mbkauthe 4.0.0 → 4.1.0

package/README.md

@@ -23,6 +23,8 @@
 - Easy Express.js integration
 - Customizable Handlebars templates
 - Session fixation prevention
+- Dynamic profile picture routing with session caching
+- Modern responsive UI with desktop two-column layout
 
 ## 📦 Installation
 

package/docs/api.md

@@ -356,6 +356,129 @@ fetch('/mbkauthe/api/logout', {
 
 ---
 
+### Multi-Account Endpoints
+
+#### `GET /mbkauthe/accounts`
+
+Renders the account switching page, allowing users to switch between remembered accounts on the device.
+
+**Rate Limit:** 8 requests per minute
+
+**CSRF Protection:** Required
+
+**Response:** HTML page with account list
+
+**Template Variables:**
+- `customURL` - Redirect URL after switch
+- `userLoggedIn` - Whether a user is currently logged in
+- `username` - Current username
+- `fullname` - Current user's full name
+- `role` - Current user's role
+
+**Usage:**
+```
+GET /mbkauthe/accounts
+```
+
+---
+
+#### `GET /mbkauthe/api/account-sessions`
+
+Retrieves the list of remembered accounts for the current device.
+
+**Rate Limit:** 8 requests per minute
+
+**Response (200 OK):**
+```json
+{
+  "accounts": [
+    {
+      "sessionId": "64-char-session-id",
+      "username": "john.doe",
+      "fullName": "John Doe",
+      "isCurrent": true
+    },
+    {
+      "sessionId": "another-session-id",
+      "username": "jane.smith",
+      "fullName": "Jane Smith",
+      "isCurrent": false
+    }
+  ],
+  "currentSessionId": "64-char-session-id"
+}
+```
+
+**Behavior:**
+- Validates each stored session against the database
+- Automatically removes invalid/expired sessions from the cookie
+- Returns only valid, active sessions
+
+---
+
+#### `POST /mbkauthe/api/switch-session`
+
+Switches the active session to another remembered account.
+
+**Rate Limit:** 8 requests per minute
+
+**Request Body:**
+```json
+{
+  "sessionId": "target-session-id (required)",
+  "redirect": "/dashboard (optional)"
+}
+```
+
+**Success Response (200 OK):**
+```json
+{
+  "success": true,
+  "username": "jane.smith",
+  "fullName": "Jane Smith",
+  "redirect": "/dashboard"
+}
+```
+
+**Error Responses:**
+
+| Status Code | Message |
+|------------|---------|
+| 400 | Invalid session ID format |
+| 401 | Session expired |
+| 403 | Account not available on this device |
+| 500 | Internal Server Error |
+
+**Behavior:**
+- Verifies the target session exists in the device's remembered list
+- Validates the session against the database
+- Regenerates the session ID to prevent fixation
+- Updates session cookies and current user context
+
+---
+
+#### `POST /mbkauthe/api/logout-all`
+
+Logs out all remembered accounts on the current device.
+
+**Rate Limit:** 8 requests per minute
+
+**Response (200 OK):**
+```json
+{
+  "success": true,
+  "message": "All accounts logged out"
+}
+```
+
+**Behavior:**
+- Deletes all session records associated with the device's remembered accounts from the database
+- Clears the account list cookie
+- Destroys the current session
+- Clears all session cookies
+
+---
+
 #### `POST /mbkauthe/api/terminateAllSessions`
 
 Terminates all active sessions across all users (admin only).
@@ -523,34 +646,50 @@ Serves the application's SVG icon file from the root level.
 
 ---
 
-#### `GET /favicon.ico`
-
-Serves the application's favicon.
+#### `GET /mbkauthe/bg.webp`
 
-**Aliases:** `/icon.ico`
+Serves the background image for authentication pages.
 
