mbkauthe 4.8.4 → 4.9.0

package/lib/middleware/index.js

@@ -4,6 +4,7 @@ const PgSession = pgSession(session);
 import { dblogin, runWithRequestContext } from "#pool.js";
 import { mbkautheVar } from "#config.js";
 import { cachedCookieOptions, decryptSessionId, encryptSessionId } from "#cookies.js";
+import { AuthRepository } from "../db/AuthRepository.js";
 
 // Session configuration
 export const sessionConfig = {
@@ -33,6 +34,8 @@ export const sessionConfig = {
   name: 'mbkauthe.sid'
 };
 
+const authRepo = new AuthRepository({ db: dblogin });
+
 // CORS middleware
 export function corsMiddleware(req, res, next) {
   const origin = req.headers.origin;
@@ -77,14 +80,9 @@ export async function sessionRestorationMiddleware(req, res, next) {
 
     try {
       // Validate session by DB primary key id and join to user
-      const query = `SELECT u.id, u."UserName", u."Active", u."Role", u."AllowedApps", s.expires_at
-                     FROM "Sessions" s
-                     JOIN "Users" u ON s."UserName" = u."UserName"
-                     WHERE s.id = $1 LIMIT 1`;
-      const result = await dblogin.query({ name: 'restore-user-session', text: query, values: [sessionId] });
+      const row = await authRepo.getSessionWithUserById(sessionId, 'restore-user-session');
 
-      if (result.rows.length > 0) {
-        const row = result.rows[0];
+      if (row) {
 
         // Reject expired sessions or inactive users
         if ((row.expires_at && new Date(row.expires_at) <= new Date()) || !row.Active) {
@@ -105,13 +103,9 @@ export async function sessionRestorationMiddleware(req, res, next) {
           } else {
             // Fallback: attempt to fetch FullName from Users to populate session
             try {
-              const profileRes = await dblogin.query({
-                name: 'restore-get-fullname',
-                text: 'SELECT "FullName" FROM "Users" WHERE "UserName" = $1 LIMIT 1',
-                values: [row.UserName]
-              });
-              if (profileRes.rows.length > 0 && profileRes.rows[0].FullName) {
-                req.session.user.fullname = profileRes.rows[0].FullName;
+              const profileRes = await authRepo.getUserFullNameByUsername(row.UserName, 'restore-get-fullname');
+              if (profileRes && profileRes.FullName) {
+                req.session.user.fullname = profileRes.FullName;
               }
             } catch (profileErr) {
               console.error(`[mbkauthe] Error fetching FullName during session restore:`, profileErr);

package/lib/routes/auth.js

@@ -14,8 +14,10 @@ import {
 import { packageJson } from "#config.js";
 import { hashPassword, hashApiToken } from "#config.js";
 import { ErrorCodes, createErrorResponse, logError } from "../utils/errors.js";
+import { AuthRepository } from "../db/AuthRepository.js";
 
 const router = express.Router();
+const authRepo = new AuthRepository({ db: dblogin });
 
