mbkauthe 4.7.1 → 4.7.2

package/index.js

@@ -46,7 +46,7 @@ app.engine("handlebars", engine({
             return Object.entries(obj).map(([key, value]) => ({ key, value }));
         },
         cacheBuster: function () {
-            return packageJson.version;
+            return "?v=" + packageJson.version;
         }
     }
 

package/lib/config/cookies.js

@@ -149,6 +149,8 @@ export const clearSessionCookies = (res) => {
     res.clearCookie("mbkauthe.sid", cachedClearCookieOptions);
     res.clearCookie("sessionId", cachedClearCookieOptions);
     res.clearCookie("fullName", cachedClearCookieOptions);
+    res.clearCookie("profileImageUrl", cachedClearCookieOptions);
+    res.clearCookie("profileImageUser", cachedClearCookieOptions);
     res.clearCookie("device_token", cachedClearCookieOptions);
 };
 

package/lib/pool.js

@@ -1,9 +1,12 @@
 import pkg from "pg";
 const { Pool } = pkg;
 import { mbkautheVar } from "#config.js";
+import { attachDevQueryLogger, runWithRequestContext, getRequestContext } from "./utils/dbQueryLogger.js";
 import dotenv from "dotenv";
 dotenv.config();
 
+export { runWithRequestContext, getRequestContext };
+
 const poolConfig = {
   connectionString: mbkautheVar.LOGIN_DB,
   ssl: {
@@ -21,190 +24,8 @@ const poolConfig = {
 
 export const dblogin = new Pool(poolConfig);
 
