npm - mbkauthe - Versions diffs - 5.0.1 → 5.0.4 - Mend

mbkauthe 5.0.1 → 5.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/LICENSE +161 -335
package/README.md +9 -4
package/docs/diagrams/auth-processes.mmd +37 -77
package/docs/images/auth-processes.svg +1 -1
package/lib/config/index.js +157 -152
package/lib/middleware/auth.js +32 -6
package/lib/middleware/index.js +1 -5
package/lib/routes/auth.js +7 -7
package/lib/routes/misc.js +55 -17
package/lib/routes/oauth.js +1 -1
package/package.json +10 -7
package/public/main.js +146 -99
package/views/head.handlebars +1 -0
package/views/pages/test.handlebars +1 -2
package/views/profilemenu.handlebars +1 -15
package/docs/diagrams/c.md +0 -122
package/docs/images/auth-process.svg +0 -102

package/lib/config/index.js CHANGED Viewed

@@ -5,140 +5,181 @@ import { createLogger } from "../utils/logger.js";
 dotenv.config();
 const logConfig = createLogger("config");
-// Comprehensive validation function
-function validateConfiguration() {
-    const errors = [];
+const CONFIG_KEYS = [
+    "APP_NAME", "DEVICE_TRUST_DURATION_DAYS", "Main_SECRET_TOKEN", "SESSION_SECRET_KEY",
+    "IS_DEPLOYED", "LOGIN_DB", "MBKAUTH_TWO_FA_ENABLE", "COOKIE_EXPIRE_TIME", "DOMAIN", "loginRedirectURL",
+    "GITHUB_LOGIN_ENABLED", "GITHUB_APP_SLUG", "GITHUB_APP_CLIENT_ID", "GITHUB_APP_CLIENT_SECRET", "GITHUB_CLIENT_ID", "GITHUB_CLIENT_SECRET", "GOOGLE_LOGIN_ENABLED", "GOOGLE_CLIENT_ID",
+    "GOOGLE_CLIENT_SECRET", "MAX_SESSIONS_PER_USER"
+];
+const DEFAULT_CONFIG = {
+    DEVICE_TRUST_DURATION_DAYS: 7,
+    IS_DEPLOYED: 'false',
+    MBKAUTH_TWO_FA_ENABLE: 'false',
+    COOKIE_EXPIRE_TIME: 2,
+    loginRedirectURL: '/dashboard',
+    GITHUB_LOGIN_ENABLED: 'false',
+    GOOGLE_LOGIN_ENABLED: 'false',
+    MAX_SESSIONS_PER_USER: 5
+};
+const BOOLEAN_KEYS = ['GITHUB_LOGIN_ENABLED', 'GOOGLE_LOGIN_ENABLED', 'MBKAUTH_TWO_FA_ENABLE', 'IS_DEPLOYED'];
+const STRING_KEYS = [
+    "APP_NAME", "Main_SECRET_TOKEN", "SESSION_SECRET_KEY", "LOGIN_DB", "DOMAIN", "loginRedirectURL",
+    "GITHUB_APP_SLUG", "GITHUB_APP_CLIENT_ID", "GITHUB_APP_CLIENT_SECRET", "GITHUB_CLIENT_ID", "GITHUB_CLIENT_SECRET",
+    "GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"
+];
+const REQUIRED_KEYS = ["APP_NAME", "Main_SECRET_TOKEN", "SESSION_SECRET_KEY", "IS_DEPLOYED", "LOGIN_DB",
+    "MBKAUTH_TWO_FA_ENABLE", "DOMAIN"];
+const isPlainObject = (value) => !!value && typeof value === 'object' && !Array.isArray(value);
+const isBlank = (value) => value === undefined || value === null || (typeof value === 'string' && value.trim() === '');
+const hasValue = (value) => !isBlank(value);
+function parseJsonEnv(name, { required = false } = {}) {
+    const raw = process.env[name];
+    if (isBlank(raw)) {
+        if (required) {
+            throw new Error(`[mbkauthe] Configuration Error:\n  - process.env.${name} is not defined`);
+        }
+        return null;
+    }
-    // Parse and validate mbkautheVar
-    let mbkautheVar;
     try {
-        if (!process.env.mbkautheVar) {
-            errors.push("process.env.mbkautheVar is not defined");
-            throw new Error("Configuration validation failed");
+        const parsed = JSON.parse(raw);
+        if (!isPlainObject(parsed)) {
+            throw new Error(`${name} must be a valid object`);
         }
-        mbkautheVar = JSON.parse(process.env.mbkautheVar);
+        return parsed;
     } catch (error) {
-        if (error.message === "Configuration validation failed") {
-            throw new Error(`[mbkauthe] Configuration Error:\n  - ${errors.join('\n  - ')}`);
+        const message = error.message === `${name} must be a valid object`
+            ? error.message
