npm - mbkauthe - Versions diffs - 4.9.0 → 5.0.0 - Mend

mbkauthe 4.9.0 → 5.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/docs/api.md +29 -178
package/docs/db.md +1 -1
package/docs/db.sql +305 -253
package/index.js +5 -3
package/lib/config/cookies.js +84 -18
package/lib/config/index.js +3 -1
package/lib/config/tokenScopes.js +1 -1
package/lib/createTable.js +95 -8
package/lib/db/AuthRepository.js +57 -16
package/lib/db/BaseRepository.js +9 -1
package/lib/db/dialects/postgres.js +1 -1
package/lib/main.js +5 -5
package/lib/middleware/auth.js +201 -218
package/lib/middleware/index.js +13 -14
package/lib/middleware/scopeValidator.js +8 -3
package/lib/pool.js +5 -6
package/lib/routes/auth.js +42 -47
package/lib/routes/dbLogs.js +247 -29
package/lib/routes/misc.js +6 -4
package/lib/routes/oauth.js +19 -23
package/lib/utils/dbQueryLogger.js +485 -80
package/lib/utils/errors.js +1 -1
package/lib/utils/logger.js +12 -0
package/lib/utils/timingSafeToken.js +1 -1
package/package.json +1 -1
package/public/main.css +1 -1
package/test.spec.js +515 -48
package/views/pages/dbLogs.handlebars +618 -420

