mbkauthe 4.8.4 → 5.0.0

package/lib/middleware/index.js

@@ -4,6 +4,7 @@ const PgSession = pgSession(session);
 import { dblogin, runWithRequestContext } from "#pool.js";
 import { mbkautheVar } from "#config.js";
 import { cachedCookieOptions, decryptSessionId, encryptSessionId } from "#cookies.js";
+import { AuthRepository } from "../db/AuthRepository.js";
 
 // Session configuration
 export const sessionConfig = {
@@ -33,6 +34,9 @@ export const sessionConfig = {
   name: 'mbkauthe.sid'
 };
 
+const authRepo = new AuthRepository({ db: dblogin });
+const hasAuthorizationHeader = (req) => typeof req.headers?.authorization === 'string' && req.headers.authorization.trim().length > 0;
+
 // CORS middleware
 export function corsMiddleware(req, res, next) {
   const origin = req.headers.origin;
@@ -57,6 +61,10 @@ export function corsMiddleware(req, res, next) {
 
 // Session restoration middleware
 export async function sessionRestorationMiddleware(req, res, next) {
+  if (hasAuthorizationHeader(req)) {
+    return next();
+  }
+
   // Only restore session if not already present and sessionId cookie exists
   if (!req.session.user && req.cookies.sessionId) {
     // Decrypt the sessionId from cookie
@@ -77,45 +85,26 @@ export async function sessionRestorationMiddleware(req, res, next) {
 
     try {
       // Validate session by DB primary key id and join to user
-      const query = `SELECT u.id, u."UserName", u."Active", u."Role", u."AllowedApps", s.expires_at
-                     FROM "Sessions" s
-                     JOIN "Users" u ON s."UserName" = u."UserName"
-                     WHERE s.id = $1 LIMIT 1`;
-      const result = await dblogin.query({ name: 'restore-user-session', text: query, values: [sessionId] });
-
-      if (result.rows.length > 0) {
-        const row = result.rows[0];
+      const row = await authRepo.getSessionWithUserById(sessionId, 'restore-user-session');
 
+      if (row) {
         // Reject expired sessions or inactive users
         if ((row.expires_at && new Date(row.expires_at) <= new Date()) || !row.Active) {
           // leave cookies cleared and don't restore session
         } else {
           const normalizedSessionId = String(sessionId);
           req.session.user = {
-            id: row.id,
+            id: row.uid,
             username: row.UserName,
             role: row.Role,
             sessionId: normalizedSessionId,
             allowedApps: row.AllowedApps,
           };
 
-          // Use cached FullName from client cookie when available to avoid extra DB queries
-          if (req.cookies && req.cookies.fullName && typeof req.cookies.fullName === 'string') {
+          if (typeof row.FullName === 'string' && row.FullName.trim() !== '') {
+            req.session.user.fullname = row.FullName;
+          } else if (req.cookies && typeof req.cookies.fullName === 'string') {
             req.session.user.fullname = req.cookies.fullName;
-          } else {
-            // Fallback: attempt to fetch FullName from Users to populate session
-            try {
-              const profileRes = await dblogin.query({
-                name: 'restore-get-fullname',
-                text: 'SELECT "FullName" FROM "Users" WHERE "UserName" = $1 LIMIT 1',
-                values: [row.UserName]
-              });
-              if (profileRes.rows.length > 0 && profileRes.rows[0].FullName) {
-                req.session.user.fullname = profileRes.rows[0].FullName;
-              }
-            } catch (profileErr) {
-              console.error(`[mbkauthe] Error fetching FullName during session restore:`, profileErr);
-            }
           }
         }
       }
@@ -128,6 +117,10 @@ export async function sessionRestorationMiddleware(req, res, next) {
 