-
-
-// For logging and testing purposes, we can track query counts and logs in development mode.
-
-import path from "path";
-import { AsyncLocalStorage } from "async_hooks";
-
-const isDev = process.env.env === 'dev';
-const requestContext = isDev ? new AsyncLocalStorage() : null;
-
-export const runWithRequestContext = (req, fn) => {
-  if (!isDev || !requestContext) return fn();
-  return requestContext.run({ req }, fn);
-};
-
-export const getRequestContext = () => {
-  if (!isDev || !requestContext) return undefined;
-  return requestContext.getStore();
-};
-
-if (isDev) {
-
-  // Simple counter for all DB requests made via this pool. This is intentionally
-  // lightweight.
-  let _dbQueryCount = 0;
-  const _dbQueryLog = [];
-  const _MAX_QUERY_LOG_ENTRIES = 1000;
-
-  const _origQuery = dblogin.query.bind(dblogin);
-
-  dblogin.query = (...args) => {
-    _dbQueryCount++;
-
-    // Track query text for debugging/metrics.
-    // `pg` supports (text, values, callback) or (config, callback).
-    let queryText = '';
-    let queryName = '';
-    let queryValues;
-    try {
-      if (typeof args[0] === 'string') {
-        queryText = args[0];
-        queryValues = Array.isArray(args[1]) ? args[1] : undefined;
-      } else if (args[0] && typeof args[0] === 'object') {
-        queryText = args[0].text || '';
-        queryName = args[0].name || '';
-        queryValues = Array.isArray(args[0].values) ? args[0].values : undefined;
-      }
-    } catch {
-      queryText = '';
-    }
-
-    if (!queryText) {
-      return _origQuery(...args);
-    }
-
-    const startTime = process.hrtime.bigint();
-    const toWorkspacePath = (filePath) => {
-      const rel = path.relative(process.cwd(), filePath) || filePath;
-      return rel.replace(/\\/g, '/');
-    };
-
-    const buildCallsite = () => {
-      try {
-        const stack = new Error().stack || '';
-        const lines = stack.split('\n').map(l => l.trim());
-        // Skip frames from this wrapper and node internals; pick first app frame.
-        const frame = lines.find((line) =>
-          line.startsWith('at ') &&
-          !line.includes('/lib/pool.js') &&
-          !line.includes('node:internal') &&
-          !line.includes('internal/process')
-        );
-
-        if (!frame) return null;
-
-        const withFunc = /^at\s+([^\s(]+)\s+\((.+):([0-9]+):([0-9]+)\)$/.exec(frame);
-        const noFunc = /^at\s+(.+):([0-9]+):([0-9]+)$/.exec(frame);
-
-        if (withFunc) {
-          return {
-            function: withFunc[1],
-            file: toWorkspacePath(withFunc[2]),
-            line: Number(withFunc[3]),
-            column: Number(withFunc[4])
-          };
-        }
-        if (noFunc) {
-          return {
-            function: null,
-            file: toWorkspacePath(noFunc[1]),
-            line: Number(noFunc[2]),
-            column: Number(noFunc[3])
-          };
-        }
-      } catch {
-        return null;
-      }
-      return null;
-    };
-
-    const buildRequestContext = () => {
-      const store = getRequestContext();
-      const req = store?.req;
-      if (!req) return null;
-
-      const user = req.session?.user || null;
-      return {
-        method: req.method,
-        url: req.originalUrl || req.url,
-        ip: req.ip,
-        userId: user?.id || null,
-        username: user?.username || null
-      };
-    };
-
-    const callsiteSnapshot = buildCallsite();
-
-    const recordLog = (success, error) => {
-      const durationMs = Number(process.hrtime.bigint() - startTime) / 1_000_000;
-      const request = buildRequestContext();
-
-      _dbQueryLog.push({
-        time: new Date().toISOString(),
-        query: queryText,
-        name: queryName || undefined,
-        values: queryValues,
-        durationMs,
-        success,
-        error: error ? { message: error.message, code: error.code } : undefined,
-        request,
-        pool: {
-          total: dblogin.totalCount,
-          idle: dblogin.idleCount,
-          waiting: dblogin.waitingCount
-        },
-        callsite: callsiteSnapshot
-      });
-
-      if (_dbQueryLog.length > _MAX_QUERY_LOG_ENTRIES) {
-        _dbQueryLog.shift();
-      }
-    };
-
-    try {
-      const result = _origQuery(...args);
-      if (result && typeof result.then === 'function') {
-        return result
-          .then((res) => {
-            recordLog(true, null);
-            return res;
-          })
-          .catch((err) => {
-            recordLog(false, err);
-            throw err;
-          });
-      }
-
-      recordLog(true, null);
-      return result;
-    } catch (err) {
-      recordLog(false, err);
-      throw err;
-    }
-  };
-
-  // Public helpers
-
-  dblogin.getQueryCount = () => _dbQueryCount;
-  dblogin.resetQueryCount = () => {
-    _dbQueryCount = 0;
-  };
-
-  dblogin.getQueryLog = (options = {}) => {
-    const { limit } = options;
-    if (typeof limit === 'number') {
-      return _dbQueryLog.slice(-limit);
-    }
-    return [..._dbQueryLog];
-  };
-
-  dblogin.resetQueryLog = () => {
-    _dbQueryLog.length = 0;
-  };
-}
+// Keep pool.js focused on pool setup; attach dev-only query logger from dedicated module.
+attachDevQueryLogger(dblogin);
 
 (async () => {
   try {

package/lib/routes/auth.js

@@ -19,10 +19,13 @@ const router = express.Router();
 
 // Helper function to clear profile picture cache
 function clearProfilePicCache(req, username) {
-  if (req.session && username) {
-    const cacheKey = `profilepic_${username}`;
-    delete req.session[cacheKey];
-  }
+  if (!req || !req.res || !username) return;
+
+  const cookieUsername = req.cookies?.profileImageUser;
+  if (cookieUsername && cookieUsername !== username) return;
+
+  req.res.clearCookie('profileImageUrl', cachedClearCookieOptions);
+  req.res.clearCookie('profileImageUser', cachedClearCookieOptions);
 }
 
