mbkauthe 4.1.2 → 4.1.4

package/docs/api.md

@@ -25,7 +25,73 @@ This document provides comprehensive API documentation for MBKAuthe authenticati
 MBKAuthe supports two authentication methods:
 
 1. **Session-based Authentication** - Cookie-based sessions for web applications
-2. **Token-based Authentication** - API key authentication for server-to-server communication
+2. **Token-based Authentication** - Persistent API keys for server-to-server communication
+
+### Token-based Authentication
+
+For API clients and external services, use a Bearer token in the `Authorization` header.
+
+**Header Format:**
+```
+Authorization: Bearer <your_api_token>
+```
+*Token format: `mbk_` followed by 64 hexadecimal characters.*
+
+**Behavior:**
+- **Stateless:** Validates against the `ApiTokens` table on every request.
+- **Expiration:** Tokens can have an optional expiration date.
+- **Permissions:** API tokens inherit the permissions of the user who created them.
+- **Usage Tracking:** The system updates the `LastUsed` timestamp on every successful request.
+
+**Errors:**
+- `401 Unauthorized` (Code 1005: `INVALID_AUTH_TOKEN`): Token is malformed or not found.
+- `401 Unauthorized` (Code 1006: `API_TOKEN_EXPIRED`): Token exists but has passed its expiration date.
+
+**Example Usage:**
+
+**1. Backend Implementation (Express):**
+
+Even when using API tokens, the `validateSession` middleware hydrates `req.session.user` for consistency, allowing you to use the same route logic for both browser and API clients.
+
+```javascript
+import { validateSession } from 'mbkauthe';
+
+app.get('/api/protected-resource', validateSession, (req, res) => {
+  // Access user info populated from the token
+  const user = req.session.user; // { id, username, role, ... }
+  
+  res.json({ 
+    message: `Hello ${user.username}`,
+    role: user.role
+  });
+});
+```
+
+**2. Client Request Examples:**
+
+*cURL:*
+```bash
+curl -X GET https://api.yourdomain.com/api/protected-resource \
+  -H "Authorization: Bearer mbk_7f83a92b1dc..."
+```
+
+*JavaScript (Fetch):*
+```javascript
+const response = await fetch('https://api.yourdomain.com/api/protected-resource', {
+  headers: {
+    'Authorization': 'Bearer mbk_7f83a92b1dc...'
+  }
+});
+const data = await response.json();
+```
+
+**Output:**
+```json
+{
+  "message": "Hello john.doe",
+  "role": "NormalUser"
+}
+```
 
 ---
 
@@ -38,7 +104,7 @@ When a user logs in, MBKAuthe creates a session and sets the following cookies:
 | Cookie Name | Description | HttpOnly | Secure | SameSite |
 |------------|-------------|----------|--------|----------|
 | `mbkauthe.sid` | Session identifier | ✓ | Auto* | lax |
-| `sessionId` | Opaque session token (backed by `Sessions` table) | ✓ | Auto* | lax |
+| `sessionId` | Encrypted session token (AES-256-GCM) | ✓ | Auto* | lax |
 | `username` | Username | ✗ | Auto* | lax |
 
 \* `secure` flag is automatically set to `true` in production when `IS_DEPLOYED=true`

package/docs/db.md

@@ -68,6 +68,25 @@ CREATE INDEX IF NOT EXISTS idx_user_google_google_id ON user_google (google_id);
 CREATE INDEX IF NOT EXISTS idx_user_google_user_name ON user_google (user_name);
 ```
 
+### 5. API Tokens Table
+Used for storing persistent API keys.
