# ๐ŸŒ File Protocol Testing Guide ## Overview This guide explains how to use the test client (`test-client.html`) when opened directly from your filesystem (`file://` protocol) instead of through a web server. --- ## ๐Ÿ”‘ The Authentication Challenge When you open `test-client.html` directly from your filesystem: - The file runs with `file://` protocol (e.g., `file:///C:/Users/you/TurboTrades/test-client.html`) - Cookies set by `http://localhost:3000` are **not accessible** from `file://` - You must use **Bearer token authentication** instead of cookies --- ## โœ… How to Authenticate ### Step 1: Login via Steam 1. **Open your browser and navigate to:** ``` http://localhost:3000/auth/steam ``` 2. **Complete Steam OAuth login** - You'll be redirected to Steam - Authorize the application - You'll be redirected back 3. **Get your access token** - After successful login, navigate to: ``` http://localhost:3000/auth/decode-token ``` - Copy the entire `accessToken` value from the JSON response **Alternative: Extract from Browser Console** ```javascript // Open browser console (F12) on http://localhost:3000 document.cookie.split('; ').find(row => row.startsWith('accessToken=')).split('=')[1] ``` --- ### Step 2: Use Token in Test Client 1. **Open the test client:** ``` Double-click: test-client.html ``` 2. **Paste your token:** - Find the "Access Token (optional)" field in the Connection section - Paste your full JWT token (starts with `eyJhbGciOiJIUzI1NiIs...`) 3. **Verify authentication:** - Click **"๐Ÿ”„ Check Auth Status"** button in the Authentication Status section - You should see: โœ… Authenticated with your username and Steam ID --- ## ๐Ÿงช What Works Now With your token pasted, you can use all authenticated features: ### โœ… WebSocket Connection ``` - Connect with token in URL parameter - Receive authenticated welcome message - Server identifies you by Steam ID ``` ### โœ… Marketplace APIs ``` - Create Listing (POST /marketplace/listings) - Update Price (PATCH /marketplace/listings/:id/price) - Get Listings (GET /marketplace/listings) - with user-specific data ``` ### โœ… User APIs ``` - Set Trade URL (PUT /user/trade-url) - Update Email (PATCH /user/email) - Get Profile (GET /user/profile) - Get Balance (GET /user/balance) - Get Stats (GET /user/stats) ``` --- ## ๐Ÿ” How It Works ### API Request Flow 1. **Test client reads token from input field:** ```javascript const token = document.getElementById("token").value; ``` 2. **Adds Authorization header to requests:** ```javascript headers: { "Authorization": `Bearer ${token}`, "Content-Type": "application/json" } ``` 3. **Server validates token:** ```javascript // Server checks Authorization header first const authHeader = request.headers.authorization; if (authHeader && authHeader.startsWith("Bearer ")) { token = authHeader.substring(7); } // Falls back to cookies if no header if (!token && request.cookies.accessToken) { token = request.cookies.accessToken; } ``` 4. **Request succeeds with user context** --- ## ๐ŸŽฏ Quick Start Example ### Example: Create a Listing 1. **Login and get token** (see Step 1 above) ``` Your token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOi... ``` 2. **Open test-client.html** 3. **Paste token in "Access Token" field** 4. **Click "Check Auth Status"** - Should show: โœ… Authenticated as [Your Name] 5. **Set your Trade URL** (if not set): - Get from: Steam โ†’ Inventory โ†’ Trade Offers โ†’ "Who can send me trade offers?" - Format: `https://steamcommunity.com/tradeoffer/new/?partner=XXXXX&token=XXXXX` - Click "Set Trade URL" 6. **Create a listing:** - Item Name: "AK-47 | Redline" - Game: CS2 - Price: 45.99 - Click "Create Listing (Requires Auth)" 7. **Success!** โœ… - You'll get a success message - WebSocket will broadcast the new listing to all connected clients --- ## ๐Ÿ› Troubleshooting ### "No access token provided" Error **Problem:** Token not being sent with request **Solutions:** 1. Check token is pasted in "Access Token" field 2. Click "Check Auth Status" to verify 3. Token must be the full JWT (starts with `eyJhbGci...