 // Session cookie sync middleware
 export function sessionCookieSyncMiddleware(req, res, next) {
+  if (hasAuthorizationHeader(req) || req.auth?.type === 'api-token') {
+    return next();
+  }
+
   if (req.session && req.session.user) {
     // Decrypt existing cookie to compare with session
     const currentDecryptedId = decryptSessionId(req.cookies.sessionId);

package/lib/middleware/scopeValidator.js

@@ -13,8 +13,13 @@ import { ErrorCodes, createErrorResponse } from '../utils/errors.js';
 export function validateTokenScope(req, res, next) {
   // Only validate for API token requests (not cookie-based sessions)
   // Check if this request was authenticated via API token
-  if (req.session?.user?.sessionId === 'api-token-session' && req.session?.user?.tokenScope) {
-    const tokenScope = req.session.user.tokenScope;
+  const tokenScope = req.auth?.type === 'api-token'
+    ? req.auth.tokenScope
+    : req.session?.user?.sessionId === 'api-token-session'
+      ? req.session.user.tokenScope
+      : null;
+
+  if (tokenScope) {
     const requestMethod = req.method;
     
     // Check if scope allows this HTTP method
@@ -29,4 +34,4 @@ export function validateTokenScope(req, res, next) {
   }
   
   next();
-}
+}

package/lib/pool.js

@@ -9,12 +9,11 @@ export { runWithRequestContext, getRequestContext };
 
 const poolConfig = {
   connectionString: mbkautheVar.LOGIN_DB,
-  ssl: {
-    rejectUnauthorized: true,
-  },
-  max: 3,
-  idleTimeoutMillis: 10000,
-  connectionTimeoutMillis: 10000,
+  ssl: { rejectUnauthorized: true },
+  max: 10,
+  idleTimeoutMillis: 30000,
+  connectionTimeoutMillis: 5000,
+  application_name: `${mbkautheVar.APP_NAME}-mbkauthe-app`,
 };
 
 export const dblogin = new Pool(poolConfig);

package/lib/routes/auth.js

@@ -12,10 +12,14 @@ import {
   encryptSessionId
 } from "#cookies.js";
 import { packageJson } from "#config.js";
-import { hashPassword, hashApiToken } from "#config.js";
+import { hashPassword } from "#config.js";
 import { ErrorCodes, createErrorResponse, logError } from "../utils/errors.js";
+import { AuthRepository } from "../db/AuthRepository.js";
+import { createLogger } from "../utils/logger.js";
 
 const router = express.Router();
+const authRepo = new AuthRepository({ db: dblogin });
+const logAuth = createLogger("auth");
 
 // Helper function to clear profile picture cache
 function clearProfilePicCache(req, username) {
@@ -68,13 +72,8 @@ const csrfProtection = csurf({ cookie: true });
 // Helper: load a session by DB id and validate basics
 async function fetchActiveSession(sessionId) {
   if (!sessionId || typeof sessionId !== 'string') return null;
-  const query = `SELECT s.id as sid, s.expires_at, u.id as uid, u."UserName", u."Active", u."Role", u."AllowedApps"
-                 FROM "Sessions" s
-                 JOIN "Users" u ON s."UserName" = u."UserName"
-                 WHERE s.id = $1 LIMIT 1`;
-  const result = await dblogin.query({ name: 'multi-session-fetch', text: query, values: [sessionId] });
-  if (result.rows.length === 0) return null;
-  const row = result.rows[0];
+  const row = await authRepo.fetchActiveSession(sessionId);
+  if (!row) return null;
   if ((row.expires_at && new Date(row.expires_at) <= new Date()) || !row.Active) return null;
   if (row.Role !== 'SuperAdmin') {
     const allowedApps = row.AllowedApps;
@@ -91,7 +90,7 @@ const isUuid = (val) => typeof val === 'string' && /^[0-9a-f]{8}-[0-9a-f]{4}-[0-
 async function invalidateDbSession(sessionId) {
   if (!isUuid(sessionId)) return;
   try {
-    await dblogin.query({ name: 'invalidate-app-session', text: 'DELETE FROM "Sessions" WHERE id = $1', values: [sessionId] });
+    await authRepo.deleteAppSessionById(sessionId);
   } catch (err) {
     console.error(`[mbkauthe] Error invalidating session:`, err);
   }
@@ -111,28 +110,12 @@ export async function checkTrustedDevice(req, username) {
     // Hash the provided device token before querying DB (we store token hashes in DB)
     const deviceTokenHash = hashDeviceToken(deviceToken);
     // Single round-trip: validate trusted device AND refresh LastUsed.
-    const deviceQuery = `
-      UPDATE "TrustedDevices" td
-      SET "LastUsed" = NOW()
-      FROM "Users" u
-      WHERE td."DeviceToken" = $1
-        AND td."UserName" = $2
-        AND td."ExpiresAt" > NOW()
-        AND u."UserName" = td."UserName"
-        AND u."Active" = TRUE
-      RETURNING td."UserName", td."ExpiresAt", u."id" as id, u."Active", u."Role", u."AllowedApps"
-    `;
-    const deviceResult = await dblogin.query({
-      name: 'check-trusted-device',
-      text: deviceQuery,
-      values: [deviceTokenHash, username]
-    });
+    const deviceUser = await authRepo.touchTrustedDevice(deviceTokenHash, username);
 
