mbkauthe 4.3.0 → 4.3.2

package/docs/api.md

@@ -108,7 +108,7 @@ When a user logs in, MBKAuthe creates a session and sets the following cookies:
 | Cookie Name | Description | HttpOnly | Secure | SameSite |
 |------------|-------------|----------|--------|----------|
 | `mbkauthe.sid` | Session identifier | ✓ | Auto* | lax |
-| `sessionId` | Encrypted session token (AES-256-GCM). This cookie is encrypted and treated as an opaque value by clients; do not attempt to parse or rely on the raw cookie contents. Use server endpoints (e.g., `/mbkauthe/api/checkSession`) to validate or query session information. | ✓ | Auto* | lax |
+| `sessionId` | Encrypted session token (AES-256-GCM). This cookie is encrypted and treated as an opaque value by clients; do not attempt to parse or rely on the raw cookie contents. Use server endpoints (e.g., `GET /mbkauthe/api/checkSession`, `POST /mbkauthe/api/checkSession` (body) or `POST /mbkauthe/api/verifySession`) to validate or query session information. | ✓ | Auto* | lax |
 | `username` | Username | ✗ | Auto* | lax |
 
 \* `secure` flag is automatically set to `true` in production when `IS_DEPLOYED=true`
@@ -301,6 +301,97 @@ fetch('/mbkauthe/api/checkSession')
 
 ---
 
+#### `POST /mbkauthe/api/checkSession` (body)
+
+Validate a session by providing a session identifier in the request body. Useful for server-to-server checks or when you have an encrypted `sessionId` value from a cookie and need to validate it server-side.
+
+**Rate Limit:** 8 requests per minute (same limiter used by public session endpoints)
+
+**Request Body (JSON):**
+```json
+{
+  "sessionId": "string (uuid or encrypted string)",
+  "isEncrypt": "boolean | 'true' (optional, indicates sessionId is encrypted)
+}
+```
+
+**Notes:**
+- The endpoint accepts `isEncrypt` or the misspelled `isEncryt` (both `true` or the string `'true'` are accepted).
+- If `isEncrypt` is true, the server will first attempt `decodeURIComponent()` on the value and then decrypt it (AES) to obtain a UUID session id. If decryption fails or the resulting value is not a UUID, the server returns `400 Bad Request` with `SESSION_INVALID`.
+- A missing `sessionId` returns `400 Bad Request` with `MISSING_REQUIRED_FIELD`.
+
+**Success Response (200 OK):**
+```json
+{
+  "sessionValid": true,
+  "expiry": "2025-12-27T12:34:56.000Z"
+}
+```
+
+**Invalid/Expired Session:**
+- Returns 200 with `{ "sessionValid": false, "expiry": null }` for unknown/expired/inactive sessions.
+
+**Example Request (Fetch):**
+```javascript
+fetch('/mbkauthe/api/checkSession', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({ sessionId: '550e8400-e29b-41d4-a716-446655440000' })
+}).then(r => r.json()).then(console.log);
+```
+
+**Example Request (Encrypted sessionId):**
+```javascript
+fetch('/mbkauthe/api/checkSession', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({ sessionId: 'ENCRYPTED_VALUE', isEncrypt: true })
+}).then(r => r.json()).then(console.log);
+```
+
+---
+
+#### `POST /mbkauthe/api/verifySession`
+
+Returns session details for a provided `sessionId`. Intended for server-side validation and to retrieve associated user metadata without relying on an active cookie session.
+
+**Request Body (JSON):**
+```json
+{
+  "sessionId": "string (uuid or encrypted string)",
+  "isEncrypt": "boolean | 'true' (optional)"
+}
+```
+
+**Behavior and Notes:**
+- `isEncrypt`/`isEncryt` have the same behavior as in `/api/checkSession`.
+- If the session is valid and active, the response includes `username` and `role`.
+- Missing or invalid `sessionId` results in `400 Bad Request` with an appropriate error code (`MISSING_REQUIRED_FIELD` or `SESSION_INVALID`).
+
+**Success Response (200 OK):**
+```json
+{
+  "valid": true,
+  "expiry": "2025-12-27T12:34:56.000Z",
+  "username": "john.doe",
+  "role": "NormalUser"
+}
+```
+
+**Invalid/Expired Session:**
+- Returns 200 with `{ "valid": false, "expiry": null }` for unknown/expired/inactive sessions.
+
+**Example Request:**
+```javascript
+fetch('/mbkauthe/api/verifySession', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({ sessionId: '550e8400-e29b-41d4-a716-446655440000' })
+}).then(r => r.json()).then(console.log);
+```
+
+---
+
 #### `GET /mbkauthe/2fa`
 
