullname = profileRes.rows[0].FullName;
+          const normalizedSessionId = String(sessionId);
+          req.session.user = {
+            id: row.id,
+            username: row.UserName,
+            role: row.Role,
+            sessionId: normalizedSessionId,
+            allowedApps: row.AllowedApps,
+          };
+
+          // Use cached FullName from client cookie when available to avoid extra DB queries
+          if (req.cookies.fullName && typeof req.cookies.fullName === 'string') {
+            req.session.user.fullname = req.cookies.fullName;
+          } else {
+            // Fallback: attempt to fetch FullName from profiledata to populate session
+            try {
+              const profileRes = await dblogin.query({
+                name: 'restore-get-fullname',
+                text: 'SELECT "FullName" FROM "profiledata" WHERE "UserName" = $1 LIMIT 1',
+                values: [row.UserName]
+              });
+              if (profileRes.rows.length > 0 && profileRes.rows[0].FullName) {
+                req.session.user.fullname = profileRes.rows[0].FullName;
+              }
+            } catch (profileErr) {
+              console.error("[mbkauthe] Error fetching FullName during session restore:", profileErr);
             }
-          } catch (profileErr) {
-            console.error("[mbkauthe] Error fetching FullName during session restore:", profileErr);
           }
         }
       }

package/lib/routes/auth.js

@@ -7,7 +7,7 @@ import { dblogin } from "../database/pool.js";
 import { mbkautheVar } from "../config/index.js";
 import {
   cachedCookieOptions, cachedClearCookieOptions, clearSessionCookies,
-  generateDeviceToken, getDeviceTokenCookieOptions, DEVICE_TRUST_DURATION_MS
+  generateDeviceToken, getDeviceTokenCookieOptions, DEVICE_TRUST_DURATION_MS, hashDeviceToken
 } from "../config/cookies.js";
 import { packageJson } from "../config/index.js";
 import { hashPassword } from "../config/security.js";
@@ -63,6 +63,8 @@ export async function checkTrustedDevice(req, username) {
   }
 
   try {
+    // Hash the provided device token before querying DB (we store token hashes in DB)
+    const deviceTokenHash = hashDeviceToken(deviceToken);
     const deviceQuery = `
       SELECT td."UserName", td."LastUsed", td."ExpiresAt", u."id", u."Active", u."Role", u."AllowedApps"
       FROM "TrustedDevices" td
@@ -72,7 +74,7 @@ export async function checkTrustedDevice(req, username) {
     const deviceResult = await dblogin.query({
       name: 'check-trusted-device',
       text: deviceQuery,
-      values: [deviceToken, username]
+      values: [deviceTokenHash, username]
     });
 
     if (deviceResult.rows.length > 0) {
@@ -95,7 +97,7 @@ export async function checkTrustedDevice(req, username) {
       await dblogin.query({
         name: 'update-device-last-used',
         text: 'UPDATE "TrustedDevices" SET "LastUsed" = NOW() WHERE "DeviceToken" = $1',
-        values: [deviceToken]
+        values: [deviceTokenHash]
       });
 
       console.log(`[mbkauthe] Trusted device validated for user: ${username}`);
@@ -124,13 +126,9 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
       throw new Error('Username is required in user object');
     }
 
-    // smaller session id is sufficient and faster to generate/serialize
-    const sessionId = crypto.randomBytes(32).toString("hex");
-    console.log(`[mbkauthe] Generated session ID for username: ${username}`);
-
     // Fix session fixation: Delete old session BEFORE regenerating to prevent timing window
     const oldSessionId = req.sessionID;
-    
+
     // Delete old session first to prevent session fixation attacks
     await dblogin.query({
       name: 'login-delete-old-session-before-regen',
@@ -146,27 +144,50 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
       });
     });
 