-    if (deviceResult.rows.length > 0) {
-      const deviceUser = deviceResult.rows[0];
+    if (deviceUser) {
 
       if (!deviceUser.Active) {
-        console.log(`[mbkauthe] Trusted device check: inactive account for username: ${username}`);
+        logAuth(`Trusted device check: inactive account for username: ${username}`);
         return null;
       }
 
@@ -144,7 +127,7 @@ export async function checkTrustedDevice(req, username) {
         }
       }
 
-      console.log(`[mbkauthe] Trusted device validated for user: ${username}`);
+      logAuth(`Trusted device validated for user: ${username}`);
       return {
         id: deviceUser.id,
         username: username,
@@ -174,11 +157,7 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
     const oldSessionId = req.sessionID;
 
     // Delete old session first to prevent session fixation attacks
-    await dblogin.query({
-      name: 'login-delete-old-session-before-regen',
-      text: 'DELETE FROM "session" WHERE sid = $1',
-      values: [oldSessionId]
-    });
+    await authRepo.deleteSessionBySid(oldSessionId);
 
     // Now regenerate with new session ID (timing window closed)
     await new Promise((resolve, reject) => {
@@ -193,67 +172,40 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
     const configuredMax = parseInt(mbkautheVar.MAX_SESSIONS_PER_USER, 10);
     const MAX_SESSIONS = Number.isInteger(configuredMax) && configuredMax > 0 ? configuredMax : 5;
 
-    const dbClient = await dblogin.connect();
     let dbSessionId;
     try {
-      await dbClient.query('BEGIN');
-      await dbClient.query('LOCK TABLE "Sessions" IN SHARE ROW EXCLUSIVE MODE');
-
-      // Clean up expired sessions + count active sessions in a single round-trip.
-      const countRes = await dbClient.query({
-        name: 'cleanup-and-count-user-sessions',
-        text: `
-          WITH deleted AS (
-            DELETE FROM "Sessions"
-            WHERE "UserName" = $1
-              AND expires_at IS NOT NULL
-              AND expires_at <= NOW()
-          )
-          SELECT COUNT(*)::int AS count
-          FROM "Sessions"
-          WHERE "UserName" = $1
-        `,
-        values: [username]
-      });
+      await authRepo.withTransaction(async (txRepo) => {
+        await txRepo.advisoryTransactionLock(`sessions:${username}`, "lock-user-sessions");
+        const currentSessions = await txRepo.cleanupAndCountUserSessions(username);
+        if (currentSessions >= MAX_SESSIONS) {
+          const sessionsToDelete = currentSessions - MAX_SESSIONS + 1; // +1 to make room for new session
+          logAuth(`User "${username}" has ${currentSessions} active sessions, exceeding max of ${MAX_SESSIONS}. Deleting ${sessionsToDelete} oldest sessions.`);
+
+          await txRepo.deleteOldestSessionsForUser(username, sessionsToDelete, "prune-oldest-user-session");
+        }
 
-      const currentSessions = Number(countRes.rows?.[0]?.count ?? 0);
-      if (currentSessions >= MAX_SESSIONS) {
-        const sessionsToDelete = currentSessions - MAX_SESSIONS + 1; // +1 to make room for new session
-        console.log(`[mbkauthe] User "${username}" has ${currentSessions} active sessions, exceeding max of ${MAX_SESSIONS}. Deleting ${sessionsToDelete} oldest sessions.`);
+        const expiresAt = new Date(Date.now() + (cachedCookieOptions.maxAge || 0));
+        const insertedSession = await txRepo.insertAppSession(
+          username,
+          expiresAt,
+          JSON.stringify({ ip: req.ip, ua: req.headers['user-agent'] || null })
+        );
 
