npm - mbkauthe - Versions diffs - 4.8.1 → 4.8.2 - Mend

mbkauthe 4.8.1 → 4.8.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/lib/routes/auth.js +43 -37
package/package.json +1 -1

package/lib/routes/auth.js CHANGED Viewed

@@ -188,55 +188,61 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
       });
     });
-    // Enforce max sessions per user (configurable via mbkautheVar.MAX_SESSIONS_PER_USER) and persist a new application session record (keyed by username)
+    // Enforce max sessions per user (configurable via mbkautheVar.MAX_SESSIONS_PER_USER)
+    // Use a transaction and lock the Sessions table to prevent concurrent logins from exceeding the configured limit.
     const configuredMax = parseInt(mbkautheVar.MAX_SESSIONS_PER_USER, 10);
     const MAX_SESSIONS = Number.isInteger(configuredMax) && configuredMax > 0 ? configuredMax : 5;
-    // Clean up expired sessions + count active sessions in a single round-trip.
-    const countRes = await dblogin.query({
-      name: 'cleanup-and-count-user-sessions',
-      text: `
-        WITH deleted AS (
-          DELETE FROM "Sessions"
+    const dbClient = await dblogin.connect();
+    let dbSessionId;
+    try {
+      await dbClient.query('BEGIN');
+      await dbClient.query('LOCK TABLE "Sessions" IN SHARE ROW EXCLUSIVE MODE');
+      // Clean up expired sessions + count active sessions in a single round-trip.
+      const countRes = await dbClient.query({
+        name: 'cleanup-and-count-user-sessions',
+        text: `
+          WITH deleted AS (
+            DELETE FROM "Sessions"
+            WHERE "UserName" = $1
+              AND expires_at IS NOT NULL
+              AND expires_at <= NOW()
+          )
+          SELECT COUNT(*)::int AS count
+          FROM "Sessions"
           WHERE "UserName" = $1
-            AND expires_at IS NOT NULL
-            AND expires_at <= NOW()
-        )
-        SELECT COUNT(*)::int AS count
-        FROM "Sessions"
-        WHERE "UserName" = $1
-      `,
-      values: [username]
-    });
-    const currentSessions = Number(countRes.rows?.[0]?.count ?? 0);
-    // If we have MAX_SESSIONS or more, delete oldest to make room for exactly 1 new session
-    if (currentSessions >= MAX_SESSIONS) {
-      const sessionsToDelete = currentSessions - MAX_SESSIONS + 1; // +1 to make room for new session
-      console.log(`[mbkauthe] User "${username}" has ${currentSessions} active sessions, exceeding max of ${MAX_SESSIONS}. Deleting ${sessionsToDelete} oldest sessions.`);
-      await dblogin.query({
-        name: 'prune-oldest-user-session',
-        // Expired sessions were already removed above; remaining rows are active.
-        text: `DELETE FROM "Sessions" WHERE id IN (SELECT id FROM "Sessions" WHERE "UserName" = $1 ORDER BY created_at ASC LIMIT $2)`,
-        values: [username, sessionsToDelete]
+        `,
+        values: [username]
       });
-    }
-    const expiresAt = new Date(Date.now() + (cachedCookieOptions.maxAge || 0));
+      const currentSessions = Number(countRes.rows?.[0]?.count ?? 0);
+      if (currentSessions >= MAX_SESSIONS) {
+        const sessionsToDelete = currentSessions - MAX_SESSIONS + 1; // +1 to make room for new session
+        console.log(`[mbkauthe] User "${username}" has ${currentSessions} active sessions, exceeding max of ${MAX_SESSIONS}. Deleting ${sessionsToDelete} oldest sessions.`);
-    // Insert new session record for the user.
-    let dbSessionId;
-    try {
-      const insertRes = await dblogin.query({
+        await dbClient.query({
+          name: 'prune-oldest-user-session',
+          text: `DELETE FROM "Sessions" WHERE id IN (SELECT id FROM "Sessions" WHERE "UserName" = $1 ORDER BY created_at ASC LIMIT $2)`,
+          values: [username, sessionsToDelete]
+        });
+      }
+      const expiresAt = new Date(Date.now() + (cachedCookieOptions.maxAge || 0));
+      const insertRes = await dbClient.query({
         name: 'insert-app-session',
         text: `INSERT INTO "Sessions" ("UserName", expires_at, meta) VALUES ($1, $2, $3) RETURNING id`,
         values: [username, expiresAt, JSON.stringify({ ip: req.ip, ua: req.headers['user-agent'] || null })]
       });
       dbSessionId = insertRes.rows[0].id;
-    } catch (insertErr) {
-      console.error('[mbkauthe] Error inserting app session:', insertErr);
-      throw insertErr;
+      await dbClient.query('COMMIT');
+    } catch (err) {
+      await dbClient.query('ROLLBACK').catch(() => {});
+      console.error('[mbkauthe] Error enforcing session limit or inserting app session:', err);
+      throw err;
+    } finally {
+      dbClient.release();
     }
     // Update last_login and fetch FullName/Image in a single query.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "mbkauthe",
-  "version": "4.8.1",
+  "version": "4.8.2",
   "description": "MBKTech's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",