mbkauthe 5.0.1 → 5.0.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mbkauthe",
-  "version": "5.0.1",
+  "version": "5.0.4",
   "description": "MBKTech's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",
@@ -10,8 +10,10 @@
     "create-tables": "node lib/createTable.js",
     "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js",
     "test:watch": "node --experimental-vm-modules node_modules/jest/bin/jest.js --watch",
+    "tets": "npm run test",
     "render:mermaid": "npx @mermaid-js/mermaid-cli -i docs/diagrams/auth-flows.mmd -o docs/images/auth-flows.svg",
-    "render:mermaid:png": "npx @mermaid-js/mermaid-cli -i docs/diagrams/auth-flows.mmd -o docs/images/auth-flows.png -s 20"
+    "render:mermaid:png": "npx @mermaid-js/mermaid-cli -i docs/diagrams/auth-flows.mmd -o docs/images/auth-flows.png -s 20",
+    "install-mermaid": "npm i @mermaid-js/mermaid-cli@11.15.0 --save-dev"
   },
   "imports": {
     "#pool.js": "./lib/pool.js",
@@ -29,10 +31,13 @@
     "nodejs",
     "express",
     "session",
-    "security"
+    "security",
+    "oauth",
+    "2fa",
+    "csrf"
   ],
-  "author": "Muhammad Bin Khalid <support@mbktech.org>",
-  "license": "GPL-2.0",
+  "author": "Muhammad Bin Khalid <support@mbktech.org> <chmuhammadbinkhalid28@gmail.com>",
+  "license": "LGPL-3.0-only",
   "bugs": {
     "url": "https://github.com/MIbnEKhalid/mbkauthe/issues"
   },
@@ -53,7 +58,6 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "@mermaid-js/mermaid-cli": "^11.15.0",
     "bytes": "^3.1.2",
     "connect-pg-simple": "^10.0.0",
     "content-type": "^1.0.5",
@@ -99,7 +103,6 @@
     }
   },
   "devDependencies": {
-    "@types/express": "^5.0.6",
     "cross-env": "^7.0.3",
     "jest": "^30.2.0",
     "nodemon": "^3.1.11",

package/public/main.js

@@ -1,115 +1,162 @@
-async function logout() {
-  const confirmation = confirm("Are you sure you want to logout?");
-  if (!confirmation) {
-    return;
-  }
+(() => {
+  const SESSION_KEYS = [
+    'sessionId',
+    'mbkauthe.sid',
+    'fullName',
+    '_csrf',
+    'profileImageUser',
+    'profileImageUrl'
+  ];
+  const LOG_PREFIX = '[mbkauthe]';
+  const EXPIRED_COOKIE = 'expires=Thu, 01 Jan 1970 00:00:00 GMT';
+  const dateFormatter = new Intl.DateTimeFormat('en-GB', {
+    day: '2-digit',
+    month: '2-digit',
+    year: 'numeric',
+    hour: 'numeric',
+    minute: 'numeric',
+    second: 'numeric',
+    hour12: true
+  });
+
+  const reloadPage = () => window.location.reload();
+
+  const getCookieDomains = () => {
+    const hostname = window.location.hostname;
+
+    if (!hostname) {
+      return [];
+    }
+
+    return [...new Set([hostname, hostname.includes('.') ? `.${hostname}` : null].filter(Boolean))];
+  };
+
+  const clearCookie = (name) => {
+    document.cookie = `${name}=; ${EXPIRED_COOKIE}; path=/`;
 
-  try {
-    // First, logout from server
-    const response = await fetch("/mbkauthe/api/logout", {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "Cache-Control": "no-cache"
-      },
-      credentials: "include"
+    getCookieDomains().forEach((domain) => {
+      document.cookie = `${name}=; ${EXPIRED_COOKIE}; path=/; domain=${domain}`;
     });
+  };
 
-    const result = await response.json();
+  const parseJson = async (response) => {
+    try {
+      return await response.json();
+    } catch {
+      return {};
+    }
+  };
 