 Renders the Two-Factor Authentication verification page.

package/lib/routes/misc.js

@@ -4,9 +4,9 @@ import rateLimit from 'express-rate-limit';
 import { mbkautheVar, packageJson, appVersion } from "#config.js";
 import { renderError } from "#response.js";
 import { authenticate, validateSession, validateApiSession } from "../middleware/auth.js";
-import { ErrorCodes, ErrorMessages } from "../utils/errors.js";
+import { ErrorCodes, ErrorMessages, createErrorResponse } from "../utils/errors.js";
 import { dblogin } from "#pool.js";
-import { clearSessionCookies } from "#cookies.js";
+import { clearSessionCookies, decryptSessionId } from "#cookies.js";
 import { fileURLToPath } from "url";
 import path from "path";
 import fs from "fs";
@@ -236,6 +236,107 @@ router.get('/api/checkSession', LoginLimit, async (req, res) => {
   }
 });
 
+// UUID helper used by session endpoints
+const isUuid = (val) => typeof val === 'string' && /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(val);
+
+// POST /api/checkSession — accept sessionId in request body { sessionId: "<uuid>" }
+router.post('/api/checkSession', LoginLimit, async (req, res) => {
+  try {
+    const { sessionId: rawSessionId, isEncrypt, isEncryt } = req.body || {};
+    let sessionId = rawSessionId;
+    if (!sessionId) {
+      return res.status(400).json(createErrorResponse(400, ErrorCodes.MISSING_REQUIRED_FIELD));
+    }
+
+    // If body indicates the sessionId is encrypted, decode (if URL-encoded) then decrypt it first
+    const encryptedFlag = isEncrypt === true || isEncrypt === 'true' || isEncryt === true || isEncryt === 'true';
+    if (encryptedFlag) {
+      // Some clients URL-encode cookie values when posting; safely try to decode first
+      let toDecrypt = typeof sessionId === 'string' ? sessionId : String(sessionId);
+      try {
+        toDecrypt = decodeURIComponent(toDecrypt);
+      } catch (decodeErr) {
+        // ignore decode errors and continue with original value
+      }
+      const decrypted = decryptSessionId(toDecrypt);
+      if (!decrypted || !isUuid(decrypted)) {
+        return res.status(400).json(createErrorResponse(400, ErrorCodes.SESSION_INVALID));
+      }
+      sessionId = decrypted;
+    }
+
+    const result = await dblogin.query({
+      name: 'check-session-validity-by-id',
+      text: `SELECT s.expires_at, u."Active" FROM "Sessions" s JOIN "Users" u ON s."UserName" = u."UserName" WHERE s.id = $1 LIMIT 1`,
+      values: [sessionId]
+    });
+
+    if (result.rows.length === 0) {
+      return res.status(200).json({ sessionValid: false, expiry: null });
+    }
+
+    const row = result.rows[0];
+    if ((row.expires_at && new Date(row.expires_at) <= new Date()) || !row.Active) {
+      return res.status(200).json({ sessionValid: false, expiry: null });
+    }
+
+    const expiry = row.expires_at ? new Date(row.expires_at).toISOString() : null;