-**Response:** ICO image file (Content-Type: image/x-icon)
+**Response:** WEBP image file (Content-Type: image/webp)
 
 **Cache:** Cached for 1 year (max-age=31536000)
 
 **Usage:**
-```html
-<link rel="icon" type="image/x-icon" href="/favicon.ico">
+```css
+background-image: url('/mbkauthe/bg.webp');
 ```
 
 ---
 
-#### `GET /mbkauthe/bg.webp`
+#### `GET /mbkauthe/user/profilepic`
 
-Serves the background image for authentication pages.
+Serves the current user's profile picture or a default icon.
 
-**Response:** WEBP image file (Content-Type: image/webp)
+**Authentication:** Optional (returns default icon if not logged in)
 
-**Cache:** Cached for 1 year (max-age=31536000)
+**Response:** 
+- If logged in with valid profile picture URL: 302 redirect to the user's profile picture URL (from `Users.Image` column)
+- If not logged in or no profile picture: SVG image file (Content-Type: image/svg+xml) streaming `/icon.svg`
+
+**Cache:** 
+- Profile picture URL is cached in session for performance
+- Cache is automatically cleared on login, logout, or account switch
+
+**Behavior:**
+1. First request: Queries `Users` table for `Image` column value
+2. Subsequent requests: Returns cached value from session
+3. On login/logout/switch: Cache is invalidated and fresh data is fetched
 
 **Usage:**
-```css
-background-image: url('/mbkauthe/bg.webp');
+```html
+<img src="/mbkauthe/user/profilepic" alt="Profile Picture">
+```
+
+**Example Response Flow:**
+```
+User logged in → Query DB → Cache URL → Redirect to URL
+User not logged in → Stream /icon.svg
+Empty Image value → Stream /icon.svg
 ```
 
 ---

package/docs/db.md

@@ -196,30 +196,48 @@ The GitHub login feature is now fully integrated into your mbkauthe system and r
   - (SessionId removed) The application now stores multiple concurrent sessions in the `Sessions` table.
   - `GuestRole` (JSONB): Stores additional guest-specific role information in binary JSON format.
   - `AllowedApps`(JSONB): Array of applications the user is authorized to access.
+  - `Image` (TEXT): URL to the user's profile picture. Used by the `/mbkauthe/user/profilepic` route to serve profile images. If empty, the route returns the default icon.svg. The URL is cached in the session for performance and automatically refreshed on login/logout/account switch.
+  - `FullName` (VARCHAR): The full name/display name of the user.
+  - `email` (TEXT): The user's email address.
 
