odac 1.0.1 → 1.2.0

package/src/Auth.js

@@ -1,3 +1,4 @@
+const nodeCrypto = require('crypto')
 class Auth {
   #request = null
   #table = null
@@ -23,60 +24,113 @@ class Auth {
     if (!this.#table) return false
     if (where) {
       if (!this.#validateInput(where)) return false
-      let sql = Odac.Mysql.table(this.#table)
-      if (!sql) {
-        console.error('Odac Auth Error: MySQL connection not configured. Please add database configuration to your config.json')
+
+      // Using new DB API
+      let query = Odac.DB[this.#table]
+
+      if (!query) {
+        console.error('Odac Auth Error: Database not configured.')
         return false
       }
-      for (let key in where) sql = sql.orWhere(key, where[key] instanceof Promise ? await where[key] : where[key])
-      if (!sql.rows()) return false
-      let get = await sql.get()
-      let equal = false
-      for (var user of get) {
-        equal = Object.keys(where).length > 0
-        for (let key of Object.keys(where)) {
-          if (where[key] instanceof Promise) where[key] = await where[key]
-          if (!user[key]) equal = false
-          if (user[key] === where[key]) equal = equal && true
-          else if (Odac.Var(user[key]).is('bcrypt')) equal = equal && Odac.Var(user[key]).hashCheck(where[key])
-          else if (Odac.Var(user[key]).is('md5')) equal = equal && Odac.Var(where[key]).md5() === user[key]
+
+      // Knex build queries differently than previous builder
+      // Need to chain where clauses
+      // Resolve input promises upfront to avoid side effects and race conditions
+      const criteria = {}
+      const keys = Object.keys(where)
+
+      if (keys.length === 0) return false
+
+      for (const key of keys) {
+        criteria[key] = where[key] instanceof Promise ? await where[key] : where[key]
+      }
+
+      // Chain where clauses
+      for (const key in criteria) {
+        query = query.orWhere(key, criteria[key])
+      }
+
+      // Execute query
+      const candidates = await query
+
+      if (!candidates || candidates.length === 0) return false
+
+      // Iterate candidates to find the exact match
+      candidateLoop: for (const user of candidates) {
+        for (const key of keys) {
+          const userValue = user[key]
+          const targetValue = criteria[key]
+
+          if (!userValue) continue candidateLoop
+
+          // Strict equality check
+          if (userValue === targetValue) continue
+
+          // Security: Check hashed fields (Bcrypt/MD5)
+          const valueHandler = Odac.Var(userValue)
+          let hashMatch = false
+
+          if (valueHandler.is('hash')) {
+            hashMatch = valueHandler.hashCheck(targetValue)
+          } else if (valueHandler.is('md5')) {
+            hashMatch = Odac.Var(targetValue).md5() === userValue
+          }
+
+          if (!hashMatch) continue candidateLoop
         }
-        if (equal) break
+
+        return user
       }
-      if (!equal) return false
-      return user
+
+      return false
     } else if (this.#user) {
       return true
     } else {
-      let check_table = await Odac.Mysql.run('SHOW TABLES LIKE ?', [this.#table])
-      if (check_table.length == 0) return false
+      // Checking for token
       let odac_x = this.#request.cookie('odac_x')
       let odac_y = this.#request.cookie('odac_y')
       let browser = this.#request.header('user-agent')
+
       if (!odac_x || !odac_y || !browser) return false
+
       const tokenTable = Odac.Config.auth.token || 'odac_auth'
       const primaryKey = Odac.Config.auth.key || 'id'
-      let sql_token = await Odac.Mysql.table(tokenTable).where(['token_x', odac_x], ['browser', browser]).get()
-      if (sql_token.length !== 1) return false
+
+      // Code First Migration: Ensure token table exists and clean up old tokens
+      try {
+        await this.#ensureTokenTableV2(tokenTable)
+      } catch (e) {
+        console.error('Odac Auth Error: Failed to ensure token table exists:', e.message)
+      }
+
+      // Query token
+      let sql_token = await Odac.DB[tokenTable].where('token_x', odac_x).where('browser', browser)
+
+      if (!sql_token || sql_token.length !== 1) return false
+
       if (!Odac.Var(sql_token[0].token_y).hashCheck(odac_y)) return false
 