+    return res.status(200).json({ sessionValid: true, expiry });
+  } catch (err) {
+    console.error('[mbkauthe] checkSession (body) error:', err);
+    return res.status(200).json({ sessionValid: false, expiry: null });
+  }
+});
+
+// POST /api/verifySession — returns details about sessionId provided in body
+router.post('/api/verifySession', LoginLimit, async (req, res) => {
+  try {
+    const { sessionId: rawSessionId, isEncrypt, isEncryt } = req.body || {};
+    let sessionId = rawSessionId;
+    if (!sessionId) {
+      return res.status(400).json(createErrorResponse(400, ErrorCodes.MISSING_REQUIRED_FIELD));
+    }
+
+    // If body indicates the sessionId is encrypted, decode (if URL-encoded) then decrypt it first
+    const encryptedFlag = isEncrypt === true || isEncrypt === 'true' || isEncryt === true || isEncryt === 'true';
+    if (encryptedFlag) {
+      // Some clients URL-encode cookie values when posting; safely try to decode first
+      let toDecrypt = typeof sessionId === 'string' ? sessionId : String(sessionId);
+      try {
+        toDecrypt = decodeURIComponent(toDecrypt);
+      } catch (decodeErr) {
+        // ignore decode errors and continue with original value
+      }
+      const decrypted = decryptSessionId(toDecrypt);
+      if (!decrypted || !isUuid(decrypted)) {
+        return res.status(400).json(createErrorResponse(400, ErrorCodes.SESSION_INVALID));
+      }
+      sessionId = decrypted;
+    }
+
+    const query = `SELECT s.id as sid, s.expires_at, u.id as uid, u."UserName", u."Active", u."Role", u."AllowedApps"
+                   FROM "Sessions" s
+                   JOIN "Users" u ON s."UserName" = u."UserName"
+                   WHERE s.id = $1 LIMIT 1`;
+    const result = await dblogin.query({ name: 'verify-session', text: query, values: [sessionId] });
+
+    if (result.rows.length === 0) {
+      return res.status(200).json({ valid: false, expiry: null });
+    }
+
+    const row = result.rows[0];
+    if ((row.expires_at && new Date(row.expires_at) <= new Date()) || !row.Active) {
+      return res.status(200).json({ valid: false, expiry: null });
+    }
+
+    const expiry = row.expires_at ? new Date(row.expires_at).toISOString() : null;
+    return res.status(200).json({ valid: true, expiry, username: row.UserName, role: row.Role });
+  } catch (err) {
+    console.error('[mbkauthe] verifySession error:', err);
+    return res.status(200).json({ valid: false, expiry: null });
+  }
+});
+
 // Error codes page
 router.get("/ErrorCode", (req, res) => {
   try {
@@ -427,4 +528,4 @@ router.post("/api/terminateAllSessions", AdminOperationLimit, authenticate(mbkau
   }
 });
 
-export default router;
+export default router;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mbkauthe",
-  "version": "4.3.0",
+  "version": "4.3.2",
   "description": "MBKTech's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",