package/lib/config/cookies.js CHANGED Viewed

@@ -14,6 +14,60 @@ const getEncryptionKey = () => {
     return crypto.createHash('sha256').update(COOKIE_ENCRYPTION_KEY).digest();
 };
+const getSigningKey = () => {
+    return crypto.createHash('sha256').update(`${COOKIE_ENCRYPTION_KEY}:cookie-signing`).digest();
+};
+const encodePayload = (data) => {
+    return Buffer.from(JSON.stringify(data), 'utf8').toString('base64url');
+};
+const decodePayload = (encoded) => {
+    return JSON.parse(Buffer.from(encoded, 'base64url').toString('utf8'));
+};
+const signCookiePayload = (encodedPayload) => {
+    return crypto.createHmac('sha256', getSigningKey()).update(encodedPayload).digest('hex');
+};
+const verifyCookieSignature = (encodedPayload, signature) => {
+    if (!encodedPayload || !signature || typeof encodedPayload !== 'string' || typeof signature !== 'string') {
+        return false;
+    }
+    const expected = signCookiePayload(encodedPayload);
+    const expectedBuffer = Buffer.from(expected, 'hex');
+    const actualBuffer = Buffer.from(signature, 'hex');
+    return expectedBuffer.length === actualBuffer.length && crypto.timingSafeEqual(expectedBuffer, actualBuffer);
+};
+const createSignedCookiePayload = (data) => {
+    try {
+        const payload = encodePayload(data);
+        return {
+            payload,
+            signature: signCookiePayload(payload)
+        };
+    } catch (error) {
+        console.error(`[mbkauthe] Cookie signing error:`, error);
+        return null;
+    }
+};
+const parseSignedCookiePayload = (signedPayload) => {
+    try {
+        if (!signedPayload || !verifyCookieSignature(signedPayload.payload, signedPayload.signature)) {
+            return null;
+        }
+        return decodePayload(signedPayload.payload);
+    } catch (error) {
+        console.error(`[mbkauthe] Cookie signature verification error:`, error);
+        return null;
+    }
+};
 // Encrypt and sign cookie payload
 const encryptCookiePayload = (data) => {
     try {
@@ -160,33 +214,46 @@ export { getCookieOptions, getClearCookieOptions };
 const parseAccountList = (raw, req) => {
     if (!raw) return [];
     try {
-        // First, decrypt the cookie payload
         const parsed = JSON.parse(raw);
-        const decrypted = decryptCookiePayload(parsed);
+        let data = parseSignedCookiePayload(parsed);
+        let isLegacyEncryptedCookie = false;
+        // Backward compatibility for previously encrypted account-list cookies.
+        if (!data && parsed.iv && parsed.authTag && parsed.data) {
+            data = decryptCookiePayload(parsed);
+            isLegacyEncryptedCookie = true;
+        }
-        if (!decrypted || !decrypted.accounts || !decrypted.fingerprint) {
+        if (!data || !data.accounts || !data.fingerprint) {
             return [];
         }
         // Verify fingerprint matches current request
         const currentFingerprint = generateFingerprint(req);
-        if (decrypted.fingerprint !== currentFingerprint) {
+        if (data.fingerprint !== currentFingerprint) {
             console.warn(`[mbkauthe] Cookie fingerprint mismatch - possible cookie theft attempt`);
             return [];
         }
-        const accounts = decrypted.accounts;
+        const accounts = data.accounts;
         if (!Array.isArray(accounts)) return [];
         // Accept only minimal safe fields
         return accounts
             .filter(item => item && typeof item === 'object')
-            .map(item => ({
-                sessionId: typeof item.sessionId === 'string' ? item.sessionId : null,
-                username: typeof item.username === 'string' ? item.username : null,
-                fullName: typeof item.fullName === 'string' ? item.fullName : null,
-                image: typeof item.image === 'string' ? item.image : null
-            }))
+            .map(item => {
+                const rawSessionId = typeof item.sessionId === 'string' ? item.sessionId : null;
+                const sessionId = isLegacyEncryptedCookie
+                    ? rawSessionId
+                    : decryptSessionId(rawSessionId);
+                return {
+                    sessionId,
+                    username: typeof item.username === 'string' ? item.username : null,
+                    fullName: typeof item.fullName === 'string' ? item.fullName : null,
+                    image: typeof item.image === 'string' ? item.image : null
+                };
+            })
             .filter(item => item.sessionId && item.username)
             .slice(0, MAX_REMEMBERED_ACCOUNTS);
     } catch (error) {
@@ -200,7 +267,7 @@ const writeAccountList = (res, list, req) => {
     // Clean and limit fields to safe values (limit image URL length)
     const cleaned = sanitized.map(item => ({
-        sessionId: item && item.sessionId ? item.sessionId : null,
+        sessionId: item && item.sessionId ? encryptSessionId(item.sessionId) : null,
         username: item && item.username ? item.username : null,
         fullName: item && item.fullName ? item.fullName : null,
         image: (item && typeof item.image === 'string' && item.image.length <= 2048) ? item.image : null
@@ -212,14 +279,13 @@ const writeAccountList = (res, list, req) => {
         fingerprint: generateFingerprint(req)
     };
-    // Encrypt the payload
-    const encrypted = encryptCookiePayload(payload);
-    if (!encrypted) {
-        console.error(`[mbkauthe] Failed to encrypt account list cookie`);
+    const signed = createSignedCookiePayload(payload);
+    if (!signed) {
+        console.error(`[mbkauthe] Failed to sign account list cookie`);
         return;
     }
-    res.cookie(ACCOUNT_LIST_COOKIE, JSON.stringify(encrypted), cachedCookieOptions);
+    res.cookie(ACCOUNT_LIST_COOKIE, JSON.stringify(signed), cachedCookieOptions);
 };
 export const readAccountListFromCookie = (req) => {
@@ -243,4 +309,4 @@ export const removeAccountFromCookie = (req, res, sessionId) => {
 export const clearAccountListCookie = (res) => {
     res.clearCookie(ACCOUNT_LIST_COOKIE, cachedClearCookieOptions);
-};
+};

package/lib/config/index.js CHANGED Viewed

@@ -1,7 +1,9 @@
 import dotenv from "dotenv";
 import { createRequire } from "module";
+import { createLogger } from "../utils/logger.js";
 dotenv.config();
+const logConfig = createLogger("config");
 // Comprehensive validation function
 function validateConfiguration() {
@@ -215,7 +217,7 @@ function validateConfiguration() {
         configParts.push(`defaults: ${usedDefaults.length} keys`);
     }
     const configSummary = configParts.length > 0 ? ` (${configParts.join(', ')})` : '';
-    console.log(`[mbkauthe] Configuration loaded${configSummary}`);
+    logConfig(`Configuration loaded${configSummary}`);
     return mbkautheVar;
 }