+
+```sql
+CREATE TABLE "ApiTokens" (
+    "id" SERIAL PRIMARY KEY,
+    "UserName" VARCHAR(50) NOT NULL REFERENCES "Users"("UserName") ON DELETE CASCADE,
+    "Name" VARCHAR(255) NOT NULL, -- User-provided friendly name
+    "TokenHash" VARCHAR(128) NOT NULL UNIQUE, -- Hashed access token (SHA-256)
+    "Prefix" VARCHAR(32) NOT NULL, -- First few chars of token for ID
+    "LastUsed" TIMESTAMP WITH TIME ZONE,
+    "CreatedAt" TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+    "ExpiresAt" TIMESTAMP WITH TIME ZONE -- Optional expiration
+);
+
+CREATE INDEX IF NOT EXISTS idx_apitokens_tokenhash ON "ApiTokens" ("TokenHash");
+CREATE INDEX IF NOT EXISTS idx_apitokens_username ON "ApiTokens" ("UserName");
+```
+
 ## How It Works
 
 ### Login Flow (GitHub/Google)

package/docs/db.sql

@@ -130,3 +130,20 @@ CREATE INDEX IF NOT EXISTS idx_trusted_devices_expires ON "TrustedDevices"("Expi
 -- No Encrypted password for 'support' user
 INSERT INTO "Users" ("UserName", "Password", "Role", "Active", "HaveMailAccount", "GuestRole")
         VALUES ('support', '12345678', 'SuperAdmin', true, false, '{"allowPages": [""], "NotallowPages": [""]}'::jsonb);
+
+
+
+-- API Tokens for persistent programmatic access
+CREATE TABLE "ApiTokens" (
+    "id" SERIAL PRIMARY KEY,
+    "UserName" VARCHAR(50) NOT NULL REFERENCES "Users"("UserName") ON DELETE CASCADE,
+    "Name" VARCHAR(255) NOT NULL, -- User-provided friendly name
+    "TokenHash" VARCHAR(128) NOT NULL UNIQUE, -- Hashed access token
+    "Prefix" VARCHAR(32) NOT NULL, -- First few chars of token for ID
+    "LastUsed" TIMESTAMP WITH TIME ZONE,
+    "CreatedAt" TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+    "ExpiresAt" TIMESTAMP WITH TIME ZONE -- Optional expiration
+);
+
+CREATE INDEX IF NOT EXISTS idx_apitokens_tokenhash ON "ApiTokens" ("TokenHash");
+CREATE INDEX IF NOT EXISTS idx_apitokens_username ON "ApiTokens" ("UserName");

package/docs/error-messages.md

@@ -168,6 +168,12 @@ Password doesn't meet length requirements.
 #### `1004 - INVALID_TOKEN_FORMAT`
 Token format is incorrect.
 
+#### `1005 - INVALID_AUTH_TOKEN`
+The provided API token is invalid.
+
+#### `1006 - API_TOKEN_EXPIRED`
+The provided API token has expired.
+
 ### Rate Limiting (1100-1199)
 
 #### `1101 - RATE_LIMIT_EXCEEDED`

package/index.js

@@ -99,4 +99,5 @@ export {
     ErrorCodes, ErrorMessages, getErrorByCode,
     createErrorResponse, logError
 } from "./lib/utils/errors.js";
+export { mbkautheVar } from "./lib/config/index.js";
 export default router;

package/lib/config/cookies.js

@@ -17,7 +17,7 @@ const getEncryptionKey = () => {
 // Encrypt and sign cookie payload
 const encryptCookiePayload = (data) => {
     try {
-        const iv = crypto.randomBytes(16);
+        const iv = crypto.randomBytes(12);
         const key = getEncryptionKey();
         const cipher = crypto.createCipheriv(ENCRYPTION_ALGORITHM, key, iv);
 
@@ -78,6 +78,26 @@ const generateFingerprint = (req) => {
         .substring(0, 32);
 };
 
+// Encrypt sessionId for cookie storage
+export const encryptSessionId = (sessionId) => {
+    if (!sessionId) return null;
+    const encrypted = encryptCookiePayload({ sessionId });
+    return encrypted ? JSON.stringify(encrypted) : null;
+};
+
+// Decrypt sessionId from cookie
+export const decryptSessionId = (encryptedSessionId) => {
+    if (!encryptedSessionId) return null;
+    try {
+        const parsed = JSON.parse(encryptedSessionId);
+        const decrypted = decryptCookiePayload(parsed);
+        return decrypted?.sessionId || null;
+    } catch (error) {
+        console.error('[mbkauthe] SessionId decryption error:', error);
+        return null;
+    }
