mbkauthe 4.8.2 → 4.8.4

package/lib/routes/auth.js

@@ -93,7 +93,7 @@ async function invalidateDbSession(sessionId) {
   try {
     await dblogin.query({ name: 'invalidate-app-session', text: 'DELETE FROM "Sessions" WHERE id = $1', values: [sessionId] });
   } catch (err) {
-    console.error('[mbkauthe] Error invalidating session:', err);
+    console.error(`[mbkauthe] Error invalidating session:`, err);
   }
 }
 
@@ -153,7 +153,7 @@ export async function checkTrustedDevice(req, username) {
       };
     }
   } catch (deviceErr) {
-    console.error("[mbkauthe] Error checking trusted device:", deviceErr);
+    console.error(`[mbkauthe] Error checking trusted device:`, deviceErr);
   }
 
   return null;
@@ -239,7 +239,7 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
       await dbClient.query('COMMIT');
     } catch (err) {
       await dbClient.query('ROLLBACK').catch(() => {});
-      console.error('[mbkauthe] Error enforcing session limit or inserting app session:', err);
+      console.error(`[mbkauthe] Error enforcing session limit or inserting app session:`, err);
       throw err;
     } finally {
       dbClient.release();
@@ -255,7 +255,7 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
       });
       profileRow = profUpdateRes.rows?.[0] || null;
     } catch (profileUpdateErr) {
-      console.error('[mbkauthe] Error updating last_login/returning profile:', profileUpdateErr);
+      console.error(`[mbkauthe] Error updating last_login/returning profile:`, profileUpdateErr);
     }
 
     req.session.user = {
@@ -287,7 +287,7 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
           if (profileResult.rows[0].Image && profileResult.rows[0].Image.trim() !== '') loginProfileImage = profileResult.rows[0].Image;
         }
       } catch (profileErr) {
-        console.error("[mbkauthe] Error fetching FullName/Image for user:", profileErr);
+        console.error(`[mbkauthe] Error fetching FullName/Image for user:`, profileErr);
       }
     }
 
@@ -297,7 +297,7 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
 
     req.session.save(async (err) => {
       if (err) {
-        console.error("[mbkauthe] Session save error:", err);
+        console.error(`[mbkauthe] Session save error:`, err);
         return res.status(500).json({ success: false, message: "Internal Server Error" });
       }
 
@@ -316,7 +316,7 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
         try {
           res.cookie('lastLoginMethod', method, { ...cachedCookieOptions, httpOnly: false });
         } catch (err) {
-          console.error('[mbkauthe] Failed to set lastLoginMethod cookie:', err);
+          console.error(`[mbkauthe] Failed to set lastLoginMethod cookie:`, err);
         }
       }
 
@@ -351,7 +351,7 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
           res.cookie("device_token", deviceToken, getDeviceTokenCookieOptions());
           console.log(`[mbkauthe] Trusted device token created for user: ${username}`);
         } catch (deviceErr) {
-          console.error("[mbkauthe] Error creating trusted device:", deviceErr);
+          console.error(`[mbkauthe] Error creating trusted device:`, deviceErr);
           // Continue with login even if device trust fails
         }
       }
@@ -371,14 +371,14 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
       res.status(200).json(responsePayload);
     });
   } catch (err) {
-    console.error("[mbkauthe] Error during login completion:", err);
+    console.error(`[mbkauthe] Error during login completion:`, err);
     res.status(500).json({ success: false, message: "Internal Server Error" });
   }
 }
 
 // POST /mbkauthe/api/login
 router.post("/api/login", LoginLimit, async (req, res) => {
-  console.log("[mbkauthe] Login request received");
+  console.log(`[mbkauthe] Login request received`);
 
   const { username, password, redirect } = req.body;
 
@@ -415,7 +415,7 @@ router.post("/api/login", LoginLimit, async (req, res) => {
   try {
     // Combined query: fetch user data and 2FA status in one query
     const userQuery = `
-      SELECT u.id, u."UserName", u."Password", u."PasswordEnc", u."Active", u."Role", u."AllowedApps",
+      SELECT u.id, u."UserName", u."PasswordEnc", u."Active", u."Role", u."AllowedApps",
              tfa."TwoFAStatus"
       FROM "Users" u
       LEFT JOIN "TwoFA" tfa ON u."UserName" = tfa."UserName"
@@ -432,25 +432,13 @@ router.post("/api/login", LoginLimit, async (req, res) => {
 
     const user = userResult.rows[0];
 
