mbkauthe 4.8.4 → 5.0.0

package/lib/middleware/auth.js

@@ -1,23 +1,21 @@
 import { dblogin } from "#pool.js";
 import { mbkautheVar } from "#config.js";
 import { renderError } from "#response.js";
-import { clearSessionCookies, cachedCookieOptions, readAccountListFromCookie, encryptSessionId } from "#cookies.js";
+import { clearSessionCookies, cachedCookieOptions, encryptSessionId } from "#cookies.js";
 import { ErrorCodes, createErrorResponse } from "../utils/errors.js";
 import { hashApiToken } from "#config.js";
 import { canAccessMethod } from "#config.js";
 import { extractAuthorizationToken, timingSafeTokenMatch } from "../utils/timingSafeToken.js";
+import { AuthRepository } from "../db/AuthRepository.js";
+import { createLogger } from "../utils/logger.js";
 
 const IS_DEV = process.env.env === 'dev' || process.env.test === 'dev' || process.env.NODE_ENV === 'development';
 const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 const isUuid = (val) => typeof val === 'string' && UUID_RE.test(val);
-
-const SQL_VALIDATE_APP_SESSION = `
-  SELECT s.expires_at, u."Active", u."Role"
-  FROM "Sessions" s
-  JOIN "Users" u ON s."UserName" = u."UserName"
-  WHERE s.id = $1
-  LIMIT 1
-`;
+const MAX_API_TOKEN_LENGTH = 4096;
+const API_TOKEN_SESSION_RESTORE = Symbol('mbkauthe.apiTokenSessionRestore');
+const authRepo = new AuthRepository({ db: dblogin });
+const logAuth = createLogger("auth");
 
 /**
  * Decide if the incoming request should return JSON errors instead of HTML.
@@ -63,19 +61,12 @@ async function validateTokenAuthentication(req) {
 
   // 1. Check for API Token (mbk_)
   if (token.startsWith('mbk_')) {
+    if (token.length > MAX_API_TOKEN_LENGTH) return { error: 'INVALID_TOKEN' };
+
     const tokenHash = hashApiToken(token);
-    const tokenQuery = `
-      SELECT t.id, t."UserName", t."ExpiresAt", t."Permissions",
-             u.id as uid, u."Active", u."Role", u."AllowedApps" as user_allowed_apps, u."FullName"
-      FROM "ApiTokens" t
-      JOIN "Users" u ON t."UserName" = u."UserName"
-      WHERE t."TokenHash" = $1 LIMIT 1
-    `;
-    const tokenResult = await dblogin.query({ name: 'validate-api-token', text: tokenQuery, values: [tokenHash] });
-
-    if (tokenResult.rows.length === 0) return { error: 'INVALID_TOKEN' };
-
-    const row = tokenResult.rows[0];
+    const row = await authRepo.getApiTokenByHash(tokenHash);
+
+    if (!row) return { error: 'INVALID_TOKEN' };
     if (row.ExpiresAt && new Date(row.ExpiresAt) <= new Date()) return { error: 'TOKEN_EXPIRED' };
 
     // Parse permissions from JSONB
@@ -89,11 +80,8 @@ async function validateTokenAuthentication(req) {
       allowedApps = tokenAllowedApps;
     }
 
-    // Update usage
-    dblogin.query({
-      text: 'UPDATE "ApiTokens" SET "LastUsed" = NOW() WHERE id = $1',
-      values: [row.id]
-    }).catch(e => console.error(`[mbkauthe] Failed to update token usage:`, e));
+    // Update usage opportunistically, but not on every request.
+    authRepo.updateApiTokenLastUsed(row.id).catch(e => console.error(`[mbkauthe] Failed to update token usage:`, e));
 
     return {
       id: row.uid,
@@ -111,186 +99,161 @@ async function validateTokenAuthentication(req) {
   return null;
 }
 