 // Helper function to clear profile picture cache
 function clearProfilePicCache(req, username) {
@@ -68,13 +70,8 @@ const csrfProtection = csurf({ cookie: true });
 // Helper: load a session by DB id and validate basics
 async function fetchActiveSession(sessionId) {
   if (!sessionId || typeof sessionId !== 'string') return null;
-  const query = `SELECT s.id as sid, s.expires_at, u.id as uid, u."UserName", u."Active", u."Role", u."AllowedApps"
-                 FROM "Sessions" s
-                 JOIN "Users" u ON s."UserName" = u."UserName"
-                 WHERE s.id = $1 LIMIT 1`;
-  const result = await dblogin.query({ name: 'multi-session-fetch', text: query, values: [sessionId] });
-  if (result.rows.length === 0) return null;
-  const row = result.rows[0];
+  const row = await authRepo.fetchActiveSession(sessionId);
+  if (!row) return null;
   if ((row.expires_at && new Date(row.expires_at) <= new Date()) || !row.Active) return null;
   if (row.Role !== 'SuperAdmin') {
     const allowedApps = row.AllowedApps;
@@ -91,7 +88,7 @@ const isUuid = (val) => typeof val === 'string' && /^[0-9a-f]{8}-[0-9a-f]{4}-[0-
 async function invalidateDbSession(sessionId) {
   if (!isUuid(sessionId)) return;
   try {
-    await dblogin.query({ name: 'invalidate-app-session', text: 'DELETE FROM "Sessions" WHERE id = $1', values: [sessionId] });
+    await authRepo.deleteAppSessionById(sessionId);
   } catch (err) {
     console.error(`[mbkauthe] Error invalidating session:`, err);
   }
@@ -111,25 +108,9 @@ export async function checkTrustedDevice(req, username) {
     // Hash the provided device token before querying DB (we store token hashes in DB)
     const deviceTokenHash = hashDeviceToken(deviceToken);
     // Single round-trip: validate trusted device AND refresh LastUsed.
-    const deviceQuery = `
-      UPDATE "TrustedDevices" td
-      SET "LastUsed" = NOW()
-      FROM "Users" u
-      WHERE td."DeviceToken" = $1
-        AND td."UserName" = $2
-        AND td."ExpiresAt" > NOW()
-        AND u."UserName" = td."UserName"
-        AND u."Active" = TRUE
-      RETURNING td."UserName", td."ExpiresAt", u."id" as id, u."Active", u."Role", u."AllowedApps"
-    `;
-    const deviceResult = await dblogin.query({
-      name: 'check-trusted-device',
-      text: deviceQuery,
-      values: [deviceTokenHash, username]
-    });
+    const deviceUser = await authRepo.touchTrustedDevice(deviceTokenHash, username);
 
-    if (deviceResult.rows.length > 0) {
-      const deviceUser = deviceResult.rows[0];
+    if (deviceUser) {
 
       if (!deviceUser.Active) {
         console.log(`[mbkauthe] Trusted device check: inactive account for username: ${username}`);
@@ -174,11 +155,7 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
     const oldSessionId = req.sessionID;
 
     // Delete old session first to prevent session fixation attacks
-    await dblogin.query({
-      name: 'login-delete-old-session-before-regen',
-      text: 'DELETE FROM "session" WHERE sid = $1',
-      values: [oldSessionId]
-    });
+    await authRepo.deleteSessionBySid(oldSessionId);
 
     // Now regenerate with new session ID (timing window closed)
     await new Promise((resolve, reject) => {
@@ -193,67 +170,40 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
     const configuredMax = parseInt(mbkautheVar.MAX_SESSIONS_PER_USER, 10);
     const MAX_SESSIONS = Number.isInteger(configuredMax) && configuredMax > 0 ? configuredMax : 5;
 
-    const dbClient = await dblogin.connect();
     let dbSessionId;
     try {
-      await dbClient.query('BEGIN');
-      await dbClient.query('LOCK TABLE "Sessions" IN SHARE ROW EXCLUSIVE MODE');
-
-      // Clean up expired sessions + count active sessions in a single round-trip.
-      const countRes = await dbClient.query({
-        name: 'cleanup-and-count-user-sessions',
-        text: `
-          WITH deleted AS (
-            DELETE FROM "Sessions"
-            WHERE "UserName" = $1
-              AND expires_at IS NOT NULL
-              AND expires_at <= NOW()
-          )
-          SELECT COUNT(*)::int AS count
-          FROM "Sessions"
-          WHERE "UserName" = $1
-        `,
-        values: [username]
-      });
+      await authRepo.withTransaction(async (txRepo) => {
+        await txRepo.lockTable("Sessions", "SHARE ROW EXCLUSIVE");
+        const currentSessions = await txRepo.cleanupAndCountUserSessions(username);
+        if (currentSessions >= MAX_SESSIONS) {
+          const sessionsToDelete = currentSessions - MAX_SESSIONS + 1; // +1 to make room for new session
+          console.log(`[mbkauthe] User "${username}" has ${currentSessions} active sessions, exceeding max of ${MAX_SESSIONS}. Deleting ${sessionsToDelete} oldest sessions.`);
+
+          await txRepo.deleteOldestSessionsForUser(username, sessionsToDelete, "prune-oldest-user-session");
+        }
 
-      const currentSessions = Number(countRes.rows?.[0]?.count ?? 0);
-      if (currentSessions >= MAX_SESSIONS) {
-        const sessionsToDelete = currentSessions - MAX_SESSIONS + 1; // +1 to make room for new session
-        console.log(`[mbkauthe] User "${username}" has ${currentSessions} active sessions, exceeding max of ${MAX_SESSIONS}. Deleting ${sessionsToDelete} oldest sessions.`);
+        const expiresAt = new Date(Date.now() + (cachedCookieOptions.maxAge || 0));
+        const insertedSession = await txRepo.insertAppSession(
+          username,
+          expiresAt,
+          JSON.stringify({ ip: req.ip, ua: req.headers['user-agent'] || null })
+        );
 
