mbkauthe 4.9.0 → 5.0.1

package/lib/db/AuthRepository.js

@@ -14,6 +14,28 @@ const OAUTH_PROVIDERS = {
 };
 
 export class AuthRepository extends BaseRepository {
+  buildSessionUserSelect({ includeProfile = false, includeTwoFA = false } = {}) {
+    const fields = [
+      `s.id as sid`,
+      `s.expires_at`,
+      `u.id as uid`,
+      `u."UserName"`,
+      `u."Active"`,
+      `u."Role"`,
+      `u."AllowedApps"`
+    ];
+
+    if (includeProfile) {
+      fields.push(`u."FullName"`, `u."Image"`);
+    }
+
+    if (includeTwoFA) {
+      fields.push(`tfa."TwoFAStatus"`);
+    }
+
+    return fields.join(", ");
+  }
+
   resolveOAuthProvider(provider) {
     const key = String(provider || "").toLowerCase();
     const config = OAUTH_PROVIDERS[key];
@@ -24,7 +46,7 @@ export class AuthRepository extends BaseRepository {
   }
 
   async fetchActiveSession(sessionId) {
-    const query = `SELECT s.id as sid, s.expires_at, u.id as uid, u."UserName", u."Active", u."Role", u."AllowedApps"
+    const query = `SELECT ${this.buildSessionUserSelect({ includeProfile: true })}
                  FROM "Sessions" s
                  JOIN "Users" u ON s."UserName" = u."UserName"
                  WHERE s.id = $1 LIMIT 1`;
@@ -42,6 +64,17 @@ export class AuthRepository extends BaseRepository {
     return this.executeRaw({ name: queryName, text: query, values: [sessionId] });
   }
 
+  async getSessionsWithUsersByIds(sessionIds, queryName = "multi-session-fetch-many") {
+    if (!Array.isArray(sessionIds) || sessionIds.length === 0) return [];
+
+    const query = `SELECT ${this.buildSessionUserSelect({ includeProfile: true })}
+                 FROM "Sessions" s
+                 JOIN "Users" u ON s."UserName" = u."UserName"
+                 WHERE s.id = ANY($1)`;
+    const result = await this.executeRaw({ name: queryName, text: query, values: [sessionIds] });
+    return result.rows || [];
+  }
+
   async touchTrustedDevice(deviceTokenHash, username) {
     const query = `
       UPDATE "TrustedDevices" td
@@ -164,7 +197,7 @@ export class AuthRepository extends BaseRepository {
   async getUserWithTwoFA(username, queryName = "login-get-user") {
     const query = `
       SELECT u.id, u."UserName", u."PasswordEnc", u."Active", u."Role", u."AllowedApps",
-             tfa."TwoFAStatus"
+             tfa."TwoFAStatus", u."FullName", u."Image"
       FROM "Users" u
       LEFT JOIN "TwoFA" tfa ON u."UserName" = tfa."UserName"
       WHERE u."UserName" = $1
@@ -189,7 +222,11 @@ export class AuthRepository extends BaseRepository {
 
   async getOAuthUserByProviderId(provider, providerId) {
     const { table, idColumn, queryName } = this.resolveOAuthProvider(provider);
-    const query = `SELECT ug.*, u."UserName", u."Role", u."Active", u."AllowedApps", u."id" FROM ${table} ug JOIN "Users" u ON ug.user_name = u."UserName" WHERE ug.${idColumn} = $1`;
+    const query = `SELECT ug.*, u."UserName", u."Role", u."Active", u."AllowedApps", u."id", tfa."TwoFAStatus"
+                   FROM ${table} ug
+                   JOIN "Users" u ON ug.user_name = u."UserName"
+                   LEFT JOIN "TwoFA" tfa ON u."UserName" = tfa."UserName"
+                   WHERE ug.${idColumn} = $1`;
     const result = await this.executeRaw({ name: queryName, text: query, values: [providerId] });
     return result.rows?.[0] || null;
   }
@@ -207,17 +244,26 @@ export class AuthRepository extends BaseRepository {
     return result.rows?.[0] || null;
   }
 