-        await dbClient.query({
-          name: 'prune-oldest-user-session',
-          text: `DELETE FROM "Sessions" WHERE id IN (SELECT id FROM "Sessions" WHERE "UserName" = $1 ORDER BY created_at ASC LIMIT $2)`,
-          values: [username, sessionsToDelete]
-        });
-      }
+        if (!insertedSession?.id) {
+          throw new Error('Failed to insert app session');
+        }
 
-      const expiresAt = new Date(Date.now() + (cachedCookieOptions.maxAge || 0));
-      const insertRes = await dbClient.query({
-        name: 'insert-app-session',
-        text: `INSERT INTO "Sessions" ("UserName", expires_at, meta) VALUES ($1, $2, $3) RETURNING id`,
-        values: [username, expiresAt, JSON.stringify({ ip: req.ip, ua: req.headers['user-agent'] || null })]
+        dbSessionId = insertedSession.id;
       });
-      dbSessionId = insertRes.rows[0].id;
-
-      await dbClient.query('COMMIT');
     } catch (err) {
-      await dbClient.query('ROLLBACK').catch(() => {});
       console.error(`[mbkauthe] Error enforcing session limit or inserting app session:`, err);
       throw err;
-    } finally {
-      dbClient.release();
     }
 
     // Update last_login and fetch FullName/Image in a single query.
     let profileRow = null;
     try {
-      const profUpdateRes = await dblogin.query({
-        name: 'login-update-last-login-return-profile',
-        text: `UPDATE "Users" SET "last_login" = NOW() WHERE "id" = $1 RETURNING "FullName", "Image"`,
-        values: [user.id]
-      });
-      profileRow = profUpdateRes.rows?.[0] || null;
+      profileRow = await authRepo.updateLastLoginReturnProfile(user.id);
     } catch (profileUpdateErr) {
       console.error(`[mbkauthe] Error updating last_login/returning profile:`, profileUpdateErr);
     }
@@ -277,14 +229,10 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
     } else {
       // Fallback: try a read query if UPDATE...RETURNING failed unexpectedly.
       try {
-        const profileResult = await dblogin.query({
-          name: 'login-get-fullname-and-image',
-          text: 'SELECT "FullName", "Image" FROM "Users" WHERE "UserName" = $1 LIMIT 1',
-          values: [username]
-        });
-        if (profileResult.rows.length > 0) {
-          if (profileResult.rows[0].FullName) req.session.user.fullname = profileResult.rows[0].FullName;
-          if (profileResult.rows[0].Image && profileResult.rows[0].Image.trim() !== '') loginProfileImage = profileResult.rows[0].Image;
+        const profileResult = await authRepo.getUserProfileByUsername(username);
+        if (profileResult) {
+          if (profileResult.FullName) req.session.user.fullname = profileResult.FullName;
+          if (profileResult.Image && profileResult.Image.trim() !== '') loginProfileImage = profileResult.Image;
         }
       } catch (profileErr) {
         console.error(`[mbkauthe] Error fetching FullName/Image for user:`, profileErr);
@@ -340,23 +288,25 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
 
           // Store only the HASH of the device token in DB; send the raw token to the client (httpOnly cookie)
           const deviceTokenHash = hashDeviceToken(deviceToken);
-          await dblogin.query({
-            name: 'insert-trusted-device',
-            text: `INSERT INTO "TrustedDevices" ("UserName", "DeviceToken", "DeviceName", "UserAgent", "IpAddress", "ExpiresAt") 
-                   VALUES ($1, $2, $3, $4, $5, $6)`,
-            values: [username, deviceTokenHash, deviceName, userAgent, ipAddress, expiresAt]
+          await authRepo.insertTrustedDevice({
+            username,
+            deviceTokenHash,
+            deviceName,
+            userAgent,
+            ipAddress,
+            expiresAt
           });
 