+};
+
 // Shared cookie options functions
 const getCookieOptions = () => ({
     maxAge: mbkautheVar.COOKIE_EXPIRE_TIME * 24 * 60 * 60 * 1000,

package/lib/config/index.js

@@ -36,8 +36,6 @@ function validateConfiguration() {
             if (mbkauthShared && typeof mbkauthShared !== 'object') {
                 console.warn('[mbkauthe] mbkauthShared is not a valid object, ignoring it');
                 mbkauthShared = null;
-            } else {
-                console.log('[mbkauthe] mbkauthShared detected and parsed successfully');
             }
         }
     } catch (error) {
@@ -46,6 +44,8 @@ function validateConfiguration() {
     }
 
     // Merge fallback settings: for any key missing or empty in mbkautheVar, check mbkauthShared
+    const usedFromShared = [];
+    const usedDefaults = [];
     const applyFallback = (source, sourceName) => {
         if (!source) return;
         Object.keys(source).forEach(key => {
@@ -53,7 +53,7 @@ function validateConfiguration() {
             if ((mbkautheVar[key] === undefined || (typeof mbkautheVar[key] === 'string' && mbkautheVar[key].trim() === '')) &&
                 val !== undefined && !(typeof val === 'string' && val.trim() === '')) {
                 mbkautheVar[key] = val;
-                console.log(`[mbkauthe] Using ${key} from ${sourceName}`);
+                if (sourceName === 'mbkauthShared') usedFromShared.push(key);
             }
         });
     };
@@ -86,10 +86,10 @@ function validateConfiguration() {
         if (isEmpty) {
             if (mbkauthShared && mbkauthShared[key] !== undefined && !(typeof mbkauthShared[key] === 'string' && mbkauthShared[key].trim() === '')) {
                 mbkautheVar[key] = mbkauthShared[key];
-                console.log(`[mbkauthe] Using ${key} from mbkauthShared`);
+                if (!usedFromShared.includes(key)) usedFromShared.push(key);
             } else if (defaults[key] !== undefined) {
                 mbkautheVar[key] = defaults[key];
-                console.log(`[mbkauthe] Using default value for ${key}`);
+                usedDefaults.push(key);
             }
         }
     });
@@ -209,7 +209,16 @@ function validateConfiguration() {
         throw new Error(`[mbkauthe] Configuration Validation Failed:\n  - ${errors.join('\n  - ')}`);
     }
 
-    console.log('[mbkauthe] Configuration validation passed successfully');
+    // Print consolidated configuration summary
+    const configParts = [];
+    if (mbkauthShared) {
+        configParts.push(`mbkauthShared: ${usedFromShared.length} keys`);
+    }
+    if (usedDefaults.length > 0) {
+        configParts.push(`defaults: ${usedDefaults.length} keys`);
+    }
+    const configSummary = configParts.length > 0 ? ` (${configParts.join(', ')})` : '';
+    console.log(`[mbkauthe] Configuration loaded${configSummary}`);
     return mbkautheVar;
 }
 

package/lib/config/security.js

@@ -5,4 +5,11 @@ export const hashPassword = (password, username) => {
     const salt = username;
     // 128 characters returned
     return crypto.pbkdf2Sync(password, salt, 100000, 64, 'sha512').toString('hex');
+};
+
+// Hash an API token for storage
+// Uses SHA-256 for fast, secure non-reversible hashing
+export const hashApiToken = (token) => {
+    if (!token) return null;
+    return crypto.createHash('sha256').update(token).digest('hex');
 };

package/lib/middleware/auth.js

@@ -2,8 +2,103 @@ import { dblogin } from "../database/pool.js";
 import { mbkautheVar } from "../config/index.js";
 import { renderError } from "../utils/response.js";
 import { clearSessionCookies, cachedCookieOptions, readAccountListFromCookie } from "../config/cookies.js";