-    if (response.ok) {
-      // Then clear all caches after successful logout (except rememberedUsername)
-      await selectiveCacheClear();
-      // selectiveCacheClear already redirects, so no need for additional redirect
-    } else {
-      alert(result.message);
+  async function logout({ confirmLogout = true } = {}) {
+    if (confirmLogout && !confirm('Are you sure you want to logout?')) {
+      return false;
     }
-  } catch (error) {
-    console.error(`[mbkauthe] Error during logout:`, error);
-    alert(`Logout failed: ${error.message}`);
-  }
-}
-
-async function selectiveCacheClear() {
-  try {
-
-    const cookiesToClear = [
-      'sessionId',
-      'mbkauthe.sid',
-      'fullName',
-      '_csrf',
-      'profileImageUser',
-      'profileImageUrl'
-    ];
-
-    const localStorageToClear = [
-      'sessionId',
-      'mbkauthe.sid',
-      'fullName',
-      '_csrf',
-      'profileImageUser',
-      'profileImageUrl'
-    ];
-
-    // 1. Clear selected localStorage keys
-    localStorageToClear.forEach(key => {
-      localStorage.removeItem(key);
-    });
 
-    // 2. Clear selected cookies
-    cookiesToClear.forEach(name => {
-      document.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
-      document.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=${window.location.hostname}`;
-      document.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=.${window.location.hostname}`;
-    });
+    try {
+      const response = await fetch('/mbkauthe/api/logout', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Cache-Control': 'no-cache'
+        },
+        credentials: 'include',
+        cache: 'no-store'
+      });
+      const result = await parseJson(response);
+
+      if (response.ok) {
+        selectiveCacheClear();
+        return true;
+      }
 
-    // 3. Optional reload
-    window.location.reload();
+      alert(result.message || 'Logout failed. Please try again.');
+    } catch (error) {
+      console.error(`${LOG_PREFIX} Error during logout:`, error);
+      alert(`Logout failed: ${error.message}`);
+    }
 
-  } catch (error) {
-    console.error(`[mbkauthe] selective cache clear failed:`, error);
-    window.location.reload();
+    return false;
   }
-}
-
-async function logoutuser() {
-  await logout();
-}
-
-const validateSessionInterval = 60000;
-// 1 minutes in milliseconds Function to check session validity by sending a request to the server
-function checkSession() {
-  fetch("/api/validate-session")
-    .then((response) => {
-      if (!response.ok) {
-        // Redirect or handle errors (session expired, user inactive, etc.)
-        window.location.reload(); // Reload the page to update the session status
-      }
+
+  function selectiveCacheClear() {
+    try {
+      SESSION_KEYS.forEach((key) => localStorage.removeItem(key));
+      SESSION_KEYS.forEach(clearCookie);
+    } catch (error) {
+      console.error(`${LOG_PREFIX} selective cache clear failed:`, error);
+    } finally {
+      reloadPage();
+    }
+  }
+
+  async function logoutuser() {
+    return logout();
+  }
+
+  function checkSession() {
+    return fetch('/mbkauthe/api/checkSession', {
+      credentials: 'include',
+      cache: 'no-store'
     })
-    .catch((error) => console.error(`[mbkauthe] Error checking session:`, error));
-}
-// Call validateSession every 2 minutes (120000 milliseconds)
-// setInterval(checkSession, validateSessionInterval);
-
-function getCookieValue(cookieName) {
-  const cookies = document.cookie.split('; ');
-  for (let cookie of cookies) {
-    const [name, value] = cookie.split('=');
-    if (name === cookieName) {
+      .then(async (response) => {
+        if (!response.ok) {
+          reloadPage();
+          return;
+        }
+
+        const session = await parseJson(response);
+        if (session.sessionValid === false) {
+          reloadPage();
+        }
+      })
+      .catch((error) => console.error(`${LOG_PREFIX} Error checking session:`, error));
+  }
+
+  function getCookieValue(cookieName) {
+    if (!cookieName) {
+      return null;
+    }
+
+    const prefix = `${cookieName}=`;
+    const cookie = document.cookie
+      .split('; ')
+      .find((entry) => entry.startsWith(prefix));
+
+    if (!cookie) {
+      return null;
+    }
+
+    const value = cookie.slice(prefix.length);
+
+    try {
       return decodeURIComponent(value);
+    } catch {
+      return value;
     }
   }
-  return null; // Return null if the cookie is not found
-}
 