           // Send raw token to client as httpOnly cookie only
           res.cookie("device_token", deviceToken, getDeviceTokenCookieOptions());
-          console.log(`[mbkauthe] Trusted device token created for user: ${username}`);
+          logAuth(`Trusted device token created for user: ${username}`);
         } catch (deviceErr) {
           console.error(`[mbkauthe] Error creating trusted device:`, deviceErr);
           // Continue with login even if device trust fails
         }
       }
 
-      console.log(`[mbkauthe] User "${username}" logged in successfully (last_login updated)`);
+      logAuth(`User "${username}" logged in successfully (last_login updated)`);
 
       const responsePayload = {
         success: true,
@@ -378,7 +328,7 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
 
 // POST /mbkauthe/api/login
 router.post("/api/login", LoginLimit, async (req, res) => {
-  console.log(`[mbkauthe] Login request received`);
+  logAuth(`Login request received`);
 
   const { username, password, redirect } = req.body;
 
@@ -408,30 +358,21 @@ router.post("/api/login", LoginLimit, async (req, res) => {
     );
   }
 
-  console.log(`[mbkauthe] Login attempt for username: ${username.trim()}`);
+  logAuth(`Login attempt for username: ${username.trim()}`);
 
   const trimmedUsername = username.trim();
 
   try {
     // Combined query: fetch user data and 2FA status in one query
-    const userQuery = `
-      SELECT u.id, u."UserName", u."PasswordEnc", u."Active", u."Role", u."AllowedApps",
-             tfa."TwoFAStatus"
-      FROM "Users" u
-      LEFT JOIN "TwoFA" tfa ON u."UserName" = tfa."UserName"
-      WHERE u."UserName" = $1
-    `;
-    const userResult = await dblogin.query({ name: 'login-get-user', text: userQuery, values: [trimmedUsername] });
-
-    if (userResult.rows.length === 0) {
+    const user = await authRepo.getUserWithTwoFA(trimmedUsername);
+
+    if (!user) {
       logError('Login attempt', ErrorCodes.USER_NOT_FOUND, { username: trimmedUsername });
       return res.status(401).json(
         createErrorResponse(401, ErrorCodes.INVALID_CREDENTIALS)
       );
     }
 
-    const user = userResult.rows[0];
-
     // Password verification (hash-only). We never read/compare plaintext passwords.
     let passwordMatches = false;
     if (user.PasswordEnc) {
@@ -474,7 +415,7 @@ router.post("/api/login", LoginLimit, async (req, res) => {
     // Check for trusted device AFTER password validation
     const trustedDeviceUser = await checkTrustedDevice(req, trimmedUsername);
     if (trustedDeviceUser && (mbkautheVar.MBKAUTH_TWO_FA_ENABLE || "").toLocaleLowerCase() === "true" && user.TwoFAStatus) {
-      console.log(`[mbkauthe] Trusted device login for user: ${trimmedUsername}, skipping 2FA only`);
+      logAuth(`Trusted device login for user: ${trimmedUsername}, skipping 2FA only`);
 
       const userForSession = {
         id: user.id,
@@ -496,7 +437,7 @@ router.post("/api/login", LoginLimit, async (req, res) => {
         allowedApps: user.AllowedApps,
         redirectUrl: requestedRedirect
       };
-      console.log(`[mbkauthe] 2FA required for user: ${trimmedUsername}`);
+      logAuth(`2FA required for user: ${trimmedUsername}`);
       return res.json({ success: true, twoFactorRequired: true, redirectUrl: requestedRedirect });
     }
 
@@ -575,16 +516,15 @@ router.post("/api/verify-2fa", TwoFALimit, csrfProtection, async (req, res) => {
   const shouldTrustDevice = trustDevice === true || trustDevice === 'true';
 
   try {
-    const query = `SELECT tfa."TwoFASecret" FROM "TwoFA" tfa WHERE tfa."UserName" = $1`;
-    const twoFAResult = await dblogin.query({ name: 'verify-2fa-secret', text: query, values: [username] });
+    const twoFARecord = await authRepo.getTwoFASecret(username);
 