-    // Run both queries in parallel for better performance
-    await Promise.all([
-      // Delete old sessions using indexed lookup on sess->'user'->>'id'
-      dblogin.query({
-        name: 'login-delete-old-user-sessions',
-        text: 'DELETE FROM "session" WHERE (sess->\'user\'->>\'id\')::int = $1',
-        values: [user.id]
-      }),
-      // Update session ID and last login time in Users table
-      dblogin.query({
-        name: 'login-update-session-and-last-login',
-        text: `UPDATE "Users" SET "SessionId" = $1, "last_login" = NOW() WHERE "id" = $2`,
-        values: [sessionId, user.id]
-      })
-    ]);
+    // Enforce max sessions per user (configurable via mbkautheVar.MAX_SESSIONS_PER_USER) and persist a new application session record (keyed by username)
+    const configuredMax = parseInt(mbkautheVar.MAX_SESSIONS_PER_USER, 10);
+    const MAX_SESSIONS = Number.isInteger(configuredMax) && configuredMax > 0 ? configuredMax : 5;
+
+    // Count active sessions for this user (by username)
+    const countRes = await dblogin.query({
+      name: 'count-user-sessions',
+      text: `SELECT id FROM "Sessions" WHERE "UserName" = $1 AND (expires_at IS NULL OR expires_at > NOW()) ORDER BY created_at ASC`,
+      values: [username]
+    });
+
+    const currentSessions = countRes.rows.length;
+    if (currentSessions >= MAX_SESSIONS) {
+      console.log(`[mbkauthe] User "${username}" has ${currentSessions} active sessions, exceeding max of ${MAX_SESSIONS}. Pruning oldest sessions.`);
+      // prune the oldest session(s) to make room for the new one
+      await dblogin.query({
+        name: 'prune-oldest-user-session',
+        text: `DELETE FROM "Sessions" WHERE id IN (SELECT id FROM "Sessions" WHERE "UserName" = $1 AND (expires_at IS NULL OR expires_at > NOW()) ORDER BY created_at ASC LIMIT $2)` ,
+        values: [username, (currentSessions - (MAX_SESSIONS - 1))]
+      });
+    }
+
+    const expiresAt = new Date(Date.now() + (cachedCookieOptions.maxAge || 0));
+
+    // Insert new session record for the user (store username) and return the DB id
+    const insertRes = await dblogin.query({
+      name: 'insert-app-session',
+      text: `INSERT INTO "Sessions" ("UserName", expires_at, meta) VALUES ($1, $2, $3) RETURNING id`,
+      values: [username, expiresAt, JSON.stringify({ ip: req.ip, ua: req.headers['user-agent'] || null })]
+    });
+    const dbSessionId = insertRes.rows[0].id; 
+
+    // Update last_login timestamp for the user
+    await dblogin.query({
+      name: 'login-update-last-login',
+      text: `UPDATE "Users" SET "last_login" = NOW() WHERE "id" = $1`,
+      values: [user.id]
+    });
 
     req.session.user = {
       id: user.id,
       username: username,
       role: user.role || user.Role,
-      sessionId,
+      sessionId: dbSessionId,
       allowedApps: user.allowedApps || user.AllowedApps,
     };
 
@@ -194,11 +215,11 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
         return res.status(500).json({ success: false, message: "Internal Server Error" });
       }
 
-      // Expose sessionId and display name to client for UI (fullName falls back to username)
-      res.cookie("sessionId", sessionId, cachedCookieOptions);
+      // Expose DB session id and display name to client for UI (fullName falls back to username)
+      res.cookie("sessionId", dbSessionId, cachedCookieOptions);
       res.cookie("fullName", req.session.user.fullname || username, { ...cachedCookieOptions, httpOnly: false });
 
-      // Handle trusted device if requested
+      // Handle trusted device if requested (token no longer stored in DB as token_hash)
       if (trustDevice) {
         try {
           const deviceToken = generateDeviceToken();
@@ -208,13 +229,16 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
           const ipAddress = req.ip || req.connection.remoteAddress || 'Unknown';
           const expiresAt = new Date(Date.now() + DEVICE_TRUST_DURATION_MS);
 
+          // Store only the HASH of the device token in DB; send the raw token to the client (httpOnly cookie)
+          const deviceTokenHash = hashDeviceToken(deviceToken);
           await dblogin.query({
             name: 'insert-trusted-device',
             text: `INSERT INTO "TrustedDevices" ("UserName", "DeviceToken", "DeviceName", "UserAgent", "IpAddress", "ExpiresAt") 
                    VALUES ($1, $2, $3, $4, $5, $6)`,
-            values: [username, deviceToken, deviceName, userAgent, ipAddress, expiresAt]
+            values: [username, deviceTokenHash, deviceName, userAgent, ipAddress, expiresAt]
           });
 
+          // Send raw token to client as httpOnly cookie only
           res.cookie("device_token", deviceToken, getDeviceTokenCookieOptions());
           console.log(`[mbkauthe] Trusted device token created for user: ${username}`);
         } catch (deviceErr) {
@@ -228,7 +252,7 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
       const responsePayload = {
         success: true,
         message: "Login successful",
-        sessionId,
+        sessionId: dbSessionId,
       };
 
       if (redirectUrl) {
@@ -506,15 +530,14 @@ router.post("/api/logout", LogoutLimit, async (req, res) => {
     try {
       const { id, username } = req.session.user;
 
-      // Run both database operations in parallel
-      const operations = [
-        dblogin.query({ name: 'logout-clear-session', text: `UPDATE "Users" SET "SessionId" = NULL WHERE "id" = $1`, values: [id] })
-      ];
+      // Remove the application session record for this token (if present)
+      const operations = [];
+      if (req.session && req.session.user && req.session.user.sessionId) {
+        operations.push(dblogin.query({ name: 'logout-delete-app-session', text: 'DELETE FROM "Sessions" WHERE id = $1', values: [req.session.user.sessionId] }));
+      }
 
       if (req.sessionID) {
-        operations.push(
-          dblogin.query({ name: 'logout-delete-session', text: 'DELETE FROM "session" WHERE sid = $1', values: [req.sessionID] })
-        );
+        operations.push(dblogin.query({ name: 'logout-delete-session', text: 'DELETE FROM "session" WHERE sid = $1', values: [req.sessionID] }));
       }
 
       await Promise.all(operations);