mbkauthe 4.7.1 → 4.8.0

package/README.md

@@ -22,7 +22,7 @@
 - PostgreSQL session management
 - Multi-session support (configurable concurrent sessions per user)
 - Optional TOTP-based 2FA with trusted devices
-- OAuth login (GitHub & Google)
+- Social login (GitHub App & Google OAuth)
 - Role-based access: SuperAdmin, NormalUser, Guest
 - CSRF protection & rate limiting
 - Easy Express.js integration
@@ -101,9 +101,9 @@ These are only mounted when `process.env.env === "dev"`:
 
 Enable via `MBKAUTH_TWO_FA_ENABLE=true`. Trusted devices can skip 2FA for a set duration.
 
-## 🔄 OAuth Integration
+## 🔄 Social Login Integration
 
-**GitHub / Google OAuth:** Configure apps and credentials via `.env` or `mbkautheVar`. Users must link accounts before login.
+**GitHub App / Google OAuth:** Configure credentials via `.env` or `mbkautheVar`. Users must link accounts before login.
 
 ## 🎨 Customization
 

package/docs/api.md

@@ -179,7 +179,7 @@ Renders the main login page.
 **Response:** HTML page with login form
 
 **Template Variables:**
-- `githubLoginEnabled` - Whether GitHub OAuth is enabled
+- `githubLoginEnabled` - Whether GitHub App login is enabled
 - `googleLoginEnabled` - Whether Google OAuth is enabled
 - `customURL` - Redirect URL after login
 - `userLoggedIn` - Whether user is already authenticated
@@ -317,8 +317,8 @@ The endpoints below are active in the router but are not fully expanded above. U
 
 **OAuth:**
 
-- `GET /mbkauthe/api/github/login` - Starts GitHub OAuth login flow.
-- `GET /mbkauthe/api/github/login/callback` - GitHub OAuth callback.
+- `GET /mbkauthe/api/github/login` - Starts GitHub App login flow.
+- `GET /mbkauthe/api/github/login/callback` - GitHub App callback.
 - `GET /mbkauthe/api/google/login` - Starts Google OAuth login flow.
 - `GET /mbkauthe/api/google/login/callback` - Google OAuth callback.
 
@@ -1222,11 +1222,11 @@ GET /mbkauthe/test
 
 ### OAuth Endpoints
 
-#### GitHub OAuth
+#### GitHub App
 
 ##### `GET /mbkauthe/api/github/login`
 
-Initiates the GitHub OAuth authentication flow.
+Initiates the GitHub App authentication flow.
 
 **Rate Limit:** 10 requests per 5 minutes
 
@@ -1235,11 +1235,11 @@ Initiates the GitHub OAuth authentication flow.
 **Query Parameters:**
 - `redirect` (optional) - Relative URL to redirect after successful authentication (must start with `/` to prevent open redirect attacks)
 
-**Response:** Redirects to GitHub OAuth authorization page
+**Response:** Redirects to GitHub authorization page
 
 **Prerequisites:**
 - `GITHUB_LOGIN_ENABLED=true` in environment
-- Valid `GITHUB_CLIENT_ID` and `GITHUB_CLIENT_SECRET` configured
+- Valid `GITHUB_APP_CLIENT_ID` and `GITHUB_APP_CLIENT_SECRET` configured
 - User's GitHub account must be linked to an MBKAuth account in `user_github` table
 
 **Example:**
@@ -1250,9 +1250,9 @@ GET /mbkauthe/api/github/login?redirect=/dashboard
 **Workflow:**
 1. User clicks "Login with GitHub"
 2. CSRF token generated and stored in session
-3. Redirects to GitHub for authorization
-4. GitHub redirects back to callback URL
-5. System verifies GitHub account is linked
+3. Redirects to GitHub authorization page
+4. GitHub redirects back to callback URL with authorization `code`
+5. System verifies `github_id` is linked
 6. If 2FA enabled, prompts for 2FA
 7. Creates session and redirects to specified URL
 
@@ -1260,7 +1260,7 @@ GET /mbkauthe/api/github/login?redirect=/dashboard
 
 ##### `GET /mbkauthe/api/github/login/callback`
 
-Handles the OAuth callback from GitHub after user authorization.
+Handles the callback from GitHub after user authorization.
 
