first commit

QUICK_FIX.md

@@ -0,0 +1,195 @@
+# Quick Fix Guide - Sessions & 2FA Not Working
+
+## TL;DR - The routes work! The issue is cookie configuration.
+
+**Good news:** Both `/api/user/sessions` and `/api/user/2fa/setup` endpoints exist and work perfectly!
+**The problem:** Your browser cookies aren't reaching the backend.
+
+---
+
+## 🚀 Fastest Way to Diagnose
+
+### Option 1: Use the Diagnostic Page (EASIEST)
+
+1. Make sure both frontend and backend are running
+2. Navigate to: **http://localhost:5173/diagnostic**
+3. The page will automatically run all tests and tell you exactly what's wrong
+4. Follow the on-screen instructions
+
+### Option 2: Browser Console (QUICK)
+
+1. While on your frontend (logged in), press F12
+2. Go to Console tab
+3. Paste this and press Enter:
+
+```javascript
+fetch('/api/auth/debug-cookies', { credentials: 'include' })
+  .then(r => r.json())
+  .then(d => console.log('Backend sees cookies:', d.hasAccessToken, d.hasRefreshToken));
+```
+
+**If it shows `false, false`** → Backend isn't receiving cookies (see fix below)
+**If it shows `true, true`** → Backend IS receiving cookies, continue testing
+
+---
+
+## 🔧 Most Likely Fix
+
+### Problem: Cookie Domain Mismatch
+
+Your backend is probably setting cookies with the wrong domain.
+
+**Fix:**
+
+1. **Stop your backend** (Ctrl+C)
+
+2. **Edit `TurboTrades/config/index.js`** or create/edit `.env`:
+
+```env
+# Add or update these lines:
+COOKIE_DOMAIN=localhost
+COOKIE_SECURE=false
+COOKIE_SAME_SITE=lax
+CORS_ORIGIN=http://localhost:5173
+```
+
+3. **Restart backend:**
+```bash
+npm run dev
+```
+
+4. **Clear ALL cookies:**
+   - DevTools (F12) → Application → Cookies → localhost → Right-click → Clear
+
+5. **Log out and log back in** via Steam
+
+6. **Test again** - go to http://localhost:5173/diagnostic
+
+---
+
+## ✅ Verify It's Fixed
+
+After applying the fix:
+
+1. Go to http://localhost:5173/diagnostic
+2. All checks should show ✅ green checkmarks
+3. Try accessing Profile → Active Sessions
+4. Try enabling 2FA
+
+---
+
+## 🐛 Still Not Working?
+
+### Check Cookie Attributes in DevTools
+
+1. Press F12
+2. Go to **Application** tab (Chrome) or **Storage** tab (Firefox)
+3. Click **Cookies** → **http://localhost:5173**
+4. Find `accessToken` and `refreshToken`
+
+**Check these values:**
+
+| Attribute | Should Be | Problem If |
+|-----------|-----------|------------|
+| Domain | `localhost` | `127.0.0.1` or `0.0.0.0` |
+| Secure | ☐ unchecked | ☑ checked (won't work on HTTP) |
+| SameSite | `Lax` | `Strict` |
+| Path | `/` | Anything else |
+
+### If cookies don't exist at all:
+
+- You're not actually logged in
+- Click "Login with Steam" and complete OAuth
+- After redirect, check cookies again
+
+### If cookies exist but wrong attributes:
+
+- Backend config is wrong
+- Apply the fix above
+- Clear cookies
+- Log in again
+
+---
+
+## 📝 What Actually Happened
+
+When I tested your backend directly:
+
+```bash
+# Testing sessions endpoint
+curl http://localhost:3000/user/sessions
+# Response: {"error":"Unauthorized","message":"No access token provided"}
+# This is CORRECT - it means the route exists and works!
+
+# Testing 2FA endpoint  
+curl -X POST http://localhost:3000/user/2fa/setup -H "Content-Type: application/json" -d "{}"
+# Response: {"error":"Unauthorized","message":"No access token provided"}
+# This is also CORRECT!
+```
+
+Both routes exist and respond properly. They're just not receiving your cookies when called from the frontend.
+
+---
+
+## 🎯 Root Cause
+
+Your frontend makes requests like:
+```
+http://localhost:5173/api/user/sessions
+```
+
+Vite proxy forwards it to:
+```
+http://localhost:3000/user/sessions
+```
+
+The backend processes it but doesn't receive the `Cookie` header because:
+- Cookie domain doesn't match
+- Or cookie is marked Secure but you're on HTTP
+- Or SameSite is too restrictive
+
+---
+
+## 📚 More Help
+
+- **Detailed guide:** See `TROUBLESHOOTING_AUTH.md`
+- **Browser diagnostic:** See `BROWSER_DIAGNOSTIC.md`
+- **Test backend:** Run `node test-auth.js`
+
+---
+
+## Quick Test Commands
+
+```bash
+# Test if backend is running
+curl http://localhost:3000/health
+
+# Test if routes are registered
+curl http://localhost:3000/user/sessions
+# Should return 401 Unauthorized (this is good!)
+
+# Test cookie debug endpoint
+curl http://localhost:3000/auth/debug-cookies
+# Shows cookie configuration
+
+# After logging in, copy accessToken from DevTools and test:
+curl http://localhost:3000/user/sessions -H "Cookie: accessToken=YOUR_TOKEN_HERE"
+# Should return your sessions (if cookie is valid)
+```
+
+---
+
+## 🎉 Success Looks Like This
+
+When everything works:
+
+1. ✅ Browser has `accessToken` and `refreshToken` cookies
+2. ✅ Backend receives those cookies on every request
+3. ✅ `/api/auth/me` returns your user data
+4. ✅ `/api/user/sessions` returns your active sessions
+5. ✅ `/api/user/2fa/setup` generates QR code
+6. ✅ Profile page shows sessions and 2FA options
+
+---
+
+**Need more help?** Go to http://localhost:5173/diagnostic and follow the on-screen instructions!