 // Rate limiters for auth routes
@@ -285,6 +288,9 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
       }
       // Cache display name client-side to avoid extra DB lookups
       res.cookie("fullName", req.session.user.fullname || username, { ...cachedCookieOptions, httpOnly: false });
+      const profileImageForCookie = loginProfileImage && typeof loginProfileImage === 'string' ? loginProfileImage : 'default';
+      res.cookie('profileImageUrl', profileImageForCookie, { ...cachedCookieOptions, httpOnly: false });
+      res.cookie('profileImageUser', username, { ...cachedCookieOptions, httpOnly: false });
       // Record which method was used to login (client-visible badge)
       if (method && typeof method === 'string') {
         try {
@@ -561,9 +567,6 @@ router.post("/api/verify-2fa", TwoFALimit, csrfProtection, async (req, res) => {
   const shouldTrustDevice = trustDevice === true || trustDevice === 'true';
 
   try {
-    // Use cached allowedApps from preAuthUser to avoid extra database join
-    const cachedAllowedApps = req.session.preAuthUser?.allowedApps;
-
     const query = `SELECT tfa."TwoFASecret" FROM "TwoFA" tfa WHERE tfa."UserName" = $1`;
     const twoFAResult = await dblogin.query({ name: 'verify-2fa-secret', text: query, values: [username] });
 
@@ -574,7 +577,7 @@ router.post("/api/verify-2fa", TwoFALimit, csrfProtection, async (req, res) => {
     }
 
     const sharedSecret = twoFAResult.rows[0].TwoFASecret;
-    const allowedApps = cachedAllowedApps;
+    const allowedApps = req.session.preAuthUser?.allowedApps;
     const tokenValidates = speakeasy.totp.verify({
       secret: sharedSecret,
       encoding: "base32",
@@ -771,6 +774,9 @@ router.post("/api/switch-session", LoginLimit, async (req, res) => {
 
     // Sync sessionId cookie and remember list
     res.cookie('fullName', fullName, { ...cachedCookieOptions, httpOnly: false });
+    const switchProfileForCookie = switchProfileImage && typeof switchProfileImage === 'string' ? switchProfileImage : 'default';
+    res.cookie('profileImageUrl', switchProfileForCookie, { ...cachedCookieOptions, httpOnly: false });
+    res.cookie('profileImageUser', row.UserName, { ...cachedCookieOptions, httpOnly: false });
     const encryptedSid = encryptSessionId(row.sid);
     if (encryptedSid) {
       res.cookie('sessionId', encryptedSid, cachedCookieOptions);

package/lib/routes/dbLogs.js

@@ -6,6 +6,8 @@ import rateLimit from 'express-rate-limit';
 
 const router = express.Router();
 
+const isDbLogsEnabled = () => process.env.env === "dev" && process.env.dbLogs === "true";
+
 // Rate limiter for info/test routes
 const LogLimit = rateLimit({
   windowMs: 1 * 60 * 1000,
@@ -23,33 +25,65 @@ const LogLimit = rateLimit({
 // DB stats API (JSON)
 router.get(["/db.json"], LogLimit, async (req, res) => {
   try {
-    const queryCount = typeof dblogin.getQueryCount === 'function' ? dblogin.getQueryCount() : null;
+    const isDev = isDbLogsEnabled();
     const queryLimit = Number(req.query.limit) || 50;
-    const queryLog = typeof dblogin.getQueryLog === 'function' ? dblogin.getQueryLog({ limit: queryLimit }) : [];
-    const resetRequested = req.query.reset === '1';
 
-    if (resetRequested) {
-      if (typeof dblogin.resetQueryCount === 'function') dblogin.resetQueryCount();
-      if (typeof dblogin.resetQueryLog === 'function') dblogin.resetQueryLog();
+    if (!isDev) {
+      return res.status(403).json({
+        success: false,
+        message: "DB logs are disabled.",
+        isDev,
+        queryCount: 0,
+        queryLimit,
+        queryLog: []
+      });
     }
 
-    return res.json({ queryCount, queryLimit, queryLog, resetDone: resetRequested });
+    const queryCount = typeof dblogin.getQueryCount === 'function' ? dblogin.getQueryCount() : null;
+    const queryLog = typeof dblogin.getQueryLog === 'function' ? dblogin.getQueryLog({ limit: queryLimit }) : [];
+
+    return res.json({ queryCount, queryLimit, queryLog, isDev });
   } catch (err) {
     console.error('[mbkauthe] /db.json route error:', err);
     return res.status(500).json({ success: false, message: 'Could not fetch DB stats.' });
   }
 });
 