-async function validateSession(req, res, next, strictTokenValidation = false) {
-  // --- Check for API Token Header first ---
-  if (req.headers.authorization) {
-    // If strict validation is enabled, reject token-based authentication
-    if (strictTokenValidation) {
-      return res.status(401).json(createErrorResponse(401, ErrorCodes.INVALID_AUTH_TOKEN, {
-        message: 'Token-based authentication not allowed for this endpoint',
-        hint: 'Use session-based authentication (cookies) instead'
-      }));
-    }
-
-    try {
-      const tokenUser = await validateTokenAuthentication(req);
-
-      if (tokenUser && !tokenUser.error) {
-        if (!tokenUser.active) {
-          return res.status(401).json(createErrorResponse(401, ErrorCodes.ACCOUNT_INACTIVE));
-        }
-
-        // SuperAdmin bypasses app permission checks
-        if (tokenUser.role !== "SuperAdmin") {
-          // API tokens must respect their app restrictions for non-SuperAdmin users
-          const allowedApps = tokenUser.allowedApps;
-          const userAllowedApps = tokenUser.userAllowedApps;
+function attachApiTokenUser(req, res, tokenUser) {
+  const user = {
+    id: tokenUser.id,
+    username: tokenUser.username,
+    fullname: tokenUser.fullname,
+    role: tokenUser.role,
+    sessionId: tokenUser.sessionId,
+    allowedApps: tokenUser.allowedApps,
+    tokenScope: tokenUser.tokenScope || null,
+  };
 
-          // allowedApps should always be an array (never null at this point)
-          // If token had null allowedApps, it was already replaced with user's apps in validateTokenAuthentication
-          if (!Array.isArray(allowedApps) || allowedApps.length === 0) {
-            return res.status(401).json(createErrorResponse(401, ErrorCodes.APP_NOT_AUTHORIZED));
-          }
+  req.auth = {
+    type: 'api-token',
+    user,
+    tokenScope: user.tokenScope,
+    allowedApps: user.allowedApps,
+  };
 
-          // Check if token has access to current app
-          const hasWildcard = allowedApps.includes('*');
-          const hasSpecificApp = allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase());
+  // Backwards compatibility: existing protected routes commonly read
+  // req.session.user. For API tokens this must be request-local so the
+  // Postgres session store is not dirtied/saved on every token request.
+  if (req.session) {
+    const originalDescriptor = Object.getOwnPropertyDescriptor(req.session, 'user');
+
+    Object.defineProperty(req.session, 'user', {
+      value: user,
+      enumerable: false,
+      configurable: true,
+      writable: true,
+    });
 
-          // If wildcard, check against user's allowed apps (wildcard means "all user's apps", not "all apps")
-          if (hasWildcard) {
-            const userHasApp = userAllowedApps && Array.isArray(userAllowedApps) &&
-              userAllowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase());
-            if (!userHasApp) {
-              return res.status(401).json(createErrorResponse(401, ErrorCodes.APP_NOT_AUTHORIZED));
-            }
-          } else if (!hasSpecificApp) {
-            return res.status(401).json(createErrorResponse(401, ErrorCodes.APP_NOT_AUTHORIZED));
+    if (res && !req.session[API_TOKEN_SESSION_RESTORE]) {
+      req.session[API_TOKEN_SESSION_RESTORE] = true;
+      const originalEnd = res.end;
+      let restored = false;
+
+      res.end = function apiTokenSessionEnd(...args) {
+        if (!restored) {
+          restored = true;
+          if (originalDescriptor) {
+            Object.defineProperty(req.session, 'user', originalDescriptor);
+          } else {
+            delete req.session.user;
           }
+          delete req.session[API_TOKEN_SESSION_RESTORE];
         }
+        return originalEnd.apply(this, args);
+      };
+    }
+  }
 