 - **Schema:**
 ```sql
 CREATE TYPE role AS ENUM ('SuperAdmin', 'NormalUser', 'Guest');
 
 CREATE TABLE "Users" (
-    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    id INTEGER PRIMARY KEY AUTOINCREMENT AS IDENTITY,
     "UserName" VARCHAR(50) NOT NULL UNIQUE,
-    "Password" VARCHAR(61), -- For raw passwords (when EncPass=false)
-    "PasswordEnc" VARCHAR(128), -- For encrypted passwords (when EncPass=true)
-    "Role" role DEFAULT 'NormalUser' NOT NULL,
+    "Password" VARCHAR(255) NOT NULL,
     "Active" BOOLEAN DEFAULT FALSE,
+    "Role" role DEFAULT 'NormalUser' NOT NULL,
     "HaveMailAccount" BOOLEAN DEFAULT FALSE,
     "AllowedApps" JSONB DEFAULT '["mbkauthe", "portal"]',
     "created_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
     "updated_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
-    "last_login" TIMESTAMP WITH TIME ZONE
+    "last_login" TIMESTAMP WITH TIME ZONE,
+    "PasswordEnc" VARCHAR(128),
+    
+    "FullName" VARCHAR(255),
+    "email" TEXT DEFAULT 'support@mbktech.org',
+    "Image" TEXT DEFAULT 'https://portal.mbktech.org/icon.svg',  -- Profile picture URL (used by /mbkauthe/user/profilepic route)
+    "Bio" TEXT DEFAULT 'I am ....',
+    "SocialAccounts" TEXT DEFAULT '{}',
+    "Positions" jsonb DEFAULT '{"Not_Permanent":"Member Is Not Permanent"}',
+    "resetToken" TEXT,
+    "resetTokenExpires" TimeStamp,
+    "resetAttempts" INTEGER DEFAULT '0',
+    "lastResetAttempt" TimeStamp WITH TIME ZONE
 );
 
--- Add indexes for performance optimization
-CREATE INDEX IF NOT EXISTS idx_users_username ON "Users" ("UserName");
-CREATE INDEX IF NOT EXISTS idx_users_active ON "Users" ("Active");
-CREATE INDEX IF NOT EXISTS idx_users_role ON "Users" ("Role");
-CREATE INDEX IF NOT EXISTS idx_users_last_login ON "Users" (last_login);
+
+CREATE INDEX IF NOT EXISTS idx_users_username ON "Users" USING BTREE ("UserName");
+CREATE INDEX IF NOT EXISTS idx_users_role ON "Users" USING BTREE ("Role");
+CREATE INDEX IF NOT EXISTS idx_users_active ON "Users" USING BTREE ("Active");
+CREATE INDEX IF NOT EXISTS idx_users_email ON "Users" USING BTREE ("email");
+CREATE INDEX IF NOT EXISTS idx_users_last_login ON "Users" USING BTREE (last_login);
+-- JSONB GIN indexes for common filters/queries on JSON fields
+CREATE INDEX IF NOT EXISTS idx_users_allowedapps_gin ON "Users" USING GIN ("AllowedApps");
+CREATE INDEX IF NOT EXISTS idx_users_positions_gin ON "Users" USING GIN ("Positions");
 
 -- Application Sessions table (stores multiple concurrent sessions per user)
 -- Note: this is separate from the express-session store table named "session"

package/docs/db.sql

@@ -34,25 +34,41 @@ CREATE INDEX IF NOT EXISTS idx_user_google_user_name ON user_google (user_name);
 
 CREATE TYPE role AS ENUM ('SuperAdmin', 'NormalUser', 'Guest');
 
+
 CREATE TABLE "Users" (
-    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    id INTEGER PRIMARY KEY AUTOINCREMENT AS IDENTITY,
     "UserName" VARCHAR(50) NOT NULL UNIQUE,
-    "Password" VARCHAR(61), -- For raw passwords (when EncPass=false)
-    "PasswordEnc" VARCHAR(128), -- For encrypted passwords (when EncPass=true)
-    "Role" role DEFAULT 'NormalUser' NOT NULL,
+    "Password" VARCHAR(255) NOT NULL,
     "Active" BOOLEAN DEFAULT FALSE,
+    "Role" role DEFAULT 'NormalUser' NOT NULL,
     "HaveMailAccount" BOOLEAN DEFAULT FALSE,
     "AllowedApps" JSONB DEFAULT '["mbkauthe", "portal"]',
     "created_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
     "updated_at" TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
-    "last_login" TIMESTAMP WITH TIME ZONE
+    "last_login" TIMESTAMP WITH TIME ZONE,
+    "PasswordEnc" VARCHAR(128),
+    
+    "FullName" VARCHAR(255),
+    "email" TEXT DEFAULT 'support@mbktech.org',
+    "Image" TEXT DEFAULT 'https://portal.mbktech.org/icon.svg',
+    "Bio" TEXT DEFAULT 'I am ....',
+    "SocialAccounts" TEXT DEFAULT '{}',
+    "Positions" jsonb DEFAULT '{"Not_Permanent":"Member Is Not Permanent"}',
+    "resetToken" TEXT,