       const maxAge = Odac.Config.auth?.maxAge || 30 * 24 * 60 * 60 * 1000
       const updateAge = Odac.Config.auth?.updateAge || 24 * 60 * 60 * 1000
       const now = Date.now()
+
+      // Active comes as Date object usually from drivers
       const lastActive = new Date(sql_token[0].active).getTime()
       const inactiveAge = now - lastActive
 
       if (inactiveAge > maxAge) {
-        await Odac.Mysql.table(tokenTable).where('id', sql_token[0].id).delete()
+        await Odac.DB[tokenTable].where('id', sql_token[0].id).delete()
         return false
       }
 
-      this.#user = await Odac.Mysql.table(this.#table).where(primaryKey, sql_token[0].user).first()
+      this.#user = await Odac.DB[this.#table].where(primaryKey, sql_token[0].user).first()
+      if (!this.#user) return false
 
       if (inactiveAge > updateAge) {
-        Odac.Mysql.table(tokenTable)
+        // Use update instead of set for Knex
+        Odac.DB[tokenTable]
           .where('id', sql_token[0].id)
-          .set({active: new Date()})
+          .update({active: new Date()}) // knex uses .update
           .catch(() => {})
       }
 
@@ -88,51 +142,47 @@ class Auth {
     this.#user = null
     let user = await this.check(where)
     if (!user) return false
+
     if (!Odac.Config.auth) Odac.Config.auth = {}
     let key = Odac.Config.auth.key || 'id'
     let token = Odac.Config.auth.token || 'odac_auth'
-    const mysql = require('mysql2')
-    const safeTokenTable = mysql.escapeId(token)
-    let check_table = await Odac.Mysql.run('SHOW TABLES LIKE ?', [token])
-    if (check_table === false) {
-      console.error('Odac Auth Error: MySQL connection not configured. Please add database configuration to your config.json')
-      return false
-    }
-    if (check_table.length == 0)
-      await Odac.Mysql.run(
-        `CREATE TABLE ${safeTokenTable} (id INT NOT NULL AUTO_INCREMENT, user INT NOT NULL, token_x VARCHAR(255) NOT NULL, token_y VARCHAR(255) NOT NULL, browser VARCHAR(255) NOT NULL, ip VARCHAR(255) NOT NULL, \`date\` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, \`active\` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, PRIMARY KEY (id))`
-      )
+
+    await this.#ensureTokenTableV2(token)
 
     this.#cleanupExpiredTokens(token)
 
-    let token_y = Odac.Var(Math.random().toString() + Date.now().toString() + this.#request.id + this.#request.ip).md5()
+    // Generate secure token using generic CSPRNG (Cryptographically Secure Pseudo-Random Number Generator)
+    // Why: Math.random() is predictable and MD5 is a broken hashing algorithm.
+    // We use 32 bytes (256 bits) of entropy which is industry standard.
+    let token_y = nodeCrypto.randomBytes(32).toString('hex')
+
     let cookie = {
+      id: Odac.DB.nanoid(),
       user: user[key],
-      token_x: Odac.Var(Math.random().toString() + Date.now().toString()).md5(),
+      token_x: nodeCrypto.randomBytes(32).toString('hex'),
       token_y: Odac.Var(token_y).hash(),
       browser: this.#request.header('user-agent'),
       ip: this.#request.ip
     }
+
     this.#request.cookie('odac_x', cookie.token_x, {
       httpOnly: true,
       secure: true,
-      sameSite: 'Strict'
+      sameSite: 'Lax'
     })
-    this.#request.cookie('odac_y', token_y, {httpOnly: true, secure: true, sameSite: 'Strict'})
-    let mysqlTable = Odac.Mysql.table(token)
-    if (!mysqlTable) {
-      console.error('Odac Auth Error: MySQL connection not configured. Please add database configuration to your config.json')
-      return false
-    }
-    let sql = await mysqlTable.insert(cookie)
-    return sql !== false
+    this.#request.cookie('odac_y', token_y, {httpOnly: true, secure: true, sameSite: 'Lax'})
+
+    // Knex insert returns ids on some dbs, promise resolves to result
+    const result = await Odac.DB[token].insert(cookie)
+    return !!result
   }
 