package/views/profilemenu.handlebars

@@ -1,45 +1,76 @@
-<div class="header-actions">
+<div class="mbkauthe-header-actions">
     {{#if userLoggedIn}}
-    <div class="profile-menu">
-        <button class="profile-trigger" type="button" aria-expanded="false" aria-haspopup="true">
-            <img src="/mbkauthe/user/profilepic?u={{username}}" alt="Profile" class="profile-avatar">
+    <div class="mbkauthe-profile-menu">
+        <button class="mbkauthe-profile-trigger" type="button" aria-expanded="false" aria-haspopup="true">
+            <img src="/mbkauthe/user/profilepic?u={{username}}" alt="Profile" class="mbkauthe-profile-avatar">
         </button>
-        <div class="profile-dropdown" role="menu" hidden>
-            <a class="profile-item" role="menuitem" title="{{username}}">
+        <div class="mbkauthe-profile-dropdown" role="menu" hidden>
+            <a class="mbkauthe-profile-item" role="menuitem" title="{{username}}">
                 <span>@{{username}}</span>
             </a>
-            <a class="profile-item" href="https://portal.mbktech.org/user/settings" role="menuitem" title="Settings">
+            <a class="mbkauthe-profile-item" href="https://portal.mbktech.org/user/settings" role="menuitem"
+                title="Settings">
                 <i class="fas fa-cog"></i>
                 <span>Settings</span>
             </a>
-            <a class="profile-item" href="/mbkauthe/accounts" role="menuitem" title="Switch or Add another Account">
+            <a class="mbkauthe-profile-item" href="/mbkauthe/accounts" role="menuitem"
+                title="Switch or Add another Account">
                 <i class="fa fa-user-group"></i>
                 <span>Switch account</span>
             </a>
-            <button class="profile-item" type="button" data-action="logout" role="menuitem" title="Logout">
+            <button class="mbkauthe-profile-item" type="button" data-action="logout" role="menuitem" title="Logout">
                 <i class="fas fa-sign-out-alt"></i>
                 <span>Logout</span>
             </button>
         </div>
     </div>
     {{else}}
-    <a class="btn-login" style="text-decoration: none;" href="/mbkauthe/login"><i class="fas fa-sign-in-alt"></i>
+    <a class="mbkauthe-btn-login" style="text-decoration: none;" href="/mbkauthe/login"><i
+            class="fas fa-sign-in-alt"></i>
         Login</a>
     {{/if}}
 </div>
 <style>
-    .header-actions {
+    .mbkauthe-btn-login {
+        width: 100%;
+        padding: 8px;
+        border-radius: var(--border-radius);
+        background: var(--accent);
+        color: var(--dark);
+        font-weight: 700;
+        font-size: 1.2rem;
+        border: .1rem solid var(--accent);
+        cursor: pointer;
+        transition: all 0.4s cubic-bezier(.4, 0, .2, 1);
+        box-shadow: var(--box-shadow);
+    }
+
+    .mbkauthe-btn-login:hover {
+        background: var(--dark);
+        color: var(--accent);
+        box-shadow: 0 6px 20px rgba(0, 184, 148, 0.3);
+    }
+
+    .mbkauthe-btn-login:disabled {
+        background: var(--dark);
+        color: var(--accent);
+        cursor: not-allowed;
+        transform: none;
+        box-shadow: none;
+    }
+
+    .mbkauthe-header-actions {
         display: flex;
         align-items: center;
         gap: 0.75rem;
         margin-left: auto;
     }
 
-    .profile-menu {
+    .mbkauthe-profile-menu {
         position: relative;
     }
 
-    .profile-trigger {
+    .mbkauthe-profile-trigger {
         width: 45px;
         height: 45px;
         border-radius: 999px;
@@ -52,17 +83,17 @@
         transition: var(--transition);
     }
 
-    .profile-trigger:hover {
+    .mbkauthe-profile-trigger:hover {
         border-color: var(--accent);
         box-shadow: 0 10px 30px rgba(0, 184, 148, 0.2);
     }
 
-    .profile-trigger:focus-visible {
+    .mbkauthe-profile-trigger:focus-visible {
         outline: 2px solid var(--accent);
         outline-offset: 2px;
     }
 
-    .profile-avatar {
+    .mbkauthe-profile-avatar {
         width: 40px;
         height: 40px;
         border-radius: 999px;
@@ -70,34 +101,46 @@
         background: var(--dark);
     }
 