+import { ErrorCodes, createErrorResponse } from "../utils/errors.js";
+import { hashApiToken } from "../config/security.js";
+
+/**
+ * Validates a Bearer token (API Token or Session UUID)
+ * Returns a user object if valid, or null/error object
+ */
+async function validateTokenAuthentication(req) {
+  const authHeader = req.headers.authorization;
+  if (!authHeader) return null;
+
+  const parts = authHeader.split(' ');
+  if (parts.length !== 2 || parts[0] !== 'Bearer') return null;
+  const token = parts[1];
+
+  // 1. Check for API Token (mbk_)
+  if (token.startsWith('mbk_')) {
+    const tokenHash = hashApiToken(token);
+    const tokenQuery = `
+      SELECT t.id, t."UserName", t."ExpiresAt", u.id as uid, u."Active", u."Role", u."AllowedApps", u."FullName"
+      FROM "ApiTokens" t
+      JOIN "Users" u ON t."UserName" = u."UserName"
+      WHERE t."TokenHash" = $1 LIMIT 1
+    `;
+    const tokenResult = await dblogin.query({ name: 'validate-api-token', text: tokenQuery, values: [tokenHash] });
+
+    if (tokenResult.rows.length === 0) return { error: 'INVALID_TOKEN' };
+    
+    const row = tokenResult.rows[0];
+    if (row.ExpiresAt && new Date(row.ExpiresAt) <= new Date()) return { error: 'TOKEN_EXPIRED' };
+
+    // Update usage
+    dblogin.query({
+        text: 'UPDATE "ApiTokens" SET "LastUsed" = NOW() WHERE id = $1',
+        values: [row.id]
+    }).catch(e => console.error('[mbkauthe] Failed to update token usage:', e));
+
+    return {
+        id: row.uid,
+        username: row.UserName,
+        fullname: row.FullName,
+        role: row.Role,
+        sessionId: 'api-token-session',
+        allowedApps: row.AllowedApps,
+        active: row.Active
+    };
+  }
+
+  return null;
+}
 
 async function validateSession(req, res, next) {
+  // --- Check for API Token Header first ---
+  if (req.headers.authorization) {
+    try {
+      const tokenUser = await validateTokenAuthentication(req);
+      
+      if (tokenUser && !tokenUser.error) {
+         if (!tokenUser.active) {
+            return res.status(401).json(createErrorResponse(401, ErrorCodes.ACCOUNT_INACTIVE));
+         }
+
+         if (tokenUser.role !== "SuperAdmin") {
+            const allowedApps = tokenUser.allowedApps;
+            const hasAllowedApps = Array.isArray(allowedApps) && allowedApps.length > 0;
+            if (!hasAllowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
+              return res.status(401).json(createErrorResponse(401, ErrorCodes.APP_NOT_AUTHORIZED));
+            }
+         }
+
+         // Populate session for downstream
+         req.session.user = {
+            id: tokenUser.id,
+            username: tokenUser.username,
+            fullname: tokenUser.fullname,
+            role: tokenUser.role,
+            sessionId: tokenUser.sessionId,
+            allowedApps: tokenUser.allowedApps,
+         };
+         req.userRole = tokenUser.role;
+         return next();
+      }
+      
+      // Token provided but invalid (or null if format incorrect)
+      let errorCode = ErrorCodes.INVALID_AUTH_TOKEN;
+      if (tokenUser && tokenUser.error === 'TOKEN_EXPIRED') {
+         errorCode = ErrorCodes.API_TOKEN_EXPIRED;
+      }
+      return res.status(401).json(createErrorResponse(401, errorCode));
+
+    } catch (err) {
+      console.error("[mbkauthe] Token validation error:", err);
+      return res.status(500).json(createErrorResponse(500, ErrorCodes.INTERNAL_SERVER_ERROR));
+    }
+  }
+
+  // --- Fallback to Cookie Session ---
   if (!req.session.user) {
     console.log("[mbkauthe] User not authenticated");
     console.log("[mbkauthe]: ", req.session.user);