package/lib/config/tokenScopes.js CHANGED Viewed

@@ -56,4 +56,4 @@ export function getAvailableScopes() {
     name: value.name,
     description: value.description
   }));
-}
+}

package/lib/createTable.js CHANGED Viewed

@@ -2,33 +2,120 @@
 import { readFile } from "fs/promises";
 import path from "path";
 import { fileURLToPath } from "url";
+import { performance } from "perf_hooks";
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 async function main() {
+  const startTime = performance.now();
+  console.log("[mbkauthe] Starting schema creation...");
   const schemaPath = path.resolve(__dirname, "../docs/db.sql");
+  console.log(`[mbkauthe] Schema file: ${schemaPath}`);
   const schemaSql = await readFile(schemaPath, "utf8");
+  console.log(
+    `[mbkauthe] Schema loaded (${Buffer.byteLength(schemaSql, "utf8")} bytes)`
+  );
+  const statementCount = schemaSql
+    .split(";")
+    .map(s => s.trim())
+    .filter(Boolean).length;
+  console.log(
+    `[mbkauthe] Detected approximately ${statementCount} SQL statements`
+  );
   try {
+    console.log("[mbkauthe] Testing database connection...");
+    const ping = await dblogin.query("SELECT version()");
+    console.log(
+      `[mbkauthe] Connected to PostgreSQL`
+    );
+    console.log(
+      `[mbkauthe] PostgreSQL version: ${ping.rows[0].version}`
+    );
+    console.log("[mbkauthe] Applying schema...");
+    const queryStart = performance.now();
     const res = await dblogin.query(schemaSql);
-    console.log(`[mbkauthe] Schema applied successfully.`);
+    const queryDuration = (
+      performance.now() - queryStart
+    ).toFixed(2);
+    console.log(
+      `[mbkauthe] Schema applied successfully in ${queryDuration} ms`
+    );
+    console.log(
+      `[mbkauthe] Command: ${res.command ?? "MULTI"}`
+    );
+    console.log(
+      `[mbkauthe] Row count: ${res.rowCount ?? 0}`
+    );
     if (res?.rows?.length) {
-      console.log(`[mbkauthe] Rows returned by schema query:`, res.rows);
-    } else {
-      console.log(`[mbkauthe] No rows returned by schema query (expected). If you want to verify table creation, query the database separately.`);
+      console.log(
+        `[mbkauthe] Returned rows: ${res.rows.length}`
+      );
     }
   } catch (err) {
     const IGNORE_CODES = ["42710", "42P07"];
-    if (err && typeof err.code === "string" && IGNORE_CODES.includes(err.code)) {
-      console.warn(`[mbkauthe] Schema already exists (ignored):`, err.message);
+    if (
+      err &&
+      typeof err.code === "string" &&
+      IGNORE_CODES.includes(err.code)
+    ) {
+      console.warn(
+        `[mbkauthe] Schema object already exists (ignored)`
+      );
+      console.warn(`Code: ${err.code}`);
+      console.warn(`Message: ${err.message}`);
     } else {
-      console.error(`[mbkauthe] Failed to apply schema:`, err);
+      console.error(
+        `[mbkauthe] Failed to apply schema`
+      );
+      console.error("Code:", err.code);
+      console.error("Severity:", err.severity);
+      console.error("Position:", err.position);
+      console.error("Table:", err.table);
+      console.error("Column:", err.column);
+      console.error("Constraint:", err.constraint);
+      console.error("Detail:", err.detail);
+      console.error("Hint:", err.hint);
+      console.error("Message:", err.message);
       process.exitCode = 1;
     }
   } finally {
+    console.log("[mbkauthe] Closing database connection...");
     await dblogin.end();
+    const totalDuration = (
+      performance.now() - startTime
+    ).toFixed(2);
+    console.log(
+      `[mbkauthe] Finished in ${totalDuration} ms`
+    );
   }
 }
-main();
+main();