-        await dbClient.query({
-          name: 'prune-oldest-user-session',
-          text: `DELETE FROM "Sessions" WHERE id IN (SELECT id FROM "Sessions" WHERE "UserName" = $1 ORDER BY created_at ASC LIMIT $2)`,
-          values: [username, sessionsToDelete]
-        });
-      }
+        if (!insertedSession?.id) {
+          throw new Error('Failed to insert app session');
+        }
 
-      const expiresAt = new Date(Date.now() + (cachedCookieOptions.maxAge || 0));
-      const insertRes = await dbClient.query({
-        name: 'insert-app-session',
-        text: `INSERT INTO "Sessions" ("UserName", expires_at, meta) VALUES ($1, $2, $3) RETURNING id`,
-        values: [username, expiresAt, JSON.stringify({ ip: req.ip, ua: req.headers['user-agent'] || null })]
+        dbSessionId = insertedSession.id;
       });
-      dbSessionId = insertRes.rows[0].id;
-
-      await dbClient.query('COMMIT');
     } catch (err) {
-      await dbClient.query('ROLLBACK').catch(() => {});
       console.error(`[mbkauthe] Error enforcing session limit or inserting app session:`, err);
       throw err;
-    } finally {
-      dbClient.release();
     }
 
     // Update last_login and fetch FullName/Image in a single query.
     let profileRow = null;
     try {
-      const profUpdateRes = await dblogin.query({
-        name: 'login-update-last-login-return-profile',
-        text: `UPDATE "Users" SET "last_login" = NOW() WHERE "id" = $1 RETURNING "FullName", "Image"`,
-        values: [user.id]
-      });
-      profileRow = profUpdateRes.rows?.[0] || null;
+      profileRow = await authRepo.updateLastLoginReturnProfile(user.id);
     } catch (profileUpdateErr) {
       console.error(`[mbkauthe] Error updating last_login/returning profile:`, profileUpdateErr);
     }
@@ -277,14 +227,10 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
     } else {
       // Fallback: try a read query if UPDATE...RETURNING failed unexpectedly.
       try {
-        const profileResult = await dblogin.query({
-          name: 'login-get-fullname-and-image',
-          text: 'SELECT "FullName", "Image" FROM "Users" WHERE "UserName" = $1 LIMIT 1',
-          values: [username]
-        });
-        if (profileResult.rows.length > 0) {
-          if (profileResult.rows[0].FullName) req.session.user.fullname = profileResult.rows[0].FullName;
-          if (profileResult.rows[0].Image && profileResult.rows[0].Image.trim() !== '') loginProfileImage = profileResult.rows[0].Image;
+        const profileResult = await authRepo.getUserProfileByUsername(username);
+        if (profileResult) {
+          if (profileResult.FullName) req.session.user.fullname = profileResult.FullName;
+          if (profileResult.Image && profileResult.Image.trim() !== '') loginProfileImage = profileResult.Image;
         }
       } catch (profileErr) {
         console.error(`[mbkauthe] Error fetching FullName/Image for user:`, profileErr);
@@ -340,11 +286,13 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
 
           // Store only the HASH of the device token in DB; send the raw token to the client (httpOnly cookie)
           const deviceTokenHash = hashDeviceToken(deviceToken);
-          await dblogin.query({
-            name: 'insert-trusted-device',
-            text: `INSERT INTO "TrustedDevices" ("UserName", "DeviceToken", "DeviceName", "UserAgent", "IpAddress", "ExpiresAt") 
-                   VALUES ($1, $2, $3, $4, $5, $6)`,
-            values: [username, deviceTokenHash, deviceName, userAgent, ipAddress, expiresAt]
+          await authRepo.insertTrustedDevice({
+            username,
+            deviceTokenHash,
+            deviceName,
+            userAgent,
+            ipAddress,
+            expiresAt
           });
 