@@ -258,7 +353,7 @@ export async function reloadSessionUser(req, res) {
       req.session.user.fullname = req.cookies.fullName;
     } else {
       try {
-        const prof = await dblogin.query({ name: 'reload-get-fullname', text: 'SELECT "FullName" FROM "USers" WHERE "UserName" = $1 LIMIT 1', values: [row.UserName] });
+        const prof = await dblogin.query({ name: 'reload-get-fullname', text: 'SELECT "FullName" FROM "Users" WHERE "UserName" = $1 LIMIT 1', values: [row.UserName] });
         if (prof.rows.length > 0 && prof.rows[0].FullName) req.session.user.fullname = prof.rows[0].FullName;
       } catch (profileErr) {
         console.error('[mbkauthe] Error fetching fullname during reload:', profileErr);
@@ -270,7 +365,7 @@ export async function reloadSessionUser(req, res) {
 
     // Sync cookies for client UI (non-httpOnly)
     try {
-      res.cookie('username', req.session.user.username, { ...cachedCookieOptions, httpOnly: false });
+            res.cookie('username', req.session.user.username, { ...cachedCookieOptions, httpOnly: false });
       res.cookie('fullName', req.session.user.fullname || req.session.user.username, { ...cachedCookieOptions, httpOnly: false });
       res.cookie('sessionId', req.session.user.sessionId, cachedCookieOptions);
     } catch (cookieErr) {

package/lib/middleware/index.js

@@ -3,7 +3,7 @@ import pgSession from "connect-pg-simple";
 const PgSession = pgSession(session);
 import { dblogin } from "../database/pool.js";
 import { mbkautheVar } from "../config/index.js";
-import { cachedCookieOptions } from "../config/cookies.js";
+import { cachedCookieOptions, decryptSessionId, encryptSessionId } from "../config/cookies.js";
 
 // Session configuration
 export const sessionConfig = {
@@ -55,10 +55,11 @@ export function corsMiddleware(req, res, next) {
 export async function sessionRestorationMiddleware(req, res, next) {
   // Only restore session if not already present and sessionId cookie exists
   if (!req.session.user && req.cookies.sessionId) {
-    const sessionId = req.cookies.sessionId;
+    // Decrypt the sessionId from cookie
+    const sessionId = decryptSessionId(req.cookies.sessionId);
 
     // Early validation to avoid unnecessary processing (expect DB UUID id)
-    if (typeof sessionId !== 'string' || !/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(sessionId)) {
+    if (!sessionId || typeof sessionId !== 'string' || !/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(sessionId)) {
       // Clear invalid cookie to prevent repeated attempts
       res.clearCookie('sessionId', {
         domain: mbkautheVar.IS_DEPLOYED === 'true' ? `.${mbkautheVar.DOMAIN}` : undefined,
@@ -124,12 +125,18 @@ export async function sessionRestorationMiddleware(req, res, next) {
 // Session cookie sync middleware
 export function sessionCookieSyncMiddleware(req, res, next) {
   if (req.session && req.session.user) {
+    // Decrypt existing cookie to compare with session
+    const currentDecryptedId = decryptSessionId(req.cookies.sessionId);
+
     // Only set cookies if they're missing or different
-    if (req.cookies.sessionId !== req.session.user.sessionId) {
+    if (currentDecryptedId !== req.session.user.sessionId) {
       res.cookie("username", req.session.user.username, { ...cachedCookieOptions, httpOnly: false });
-      // Also expose FullName (fallback to username) for display in client-side UI
       res.cookie("fullName", req.session.user.fullname || req.session.user.username, { ...cachedCookieOptions, httpOnly: false });
-      res.cookie("sessionId", req.session.user.sessionId, cachedCookieOptions);
+      
+      const encryptedSessionId = encryptSessionId(req.session.user.sessionId);