-    if (twoFAResult.rows.length === 0 || !twoFAResult.rows[0].TwoFASecret) {
+    if (!twoFARecord || !twoFARecord.TwoFASecret) {
       return res.status(500).json(
         createErrorResponse(500, ErrorCodes.TWO_FA_NOT_CONFIGURED)
       );
     }
 
-    const sharedSecret = twoFAResult.rows[0].TwoFASecret;
+    const sharedSecret = twoFARecord.TwoFASecret;
     const allowedApps = req.session.preAuthUser?.allowedApps;
     const tokenValidates = speakeasy.totp.verify({
       secret: sharedSecret,
@@ -632,11 +572,11 @@ router.post("/api/logout", LogoutLimit, async (req, res) => {
       // Remove the application session record for this token (if present)
       const operations = [];
       if (req.session && req.session.user && req.session.user.sessionId) {
-        operations.push(dblogin.query({ name: 'logout-delete-app-session', text: 'DELETE FROM "Sessions" WHERE id = $1', values: [req.session.user.sessionId] }));
+        operations.push(authRepo.deleteAppSessionById(req.session.user.sessionId, "logout-delete-app-session"));
       }
 
       if (req.sessionID) {
-        operations.push(dblogin.query({ name: 'logout-delete-session', text: 'DELETE FROM "session" WHERE sid = $1', values: [req.sessionID] }));
+        operations.push(authRepo.deleteSessionBySid(req.sessionID, "logout-delete-session"));
       }
 
       await Promise.all(operations);
@@ -654,7 +594,7 @@ router.post("/api/logout", LogoutLimit, async (req, res) => {
 
         clearSessionCookies(res);
 
-        console.log(`[mbkauthe] User "${username}" logged out successfully`);
+        logAuth(`User "${username}" logged out successfully`);
         res.status(200).json({ success: true, message: "Logout successful" });
       });
     } catch (err) {
@@ -673,54 +613,52 @@ router.get("/api/account-sessions", LoginLimit, async (req, res) => {
     return res.json({ accounts: [], currentSessionId: req.session?.user?.sessionId || null });
   }
 
-  const validated = [];
   const currentSessionId = req.session?.user?.sessionId || null;
 
+  const validAccountEntries = [];
   for (const acct of storedAccounts) {
     if (!isUuid(acct.sessionId)) {
       removeAccountFromCookie(req, res, acct.sessionId);
       continue;
     }
+    validAccountEntries.push(acct);
+  }
 
-    try {
-      const row = await fetchActiveSession(acct.sessionId);
-      if (!row) {
+  const sessionIds = validAccountEntries.map((acct) => acct.sessionId);
+
+  try {
+    const sessionRows = await authRepo.getSessionsWithUsersByIds(sessionIds, "multi-session-fetch-many");
+    const sessionMap = new Map(sessionRows.map((row) => [row.sid, row]));
+    const validated = [];
+
+    for (const acct of validAccountEntries) {
+      const row = sessionMap.get(acct.sessionId);
+      const expired = row?.expires_at && new Date(row.expires_at) <= new Date();
+      const authorized = row && row.Active && (
+        row.Role === "SuperAdmin" ||
+        (Array.isArray(row.AllowedApps) && row.AllowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase()))
+      );
+
+      if (!row || expired || !authorized) {
         await invalidateDbSession(acct.sessionId);
         removeAccountFromCookie(req, res, acct.sessionId);
         continue;
       }
 
-      let fullName = acct.fullName || acct.username;
-      let image = acct.image || null;
-      if (!acct.fullName || !acct.image) {
-        try {
-          const prof = await dblogin.query({
-            name: 'multi-session-fullname-image',
-            text: 'SELECT "FullName", "Image" FROM "Users" WHERE "UserName" = $1 LIMIT 1',
-            values: [row.UserName]
-          });
-          if (prof.rows.length > 0) {
-            if (!acct.fullName && prof.rows[0].FullName) fullName = prof.rows[0].FullName;
-            if (!acct.image && prof.rows[0].Image && prof.rows[0].Image.trim() !== '') image = prof.rows[0].Image;
-          }
-        } catch (profileErr) {
-          console.error(`[mbkauthe] Error fetching fullname/image for account list:`, profileErr);
-        }
-      }
-
       validated.push({
         sessionId: row.sid,
         username: row.UserName,
-        fullName,
-        image,
+        fullName: acct.fullName || row.FullName || acct.username || row.UserName,
+        image: acct.image || (typeof row.Image === 'string' && row.Image.trim() !== '' ? row.Image : null),
         isCurrent: currentSessionId && row.sid === currentSessionId
       });
-    } catch (err) {
-      console.error(`[mbkauthe] Error validating remembered account:`, err);
     }
-  }
 