 **Rate Limit:** Inherited from OAuth rate limiter (10 requests per 5 minutes)
 
@@ -1277,7 +1277,7 @@ Handles the OAuth callback from GitHub after user authorization.
 - **GitHub Not Linked**: Returns error if GitHub account is not in `user_github` table
 - **Account Inactive**: Returns error if user account is deactivated
 - **Not Authorized**: Returns error if user is not allowed to access the application
-- **GitHub Auth Error**: Returns error for any OAuth-related failures
+- **GitHub Auth Error**: Returns error for provider authentication failures
 
 **Success Flow:**
 ```

package/docs/db.md

@@ -85,7 +85,9 @@ CREATE TABLE IF NOT EXISTS user_github (
     user_name VARCHAR(50) REFERENCES "Users"("UserName"),
     github_id VARCHAR(255) UNIQUE,
     github_username VARCHAR(255),
-    access_token TEXT,
+    installation_id BIGINT,
+    installation_target_type VARCHAR(32),
+    access_token VARCHAR(255),
     created_at TimeStamp WITH TIME ZONE DEFAULT NOW(),
     updated_at TimeStamp WITH TIME ZONE DEFAULT NOW()
 );

package/docs/db.sql

@@ -49,11 +49,17 @@ CREATE TABLE IF NOT EXISTS user_github (
     user_name VARCHAR(50) REFERENCES "Users"("UserName"),
     github_id VARCHAR(255) UNIQUE,
     github_username VARCHAR(255),
+    installation_id BIGINT,
+    installation_target_type VARCHAR(32),
     access_token TEXT,
     created_at TimeStamp WITH TIME ZONE DEFAULT NOW(),
     updated_at TimeStamp WITH TIME ZONE DEFAULT NOW()
 );
 
+ALTER TABLE user_github
+    ADD COLUMN IF NOT EXISTS installation_id BIGINT,
+    ADD COLUMN IF NOT EXISTS installation_target_type VARCHAR(32);
+
 -- Add indexes for performance optimization
 CREATE INDEX IF NOT EXISTS idx_user_github_github_id ON user_github (github_id);
 CREATE INDEX IF NOT EXISTS idx_user_github_user_name ON user_github (user_name);

package/docs/env.md

@@ -95,14 +95,26 @@ This document describes the environment variables MBKAuth expects and keeps brie
   - Required: No
 
 - GITHUB_LOGIN_ENABLED / GOOGLE_LOGIN_ENABLED
-  - Description: Enable OAuth providers.
+  - Description: Enable social login providers.
   - Default: `false`
-  - If `true`, corresponding `*_CLIENT_ID` and `*_CLIENT_SECRET` are required.
+  - If `GOOGLE_LOGIN_ENABLED=true`, `GOOGLE_CLIENT_ID` and `GOOGLE_CLIENT_SECRET` are required.
+  - If `GITHUB_LOGIN_ENABLED=true`, GitHub App client credentials are required.
 
-- GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET / GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET
-  - Description: OAuth credentials (put in `mbkautheVar` preferred, or `mbkauthShared`).
-  - Required when provider enabled.
-  - Create Github OAuth App: https://github.com/settings/developers
+- GITHUB_APP_SLUG
+  - Description: GitHub App slug (optional for login flow in this package; useful for install/link flows handled elsewhere).
+  - Required: No
+  - Create GitHub App: https://github.com/settings/apps
+
+- GITHUB_APP_CLIENT_ID / GITHUB_APP_CLIENT_SECRET
+  - Description: GitHub App OAuth credentials used for user sign-in.
+  - Required when `GITHUB_LOGIN_ENABLED=true`.
+
+- GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET
+  - Description: Legacy fallback keys if app-prefixed keys are not provided.
+
+- GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET
+  - Description: Google OAuth credentials.
+  - Required when `GOOGLE_LOGIN_ENABLED=true`.
   - Create Google OAuth: https://console.cloud.google.com/
 
 ---

package/index.d.ts

@@ -55,8 +55,9 @@ declare module 'mbkauthe' {
     COOKIE_EXPIRE_TIME?: number;
     DEVICE_TRUST_DURATION_DAYS?: number;
     GITHUB_LOGIN_ENABLED?: 'true' | 'false' | 'f';
-    GITHUB_CLIENT_ID?: string;
-    GITHUB_CLIENT_SECRET?: string;
+    GITHUB_APP_SLUG?: string;