+      if (encryptedSessionId) {
+        res.cookie("sessionId", encryptedSessionId, cachedCookieOptions);
+      }
     }
   }
   next();

package/lib/routes/auth.js

@@ -8,10 +8,11 @@ import { mbkautheVar } from "../config/index.js";
 import {
   cachedCookieOptions, cachedClearCookieOptions, clearSessionCookies,
   generateDeviceToken, getDeviceTokenCookieOptions, DEVICE_TRUST_DURATION_MS, hashDeviceToken,
-  upsertAccountListCookie, readAccountListFromCookie, removeAccountFromCookie, clearAccountListCookie
+  upsertAccountListCookie, readAccountListFromCookie, removeAccountFromCookie, clearAccountListCookie,
+  encryptSessionId
 } from "../config/cookies.js";
 import { packageJson } from "../config/index.js";
-import { hashPassword } from "../config/security.js";
+import { hashPassword, hashApiToken } from "../config/security.js";
 import { ErrorCodes, createErrorResponse, logError } from "../utils/errors.js";
 
 const router = express.Router();
@@ -218,13 +219,20 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
 
     const expiresAt = new Date(Date.now() + (cachedCookieOptions.maxAge || 0));
 
-    // Insert new session record for the user (store username) and return the DB id
-    const insertRes = await dblogin.query({
-      name: 'insert-app-session',
-      text: `INSERT INTO "Sessions" ("UserName", expires_at, meta) VALUES ($1, $2, $3) RETURNING id`,
-      values: [username, expiresAt, JSON.stringify({ ip: req.ip, ua: req.headers['user-agent'] || null })]
-    });
-    const dbSessionId = insertRes.rows[0].id;
+    // Insert new session record for the user (generate id explicitly to avoid relying on DB default)
+    const newSessionId = crypto.randomUUID();
+    let dbSessionId;
+    try {
+      const insertRes = await dblogin.query({
+        name: 'insert-app-session',
+        text: `INSERT INTO "Sessions" ("UserName", expires_at, meta) VALUES ($1, $2, $3) RETURNING id`,
+        values: [username, expiresAt, JSON.stringify({ ip: req.ip, ua: req.headers['user-agent'] || null })]
+      });
+      dbSessionId = insertRes.rows[0].id;
+    } catch (insertErr) {
+      console.error('[mbkauthe] Error inserting app session:', insertErr);
+      throw insertErr;
+    }
 
     // Update last_login timestamp for the user
     await dblogin.query({
@@ -269,7 +277,11 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
       }
 
       // Expose DB session id and display name to client for UI (fullName falls back to username)
-      res.cookie("sessionId", dbSessionId, cachedCookieOptions);
+      const encryptedSessionId = encryptSessionId(dbSessionId);
+      if (encryptedSessionId) {
+        res.cookie("sessionId", encryptedSessionId, cachedCookieOptions);
+      }
+      res.cookie("username", username, { ...cachedCookieOptions, httpOnly: false });
       res.cookie("fullName", req.session.user.fullname || username, { ...cachedCookieOptions, httpOnly: false });
 
       // Remember this account on the device for quick switching (server-trusted list)
@@ -693,7 +705,8 @@ router.post("/api/switch-session", LoginLimit, async (req, res) => {
   }
 
   const storedAccounts = readAccountListFromCookie(req);
-  if (!storedAccounts.some(acct => acct.sessionId === sessionId)) {
+  const acct = storedAccounts.find(a => a.sessionId === sessionId);
+  if (!acct) {
     return res.status(403).json(createErrorResponse(403, ErrorCodes.SESSION_NOT_FOUND, { message: 'Account not available on this device' }));
   }
 

package/lib/routes/oauth.js

@@ -108,6 +108,9 @@ const createOAuthStrategy = async (provider, profile, done) => {
   }
 };
 
+// Configure OAuth strategies and track enabled providers