+// Dedicated reset API for DB logs and counters
+router.post(["/db/reset"], LogLimit, async (req, res) => {
+  try {
+    const isDev = isDbLogsEnabled();
+    if (!isDev) {
+      return res.status(403).json({
+        success: false,
+        message: "DB logs are disabled.",
+        isDev
+      });
+    }
+
+    if (typeof dblogin.resetQueryCount === 'function') dblogin.resetQueryCount();
+    if (typeof dblogin.resetQueryLog === 'function') dblogin.resetQueryLog();
+
+    return res.json({ success: true, message: 'Query log and count have been reset.' });
+  } catch (err) {
+    console.error('[mbkauthe] /db/reset route error:', err);
+    return res.status(500).json({ success: false, message: 'Could not reset DB stats.' });
+  }
+});
+
 // DB stats page (HTML)
 router.get(["/db"], LogLimit, async (req, res) => {
   try {
+    const isDev = isDbLogsEnabled();
     const queryLimit = Number(req.query.limit) || 50;
     const resetDone = req.query.resetDone === '1';
     return res.render('pages/dbLogs.handlebars', {
       layout: false,
       appName: mbkautheVar.APP_NAME,
       queryLimit,
-      resetDone
+      resetDone,
+      isDev,
+      disabledMessage: isDev ? null : 'DB logs are disabled.'
     });
   } catch (err) {
     console.error('[mbkauthe] /db route error:', err);

package/lib/routes/misc.js

@@ -6,7 +6,7 @@ import { renderError, renderPage } from "#response.js";
 import { authenticate, validateSession, validateSessionAndRole } from "../middleware/auth.js";
 import { ErrorCodes, ErrorMessages, createErrorResponse } from "../utils/errors.js";
 import { dblogin } from "#pool.js";
-import { clearSessionCookies, decryptSessionId } from "#cookies.js";
+import { clearSessionCookies, decryptSessionId, cachedCookieOptions } from "#cookies.js";
 import { fileURLToPath } from "url";
 import path from "path";
 import fs from "fs";
@@ -91,8 +91,12 @@ router.get('/user/profilepic', async (req, res) => {
     }
 
     const username = req.session.user.username;
-    const cacheKey = `profilepic_${username}`;
-    let imageUrl = req.session[cacheKey];
+    let imageUrl = null;
+    const cookieUser = req.cookies?.profileImageUser;
+    const cookieImageUrl = req.cookies?.profileImageUrl;
+    if (cookieUser === username && typeof cookieImageUrl === 'string' && cookieImageUrl.length > 0) {
+      imageUrl = cookieImageUrl;
+    }
 
     // If not in cache, fetch from DB
     if (!imageUrl) {
@@ -107,7 +111,8 @@ router.get('/user/profilepic', async (req, res) => {
       } else {
         imageUrl = 'default';
       }
-      req.session[cacheKey] = imageUrl;
+      res.cookie('profileImageUrl', imageUrl, { ...cachedCookieOptions, httpOnly: false });
+      res.cookie('profileImageUser', username, { ...cachedCookieOptions, httpOnly: false });
     }
 
     // Generate ETag based on username and image URL
@@ -137,7 +142,8 @@ router.get('/user/profilepic', async (req, res) => {
 
       if (!imageResponse.ok) {
         console.warn(`[mbkauthe] Failed to fetch profile pic from ${imageUrl}, status: ${imageResponse.status}`);
-        req.session[cacheKey] = 'default';
+        res.cookie('profileImageUrl', 'default', { ...cachedCookieOptions, httpOnly: false });
+        res.cookie('profileImageUser', username, { ...cachedCookieOptions, httpOnly: false });
         return serveDefaultIcon();
       }
 
@@ -147,7 +153,8 @@ router.get('/user/profilepic', async (req, res) => {
       imageResponse.body.pipe(res);
     } catch (fetchErr) {
       console.error('[mbkauthe] Error fetching external profile picture:', fetchErr);
-      req.session[cacheKey] = 'default';
+      res.cookie('profileImageUrl', 'default', { ...cachedCookieOptions, httpOnly: false });
+      res.cookie('profileImageUser', username, { ...cachedCookieOptions, httpOnly: false });
       return serveDefaultIcon();
     }
 