-function loadpage(url) {
-  window.location.href = url;
-}
+  function loadpage(url) {
+    if (url) {
+      window.location.href = url;
+    }
+  }
 
-function formatDate(date) {
-  return new Date(date).toLocaleString('en-GB', { day: '2-digit', month: '2-digit', year: 'numeric', hour: 'numeric', minute: 'numeric', second: 'numeric', hour12: true });
-}
+  function formatDate(date) {
+    const parsedDate = new Date(date);
+    return Number.isNaN(parsedDate.getTime()) ? 'Invalid Date' : dateFormatter.format(parsedDate);
+  }
 
-function reloadPage() {
-  window.location.reload();
-}
+  const api = {
+    checkSession,
+    formatDate,
+    getCookieValue,
+    loadpage,
+    logout,
+    logoutuser,
+    reloadPage,
+    selectiveCacheClear
+  };
+
+  window.mbkauthe = Object.assign(window.mbkauthe || {}, api);
+  Object.assign(window, api);
+})();

package/views/head.handlebars

@@ -29,4 +29,5 @@
     <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
     {{> sharedStyles}}
     {{#if extraStyles}}{{{extraStyles}}}{{/if}}
+    <script src="/mbkauthe/main.js{{cacheBuster}}" defer></script>
 </head>

package/views/pages/test.handlebars

@@ -205,7 +205,7 @@
                 </div>
 
                 <div class="session-actions">
-                    <button class="btn btn-danger" onclick="logout()" aria-label="Log out">
+                    <button class="btn btn-danger" onclick="mbkauthe.logout()" aria-label="Log out">
                         <i class="fas fa-sign-out-alt"></i> Logout
                     </button>
                     <a class="btn btn-outline" href="https://portal.mbktech.org/">
@@ -233,7 +233,6 @@
         </div>
     </section>
 
-    <script src="/mbkauthe/main.js{{cacheBuster}}"></script>
     {{#if sessionExpiry}}
     <script>
         (function () {

package/views/profilemenu.handlebars

@@ -261,21 +261,7 @@
                 logoutButton.textContent = 'Logging out...';
 
                 try {
-                    const response = await fetch('/mbkauthe/api/logout', {
-                        method: 'POST',
-                        headers: {
-                            'Content-Type': 'application/json'
-                        },
-                        credentials: 'include'
-                    });
-
-                    const result = await response.json().catch(() => ({}));
-
-                    if (response.ok) {
-                        window.location.reload();
-                    } else {
-                        alert(result.message || 'Logout failed. Please try again.');
-                    }
+                    await mbkauthe.logout();
                 } catch (error) {
                     console.error(`[mbkauthe] Error during logout:`, error);
                     alert('Logout failed. Please try again.');

