TurboTrades/CHANGELOG_SESSION_2FA.md
2026-01-10 04:57:43 +00:00

Session & 2FA Security Improvements

Date: 2025-01-09

Summary

Fixed authentication issues with sessions and 2FA endpoints, and added security improvements for session management.
🔧 Fixes Applied

1. Route Registration Issue - RESOLVED

Problem: Frontend was calling /api/user/sessions but backend routes were registered at /user/sessions

Solution:

  • Registered all routes with /api prefix on backend to match frontend expectations
  • Auth routes registered twice: /auth/* for Steam OAuth and /api/auth/* for frontend
  • Routes now properly accessible:
    • /api/user/sessions
    • /api/user/2fa/setup
    • /api/auth/me
    • /auth/steam (for external OAuth)

Files Changed:

  • TurboTrades/index.js - Updated route registration

2. Session Management Improvements 🔒

A. Allow Revoking Current Session

Previous: Could not revoke the current session (X button was hidden)

New Features:

  • Can now revoke ANY session including the current one
  • ⚠️ Confirmation prompt when revoking current session
  • 🚪 Automatically logs out after revoking current session
  • 🔄 Redirects to home page after logout

B. Visual Security Warnings

New: Sessions inactive for 7+ days are flagged as "Old Session"

  • 🟡 Yellow border on old sessions
  • ⚠️ Warning badge displayed
  • 💡 Security tip shown: "If you don't recognize it, revoke it immediately"

C. Bulk Session Revocation

New Actions:

  1. "Revoke Old (X)" button - Revokes all sessions inactive for 7+ days
  2. "Revoke All Others" button - Revokes all sessions except current one

Files Changed:

  • TurboTrades/frontend/src/views/ProfilePage.vue
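
The three session actions above (flag sessions idle for 7+ days, "Revoke Old (X)", "Revoke All Others", and log out when the current session is revoked) reduce to a few pure functions. The block below is an added example, not code from ProfilePage.vue or any other TurboTrades file; the session object shape, the 7-day threshold as a millisecond constant and the sample sessions are assumptions and constructed data.

```javascript
// Added example, not TurboTrades project code. Pure helpers that mirror the
// session-management behaviour described above; the session object shape,
// the 7-day threshold and the reference time are assumptions / constructed.
const OLD_SESSION_MS = 7 * 24 * 60 * 60 * 1000; // "inactive for 7+ days"

// A session is "old" when its last activity is 7 or more days before `now`.
function isOldSession(session, now = Date.now()) {
  return now - Date.parse(session.lastActivity) >= OLD_SESSION_MS;
}

// Annotate each session with the two UI indicators: current and old.
function classifySessions(sessions, currentSessionId, now = Date.now()) {
  return sessions.map((s) => ({
    ...s,
    isCurrent: s.id === currentSessionId,
    isOld: isOldSession(s, now),
  }));
}

// Choose which session ids a bulk action revokes.
//   'old'    -> "Revoke Old (X)": every session inactive for 7+ days
//   'others' -> "Revoke All Others": every session except the current one
function selectSessionsToRevoke(sessions, currentSessionId, mode, now = Date.now()) {
  switch (mode) {
    case 'old':
      return sessions.filter((s) => isOldSession(s, now)).map((s) => s.id);
    case 'others':
      return sessions.filter((s) => s.id !== currentSessionId).map((s) => s.id);
    default:
      throw new Error(`unknown revoke mode: ${mode}`);
  }
}

// Apply a revocation. When the current session is among the revoked ids the
// caller must log the user out and redirect home, exactly as the UI now does.
function revokeSessions(sessions, currentSessionId, ids) {
  const revoked = new Set(ids);
  return {
    remaining: sessions.filter((s) => !revoked.has(s.id)),
    loggedOut: revoked.has(currentSessionId),
  };
}

// Constructed sample data: a fixed reference time and four sessions.
const NOW = Date.parse('2025-01-09T12:00:00Z');
const SAMPLE_SESSIONS = [
  { id: 's1', browser: 'Firefox', lastActivity: '2025-01-09T11:50:00Z' }, // current device
  { id: 's2', browser: 'Chrome',  lastActivity: '2025-01-05T09:00:00Z' }, // 4 days idle: fine
  { id: 's3', browser: 'Safari',  lastActivity: '2024-12-20T08:00:00Z' }, // 20 days idle: old
  { id: 's4', browser: 'Edge',    lastActivity: '2025-01-02T12:00:00Z' }, // exactly 7 days: old
];

function demo() {
  for (const s of classifySessions(SAMPLE_SESSIONS, 's1', NOW)) {
    console.log(s.id, s.browser, s.isCurrent ? 'Current' : '', s.isOld ? 'Old Session' : '');
  }
  const ids = selectSessionsToRevoke(SAMPLE_SESSIONS, 's1', 'old', NOW);
  console.log(`Revoke Old (${ids.length})`, ids);
}
demo();
```

The boundary case matters: a session whose last activity is exactly seven days ago counts as old, so the comparison is `>=`, not `>`. Keeping the selection separate from the revocation also means the "X" count shown on the button and the set actually revoked come from the same function.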

3. 2FA Setup Flow Fix 🔐

Problem: Clicking "Verify & Enable" without calling /2fa/setup first would fail

Solution:

  • Renamed setup2FA() to start2FASetup() for clarity
  • Added check in verify2FA() to ensure setup was called first
  • If QR code/secret is missing, automatically calls setup endpoint
  • Shows error message: "Please start 2FA setup first"

Flow:

  1. Click "Enable 2FA" → Calls /api/user/2fa/setup → Shows QR code
  2. Scan QR code with authenticator app
  3. Enter 6-digit code
  4. Click "Verify & Enable" → Calls /api/user/2fa/verify → Enables 2FA

Files Changed:

  • TurboTrades/frontend/src/views/ProfilePage.vue

4. Debug & Logging Improvements 🐛

Added:

  • Request logging for all /user/* and /auth/* routes (dev only)
  • Enhanced /api/auth/debug-cookies endpoint with manual cookie parsing
  • Logs show:
    • Incoming request URL and method
    • Cookies present (by name)
    • Has accessToken/refreshToken
    • Origin and Host headers

Files Changed:

  • TurboTrades/index.js - Added onRequest hook
  • TurboTrades/middleware/auth.js - Added verbose debug logging
  • TurboTrades/routes/auth.js - Enhanced debug endpoint
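
The log fields listed above (URL, method, cookie names, whether accessToken/refreshToken are present, Origin and Host) can be produced without ever writing a token value to the log, which is the property that makes this kind of debug logging safe to leave in a development build. The block below is an added example, not the project's onRequest hook; the request object shape and the sample request are constructed, and the token value is a placeholder.

```javascript
// Added example, not TurboTrades project code. Summarises a request for debug
// logging: cookie names and presence flags only, never token values. The
// request object shape and the sample request are constructed.
function parseCookieHeader(header) {
  const cookies = Object.create(null); // no prototype, so "constructor" etc. cannot collide
  if (!header) return cookies;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;                    // malformed fragment: skip it
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// The page says the logging is dev only; gate it on NODE_ENV.
function debugLoggingEnabled(env = process.env.NODE_ENV) {
  return env !== 'production';
}

function summarizeRequest(req) {
  const cookies = parseCookieHeader(req.headers.cookie);
  const present = (name) => typeof cookies[name] === 'string' && cookies[name] !== '';
  return {
    method: req.method,
    url: req.url,
    cookieNames: Object.keys(cookies),          // names only
    hasAccessToken: present('accessToken'),     // boolean, not the value
    hasRefreshToken: present('refreshToken'),
    origin: req.headers.origin || null,
    host: req.headers.host || null,
  };
}

// Constructed sample request; the token is a placeholder string, not a real JWT.
const SAMPLE_REQUEST = {
  method: 'GET',
  url: '/api/user/sessions',
  headers: {
    cookie: 'accessToken=PLACEHOLDER_ACCESS_TOKEN; refreshToken=; theme=dark',
    origin: 'http://localhost:5173',
    host: 'localhost:3000',
  },
};

if (debugLoggingEnabled()) {
  console.log(JSON.stringify(summarizeRequest(SAMPLE_REQUEST)));
}
```

An empty `refreshToken=` cookie is reported as absent, which is usually the state you are actually debugging (the cookie was set but cleared, or the proxy dropped its value).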

5. CORS Configuration Improvements 🌐

Updated:

  • Added Cookie to allowed headers
  • Added Set-Cookie to exposed headers
  • Explicitly set credentials: true
  • Better origin handling for localhost development

Files Changed:

  • TurboTrades/index.js - Updated CORS config
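
With credentials: true the server has to echo one specific vetted origin (browsers reject a "*" allow-origin on credentialed requests), so the "better origin handling for localhost" is really a question of how strictly the Origin header is matched. The block below is an added example, not the project's CORS configuration; the allow-list, the development-only localhost rule and the header set are assumptions.

```javascript
// Added example, not TurboTrades project code. Origin vetting for a
// credentialed CORS setup; the allow-list and the localhost rule are assumptions.
const ALLOWED_ORIGINS = new Set(['http://localhost:5173']); // add the deployed frontend origin here

function isAllowedOrigin(origin, env = process.env.NODE_ENV) {
  if (!origin) return false;                   // no Origin header: not a cross-origin browser request
  if (ALLOWED_ORIGINS.has(origin)) return true;
  if (env === 'production') return false;      // outside development, the allow-list is exact
  // Development only: accept any http://localhost:<port> or http://127.0.0.1:<port>.
  // Match on the parsed hostname so "localhost.evil.example" cannot pass a prefix check.
  try {
    const u = new URL(origin);
    return u.protocol === 'http:' && (u.hostname === 'localhost' || u.hostname === '127.0.0.1');
  } catch (_) {
    return false;                              // unparsable Origin value
  }
}

// Headers for an allowed origin. The origin is echoed exactly, and Vary: Origin
// stops shared caches from serving this response to a different origin.
function corsHeaders(origin, env = process.env.NODE_ENV) {
  if (!isAllowedOrigin(origin, env)) return {}; // no CORS headers: the browser blocks the response
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Headers': 'Content-Type, Cookie',
    'Access-Control-Expose-Headers': 'Set-Cookie',
    'Vary': 'Origin',
  };
}

function demo() {
  for (const o of ['http://localhost:5173', 'http://localhost:4000', 'http://localhost.evil.example', 'https://other.example']) {
    console.log(o, 'dev:', isAllowedOrigin(o, 'development'), 'prod:', isAllowedOrigin(o, 'production'));
  }
}
demo();
```

One caveat on the exposed header: browsers treat Set-Cookie as a forbidden response header for scripts, so listing it in Access-Control-Expose-Headers does no harm but also has no effect. The browser still stores the cookie when the request was made with credentials; what the frontend needs is Allow-Credentials: true here and withCredentials on the Axios client.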

6. Cookie Plugin Registration

Updated:

  • Added explicit parse options
  • Set hook: "onRequest" to parse cookies on every request
  • Improved cookie handling reliability

Files Changed:

  • TurboTrades/index.js - Updated cookie plugin registration

📊 Session Security Features

Visual Indicators

  • 🟢 Current Session - Green "Current" badge
  • 🟡 Old Session - Yellow "Old Session" badge + warning border
  • 🔴 Revoke Button - Always visible for all sessions

Security Metrics

  • Sessions flagged as "old" if inactive for 7+ days
  • Warning message on old sessions
  • Quick action buttons for bulk revocation

Session Information Displayed

  • Browser and Operating System
  • Device type (Desktop/Mobile/Tablet)
  • IP Address
  • Last activity timestamp
  • Current session indicator

🧪 Testing

Test that the routes work:

```bash
# Health check
curl http://localhost:3000/api/health

# Debug cookies (after login)
curl http://localhost:5173/api/auth/debug-cookies

# Sessions (with auth)
curl http://localhost:3000/api/user/sessions -H "Cookie: accessToken=..."

# 2FA setup (with auth)
curl -X POST http://localhost:3000/api/user/2fa/setup -H "Cookie: accessToken=..." -d "{}"
```

Diagnostic Page

Visit: http://localhost:5173/diagnostic

  • Automated testing of all auth endpoints
  • Cookie verification
  • Visual status indicators
  • Troubleshooting suggestions

🎯 User Impact

Before

  • Sessions endpoint returned 404
  • 2FA setup endpoint returned 404
  • Could not revoke current session
  • No warning for old sessions
  • Had to revoke sessions one by one

After

  • All endpoints work correctly
  • Can revoke any session including current
  • Visual warnings for potentially hijacked sessions
  • Bulk actions for session cleanup
  • Better 2FA setup flow with error handling
  • Security-focused UI with clear warnings

📝 Notes

Security Considerations

  1. Session Hijacking Prevention: Users can now easily identify and revoke suspicious sessions
  2. Current Session Revocation: Useful if user suspects their current device is compromised
  3. Old Session Cleanup: Helps maintain account security by removing stale sessions
  4. 2FA Enforcement: Improved flow makes it easier for users to enable 2FA

Future Improvements

  • Add email notifications when new sessions are created
  • Show session location using IP geolocation
  • Add "Remember this device" feature
  • Implement session limits (e.g., max 10 active sessions)
  • Add session activity logs (what actions were performed)

Files Reference

Frontend

  • frontend/src/views/ProfilePage.vue - Main session/2FA UI
  • frontend/src/views/DiagnosticPage.vue - Debug/test page
  • frontend/src/utils/axios.js - HTTP client config
  • frontend/vite.config.js - Proxy configuration

Backend

  • index.js - Route registration and CORS
  • routes/auth.js - Authentication routes
  • routes/user.js - User/session/2FA routes
  • middleware/auth.js - Auth middleware
  • models/Session.js - Session data model

Documentation

  • QUICK_FIX.md - Quick troubleshooting guide
  • TROUBLESHOOTING_AUTH.md - Comprehensive auth guide
  • BROWSER_DIAGNOSTIC.md - Browser console tests
  • test-auth.js - Backend test script

Verification Checklist

  • Backend routes registered correctly
  • Sessions endpoint returns data
  • 2FA setup endpoint works
  • Can revoke non-current sessions
  • Can revoke current session (with confirmation)
  • Old sessions are flagged visually
  • Bulk revoke old sessions works
  • Bulk revoke all others works
  • 2FA setup flow is robust
  • Debug logging works
  • CORS configuration allows credentials
  • Cookies are parsed correctly
  • Diagnostic page shows all tests passing

Status: All Issues Resolved
Tested: All Features Working
Documentation: Complete