+            : `Invalid JSON in process.env.${name}`;
+        if (required) {
+            throw new Error(`[mbkauthe] Configuration Error:\n  - ${message}`);
         }
-        errors.push("Invalid JSON in process.env.mbkautheVar");
-        throw new Error(`[mbkauthe] Configuration Error:\n  - ${errors.join('\n  - ')}`);
+        console.warn(`[mbkauthe] ${message}, ignoring it`);
+        return null;
     }
+}
-    if (!mbkautheVar || typeof mbkautheVar !== 'object') {
-        errors.push("mbkautheVar must be a valid object");
-        throw new Error(`[mbkauthe] Configuration Error:\n  - ${errors.join('\n  - ')}`);
-    }
+function applySharedFallbacks(config, sharedConfig, usedFromShared) {
+    if (!sharedConfig) return;
-    // Parse and validate mbkauthShared (optional fallback for shared settings)
-    let mbkauthShared = null;
-    try {
-        if (process.env.mbkauthShared) {
-            mbkauthShared = JSON.parse(process.env.mbkauthShared);
-            if (mbkauthShared && typeof mbkauthShared !== 'object') {
-                console.warn(`[mbkauthe] mbkauthShared is not a valid object, ignoring it`);
-                mbkauthShared = null;
-            }
-        }
-    } catch (error) {
-        console.warn(`[mbkauthe] Invalid JSON in process.env.mbkauthShared, ignoring it`);
-        mbkauthShared = null;
-    }
-    // Merge fallback settings: for any key missing or empty in mbkautheVar, check mbkauthShared
-    const usedFromShared = [];
-    const usedDefaults = [];
-    const applyFallback = (source, sourceName) => {
-        if (!source) return;
-        Object.keys(source).forEach(key => {
-            const val = source[key];
-            if ((mbkautheVar[key] === undefined || (typeof mbkautheVar[key] === 'string' && mbkautheVar[key].trim() === '')) &&
-                val !== undefined && !(typeof val === 'string' && val.trim() === '')) {
-                mbkautheVar[key] = val;
-                if (sourceName === 'mbkauthShared') usedFromShared.push(key);
-            }
-        });
-    };
-    applyFallback(mbkauthShared, 'mbkauthShared');
-    // Ensure specific keys are checked in mbkautheVar first, then mbkauthShared, then apply config defaults
-    const keysToCheck = [
-        "APP_NAME", "DEVICE_TRUST_DURATION_DAYS", "Main_SECRET_TOKEN", "SESSION_SECRET_KEY",
-        "IS_DEPLOYED", "LOGIN_DB", "MBKAUTH_TWO_FA_ENABLE", "COOKIE_EXPIRE_TIME", "DOMAIN", "loginRedirectURL",
-        "GITHUB_LOGIN_ENABLED", "GITHUB_APP_SLUG", "GITHUB_APP_CLIENT_ID", "GITHUB_APP_CLIENT_SECRET", "GITHUB_CLIENT_ID", "GITHUB_CLIENT_SECRET", "GOOGLE_LOGIN_ENABLED", "GOOGLE_CLIENT_ID",
-        "GOOGLE_CLIENT_SECRET", "MAX_SESSIONS_PER_USER"
-    ];
-    const defaults = {
-        DEVICE_TRUST_DURATION_DAYS: 7,
-        IS_DEPLOYED: 'false',
-        MBKAUTH_TWO_FA_ENABLE: 'false',
-        COOKIE_EXPIRE_TIME: 2,
-        loginRedirectURL: '/dashboard',
-        GITHUB_LOGIN_ENABLED: 'false',
-        GOOGLE_LOGIN_ENABLED: 'false',
-        MAX_SESSIONS_PER_USER: 5
-    };
-    keysToCheck.forEach(key => {
-        const current = mbkautheVar[key];
-        const isEmpty = current === undefined || (typeof current === 'string' && current.trim() === '');
-        if (isEmpty) {
-            if (mbkauthShared && mbkauthShared[key] !== undefined && !(typeof mbkauthShared[key] === 'string' && mbkauthShared[key].trim() === '')) {
-                mbkautheVar[key] = mbkauthShared[key];
-                if (!usedFromShared.includes(key)) usedFromShared.push(key);
-            } else if (defaults[key] !== undefined) {
-                mbkautheVar[key] = defaults[key];