   async #cleanupExpiredTokens(tokenTable) {
     const maxAge = Odac.Config.auth?.maxAge || 30 * 24 * 60 * 60 * 1000
+    // Knex handles dates well, but better to pass JS Date object
     const cutoffDate = new Date(Date.now() - maxAge)
 
-    Odac.Mysql.table(tokenTable)
+    Odac.DB[tokenTable]
       .where('active', '<', cutoffDate)
       .delete()
       .catch(() => {})
@@ -148,58 +198,81 @@ class Auth {
     const passwordField = options.passwordField || 'password'
     const uniqueFields = options.uniqueFields || ['email']
 
-    const checkTable = await Odac.Mysql.run('SHOW TABLES LIKE ?', [this.#table])
-    if (checkTable === false) {
-      console.error('Odac Auth Error: MySQL connection not configured. Please add database configuration to your config.json')
-      return {success: false, error: 'Database connection not configured'}
-    }
-    if (checkTable.length === 0) {
-      await this.#createUserTable(this.#table, primaryKey, passwordField, uniqueFields, data)
+    try {
+      await this.#ensureUserTableV2(this.#table, primaryKey, passwordField, uniqueFields, data)
+    } catch (e) {
+      // If DB not configured or connection failed
+      console.error('Odac Auth Error:', e.message)
+      return {success: false, error: 'Database connection failed'}
     }
 
     if (!data || typeof data !== 'object') {
       return {success: false, error: 'Invalid data provided'}
     }
 
-    if (data[passwordField] && !Odac.Var(data[passwordField]).is('bcrypt')) {
+    if (data[passwordField] && !Odac.Var(data[passwordField]).is('hash')) {
       data[passwordField] = Odac.Var(data[passwordField]).hash()
     }
 
+    // Check unique fields
     for (const field of uniqueFields) {
       if (data[field]) {
-        const mysqlTable = Odac.Mysql.table(this.#table)
-        if (!mysqlTable) {
-          console.error('Odac Auth Error: MySQL connection not configured. Please add database configuration to your config.json')
-          return {success: false, error: 'Database connection not configured'}
+        try {
+          const existing = await Odac.DB[this.#table].where(field, data[field]).first()
+          if (existing) {
+            return {success: false, error: `${field} already exists`, field}
+          }
+        } catch (e) {
+          console.error('Odac Auth Error checking unique:', e.message)
+          return {success: false, error: 'A database error occurred during registration.'}
         }
-        const existing = await mysqlTable.where(field, data[field]).first()
-        if (existing) {
-          return {success: false, error: `${field} already exists`, field}
+      }
+    }
+
+    // Auto-detect ID strategy (NanoID vs Auto-Increment)
+    let shouldGenerateId = true
+
+    // 1. Check User Config Preference
+    if (Odac.Config.auth.idType === 'int' || Odac.Config.auth.idType === 'auto') shouldGenerateId = false
+    else if (Odac.Config.auth.idType === 'string' || Odac.Config.auth.idType === 'nanoid') shouldGenerateId = true
+    else {
+      // 2. Detect from Database Schema (and Cache it)
+      if (!Odac.Config.auth._viewedPkType) {
+        try {
+          // Determine column type of primary key
+          const colInfo = await Odac.DB[this.#table].columnInfo(primaryKey)
+          const type = colInfo?.type ? colInfo.type.toLowerCase() : 'string'
+
+          // Common integer types in various SQL dialects
+          if (type.includes('int') || type.includes('serial') || type.includes('number')) {
+            Odac.Config.auth._viewedPkType = 'int'
+          } else {
+            Odac.Config.auth._viewedPkType = 'string'
+          }
+        } catch {
+          // If table doesn't exist yet or error, default to string (NanoID) as per our new standard
+          Odac.Config.auth._viewedPkType = 'string'
         }
       }
+
+      if (Odac.Config.auth._viewedPkType === 'int') shouldGenerateId = false
     }
 