@@ -503,8 +510,7 @@ router.get(["/info", "/i"], LoginLimit, async (req, res) => {
   }
 
   try {
-    res.render("pages/info_mbkauthe.handlebars", {
-      layout: false,
+    renderPage(req, res, "pages/info_mbkauthe.handlebars", false, {
       mbkautheVar: safe_mbkautheVar,
       CurrentVersion: packageJson.version,
       APP_VERSION: appVersion,

package/lib/utils/dbQueryLogger.js

@@ -0,0 +1,247 @@
+import path from "path";
+import { AsyncLocalStorage } from "async_hooks";
+
+const isDev = process.env.env === "dev" && process.env.dbLogs === "true";
+const requestContext = isDev ? new AsyncLocalStorage() : null;
+
+export const runWithRequestContext = (req, fn) => {
+  if (!isDev || !requestContext) return fn();
+  return requestContext.run({ req }, fn);
+};
+
+export const getRequestContext = () => {
+  if (!isDev || !requestContext) return undefined;
+  return requestContext.getStore();
+};
+
+export const attachDevQueryLogger = (pool) => {
+  if (!isDev || !pool || pool.__mbkQueryLoggerInstalled) {
+    return;
+  }
+
+  pool.__mbkQueryLoggerInstalled = true;
+
+  // Simple counter for all DB requests made via this pool. This is intentionally lightweight.
+  let dbQueryCount = 0;
+  const dbQueryLog = [];
+  const MAX_QUERY_LOG_ENTRIES = 1000;
+
+  const originalQuery = pool.query.bind(pool);
+
+  const safeValue = (value, depth = 0, seen = new WeakSet()) => {
+    if (value == null) return value;
+    if (typeof value === "string") {
+      return value.length > 300 ? `${value.slice(0, 300)}...` : value;
+    }
+    if (typeof value === "number" || typeof value === "boolean") return value;
+    if (typeof value === "bigint") return value.toString();
+    if (value instanceof Date) return value.toISOString();
+    if (Buffer.isBuffer(value)) return `[buffer:${value.length}]`;
+
+    if (Array.isArray(value)) {
+      if (depth >= 4) return `[array:${value.length}]`;
+      const sample = value.slice(0, 8).map((v) => safeValue(v, depth + 1, seen));
+      if (value.length > 8) sample.push(`...(${value.length - 8} more)`);
+      return sample;
+    }
+
+    if (typeof value === "object") {
+      if (seen.has(value)) return "[circular]";
+      seen.add(value);
+
+      const keys = Object.keys(value);
+      if (depth >= 4) {
+        const head = keys.slice(0, 5).join(", ");
+        return keys.length > 5 ? `[object:${head}, ...]` : `[object:${head}]`;
+      }
+
+      const out = {};
+      const entries = Object.entries(value).slice(0, 20);
+      for (const [k, v] of entries) {
+        out[k] = safeValue(v, depth + 1, seen);
+      }
+      if (keys.length > 20) {
+        out.__truncated = `${keys.length - 20} more keys`;
+      }
+
+      seen.delete(value);
+      return out;
+    }
+
+    return String(value);
+  };
+
+  const buildReturnValue = (result) => {
+    if (!result || typeof result !== "object") return undefined;
+
+    const returnValue = {
+      command: result.command || undefined,
+      rowCount: typeof result.rowCount === "number" ? result.rowCount : undefined,
+    };
+
+    if (Array.isArray(result.rows)) {
+      const previewSize = 3;
+      returnValue.returnedRows = result.rows.length;
+      returnValue.rowsPreview = result.rows.slice(0, previewSize).map((row) => safeValue(row));
+      if (result.rows.length > previewSize) {
+        returnValue.rowsTruncated = true;
+      }
+    }
+
+    return returnValue;
+  };
+
+  pool.query = (...args) => {
+    dbQueryCount++;
+
+    // `pg` supports (text, values, callback) or (config, callback).
+    let queryText = "";
+    let queryName = "";
+    let queryValues;
+    try {
+      if (typeof args[0] === "string") {
+        queryText = args[0];
+        queryValues = Array.isArray(args[1]) ? args[1] : undefined;
+      } else if (args[0] && typeof args[0] === "object") {
+        queryText = args[0].text || "";
+        queryName = args[0].name || "";