           // Send raw token to client as httpOnly cookie only
@@ -414,24 +362,15 @@ router.post("/api/login", LoginLimit, async (req, res) => {
 
   try {
     // Combined query: fetch user data and 2FA status in one query
-    const userQuery = `
-      SELECT u.id, u."UserName", u."PasswordEnc", u."Active", u."Role", u."AllowedApps",
-             tfa."TwoFAStatus"
-      FROM "Users" u
-      LEFT JOIN "TwoFA" tfa ON u."UserName" = tfa."UserName"
-      WHERE u."UserName" = $1
-    `;
-    const userResult = await dblogin.query({ name: 'login-get-user', text: userQuery, values: [trimmedUsername] });
-
-    if (userResult.rows.length === 0) {
+    const user = await authRepo.getUserWithTwoFA(trimmedUsername);
+
+    if (!user) {
       logError('Login attempt', ErrorCodes.USER_NOT_FOUND, { username: trimmedUsername });
       return res.status(401).json(
         createErrorResponse(401, ErrorCodes.INVALID_CREDENTIALS)
       );
     }
 
-    const user = userResult.rows[0];
-
     // Password verification (hash-only). We never read/compare plaintext passwords.
     let passwordMatches = false;
     if (user.PasswordEnc) {
@@ -575,16 +514,15 @@ router.post("/api/verify-2fa", TwoFALimit, csrfProtection, async (req, res) => {
   const shouldTrustDevice = trustDevice === true || trustDevice === 'true';
 
   try {
-    const query = `SELECT tfa."TwoFASecret" FROM "TwoFA" tfa WHERE tfa."UserName" = $1`;
-    const twoFAResult = await dblogin.query({ name: 'verify-2fa-secret', text: query, values: [username] });
+    const twoFARecord = await authRepo.getTwoFASecret(username);
 
-    if (twoFAResult.rows.length === 0 || !twoFAResult.rows[0].TwoFASecret) {
+    if (!twoFARecord || !twoFARecord.TwoFASecret) {
       return res.status(500).json(
         createErrorResponse(500, ErrorCodes.TWO_FA_NOT_CONFIGURED)
       );
     }
 
-    const sharedSecret = twoFAResult.rows[0].TwoFASecret;
+    const sharedSecret = twoFARecord.TwoFASecret;
     const allowedApps = req.session.preAuthUser?.allowedApps;
     const tokenValidates = speakeasy.totp.verify({
       secret: sharedSecret,
@@ -632,11 +570,11 @@ router.post("/api/logout", LogoutLimit, async (req, res) => {
       // Remove the application session record for this token (if present)
       const operations = [];
       if (req.session && req.session.user && req.session.user.sessionId) {
-        operations.push(dblogin.query({ name: 'logout-delete-app-session', text: 'DELETE FROM "Sessions" WHERE id = $1', values: [req.session.user.sessionId] }));
+        operations.push(authRepo.deleteAppSessionById(req.session.user.sessionId, "logout-delete-app-session"));
       }
 
       if (req.sessionID) {
-        operations.push(dblogin.query({ name: 'logout-delete-session', text: 'DELETE FROM "session" WHERE sid = $1', values: [req.sessionID] }));
+        operations.push(authRepo.deleteSessionBySid(req.sessionID, "logout-delete-session"));
       }
 
       await Promise.all(operations);
@@ -694,14 +632,10 @@ router.get("/api/account-sessions", LoginLimit, async (req, res) => {
       let image = acct.image || null;
       if (!acct.fullName || !acct.image) {
         try {
-          const prof = await dblogin.query({
-            name: 'multi-session-fullname-image',
-            text: 'SELECT "FullName", "Image" FROM "Users" WHERE "UserName" = $1 LIMIT 1',
-            values: [row.UserName]
-          });
-          if (prof.rows.length > 0) {
-            if (!acct.fullName && prof.rows[0].FullName) fullName = prof.rows[0].FullName;
-            if (!acct.image && prof.rows[0].Image && prof.rows[0].Image.trim() !== '') image = prof.rows[0].Image;
+          const prof = await authRepo.getUserProfileByUsername(row.UserName, "multi-session-fullname-image");
+          if (prof) {
+            if (!acct.fullName && prof.FullName) fullName = prof.FullName;
+            if (!acct.image && prof.Image && prof.Image.trim() !== '') image = prof.Image;
           }
         } catch (profileErr) {
           console.error(`[mbkauthe] Error fetching fullname/image for account list:`, profileErr);
@@ -748,14 +682,10 @@ router.post("/api/switch-session", LoginLimit, async (req, res) => {
     let fullName = row.UserName;
     let switchProfileImage = null;
     try {
-      const prof = await dblogin.query({
-        name: 'multi-session-switch-fullname-image',
-        text: 'SELECT "FullName", "Image" FROM "Users" WHERE "UserName" = $1 LIMIT 1',
-        values: [row.UserName]
-      });
-      if (prof.rows.length > 0) {
-        if (prof.rows[0].FullName) fullName = prof.rows[0].FullName;
-        if (prof.rows[0].Image && prof.rows[0].Image.trim() !== '') switchProfileImage = prof.rows[0].Image;
+      const prof = await authRepo.getUserProfileByUsername(row.UserName, "multi-session-switch-fullname-image");
+      if (prof) {
+        if (prof.FullName) fullName = prof.FullName;
+        if (prof.Image && prof.Image.trim() !== '') switchProfileImage = prof.Image;
       }
     } catch (profileErr) {
       console.error(`[mbkauthe] Error fetching fullname/image during switch:`, profileErr);
@@ -816,15 +746,11 @@ router.post("/api/logout-all", LoginLimit, async (req, res) => {
     if (currentSessionId) sessionIds.push(currentSessionId);
 