+    "resetTokenExpires" TimeStamp,
+    "resetAttempts" INTEGER DEFAULT '0',
+    "lastResetAttempt" TimeStamp WITH TIME ZONE
 );
 
--- Add indexes for performance optimization
-CREATE INDEX IF NOT EXISTS idx_users_username ON "Users" ("UserName");
-CREATE INDEX IF NOT EXISTS idx_users_active ON "Users" ("Active");
-CREATE INDEX IF NOT EXISTS idx_users_role ON "Users" ("Role");
-CREATE INDEX IF NOT EXISTS idx_users_last_login ON "Users" (last_login);
+
+CREATE INDEX IF NOT EXISTS idx_users_username ON "Users" USING BTREE ("UserName");
+CREATE INDEX IF NOT EXISTS idx_users_role ON "Users" USING BTREE ("Role");
+CREATE INDEX IF NOT EXISTS idx_users_active ON "Users" USING BTREE ("Active");
+CREATE INDEX IF NOT EXISTS idx_users_email ON "Users" USING BTREE ("email");
+CREATE INDEX IF NOT EXISTS idx_users_last_login ON "Users" USING BTREE (last_login);
+-- JSONB GIN indexes for common filters/queries on JSON fields
+CREATE INDEX IF NOT EXISTS idx_users_allowedapps_gin ON "Users" USING GIN ("AllowedApps");
+CREATE INDEX IF NOT EXISTS idx_users_positions_gin ON "Users" USING GIN ("Positions");
 
 -- Application Sessions table (stores multiple concurrent sessions per user)
 -- Note: this is separate from the express-session store table named "session"

package/index.d.ts

@@ -36,6 +36,7 @@ declare global {
       };
       oauthRedirect?: string;
       oauthCsrfToken?: string;
+      [key: string]: any;
     }
   }
 }
@@ -254,6 +255,8 @@ declare module 'mbkauthe' {
 
   export function clearSessionCookies(res: Response): void;
 
+  export function getLatestVersion(): Promise<string>;
+
   // Exports
   export const dblogin: Pool;
   export const mbkautheVar: MBKAuthConfig;

package/index.js

@@ -71,7 +71,7 @@ if (process.env.test === "dev") {
     app.use(router);
     app.use((req, res) => {
         console.log(`[mbkauthe] Path not found: ${req.method} ${req.url}`);
-        return renderError(res, {
+        return renderError(res, req, {
             layout: false,
             code: 404,
             error: "Not Found",
@@ -95,5 +95,8 @@ export {
 } from "./lib/middleware/auth.js";
 export { renderError } from "./lib/utils/response.js";
 export { dblogin } from "./lib/database/pool.js";
-export { ErrorCodes, ErrorMessages, getErrorByCode, createErrorResponse, logError } from "./lib/utils/errors.js";
+export {
+    ErrorCodes, ErrorMessages, getErrorByCode,
+    createErrorResponse, logError
+} from "./lib/utils/errors.js";
 export default router;

package/lib/config/cookies.js

@@ -1,6 +1,83 @@
 import crypto from "crypto";
 import { mbkautheVar } from "./index.js";
 
+// Maximum number of remembered accounts per device
+const MAX_REMEMBERED_ACCOUNTS = 5;
+const ACCOUNT_LIST_COOKIE = 'mbkauthe_accounts';
+
+// Cookie security: encryption and signing
+const COOKIE_ENCRYPTION_KEY = mbkautheVar.SESSION_SECRET || 'fallback-secret-key-change-this';
+const ENCRYPTION_ALGORITHM = 'aes-256-gcm';
+
+// Derive encryption key from session secret
+const getEncryptionKey = () => {
+    return crypto.createHash('sha256').update(COOKIE_ENCRYPTION_KEY).digest();
+};
+
+// Encrypt and sign cookie payload
+const encryptCookiePayload = (data) => {
+    try {
+        const iv = crypto.randomBytes(16);
+        const key = getEncryptionKey();
+        const cipher = crypto.createCipheriv(ENCRYPTION_ALGORITHM, key, iv);
+        
+        let encrypted = cipher.update(JSON.stringify(data), 'utf8', 'hex');
+        encrypted += cipher.final('hex');
+        
+        const authTag = cipher.getAuthTag();
+        
+        // Combine iv + authTag + encrypted data
+        return {
+            iv: iv.toString('hex'),
+            authTag: authTag.toString('hex'),
+            data: encrypted
+        };
+    } catch (error) {
+        console.error('[mbkauthe] Cookie encryption error:', error);
+        return null;
+    }
+};
+
+// Decrypt and verify cookie payload
+const decryptCookiePayload = (payload) => {
+    try {