-    // Validate user has password field
-    if (!user.Password && !user.PasswordEnc) {
-      console.error("[mbkauthe] User account has no password set");
-      return res.status(500).json({ success: false, message: "Internal Server Error" });
-    }
-
-    // Check password based on EncPass configuration - ALWAYS validate password first
+    // Password verification (hash-only). We never read/compare plaintext passwords.
     let passwordMatches = false;
-    if (mbkautheVar.EncPass === "true" || mbkautheVar.EncPass === true) {
-      // Use encrypted password comparison
-      if (user.PasswordEnc) {
-        const hashedInputPassword = hashPassword(password, user.UserName);
-        passwordMatches = user.PasswordEnc === hashedInputPassword;
-      }
-    } else {
-      // Use raw password comparison
-      if (user.Password) {
-        passwordMatches = user.Password === password;
-      }
+    if (user.PasswordEnc) {
+      const hashedInputPassword = hashPassword(password, user.UserName);
+      const stored = Buffer.from(String(user.PasswordEnc), 'utf8');
+      const computed = Buffer.from(String(hashedInputPassword), 'utf8');
+      passwordMatches = stored.length === computed.length && crypto.timingSafeEqual(stored, computed);
     }
 
     if (!passwordMatches) {
@@ -523,7 +511,7 @@ router.post("/api/login", LoginLimit, async (req, res) => {
     await completeLoginProcess(req, res, userForSession, requestedRedirect, false, 'password');
 
   } catch (err) {
-    console.error("[mbkauthe] Error during login process:", err);
+    console.error(`[mbkauthe] Error during login process:`, err);
     res.status(500).json({ success: false, message: "Internal Server Error" });
   }
 });
@@ -627,7 +615,7 @@ router.post("/api/verify-2fa", TwoFALimit, csrfProtection, async (req, res) => {
     await completeLoginProcess(req, res, userForSession, redirectUrl, shouldTrustDevice, methodToUse);
 
   } catch (err) {
-    console.error("[mbkauthe] Error during 2FA verification:", err);
+    console.error(`[mbkauthe] Error during 2FA verification:`, err);
     res.status(500).json({ success: false, message: "Internal Server Error" });
   }
 });
@@ -660,7 +648,7 @@ router.post("/api/logout", LogoutLimit, async (req, res) => {
 
       req.session.destroy((err) => {
         if (err) {
-          console.error("[mbkauthe] Error destroying session:", err);
+          console.error(`[mbkauthe] Error destroying session:`, err);
           return res.status(500).json({ success: false, message: "Logout failed" });
         }
 
@@ -670,7 +658,7 @@ router.post("/api/logout", LogoutLimit, async (req, res) => {
         res.status(200).json({ success: true, message: "Logout successful" });
       });
     } catch (err) {
-      console.error("[mbkauthe] Database query error during logout:", err);
+      console.error(`[mbkauthe] Database query error during logout:`, err);
       res.status(500).json({ success: false, message: "Internal Server Error" });
     }
   } else {
@@ -716,7 +704,7 @@ router.get("/api/account-sessions", LoginLimit, async (req, res) => {
             if (!acct.image && prof.rows[0].Image && prof.rows[0].Image.trim() !== '') image = prof.rows[0].Image;
           }
         } catch (profileErr) {
-          console.error('[mbkauthe] Error fetching fullname/image for account list:', profileErr);
+          console.error(`[mbkauthe] Error fetching fullname/image for account list:`, profileErr);
         }
       }
 
@@ -728,7 +716,7 @@ router.get("/api/account-sessions", LoginLimit, async (req, res) => {
         isCurrent: currentSessionId && row.sid === currentSessionId
       });
     } catch (err) {
-      console.error('[mbkauthe] Error validating remembered account:', err);
+      console.error(`[mbkauthe] Error validating remembered account:`, err);
     }
   }
 
@@ -770,7 +758,7 @@ router.post("/api/switch-session", LoginLimit, async (req, res) => {
         if (prof.rows[0].Image && prof.rows[0].Image.trim() !== '') switchProfileImage = prof.rows[0].Image;
       }
     } catch (profileErr) {
-      console.error('[mbkauthe] Error fetching fullname/image during switch:', profileErr);
+      console.error(`[mbkauthe] Error fetching fullname/image during switch:`, profileErr);
     }
 