package/lib/db/AuthRepository.js CHANGED Viewed

@@ -14,6 +14,28 @@ const OAUTH_PROVIDERS = {
 };
 export class AuthRepository extends BaseRepository {
+  buildSessionUserSelect({ includeProfile = false, includeTwoFA = false } = {}) {
+    const fields = [
+      `s.id as sid`,
+      `s.expires_at`,
+      `u.id as uid`,
+      `u."UserName"`,
+      `u."Active"`,
+      `u."Role"`,
+      `u."AllowedApps"`
+    ];
+    if (includeProfile) {
+      fields.push(`u."FullName"`, `u."Image"`);
+    }
+    if (includeTwoFA) {
+      fields.push(`tfa."TwoFAStatus"`);
+    }
+    return fields.join(", ");
+  }
   resolveOAuthProvider(provider) {
     const key = String(provider || "").toLowerCase();
     const config = OAUTH_PROVIDERS[key];
@@ -24,7 +46,7 @@ export class AuthRepository extends BaseRepository {
   }
   async fetchActiveSession(sessionId) {
-    const query = `SELECT s.id as sid, s.expires_at, u.id as uid, u."UserName", u."Active", u."Role", u."AllowedApps"
+    const query = `SELECT ${this.buildSessionUserSelect({ includeProfile: true })}
                  FROM "Sessions" s
                  JOIN "Users" u ON s."UserName" = u."UserName"
                  WHERE s.id = $1 LIMIT 1`;
@@ -42,6 +64,17 @@ export class AuthRepository extends BaseRepository {
     return this.executeRaw({ name: queryName, text: query, values: [sessionId] });
   }
+  async getSessionsWithUsersByIds(sessionIds, queryName = "multi-session-fetch-many") {
+    if (!Array.isArray(sessionIds) || sessionIds.length === 0) return [];
+    const query = `SELECT ${this.buildSessionUserSelect({ includeProfile: true })}
+                 FROM "Sessions" s
+                 JOIN "Users" u ON s."UserName" = u."UserName"
+                 WHERE s.id = ANY($1)`;
+    const result = await this.executeRaw({ name: queryName, text: query, values: [sessionIds] });
+    return result.rows || [];
+  }
   async touchTrustedDevice(deviceTokenHash, username) {
     const query = `
       UPDATE "TrustedDevices" td
@@ -164,7 +197,7 @@ export class AuthRepository extends BaseRepository {
   async getUserWithTwoFA(username, queryName = "login-get-user") {
     const query = `
       SELECT u.id, u."UserName", u."PasswordEnc", u."Active", u."Role", u."AllowedApps",
-             tfa."TwoFAStatus"
+             tfa."TwoFAStatus", u."FullName", u."Image"
       FROM "Users" u
       LEFT JOIN "TwoFA" tfa ON u."UserName" = tfa."UserName"
       WHERE u."UserName" = $1
@@ -189,7 +222,11 @@ export class AuthRepository extends BaseRepository {
   async getOAuthUserByProviderId(provider, providerId) {
     const { table, idColumn, queryName } = this.resolveOAuthProvider(provider);
-    const query = `SELECT ug.*, u."UserName", u."Role", u."Active", u."AllowedApps", u."id" FROM ${table} ug JOIN "Users" u ON ug.user_name = u."UserName" WHERE ug.${idColumn} = $1`;
+    const query = `SELECT ug.*, u."UserName", u."Role", u."Active", u."AllowedApps", u."id", tfa."TwoFAStatus"
+                   FROM ${table} ug
+                   JOIN "Users" u ON ug.user_name = u."UserName"
+                   LEFT JOIN "TwoFA" tfa ON u."UserName" = tfa."UserName"
+                   WHERE ug.${idColumn} = $1`;
     const result = await this.executeRaw({ name: queryName, text: query, values: [providerId] });
     return result.rows?.[0] || null;
   }
@@ -207,17 +244,26 @@ export class AuthRepository extends BaseRepository {
     return result.rows?.[0] || null;
   }
-  async updateApiTokenLastUsed(tokenId, queryName = null) {
-    const query = `UPDATE "ApiTokens" SET "LastUsed" = NOW() WHERE id = $1`;
+  async updateApiTokenLastUsed(tokenId, queryName = null, minIntervalMinutes = 15) {
+    const query = `
+      UPDATE "ApiTokens"
+      SET "LastUsed" = NOW()
+      WHERE id = $1
+        AND (
+          "LastUsed" IS NULL
+          OR "LastUsed" < NOW() - ($2::int * INTERVAL '1 minute')
+        )
+    `;
+    const values = [tokenId, minIntervalMinutes];
     if (queryName) {
-      return this.executeRaw({ name: queryName, text: query, values: [tokenId] });
+      return this.executeRaw({ name: queryName, text: query, values });
     }
-    return this.executeRaw({ text: query, values: [tokenId] });
+    return this.executeRaw({ text: query, values });
   }
   async getSessionAuthData(sessionId, queryName = "validate-app-session") {
     const query = `
-  SELECT s.expires_at, u."Active", u."Role"
+  SELECT s.expires_at, u."Active", u."Role", u."AllowedApps", u."UserName"
   FROM "Sessions" s
   JOIN "Users" u ON s."UserName" = u."UserName"
   WHERE s.id = $1
@@ -229,7 +275,7 @@ export class AuthRepository extends BaseRepository {
   }
   async getSessionWithUserById(sessionId, queryName = "restore-user-session") {
-    const query = `SELECT u.id, u."UserName", u."Active", u."Role", u."AllowedApps", s.expires_at
+    const query = `SELECT ${this.buildSessionUserSelect({ includeProfile: true })}
                      FROM "Sessions" s
                      JOIN "Users" u ON s."UserName" = u."UserName"
                      WHERE s.id = $1 LIMIT 1`;
@@ -238,12 +284,7 @@ export class AuthRepository extends BaseRepository {
   }
   async getSessionWithUserForReload(sessionId, queryName = "reload-session-user") {
-    const query = `SELECT s.id as sid, s.expires_at, u.id as uid, u."UserName", u."Active", u."Role", u."AllowedApps"
-                   FROM "Sessions" s
-                   JOIN "Users" u ON s."UserName" = u."UserName"
-                   WHERE s.id = $1 LIMIT 1`;
-    const result = await this.executeRaw({ name: queryName, text: query, values: [sessionId] });
-    return result.rows?.[0] || null;
+    return this.getSessionWithUserById(sessionId, queryName);
   }
   async getSessionValidationRow(sessionId, queryName = "check-session-validity-by-id") {
@@ -292,4 +333,4 @@ export class AuthRepository extends BaseRepository {
     const query = `DELETE FROM "session" WHERE expire > NOW()`;
     return this.executeRaw({ name: queryName, text: query, values: [] });
   }
-}
+}