-        // Populate session for downstream
-        req.session.user = {
-          id: tokenUser.id,
-          username: tokenUser.username,
-          fullname: tokenUser.fullname,
-          role: tokenUser.role,
-          sessionId: tokenUser.sessionId,
-          allowedApps: tokenUser.allowedApps,
-          tokenScope: tokenUser.tokenScope || null, // Add scope for token-based auth
-        };
-        req.userRole = tokenUser.role;
-
-        // Validate token scope for API token requests
-        if (tokenUser.tokenScope) {
-          const requestMethod = req.method;
-          if (!canAccessMethod(tokenUser.tokenScope, requestMethod)) {
-            return res.status(403).json(createErrorResponse(403, ErrorCodes.TOKEN_SCOPE_INSUFFICIENT, {
-              message: `Token scope '${tokenUser.tokenScope}' does not allow ${requestMethod} requests`,
-              tokenScope: tokenUser.tokenScope,
-              requestedMethod: requestMethod,
-              hint: 'Use a token with write scope for write operations'
-            }));
-          }
-        }
+  req.user = user;
+  req.userRole = tokenUser.role;
+  return user;
+}
 
-        return next();
-      }
+function hasAppAccess(role, allowedApps) {
+  if (role === "SuperAdmin") return true;
+  return Array.isArray(allowedApps)
+    && allowedApps.length > 0
+    && allowedApps.some((app) => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase());
+}
 
-      // Token provided but invalid (or null if format incorrect)
-      let errorCode = ErrorCodes.INVALID_AUTH_TOKEN;
-      if (tokenUser && tokenUser.error === 'TOKEN_EXPIRED') {
-        errorCode = ErrorCodes.API_TOKEN_EXPIRED;
-      }
-      return res.status(401).json(createErrorResponse(401, errorCode));
+function destroySessionCookies(req, res) {
+  req.session?.destroy?.(() => { });
+  clearSessionCookies(res);
+}
 
-    } catch (err) {
-      console.error(`[mbkauthe] Token validation error:`, err);
-      return res.status(500).json(createErrorResponse(500, ErrorCodes.INTERNAL_SERVER_ERROR));
-    }
+function respondSessionFailure(req, res, { prefersJson, code, errorCode, error, message, page, pagename = "Login" }) {
+  destroySessionCookies(req, res);
+  if (prefersJson) {
+    return res.status(code).json(createErrorResponse(code, errorCode));
   }
+  return renderError(res, req, {
+    code,
+    error,
+    message,
+    pagename,
+    page,
+  });
+}
 
-  // --- Fallback to Cookie Session ---
+async function validateCookieSession(req, res, next, { prefersJson }) {
   if (!req.session.user) {
     if (IS_DEV) {
-      console.log(`[mbkauthe] User not authenticated`);
-      console.log(`[mbkauthe] req.session.user:`, req.session.user);
+      logAuth(`User not authenticated`);
+      logAuth(`req.session.user: %O`, req.session.user);
     }
-    if (isJsonRequest(req)) {
+    if (prefersJson) {
       return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_NOT_FOUND));
     }
-    return renderError(res, req, {
-      code: 401,
-      error: "Not Logged In",
-      message: "You Are Not Logged In. Please Log In To Continue.",
-      pagename: "Login",
-      page: `/mbkauthe/login?redirect=${encodeURIComponent(req.originalUrl)}`,
+
+    const redirectParams = new URLSearchParams({
+      redirect: req.originalUrl,
+      reason: 'logged_out'
     });
+    return res.redirect(302, `/mbkauthe/login?${redirectParams.toString()}`);
   }
 
   try {
-    const { sessionId, role, allowedApps } = req.session.user;
+    const { sessionId } = req.session.user;
 
-    // Defensive checks for sessionId and allowedApps
     if (!sessionId || !isUuid(sessionId)) {
       console.warn(`[mbkauthe] Missing sessionId for user "${req.session.user.username}"`);
-      req.session.destroy();
-      clearSessionCookies(res);
-      if (isJsonRequest(req)) {
-        return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_EXPIRED));
-      }
-      return renderError(res, req, {
+      return respondSessionFailure(req, res, {
+        prefersJson,
         code: 401,
+        errorCode: ErrorCodes.SESSION_EXPIRED,
         error: "Session Expired",
         message: "Your Session Has Expired. Please Log In Again.",
-        pagename: "Login",
         page: `/mbkauthe/login?redirect=${encodeURIComponent(req.originalUrl)}`,
       });
     }
 
