# Authentication Troubleshooting Guide
This guide will help you debug authentication issues with sessions and 2FA endpoints.
## Quick Diagnosis Steps

### Step 1: Check if you're actually logged in

- Open your browser console (F12)
- Run this command:

```js
console.log('Cookies:', document.cookie);
```

You should see `accessToken` and `refreshToken` in the output. If not, you're not actually logged in. Note that cookies flagged `HttpOnly` (the expected setting in Step 3) are hidden from `document.cookie` even when you are logged in, so if this check comes up empty, confirm with the server-side view in Step 2 before concluding anything.
### Step 2: Check the debug endpoint

- While logged in, navigate to `http://localhost:5173/api/auth/debug-cookies`
- Or in the console run:

```js
fetch('/api/auth/debug-cookies', { credentials: 'include' })
  .then(r => r.json())
  .then(d => console.log(d));
```
This will show:
- All cookies the backend receives
- All relevant headers
- Cookie configuration settings
Expected output:

```json
{
  "success": true,
  "hasAccessToken": true,
  "hasRefreshToken": true,
  "cookies": {
    "accessToken": "eyJhbGc...",
    "refreshToken": "eyJhbGc..."
  }
}
```

If `hasAccessToken` is `false`, proceed to Step 3.
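As an added illustration of what a debug-cookies endpoint like the one above has to do (this is not the project's own route handler): it parses the `Cookie` header the backend actually received, reports whether the two tokens are present, and truncates every value so the output can be pasted into a bug report without leaking a usable token. The function names `parseCookieHeader`, `redact` and `debugCookies`, the request-like object shape, and the sample request are all assumptions of this example.

```javascript
// Added example, not the project's own handler: the logic behind a
// /api/auth/debug-cookies style endpoint, written as a plain function over a
// request-like object ({ headers: {...} }) so it runs outside any framework.
// Token values are truncated so the output is safe to paste into a bug report.

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      cookies[name] = decodeURIComponent(value);
    } catch {
      cookies[name] = value; // keep a malformed value verbatim rather than failing
    }
  }
  return cookies;
}

// Show only a short prefix of a secret value, never the whole token.
function redact(value, keep = 8) {
  if (typeof value !== 'string') return value;
  return value.length > keep ? value.slice(0, keep) + '...' : value;
}

// Build the diagnostic payload from the headers the backend actually received.
// `cookieConfig` is the domain/secure/sameSite the server uses when setting cookies.
function debugCookies(req, cookieConfig) {
  const cookies = parseCookieHeader(req.headers.cookie);
  const redacted = {};
  for (const [name, value] of Object.entries(cookies)) redacted[name] = redact(value);
  return {
    success: true,
    hasAccessToken: Object.prototype.hasOwnProperty.call(cookies, 'accessToken'),
    hasRefreshToken: Object.prototype.hasOwnProperty.call(cookies, 'refreshToken'),
    cookies: redacted,
    headers: {
      origin: req.headers.origin || null,
      referer: req.headers.referer || null,
      authorization: req.headers.authorization ? 'present' : 'missing',
    },
    cookieConfig,
  };
}

// Constructed sample request, shaped like what a browser on http://localhost:5173 sends.
const sampleRequest = {
  headers: {
    cookie: 'accessToken=eyJhbGciOiJIUzI1NiJ9.sample.sig; refreshToken=eyJhbGciOiJIUzI1NiJ9.other.sig',
    origin: 'http://localhost:5173',
  },
};
const sampleConfig = { domain: 'localhost', secure: false, sameSite: 'lax', httpOnly: true };

console.log(JSON.stringify(debugCookies(sampleRequest, sampleConfig), null, 2));
```

The `cookies` object in the response only ever carries the first eight characters of each value; the `hasAccessToken` / `hasRefreshToken` flags are what you actually need for diagnosis, and the full token never has to leave the server.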
### Step 3: Inspect browser cookies

- Open DevTools (F12)
- Go to the Application tab (Chrome) or Storage tab (Firefox)
- Click on Cookies in the left sidebar
- Select your domain (`http://localhost:5173`)

Check these cookie properties:

| Property | Expected Value (Development) | Problem if Different |
|---|---|---|
| Domain | `localhost` | If it's `127.0.0.1` or `0.0.0.0`, the cookie won't be sent |
| Path | `/` | If different, the cookie may not apply to `/api/*` routes |
| SameSite | `Lax` or `None` (`None` also requires `Secure`) | If `Strict`, cookies may not be sent on redirects |
| Secure | ☐ (unchecked) | If checked, cookies won't work on `http://localhost` |
| HttpOnly | ☑ (checked) | This is correct - JavaScript can't access it |
### Step 4: Check Network requests

- Open DevTools → Network tab
- Try to access sessions: click "Active Sessions" or refresh your profile
- Find the request to `/api/user/sessions`
- Click on it and check the Headers tab

In Request Headers, look for:

```text
Cookie: accessToken=eyJhbGc...; refreshToken=eyJhbGc...
```

If the `Cookie` header is missing or doesn't include `accessToken`:

- The browser is not sending the cookies
- This is usually due to incorrect cookie attributes (see Step 3)
## Common Issues & Solutions

### Issue 1: Cookies have wrong domain

Symptoms:

- Cookies exist in DevTools but aren't sent with requests
- `debug-cookies` shows `hasAccessToken: false`

Solution:

- Check your backend `.env` file or `config/index.js`
- Ensure `COOKIE_DOMAIN=localhost` (NOT `127.0.0.1` or `0.0.0.0`)
- Restart the backend server
- Log out and log back in via Steam

Backend config check:

```sh
# In backend directory
cat .env | grep COOKIE_DOMAIN
# Should show: COOKIE_DOMAIN=localhost
```
### Issue 2: Cookies are Secure but you're on HTTP

Symptoms:

- After Steam login, you're redirected back but cookies don't persist
- Chrome console shows warnings about Secure cookies on an insecure origin

Solution:

- Set `COOKIE_SECURE=false` in your `.env` or `config/index.js`
- Restart backend
- Clear all cookies for `localhost`
- Log in again
### Issue 3: SameSite=Strict blocking cookies

Symptoms:

- Cookies set but not sent after Steam redirect
- Works on direct page load but not after navigation

Solution:

- Set `COOKIE_SAME_SITE=lax` in your backend config
- Restart backend
- Log out and log in again
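The Domain, Secure and SameSite problems in Issues 1 to 3 (and the table in Step 3) all come from one place: how the backend turns its `COOKIE_*` settings into cookie options. The following is an added example, not the project's `config/index.js`: it derives the options from those variables, refuses the combinations that produce cookies the browser stores but never sends (or that would ship tokens over plain HTTP in production), and renders the resulting `Set-Cookie` header so you can compare it with what DevTools shows. `buildCookieOptions`, `setCookieHeader` and the sample environments are assumptions of this example.

```javascript
// Added example, not the project's config/index.js: derive cookie options
// from the COOKIE_* environment variables this guide describes and reject
// the combinations that cause "set but never sent" cookies.

const HOST_ONLY_DOMAINS = ['127.0.0.1', '0.0.0.0'];

function parseBool(value, fallback) {
  if (value === undefined || value === '') return fallback;
  return ['1', 'true', 'yes'].includes(String(value).toLowerCase());
}

// Returns { ok: true, options } or { ok: false, errors: [...] }.
function buildCookieOptions(env) {
  const isProd = env.NODE_ENV === 'production';
  const options = {
    domain: env.COOKIE_DOMAIN || 'localhost',
    secure: parseBool(env.COOKIE_SECURE, isProd), // default on in production
    sameSite: (env.COOKIE_SAME_SITE || 'lax').toLowerCase(),
    httpOnly: true, // tokens must never be readable from page JavaScript
    path: '/',      // so every /api/* route receives the cookie
  };
  const errors = [];
  if (HOST_ONLY_DOMAINS.includes(options.domain)) {
    errors.push(`COOKIE_DOMAIN=${options.domain}: the browser will not send this cookie to localhost`);
  }
  if (!['lax', 'strict', 'none'].includes(options.sameSite)) {
    errors.push(`COOKIE_SAME_SITE=${options.sameSite}: must be lax, strict or none`);
  } else if (options.sameSite === 'none' && !options.secure) {
    errors.push('SameSite=None requires Secure; the browser rejects the cookie otherwise');
  } else if (options.sameSite === 'strict') {
    errors.push('SameSite=Strict drops the cookie on the redirect back from Steam; use lax');
  }
  if (isProd && !options.secure) {
    errors.push('COOKIE_SECURE=false in production sends tokens over plain HTTP');
  }
  if (!isProd && options.secure) {
    errors.push('COOKIE_SECURE=true but the dev server is plain http://, where browsers do not store Secure cookies (localhost handling varies by browser)');
  }
  return errors.length ? { ok: false, errors } : { ok: true, options };
}

// Render the options as a Set-Cookie header value (what DevTools shows).
function setCookieHeader(name, value, options, maxAgeSeconds) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  parts.push(`Domain=${options.domain}`, `Path=${options.path}`, `Max-Age=${maxAgeSeconds}`);
  parts.push(`SameSite=${options.sameSite[0].toUpperCase() + options.sameSite.slice(1)}`);
  if (options.httpOnly) parts.push('HttpOnly');
  if (options.secure) parts.push('Secure');
  return parts.join('; ');
}

// Constructed environments: the working dev settings from this guide, plus
// the broken variants described in Issues 1 and 2.
const devEnv = { NODE_ENV: 'development', COOKIE_DOMAIN: 'localhost', COOKIE_SECURE: 'false', COOKIE_SAME_SITE: 'lax' };
const wrongDomainEnv = { ...devEnv, COOKIE_DOMAIN: '127.0.0.1' };
const secureOnHttpEnv = { ...devEnv, COOKIE_SECURE: 'true' };

for (const env of [devEnv, wrongDomainEnv, secureOnHttpEnv]) {
  const result = buildCookieOptions(env);
  console.log(result.ok ? setCookieHeader('accessToken', '<jwt>', result.options, 900) : result.errors);
}
```

Running the check at startup, and refusing to boot when it fails, turns a silent "cookies never arrive" symptom into an immediate, named configuration error; the production branch also means the dev-only `COOKIE_SECURE=false` cannot be carried over by accident.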
### Issue 4: CORS misconfiguration

Symptoms:

- Network errors in console
- 401 Unauthorized even though cookies exist

Solution:

- Check backend `config/index.js`:

```js
cors: {
  origin: "http://localhost:5173", // Must match frontend URL exactly
  credentials: true,
},
```

- Ensure the Vite dev server is running on `http://localhost:5173`
- Restart backend
### Issue 5: Axios not sending credentials

Symptoms:

- Cookies exist but requests don't include them
- Works in Postman/curl but not in browser

Solution:

Check `frontend/src/utils/axios.js`:

```js
const axiosInstance = axios.create({
  baseURL: '/api',
  withCredentials: true, // This is CRITICAL
  // ...
})
```

Also ensure individual requests include it:

```js
axios.get('/api/user/sessions', {
  withCredentials: true // Add this if missing
})
```
## Backend Debugging

### View authentication debug logs

The backend now has verbose debug logging. When you try to access `/api/user/sessions`, you'll see:

```text
=== AUTH MIDDLEWARE DEBUG ===
URL: /user/sessions
Method: GET
Cookies present: [ 'accessToken', 'refreshToken' ]
Has accessToken cookie: true
Authorization header: Missing
Origin: http://localhost:5173
✓ Token found in cookies
✓ Token verified, userId: 65abc123...
✓ User authenticated: YourUsername
=== END AUTH DEBUG ===
```

If you see "No token found":

- The backend is not receiving cookies
- Check cookie domain/path/secure settings

If you see "Token verified" but still get 401:

- Check the user exists in the database
- Check for ban status
### Test with curl

If you have cookies working in the browser, test directly:

- Copy cookie values from DevTools
- Run:

```sh
curl -v http://localhost:3000/user/sessions \
  -H "Cookie: accessToken=YOUR_TOKEN_HERE; refreshToken=YOUR_REFRESH_HERE"
```
If curl works but browser doesn't:
- CORS issue
- Browser security policy blocking cookies
- Check browser console for security warnings
## Manual Cookie Fix

If all else fails, manually set correct cookie attributes:

- Log in via Steam
- After redirect, open the DevTools console
- In the backend, check which cookie settings the Steam callback uses:

```sh
# Look at the Steam callback code in routes/auth.js
# Check the cookie settings being used
```

- Modify `config/index.js`:

```js
cookie: {
  domain: 'localhost', // NOT 127.0.0.1 or 0.0.0.0
  secure: false,       // Must be false for http:// (development only; keep true behind https)
  sameSite: 'lax',     // Not 'strict'
  httpOnly: true,      // Keep this true
},
```

- Restart backend: `npm run dev`
- Clear all cookies: DevTools → Application → Cookies → Right-click localhost → Clear
- Log in again
## Environment File Template

Create/update `TurboTrades/.env`:

```sh
# Server
NODE_ENV=development
PORT=3000
HOST=0.0.0.0   # listens on all interfaces; use 127.0.0.1 if the dev box is on a shared network

# Database
MONGODB_URI=mongodb://localhost:27017/turbotrades

# JWT - placeholders, replace with long random values
JWT_ACCESS_SECRET=your-super-secret-access-key-change-this
JWT_REFRESH_SECRET=your-super-secret-refresh-key-change-this
JWT_ACCESS_EXPIRY=15m
JWT_REFRESH_EXPIRY=7d

# Steam
STEAM_API_KEY=your_steam_api_key_here
STEAM_REALM=http://localhost:3000
STEAM_RETURN_URL=http://localhost:3000/auth/steam/return

# Cookies - CRITICAL FOR DEVELOPMENT
COOKIE_DOMAIN=localhost
COOKIE_SECURE=false
COOKIE_SAME_SITE=lax

# CORS - Must match frontend URL exactly
CORS_ORIGIN=http://localhost:5173

# Session
SESSION_SECRET=your-session-secret-change-this
```
## Testing Checklist

Run through this checklist:

- Backend running on `http://localhost:3000`
- Frontend running on `http://localhost:5173`
- MongoDB running and connected
- Steam API key configured
- Can visit `http://localhost:5173` and see the site
- Can visit `http://localhost:3000/health` and get a response
- Can click "Login with Steam" and complete OAuth
- After login, redirected back to frontend
- DevTools shows `accessToken` and `refreshToken` cookies for `localhost`
- Cookies have `Domain: localhost` (not `127.0.0.1`)
- Cookies have `Secure: false` (unchecked)
- Cookies have `SameSite: Lax`
- Profile page shows your username and avatar (means `/auth/me` worked)
- `/api/auth/debug-cookies` shows `hasAccessToken: true`
- Network tab shows `Cookie` header on the `/api/user/sessions` request
- Backend console shows "✓ User authenticated" in debug logs
## Still Not Working?

If you've gone through all the above and it still doesn't work:

- Check browser console for any JavaScript errors
- Check backend logs (`backend.log` or terminal output)
- Try a different browser (sometimes browser extensions interfere)
- Try incognito/private mode (rules out extension interference)
- Check if MongoDB is running and has the User document
- Verify the Steam login actually created/updated your user in MongoDB

### MongoDB Check

```sh
# Connect to MongoDB
mongosh
```

Then, inside the mongosh shell (it takes JavaScript, so comments use `//`):

```js
// Switch to database
use turbotrades
// Find your user
db.users.findOne({ steamId: "YOUR_STEAM_ID" })
// Check if sessions exist
db.sessions.find({ steamId: "YOUR_STEAM_ID" })
```
## Getting Help

If you're still stuck, gather this information:

- Output of `/api/auth/debug-cookies`
- Screenshot of DevTools → Application → Cookies
- Screenshot of DevTools → Network → `/api/user/sessions` request headers
- Backend console output when you try to access sessions
- Frontend console errors (if any)
- Your `config/index.js` cookie settings (remove secrets)
Good luck! 🚀