-    .profile-dropdown {
+    /* Theme-aware dropdown variables and improved visuals */
+    .mbkauthe-profile-dropdown {
+        --mbk-bg: var(--mbkauthe-dropdown-bg, #ffffff);
+        --mbk-border: var(--mbkauthe-dropdown-border, rgba(15, 23, 42, 0.06));
+        --mbk-item-hover: var(--mbkauthe-item-hover, rgba(15, 23, 42, 0.03));
+        --mbk-text: var(--mbkauthe-text, var(--text, #0f172a));
+
         position: absolute;
         right: 0;
         top: calc(100% + 0.5rem);
-        background: var(--darker);
-        border: 1px solid rgba(255, 255, 255, 0.08);
+        background: var(--mbk-bg);
+        border: 1px solid var(--mbk-border);
         border-radius: var(--border-radius);
         min-width: 190px;
-        box-shadow: 0 12px 32px rgba(0, 0, 0, 0.4);
+        box-shadow: 0 10px 30px rgba(2, 6, 23, 0.12);
         padding: 0;
         opacity: 0;
         visibility: hidden;
         transform: translateY(-6px);
         transition: var(--transition);
         z-index: 1000;
+        backdrop-filter: blur(6px);
+        -webkit-backdrop-filter: blur(6px);
+        color: var(--mbk-text);
+        overflow: hidden;
     }
 
-    .profile-dropdown.open {
+    .mbkauthe-profile-dropdown.open {
+        display: block;
         opacity: 1;
         visibility: visible;
         transform: translateY(0);
+        border-radius: 3%;
     }
 
-    .profile-item {
+    .mbkauthe-profile-item {
         width: 100%;
         display: block;
         padding: 0.85rem 1rem;
-        color: var(--text);
+        color: var(--mbk-text);
         background: transparent;
         border: none;
         text-decoration: none;
@@ -105,61 +148,103 @@
         font-weight: 600;
         letter-spacing: 0.01em;
         cursor: pointer;
-        transition: var(--transition);
+        transition: background 0.12s ease, color 0.12s ease, transform 0.12s ease;
     }
 
-    .profile-item:hover {
-        background: rgba(255, 255, 255, 0.05);
-        color: var(--accent);
+    .mbkauthe-profile-item:hover {
+        background: var(--mbk-item-hover);
+        color: var(--color-accent, var(--accent, #0d9488));
     }
 
-    .profile-item:disabled {
+    .mbkauthe-profile-item:focus-visible {
+        outline: 2px solid color-mix(in srgb, var(--color-accent, var(--accent, #0d9488)) 40%, transparent 60%);
+        outline-offset: 2px;
+    }
+
+    .mbkauthe-profile-item:disabled {
         opacity: 0.6;
         cursor: not-allowed;
     }
+
+    /* Make trigger adapt to theme */
+    .mbkauthe-profile-trigger {
+        transition: box-shadow 0.15s ease, border-color 0.15s ease, transform 0.12s ease;
+    }
+
+    .mbkauthe-profile-trigger:hover {
+    }
+
+    /* prefers-color-scheme fallbacks scoped to component */
+    @media (prefers-color-scheme: dark) {
+        .mbkauthe-profile-dropdown {
+            --mbk-bg: #0b1220;
+            --mbk-border: rgba(255, 255, 255, 0.06);
+            --mbk-item-hover: rgba(255, 255, 255, 0.03);
+            --mbk-text: #e6eef6;
+            box-shadow: 0 12px 36px rgba(0, 0, 0, 0.7);
+        }
+
+        .mbkauthe-profile-trigger {
+            border: 1px solid rgba(255, 255, 255, 0.06);
+            background: rgba(255, 255, 255, 0.02);
+        }
+    }
+
+    @media (prefers-color-scheme: light) {
+        .mbkauthe-profile-dropdown {
+            --mbk-bg: #ffffff;
+            --mbk-border: rgba(15, 23, 42, 0.06);
+            --mbk-item-hover: rgba(15, 23, 42, 0.03);
+            --mbk-text: var(--dark-color-ml, #0f172a);
+            box-shadow: 0 8px 22px rgba(2, 6, 23, 0.08);
+        }
+
+        .mbkauthe-profile-trigger {
+            border: 1px solid rgba(2, 6, 23, 0.06);
+            background: rgba(255, 255, 255, 0.96);
+        }
+    }
 </style>
 <script>
     (() => {
-        const trigger = document.querySelector('header .profile-trigger');
-        const dropdown = document.querySelector('header .profile-dropdown');
+        const mbkTrigger = document.querySelector('.mbkauthe-profile-trigger');
+        const mbkDropdown = document.querySelector('.mbkauthe-profile-dropdown');
 