-    // Validate session by DB primary key id and join to user
-    const result = await dblogin.query({ name: 'validate-app-session', text: SQL_VALIDATE_APP_SESSION, values: [sessionId] });
+    const sessionRow = await authRepo.getSessionAuthData(
+      sessionId,
+      prefersJson ? 'validate-app-session-for-api' : 'validate-app-session'
+    );
 
-    if (result.rows.length === 0) {
-      console.log(`[mbkauthe] Session not found for user "${req.session.user.username}"`);
-      req.session.destroy();
-      clearSessionCookies(res);
-      if (isJsonRequest(req)) {
-        return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_EXPIRED));
-      }
-      return renderError(res, req, {
+    if (!sessionRow) {
+      logAuth(`Session not found for user "${req.session.user.username}"`);
+      return respondSessionFailure(req, res, {
+        prefersJson,
         code: 401,
+        errorCode: prefersJson ? ErrorCodes.SESSION_INVALID : ErrorCodes.SESSION_EXPIRED,
         error: "Session Expired",
         message: "Your Session Has Expired. Please Log In Again.",
-        pagename: "Login",
         page: `/mbkauthe/login?redirect=${encodeURIComponent(req.originalUrl)}`,
       });
     }
 
-    const sessionRow = result.rows[0];
-
-    // Check expired
     if (sessionRow.expires_at) {
       const expiresMs = sessionRow.expires_at instanceof Date
         ? sessionRow.expires_at.getTime()
         : Date.parse(sessionRow.expires_at);
+
       if (!Number.isNaN(expiresMs) && expiresMs <= Date.now()) {
-      console.log(`[mbkauthe] Session invalidated (expired) for user "${req.session.user.username}"`);
-      // destroy and clear cookies
-      req.session.destroy();
-      clearSessionCookies(res);
-      if (isJsonRequest(req)) {
-        return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_EXPIRED));
+        logAuth(`Session invalidated (expired) for user "${sessionRow.UserName || req.session.user.username}"`);
+        return respondSessionFailure(req, res, {
+          prefersJson,
+          code: 401,
+          errorCode: ErrorCodes.SESSION_EXPIRED,
+          error: "Session Expired",
+          message: "Your Session Has Expired. Please Log In Again.",
+          page: `/mbkauthe/login?redirect=${encodeURIComponent(req.originalUrl)}`,
+        });
       }
-      return renderError(res, req, {
-        code: 401,
-        error: "Session Expired",
-        message: "Your Session Has Expired. Please Log In Again.",
-        pagename: "Login",
-        page: `/mbkauthe/login?redirect=${encodeURIComponent(req.originalUrl)}`,
-      });
-    }
     }
 
-
     if (!sessionRow.Active) {
-      console.log(`[mbkauthe] Account is inactive for user "${req.session.user.username}"`);
-      req.session.destroy();
-      clearSessionCookies(res);
-      if (isJsonRequest(req)) {
-        return res.status(401).json(createErrorResponse(401, ErrorCodes.ACCOUNT_INACTIVE));
-      }
-      return renderError(res, req, {
+      logAuth(`Account is inactive for user "${sessionRow.UserName || req.session.user.username}"`);
+      return respondSessionFailure(req, res, {
+        prefersJson,
         code: 401,
+        errorCode: ErrorCodes.ACCOUNT_INACTIVE,
         error: "Account Inactive",
         message: "Your Account Is Inactive. Please Contact Support.",
         pagename: "Support",
@@ -298,106 +261,106 @@ async function validateSession(req, res, next, strictTokenValidation = false) {
       });
     }
 
