# Quick Fix Guide - Sessions & 2FA Not Working

## TL;DR - The routes work! The issue is cookie configuration.

**Good news:** Both `/api/user/sessions` and `/api/user/2fa/setup` endpoints exist and work perfectly!

**The problem:** Your browser cookies aren't reaching the backend.

---

## 🚀 Fastest Way to Diagnose

### Option 1: Use the Diagnostic Page (EASIEST)

1. Make sure both frontend and backend are running
2. Navigate to: **http://localhost:5173/diagnostic**
3. The page will automatically run all tests and tell you exactly what's wrong
4. Follow the on-screen instructions

### Option 2: Browser Console (QUICK)

1. While on your frontend (logged in), press F12
2. Go to the Console tab
3. Paste this and press Enter:

```javascript
fetch('/api/auth/debug-cookies', { credentials: 'include' })
  .then(r => r.json())
  .then(d => console.log('Backend sees cookies:', d.hasAccessToken, d.hasRefreshToken));
```

**If it shows `false, false`** → Backend isn't receiving cookies (see fix below)

**If it shows `true, true`** → Backend IS receiving cookies, continue testing

---

## 🔧 Most Likely Fix

### Problem: Cookie Domain Mismatch

Your backend is probably setting cookies with the wrong domain.

**Fix:**

1. **Stop your backend** (Ctrl+C)
2. **Edit `TurboTrades/config/index.js`** or create/edit `.env`:

   ```env
   # Add or update these lines:
   COOKIE_DOMAIN=localhost
   COOKIE_SECURE=false
   COOKIE_SAME_SITE=lax
   CORS_ORIGIN=http://localhost:5173
   ```

3. **Restart backend:**

   ```bash
   npm run dev
   ```

4. **Clear ALL cookies:**
   - DevTools (F12) → Application → Cookies → localhost → Right-click → Clear
5. **Log out and log back in** via Steam
6. **Test again** - go to http://localhost:5173/diagnostic

---

## ✅ Verify It's Fixed

After applying the fix:

1. Go to http://localhost:5173/diagnostic
2. All checks should show ✅ green checkmarks
3. Try accessing Profile → Active Sessions
4. Try enabling 2FA

---

## 🐛 Still Not Working?

### Check Cookie Attributes in DevTools

1. Press F12
2. Go to the **Application** tab (Chrome) or **Storage** tab (Firefox)
3. Click **Cookies** → **http://localhost:5173**
4. Find `accessToken` and `refreshToken`

**Check these values:**

| Attribute | Should Be | Problem If |
|-----------|-----------|------------|
| Domain | `localhost` | `127.0.0.1` or `0.0.0.0` |
| Secure | ☐ unchecked | ☑ checked (won't work on HTTP) |
| SameSite | `Lax` | `Strict` |
| Path | `/` | Anything else |

### If cookies don't exist at all:

- You're not actually logged in
- Click "Login with Steam" and complete OAuth
- After the redirect, check cookies again

### If cookies exist but have wrong attributes:

- Backend config is wrong
- Apply the fix above
- Clear cookies
- Log in again

---

## 📝 What Actually Happened

When I tested your backend directly:

```bash
# Testing sessions endpoint
curl http://localhost:3000/user/sessions
# Response: {"error":"Unauthorized","message":"No access token provided"}
# This is CORRECT - it means the route exists and works!

# Testing 2FA endpoint
curl -X POST http://localhost:3000/user/2fa/setup -H "Content-Type: application/json" -d "{}"
# Response: {"error":"Unauthorized","message":"No access token provided"}
# This is also CORRECT!
```

Both routes exist and respond properly. They're just not receiving your cookies when called from the frontend.
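An added example, not code from the TurboTrades project: a small JavaScript checker that applies the rules of the cookie-attribute table above (Domain, Secure, Path, SameSite) to the `Set-Cookie` headers a backend returns, for the URL the frontend requests. The sample headers are constructed; the `crossSite` option is an assumption meaning a request that arrives from another site (such as the redirect back from Steam login), which is the only case where SameSite is flagged.

```javascript
// Added example, not TurboTrades code: applies the cookie-attribute table's rules to Set-Cookie headers for the URL the frontend requests.
// Parse one Set-Cookie header; defaults match what browsers assume when an attribute is absent.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: null, path: '/', secure: false, sameSite: 'Lax' };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    switch (key.toLowerCase()) {
      case 'domain':   cookie.domain = val.replace(/^\./, '').toLowerCase(); break;
      case 'path':     cookie.path = val || '/'; break;
      case 'secure':   cookie.secure = true; break;
      case 'samesite': cookie.sameSite = val || 'Lax'; break;
    }
  }
  return cookie;
}
// RFC 6265 path-match: exact, or a prefix that ends on a "/" boundary.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}
// Reasons a browser would NOT attach `cookie` to a request for `url`. `crossSite` (assumed
// option) marks a request arriving from another site; the same-origin Vite proxy call is not one.
function cookieProblems(cookie, url, { crossSite = false } = {}) {
  const u = new URL(url); // URL lowercases the hostname for us
  const problems = [];
  if (cookie.domain && u.hostname !== cookie.domain && !u.hostname.endsWith('.' + cookie.domain))
    problems.push(`Domain=${cookie.domain} does not match request host ${u.hostname}`);
  if (cookie.secure && u.protocol !== 'https:')
    problems.push('Secure is set but the request is plain HTTP');
  if (!pathMatches(cookie.path, u.pathname))
    problems.push(`Path=${cookie.path} does not cover ${u.pathname}`);
  if (crossSite && cookie.sameSite.toLowerCase() !== 'none')
    problems.push(`SameSite=${cookie.sameSite} blocks a cross-site request`);
  return problems;
}
// Check every cookie from a login response against the frontend's request URL.
function diagnose(setCookieHeaders, requestUrl, opts) {
  return Object.fromEntries(setCookieHeaders.map(parseSetCookie)
    .map((c) => [c.name, cookieProblems(c, requestUrl, opts)]));
}
// Constructed sample: Domain=127.0.0.1 plus Secure on the access token while the frontend runs at http://localhost:5173.
const SAMPLE_SET_COOKIES = [
  'accessToken=abc123; Domain=127.0.0.1; Path=/; HttpOnly; Secure; SameSite=Lax',
  'refreshToken=def456; Path=/; HttpOnly; SameSite=Lax',
];
console.log(diagnose(SAMPLE_SET_COOKIES, 'http://localhost:5173/api/user/sessions'));
```

Feed it the real `Set-Cookie` headers from the login response (DevTools → Network) to see which attribute from the table is the one breaking your setup.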
---

## 🎯 Root Cause

Your frontend makes requests like:

```
http://localhost:5173/api/user/sessions
```

The Vite proxy forwards it to:

```
http://localhost:3000/user/sessions
```

The backend processes it but doesn't receive the `Cookie` header because:

- Cookie domain doesn't match
- Or cookie is marked Secure but you're on HTTP
- Or SameSite is too restrictive

---

## 📚 More Help

- **Detailed guide:** See `TROUBLESHOOTING_AUTH.md`
- **Browser diagnostic:** See `BROWSER_DIAGNOSTIC.md`
- **Test backend:** Run `node test-auth.js`

---

## Quick Test Commands

```bash
# Test if backend is running
curl http://localhost:3000/health

# Test if routes are registered
curl http://localhost:3000/user/sessions
# Should return 401 Unauthorized (this is good!)

# Test cookie debug endpoint
curl http://localhost:3000/auth/debug-cookies
# Shows cookie configuration

# After logging in, copy accessToken from DevTools and test:
curl http://localhost:3000/user/sessions -H "Cookie: accessToken=YOUR_TOKEN_HERE"
# Should return your sessions (if cookie is valid)
```

---

## 🎉 Success Looks Like This

When everything works:

1. ✅ Browser has `accessToken` and `refreshToken` cookies
2. ✅ Backend receives those cookies on every request
3. ✅ `/api/auth/me` returns your user data
4. ✅ `/api/user/sessions` returns your active sessions
5. ✅ `/api/user/2fa/setup` generates a QR code
6. ✅ Profile page shows sessions and 2FA options

---

**Need more help?** Go to http://localhost:5173/diagnostic and follow the on-screen instructions!