-                usedDefaults.push(key);
-            }
+    Object.entries(sharedConfig).forEach(([key, value]) => {
+        if (isBlank(config[key]) && hasValue(value)) {
+            config[key] = value;
+            usedFromShared.add(key);
         }
     });
+}
-    // Normalize boolean-like values to consistent lowercase 'true'/'false' strings
-    ['GITHUB_LOGIN_ENABLED', 'GOOGLE_LOGIN_ENABLED', 'MBKAUTH_TWO_FA_ENABLE', 'IS_DEPLOYED'].forEach(k => {
-        const val = mbkautheVar[k];
-        if (typeof val === 'boolean') {
-            mbkautheVar[k] = val ? 'true' : 'false';
-        } else if (typeof val === 'string') {
-            const norm = val.trim().toLowerCase();
-            // Accept 'f' as shorthand for false but normalize it to 'false'
-            mbkautheVar[k] = (norm === 'f') ? 'false' : norm;
+function applyDefaults(config, usedDefaults) {
+    CONFIG_KEYS.forEach((key) => {
+        if (isBlank(config[key]) && DEFAULT_CONFIG[key] !== undefined) {
+            config[key] = DEFAULT_CONFIG[key];
+            usedDefaults.add(key);
         }
     });
+}
-    // Validate required keys
-    // COOKIE_EXPIRE_TIME is not required but if provided must be valid, COOKIE_EXPIRE_TIME by default is 2 days
-    // loginRedirectURL is not required but if provided must be valid, loginRedirectURL by default is /dashboard
-    const requiredKeys = ["APP_NAME", "Main_SECRET_TOKEN", "SESSION_SECRET_KEY", "IS_DEPLOYED", "LOGIN_DB",
-        "MBKAUTH_TWO_FA_ENABLE", "DOMAIN"];
+function normalizeBooleanFlag(config, key, errors) {
+    const value = config[key];
+    if (typeof value === 'boolean') {
+        config[key] = value ? 'true' : 'false';
+        return;
+    }
-    requiredKeys.forEach(key => {
-        if (!mbkautheVar[key] || (typeof mbkautheVar[key] === 'string' && mbkautheVar[key].trim() === '')) {
-            errors.push(`mbkautheVar.${key} is required and cannot be empty`);
-        }
-    });
+    const normalized = String(value ?? '').trim().toLowerCase();
+    if (normalized === 'f') {
+        config[key] = 'false';
+        return;
+    }
+    if (normalized === 'true' || normalized === 'false') {
+        config[key] = normalized;
+        return;
+    }
+    if (!isBlank(value)) {
+        errors.push(`mbkautheVar.${key} must be either 'true' or 'false' or 'f'`);
+    }
+}
+function normalizePositiveNumber(config, key, errors) {
+    const numericValue = Number(config[key]);
+    if (!Number.isFinite(numericValue) || numericValue <= 0) {
+        errors.push(`mbkautheVar.${key} must be a valid positive number`);
+        return;
+    }
+    config[key] = numericValue;
+}
-    // Validate IS_DEPLOYED value
-    if (mbkautheVar.IS_DEPLOYED && !['true', 'false', 'f'].includes((mbkautheVar.IS_DEPLOYED + '').toLowerCase())) {
-        errors.push("mbkautheVar.IS_DEPLOYED must be either 'true' or 'false' or 'f'");
+function normalizePositiveInteger(config, key, errors) {
+    const numericValue = Number(config[key]);
+    if (!Number.isInteger(numericValue) || numericValue <= 0) {
+        errors.push(`mbkautheVar.${key} must be a valid positive integer`);
+        return;
     }
+    config[key] = numericValue;
+}
-    // Validate MBKAUTH_TWO_FA_ENABLE value
-    if (mbkautheVar.MBKAUTH_TWO_FA_ENABLE && !['true', 'false', 'f'].includes(mbkautheVar.MBKAUTH_TWO_FA_ENABLE.toLowerCase())) {
-        errors.push("mbkautheVar.MBKAUTH_TWO_FA_ENABLE must be either 'true' or 'false' or 'f'");
+function normalizeString(config, key) {
+    if (hasValue(config[key])) {
+        config[key] = String(config[key]).trim();
     }
+}
-    // Validate GITHUB_LOGIN_ENABLED value