     // Regenerate session to avoid fixation
@@ -814,7 +802,7 @@ router.post("/api/switch-session", LoginLimit, async (req, res) => {
       redirect: safeRedirect
     });
   } catch (err) {
-    console.error('[mbkauthe] Error during session switch:', err);
+    console.error(`[mbkauthe] Error during session switch:`, err);
     return res.status(500).json(createErrorResponse(500, ErrorCodes.INTERNAL_SERVER_ERROR));
   }
 });
@@ -846,7 +834,7 @@ router.post("/api/logout-all", LoginLimit, async (req, res) => {
 
     return res.json({ success: true, message: 'All accounts logged out' });
   } catch (err) {
-    console.error('[mbkauthe] Error during logout-all:', err);
+    console.error(`[mbkauthe] Error during logout-all:`, err);
     return res.status(500).json(createErrorResponse(500, ErrorCodes.INTERNAL_SERVER_ERROR));
   }
 });

package/lib/routes/dbLogs.js

@@ -45,7 +45,7 @@ router.get(["/db.json"], LogLimit, async (req, res) => {
 
     return res.json({ queryCount, queryLimit, queryLog, isDev });
   } catch (err) {
-    console.error('[mbkauthe] /db.json route error:', err);
+    console.error(`[mbkauthe] /db.json route error:`, err);
     return res.status(500).json({ success: false, message: 'Could not fetch DB stats.' });
   }
 });
@@ -70,7 +70,7 @@ router.post(["/db/reset"], LogLimit, async (req, res) => {
 
     return res.json({ success: true, message: 'Query log and count have been reset.' });
   } catch (err) {
-    console.error('[mbkauthe] /db/reset route error:', err);
+    console.error(`[mbkauthe] /db/reset route error:`, err);
     return res.status(500).json({ success: false, message: 'Could not reset DB stats.' });
   }
 });
@@ -90,7 +90,7 @@ router.get(["/db"], LogLimit, async (req, res) => {
       disabledMessage: isDev ? null : 'DB logs are disabled.'
     });
   } catch (err) {
-    console.error('[mbkauthe] /db route error:', err);
+    console.error(`[mbkauthe] /db route error:`, err);
     return renderError(res, req, {
       layout: false,
       code: 500,

package/lib/routes/misc.js

@@ -3,7 +3,7 @@ import fetch from 'node-fetch';
 import rateLimit from 'express-rate-limit';
 import { mbkautheVar, packageJson, appVersion } from "#config.js";
 import { renderError, renderPage } from "#response.js";
-import { authenticate, validateSession, validateSessionAndRole } from "../middleware/auth.js";
+import { authenticate, sessVal, sessRole } from "../middleware/auth.js";
 import { ErrorCodes, ErrorMessages, createErrorResponse } from "../utils/errors.js";
 import { dblogin } from "#pool.js";
 import { clearSessionCookies, decryptSessionId, cachedCookieOptions } from "#cookies.js";
@@ -60,7 +60,7 @@ router.get("/bg.webp", (req, res) => {
   res.setHeader('Cache-Control', 'public, max-age=31536000');
   const stream = fs.createReadStream(imgPath);
   stream.on('error', (err) => {
-    console.error('[mbkauthe] Error streaming bg.webp:', err);
+    console.error(`[mbkauthe] Error streaming bg.webp:`, err);
     res.status(404).send('Image not found');
   });
   stream.pipe(res);
@@ -78,7 +78,7 @@ router.get('/user/profilepic', async (req, res) => {
     }
     const stream = fs.createReadStream(iconPath);
     stream.on('error', (err) => {
-      console.error('[mbkauthe] Error streaming icon.svg:', err);
+      console.error(`[mbkauthe] Error streaming icon.svg:`, err);
       res.status(404).send('Icon not found');
     });
     stream.pipe(res);
@@ -152,21 +152,21 @@ router.get('/user/profilepic', async (req, res) => {
 
       imageResponse.body.pipe(res);
     } catch (fetchErr) {
-      console.error('[mbkauthe] Error fetching external profile picture:', fetchErr);
+      console.error(`[mbkauthe] Error fetching external profile picture:`, fetchErr);
       res.cookie('profileImageUrl', 'default', { ...cachedCookieOptions, httpOnly: false });
       res.cookie('profileImageUser', username, { ...cachedCookieOptions, httpOnly: false });
       return serveDefaultIcon();
     }
 