     try {
-      const mysqlTable = Odac.Mysql.table(this.#table)
-      if (!mysqlTable) {
-        console.error('Odac Auth Error: MySQL connection not configured. Please add database configuration to your config.json')
-        return {success: false, error: 'Database connection not configured'}
+      if (shouldGenerateId && !data[primaryKey]) {
+        data[primaryKey] = Odac.DB.nanoid()
       }
-      const insertResult = await mysqlTable.insert(data)
-      if (insertResult === false) {
-        console.error('Odac Auth Error: Failed to insert user into database - query failed')
-        console.error('Data attempted to insert:', {...data, [passwordField]: '[REDACTED]'})
-        return {success: false, error: 'Failed to create user'}
-      }
-      if (!insertResult.affected || insertResult.affected === 0) {
-        console.error('Odac Auth Error: Insert query succeeded but no rows were affected')
-        console.error('Insert result:', insertResult)
-        console.error('Data attempted to insert:', {...data, [passwordField]: '[REDACTED]'})
+
+      await Odac.DB[this.#table].insert(data)
+
+      let userId = data[primaryKey]
+
+      if (!userId) {
+        console.error('Odac Auth Error: Could not determine new user ID')
         return {success: false, error: 'Failed to create user'}
       }
 
-      const userId = insertResult.id
-      const newUser = await Odac.Mysql.table(this.#table).where(primaryKey, userId).first()
+      const newUser = await Odac.DB[this.#table].where(primaryKey, userId).first()
 
       if (!newUser) {
         return {success: false, error: 'User created but could not be retrieved'}
@@ -221,7 +294,6 @@ class Auth {
     } catch (error) {
       console.error('Odac Auth Error: Registration failed with exception')
       console.error('Error:', error.message)
-      console.error('Stack:', error.stack)
       return {success: false, error: error.message || 'Registration failed'}
     }
   }
@@ -235,10 +307,7 @@ class Auth {
     const browser = this.#request.header('user-agent')
 
     if (odacX && browser) {
-      const mysqlTable = Odac.Mysql.table(token)
-      if (mysqlTable) {
-        await mysqlTable.where(['token_x', odacX], ['browser', browser]).delete()
-      }
+      await Odac.DB[token].where('token_x', odacX).where('browser', browser).delete()
     }
 
     this.#request.cookie('odac_x', '', {maxAge: -1})
@@ -248,61 +317,285 @@ class Auth {
     return true
   }
 
-  async #createUserTable(tableName, primaryKey, passwordField, uniqueFields, sampleData) {
-    const mysql = require('mysql2')
-    const columns = []
+  // --- MAGIC LINK START ---
 
-    const safePrimaryKey = mysql.escapeId(primaryKey)
-    columns.push(`${safePrimaryKey} INT NOT NULL AUTO_INCREMENT`)
+  async magic(email, options = {}) {
+    if (!Odac.Config.auth) Odac.Config.auth = {}
+    this.#table = Odac.Config.auth.table || 'users'
+    const magicTable = Odac.Config.auth.magicTable || 'odac_magic'
 