package/docs/diagrams/c.md

@@ -1,122 +0,0 @@
-```mermaid
-sequenceDiagram
-    autonumber
-
-    participant R as Protected Route
-    participant VS as validateSession
-    participant JT as isJsonRequest
-    participant VT as validateTokenAuthentication
-    participant CS as validateCookieSession
-    participant DB as AuthRepository / DB
-    participant RES as Response
-
-    R->>VS: validateSession(req, res, next, strictTokenValidation?)
-
-    alt Authorization header exists
-        alt strictTokenValidation is true
-            VS-->>RES: 401 INVALID_AUTH_TOKEN
-            Note over VS,RES: Token auth is rejected for strict cookie-only middleware.
-        else token auth allowed
-            VS->>VT: validateTokenAuthentication(req)
-
-            alt Header is not "Bearer <token>"
-                VT-->>VS: null
-                VS-->>RES: 401 INVALID_AUTH_TOKEN
-            else Token does not start with mbk_ or is too long
-                VT-->>VS: { error: "INVALID_TOKEN" }
-                VS-->>RES: 401 INVALID_AUTH_TOKEN
-            else Token format is accepted
-                VT->>VT: hashApiToken(token)
-                VT->>DB: getApiTokenByHash(tokenHash)
-
-                alt API token row not found
-                    DB-->>VT: null
-                    VT-->>VS: { error: "INVALID_TOKEN" }
-                    VS-->>RES: 401 INVALID_AUTH_TOKEN
-                else API token expired
-                    DB-->>VT: row with ExpiresAt <= now
-                    VT-->>VS: { error: "TOKEN_EXPIRED" }
-                    VS-->>RES: 401 API_TOKEN_EXPIRED
-                else API token found
-                    DB-->>VT: token row joined to user
-                    VT->>VT: Resolve token scope and allowedApps
-                    VT->>DB: updateApiTokenLastUsed(row.id) async
-                    VT-->>VS: tokenUser
-
-                    alt tokenUser.active is false
-                        VS-->>RES: 401 ACCOUNT_INACTIVE
-                    else Non-SuperAdmin has no allowed apps
-                        VS-->>RES: 401 APP_NOT_AUTHORIZED
-                    else Token allowedApps has wildcard but user apps do not include APP_NAME
-                        VS-->>RES: 401 APP_NOT_AUTHORIZED
-                    else Token allowedApps does not include APP_NAME
-                        VS-->>RES: 401 APP_NOT_AUTHORIZED
-                    else App access allowed
-                        VS->>VS: attachApiTokenUser(req, res, tokenUser)
-                        Note over VS: Sets req.auth, req.user, req.userRole,<br/>and request-local req.session.user.
-
-                        alt tokenScope does not allow req.method
-                            VS-->>RES: 403 TOKEN_SCOPE_INSUFFICIENT
-                        else token scope allows method
-                            VS-->>R: next()
-                        end
-                    end
-                end
-            end
-        end
-    else No Authorization header
-        VS->>JT: isJsonRequest(req)
-        JT-->>VS: prefersJson
-        VS->>CS: validateCookieSession(req, res, next, prefersJson)
-
-        alt req.session.user is missing
-            alt prefersJson
-                CS-->>RES: 401 SESSION_NOT_FOUND
-            else browser/page request
-                CS-->>RES: 302 /mbkauthe/login?redirect=...&reason=logged_out
-            end
-        else req.session.user exists
-            CS->>CS: Read req.session.user.sessionId
-
-            alt sessionId missing or not UUID
-                CS->>CS: destroy session and clear cookies
-                alt prefersJson
-                    CS-->>RES: 401 SESSION_EXPIRED
-                else browser/page request
-                    CS-->>RES: Render "Session Expired" error page
-                end
-            else sessionId is UUID
-                CS->>DB: getSessionAuthData(sessionId)
-
-                alt DB session row not found
-                    CS->>CS: destroy session and clear cookies
-                    alt prefersJson
-                        CS-->>RES: 401 SESSION_INVALID
-                    else browser/page request
-                        CS-->>RES: Render "Session Expired" error page
-                    end
-                else DB session row found
-                    DB-->>CS: session row joined to user
-
-                    alt session expired
-                        CS->>CS: destroy session and clear cookies
-                        CS-->>RES: 401 SESSION_EXPIRED or rendered error page
-                    else user account inactive
-                        CS->>CS: destroy session and clear cookies
-                        CS-->>RES: 401 ACCOUNT_INACTIVE or rendered support page
-                    else user not allowed for APP_NAME
-                        CS->>CS: destroy session and clear cookies
-                        CS-->>RES: 401 APP_NOT_AUTHORIZED or rendered unauthorized page
-                    else session valid and app access allowed
-                        CS->>CS: req.userRole = sessionRow.Role
-                        CS-->>R: next()
-                    end
-                end
-            end
-        end
-    end
-
-    opt Token or session validation throws
-        VS-->>RES: 500 INTERNAL_SERVER_ERROR
-    end
-```