   } catch (err) {
-    console.error('[mbkauthe] Error fetching profile picture:', err);
+    console.error(`[mbkauthe] Error fetching profile picture:`, err);
     return serveDefaultIcon();
   }
 });
 
 if (process.env.env === 'dev') {
   // Dev-only diagnostic endpoint to verify SuperAdmin role enforcement
-  router.get(['/validate-superadmin'], validateSessionAndRole("SuperAdmin"), LoginLimit, async (req, res) => {
+  router.get(['/validate-superadmin'], sessRole("SuperAdmin"), LoginLimit, async (req, res) => {
     try {
       const user = req.session?.user || null;
       return res.json({
@@ -180,14 +180,14 @@ if (process.env.env === 'dev') {
         } : null
       });
     } catch (err) {
-      console.error('[mbkauthe] debug validate-superadmin error:', err);
+      console.error(`[mbkauthe] debug validate-superadmin error:`, err);
       return res.status(500).json(createErrorResponse(500, ErrorCodes.INTERNAL_SERVER_ERROR));
     }
   });
 }
 
 // Test route
-router.get(['/test', '/'], validateSession, LoginLimit, async (req, res) => {
+router.get(['/test', '/'], sessVal, LoginLimit, async (req, res) => {
   const { username, fullname, role, id, sessionId, allowedApps } = req.session.user;
 
   const sessionExpiry = req.session.cookie?.expires
@@ -208,7 +208,7 @@ router.get(['/test', '/'], validateSession, LoginLimit, async (req, res) => {
   });
 });
 
-router.post('/test', validateSession, LoginLimit, async (req, res) => {
+router.post('/test', sessVal, LoginLimit, async (req, res) => {
   if (req.session?.user) {
     return res.json({ success: true, message: "You are logged in" });
   }
@@ -266,7 +266,7 @@ router.get('/api/checkSession', LoginLimit, async (req, res) => {
 
     return res.status(200).json({ sessionValid: true, expiry });
   } catch (err) {
-    console.error('[mbkauthe] checkSession error:', err);
+    console.error(`[mbkauthe] checkSession error:`, err);
     return res.status(200).json({ sessionValid: false, expiry: null });
   }
 });
@@ -342,7 +342,7 @@ router.post('/api/checkSession', LoginLimit, async (req, res) => {
     const expiry = row.expires_at ? new Date(row.expires_at).toISOString() : null;
     return res.status(200).json({ sessionValid: true, expiry });
   } catch (err) {
-    console.error('[mbkauthe] checkSession (body) error:', err);
+    console.error(`[mbkauthe] checkSession (body) error:`, err);
     return res.status(200).json({ sessionValid: false, expiry: null });
   }
 });
@@ -374,7 +374,7 @@ router.post('/api/verifySession', LoginLimit, async (req, res) => {
     const expiry = row.expires_at ? new Date(row.expires_at).toISOString() : null;
     return res.status(200).json({ valid: true, expiry, username: row.UserName, role: row.Role });
   } catch (err) {
-    console.error('[mbkauthe] verifySession error:', err);
+    console.error(`[mbkauthe] verifySession error:`, err);
     return res.status(200).json({ valid: false, expiry: null });
   }
 });
@@ -465,7 +465,7 @@ router.get("/ErrorCode", (req, res) => {
       errorCategories: categoriesWithErrors
     });
   } catch (err) {
-    console.error("[mbkauthe] Error rendering error codes page:", err);
+    console.error(`[mbkauthe] Error rendering error codes page:`, err);
     return renderError(res, req, {
       layout: false,
       code: 500,
@@ -488,7 +488,7 @@ export async function getLatestVersion() {
     const latestPackageJson = await response.json();
     return typeof latestPackageJson.version === 'string' ? latestPackageJson.version : null;
   } catch (error) {
-    console.error('[mbkauthe] Error fetching latest version from GitHub');
+    console.error(`[mbkauthe] Error fetching latest version from GitHub`, error);
     return null;
   }
 }
@@ -503,7 +503,7 @@ export async function checkVersion() {
         } else if (hasValidLatest) {
             console.info(`[mbkauthe] Running latest version (${packageJson.version}).`);
         } else {
-            console.info('[mbkauthe] Skipped version check warning: latest version unavailable.');
+            console.info(`[mbkauthe] Skipped version check warning: latest version unavailable.`);
         }
     } catch (error) {
         console.warn(`[mbkauthe] Failed to check for updates: ${error.message}`);
@@ -520,7 +520,7 @@ router.get(["/info", "/i"], LoginLimit, async (req, res) => {
   try {
     latestVersion = await getLatestVersion();
   } catch (err) {
-    console.error("[mbkauthe] Error fetching package-lock.json:", err);
+    console.error(`[mbkauthe] Error fetching package-lock.json:`, err);
   }
 