-    if (mbkautheVar.GITHUB_LOGIN_ENABLED && !['true', 'false', 'f'].includes(mbkautheVar.GITHUB_LOGIN_ENABLED.toLowerCase())) {
-        errors.push("mbkautheVar.GITHUB_LOGIN_ENABLED must be either 'true' or 'false' or 'f'");
+function normalizeAndValidateConfig(config, errors) {
+    STRING_KEYS.forEach((key) => normalizeString(config, key));
+    if (hasValue(config.APP_NAME)) {
+        config.APP_NAME = config.APP_NAME.toLowerCase();
     }
-    // Validate GOOGLE_LOGIN_ENABLED value
-    if (mbkautheVar.GOOGLE_LOGIN_ENABLED && !['true', 'false', 'f'].includes(mbkautheVar.GOOGLE_LOGIN_ENABLED.toLowerCase())) {
-        errors.push("mbkautheVar.GOOGLE_LOGIN_ENABLED must be either 'true' or 'false' or 'f'");
+    if (hasValue(config.DOMAIN)) {
+        const domain = config.DOMAIN.toLowerCase().replace(/^\.+/, '');
+        config.DOMAIN = domain;
+        if (domain.includes('://') || domain.includes('/') || domain.includes(':')) {
+            errors.push("mbkautheVar.DOMAIN must be a hostname only, without protocol, path, or port");
+        }
     }
+    if (hasValue(config.loginRedirectURL)) {
+        const redirectUrl = String(config.loginRedirectURL).trim();
+        config.loginRedirectURL = redirectUrl;
+        if (!redirectUrl.startsWith('/') || redirectUrl.startsWith('//')) {
+            errors.push("mbkautheVar.loginRedirectURL must be a relative path starting with '/'");
+        }
+    }
+    BOOLEAN_KEYS.forEach((key) => normalizeBooleanFlag(config, key, errors));
+    normalizePositiveNumber(config, "COOKIE_EXPIRE_TIME", errors);
+    normalizePositiveNumber(config, "DEVICE_TRUST_DURATION_DAYS", errors);
+    normalizePositiveInteger(config, "MAX_SESSIONS_PER_USER", errors);
+}
+// Comprehensive validation function
+function validateConfiguration() {
+    const errors = [];
+    const usedFromShared = new Set();
+    const usedDefaults = new Set();
+    const mbkautheVar = parseJsonEnv("mbkautheVar", { required: true });
+    const mbkauthShared = parseJsonEnv("mbkauthShared");
+    applySharedFallbacks(mbkautheVar, mbkauthShared, usedFromShared);
+    applyDefaults(mbkautheVar, usedDefaults);
+    normalizeAndValidateConfig(mbkautheVar, errors);
+    // Validate required keys
+    // COOKIE_EXPIRE_TIME is not required but if provided must be valid, COOKIE_EXPIRE_TIME by default is 2 days
+    // loginRedirectURL is not required but if provided must be valid, loginRedirectURL by default is /dashboard
+    REQUIRED_KEYS.forEach(key => {
+        if (isBlank(mbkautheVar[key])) {
+            errors.push(`mbkautheVar.${key} is required and cannot be empty`);
+        }
+    });
     // Validate GitHub login configuration
     if (mbkautheVar.GITHUB_LOGIN_ENABLED === "true") {
         const hasGithubClientId = !!(mbkautheVar.GITHUB_APP_CLIENT_ID || mbkautheVar.GITHUB_CLIENT_ID);
@@ -154,50 +195,14 @@ function validateConfiguration() {
     // Validate Google login configuration
     if (mbkautheVar.GOOGLE_LOGIN_ENABLED === "true") {
-        if (!mbkautheVar.GOOGLE_CLIENT_ID || mbkautheVar.GOOGLE_CLIENT_ID.trim() === '') {
+        if (isBlank(mbkautheVar.GOOGLE_CLIENT_ID)) {
             errors.push("mbkautheVar.GOOGLE_CLIENT_ID is required when GOOGLE_LOGIN_ENABLED is 'true'");
         }
-        if (!mbkautheVar.GOOGLE_CLIENT_SECRET || mbkautheVar.GOOGLE_CLIENT_SECRET.trim() === '') {
+        if (isBlank(mbkautheVar.GOOGLE_CLIENT_SECRET)) {
             errors.push("mbkautheVar.GOOGLE_CLIENT_SECRET is required when GOOGLE_LOGIN_ENABLED is 'true'");
         }
     }
-    // Validate COOKIE_EXPIRE_TIME if provided
-    if (mbkautheVar.COOKIE_EXPIRE_TIME !== undefined) {