     if (sessionIds.length) {
-      await dblogin.query({
-        name: 'logout-all-app-sessions',
-        text: 'DELETE FROM "Sessions" WHERE id = ANY($1)',
-        values: [sessionIds]
-      });
+      await authRepo.deleteSessionsByIds(sessionIds, "logout-all-app-sessions");
     }
 
     if (req.sessionID) {
-      await dblogin.query({ name: 'logout-all-delete-session', text: 'DELETE FROM "session" WHERE sid = $1', values: [req.sessionID] });
+      await authRepo.deleteSessionBySid(req.sessionID, "logout-all-delete-session");
     }
 
     clearAccountListCookie(res);
@@ -842,6 +768,9 @@ router.post("/api/logout-all", LoginLimit, async (req, res) => {
 // GET /mbkauthe/login
 router.get("/login", LoginLimit, csrfProtection, (req, res) => {
   const lastLogin = req.cookies && typeof req.cookies.lastLoginMethod === 'string' ? req.cookies.lastLoginMethod : null;
+  const reason = req.query.reason;
+  const redirectTarget = req.query.redirect || null;
+  
   return res.render("pages/loginmbkauthe.handlebars", {
     layout: false,
     githubLoginEnabled: mbkautheVar.GITHUB_LOGIN_ENABLED,
@@ -856,7 +785,9 @@ router.get("/login", LoginLimit, csrfProtection, (req, res) => {
     lastLoginMethod: lastLogin,
     lastLoginPassword: lastLogin === 'password',
     lastLoginGithub: lastLogin === 'github',
-    lastLoginGoogle: lastLogin === 'google'
+    lastLoginGoogle: lastLogin === 'google',
+    showLoggedOutMessage: reason === 'logged_out',
+    redirectTarget: redirectTarget
   });
 });
 

package/lib/routes/misc.js

@@ -7,6 +7,7 @@ import { authenticate, sessVal, sessRole } from "../middleware/auth.js";
 import { ErrorCodes, ErrorMessages, createErrorResponse } from "../utils/errors.js";
 import { dblogin } from "#pool.js";
 import { clearSessionCookies, decryptSessionId, cachedCookieOptions } from "#cookies.js";
+import { AuthRepository } from "../db/AuthRepository.js";
 import { fileURLToPath } from "url";
 import path from "path";
 import fs from "fs";
@@ -18,6 +19,7 @@ const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
 
 const router = express.Router();
+const authRepo = new AuthRepository({ db: dblogin });
 // Rate limiter for info/test routes
 const LoginLimit = rateLimit({
   windowMs: 1 * 60 * 1000,
@@ -100,14 +102,10 @@ router.get('/user/profilepic', async (req, res) => {
 
     // If not in cache, fetch from DB
     if (!imageUrl) {
-      const result = await dblogin.query({
-        name: 'get-user-profile-pic',
-        text: 'SELECT "Image" FROM "Users" WHERE "UserName" = $1 LIMIT 1',
-        values: [username]
-      });
+      const profile = await authRepo.getUserImageByUsername(username, 'get-user-profile-pic');
 