   try {
@@ -531,7 +531,7 @@ router.get(["/info", "/i"], LoginLimit, async (req, res) => {
       latestVersion
     });
   } catch (err) {
-    console.error("[mbkauthe] Error fetching version information:", err);
+    console.error(`[mbkauthe] Error fetching version information:`, err);
     res.status(500).send(`
             <html>
                 <head>
@@ -551,13 +551,13 @@ router.get(["/info.json", "/i.json"], LoginLimit, async (req, res) => {
   try {
     latestVersion = await getLatestVersion();
   } catch (err) {
-    console.error("[mbkauthe] Error fetching package-lock.json:", err);
+    console.error(`[mbkauthe] Error fetching package-lock.json:`, err);
   }
 
   try {
     res.json({ mbkautheVar: safe_mbkautheVar, CurrentVersion: packageJson.version, APP_VERSION: appVersion, latestVersion });
   } catch (err) {
-    console.error("[mbkauthe] Error fetching version information:", err);
+    console.error(`[mbkauthe] Error fetching version information:`, err);
     res.status(500).json({ success: false, message: "Failed to fetch version information" });
   }
 });
@@ -579,20 +579,20 @@ router.post("/api/terminateAllSessions", AdminOperationLimit, authenticate(mbkau
 
     req.session.destroy((err) => {
       if (err) {
-        console.log("[mbkauthe] Error destroying session:", err);
+        console.log(`[mbkauthe] Error destroying session:`, err);
         return res.status(500).json({ success: false, message: "Failed to terminate sessions" });
       }
 
       clearSessionCookies(res);
 
-      console.log("[mbkauthe] All sessions terminated successfully");
+      console.log(`[mbkauthe] All sessions terminated successfully`);
       res.status(200).json({
         success: true,
         message: "All sessions terminated successfully",
       });
     });
   } catch (err) {
-    console.error("[mbkauthe] Database query error during session termination:", err);
+    console.error(`[mbkauthe] Database query error during session termination:`, err);
     res.status(500).json({ success: false, message: "Internal Server Error" });
   }
 });

package/lib/utils/timingSafeToken.js

@@ -0,0 +1,35 @@
+import { createHash, timingSafeEqual } from "node:crypto";
+
+export function extractAuthorizationToken(authorizationHeader) {
+  if (typeof authorizationHeader !== "string") return "";
+
+  const raw = authorizationHeader.trim();
+  if (!raw) return "";
+
+  const bearerMatch = /^bearer\s+(.+)$/i.exec(raw);
+  if (bearerMatch) return bearerMatch[1].trim();
+
+  return raw;
+}
+
+function sha256Buffer(value) {
+  return createHash("sha256").update(value, "utf8").digest();
+}
+
+/**
+ * Constant-time comparison of two strings by hashing them first.
+ *
+ * Notes:
+ * - Always computes both hashes (32 bytes each) and uses timingSafeEqual.
+ * - Returns false when expectedToken is empty/unset.
+ */
+export function timingSafeTokenMatch(providedToken, expectedToken) {
+  const provided = typeof providedToken === "string" ? providedToken : "";
+  const expected = typeof expectedToken === "string" ? expectedToken : "";
+
+  const providedHash = sha256Buffer(provided);
+  const expectedHash = sha256Buffer(expected);
+
+  const matches = timingSafeEqual(providedHash, expectedHash);
+  return matches && expected.length > 0;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mbkauthe",
-  "version": "4.8.2",
+  "version": "4.8.4",
   "description": "MBKTech's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",

package/public/main.js

@@ -25,7 +25,7 @@ async function logout() {
       alert(result.message);
     }
   } catch (error) {
-    console.error("[mbkauthe] Error during logout:", error);
+    console.error(`[mbkauthe] Error during logout:`, error);
     alert(`Logout failed: ${error.message}`);
   }
 }
@@ -67,7 +67,7 @@ async function selectiveCacheClear() {
     window.location.reload();
 