-    for (const field of uniqueFields) {
-      if (field !== primaryKey) {
-        const safeField = mysql.escapeId(field)
-        columns.push(`${safeField} VARCHAR(255) NOT NULL UNIQUE`)
+    // Ensure magic table exists
+    try {
+      await this.#ensureMagicLinkTable(magicTable)
+    } catch (e) {
+      console.error('Failed to ensure magic link table exists:', e)
+      // Consider returning an error here to prevent further execution.
+    }
+
+    // Rate limiting: Check recent requests from this IP and email
+    // Magic link requires only email input, so rate limits should be very strict
+    const rateLimitWindow = Odac.Config.auth?.magicLinkRateLimit || 60 * 60 * 1000 // 1 hour default
+    const maxAttempts = Odac.Config.auth?.magicLinkMaxAttempts || 2 // Per email - very strict
+    const maxAttemptsPerIP = Odac.Config.auth?.magicLinkMaxAttemptsPerIP || 5 // Per IP
+    const sessionCooldown = Odac.Config.auth?.magicLinkSessionCooldown || 30 * 1000 // 30 seconds default
+
+    // 1. Session Rate Limit (Fastest, no DB access)
+    const lastRequestTime = this.#request.session('magic_last_request')
+    if (lastRequestTime && Date.now() - lastRequestTime < sessionCooldown) {
+      const remaining = Math.ceil((sessionCooldown - (Date.now() - lastRequestTime)) / 1000)
+      return {success: false, error: `Please wait ${remaining} seconds before requesting another link.`}
+    }
+    this.#request.session('magic_last_request', Date.now())
+
+    try {
+      // 2. Database Rate Limits
+      // Check email-based rate limit
+      const recentEmailRequests = await Odac.DB[magicTable]
+        .where('email', email)
+        .where('created_at', '>', new Date(Date.now() - rateLimitWindow))
+
+      if (recentEmailRequests && recentEmailRequests.length >= maxAttempts) {
+        return {success: false, error: 'Too many login attempts. Please wait a while before trying again.'}
+      }
+
+      // Check IP-based rate limit (prevents mass enumeration attacks)
+      const clientIP = this.#request.ip
+      const recentIPRequests = await Odac.DB[magicTable]
+        .where('ip', clientIP)
+        .where('created_at', '>', new Date(Date.now() - rateLimitWindow))
+
+      if (recentIPRequests && recentIPRequests.length >= maxAttemptsPerIP) {
+        return {success: false, error: 'Too many requests from this IP. Please wait a while.'}
       }
+    } catch {
+      // Ignore rate limit check errors, proceed with request
     }
 
-    if (!uniqueFields.includes(passwordField) && passwordField !== primaryKey) {
-      const safePasswordField = mysql.escapeId(passwordField)
-      columns.push(`${safePasswordField} VARCHAR(255) NOT NULL`)
+    // Cleanup: Remove expired tokens periodically
+    this.#cleanupExpiredMagicLinks(magicTable)
+
+    // 1. Check if user exists.
+    // We proceed regardless of whether the user exists or not.
+    // If they exist, it's a login. If not, it will accept the link and Auto-Register them (Passwordless Signup).
+    // let user = null
+    try {
+      // Check if user exists (logic preserved but unused 'user' variable issue fixed)
+      const existingUser = await Odac.DB[this.#table].where('email', email).first()
+      if (existingUser) {
+        /* user exists */
+      }
+    } catch (e) {
+      // Ignore table not found error, treat as user not found
+      if (e.code !== '42P01' && !e.message.includes('no such table')) {
+        throw e
+      }
     }
 
-    for (const key in sampleData) {
-      if (key === primaryKey || uniqueFields.includes(key) || key === passwordField) continue
+    // If user doesn't exist, we still proceed to send the link to allow for "Sign Up via Magic Link" (Passwordless Signup)
+    // The user will be created upon verification.
 