+    GITHUB_APP_CLIENT_ID?: string;
+    GITHUB_APP_CLIENT_SECRET?: string;
     GOOGLE_LOGIN_ENABLED?: 'true' | 'false' | 'f';
     GOOGLE_CLIENT_ID?: string;
     GOOGLE_CLIENT_SECRET?: string;
@@ -66,8 +67,9 @@ declare module 'mbkauthe' {
 
   export interface OAuthConfig {
     GITHUB_LOGIN_ENABLED?: 'true' | 'false' | 'f';
-    GITHUB_CLIENT_ID?: string;
-    GITHUB_CLIENT_SECRET?: string;
+    GITHUB_APP_SLUG?: string;
+    GITHUB_APP_CLIENT_ID?: string;
+    GITHUB_APP_CLIENT_SECRET?: string;
     GOOGLE_LOGIN_ENABLED?: 'true' | 'false' | 'f';
     GOOGLE_CLIENT_ID?: string;
     GOOGLE_CLIENT_SECRET?: string;
@@ -132,6 +134,8 @@ declare module 'mbkauthe' {
     user_name: string;
     github_id: string;
     github_username: string;
+    installation_id?: number;
+    installation_target_type?: string;
     access_token: string;
     created_at: Date;
     updated_at: Date;

package/index.js

@@ -46,7 +46,7 @@ app.engine("handlebars", engine({
             return Object.entries(obj).map(([key, value]) => ({ key, value }));
         },
         cacheBuster: function () {
-            return packageJson.version;
+            return "?v=" + packageJson.version;
         }
     }
 

package/lib/config/cookies.js

@@ -149,6 +149,8 @@ export const clearSessionCookies = (res) => {
     res.clearCookie("mbkauthe.sid", cachedClearCookieOptions);
     res.clearCookie("sessionId", cachedClearCookieOptions);
     res.clearCookie("fullName", cachedClearCookieOptions);
+    res.clearCookie("profileImageUrl", cachedClearCookieOptions);
+    res.clearCookie("profileImageUser", cachedClearCookieOptions);
     res.clearCookie("device_token", cachedClearCookieOptions);
 };
 

package/lib/config/index.js

@@ -64,7 +64,7 @@ function validateConfiguration() {
     const keysToCheck = [
         "APP_NAME", "DEVICE_TRUST_DURATION_DAYS", "EncPass", "Main_SECRET_TOKEN", "SESSION_SECRET_KEY",
         "IS_DEPLOYED", "LOGIN_DB", "MBKAUTH_TWO_FA_ENABLE", "COOKIE_EXPIRE_TIME", "DOMAIN", "loginRedirectURL",
-        "GITHUB_LOGIN_ENABLED", "GITHUB_CLIENT_ID", "GITHUB_CLIENT_SECRET", "GOOGLE_LOGIN_ENABLED", "GOOGLE_CLIENT_ID",
+        "GITHUB_LOGIN_ENABLED", "GITHUB_APP_SLUG", "GITHUB_APP_CLIENT_ID", "GITHUB_APP_CLIENT_SECRET", "GITHUB_CLIENT_ID", "GITHUB_CLIENT_SECRET", "GOOGLE_LOGIN_ENABLED", "GOOGLE_CLIENT_ID",
         "GOOGLE_CLIENT_SECRET", "MAX_SESSIONS_PER_USER"
     ];
 
@@ -145,11 +145,14 @@ function validateConfiguration() {
 
     // Validate GitHub login configuration
     if (mbkautheVar.GITHUB_LOGIN_ENABLED === "true") {
-        if (!mbkautheVar.GITHUB_CLIENT_ID || mbkautheVar.GITHUB_CLIENT_ID.trim() === '') {
-            errors.push("mbkautheVar.GITHUB_CLIENT_ID is required when GITHUB_LOGIN_ENABLED is 'true'");
+        const hasGithubClientId = !!(mbkautheVar.GITHUB_APP_CLIENT_ID || mbkautheVar.GITHUB_CLIENT_ID);
+        const hasGithubClientSecret = !!(mbkautheVar.GITHUB_APP_CLIENT_SECRET || mbkautheVar.GITHUB_CLIENT_SECRET);
+
+        if (!hasGithubClientId) {
+            errors.push("mbkautheVar.GITHUB_APP_CLIENT_ID (or GITHUB_CLIENT_ID) is required when GITHUB_LOGIN_ENABLED is 'true'");
         }
-        if (!mbkautheVar.GITHUB_CLIENT_SECRET || mbkautheVar.GITHUB_CLIENT_SECRET.trim() === '') {
-            errors.push("mbkautheVar.GITHUB_CLIENT_SECRET is required when GITHUB_LOGIN_ENABLED is 'true'");
+        if (!hasGithubClientSecret) {
+            errors.push("mbkautheVar.GITHUB_APP_CLIENT_SECRET (or GITHUB_CLIENT_SECRET) is required when GITHUB_LOGIN_ENABLED is 'true'");
         }
     }
 

package/lib/middleware/auth.js

@@ -6,6 +6,32 @@ import { ErrorCodes, createErrorResponse } from "../utils/errors.js";
 import { hashApiToken } from "#config.js";
 import { canAccessMethod } from "#config.js";
 
