[Bug] axios requests in Login.tsx and Signup.tsx missing withCredentials: true — session cookie never attached #414

@anshul23102

Description

Both src/pages/Login/Login.tsx and src/pages/Signup/Signup.tsx make API calls using axios without the withCredentials: true option:

// src/pages/Login/Login.tsx
const response = await axios.post(`${backendUrl}/api/auth/login`, formData);

// src/pages/Signup/Signup.tsx — comment says "Include cookies for session" but the option is absent
const response = await axios.post(`${backendUrl}/api/auth/signup`, formData);

The backend uses express-session with cookie-based sessions (configured in backend/server.js). For a browser to store and send session cookies on cross-origin requests, the axios call must include withCredentials: true and the server must respond with Access-Control-Allow-Credentials: true.

Without withCredentials: true:

  • The Set-Cookie header in the login response is silently ignored by the browser.
  • No session cookie is stored.
  • Every subsequent request is treated as unauthenticated by the backend.

Root Cause

src/pages/Login/Login.tsx and src/pages/Signup/Signup.tsx do not pass { withCredentials: true } to axios. The comment in Signup.tsx ("Include cookies for session") confirms this was intended but never implemented.

Impact

  • Login is non-functional across page navigations. The user appears to log in (response is 200) but is immediately unauthenticated on any subsequent page load or API request.
  • The logout route at /api/auth/logout is also unreachable with a valid session because the cookie is never sent back.
  • This is the root cause of the authentication breakage reported in issue #296, "Authentication (Sign In / Sign Up) Not Working on Live Demo".

Steps to Reproduce

  1. Open browser DevTools > Network tab.
  2. Log in with valid credentials.
  3. Observe the login response headers: Set-Cookie is present in the response.
  4. Navigate to any protected page.
  5. Observe that no Cookie header is sent on subsequent requests — the session is lost.

Expected Behavior

After a successful login, the session cookie should be stored and sent with every subsequent request, maintaining the authenticated state across page navigations.

Proposed Fix

Add withCredentials: true to both axios calls:

// src/pages/Login/Login.tsx
const response = await axios.post(
  `${backendUrl}/api/auth/login`,
  formData,
  { withCredentials: true }
);

// src/pages/Signup/Signup.tsx
const response = await axios.post(
  `${backendUrl}/api/auth/signup`,
  formData,
  { withCredentials: true }
);

Also ensure the backend CORS config allows credentials (replace cors('*') with a specific origin and credentials: true as tracked in issue #374).

Affected Files

  • src/pages/Login/Login.tsx
  • src/pages/Signup/Signup.tsx
  • backend/server.js (CORS must also set credentials: true)

Suggested Labels

type:bug level:advanced quality:exceptional

I would like to work on this issue under GSSoC 2026. Could you please assign it to me? @GitMetricsLab

/assign
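
Added example (not part of the issue or the project's code): a simplified JavaScript model of the browser's CORS credential rules, showing why the reported call drops the session cookie and why the client-side fix alone still fails against cors('*'). The origins, the cookie value and the name sessionCookieOutcome are constructed for illustration; cookie attributes such as SameSite and Secure are not modeled.

```javascript
// Simplified model of the browser-side checks that decide whether a login
// response may set a session cookie. Hypothetical helper, not a real API.
function sessionCookieOutcome({ pageOrigin, requestUrl, withCredentials, responseHeaders }) {
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = value; // header names are case-insensitive
  }
  const hasCookie = Boolean(headers['set-cookie']);
  if (new URL(requestUrl).origin === pageOrigin) {
    // Same-origin requests always carry credentials; CORS does not apply.
    return hasCookie ? 'cookie-stored' : 'no-cookie-in-response';
  }
  const allowOrigin = headers['access-control-allow-origin'];
  if (!withCredentials) {
    // Response may be readable, but Set-Cookie is ignored without credentials.
    return allowOrigin === '*' || allowOrigin === pageOrigin
      ? 'cookie-ignored'
      : 'blocked-by-cors';
  }
  // Credentialed request: a wildcard origin is rejected and the server must
  // opt in with Access-Control-Allow-Credentials: true.
  if (allowOrigin !== pageOrigin) return 'blocked-by-cors';
  if (headers['access-control-allow-credentials'] !== 'true') return 'blocked-by-cors';
  return hasCookie ? 'cookie-stored' : 'no-cookie-in-response';
}

// Constructed sample values (assumed dev origins, made-up session cookie).
const login = {
  pageOrigin: 'http://localhost:5173',
  requestUrl: 'http://localhost:5000/api/auth/login',
};
const cookie = 'connect.sid=s%3Aexample; Path=/; HttpOnly';

const cases = {
  // Current code: no withCredentials, backend answers with cors('*').
  asReported: sessionCookieOutcome({ ...login, withCredentials: false,
    responseHeaders: { 'Access-Control-Allow-Origin': '*', 'Set-Cookie': cookie } }),
  // Client fixed, backend still using the wildcard.
  clientFixOnly: sessionCookieOutcome({ ...login, withCredentials: true,
    responseHeaders: { 'Access-Control-Allow-Origin': '*', 'Set-Cookie': cookie } }),
  // Client fixed, backend sends a specific origin plus credentials: true.
  bothFixed: sessionCookieOutcome({ ...login, withCredentials: true,
    responseHeaders: { 'Access-Control-Allow-Origin': login.pageOrigin,
      'Access-Control-Allow-Credentials': 'true', 'Set-Cookie': cookie } }),
};
console.log(cases);
```

A useful regression check after the fix is to confirm in DevTools that the login response carries both CORS headers with the exact frontend origin and that the next request includes a Cookie header.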