-      const value = sampleData[key]
-      let columnType = 'VARCHAR(255)'
+    // 2. Generate secure token
+    const tokenRaw = nodeCrypto.randomBytes(32).toString('hex')
+    const tokenHash = Odac.Var(tokenRaw).hash() // Hash it for DB storage
 
-      if (typeof value === 'number') {
-        if (Number.isInteger(value)) {
-          columnType = value > 2147483647 ? 'BIGINT' : 'INT'
-        } else {
-          columnType = 'DECIMAL(10,2)'
-        }
-      } else if (typeof value === 'boolean') {
-        columnType = 'TINYINT(1)'
-      } else if (value && value.length > 255) {
-        columnType = 'TEXT'
+    // 3. Save to DB
+    await Odac.DB[magicTable].insert({
+      email: email,
+      token_hash: tokenHash,
+      ip: this.#request.ip,
+      browser: this.#request.header('user-agent'),
+      expires_at: new Date(Date.now() + 15 * 60 * 1000) // 15 mins
+    })
+
+    // 4. Send Email
+    let link = `${(this.#request.ssl ? 'https://' : 'http://') + this.#request.host}/_odac/magic-verify?token=${tokenRaw}&email=${encodeURIComponent(email)}`
+    if (options.redirect) link += `&redirect_url=${encodeURIComponent(options.redirect)}`
+
+    try {
+      let mail = Odac.Mail(options.template || 'auth/magic-link')
+        .to(email)
+        .subject(options.subject || 'Login to our site')
+
+      if (options.from) {
+        if (typeof options.from === 'object') mail.from(options.from.email, options.from.name)
+        else mail.from(options.from)
+      }
+
+      await mail.send({
+        link: link,
+        magic_link: link,
+        network: this.#request.host,
+        ip: this.#request.ip
+      })
+    } catch (e) {
+      console.error('Magic Link Email Error:', e)
+      return {success: false, error: 'Failed to send email'}
+    }
+
+    return {success: true, message: 'Magic link sent!'}
+  }
+
+  async verifyMagicLink(tokenRaw, email) {
+    if (!tokenRaw || !email) {
+      return {success: false, error: 'Invalid link'}
+    }
+
+    const magicTable = Odac.Config.auth?.magicTable || 'odac_magic'
+    this.#table = Odac.Config.auth?.table || 'users'
+    const primaryKey = Odac.Config.auth?.key || 'id'
+
+    // 1. Find potential tokens for this email
+    const records = await Odac.DB[magicTable].where('email', email).where('expires_at', '>', new Date())
+
+    if (!records || records.length === 0) {
+      return {success: false, error: 'Link expired or invalid'}
+    }
+
+    // 2. Find the matching token (verify hash)
+    let validRecord = null
+    // Iterate through all records without an early exit to mitigate timing attacks.
+    for (const record of records) {
+      if (Odac.Var(record.token_hash).hashCheck(tokenRaw)) {
+        validRecord = record
+      }
+    }
+
+    if (!validRecord) {
+      return {success: false, error: 'Invalid token'}
+    }
+
+    // 3. Consume all tokens for this email to prevent reuse of other valid links.
+    await Odac.DB[magicTable].where('email', email).delete()
+
+    // 4. Log in user (or Register if new)
+    let user = await Odac.DB[this.#table].where('email', email).first()
+
+    if (!user) {
+      // Auto-Register the user
+
+      const passwordField = Odac.Config.auth?.passwordField || 'password'
+      // Optimization: If explicitly configured as passwordless, skip password generation overhead
+      const isPasswordless = Odac.Config.auth?.passwordless === true
+
+      const registerData = {
+        email: email
+      }
+
+      if (!isPasswordless) {
+        // Generate a random high-entropy password since they are using passwordless auth but DB might require password
+        registerData[passwordField] = nodeCrypto.randomBytes(32).toString('hex')
+      }
+
+      let regResult = await this.register(registerData)
+
+      // Fallback: If we tried to be secure (sent password) but DB failed because column doesn't exist, retry without password
+      if (
+        !isPasswordless &&
+        !regResult.success &&
+        regResult.error &&
+        (regResult.error.includes(`column "${passwordField}"`) || regResult.error.includes(`Unknown column '${passwordField}'`)) &&
+        (regResult.error.includes('does not exist') || regResult.error.includes('field list'))
+      ) {
+        regResult = await this.register({
+          email: email
+        })
       }
 