+/**
+ * Decide if the incoming request should return JSON errors instead of HTML.
+ * Non-browser clients (API calls / AJAX) should get JSON.
+ */
+function isJsonRequest(req) {
+  if (!req || !req.headers) return false;
+  const accept = (req.headers.accept || "").toLowerCase();
+  const xRequestedWith = (req.headers["x-requested-with"] || "").toLowerCase();
+  const userAgent = (req.headers["user-agent"] || "").toLowerCase();
+  const url = (req.originalUrl || req.url || "").toLowerCase();
+  const path = (req.path || "").toLowerCase();
+
+  const isApiPath = url.startsWith("/mbkauthe/api/") || url.startsWith("/api/") || path.startsWith("/mbkauthe/api/") || path.startsWith("/api/");
+  const isAcceptJson = accept.includes("application/json") || accept.includes("json") || accept.includes("*/*");
+
+  const nonBrowserAgent = /curl|wget|httpie|python-requests|python|go-http-client|java\/|php|node-fetch|axios|postman|insomnia|okhttp/;
+  const browserAgent = /mozilla|applewebkit|chrome|safari|firefox|edg|msie|trident|opera/;
+
+  if (isApiPath || xRequestedWith === "xmlhttprequest") return true;
+  if (isAcceptJson && !accept.includes("text/html")) return true;
+
+  if (nonBrowserAgent.test(userAgent) && !browserAgent.test(userAgent)) return true;
+
+  return false;
+}
+
 /**
  * Validates a Bearer token (API Token or Session UUID)
  * Returns a user object if valid, or null/error object
@@ -160,6 +186,9 @@ async function validateSession(req, res, next, strictTokenValidation = false) {
   if (!req.session.user) {
     console.log("[mbkauthe] User not authenticated");
     console.log("[mbkauthe]: ", req.session.user);
+    if (isJsonRequest(req)) {
+      return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_NOT_FOUND));
+    }
     return renderError(res, req, {
       code: 401,
       error: "Not Logged In",
@@ -177,6 +206,9 @@ async function validateSession(req, res, next, strictTokenValidation = false) {
       console.warn(`[mbkauthe] Missing sessionId for user "${req.session.user.username}"`);
       req.session.destroy();
       clearSessionCookies(res);
+      if (isJsonRequest(req)) {
+        return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_EXPIRED));
+      }
       return renderError(res, req, {
         code: 401,
         error: "Session Expired",
@@ -200,6 +232,9 @@ async function validateSession(req, res, next, strictTokenValidation = false) {
       console.log(`[mbkauthe] Session not found for user "${req.session.user.username}"`);
       req.session.destroy();
       clearSessionCookies(res);
+      if (isJsonRequest(req)) {
+        return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_EXPIRED));
+      }
       return renderError(res, req, {
         code: 401,
         error: "Session Expired",
@@ -217,6 +252,9 @@ async function validateSession(req, res, next, strictTokenValidation = false) {
       // destroy and clear cookies
       req.session.destroy();
       clearSessionCookies(res);
+      if (isJsonRequest(req)) {
+        return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_EXPIRED));
+      }
       return renderError(res, req, {
         code: 401,
         error: "Session Expired",
@@ -231,6 +269,9 @@ async function validateSession(req, res, next, strictTokenValidation = false) {
       console.log(`[mbkauthe] Account is inactive for user "${req.session.user.username}"`);
       req.session.destroy();
       clearSessionCookies(res);
+      if (isJsonRequest(req)) {
+        return res.status(401).json(createErrorResponse(401, ErrorCodes.ACCOUNT_INACTIVE));
+      }
       return renderError(res, req, {
         code: 401,
         error: "Account Inactive",