+        if (!payload || !payload.iv || !payload.authTag || !payload.data) {
+            return null;
+        }
+        
+        const key = getEncryptionKey();
+        const decipher = crypto.createDecipheriv(
+            ENCRYPTION_ALGORITHM,
+            key,
+            Buffer.from(payload.iv, 'hex')
+        );
+        
+        decipher.setAuthTag(Buffer.from(payload.authTag, 'hex'));
+        
+        let decrypted = decipher.update(payload.data, 'hex', 'utf8');
+        decrypted += decipher.final('utf8');
+        
+        return JSON.parse(decrypted);
+    } catch (error) {
+        console.error('[mbkauthe] Cookie decryption error:', error);
+        return null;
+    }
+};
+
+// Generate fingerprint from user-agent only (salted)
+const generateFingerprint = (req) => {
+    const userAgent = req.headers['user-agent'] || '';
+    // Use SESSION_SECRET_KEY as salt if available, otherwise fallback to encryption key
+    const salt = mbkautheVar.SESSION_SECRET_KEY || COOKIE_ENCRYPTION_KEY;
+    
+    // Hash user-agent with salt to prevent rainbow table attacks on UAs
+    return crypto
+        .createHash('sha256')
+        .update(`${userAgent}:${salt}`)
+        .digest('hex')
+        .substring(0, 32);
+};
+
 // Shared cookie options functions
 const getCookieOptions = () => ({
     maxAge: mbkautheVar.COOKIE_EXPIRE_TIME * 24 * 60 * 60 * 1000,
@@ -57,3 +134,83 @@ export const clearSessionCookies = (res) => {
 };
 
 export { getCookieOptions, getClearCookieOptions };
+
+// ---- Multi-account helpers ----
+const parseAccountList = (raw, req) => {
+    if (!raw) return [];
+    try {
+        // First, decrypt the cookie payload
+        const parsed = JSON.parse(raw);
+        const decrypted = decryptCookiePayload(parsed);
+        
+        if (!decrypted || !decrypted.accounts || !decrypted.fingerprint) {
+            return [];
+        }
+        
+        // Verify fingerprint matches current request
+        const currentFingerprint = generateFingerprint(req);
+        if (decrypted.fingerprint !== currentFingerprint) {
+            console.warn('[mbkauthe] Cookie fingerprint mismatch - possible cookie theft attempt');
+            return [];
+        }
+        
+        const accounts = decrypted.accounts;
+        if (!Array.isArray(accounts)) return [];
+        
+        // Accept only minimal safe fields
+        return accounts
+            .filter(item => item && typeof item === 'object')
+            .map(item => ({
+                sessionId: typeof item.sessionId === 'string' ? item.sessionId : null,
+                username: typeof item.username === 'string' ? item.username : null,
+                fullName: typeof item.fullName === 'string' ? item.fullName : null
+            }))
+            .filter(item => item.sessionId && item.username)
+            .slice(0, MAX_REMEMBERED_ACCOUNTS);
+    } catch (error) {
+        console.error('[mbkauthe] Error parsing account list:', error);
+        return [];
+    }
+};
+
+const writeAccountList = (res, list, req) => {
+    const sanitized = Array.isArray(list) ? list.slice(0, MAX_REMEMBERED_ACCOUNTS) : [];
+    
+    // Create payload with fingerprint
+    const payload = {
+        accounts: sanitized,
+        fingerprint: generateFingerprint(req)
+    };
+    
+    // Encrypt the payload
+    const encrypted = encryptCookiePayload(payload);
+    if (!encrypted) {
+        console.error('[mbkauthe] Failed to encrypt account list cookie');
+        return;
+    }
+    
+    res.cookie(ACCOUNT_LIST_COOKIE, JSON.stringify(encrypted), cachedCookieOptions);
+};
+
+export const readAccountListFromCookie = (req) => {
+    const raw = req?.cookies ? req.cookies[ACCOUNT_LIST_COOKIE] : null;
+    return parseAccountList(raw, req);
+};
+
+export const upsertAccountListCookie = (req, res, entry) => {
+    if (!entry || !entry.sessionId || !entry.username) return;
+    const current = readAccountListFromCookie(req);