-        const expireTime = parseFloat(mbkautheVar.COOKIE_EXPIRE_TIME);
-        if (isNaN(expireTime) || expireTime <= 0) {
-            errors.push("mbkautheVar.COOKIE_EXPIRE_TIME must be a valid positive number");
-        }
-    } else {
-        // Set default value
-        mbkautheVar.COOKIE_EXPIRE_TIME = 2;
-    }
-    // Validate DEVICE_TRUST_DURATION_DAYS if provided
-    if (mbkautheVar.DEVICE_TRUST_DURATION_DAYS !== undefined) {
-        const trustDuration = parseFloat(mbkautheVar.DEVICE_TRUST_DURATION_DAYS);
-        if (isNaN(trustDuration) || trustDuration <= 0) {
-            errors.push("mbkautheVar.DEVICE_TRUST_DURATION_DAYS must be a valid positive number");
-        }
-    } else {
-        // Set default value
-        mbkautheVar.DEVICE_TRUST_DURATION_DAYS = 7;
-    }
-    // Validate MAX_SESSIONS_PER_USER if provided (must be positive integer)
-    if (mbkautheVar.MAX_SESSIONS_PER_USER !== undefined) {
-        const maxSessions = parseInt(mbkautheVar.MAX_SESSIONS_PER_USER, 10);
-        if (isNaN(maxSessions) || maxSessions <= 0) {
-            errors.push("mbkautheVar.MAX_SESSIONS_PER_USER must be a valid positive integer");
-        } else {
-            // Normalize to integer
-            mbkautheVar.MAX_SESSIONS_PER_USER = maxSessions;
-        }
-    } else {
-        // Ensure default value is set
-        mbkautheVar.MAX_SESSIONS_PER_USER = 5;
-    }
     // Validate LOGIN_DB connection string format
     if (mbkautheVar.LOGIN_DB && !mbkautheVar.LOGIN_DB.startsWith('postgresql://') && !mbkautheVar.LOGIN_DB.startsWith('postgres://')) {
         errors.push("mbkautheVar.LOGIN_DB must be a valid PostgreSQL connection string");
@@ -211,14 +216,14 @@ function validateConfiguration() {
     // Print consolidated configuration summary
     const configParts = [];
     if (mbkauthShared) {
-        configParts.push(`mbkauthShared: ${usedFromShared.length} keys`);
+        configParts.push(`mbkauthShared: ${usedFromShared.size} keys`);
     }
-    if (usedDefaults.length > 0) {
-        configParts.push(`defaults: ${usedDefaults.length} keys`);
+    if (usedDefaults.size > 0) {
+        configParts.push(`defaults: ${usedDefaults.size} keys`);
     }
     const configSummary = configParts.length > 0 ? ` (${configParts.join(', ')})` : '';
     logConfig(`Configuration loaded${configSummary}`);
-    return mbkautheVar;
+    return Object.freeze(mbkautheVar);
 }
 // Parse and validate mbkautheVar once

package/lib/middleware/auth.js CHANGED Viewed

@@ -13,10 +13,37 @@ const IS_DEV = process.env.env === 'dev' || process.env.test === 'dev' || proces
 const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 const isUuid = (val) => typeof val === 'string' && UUID_RE.test(val);
 const MAX_API_TOKEN_LENGTH = 4096;
+const API_TOKEN_LAST_USED_INTERVAL_MS = 15 * 60 * 1000;
 const API_TOKEN_SESSION_RESTORE = Symbol('mbkauthe.apiTokenSessionRestore');
+const apiTokenLastUsedCache = new Map();
 const authRepo = new AuthRepository({ db: dblogin });
 const logAuth = createLogger("auth");
+function pruneApiTokenLastUsedCache(now) {
+  if (apiTokenLastUsedCache.size < 10000) return;
+  const staleBefore = now - (API_TOKEN_LAST_USED_INTERVAL_MS * 2);
+  for (const [tokenId, lastTouchedAt] of apiTokenLastUsedCache) {
+    if (lastTouchedAt < staleBefore) {
+      apiTokenLastUsedCache.delete(tokenId);
+    }
+  }
+}
+function updateApiTokenLastUsedThrottled(tokenId) {
+  if (!tokenId) return;
+  const now = Date.now();
+  const lastTouchedAt = apiTokenLastUsedCache.get(tokenId) || 0;
+  if (now - lastTouchedAt < API_TOKEN_LAST_USED_INTERVAL_MS) return;
+  pruneApiTokenLastUsedCache(now);
+  apiTokenLastUsedCache.set(tokenId, now);