package/lib/db/BaseRepository.js CHANGED Viewed

@@ -182,4 +182,12 @@ export class BaseRepository {
       values: []
     });
   }
-}
+  async advisoryTransactionLock(lockKey, queryName = "advisory-transaction-lock") {
+    return this.executeRaw({
+      name: queryName,
+      text: "SELECT pg_advisory_xact_lock(hashtext($1))",
+      values: [String(lockKey ?? "")]
+    });
+  }
+}

package/lib/db/dialects/postgres.js CHANGED Viewed

@@ -15,4 +15,4 @@ export const postgresDialect = {
     return parts.length ? ` ${parts.join(" ")}` : "";
   },
   lockTable: (tableSql, mode = "ROW EXCLUSIVE") => `LOCK TABLE ${tableSql} IN ${mode} MODE`
-};
+};

package/lib/main.js CHANGED Viewed

@@ -41,17 +41,17 @@ router.use(cookieParser());
 // CORS and security headers
 router.use(corsMiddleware);
+// Attach request context as early as possible so session-store queries are tied to the request.
+if (process.env.env === 'dev') {
+  router.use(requestContextMiddleware);
+}
 // Session configuration
 router.use(session(sessionConfig));
 // Session restoration
 router.use(sessionRestorationMiddleware);
-// Attach request context for DB query logging (dev only)
-if (process.env.env === 'dev') {
-  router.use(requestContextMiddleware);
-}
 // Initialize passport
 router.use(passport.initialize());
 router.use(passport.session());