-  async updateApiTokenLastUsed(tokenId, queryName = null) {
-    const query = `UPDATE "ApiTokens" SET "LastUsed" = NOW() WHERE id = $1`;
+  async updateApiTokenLastUsed(tokenId, queryName = null, minIntervalMinutes = 15) {
+    const query = `
+      UPDATE "ApiTokens"
+      SET "LastUsed" = NOW()
+      WHERE id = $1
+        AND (
+          "LastUsed" IS NULL
+          OR "LastUsed" < NOW() - ($2::int * INTERVAL '1 minute')
+        )
+    `;
+    const values = [tokenId, minIntervalMinutes];
     if (queryName) {
-      return this.executeRaw({ name: queryName, text: query, values: [tokenId] });
+      return this.executeRaw({ name: queryName, text: query, values });
     }
-    return this.executeRaw({ text: query, values: [tokenId] });
+    return this.executeRaw({ text: query, values });
   }
 
   async getSessionAuthData(sessionId, queryName = "validate-app-session") {
     const query = `
-  SELECT s.expires_at, u."Active", u."Role"
+  SELECT s.expires_at, u."Active", u."Role", u."AllowedApps", u."UserName"
   FROM "Sessions" s
   JOIN "Users" u ON s."UserName" = u."UserName"
   WHERE s.id = $1
@@ -229,7 +275,7 @@ export class AuthRepository extends BaseRepository {
   }
 
   async getSessionWithUserById(sessionId, queryName = "restore-user-session") {
-    const query = `SELECT u.id, u."UserName", u."Active", u."Role", u."AllowedApps", s.expires_at
+    const query = `SELECT ${this.buildSessionUserSelect({ includeProfile: true })}
                      FROM "Sessions" s
                      JOIN "Users" u ON s."UserName" = u."UserName"
                      WHERE s.id = $1 LIMIT 1`;
@@ -238,12 +284,7 @@ export class AuthRepository extends BaseRepository {
   }
 
   async getSessionWithUserForReload(sessionId, queryName = "reload-session-user") {
-    const query = `SELECT s.id as sid, s.expires_at, u.id as uid, u."UserName", u."Active", u."Role", u."AllowedApps"
-                   FROM "Sessions" s
-                   JOIN "Users" u ON s."UserName" = u."UserName"
-                   WHERE s.id = $1 LIMIT 1`;
-    const result = await this.executeRaw({ name: queryName, text: query, values: [sessionId] });
-    return result.rows?.[0] || null;
+    return this.getSessionWithUserById(sessionId, queryName);
   }
 
   async getSessionValidationRow(sessionId, queryName = "check-session-validity-by-id") {
@@ -292,4 +333,4 @@ export class AuthRepository extends BaseRepository {
     const query = `DELETE FROM "session" WHERE expire > NOW()`;
     return this.executeRaw({ name: queryName, text: query, values: [] });
   }
-}
+}

package/lib/db/BaseRepository.js

@@ -182,4 +182,12 @@ export class BaseRepository {
       values: []
     });
   }
-}
+
+  async advisoryTransactionLock(lockKey, queryName = "advisory-transaction-lock") {
+    return this.executeRaw({
+      name: queryName,
+      text: "SELECT pg_advisory_xact_lock(hashtext($1))",
+      values: [String(lockKey ?? "")]
+    });
+  }
+}

package/lib/db/dialects/postgres.js

@@ -15,4 +15,4 @@ export const postgresDialect = {
     return parts.length ? ` ${parts.join(" ")}` : "";
   },
   lockTable: (tableSql, mode = "ROW EXCLUSIVE") => `LOCK TABLE ${tableSql} IN ${mode} MODE`
-};
+};

package/lib/main.js

@@ -41,17 +41,17 @@ router.use(cookieParser());
 // CORS and security headers
 router.use(corsMiddleware);
 
+// Attach request context as early as possible so session-store queries are tied to the request.
+if (process.env.env === 'dev') {
+  router.use(requestContextMiddleware);
+}
+
 // Session configuration
 router.use(session(sessionConfig));
 
 // Session restoration
 router.use(sessionRestorationMiddleware);
 
-// Attach request context for DB query logging (dev only)
-if (process.env.env === 'dev') {
-  router.use(requestContextMiddleware);
-}
-
 // Initialize passport
 router.use(passport.initialize());
 router.use(passport.session());