+    const filtered = current.filter(item => item.sessionId !== entry.sessionId && item.username !== entry.username);
+    const next = [{ sessionId: entry.sessionId, username: entry.username, fullName: entry.fullName || entry.username }, ...filtered];
+    writeAccountList(res, next, req);
+};
+
+export const removeAccountFromCookie = (req, res, sessionId) => {
+    const current = readAccountListFromCookie(req);
+    const next = current.filter(item => item.sessionId !== sessionId);
+    writeAccountList(res, next, req);
+};
+
+export const clearAccountListCookie = (res) => {
+    res.clearCookie(ACCOUNT_LIST_COOKIE, cachedClearCookieOptions);
+};

package/lib/main.js

@@ -69,10 +69,5 @@ router.get('/icon.svg', (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'icon.svg'));
 });
 
-router.get(['/favicon.ico', '/icon.ico'], (req, res) => {
-  res.setHeader('Cache-Control', 'public, max-age=31536000');
-  res.sendFile(path.join(__dirname, '..', 'public', 'icon.ico'));
-});
-
 export { getLatestVersion } from "./routes/misc.js";
 export default router;

package/lib/middleware/auth.js

@@ -1,18 +1,23 @@
 import { dblogin } from "../database/pool.js";
 import { mbkautheVar } from "../config/index.js";
 import { renderError } from "../utils/response.js";
-import { clearSessionCookies, cachedCookieOptions } from "../config/cookies.js";
+import { clearSessionCookies, cachedCookieOptions, readAccountListFromCookie } from "../config/cookies.js";
 
 async function validateSession(req, res, next) {
   if (!req.session.user) {
     console.log("[mbkauthe] User not authenticated");
-    console.log("[mbkauthe]: ", req.session.user);
-    return renderError(res, {
+    const remembered = readAccountListFromCookie(req) || [];
+    const hasRemembered = remembered.some(acct => acct && typeof acct.sessionId === 'string' && acct.sessionId.length > 0);
+    const pageTarget = hasRemembered ? '/mbkauthe/accounts' : `/mbkauthe/login?redirect=${encodeURIComponent(req.originalUrl)}`;
+    const message = hasRemembered
+      ? "Another saved account is available. Open the switch page to continue."
+      : "You Are Not Logged In. Please Log In To Continue.";
+    return renderError(res, req, {
       code: 401,
       error: "Not Logged In",
-      message: "You Are Not Logged In. Please Log In To Continue.",
-      pagename: "Login",
-      page: `/mbkauthe/login?redirect=${encodeURIComponent(req.originalUrl)}`,
+      message,
+      pagename: hasRemembered ? "Switch Account" : "Login",
+      page: pageTarget,
     });
   }
 
@@ -24,7 +29,7 @@ async function validateSession(req, res, next) {
       console.warn(`[mbkauthe] Missing sessionId for user "${req.session.user.username}"`);
       req.session.destroy();
       clearSessionCookies(res);
-      return renderError(res, {
+      return renderError(res, req, {
         code: 401,
         error: "Session Expired",
         message: "Your Session Has Expired. Please Log In Again.",
@@ -47,7 +52,7 @@ async function validateSession(req, res, next) {
       console.log(`[mbkauthe] Session not found for user "${req.session.user.username}"`);
       req.session.destroy();
       clearSessionCookies(res);
-      return renderError(res, {
+      return renderError(res, req, {
         code: 401,
         error: "Session Expired",
         message: "Your Session Has Expired. Please Log In Again.",
@@ -64,7 +69,7 @@ async function validateSession(req, res, next) {
       // destroy and clear cookies
       req.session.destroy();
       clearSessionCookies(res);
-      return renderError(res, {
+      return renderError(res, req, {
         code: 401,
         error: "Session Expired",
         message: "Your Session Has Expired. Please Log In Again.",
@@ -78,7 +83,7 @@ async function validateSession(req, res, next) {
       console.log(`[mbkauthe] Account is inactive for user "${req.session.user.username}"`);
       req.session.destroy();
       clearSessionCookies(res);
-      return renderError(res, {
+      return renderError(res, req, {
         code: 401,