-    if (role !== "SuperAdmin") {
-      // If allowedApps is not provided or not an array, treat as no access
-      const hasAllowedApps = Array.isArray(allowedApps) && allowedApps.length > 0;
-      if (!hasAllowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
-        console.warn(`[mbkauthe] User \"${req.session.user.username}\" is not authorized to use the application \"${mbkautheVar.APP_NAME}\"`);
-        req.session.destroy();
-        clearSessionCookies(res);
-        if (isJsonRequest(req)) {
-          return res.status(401).json(createErrorResponse(401, ErrorCodes.APP_NOT_AUTHORIZED));
-        }
-        return renderError(res, req, {
-          code: 401,
-          error: "Unauthorized",
-          message: `You Are Not Authorized To Use The Application \"${mbkautheVar.APP_NAME}\"`,
-          pagename: "Home",
-          page: `/${mbkautheVar.loginRedirectURL}`
-        });
-      }
+    if (!hasAppAccess(sessionRow.Role, sessionRow.AllowedApps)) {
+      console.warn(`[mbkauthe] User "${sessionRow.UserName || req.session.user.username}" is not authorized to use the application "${mbkautheVar.APP_NAME}"`);
+      return respondSessionFailure(req, res, {
+        prefersJson,
+        code: 401,
+        errorCode: ErrorCodes.APP_NOT_AUTHORIZED,
+        error: "Unauthorized",
+        message: `You Are Not Authorized To Use The Application "${mbkautheVar.APP_NAME}"`,
+        pagename: "Home",
+        page: `/${mbkautheVar.loginRedirectURL}`
+      });
     }
 
-    // Store user role in request for checkRolePermission to use
     req.userRole = sessionRow.Role;
-
-    next();
+    return next();
   } catch (err) {
     console.error(`[mbkauthe] Session validation error:`, err);
-    res.status(500).json({ success: false, message: "Internal Server Error" });
+    return res.status(500).json(createErrorResponse(500, ErrorCodes.INTERNAL_SERVER_ERROR));
   }
 }
 
-/**
- * API-friendly session validation middleware
- * Returns JSON error responses instead of rendering pages
- */
-async function validateApiSession(req, res, next) {
-  if (!req.session.user) {
-    return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_NOT_FOUND));
-  }
+async function validateSession(req, res, next, strictTokenValidation = false) {
+  if (req.headers.authorization) {
+    if (strictTokenValidation) {
+      return res.status(401).json(createErrorResponse(401, ErrorCodes.INVALID_AUTH_TOKEN, {
+        message: 'Token-based authentication not allowed for this endpoint',
+        hint: 'Use session-based authentication (cookies) instead'
+      }));
+    }
 
-  try {
-    const { sessionId, role, allowedApps } = req.session.user;
+    try {
+      const tokenUser = await validateTokenAuthentication(req);
 
-    // Defensive checks for sessionId and allowedApps
-    if (!sessionId || !isUuid(sessionId)) {
-      console.warn(`[mbkauthe] Missing sessionId for user "${req.session.user.username}"`);
-      req.session.destroy();
-      clearSessionCookies(res);
-      return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_EXPIRED));
-    }
+      if (tokenUser && !tokenUser.error) {
+        if (!tokenUser.active) {
+          return res.status(401).json(createErrorResponse(401, ErrorCodes.ACCOUNT_INACTIVE));
+        }
 
-    // Validate session by DB primary key id and join to user
-    const result = await dblogin.query({ name: 'validate-app-session-for-api', text: SQL_VALIDATE_APP_SESSION, values: [sessionId] });
+        if (tokenUser.role !== "SuperAdmin") {
+          const allowedApps = tokenUser.allowedApps;
+          const userAllowedApps = tokenUser.userAllowedApps;
 
-    if (result.rows.length === 0) {
-      req.session.destroy();
-      clearSessionCookies(res);
-      return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_INVALID));
-    }
+          if (!Array.isArray(allowedApps) || allowedApps.length === 0) {
+            return res.status(401).json(createErrorResponse(401, ErrorCodes.APP_NOT_AUTHORIZED));
+          }
 
-    const sessionRow = result.rows[0];
+          const hasWildcard = allowedApps.includes('*');
+          const hasSpecificApp = allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase());
 