+        queryValues = Array.isArray(args[0].values) ? args[0].values : undefined;
+      }
+    } catch {
+      queryText = "";
+    }
+
+    if (!queryText) {
+      return originalQuery(...args);
+    }
+
+    const startTime = process.hrtime.bigint();
+    const toWorkspacePath = (filePath) => {
+      const rel = path.relative(process.cwd(), filePath) || filePath;
+      return rel.replace(/\\/g, "/");
+    };
+
+    const buildCallsite = () => {
+      try {
+        const stack = new Error().stack || "";
+        const lines = stack.split("\n").map((l) => l.trim());
+        const frame = lines.find(
+          (line) =>
+            line.startsWith("at ") &&
+            !line.includes("/lib/utils/dbQueryLogger.js") &&
+            !line.includes("node:internal") &&
+            !line.includes("internal/process")
+        );
+
+        if (!frame) return null;
+
+        const withFunc = /^at\s+([^\s(]+)\s+\((.+):([0-9]+):([0-9]+)\)$/.exec(frame);
+        const noFunc = /^at\s+(.+):([0-9]+):([0-9]+)$/.exec(frame);
+
+        if (withFunc) {
+          return {
+            function: withFunc[1],
+            file: toWorkspacePath(withFunc[2]),
+            line: Number(withFunc[3]),
+            column: Number(withFunc[4]),
+          };
+        }
+
+        if (noFunc) {
+          return {
+            function: null,
+            file: toWorkspacePath(noFunc[1]),
+            line: Number(noFunc[2]),
+            column: Number(noFunc[3]),
+          };
+        }
+      } catch {
+        return null;
+      }
+      return null;
+    };
+
+    const buildRequestContext = () => {
+      const store = getRequestContext();
+      const req = store?.req;
+      if (!req) return null;
+
+      const user = req.session?.user || null;
+      return {
+        method: req.method,
+        url: req.originalUrl || req.url,
+        ip: req.ip,
+        userId: user?.id || null,
+        username: user?.username || null,
+      };
+    };
+
+    const callsiteSnapshot = buildCallsite();
+
+    const recordLog = (success, error, result) => {
+      const durationMs = Number(process.hrtime.bigint() - startTime) / 1_000_000;
+      const request = buildRequestContext();
+      const returnValue = buildReturnValue(result);
+
+      dbQueryLog.push({
+        time: new Date().toISOString(),
+        query: queryText,
+        name: queryName || undefined,
+        values: queryValues,
+        durationMs,
+        success,
+        error: error ? { message: error.message, code: error.code } : undefined,
+        returnValue,
+        request,
+        pool: {
+          total: pool.totalCount,
+          idle: pool.idleCount,
+          waiting: pool.waitingCount,
+        },
+        callsite: callsiteSnapshot,
+      });
+
+      if (dbQueryLog.length > MAX_QUERY_LOG_ENTRIES) {
+        dbQueryLog.shift();
+      }
+    };
+
+    try {
+      const result = originalQuery(...args);
+      if (result && typeof result.then === "function") {
+        return result
+          .then((res) => {
+            recordLog(true, null, res);
+            return res;
+          })
+          .catch((err) => {
+            recordLog(false, err);
+            throw err;
+          });
+      }
+
+      recordLog(true, null, result);
+      return result;
+    } catch (err) {
+      recordLog(false, err);
+      throw err;
+    }
+  };
+
+  pool.getQueryCount = () => dbQueryCount;
+  pool.resetQueryCount = () => {
+    dbQueryCount = 0;
+  };
+
+  pool.getQueryLog = (options = {}) => {
+    const { limit } = options;
+    if (typeof limit === "number") {
+      return dbQueryLog.slice(-limit);
+    }
+    return [...dbQueryLog];
+  };
+
+  pool.resetQueryLog = () => {
+    dbQueryLog.length = 0;
+  };
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mbkauthe",
-  "version": "4.7.1",
+  "version": "4.7.2",
   "description": "MBKTech's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",