+  authRepo.updateApiTokenLastUsed(tokenId).catch(e => {
+    apiTokenLastUsedCache.delete(tokenId);
+    console.error(`[mbkauthe] Failed to update token usage:`, e);
+  });
+}
 /**
  * Decide if the incoming request should return JSON errors instead of HTML.
  * Non-browser clients (API calls / AJAX) should get JSON.
@@ -80,8 +107,7 @@ async function validateTokenAuthentication(req) {
       allowedApps = tokenAllowedApps;
     }
-    // Update usage opportunistically, but not on every request.
-    authRepo.updateApiTokenLastUsed(row.id).catch(e => console.error(`[mbkauthe] Failed to update token usage:`, e));
+    updateApiTokenLastUsedThrottled(row.id);
     return {
       id: row.uid,
@@ -159,7 +185,7 @@ function hasAppAccess(role, allowedApps) {
   if (role === "SuperAdmin") return true;
   return Array.isArray(allowedApps)
     && allowedApps.length > 0
-    && allowedApps.some((app) => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase());
+    && allowedApps.some((app) => app && app.toLowerCase() === mbkautheVar.APP_NAME);
 }
 function destroySessionCookies(req, res) {
@@ -308,11 +334,11 @@ async function validateSession(req, res, next, strictTokenValidation = false) {
           }
           const hasWildcard = allowedApps.includes('*');
-          const hasSpecificApp = allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase());
+          const hasSpecificApp = allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME);
           if (hasWildcard) {
             const userHasApp = Array.isArray(userAllowedApps)
-              && userAllowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase());
+              && userAllowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME);
             if (!userHasApp) {
               return res.status(401).json(createErrorResponse(401, ErrorCodes.APP_NOT_AUTHORIZED));
             }
@@ -410,7 +436,7 @@ async function reloadSessionUser(req, res) {
     if (row.Role !== 'SuperAdmin') {
       const allowedApps = row.AllowedApps;
       const hasAllowedApps = Array.isArray(allowedApps) && allowedApps.length > 0;
-      if (!hasAllowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
+      if (!hasAllowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME)) {
         req.session.destroy(() => { });
         clearSessionCookies(res);
         return false;

package/lib/middleware/index.js CHANGED Viewed

@@ -122,11 +122,7 @@ export function sessionCookieSyncMiddleware(req, res, next) {
   }
   if (req.session && req.session.user) {
-    // Decrypt existing cookie to compare with session
-    const currentDecryptedId = decryptSessionId(req.cookies.sessionId);
-    // Only set cookies if they're missing or different
-    if (currentDecryptedId !== req.session.user.sessionId) {
+    if (!req.cookies.sessionId) {
       res.cookie("fullName", req.session.user.fullname || req.session.user.username, { ...cachedCookieOptions, httpOnly: false });
       const encryptedSessionId = encryptSessionId(req.session.user.sessionId);
       if (encryptedSessionId) {

package/lib/routes/auth.js CHANGED Viewed

@@ -78,7 +78,7 @@ async function fetchActiveSession(sessionId) {
   if (row.Role !== 'SuperAdmin') {
     const allowedApps = row.AllowedApps;
     const hasAllowedApps = Array.isArray(allowedApps) && allowedApps.length > 0;
-    if (!hasAllowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
+    if (!hasAllowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME)) {
       return null;
     }
   }
@@ -121,7 +121,7 @@ export async function checkTrustedDevice(req, username) {
       if (deviceUser.Role !== "SuperAdmin") {