@@ -247,6 +288,9 @@ async function validateSession(req, res, next, strictTokenValidation = false) {
         console.warn(`[mbkauthe] User \"${req.session.user.username}\" is not authorized to use the application \"${mbkautheVar.APP_NAME}\"`);
         req.session.destroy();
         clearSessionCookies(res);
+        if (isJsonRequest(req)) {
+          return res.status(401).json(createErrorResponse(401, ErrorCodes.APP_NOT_AUTHORIZED));
+        }
         return renderError(res, req, {
           code: 401,
           error: "Unauthorized",
@@ -444,6 +488,9 @@ const checkRolePermission = (requiredRoles, notAllowed) => {
     try {
       if (!req.session || !req.session.user || !req.session.user.id) {
         console.log("[mbkauthe] User not authenticated");
+        if (isJsonRequest(req)) {
+          return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_NOT_FOUND));
+        }
         return renderError(res, req, {
           code: 401,
           error: "Not Logged In",
@@ -458,6 +505,9 @@ const checkRolePermission = (requiredRoles, notAllowed) => {
 
       // Check notAllowed role
       if (notAllowed && userRole === notAllowed) {
+        if (isJsonRequest(req)) {
+          return res.status(403).json(createErrorResponse(403, ErrorCodes.ROLE_NOT_ALLOWED));
+        }
         return renderError(res, req, {
           code: 403,
           error: "Access Denied",
@@ -477,6 +527,9 @@ const checkRolePermission = (requiredRoles, notAllowed) => {
 
       // Check if user role is in allowed roles
       if (!rolesArray.includes(userRole)) {
+        if (isJsonRequest(req)) {
+          return res.status(403).json(createErrorResponse(403, ErrorCodes.INSUFFICIENT_PERMISSIONS));
+        }
         return renderError(res, req, {
           code: 403,
           error: "Access Denied",

package/lib/pool.js

@@ -1,211 +1,35 @@
 import pkg from "pg";
 const { Pool } = pkg;
 import { mbkautheVar } from "#config.js";
+import { attachDevQueryLogger, runWithRequestContext, getRequestContext } from "./utils/dbQueryLogger.js";
 import dotenv from "dotenv";
 dotenv.config();
 
+export { runWithRequestContext, getRequestContext };
+
 const poolConfig = {
   connectionString: mbkautheVar.LOGIN_DB,
   ssl: {
     rejectUnauthorized: true,
   },
-
-  // Connection pool tuning for serverless/ephemeral environments (Vercel)
-  // - keep max small to avoid exhausting DB connections
-  // - reduce idle time so connections are returned sooner
-  // - set a short connection timeout to fail fast
-  max: 10,
+  max: 3,
   idleTimeoutMillis: 10000,
-  connectionTimeoutMillis: 25000,
+  connectionTimeoutMillis: 10000,
 };
 
 export const dblogin = new Pool(poolConfig);
 
+// Keep pool.js focused on pool setup; attach dev-only query logger from dedicated module.
+attachDevQueryLogger(dblogin);
 
+/*
+ attachDevQueryLogger([
+  { pool: dblogin, name: "loginDB" },
+  { pool: dblogin1, name: "loginDB1" },
+]);
+*/
 
-// For logging and testing purposes, we can track query counts and logs in development mode.
-
-import path from "path";
-import { AsyncLocalStorage } from "async_hooks";
-
-const isDev = process.env.env === 'dev';
-const requestContext = isDev ? new AsyncLocalStorage() : null;
-
-export const runWithRequestContext = (req, fn) => {
-  if (!isDev || !requestContext) return fn();
-  return requestContext.run({ req }, fn);
-};
-
-export const getRequestContext = () => {
-  if (!isDev || !requestContext) return undefined;
-  return requestContext.getStore();
-};
-
-if (isDev) {
-
-  // Simple counter for all DB requests made via this pool. This is intentionally
-  // lightweight.
-  let _dbQueryCount = 0;
-  const _dbQueryLog = [];
-  const _MAX_QUERY_LOG_ENTRIES = 1000;
-
-  const _origQuery = dblogin.query.bind(dblogin);
-