-      if (result.rows.length > 0 && result.rows[0].Image && result.rows[0].Image.trim() !== '') {
-        imageUrl = result.rows[0].Image;
+      if (profile && profile.Image && profile.Image.trim() !== '') {
+        imageUrl = profile.Image;
       } else {
         imageUrl = 'default';
       }
@@ -229,31 +227,13 @@ router.get('/api/checkSession', LoginLimit, async (req, res) => {
     }
 
     // Single round-trip: fetch app-session expiry and (if needed) connect-pg-simple expiry.
-    const result = await dblogin.query({
-      name: 'check-session-validity',
-      text: `
-        SELECT
-          s.expires_at,
-          u."Active",
-          CASE
-            WHEN s.expires_at IS NULL THEN (SELECT expire FROM "session" WHERE sid = $2)
-            ELSE NULL
-          END AS connect_expire
-        FROM "Sessions" s
-        JOIN "Users" u ON s."UserName" = u."UserName"
-        WHERE s.id = $1
-        LIMIT 1
-      `,
-      values: [sessionId, req.sessionID]
-    });
+    const row = await authRepo.getSessionValidity(sessionId, req.sessionID, 'check-session-validity');
 
-    if (result.rows.length === 0) {
+    if (!row) {
       req.session.destroy(() => { });
       clearSessionCookies(res);
       return res.status(200).json({ sessionValid: false, expiry: null });
     }
-
-    const row = result.rows[0];
     if ((row.expires_at && new Date(row.expires_at) <= new Date()) || !row.Active) {
       req.session.destroy(() => { });
       clearSessionCookies(res);
@@ -298,17 +278,8 @@ function normalizeSessionIdFromBody(body = {}) {
 }
 
 async function getSessionValidationRow(sessionId, queryName = 'check-session-validity-by-id') {
-  const result = await dblogin.query({
-    name: queryName,
-    text: `SELECT s.expires_at, u."Active", u."UserName", u."Role" FROM "Sessions" s JOIN "Users" u ON s."UserName" = u."UserName" WHERE s.id = $1 LIMIT 1`,
-    values: [sessionId]
-  });
-
-  if (result.rows.length === 0) {
-    return null;
-  }
-
-  return result.rows[0];
+  const row = await authRepo.getSessionValidationRow(sessionId, queryName);
+  return row || null;
 }
 
 function isSessionRowValid(row) {
@@ -567,14 +538,8 @@ router.post("/api/terminateAllSessions", AdminOperationLimit, authenticate(mbkau
   try {
     // Run both operations in parallel for better performance
     await Promise.all([
-      dblogin.query({
-        name: 'terminate-all-app-sessions',
-        text: 'DELETE FROM "Sessions"'
-      }),
-      dblogin.query({
-        name: 'terminate-all-db-sessions',
-        text: 'DELETE FROM "session" WHERE expire > NOW()'
-      })
+      authRepo.deleteAllAppSessions('terminate-all-app-sessions'),
+      authRepo.deleteActiveSessionStoreRows('terminate-all-db-sessions')
     ]);
 
     req.session.destroy((err) => {

package/lib/routes/oauth.js

@@ -8,8 +8,10 @@ import { dblogin } from "#pool.js";
 import { mbkautheVar } from "#config.js";
 import { renderError } from "../utils/response.js";
 import { checkTrustedDevice, completeLoginProcess } from "./auth.js";
+import { AuthRepository } from "../db/AuthRepository.js";
 
 const router = express.Router();
+const authRepo = new AuthRepository({ db: dblogin });
 
 // CSRF protection middleware
 const csrfProtection = csurf({ cookie: true });
@@ -42,25 +44,16 @@ const createOAuthStrategy = async (provider, profile, done) => {
         console.log(`[mbkauthe] ${provider} OAuth callback for user: ${profile.emails?.[0]?.value || profile.id}`);
 
         const isGitHub = provider === 'GitHub';
-        const tableName = isGitHub ? 'user_github' : 'user_google';
-        const idField = isGitHub ? 'github_id' : 'google_id';
-        const queryName = isGitHub ? 'github-login-get-user' : 'google-login-get-user';
 
         // Check if this OAuth account is linked to any user
-        const oauthUser = await dblogin.query({
-            name: queryName,
-            text: `SELECT ug.*, u."UserName", u."Role", u."Active", u."AllowedApps", u."id" FROM ${tableName} ug JOIN "Users" u ON ug.user_name = u."UserName" WHERE ug.${idField} = $1`,
-            values: [profile.id]
-        });
+        const user = await authRepo.getOAuthUserByProviderId(provider, profile.id);
 