-    // Check expired
-    if (sessionRow.expires_at) {
-      const expiresMs = sessionRow.expires_at instanceof Date
-        ? sessionRow.expires_at.getTime()
-        : Date.parse(sessionRow.expires_at);
-      if (!Number.isNaN(expiresMs) && expiresMs <= Date.now()) {
-      req.session.destroy();
-      clearSessionCookies(res);
-      return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_EXPIRED));
-    }
-    }
+          if (hasWildcard) {
+            const userHasApp = Array.isArray(userAllowedApps)
+              && userAllowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase());
+            if (!userHasApp) {
+              return res.status(401).json(createErrorResponse(401, ErrorCodes.APP_NOT_AUTHORIZED));
+            }
+          } else if (!hasSpecificApp) {
+            return res.status(401).json(createErrorResponse(401, ErrorCodes.APP_NOT_AUTHORIZED));
+          }
+        }
 
+        attachApiTokenUser(req, res, tokenUser);
 
-    if (!result.rows[0].Active) {
-      console.log(`[mbkauthe] Account is inactive for user "${req.session.user.username}"`);
-      req.session.destroy();
-      clearSessionCookies(res);
-      return res.status(401).json(createErrorResponse(401, ErrorCodes.ACCOUNT_INACTIVE));
-    }
+        if (tokenUser.tokenScope) {
+          const requestMethod = req.method;
+          if (!canAccessMethod(tokenUser.tokenScope, requestMethod)) {
+            return res.status(403).json(createErrorResponse(403, ErrorCodes.TOKEN_SCOPE_INSUFFICIENT, {
+              message: `Token scope '${tokenUser.tokenScope}' does not allow ${requestMethod} requests`,
+              tokenScope: tokenUser.tokenScope,
+              requestedMethod: requestMethod,
+              hint: 'Use a token with write scope for write operations'
+            }));
+          }
+        }
 
-    if (role !== "SuperAdmin") {
-      // If allowedApps is not provided or not an array, treat as no access
-      const hasAllowedApps = Array.isArray(allowedApps) && allowedApps.length > 0;
-      if (!hasAllowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
-        console.warn(`[mbkauthe] User \"${req.session.user.username}\" is not authorized to use the application \"${mbkautheVar.APP_NAME}\"`);
-        req.session.destroy();
-        clearSessionCookies(res);
-        return res.status(401).json(createErrorResponse(401, ErrorCodes.APP_NOT_AUTHORIZED));
+        return next();
       }
+
+      let errorCode = ErrorCodes.INVALID_AUTH_TOKEN;
+      if (tokenUser && tokenUser.error === 'TOKEN_EXPIRED') {
+        errorCode = ErrorCodes.API_TOKEN_EXPIRED;
+      }
+      return res.status(401).json(createErrorResponse(401, errorCode));
+    } catch (err) {
+      console.error(`[mbkauthe] Token validation error:`, err);
+      return res.status(500).json(createErrorResponse(500, ErrorCodes.INTERNAL_SERVER_ERROR));
     }
+  }
 
-    // Store user role in request for checkRolePermission to use
-    req.userRole = sessionRow.Role;
+  return validateCookieSession(req, res, next, { prefersJson: isJsonRequest(req) });
+}
 
-    next();
-  } catch (err) {
-    console.error(`[mbkauthe] API session validation error:`, err);
-    return res.status(500).json(createErrorResponse(500, ErrorCodes.INTERNAL_SERVER_ERROR));
+/**
+ * API-friendly session validation middleware
+ * Returns JSON error responses instead of rendering pages
+ */
+async function validateApiSession(req, res, next) {
+  if (req.headers.authorization) {
+    return validateSession(req, res, next);
   }
+  return validateCookieSession(req, res, next, { prefersJson: true });
 }
 