         const allowedApps = deviceUser.AllowedApps;
-        if (!allowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
+        if (!allowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME)) {
           console.warn(`[mbkauthe] Trusted device check: User "${username}" is not authorized to use the application "${mbkautheVar.APP_NAME}"`);
           return null;
         }
@@ -398,7 +398,7 @@ router.post("/api/login", LoginLimit, async (req, res) => {
     if (user.Role !== "SuperAdmin") {
       const allowedApps = user.AllowedApps;
-      if (!allowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
+      if (!allowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME)) {
         logError('Login attempt', ErrorCodes.APP_NOT_AUTHORIZED, {
           username: user.UserName,
           app: mbkautheVar.APP_NAME
@@ -476,7 +476,7 @@ router.get("/2fa", csrfProtection, (req, res) => {
     layout: false,
     customURL: redirectToUse,
     csrfToken: req.csrfToken(),
-    appName: mbkautheVar.APP_NAME.toLowerCase(),
+    appName: mbkautheVar.APP_NAME,
     version: packageJson.version,
     DEVICE_TRUST_DURATION_DAYS: mbkautheVar.DEVICE_TRUST_DURATION_DAYS
   });
@@ -636,7 +636,7 @@ router.get("/api/account-sessions", LoginLimit, async (req, res) => {
       const expired = row?.expires_at && new Date(row.expires_at) <= new Date();
       const authorized = row && row.Active && (
         row.Role === "SuperAdmin" ||
-        (Array.isArray(row.AllowedApps) && row.AllowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase()))
+        (Array.isArray(row.AllowedApps) && row.AllowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME))
       );
       if (!row || expired || !authorized) {
@@ -774,7 +774,7 @@ router.get("/login", LoginLimit, csrfProtection, (req, res) => {
     userLoggedIn: !!req.session?.user,
     username: req.session?.user?.username || '',
     version: packageJson.version,
-    appName: mbkautheVar.APP_NAME.toLowerCase(),
+    appName: mbkautheVar.APP_NAME,
     csrfToken: req.csrfToken(),
     // Last-login method flags for immediate server-side badge rendering
     lastLoginMethod: lastLogin,
@@ -797,7 +797,7 @@ router.get("/accounts", LoginLimit, csrfProtection, (req, res) => {
     layout: false,
     customURL: safeRedirect,
     version: packageJson.version,
-    appName: mbkautheVar.APP_NAME.toLowerCase(),
+    appName: mbkautheVar.APP_NAME,
     csrfToken: req.csrfToken(),
     userLoggedIn: !!req.session?.user,
     username: req.session?.user?.username,

package/lib/routes/misc.js CHANGED Viewed

@@ -22,6 +22,23 @@ const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const router = express.Router();
 const authRepo = new AuthRepository({ db: dblogin });
 const logMisc = createLogger("misc");
+const PROFILE_IMAGE_CACHE_SECONDS = 300;
+const PROFILE_IMAGE_CACHE_CONTROL = `private, max-age=${PROFILE_IMAGE_CACHE_SECONDS}, stale-while-revalidate=${PROFILE_IMAGE_CACHE_SECONDS}`;
+const LATEST_VERSION_CACHE_TTL_MS = 10 * 60 * 1000;
+const LATEST_VERSION_FAILURE_CACHE_TTL_MS = 60 * 1000;
+const latestVersionCache = {
+  value: null,
+  expiresAt: 0,
+  pending: null
+};
+function setProfileImageCacheHeaders(res, eTag = null) {
+  res.setHeader('Cache-Control', PROFILE_IMAGE_CACHE_CONTROL);
+  if (eTag) {
+    res.setHeader('ETag', eTag);
+  }
+}
 // Rate limiter for info/test routes
 const LoginLimit = rateLimit({
   windowMs: 1 * 60 * 1000,
@@ -76,9 +93,8 @@ router.get('/user/profilepic', async (req, res) => {
   const serveDefaultIcon = () => {
     const iconPath = path.join(__dirname, "..", "..", "public", "M.png");
     res.setHeader('Content-Type', 'image/png');