-  dblogin.query = (...args) => {
-    _dbQueryCount++;
-
-    // Track query text for debugging/metrics.
-    // `pg` supports (text, values, callback) or (config, callback).
-    let queryText = '';
-    let queryName = '';
-    let queryValues;
-    try {
-      if (typeof args[0] === 'string') {
-        queryText = args[0];
-        queryValues = Array.isArray(args[1]) ? args[1] : undefined;
-      } else if (args[0] && typeof args[0] === 'object') {
-        queryText = args[0].text || '';
-        queryName = args[0].name || '';
-        queryValues = Array.isArray(args[0].values) ? args[0].values : undefined;
-      }
-    } catch {
-      queryText = '';
-    }
-
-    if (!queryText) {
-      return _origQuery(...args);
-    }
-
-    const startTime = process.hrtime.bigint();
-    const toWorkspacePath = (filePath) => {
-      const rel = path.relative(process.cwd(), filePath) || filePath;
-      return rel.replace(/\\/g, '/');
-    };
-
-    const buildCallsite = () => {
-      try {
-        const stack = new Error().stack || '';
-        const lines = stack.split('\n').map(l => l.trim());
-        // Skip frames from this wrapper and node internals; pick first app frame.
-        const frame = lines.find((line) =>
-          line.startsWith('at ') &&
-          !line.includes('/lib/pool.js') &&
-          !line.includes('node:internal') &&
-          !line.includes('internal/process')
-        );
-
-        if (!frame) return null;
-
-        const withFunc = /^at\s+([^\s(]+)\s+\((.+):([0-9]+):([0-9]+)\)$/.exec(frame);
-        const noFunc = /^at\s+(.+):([0-9]+):([0-9]+)$/.exec(frame);
-
-        if (withFunc) {
-          return {
-            function: withFunc[1],
-            file: toWorkspacePath(withFunc[2]),
-            line: Number(withFunc[3]),
-            column: Number(withFunc[4])
-          };
-        }
-        if (noFunc) {
-          return {
-            function: null,
-            file: toWorkspacePath(noFunc[1]),
-            line: Number(noFunc[2]),
-            column: Number(noFunc[3])
-          };
-        }
-      } catch {
-        return null;
-      }
-      return null;
-    };
-
-    const buildRequestContext = () => {
-      const store = getRequestContext();
-      const req = store?.req;
-      if (!req) return null;
-
-      const user = req.session?.user || null;
-      return {
-        method: req.method,
-        url: req.originalUrl || req.url,
-        ip: req.ip,
-        userId: user?.id || null,
-        username: user?.username || null
-      };
-    };
-
-    const callsiteSnapshot = buildCallsite();
-
-    const recordLog = (success, error) => {
-      const durationMs = Number(process.hrtime.bigint() - startTime) / 1_000_000;
-      const request = buildRequestContext();
-
-      _dbQueryLog.push({
-        time: new Date().toISOString(),
-        query: queryText,
-        name: queryName || undefined,
-        values: queryValues,
-        durationMs,
-        success,
-        error: error ? { message: error.message, code: error.code } : undefined,
-        request,
-        pool: {
-          total: dblogin.totalCount,
-          idle: dblogin.idleCount,
-          waiting: dblogin.waitingCount
-        },
-        callsite: callsiteSnapshot
-      });
-
-      if (_dbQueryLog.length > _MAX_QUERY_LOG_ENTRIES) {
-        _dbQueryLog.shift();
-      }
-    };
-
-    try {
-      const result = _origQuery(...args);
-      if (result && typeof result.then === 'function') {
-        return result
-          .then((res) => {
-            recordLog(true, null);
-            return res;
-          })
-          .catch((err) => {
-            recordLog(false, err);
-            throw err;
-          });
-      }
-
-      recordLog(true, null);