 /**
@@ -411,7 +374,7 @@ async function validateApiSession(req, res, next) {
 async function reloadSessionUser(req, res) {
   if (!req.session || !req.session.user || !req.session.user.id) return false;
   try {
-    const { id, sessionId: currentSessionId } = req.session.user;
+    const { sessionId: currentSessionId } = req.session.user;
 
     if (!currentSessionId) {
       req.session.destroy(() => { });
@@ -420,21 +383,15 @@ async function reloadSessionUser(req, res) {
     }
 
     const normalizedSessionId = String(currentSessionId);
-    const query = `SELECT s.id as sid, s.expires_at, u.id as uid, u."UserName", u."Active", u."Role", u."AllowedApps"
-                   FROM "Sessions" s
-                   JOIN "Users" u ON s."UserName" = u."UserName"
-                   WHERE s.id = $1 LIMIT 1`;
-    const result = await dblogin.query({ name: 'reload-session-user', text: query, values: [normalizedSessionId] });
+    const row = await authRepo.getSessionWithUserForReload(normalizedSessionId, 'reload-session-user');
 
-    if (result.rows.length === 0) {
+    if (!row) {
       // Session not found — invalidate session
       req.session.destroy(() => { });
       clearSessionCookies(res);
       return false;
     }
 
-    const row = result.rows[0];
-
     // Check expired
     if (row.expires_at && new Date(row.expires_at) <= new Date()) {
       req.session.destroy(() => { });
@@ -466,15 +423,10 @@ async function reloadSessionUser(req, res) {
     req.session.user.allowedApps = row.AllowedApps;
 
     // Obtain fullname from client cookie cache when present else DB
-    if (req.cookies && req.cookies.fullName && typeof req.cookies.fullName === 'string') {
+    if (typeof row.FullName === 'string' && row.FullName.trim() !== '') {
+      req.session.user.fullname = row.FullName;
+    } else if (req.cookies && req.cookies.fullName && typeof req.cookies.fullName === 'string') {
       req.session.user.fullname = req.cookies.fullName;
-    } else {
-      try {
-        const prof = await dblogin.query({ name: 'reload-get-fullname', text: 'SELECT "FullName" FROM "Users" WHERE "UserName" = $1 LIMIT 1', values: [row.UserName] });
-        if (prof.rows.length > 0 && prof.rows[0].FullName) req.session.user.fullname = prof.rows[0].FullName;
-      } catch (profileErr) {
-        console.error(`[mbkauthe] Error fetching fullname during reload:`, profileErr);
-      }
     }
 
     // Persist session changes
@@ -501,8 +453,10 @@ async function reloadSessionUser(req, res) {
 const checkRolePermission = (requiredRoles, notAllowed) => {
   return async (req, res, next) => {
     try {
-      if (!req.session || !req.session.user || !req.session.user.id) {
-        console.log(`[mbkauthe] User not authenticated`);
+      const authUser = req.auth?.user || req.session?.user;
+
+      if (!authUser || !authUser.id) {
+        logAuth(`User not authenticated`);
         if (isJsonRequest(req)) {
           return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_NOT_FOUND));
         }
@@ -516,10 +470,10 @@ const checkRolePermission = (requiredRoles, notAllowed) => {
       }
 
       // Use role from validateSession to avoid additional DB query
-      const userRole = req.userRole;
+      const userRole = req.userRole || authUser.role;
 
       // SuperAdmin bypasses all role checks
-      if(req.session.user?.role === "SuperAdmin" || userRole === "SuperAdmin") {
+      if(authUser.role === "SuperAdmin" || userRole === "SuperAdmin") {
         return next();
       }
 
@@ -579,10 +533,10 @@ const authenticate = (authentication) => {
   return (req, res, next) => {
     const token = extractAuthorizationToken(req.headers?.authorization ?? req.headers?.["authorization"]);
     if (timingSafeTokenMatch(token, authentication)) {
-      console.log(`[mbkauthe] Authentication successful`);
+      logAuth(`Authentication successful`);
       next();
     } else {
-      console.log(`[mbkauthe] Authentication failed`);
+      logAuth(`Authentication failed`);
       res.status(401).send("Unauthorized");
     }
   };