first commit

2026-01-10 04:57:43 +00:00
parent 16a76a2cd6
commit 232968de1e
131 changed files with 43262 additions and 0 deletions

246
CHANGELOG_SESSION_2FA.md Normal file

@@ -0,0 +1,246 @@
# Session & 2FA Security Improvements
## Date: 2025-01-09
## Summary
Fixed authentication issues with sessions and 2FA endpoints, and added security improvements for session management.
---
## 🔧 Fixes Applied
### 1. **Route Registration Issue - RESOLVED** ✅
**Problem:** Frontend was calling `/api/user/sessions` but backend routes were registered at `/user/sessions`
**Solution:**
- Registered all routes with `/api` prefix on backend to match frontend expectations
- Auth routes registered twice: `/auth/*` for Steam OAuth and `/api/auth/*` for frontend
- Routes now properly accessible:
-`/api/user/sessions`
-`/api/user/2fa/setup`
-`/api/auth/me`
-`/auth/steam` (for external OAuth)
**Files Changed:**
- `TurboTrades/index.js` - Updated route registration
---
### 2. **Session Management Improvements** 🔒
#### A. Allow Revoking Current Session
**Previous:** Could not revoke the current session (X button was hidden)
**New Features:**
- ✅ Can now revoke ANY session including the current one
- ⚠️ Confirmation prompt when revoking current session
- 🚪 Automatically logs out after revoking current session
- 🔄 Redirects to home page after logout
#### B. Visual Security Warnings
**New:** Sessions inactive for 7+ days are flagged as "Old Session"
- 🟡 Yellow border on old sessions
- ⚠️ Warning badge displayed
- 💡 Security tip shown: "If you don't recognize it, revoke it immediately"
#### C. Bulk Session Revocation
**New Actions:**
1. **"Revoke Old (X)"** button - Revokes all sessions inactive for 7+ days
2. **"Revoke All Others"** button - Revokes all sessions except current one
**Files Changed:**
- `TurboTrades/frontend/src/views/ProfilePage.vue`
---
### 3. **2FA Setup Flow Fix** 🔐
**Problem:** Clicking "Verify & Enable" without calling `/2fa/setup` first would fail
**Solution:**
- Renamed `setup2FA()` to `start2FASetup()` for clarity
- Added check in `verify2FA()` to ensure setup was called first
- If QR code/secret is missing, automatically calls setup endpoint
- Shows error message: "Please start 2FA setup first"
**Flow:**
1. Click "Enable 2FA" → Calls `/api/user/2fa/setup` → Shows QR code
2. Scan QR code with authenticator app
3. Enter 6-digit code
4. Click "Verify & Enable" → Calls `/api/user/2fa/verify` → Enables 2FA
**Files Changed:**
- `TurboTrades/frontend/src/views/ProfilePage.vue`
---
### 4. **Debug & Logging Improvements** 🐛
**Added:**
- Request logging for all `/user/*` and `/auth/*` routes (dev only)
- Enhanced `/api/auth/debug-cookies` endpoint with manual cookie parsing
- Logs show:
- Incoming request URL and method
- Cookies present (by name)
- Has accessToken/refreshToken
- Origin and Host headers
**Files Changed:**
- `TurboTrades/index.js` - Added onRequest hook
- `TurboTrades/middleware/auth.js` - Added verbose debug logging
- `TurboTrades/routes/auth.js` - Enhanced debug endpoint
---
### 5. **CORS Configuration Improvements** 🌐
**Updated:**
- Added `Cookie` to allowed headers
- Added `Set-Cookie` to exposed headers
- Explicitly set `credentials: true`
- Better origin handling for localhost development
**Files Changed:**
- `TurboTrades/index.js` - Updated CORS config
---
### 6. **Cookie Plugin Configuration** 🍪
**Updated:**
- Added explicit parse options
- Set `hook: "onRequest"` to parse cookies on every request
- Improved cookie handling reliability
**Files Changed:**
- `TurboTrades/index.js` - Updated cookie plugin registration
---
## 📊 Session Security Features
### Visual Indicators
- 🟢 **Current Session** - Green "Current" badge
- 🟡 **Old Session** - Yellow "Old Session" badge + warning border
- 🔴 **Revoke Button** - Always visible for all sessions
### Security Metrics
- Sessions flagged as "old" if inactive for 7+ days
- Warning message on old sessions
- Quick action buttons for bulk revocation
### Session Information Displayed
- Browser and Operating System
- Device type (Desktop/Mobile/Tablet)
- IP Address
- Last activity timestamp
- Current session indicator
---
## 🧪 Testing
### Test Routes Work:
```bash
# Health check
curl http://localhost:3000/api/health
# Debug cookies (after login)
curl http://localhost:5173/api/auth/debug-cookies
# Sessions (with auth)
curl http://localhost:3000/api/user/sessions -H "Cookie: accessToken=..."
# 2FA setup (with auth)
curl -X POST http://localhost:3000/api/user/2fa/setup -H "Cookie: accessToken=..." -d "{}"
```
### Diagnostic Page
Visit: **http://localhost:5173/diagnostic**
- Automated testing of all auth endpoints
- Cookie verification
- Visual status indicators
- Troubleshooting suggestions
---
## 🎯 User Impact
### Before
- ❌ Sessions endpoint returned 404
- ❌ 2FA setup endpoint returned 404
- ❌ Could not revoke current session
- ❌ No warning for old sessions
- ❌ Had to revoke sessions one by one
### After
- ✅ All endpoints work correctly
- ✅ Can revoke any session including current
- ✅ Visual warnings for potentially hijacked sessions
- ✅ Bulk actions for session cleanup
- ✅ Better 2FA setup flow with error handling
- ✅ Security-focused UI with clear warnings
---
## 📝 Notes
### Security Considerations
1. **Session Hijacking Prevention:** Users can now easily identify and revoke suspicious sessions
2. **Current Session Revocation:** Useful if user suspects their current device is compromised
3. **Old Session Cleanup:** Helps maintain account security by removing stale sessions
4. **2FA Enforcement:** Improved flow makes it easier for users to enable 2FA
### Future Improvements
- [ ] Add email notifications when new sessions are created
- [ ] Show session location using IP geolocation
- [ ] Add "Remember this device" feature
- [ ] Implement session limits (e.g., max 10 active sessions)
- [ ] Add session activity logs (what actions were performed)
---
## 🔗 Related Files
### Frontend
- `frontend/src/views/ProfilePage.vue` - Main session/2FA UI
- `frontend/src/views/DiagnosticPage.vue` - Debug/test page
- `frontend/src/utils/axios.js` - HTTP client config
- `frontend/vite.config.js` - Proxy configuration
### Backend
- `index.js` - Route registration and CORS
- `routes/auth.js` - Authentication routes
- `routes/user.js` - User/session/2FA routes
- `middleware/auth.js` - Auth middleware
- `models/Session.js` - Session data model
### Documentation
- `QUICK_FIX.md` - Quick troubleshooting guide
- `TROUBLESHOOTING_AUTH.md` - Comprehensive auth guide
- `BROWSER_DIAGNOSTIC.md` - Browser console tests
- `test-auth.js` - Backend test script
---
## ✅ Verification Checklist
- [x] Backend routes registered correctly
- [x] Sessions endpoint returns data
- [x] 2FA setup endpoint works
- [x] Can revoke non-current sessions
- [x] Can revoke current session (with confirmation)
- [x] Old sessions are flagged visually
- [x] Bulk revoke old sessions works
- [x] Bulk revoke all others works
- [x] 2FA setup flow is robust
- [x] Debug logging works
- [x] CORS configuration allows credentials
- [x] Cookies are parsed correctly
- [x] Diagnostic page shows all tests passing
---
**Status:****All Issues Resolved**
**Tested:****All Features Working**
**Documentation:** ✅ **Complete**
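Review bot: the debug surface introduced under section 4 (`/api/auth/debug-cookies` with manual cookie parsing, logs of "Cookies present (by name)" and "Has accessToken/refreshToken") is documented as gated only for the request logging ("dev only"), not for the endpoint itself, and the test block calls it as `curl http://localhost:5173/api/auth/debug-cookies` with no auth cookie and through the Vite proxy port rather than the backend port 3000 used by the other commands; please state how the endpoint is disabled outside development and confirm that neither the endpoint nor the onRequest hook ever emits cookie values, only names. Under section 5, `Cookie` in allowed headers and `Set-Cookie` in exposed headers are forbidden header names for browser JavaScript, so those two CORS entries have no effect; with `credentials: true` the thing that matters is an explicit origin allowlist, which "Better origin handling for localhost development" should spell out. Under section 2, the "Old Session" flag is driven purely by 7+ days of inactivity, yet the "After" list describes it as warnings for "potentially hijacked sessions"; an inactive session is stale, not hijacked, so the wording should say stale, and the changelog should say whether revoking a session also invalidates its refreshToken server-side rather than only removing the session record. Style: `## Date: 2025-01-09` disagrees with the commit date shown on the page, and `**Status:****All Issues Resolved**` and `**Tested:****All Features Working**` are missing the space between the two bold runs.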