-      return result;
-    } catch (err) {
-      recordLog(false, err);
-      throw err;
-    }
-  };
-
-  // Public helpers
-
-  dblogin.getQueryCount = () => _dbQueryCount;
-  dblogin.resetQueryCount = () => {
-    _dbQueryCount = 0;
-  };
-
-  dblogin.getQueryLog = (options = {}) => {
-    const { limit } = options;
-    if (typeof limit === 'number') {
-      return _dbQueryLog.slice(-limit);
-    }
-    return [..._dbQueryLog];
-  };
-
-  dblogin.resetQueryLog = () => {
-    _dbQueryLog.length = 0;
-  };
-}
-
+/*
 (async () => {
   try {
     const client = await dblogin.connect();
@@ -213,4 +37,5 @@ if (isDev) {
   } catch (err) {
     console.error("[mbkauthe] Database connection error (pool):", err);
   }
-})();
+})();
+*/

package/lib/routes/auth.js

@@ -19,10 +19,13 @@ const router = express.Router();
 
 // Helper function to clear profile picture cache
 function clearProfilePicCache(req, username) {
-  if (req.session && username) {
-    const cacheKey = `profilepic_${username}`;
-    delete req.session[cacheKey];
-  }
+  if (!req || !req.res || !username) return;
+
+  const cookieUsername = req.cookies?.profileImageUser;
+  if (cookieUsername && cookieUsername !== username) return;
+
+  req.res.clearCookie('profileImageUrl', cachedClearCookieOptions);
+  req.res.clearCookie('profileImageUser', cachedClearCookieOptions);
 }
 
 // Rate limiters for auth routes
@@ -285,6 +288,9 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
       }
       // Cache display name client-side to avoid extra DB lookups
       res.cookie("fullName", req.session.user.fullname || username, { ...cachedCookieOptions, httpOnly: false });
+      const profileImageForCookie = loginProfileImage && typeof loginProfileImage === 'string' ? loginProfileImage : 'default';
+      res.cookie('profileImageUrl', profileImageForCookie, { ...cachedCookieOptions, httpOnly: false });
+      res.cookie('profileImageUser', username, { ...cachedCookieOptions, httpOnly: false });
       // Record which method was used to login (client-visible badge)
       if (method && typeof method === 'string') {
         try {
@@ -561,9 +567,6 @@ router.post("/api/verify-2fa", TwoFALimit, csrfProtection, async (req, res) => {
   const shouldTrustDevice = trustDevice === true || trustDevice === 'true';
 
   try {
-    // Use cached allowedApps from preAuthUser to avoid extra database join
-    const cachedAllowedApps = req.session.preAuthUser?.allowedApps;
-
     const query = `SELECT tfa."TwoFASecret" FROM "TwoFA" tfa WHERE tfa."UserName" = $1`;
     const twoFAResult = await dblogin.query({ name: 'verify-2fa-secret', text: query, values: [username] });
 
@@ -574,7 +577,7 @@ router.post("/api/verify-2fa", TwoFALimit, csrfProtection, async (req, res) => {
     }
 
     const sharedSecret = twoFAResult.rows[0].TwoFASecret;
-    const allowedApps = cachedAllowedApps;
+    const allowedApps = req.session.preAuthUser?.allowedApps;
     const tokenValidates = speakeasy.totp.verify({
       secret: sharedSecret,
       encoding: "base32",
@@ -771,6 +774,9 @@ router.post("/api/switch-session", LoginLimit, async (req, res) => {
 
     // Sync sessionId cookie and remember list
     res.cookie('fullName', fullName, { ...cachedCookieOptions, httpOnly: false });
+    const switchProfileForCookie = switchProfileImage && typeof switchProfileImage === 'string' ? switchProfileImage : 'default';
+    res.cookie('profileImageUrl', switchProfileForCookie, { ...cachedCookieOptions, httpOnly: false });
+    res.cookie('profileImageUser', row.UserName, { ...cachedCookieOptions, httpOnly: false });
     const encryptedSid = encryptSessionId(row.sid);
     if (encryptedSid) {
       res.cookie('sessionId', encryptedSid, cachedCookieOptions);