-    // Ensure we don't override the Cache-Control we set earlier, or set a default if not set
     if (!res.getHeader('Cache-Control')) {
-      res.setHeader('Cache-Control', 'private, no-cache');
+      setProfileImageCacheHeaders(res);
     }
     const stream = fs.createReadStream(iconPath);
     stream.on('error', (err) => {
@@ -118,9 +134,7 @@ router.get('/user/profilepic', async (req, res) => {
     // Generate ETag based on username and image URL
     const eTag = `"${Buffer.from(username + ':' + imageUrl).toString('base64')}"`;
-    // Set caching headers
-    res.setHeader('Cache-Control', 'private, no-cache');
-    res.setHeader('ETag', eTag);
+    setProfileImageCacheHeaders(res, eTag);
     // Check for conditional request
     if (req.headers['if-none-match'] === eTag) {
@@ -450,20 +464,44 @@ router.get("/ErrorCode", (req, res) => {
   }
 });
-// Fetch latest version from GitHub\
-export async function getLatestVersion() {
-  try {
-    const response = await fetch('https://raw.githubusercontent.com/MIbnEKhalid/mbkauthe/main/package.json');
-    if (!response.ok) {
-      console.error(`[mbkauthe] GitHub API responded with status ${response.status}`);
+// Fetch latest version from GitHub with a short in-memory cache.
+export async function getLatestVersion({ forceRefresh = false } = {}) {
+  const now = Date.now();
+  if (!forceRefresh && latestVersionCache.expiresAt > now) {
+    return latestVersionCache.value;
+  }
+  if (!forceRefresh && latestVersionCache.pending) {
+    return latestVersionCache.pending;
+  }
+  latestVersionCache.pending = (async () => {
+    try {
+      const response = await fetch('https://raw.githubusercontent.com/MIbnEKhalid/mbkauthe/main/package.json');
+      if (!response.ok) {
+        console.error(`[mbkauthe] GitHub API responded with status ${response.status}`);
+        latestVersionCache.value = null;
+        latestVersionCache.expiresAt = Date.now() + LATEST_VERSION_FAILURE_CACHE_TTL_MS;
+        return null;
+      }
+      const latestPackageJson = await response.json();
+      const latestVersion = typeof latestPackageJson.version === 'string' ? latestPackageJson.version : null;
+      latestVersionCache.value = latestVersion;
+      latestVersionCache.expiresAt = Date.now() + LATEST_VERSION_CACHE_TTL_MS;
+      return latestVersion;
+    } catch (error) {
+      console.error(`[mbkauthe] Error fetching latest version from GitHub`, error);
+      latestVersionCache.value = null;
+      latestVersionCache.expiresAt = Date.now() + LATEST_VERSION_FAILURE_CACHE_TTL_MS;
       return null;
+    } finally {
+      latestVersionCache.pending = null;
     }
-    const latestPackageJson = await response.json();
-    return typeof latestPackageJson.version === 'string' ? latestPackageJson.version : null;
-  } catch (error) {
-    console.error(`[mbkauthe] Error fetching latest version from GitHub`, error);
-    return null;
-  }
+  })();
+  return latestVersionCache.pending;
 }
 // Version check with error handling

package/lib/routes/oauth.js CHANGED Viewed

@@ -66,7 +66,7 @@ const createOAuthStrategy = async (provider, profile, done) => {
         // Check if user is authorized for this app
         if (user.Role !== "SuperAdmin") {
             const allowedApps = user.AllowedApps;
-            if (!allowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME.toLowerCase())) {
+            if (!allowedApps || !allowedApps.some(app => app && app.toLowerCase() === mbkautheVar.APP_NAME)) {
                 const error = new Error(`Not authorized to use ${mbkautheVar.APP_NAME}`);
                 error.code = 'NOT_AUTHORIZED';
                 return done(error);