# Quick Fix Guide - Sessions & 2FA Not Working

## TL;DR - The routes work! The issue is cookie configuration.

**Good news:** Both `/api/user/sessions` and `/api/user/2fa/setup` endpoints exist and work perfectly!

**The problem:** Your browser cookies aren't reaching the backend.

---

## 🚀 Fastest Way to Diagnose

### Option 1: Use the Diagnostic Page (EASIEST)

1. Make sure both frontend and backend are running
2. Navigate to: **http://localhost:5173/diagnostic**
3. The page will automatically run all tests and tell you exactly what's wrong
4. Follow the on-screen instructions

### Option 2: Browser Console (QUICK)

1. While on your frontend (logged in), press F12
2. Go to the Console tab
3. Paste this and press Enter:

```javascript
fetch('/api/auth/debug-cookies', { credentials: 'include' })
  .then(r => r.json())
  .then(d => console.log('Backend sees cookies:', d.hasAccessToken, d.hasRefreshToken));
```

**If it shows `false, false`** → Backend isn't receiving cookies (see fix below)

**If it shows `true, true`** → Backend IS receiving cookies, continue testing

---

## 🔧 Most Likely Fix

### Problem: Cookie Domain Mismatch

Your backend is probably setting cookies with the wrong domain.

**Fix:**

1. **Stop your backend** (Ctrl+C)

2. **Edit `TurboTrades/config/index.js`** or create/edit `.env`:

   ```env
   # Add or update these lines:
   COOKIE_DOMAIN=localhost
   COOKIE_SECURE=false
   COOKIE_SAME_SITE=lax
   CORS_ORIGIN=http://localhost:5173
   ```

3. **Restart backend:**

   ```bash
   npm run dev
   ```

4. **Clear ALL cookies:**
   - DevTools (F12) → Application → Cookies → localhost → Right-click → Clear

5. **Log out and log back in** via Steam

6. **Test again** - go to http://localhost:5173/diagnostic
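The `.env` values above only help if the backend turns them into cookie options the browser will accept. The following is an added example, not code from the TurboTrades repository: it maps those four variables to the options object Express' `res.cookie()` takes and reports combinations that make the browser drop or withhold the cookie. The variable names come from this guide; `parseBool`, `buildCookieOptions` and `auditCookieConfig` are assumed helper names, and `COOKIE_SECURE=false` is treated as a plain-http localhost override with `secure: true` as the default.

```javascript
// Added example (not TurboTrades code): env block -> res.cookie() options,
// plus a consistency check against the origin the browser actually uses.

function parseBool(value, fallback) {
  if (value === undefined || value === '') return fallback;
  return ['1', 'true', 'yes'].includes(String(value).toLowerCase());
}

// Map the env block to Express res.cookie() options. Defaults are the safe
// production values; COOKIE_SECURE=false is only an override for local http.
function buildCookieOptions(env) {
  const sameSite = (env.COOKIE_SAME_SITE || 'lax').toLowerCase();
  if (!['lax', 'strict', 'none'].includes(sameSite)) {
    throw new Error(`COOKIE_SAME_SITE must be lax, strict or none, got "${env.COOKIE_SAME_SITE}"`);
  }
  return {
    domain: env.COOKIE_DOMAIN || undefined, // undefined => host-only cookie
    secure: parseBool(env.COOKIE_SECURE, true),
    sameSite,
    httpOnly: true, // access/refresh tokens must never be readable by page scripts
    path: '/',
  };
}

// Compare the options with the origin the frontend is served from.
// Returns a list of problems; an empty list means the config is consistent.
function auditCookieConfig(env) {
  const problems = [];
  const opts = buildCookieOptions(env);
  const origin = new URL(env.CORS_ORIGIN || 'http://localhost:5173');
  if (opts.secure && origin.protocol === 'http:') {
    problems.push('COOKIE_SECURE=true but the frontend is served over http: the browser will not keep the cookie');
  }
  if (opts.sameSite === 'none' && !opts.secure) {
    problems.push('SameSite=None is only accepted together with Secure');
  }
  if (opts.sameSite === 'strict') {
    problems.push('SameSite=Strict is withheld on cross-site top-level navigations, e.g. the landing request after an external login redirect; this guide expects lax');
  }
  if (opts.domain && opts.domain !== origin.hostname) {
    problems.push(`COOKIE_DOMAIN=${opts.domain} does not match the frontend host ${origin.hostname}`);
  }
  return problems;
}

// Constructed sample configs: the misconfiguration this guide describes, and the fix.
const brokenEnv = {
  COOKIE_DOMAIN: '127.0.0.1',
  COOKIE_SECURE: 'true',
  COOKIE_SAME_SITE: 'strict',
  CORS_ORIGIN: 'http://localhost:5173',
};
const fixedEnv = {
  COOKIE_DOMAIN: 'localhost',
  COOKIE_SECURE: 'false',
  COOKIE_SAME_SITE: 'lax',
  CORS_ORIGIN: 'http://localhost:5173',
};

// Inside a login handler you would call, e.g.:
//   res.cookie('accessToken', token, buildCookieOptions(process.env));
console.log('broken:', auditCookieConfig(brokenEnv)); // three problems
console.log('fixed:', auditCookieConfig(fixedEnv));   // []
```

Running the block prints three problems for the broken configuration (Secure on http, SameSite=Strict, Domain mismatch) and none for the fixed one. The `httpOnly: true` line is not configurable on purpose: the two tokens are session credentials and there is no reason for page scripts to read them.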

---

## ✅ Verify It's Fixed

After applying the fix:

1. Go to http://localhost:5173/diagnostic
2. All checks should show ✅ green checkmarks
3. Try accessing Profile → Active Sessions
4. Try enabling 2FA

---

## 🐛 Still Not Working?

### Check Cookie Attributes in DevTools

1. Press F12
2. Go to the **Application** tab (Chrome) or **Storage** tab (Firefox)
3. Click **Cookies** → **http://localhost:5173**
4. Find `accessToken` and `refreshToken`

**Check these values:**

| Attribute | Should Be | Problem If |
|-----------|-----------|------------|
| Domain | `localhost` | `127.0.0.1` or `0.0.0.0` |
| Secure | ☐ unchecked | ☑ checked (won't work on HTTP) |
| SameSite | `Lax` | `Strict` |
| Path | `/` | Anything else |
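Each "Problem If" value in the table corresponds to one rule the browser applies before attaching a stored cookie to a request. The block below is an added example, not part of the TurboTrades code: a compact model of those rules (RFC 6265 sections 5.1.3, 5.1.4 and 5.4, plus the SameSite rules) that explains why a cookie with the wrong Domain, Secure, SameSite or Path never reaches `localhost:5173`. The cookie objects mirror the DevTools columns; every sample cookie and the `whyCookieWithheld` helper are constructed for this example.

```javascript
// Added example (not TurboTrades code): would the browser send this cookie?

// Domain-match (RFC 6265 5.1.3): a host-only cookie needs the exact host;
// a Domain cookie also matches subdomains, but never an IP-address host.
function domainMatches(requestHost, cookie) {
  const host = requestHost.toLowerCase();
  const domain = cookie.domain.toLowerCase();
  if (host === domain) return true;
  if (cookie.hostOnly) return false;
  const hostIsIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return !hostIsIp && host.endsWith('.' + domain);
}

// Path-match (RFC 6265 5.1.4): identical, or a prefix ending at a "/".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Returns null when the cookie would be attached, otherwise the reason it is
// withheld. crossSite / topLevelNavigation describe the request context.
function whyCookieWithheld(cookie, requestUrl, { crossSite = false, topLevelNavigation = false } = {}) {
  const url = new URL(requestUrl);
  if (!domainMatches(url.hostname, cookie)) {
    return `Domain ${cookie.domain} does not match request host ${url.hostname}`;
  }
  if (!pathMatches(url.pathname, cookie.path)) {
    return `Path ${cookie.path} does not cover ${url.pathname}`;
  }
  if (cookie.secure && url.protocol !== 'https:') {
    return 'Secure cookie is never sent over plain http';
  }
  if (crossSite && cookie.sameSite === 'Strict') {
    return 'SameSite=Strict is withheld on every cross-site request';
  }
  if (crossSite && cookie.sameSite === 'Lax' && !topLevelNavigation) {
    return 'SameSite=Lax is withheld on cross-site fetch and subresource requests';
  }
  return null;
}

// Constructed cookies: the "Should Be" column and each "Problem If" case.
const goodCookie = { name: 'accessToken', domain: 'localhost', hostOnly: false, path: '/', secure: false, sameSite: 'Lax' };
const wrongDomain = { ...goodCookie, domain: '127.0.0.1' };
const secureOnHttp = { ...goodCookie, secure: true };
const tooStrict = { ...goodCookie, sameSite: 'Strict' };
const wrongPath = { ...goodCookie, path: '/auth' };
const REQUEST = 'http://localhost:5173/api/user/sessions';

for (const c of [goodCookie, wrongDomain, secureOnHttp, tooStrict, wrongPath]) {
  console.log(c.domain, c.secure, c.sameSite, c.path, '=>', whyCookieWithheld(c, REQUEST) || 'sent');
}
// tooStrict only fails once the request is cross-site, e.g. the landing
// navigation after an external login redirect:
console.log(whyCookieWithheld(tooStrict, REQUEST, { crossSite: true, topLevelNavigation: true }));
```

The model is deliberately small (no expiry, no prefix rules), but it is enough to reason about the table: a cookie stored for `127.0.0.1` is invisible to a page on `localhost`, a Secure cookie is invisible on `http://`, and a Strict cookie survives the login flow only if every request in it is same-site.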

### If cookies don't exist at all:

- You're not actually logged in
- Click "Login with Steam" and complete OAuth
- After redirect, check cookies again

### If cookies exist but wrong attributes:

- Backend config is wrong
- Apply the fix above
- Clear cookies
- Log in again

---

## 📝 What Actually Happened

When I tested your backend directly:

```bash
# Testing sessions endpoint
curl http://localhost:3000/user/sessions
# Response: {"error":"Unauthorized","message":"No access token provided"}
# This is CORRECT - it means the route exists and works!

# Testing 2FA endpoint
curl -X POST http://localhost:3000/user/2fa/setup -H "Content-Type: application/json" -d "{}"
# Response: {"error":"Unauthorized","message":"No access token provided"}
# This is also CORRECT!
```

Both routes exist and respond properly. They're just not receiving your cookies when called from the frontend.

---

## 🎯 Root Cause

Your frontend makes requests like:

```
http://localhost:5173/api/user/sessions
```

Vite proxy forwards it to:

```
http://localhost:3000/user/sessions
```

The backend processes it but doesn't receive the `Cookie` header because:

- Cookie domain doesn't match
- Or cookie is marked Secure but you're on HTTP
- Or SameSite is too restrictive
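The forwarding described above comes from the Vite dev-server proxy. The block below is an added example, not the project's own `vite.config.js`: it shows the proxy rule that turns `/api/...` on port 5173 into `/...` on port 3000, and a helper that computes the forwarded URL so the mapping can be checked. `server.proxy`, `target`, `changeOrigin` and `rewrite` are real Vite options; `FRONTEND_URL`, `BACKEND_URL`, `rewriteApiPath` and `forwardedUrl` are assumptions made for this example.

```javascript
// Added example (not the project's vite.config.js): the proxy rule behind
// "Vite proxy forwards it to http://localhost:3000/user/sessions".
const FRONTEND_URL = 'http://localhost:5173';
const BACKEND_URL = 'http://localhost:3000';

// The /api prefix exists only on the frontend side; drop it before forwarding.
function rewriteApiPath(path) {
  return path.replace(/^\/api/, '');
}

const viteConfig = {
  server: {
    port: 5173,
    proxy: {
      '/api': {
        target: BACKEND_URL,
        changeOrigin: true, // Host header sent to the backend becomes localhost:3000
        rewrite: rewriteApiPath,
      },
    },
  },
};
// In vite.config.js this object is the default export: export default viteConfig;

// Where does a frontend URL end up after the proxy? Returns null when the
// request never leaves the dev server (no proxy rule matches).
// The browser only ever talks to localhost:5173, so whatever Cookie header it
// attaches for that host is relayed unchanged; a cookie the browser refused to
// store or send for localhost:5173 can never appear at the backend.
function forwardedUrl(frontendUrl) {
  const url = new URL(frontendUrl);
  if (url.origin !== FRONTEND_URL) return null;
  for (const [prefix, rule] of Object.entries(viteConfig.server.proxy)) {
    if (url.pathname.startsWith(prefix)) {
      const path = rule.rewrite ? rule.rewrite(url.pathname) : url.pathname;
      return rule.target + path + url.search;
    }
  }
  return null;
}

console.log(forwardedUrl('http://localhost:5173/api/user/sessions')); // http://localhost:3000/user/sessions
console.log(forwardedUrl('http://localhost:5173/diagnostic'));        // null (served by Vite itself)
```

Because the proxy relays the `Cookie` header as received, the three causes listed above are all browser-side decisions: the fix is always in how the backend sets the cookie, not in the proxy.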

---

## 📚 More Help

- **Detailed guide:** See `TROUBLESHOOTING_AUTH.md`
- **Browser diagnostic:** See `BROWSER_DIAGNOSTIC.md`
- **Test backend:** Run `node test-auth.js`

---

## Quick Test Commands

```bash
# Test if backend is running
curl http://localhost:3000/health

# Test if routes are registered
curl http://localhost:3000/user/sessions
# Should return 401 Unauthorized (this is good!)

# Test cookie debug endpoint
curl http://localhost:3000/auth/debug-cookies
# Shows cookie configuration

# After logging in, copy accessToken from DevTools and test:
curl http://localhost:3000/user/sessions -H "Cookie: accessToken=YOUR_TOKEN_HERE"
# Should return your sessions (if cookie is valid)
```

---

## 🎉 Success Looks Like This

When everything works:

1. ✅ Browser has `accessToken` and `refreshToken` cookies
2. ✅ Backend receives those cookies on every request
3. ✅ `/api/auth/me` returns your user data
4. ✅ `/api/user/sessions` returns your active sessions
5. ✅ `/api/user/2fa/setup` generates QR code
6. ✅ Profile page shows sessions and 2FA options

---

**Need more help?** Go to http://localhost:5173/diagnostic and follow the on-screen instructions!