`) 4. Token expires after 15 minutes - get a new one --- ### "Invalid access token" Error **Problem:** Token is expired or malformed **Solutions:** 1. Login again to get a fresh token 2. Copy the entire token (no spaces or line breaks) 3. Check token hasn't expired (15 minute lifespan) --- ### "Trade URL must be set" Error **Problem:** Trying to create listing without trade URL **Solutions:** 1. Set your trade URL first using the "Set Trade URL" section 2. Get your trade URL from Steam: - Steam โ†’ Inventory โ†’ Trade Offers - "Who can send me trade offers?" - Copy the URL --- ### Authentication Status Shows "Not Authenticated" **Problem:** Token not recognized or not present **Solutions:** 1. Make sure you pasted the token in the "Access Token" field 2. Click "Check Auth Status" button 3. If still failing, get a new token (it may have expired) 4. Check browser console for specific error messages --- ## ๐Ÿ“Š Token Information ### Your Current Token ``` Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI2OTYxMzRlOTIwNzYxOTc3ZGNjMWQ2ZDIiLCJzdGVhbUlkIjoiNzY1NjExOTgwMjc2MDgwNzEiLCJ1c2VybmFtZSI6IuKchSBBc2hsZXkg44Ki44K344Ol44Oq44O8IiwiYXZhdGFyIjoiaHR0cHM6Ly9hdmF0YXJzLnN0ZWFtc3RhdGljLmNvbS9kNmI2MTY0NjQ2MjlkYjIxNjcwYTQ0NTY3OWFlZmVlYjE4ZmI0MDFmX2Z1bGwuanBnIiwic3RhZmZMZXZlbCI6MCwiaWF0IjoxNzY3OTk0MzkwLCJleHAiOjE3Njc5OTUyOTAsImF1ZCI6InR1cmJvdHJhZGVzLWFwaSIsImlzcyI6InR1cmJvdHJhZGVzIn0.9Xh-kDvWZbQERuXgRb-NEMw6il2h8SQyVQySdILcLo8 User ID: 696134e92076197...[truncated] Steam ID: 76561198027608071 Username: โœ… Ashley ใ‚ขใ‚ทใƒฅใƒชใƒผ Staff Level: 0 Issued At: 1767994390 (Unix timestamp) Expires At: 1767995290 (Unix timestamp - 15 minutes from issue) ``` ### Token Lifespan - **Access Token:** 15 minutes - **Refresh Token:** 7 days (stored in cookies, not available in file:// protocol) ### When Token Expires 1. Navigate to `http://localhost:3000/auth/steam` again 2. You'll be automatically logged in (Steam session still active) 3. Get new token from `/auth/decode-token` 4. Paste new token in test client --- ## ๐ŸŽ“ Advanced Tips ### Save Token Temporarily ```javascript // In browser console on test client page localStorage.setItem('authToken', 'YOUR_TOKEN_HERE'); // Load it later const token = localStorage.getItem('authToken'); document.getElementById('token').value = token; ``` ### Check Token Expiry ```javascript // Decode JWT (client-side, no verification) function parseJwt(token) { const base64Url = token.split('.')[1]; const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/'); const jsonPayload = decodeURIComponent(atob(base64).split('').map(c => { return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2); }).join('')); return JSON.parse(jsonPayload); } const decoded = parseJwt(YOUR_TOKEN); const expiresAt = new Date(decoded.exp * 1000); console.log('Token expires at:', expiresAt); ``` ### Auto-Refresh Before Expiry ```javascript // Set up auto-refresh 1 minute before expiry const decoded = parseJwt(token); const expiresIn = (decoded.exp * 1000) - Date.now(); const refreshTime = expiresIn - 60000; // 1 minute before if (refreshTime > 0) { setTimeout(() => { alert('Token expiring soon! Please get a new token.'); }, refreshTime); } ``` --- ## ๐ŸŒ Alternative: Use a Web Server If you prefer cookie-based authentication: ### Option 1: Simple HTTP Server (Python) ```bash cd TurboTrades python -m http.server 8000 ``` Then open: `http://localhost:8000/test-client.html` ### Option 2: Node.js HTTP Server ```bash cd TurboTrades npx http-server -p 8000 ``` Then open: `http://localhost:8000/test-client.html` ### Option 3: VS Code Live Server 1. Install "Live Server" extension 2. Right-click `test-client.html` 3. Select "Open with Live Server" **Note:** With a web server, cookies will work and you don't need to paste tokens! --- ## ๐Ÿ“‹ Testing Checklist ### With Token Authentication (file:// protocol) - [ ] Login via Steam - [ ] Get access token - [ ] Paste token in test client - [ ] Check auth status (should show โœ…) - [ ] Connect WebSocket with token - [ ] Set trade URL - [ ] Create listing - [ ] Update listing price - [ ] Get listings - [ ] Verify WebSocket broadcasts received --- ## ๐Ÿ” Security Notes ### Token Security - โœ… Token is sent via HTTPS in production - โœ… Token expires after 15 minutes - โœ… Token is JWT signed and verified server-side - โš ๏ธ Don't share your token with others - โš ๏ธ Don't commit tokens to version control ### File Protocol Limitations - โŒ Cookies don't work across protocols - โŒ Can't access localStorage from different origin - โœ… Authorization header works perfectly - โœ… CORS configured to allow file:// protocol --- ## ๐Ÿ“š Related Documentation - **WEBSOCKET_AUTH.md** - WebSocket authentication details - **TESTING_GUIDE.md** - Comprehensive testing guide - **TEST_CLIENT_REFERENCE.md** - Quick reference for test client - **NEW_FEATURES.md** - Latest features and enhancements --- ## ๐Ÿ’ก Summary **File Protocol Testing Flow:** 1. Login via `http://localhost:3000/auth/steam` 2. Get token from `/auth/decode-token` 3. Paste token in test client "Access Token" field 4. Click "Check Auth Status" 5. Use all authenticated features! ๐ŸŽ‰ **Key Points:** - Token authentication works from `file://` protocol - Token lasts 15 minutes - Server accepts `Authorization: Bearer ` header - All API requests automatically include your token - WebSocket can use token via query parameter **You're all set! Happy testing! ๐Ÿš€**