         error: "Account Inactive",
         message: "Your Account Is Inactive. Please Contact Support.",
@@ -94,7 +99,7 @@ async function validateSession(req, res, next) {
         console.warn(`[mbkauthe] User \"${req.session.user.username}\" is not authorized to use the application \"${mbkautheVar.APP_NAME}\"`);
         req.session.destroy();
         clearSessionCookies(res);
-        return renderError(res, {
+        return renderError(res, req, {
           code: 401,
           error: "Unauthorized",
           message: `You Are Not Authorized To Use The Application \"${mbkautheVar.APP_NAME}\"`,
@@ -192,7 +197,7 @@ async function validateApiSession(req, res, next) {
  * Reload session user values from the database and refresh cookies.
  * - Validates sessionId and active status
  * - Updates `req.session.user` fields (username, role, allowedApps, fullname)
- * - Uses cached `fullName` cookie when available, otherwise queries `profiledata`
+ * - Uses cached `fullName` cookie when available, otherwise queries `Users`
  * - Syncs `username`, `fullName` and `sessionId` cookies
  * Returns: true if session refreshed and valid, false if session invalidated
  */
@@ -258,7 +263,7 @@ export async function reloadSessionUser(req, res) {
       req.session.user.fullname = req.cookies.fullName;
     } else {
       try {
-        const prof = await dblogin.query({ name: 'reload-get-fullname', text: 'SELECT "FullName" FROM "profiledata" WHERE "UserName" = $1 LIMIT 1', values: [row.UserName] });
+        const prof = await dblogin.query({ name: 'reload-get-fullname', text: 'SELECT "FullName" FROM "USers" WHERE "UserName" = $1 LIMIT 1', values: [row.UserName] });
         if (prof.rows.length > 0 && prof.rows[0].FullName) req.session.user.fullname = prof.rows[0].FullName;
       } catch (profileErr) {
         console.error('[mbkauthe] Error fetching fullname during reload:', profileErr);
@@ -290,7 +295,7 @@ const checkRolePermission = (requiredRoles, notAllowed) => {
     try {
       if (!req.session || !req.session.user || !req.session.user.id) {
         console.log("[mbkauthe] User not authenticated");
-        return renderError(res, {
+        return renderError(res, req, {
           code: 401,
           error: "Not Logged In",
           message: "You Are Not Logged In. Please Log In To Continue.",
@@ -304,7 +309,7 @@ const checkRolePermission = (requiredRoles, notAllowed) => {
 
       // Check notAllowed role
       if (notAllowed && userRole === notAllowed) {
-        return renderError(res, {
+        return renderError(res, req, {
           code: 403,
           error: "Access Denied",
           message: "You are not allowed to access this resource",
@@ -323,7 +328,7 @@ const checkRolePermission = (requiredRoles, notAllowed) => {
 
       // Check if user role is in allowed roles
       if (!rolesArray.includes(userRole)) {
-        return renderError(res, {
+        return renderError(res, req, {
           code: 403,
           error: "Access Denied",
           message: "You do not have permission to access this resource",

package/lib/middleware/index.js

@@ -98,11 +98,11 @@ export async function sessionRestorationMiddleware(req, res, next) {
           if (req.cookies.fullName && typeof req.cookies.fullName === 'string') {
             req.session.user.fullname = req.cookies.fullName;
           } else {
-            // Fallback: attempt to fetch FullName from profiledata to populate session
+            // Fallback: attempt to fetch FullName from Users to populate session
             try {
               const profileRes = await dblogin.query({
                 name: 'restore-get-fullname',
-                text: 'SELECT "FullName" FROM "profiledata" WHERE "UserName" = $1 LIMIT 1',
+                text: 'SELECT "FullName" FROM "Users" WHERE "UserName" = $1 LIMIT 1',
                 values: [row.UserName]
               });
               if (profileRes.rows.length > 0 && profileRes.rows[0].FullName) {