   } catch (error) {
-    console.error('[mbkauthe] selective cache clear failed:', error);
+    console.error(`[mbkauthe] selective cache clear failed:`, error);
     window.location.reload();
   }
 }
@@ -86,7 +86,7 @@ function checkSession() {
         window.location.reload(); // Reload the page to update the session status
       }
     })
-    .catch((error) => console.error("[mbkauthe] Error checking session:", error));
+    .catch((error) => console.error(`[mbkauthe] Error checking session:`, error));
 }
 // Call validateSession every 2 minutes (120000 milliseconds)
 // setInterval(checkSession, validateSessionInterval);

package/views/Error/dError.handlebars

@@ -312,7 +312,7 @@
                 setTimeout(() => { copyBtn.innerHTML = orig; }, 2000);
               }
             } catch (err) {
-              console.error('[mbkauthe] Failed to copy: ', err);
+              console.error(`[mbkauthe] Failed to copy:`, err);
             }
           });
         }

package/views/pages/2fa.handlebars

@@ -84,6 +84,7 @@
             try {
                 const response = await fetch('/mbkauthe/api/verify-2fa', {
                     method: 'POST',
+                    credentials: 'include',
                     headers: {
                         'Content-Type': 'application/json'
                     },

package/views/pages/accountSwitch.handlebars

@@ -362,7 +362,7 @@
                     emptyStateLink.href = `/mbkauthe/login${encoded ? `?redirect=${encoded}` : ''}`;
                 }
             } catch (err) {
-                console.error('[mbkauthe] Failed to set login hrefs with redirect query param:', err);
+                console.error(`[mbkauthe] Failed to set login hrefs with redirect query param:`, err);
             }
         })();
 
@@ -468,7 +468,7 @@
                 });
 
             } catch (err) {
-                console.error('[mbkauthe] Failed to load accounts:', err);
+                console.error(`[mbkauthe] Failed to load accounts:`, err);
                 list.innerHTML = '<div class="empty-state">Failed to load accounts.</div>';
             }
         }
@@ -501,7 +501,7 @@
                     loadAccounts();
                 }
             } catch (err) {
-                console.error('[mbkauthe] Switch failed:', err);
+                console.error(`[mbkauthe] Switch failed:`, err);
                 showMessage('Could not switch account right now. Please try again.', 'Switch Account');
             }
         }
@@ -521,7 +521,7 @@
                     showMessage(data.message || 'Could not sign out all accounts', 'Sign out');
                 }
             } catch (err) {
-                console.error('[mbkauthe] Sign-out-all failed:', err);
+                console.error(`[mbkauthe] Sign-out-all failed:`, err);
                 showMessage('Could not sign out all accounts right now. Please try again.', 'Sign out');
             }
         }

package/views/pages/loginmbkauthe.handlebars

@@ -287,6 +287,7 @@
             const pageRedirect = new URLSearchParams(window.location.search).get('redirect');
             fetch('/mbkauthe/api/login', {
                 method: 'POST',
+                credentials: 'include',
                 headers: {
                     'Content-Type': 'application/json'
                 },
@@ -326,7 +327,7 @@
                 .catch(error => {
                     loginButton.disabled = false;
                     loginButtonText.textContent = 'Login';
-                    console.error('[mbkauthe] Error:', error);
+                    console.error(`[mbkauthe] Error:`, error);
                     showMessage('An error occurred. Please try again.', 'Login Error');
                 });
         });

package/views/profilemenu.handlebars

@@ -277,7 +277,7 @@
                         alert(result.message || 'Logout failed. Please try again.');
                     }
                 } catch (error) {
-                    console.error('[mbkauthe] Error during logout:', error);
+                    console.error(`[mbkauthe] Error during logout:`, error);
                     alert('Logout failed. Please try again.');
                 } finally {
                     logoutButton.disabled = false;
@@ -299,7 +299,7 @@
                 switchAccountLink.href = baseHref + encodeURIComponent(currentUrl);
             } catch (err) {
                 // non-fatal, but log for debugging
-                console.error('[mbkauthe] Failed to set redirect URL for switch account link', err);
+                console.error(`[mbkauthe] Failed to set redirect URL for switch account link`, err);
             }
         })();
     })();