-        if (oauthUser.rows.length === 0) {
+        if (!user) {
             const error = new Error(`${provider} account not linked to any user`);
             error.code = `${provider.toUpperCase()}_NOT_LINKED`;
             return done(error);
         }
 
-        const user = oauthUser.rows[0];
-
         // Check if the user account is active
         if (!user.Active) {
             const error = new Error('Account is inactive');
@@ -300,21 +293,9 @@ const validateOAuthCallback = (req, res) => {
 };
 
 const finishProviderLogin = async (req, res, provider, username, detailValue = '') => {
-    const userQuery = `
-    SELECT u.id, u."UserName", u."Active", u."Role", u."AllowedApps",
-           tfa."TwoFAStatus"
-    FROM "Users" u
-    LEFT JOIN "TwoFA" tfa ON u."UserName" = tfa."UserName"
-    WHERE u."UserName" = $1
-  `;
-
-    const userResult = await dblogin.query({
-        name: `${provider.toLowerCase()}-callback-get-user`,
-        text: userQuery,
-        values: [username]
-    });
-
-    if (userResult.rows.length === 0) {
+    const user = await authRepo.getUserWithTwoFA(username, `${provider.toLowerCase()}-callback-get-user`);
+
+    if (!user) {
         console.error(`[mbkauthe] ${provider} login: User not found: ${username}`);
         return renderError(res, req, {
             code: 404,
@@ -326,8 +307,6 @@ const finishProviderLogin = async (req, res, provider, username, detailValue = '
         });
     }
 
-    const user = userResult.rows[0];
-
     // Check for trusted device
     const trustedDeviceUser = await checkTrustedDevice(req, user.UserName);
     if (trustedDeviceUser && (mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLowerCase() === "true" && user.TwoFAStatus) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mbkauthe",
-  "version": "4.8.4",
+  "version": "4.9.0",
   "description": "MBKTech's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",

package/public/main.css

@@ -286,6 +286,14 @@ header {
     transition: var(--transition);
 }
 
+.icon-button {
+    appearance: none;
+    border: 0;
+    background: transparent;
+    padding: 0;
+    font: inherit;
+}
+
 .input-icon:hover {
     color: var(--accent);
 }
@@ -304,6 +312,14 @@ header {
     box-shadow: var(--box-shadow);
 }
 
+.btn-social,
+.swi {
+    appearance: none;
+    border: 0.13rem solid;
+    font: inherit;
+    cursor: pointer;
+}
+
 .swi {
     display: flex;
     align-items: center;
@@ -315,7 +331,6 @@ header {
     font-size: var(--text-size-sm);
     text-decoration: none;
     transition: var(--transition);
-    border: 0.13rem solid;
     position: relative;
     z-index: 1;
     overflow: hidden;
@@ -423,6 +438,25 @@ header {
     text-decoration: none;
 }
 
+.btn-message-action {
+    appearance: none;
+    border: 0;
+    border-radius: var(--border-radius);
+    background: var(--accent);
+    color: var(--dark);
+    font: inherit;
+    font-weight: 700;
+    cursor: pointer;
+    padding: 0.7rem 1rem;
+    transition: var(--transition);
+}
+
+.btn-message-action:hover,
+.btn-message-action:focus-visible {
+    background: var(--surface-1);
+    color: var(--accent);
+}
+
 .token-container {
     animation: fadeInUp 0.4s ease-out;
 }
@@ -776,7 +810,6 @@ header {
         font-size: 0.9rem;
         text-decoration: none;
         transition: var(--transition);
-        border: 0.13rem solid;
         position: relative;
         z-index: 1;
         overflow: hidden;

package/views/header.handlebars

@@ -3,7 +3,7 @@
         <a class="logo">
             <img src="/icon.svg" alt="Logo" class="logo-image"/>
             <span class="logo-text">BK <span>Tech</span></span>
-            <span class="logo-comp">{{#if appName}}{{appName}}{{else}}{{#if app}}{{app}}{{else}}mbkauthe{{/if}}{{/if}}
+            <span class="logo-comp">{{#if appName}}{{appName}}{{else}}{{#if app}}{{app}}{{else}}mbkauthe{{/if}}{{/if}}</span>
         </a>
 
         {{> profilemenu}}