+const enabledProviders = [];
+
 // Configure GitHub Strategy for login (only if enabled and configured)
 if ((mbkautheVar.GITHUB_LOGIN_ENABLED || "").toLowerCase() === "true") {
   if (mbkautheVar.GITHUB_CLIENT_ID && mbkautheVar.GITHUB_CLIENT_SECRET) {
@@ -119,12 +122,10 @@ if ((mbkautheVar.GITHUB_LOGIN_ENABLED || "").toLowerCase() === "true") {
     }, (accessToken, refreshToken, profile, done) =>
       createOAuthStrategy('GitHub', profile, done)
     ));
-    console.log('[mbkauthe] GitHub OAuth strategy registered');
+    enabledProviders.push('GitHub');
   } else {
     console.warn('[mbkauthe] GITHUB_LOGIN_ENABLED is true but GITHUB_CLIENT_ID/SECRET missing; skipping GitHub strategy registration');
   }
-} else {
-  console.log('[mbkauthe] GitHub OAuth not enabled; skipping GitHub strategy registration');
 }
 
 // Configure Google Strategy for login (only if enabled and configured)
@@ -138,12 +139,15 @@ if ((mbkautheVar.GOOGLE_LOGIN_ENABLED || "").toLowerCase() === "true") {
     }, (accessToken, refreshToken, profile, done) =>
       createOAuthStrategy('Google', profile, done)
     ));
-    console.log('[mbkauthe] Google OAuth strategy registered');
+    enabledProviders.push('Google');
   } else {
     console.warn('[mbkauthe] GOOGLE_LOGIN_ENABLED is true but GOOGLE_CLIENT_ID/SECRET missing; skipping Google strategy registration');
   }
-} else {
-  console.log('[mbkauthe] Google OAuth not enabled; skipping Google strategy registration');
+}
+
+// Print consolidated OAuth summary
+if (enabledProviders.length > 0) {
+  console.log(`[mbkauthe] OAuth providers: ${enabledProviders.join(', ')}`);
 }
 
 // Serialize/Deserialize user for OAuth login

package/lib/utils/errors.js

@@ -32,6 +32,8 @@ export const ErrorCodes = {
   INVALID_USERNAME_FORMAT: 1002,
   INVALID_PASSWORD_LENGTH: 1003,
   INVALID_TOKEN_FORMAT: 1004,
+  INVALID_AUTH_TOKEN: 1005,
+  API_TOKEN_EXPIRED: 1006,
 
   // Rate limiting (1100-1199)
   RATE_LIMIT_EXCEEDED: 1101,
@@ -148,6 +150,16 @@ export const ErrorMessages = {
     userMessage: "Please enter a valid 6-digit code.",
     hint: "The code should be 6 numbers from your authenticator app"
   },
+  [ErrorCodes.INVALID_AUTH_TOKEN]: {
+    message: "Invalid API token",
+    userMessage: "The provided API token is invalid.",
+    hint: "Please check your token and try again"
+  },
+  [ErrorCodes.API_TOKEN_EXPIRED]: {
+    message: "API token expired",
+    userMessage: "The provided API token has expired.",
+    hint: "Please generate a new API token"
+  },
 
   // Rate Limiting
   [ErrorCodes.RATE_LIMIT_EXCEEDED]: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mbkauthe",
-  "version": "4.1.2",
+  "version": "4.1.4",
   "description": "MBKTech's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",

package/views/showmessage.handlebars

@@ -1,4 +1,4 @@
-<div class="showMessageOverlay" id="messageOverlay" aria-hidden="true">
+<div class="showMessageOverlay" id="messageOverlay" aria-hidden="true" hidden>
     <div class="messageModal" role="dialog" aria-modal="true" aria-labelledby="messageTitle"
         aria-describedby="messageContent">
         <div class="messageHeader">
@@ -115,6 +115,7 @@
         }
 
         // Show Modal
+        overlay.removeAttribute("hidden");
         overlay.classList.add("active");
         document.body.classList.add("blur-active");
         overlay.setAttribute("aria-hidden", "false");
@@ -131,6 +132,7 @@
             overlay.classList.remove("active", "fade-out");
             document.body.classList.remove("blur-active");
             overlay.setAttribute("aria-hidden", "true");
+            overlay.setAttribute("hidden", "");
         }, 300);
     }