TurboTrades/TROUBLESHOOTING_AUTH.md
2026-01-10 04:57:43 +00:00

# Authentication Troubleshooting Guide
This guide will help you debug authentication issues with sessions and 2FA endpoints.
## Quick Diagnosis Steps
### Step 1: Check if you're actually logged in
The auth cookies are `HttpOnly` (see Step 3), so `document.cookie` can never show them; do not treat their absence from the console as proof that you are logged out.
1. Open your browser console (F12)
2. Run this command:
```javascript
// HttpOnly cookies are hidden from page scripts by design, so accessToken and
// refreshToken should NOT appear here even when you are logged in.
console.log('Cookies visible to JS:', document.cookie);
```
If `accessToken` or `refreshToken` *does* show up here, `HttpOnly` is off and any injected script could read the tokens: fix that before anything else (see Step 3). To check whether you are logged in, look at the cookie list in DevTools (Step 3) or call the debug endpoint (Step 2).
### Step 2: Check the debug endpoint
1. While logged in, navigate to: `http://localhost:5173/api/auth/debug-cookies`
2. Or in the console run:
```javascript
fetch('/api/auth/debug-cookies', { credentials: 'include' })
  .then(r => r.json())
  .then(d => console.log(d));
```
This shows what the backend actually receives, which is the only reliable view of `HttpOnly` cookies:
- All cookies the backend receives
- All relevant headers
- Cookie configuration settings
Because the response echoes (truncated) token values, this endpoint must only be mounted when `NODE_ENV=development`. Never ship it to production, and do not paste its output into tickets or chat without redacting the `cookies` values.
**Expected output:**
```json
{
"success": true,
"hasAccessToken": true,
"hasRefreshToken": true,
"cookies": {
"accessToken": "eyJhbGc...",
"refreshToken": "eyJhbGc..."
}
}
```
**If `hasAccessToken` is `false`**, proceed to Step 3.
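A safer shape for such a debug endpoint, as an added example that is not TurboTrades' own code: it reports whether each auth cookie is present (plus length and whether it looks like a JWT) without echoing any value, and returns nothing at all outside development so a router can answer 404. The function names and the request shape (`cookieHeader`, `origin`, `hasAuthorization`) are assumptions for this example; the sample request is constructed.

```javascript
// Added example (not TurboTrades code): a development-only cookie debug report
// that exposes *presence* of the auth cookies, never their values.
// parseCookieHeader / debugCookieReport are names assumed for this example.

// Minimal Cookie-header parser: "a=1; b=2" -> { a: '1', b: '2' }.
// Splits at the first '=' only, so values containing '=' survive.
// First occurrence wins when a name repeats, as most servers do.
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name && !(name in out)) out[name] = value;
  }
  return out;
}

// Build the report. Returns null when not in development so the caller can
// respond 404 and nothing about the session leaks from a production build.
function debugCookieReport({ cookieHeader, origin, hasAuthorization }, nodeEnv) {
  if (nodeEnv !== 'development') return null;
  const cookies = parseCookieHeader(cookieHeader);
  const describe = (name) =>
    name in cookies
      ? {
          present: true,
          length: cookies[name].length,
          // three dot-separated segments is the JWT compact form
          looksLikeJwt: cookies[name].split('.').length === 3,
        }
      : { present: false };
  return {
    success: true,
    hasAccessToken: 'accessToken' in cookies,
    hasRefreshToken: 'refreshToken' in cookies,
    cookies: { accessToken: describe('accessToken'), refreshToken: describe('refreshToken') },
    otherCookieNames: Object.keys(cookies).filter(n => n !== 'accessToken' && n !== 'refreshToken'),
    headers: { origin: origin || null, authorization: hasAuthorization ? 'present' : 'missing' },
  };
}

// Constructed sample request, shaped like what the Vite proxy forwards after login.
const sampleRequest = {
  cookieHeader: 'accessToken=eyJhbGciOiJIUzI1NiJ9.e30.abc; refreshToken=eyJhbGciOiJIUzI1NiJ9.e30.def; theme=dark',
  origin: 'http://localhost:5173',
  hasAuthorization: false,
};

console.log(JSON.stringify(debugCookieReport(sampleRequest, 'development'), null, 2));
console.log('production:', debugCookieReport(sampleRequest, 'production'));
```

Wire `debugCookieReport({ cookieHeader: req.headers.cookie, origin: req.headers.origin, hasAuthorization: !!req.headers.authorization }, process.env.NODE_ENV)` into the route and answer 404 on `null`; the report still tells you everything Steps 2 to 4 need (is the cookie arriving, is it a JWT, is anything else arriving instead) while being safe to paste into a ticket.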
### Step 3: Inspect browser cookies
1. Open DevTools (F12)
2. Go to **Application** tab (Chrome) or **Storage** tab (Firefox)
3. Click on **Cookies** in the left sidebar
4. Select your domain (`http://localhost:5173`)
**Check these cookie properties:**
| Property | Expected Value (Development) | Problem if Different |
|----------|------------------------------|---------------------|
| **Domain** | `localhost` | If it's `127.0.0.1` or `0.0.0.0`, the browser won't send it to `localhost`. If the cookie never appears at all, try omitting the `Domain` attribute: some browsers reject an explicit `Domain=localhost` |
| **Path** | `/` | If different, cookie may not apply to `/api/*` routes |
| **SameSite** | `Lax` | If `Strict`, the cookie isn't sent on the top-level navigation back from Steam. `None` is only accepted together with `Secure`, so it can't work on `http://localhost`, and it also drops the cross-site request protection `Lax` gives |
| **Secure** | ☐ (unchecked) | If checked, the cookie may be dropped on `http://localhost` (some browsers exempt localhost, others don't). Development only: production over HTTPS must have it checked |
| **HttpOnly** | ☑ (checked) | This is correct - JavaScript can't access it. If unchecked, any XSS on the site can read the tokens |
### Step 4: Check Network requests
1. Open DevTools → **Network** tab
2. Try to access sessions: Click "Active Sessions" or refresh your profile
3. Find the request to `/api/user/sessions`
4. Click on it and check the **Headers** tab
**In Request Headers, look for:**
```
Cookie: accessToken=eyJhbGc...; refreshToken=eyJhbGc...
```
**If the Cookie header is missing or doesn't include `accessToken`:**
- The browser is not sending the cookies
- This is usually due to incorrect cookie attributes (see Step 3)
## Common Issues & Solutions
### Issue 1: Cookies have wrong domain
**Symptoms:**
- Cookies exist in DevTools but aren't sent with requests
- `debug-cookies` shows `hasAccessToken: false`
**Solution:**
1. Check your backend `.env` file or `config/index.js`
2. Ensure `COOKIE_DOMAIN=localhost` (NOT `127.0.0.1` or `0.0.0.0`). If the cookie still never shows up in DevTools, leave `COOKIE_DOMAIN` unset so that no `Domain` attribute is sent (assuming the config passes an unset value through as "no Domain attribute"): some browsers reject an explicit `Domain=localhost`, and a host-only cookie works fine for `localhost`
3. Restart the backend server
4. Log out and log back in via Steam
**Backend config check:**
```bash
# In backend directory
grep COOKIE_DOMAIN .env
# Should show: COOKIE_DOMAIN=localhost
```
### Issue 2: Cookies are Secure but you're on HTTP
**Symptoms:**
- After Steam login, you're redirected back but cookies don't persist
- Chrome console shows warnings about Secure cookies on insecure origin
**Solution:**
1. Set `COOKIE_SECURE=false` in your `.env` or `config/index.js`
2. Restart backend
3. Clear all cookies for `localhost`
4. Log in again
This is a development-only setting. In any deployment served over HTTPS keep `COOKIE_SECURE=true`; otherwise the tokens travel in clear on any `http://` request to the site.
### Issue 3: SameSite=Strict blocking cookies
**Symptoms:**
- Cookies set but not sent after Steam redirect
- Works on direct page load but not after navigation
**Solution:**
1. Set `COOKIE_SAME_SITE=lax` in your backend config (`lax`, not `none`: `none` requires `Secure`, so it fails on `http://localhost`, and it removes the cross-site request protection that `lax` gives the session cookies)
2. Restart backend
3. Log out and log in again
### Issue 4: CORS misconfiguration
This only applies if the frontend calls `http://localhost:3000` directly. Requests made through the Vite proxy (the `'/api'` base URL) are same-origin and never go through CORS.
**Symptoms:**
- Console errors mentioning `Access-Control-Allow-Origin` or `Access-Control-Allow-Credentials`; the request shows as blocked or as a CORS error in the Network tab
- 401 Unauthorized even though cookies exist, when the cross-origin request is made without credentials (see Issue 5)
**Solution:**
1. Check backend `config/index.js`:
```javascript
cors: {
  origin: "http://localhost:5173", // Must match frontend URL exactly (scheme, host and port)
  credentials: true,               // Required for cookies; browsers refuse "*" together with credentials
}
```
2. Ensure Vite dev server is running on `http://localhost:5173`
3. Restart backend
Never set `origin: true` or reflect the request's `Origin` header unconditionally while `credentials: true` is on: that lets any website make authenticated calls to the API with the user's cookies.
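The decision a credentialed CORS layer has to make for each request, as an added example that is not TurboTrades' own code (the project presumably uses the `cors` package): an exact-match allow-list, no wildcard, no origin reflection, and the extra headers a preflight needs. The function and constant names and the request shape are assumptions for this example.

```javascript
// Added example (not TurboTrades code): per-request CORS decision for an API
// that relies on cookies. Browsers reject Access-Control-Allow-Origin: *
// together with Access-Control-Allow-Credentials: true, and reflecting any
// Origin defeats the check entirely, so both are refused here.
// corsHeadersFor / ALLOWED_ORIGINS are names assumed for this example.

const ALLOWED_ORIGINS = ['http://localhost:5173']; // same value as CORS_ORIGIN in .env

// Returns {} for requests without an Origin header (same-origin, e.g. via the
// Vite proxy), null for a disallowed origin (respond without any CORS headers;
// the browser then blocks the response), or the headers to set.
function corsHeadersFor({ origin, method, requestMethod }, allowed = ALLOWED_ORIGINS) {
  if (allowed.includes('*')) throw new Error('wildcard origin cannot be combined with credentials');
  if (!origin) return {};
  // Exact string compare on scheme://host:port. A substring or regex test would
  // let http://localhost:5173.evil.example or http://localhost:51730 through.
  if (!allowed.includes(origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not serve one origin's answer to another
  };
  // Preflight (OPTIONS carrying Access-Control-Request-Method) also needs these.
  if (method === 'OPTIONS' && requestMethod) {
    headers['Access-Control-Allow-Methods'] = 'GET,POST,PUT,DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

console.log(corsHeadersFor({ origin: 'http://localhost:5173', method: 'GET' }));
console.log(corsHeadersFor({ origin: 'http://localhost:5173.evil.example', method: 'GET' }));
```

The important property is that a disallowed origin gets *no* CORS headers rather than a generic error page with permissive ones; the browser does the blocking, and the backend never has to know which origins are hostile.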
### Issue 5: Axios not sending credentials
**Symptoms:**
- Cookies exist but requests don't include them
- Works in Postman/curl but not in browser
**Solution:**
`withCredentials` only matters for cross-origin requests; calls through the `'/api'` proxy are same-origin and carry cookies regardless. Check `frontend/src/utils/axios.js`:
```javascript
const axiosInstance = axios.create({
  baseURL: '/api',
  withCredentials: true, // This is CRITICAL whenever the backend is called cross-origin
  // ...
})
```
Also ensure individual requests include it:
```javascript
axios.get('/api/user/sessions', {
withCredentials: true // Add this if missing
})
```
## Backend Debugging
### View authentication debug logs
The backend now has verbose debug logging. When you try to access `/api/user/sessions`, you'll see:
```
=== AUTH MIDDLEWARE DEBUG ===
URL: /user/sessions
Method: GET
Cookies present: [ 'accessToken', 'refreshToken' ]
Has accessToken cookie: true
Authorization header: Missing
Origin: http://localhost:5173
✓ Token found in cookies
✓ Token verified, userId: 65abc123...
✓ User authenticated: YourUsername
=== END AUTH DEBUG ===
```
The log reports whether a token is present and which user it resolved to; it never prints the token itself. Keep it that way if you extend it, since log files are routinely shared and shipped elsewhere.
**If you see "No token found":**
- The backend is not receiving cookies
- Check cookie domain/path/secure settings
**If you see "Token verified" but still get 401:**
- Check the user exists in the database
- Check for ban status
### Test with curl
If you have cookies working in the browser, test the backend directly, bypassing the Vite proxy:
1. Copy cookie values from DevTools
2. Run:
```bash
curl -v http://localhost:3000/user/sessions \
  -H "Cookie: accessToken=YOUR_TOKEN_HERE; refreshToken=YOUR_REFRESH_HERE"
```
`-v` prints the full request including the `Cookie` header, so redact the tokens before pasting the output anywhere: a copied access token is a valid login until it expires.
If curl works but browser doesn't:
- CORS issue
- Browser security policy blocking cookies
- Check browser console for security warnings
## Manual Cookie Fix
If all else fails, set the cookie attributes explicitly in config:
1. Log in via Steam
2. After the redirect, open DevTools and note the attributes of the cookies that were (or weren't) set
3. Look at the Steam callback code in `routes/auth.js` and check which cookie settings it uses; they should come from `config/index.js`, not be hard-coded in the route
4. Modify `config/index.js`:
```javascript
cookie: {
  domain: 'localhost', // NOT 127.0.0.1 or 0.0.0.0 (omit entirely if the browser rejects Domain=localhost)
  secure: false,       // Must be false for http:// in development; must be true in production
  sameSite: 'lax',     // Not 'strict' (breaks the Steam redirect) and not 'none' (needs Secure)
  httpOnly: true,      // Keep this true
},
```
5. Restart backend: `npm run dev`
6. Clear all cookies: DevTools → Application → Cookies → Right-click localhost → Clear
7. Log in again
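The rules from the Step 3 table and Issues 1 to 3, turned into a check you can run against a config object before restarting the backend, as an added example that is not TurboTrades' own code. It validates the config against the origin the cookies must work on and serialises the `Set-Cookie` line that config would produce, so you can compare it with what DevTools shows. The function names and the config shape (`domain`, `secure`, `sameSite`, `httpOnly`, `path`, `maxAgeSeconds`) are assumptions for this example; the sample configs are constructed.

```javascript
// Added example (not TurboTrades code): validate cookie settings against the
// frontend origin and build the resulting Set-Cookie header.
// validateCookieConfig / buildSetCookie are names assumed for this example.

function validateCookieConfig(cfg, frontendOrigin) {
  const problems = [];
  const url = new URL(frontendOrigin);
  const isHttps = url.protocol === 'https:';
  const sameSite = String(cfg.sameSite || 'lax').toLowerCase();

  // Domain must match the host the browser is on (localhost is not 127.0.0.1).
  if (cfg.domain && cfg.domain !== url.hostname) {
    problems.push(`domain "${cfg.domain}" does not match frontend host "${url.hostname}"; cookie will not be sent`);
  }
  // Secure cookies are dropped by http:// origins (some browsers exempt
  // http://localhost, but do not rely on it in development).
  if (cfg.secure && !isHttps) {
    problems.push('secure=true but the frontend origin is http://; browser may not store the cookie');
  }
  // Production must never run with secure=false.
  if (!cfg.secure && isHttps) {
    problems.push('secure=false on an https:// origin; tokens would be sent in clear over http');
  }
  // SameSite=None is only honoured together with Secure.
  if (sameSite === 'none' && !cfg.secure) {
    problems.push('sameSite=none requires secure=true; browser will reject the cookie');
  }
  // Strict is not sent on the top-level navigation back from Steam.
  if (sameSite === 'strict') {
    problems.push('sameSite=strict: cookie is not sent on the cross-site redirect back from Steam; use lax');
  }
  if (!cfg.httpOnly) {
    problems.push('httpOnly=false: tokens readable by any injected script (XSS)');
  }
  if (cfg.path && cfg.path !== '/') {
    problems.push(`path "${cfg.path}" will not cover /api/* routes`);
  }
  return problems;
}

// Serialise one cookie the way the server would put it on Set-Cookie.
function buildSetCookie(name, value, cfg) {
  const parts = [`${name}=${value}`, `Path=${cfg.path || '/'}`];
  if (cfg.domain) parts.push(`Domain=${cfg.domain}`);
  if (cfg.httpOnly) parts.push('HttpOnly');
  if (cfg.secure) parts.push('Secure');
  const ss = String(cfg.sameSite || 'lax');
  parts.push(`SameSite=${ss.charAt(0).toUpperCase()}${ss.slice(1).toLowerCase()}`);
  if (cfg.maxAgeSeconds) parts.push(`Max-Age=${cfg.maxAgeSeconds}`);
  return parts.join('; ');
}

// Constructed configs: the working development config from this guide, three
// broken variants that reproduce Issues 1-3, and a production config.
const devConfig = { domain: 'localhost', secure: false, sameSite: 'lax', httpOnly: true, path: '/' };
const wrongDomain = { ...devConfig, domain: '127.0.0.1' };      // Issue 1
const secureOnHttp = { ...devConfig, secure: true };             // Issue 2
const strictSameSite = { ...devConfig, sameSite: 'strict' };     // Issue 3
const prodConfig = { domain: 'app.example.com', secure: true, sameSite: 'lax', httpOnly: true, path: '/' };

for (const [label, cfg] of Object.entries({ devConfig, wrongDomain, secureOnHttp, strictSameSite })) {
  console.log(label, validateCookieConfig(cfg, 'http://localhost:5173'));
}
console.log(buildSetCookie('accessToken', 'eyJhbGc...', devConfig));
```

The same validator run with `https://app.example.com` and `secure: false` flags the production mistake that the development-only settings in this guide make easy to carry over.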
## Environment File Template
Create/update `TurboTrades/.env` (never commit it; the `JWT_*` and `SESSION_SECRET` values below are placeholders, generate real ones with `openssl rand -hex 32`):
```env
# Server
NODE_ENV=development
PORT=3000
# 0.0.0.0 listens on every interface; use 127.0.0.1 unless other machines must reach the dev server
HOST=0.0.0.0
# Database
MONGODB_URI=mongodb://localhost:27017/turbotrades
# JWT - placeholders, replace with random values (openssl rand -hex 32)
JWT_ACCESS_SECRET=your-super-secret-access-key-change-this
JWT_REFRESH_SECRET=your-super-secret-refresh-key-change-this
JWT_ACCESS_EXPIRY=15m
JWT_REFRESH_EXPIRY=7d
# Steam
STEAM_API_KEY=your_steam_api_key_here
STEAM_REALM=http://localhost:3000
STEAM_RETURN_URL=http://localhost:3000/auth/steam/return
# Cookies - CRITICAL FOR DEVELOPMENT
COOKIE_DOMAIN=localhost
COOKIE_SECURE=false
COOKIE_SAME_SITE=lax
# CORS - Must match frontend URL exactly
CORS_ORIGIN=http://localhost:5173
# Session
SESSION_SECRET=your-session-secret-change-this
```
## Testing Checklist
Run through this checklist:
- [ ] Backend running on `http://localhost:3000`
- [ ] Frontend running on `http://localhost:5173`
- [ ] MongoDB running and connected
- [ ] Steam API key configured
- [ ] Can visit `http://localhost:5173` and see the site
- [ ] Can visit `http://localhost:3000/health` and get response
- [ ] Can click "Login with Steam" and complete the Steam login (Steam uses OpenID 2.0, not OAuth)
- [ ] After login, redirected back to frontend
- [ ] DevTools shows `accessToken` and `refreshToken` cookies for `localhost`
- [ ] Cookies have `Domain: localhost` (not `127.0.0.1`)
- [ ] Cookies have `Secure: false` (unchecked)
- [ ] Cookies have `SameSite: Lax`
- [ ] Profile page shows your username and avatar (means `/auth/me` worked)
- [ ] `/api/auth/debug-cookies` shows `hasAccessToken: true`
- [ ] Network tab shows `Cookie` header on `/api/user/sessions` request
- [ ] Backend console shows "✓ User authenticated" in debug logs
## Still Not Working?
If you've gone through all the above and it still doesn't work:
1. **Check browser console** for any JavaScript errors
2. **Check backend logs** (`backend.log` or terminal output)
3. **Try a different browser** (sometimes browser extensions interfere)
4. **Try incognito/private mode** (rules out extension interference)
5. **Check if MongoDB is running** and has the User document
6. **Verify the Steam login actually created/updated your user** in MongoDB
### MongoDB Check
```bash
# Connect to MongoDB
mongosh
# Switch to database
use turbotrades
# Find your user
db.users.findOne({ steamId: "YOUR_STEAM_ID" })
# Check if sessions exist
db.sessions.find({ steamId: "YOUR_STEAM_ID" })
```
## Getting Help
If you're still stuck, gather this information (redact token values first: the `cookies` values in the debug output and the `Cookie` header in the screenshot are live credentials):
1. Output of `/api/auth/debug-cookies`
2. Screenshot of DevTools → Application → Cookies (values column blurred)
3. Screenshot of DevTools → Network → `/api/user/sessions` request headers (`Cookie` value blurred)
4. Backend console output when you try to access sessions
5. Frontend console errors (if any)
6. Your `config/index.js` cookie settings (remove secrets)
Good luck! 🚀