-  return res.json({ accounts: validated, currentSessionId });
+    return res.json({ accounts: validated, currentSessionId });
+  } catch (err) {
+    console.error(`[mbkauthe] Error validating remembered accounts:`, err);
+    return res.status(500).json(createErrorResponse(500, ErrorCodes.INTERNAL_SERVER_ERROR));
+  }
 });
 
 // Switch active session to another remembered account
@@ -745,21 +683,8 @@ router.post("/api/switch-session", LoginLimit, async (req, res) => {
       return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_EXPIRED));
     }
 
-    let fullName = row.UserName;
-    let switchProfileImage = null;
-    try {
-      const prof = await dblogin.query({
-        name: 'multi-session-switch-fullname-image',
-        text: 'SELECT "FullName", "Image" FROM "Users" WHERE "UserName" = $1 LIMIT 1',
-        values: [row.UserName]
-      });
-      if (prof.rows.length > 0) {
-        if (prof.rows[0].FullName) fullName = prof.rows[0].FullName;
-        if (prof.rows[0].Image && prof.rows[0].Image.trim() !== '') switchProfileImage = prof.rows[0].Image;
-      }
-    } catch (profileErr) {
-      console.error(`[mbkauthe] Error fetching fullname/image during switch:`, profileErr);
-    }
+    const fullName = row.FullName || row.UserName;
+    const switchProfileImage = typeof row.Image === 'string' && row.Image.trim() !== '' ? row.Image : null;
 
     // Regenerate session to avoid fixation
     await new Promise((resolve, reject) => {
@@ -816,15 +741,11 @@ router.post("/api/logout-all", LoginLimit, async (req, res) => {
     if (currentSessionId) sessionIds.push(currentSessionId);
 
     if (sessionIds.length) {
-      await dblogin.query({
-        name: 'logout-all-app-sessions',
-        text: 'DELETE FROM "Sessions" WHERE id = ANY($1)',
-        values: [sessionIds]
-      });
+      await authRepo.deleteSessionsByIds(sessionIds, "logout-all-app-sessions");
     }
 
     if (req.sessionID) {
-      await dblogin.query({ name: 'logout-all-delete-session', text: 'DELETE FROM "session" WHERE sid = $1', values: [req.sessionID] });
+      await authRepo.deleteSessionBySid(req.sessionID, "logout-all-delete-session");
     }
 
     clearAccountListCookie(res);
@@ -842,6 +763,9 @@ router.post("/api/logout-all", LoginLimit, async (req, res) => {
 // GET /mbkauthe/login
 router.get("/login", LoginLimit, csrfProtection, (req, res) => {
   const lastLogin = req.cookies && typeof req.cookies.lastLoginMethod === 'string' ? req.cookies.lastLoginMethod : null;
+  const reason = req.query.reason;
+  const redirectTarget = req.query.redirect || null;
+  
   return res.render("pages/loginmbkauthe.handlebars", {
     layout: false,
     githubLoginEnabled: mbkautheVar.GITHUB_LOGIN_ENABLED,
@@ -856,7 +780,9 @@ router.get("/login", LoginLimit, csrfProtection, (req, res) => {
     lastLoginMethod: lastLogin,
     lastLoginPassword: lastLogin === 'password',
     lastLoginGithub: lastLogin === 'github',
-    lastLoginGoogle: lastLogin === 'google'
+    lastLoginGoogle: lastLogin === 'google',
+    showLoggedOutMessage: reason === 'logged_out',
+    redirectTarget: redirectTarget
   });
 });