-        if (!trigger || !dropdown) {
+        if (!mbkTrigger || !mbkDropdown) {
             return;
         }
 
         const closeMenu = () => {
-            if (!dropdown.classList.contains('open')) return;
-            dropdown.classList.remove('open');
-            trigger.setAttribute('aria-expanded', 'false');
-
+            if (!mbkDropdown.classList.contains('open')) return;
+            mbkDropdown.classList.remove('open');
+            mbkTrigger.setAttribute('aria-expanded', 'false');
             // After transition, hide to prevent FOUC on next paint
             const onTransition = (e) => {
                 if (e.propertyName === 'opacity') {
-                    dropdown.setAttribute('hidden', '');
-                    dropdown.removeEventListener('transitionend', onTransition);
+                    mbkDropdown.setAttribute('hidden', '');
+                    mbkDropdown.removeEventListener('transitionend', onTransition);
                 }
             };
 
-            dropdown.addEventListener('transitionend', onTransition);
+            mbkDropdown.addEventListener('transitionend', onTransition);
             // Fallback in case transitionend doesn't fire
             setTimeout(() => {
-                if (!dropdown.classList.contains('open')) {
-                    dropdown.setAttribute('hidden', '');
+                if (!mbkDropdown.classList.contains('open')) {
+                    mbkDropdown.setAttribute('hidden', '');
                 }
             }, 350);
         };
 
-        trigger.addEventListener('click', (event) => {
+        mbkTrigger.addEventListener('click', (event) => {
             event.stopPropagation();
-            const isOpening = !dropdown.classList.contains('open');
-
+            const isOpening = !mbkDropdown.classList.contains('open');
             if (isOpening) {
                 // Reveal then start transition to open state
-                dropdown.removeAttribute('hidden');
+                mbkDropdown.removeAttribute('hidden');
                 // Ensure the class add happens on next frame for transition to work
                 requestAnimationFrame(() => {
-                    dropdown.classList.add('open');
-                    trigger.setAttribute('aria-expanded', 'true');
+                    mbkDropdown.classList.add('open');
+                    mbkTrigger.setAttribute('aria-expanded', 'true');
                 });
             } else {
                 // Close the menu
@@ -168,7 +253,7 @@
         });
 
         document.addEventListener('click', (event) => {
-            if (!dropdown.contains(event.target) && !trigger.contains(event.target)) {
+            if (!mbkDropdown.contains(event.target) && !mbkTrigger.contains(event.target)) {
                 closeMenu();
             }
         });
@@ -179,7 +264,7 @@
             }
         });
 
-        const logoutButton = dropdown.querySelector('[data-action="logout"]');
+        const logoutButton = mbkDropdown.querySelector('[data-action="logout"]');
         if (logoutButton) {
             logoutButton.addEventListener('click', async () => {
                 const originalLabel = logoutButton.textContent;
@@ -215,7 +300,7 @@
 
         // Populate the "Switch account" link with encoded current page URL in its `redirect` param
         (function setSwitchAccountRedirect() {
-            const switchAccountLink = dropdown.querySelector('a[href^="/mbkauthe/accounts"]');
+            const switchAccountLink = mbkDropdown.querySelector('a[href^="/mbkauthe/accounts"]');
             if (!switchAccountLink) return;
 
             try {