-      const safeKey = mysql.escapeId(key)
-      columns.push(`${safeKey} ${columnType} NULL`)
+      if (!regResult.success) {
+        return {success: false, error: 'Registration failed: ' + regResult.error}
+      }
+
+      user = regResult.user
     }
 
-    columns.push(`${mysql.escapeId('created_at')} TIMESTAMP DEFAULT CURRENT_TIMESTAMP`)
-    columns.push(`${mysql.escapeId('updated_at')} TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP`)
-    columns.push(`PRIMARY KEY (${safePrimaryKey})`)
+    // Login logic similar to login()
+    const loginData = {}
+    loginData[primaryKey] = user[primaryKey]
+    await this.login(loginData)
+
+    return {success: true, user: user}
+  }
+
+  async #ensureMagicLinkTable(tableName) {
+    await Odac.DB[tableName].schema(t => {
+      t.increments('id')
+      t.string('email').notNullable().index()
+      t.string('token_hash').notNullable()
+      t.string('ip')
+      t.string('browser')
+      t.timestamp('created_at').defaultTo(Odac.DB.fn.now())
+      t.timestamp('expires_at')
+    })
+  }
+
+  #cleanupExpiredMagicLinks(tableName) {
+    // Run cleanup asynchronously without awaiting (fire and forget)
+    Odac.DB[tableName]
+      .where('expires_at', '<', new Date())
+      .delete()
+      .catch(() => {}) // Silently ignore cleanup errors
+  }
+
+  // --- MAGIC LINK END ---
+
+  // --- MIGRATION HELPERS (Code-First) ---
+
+  async #ensureTokenTableV2(tableName) {
+    // Using .schema helper
+    await Odac.DB[tableName].schema(t => {
+      t.string('id', 21).primary()
+      t.string('user', 21).notNullable()
+      t.string('token_x').notNullable()
+      t.string('token_y').notNullable()
+      t.string('browser').notNullable()
+      t.string('ip').notNullable()
+      t.timestamp('date').defaultTo(Odac.DB.fn.now())
+      t.timestamp('active').defaultTo(Odac.DB.fn.now())
+    })
+  }
+
+  async #ensureUserTableV2(tableName, primaryKey, passwordField, uniqueFields, sampleData) {
+    await Odac.DB[tableName].schema(t => {
+      t.string(primaryKey, 21).primary()
 
-    const safeTableName = mysql.escapeId(tableName)
-    const sql = `CREATE TABLE ${safeTableName} (${columns.join(', ')}) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci`
+      for (const field of uniqueFields) {
+        if (field !== primaryKey) t.string(field).notNullable().unique()
+      }
 
-    await Odac.Mysql.run(sql)
+      if (!uniqueFields.includes(passwordField) && passwordField !== primaryKey) {
+        t.string(passwordField).notNullable()
+      }
+
+      // Heuristic type guessing from sampleData
+      for (const key in sampleData) {
+        if (key === primaryKey || uniqueFields.includes(key) || key === passwordField) continue
+
+        const val = sampleData[key]
+        if (typeof val === 'number') {
+          if (Number.isInteger(val)) t.integer(key)
+          else t.float(key)
+        } else if (typeof val === 'boolean') {
+          t.boolean(key)
+        } else {
+          t.string(key)
+        }
+      }
+
+      t.timestamps(true, true) // created_at, updated_at
+    })
   }
 
-  user(col) {
+  /**
+   * Retrieves the authenticated user or a specific column.
+   * Why: To provide access to the current user's session data securely.
+   *
+   * @param {string|null} [col=null] - The column to retrieve, or null for the full user object.
+   * @returns {object|string|number|boolean|false} The user object, column value, or false if not logged in.
+   */
+  user(col = null) {
     if (!this.#user) return false
     if (col === null) return this.#user
-    else return this.#user[col]
+    return this.#user[col]
   }
 }