KD2303 · KD2303 · Mar 20, 2026 · Mar 20, 2026 · Copilot · Mar 20, 2026
diff --git a/backend/src/controllers/authController.js b/backend/src/controllers/authController.js
@@ -127,7 +127,7 @@ export const getSession = asyncHandler(async (req, res) => {
         .status(200)
         .json({ success: true, authenticated: false, user: null });
 
-    res.status(200).json({ success: true, authenticated: true, user });
+    res.status(200).json({ success: true, authenticated: true, user, token });
-    res.status(200).json({ success: true, authenticated: true, user, token });
+    // Issue a short-lived secondary token instead of exposing the primary cookie JWT
+    const secondaryToken = jwt.sign(
+      { id: user.id, purpose: "session" },
+      process.env.JWT_SECRET,
+      { expiresIn: "5m" },
+    );
+
+    res
+      .status(200)
+      .json({ success: true, authenticated: true, user, token: secondaryToken });
-    res.status(200).json({ success: true, authenticated: true, user, token });
+    res.status(200).json({ success: true, authenticated: true, user });
-    res.status(200).json({ success: true, authenticated: true, user, token });
+    // Issue a short-lived secondary token instead of exposing the primary cookie JWT
+    const secondaryToken = jwt.sign(
+      { id: user.id, purpose: "session" },
+      process.env.JWT_SECRET,
+      { expiresIn: "5m" },
+    );
+
+    res
+      .status(200)
+      .json({ success: true, authenticated: true, user, token: secondaryToken });
-    res.status(200).json({ success: true, authenticated: true, user, token });
+    res.status(200).json({ success: true, authenticated: true, user });
   } catch {
     res.status(200).json({ success: true, authenticated: false, user: null });
   }

diff --git a/backend/src/utils/tokenUtils.js b/backend/src/utils/tokenUtils.js
@@ -43,5 +43,6 @@ export const sendTokenResponse = (user, statusCode, res) => {
   res.status(statusCode).cookie("token", token, options).json({
     success: true,
     user: userData,
+    token, // Include token for Socket.io and client-side storage
   });
 };
-    token, // Include token for Socket.io and client-side storage
-  });
-};
+  });
+};
+};
-    token, // Include token for Socket.io and client-side storage
-  });
-};
+  });
+};
+};
diff --git a/frontend/src/context/AuthContext.jsx b/frontend/src/context/AuthContext.jsx
@@ -34,9 +34,16 @@ export const AuthProvider = ({ children }) => {
       const response = await authService.getSession();
       setUser(response.user || null);
       setIsAuthenticated(Boolean(response.authenticated));
+      // Store token in localStorage if authenticated for Socket.io connection
+      if (response.authenticated && response.token) {
+        localStorage.setItem("token", response.token);
+      } else {
+        localStorage.removeItem("token");
+      }
     } catch {
       setUser(null);
       setIsAuthenticated(false);
+      localStorage.removeItem("token");
     } finally {
       setLoading(false);
     }
@@ -47,6 +54,10 @@ export const AuthProvider = ({ children }) => {
       const response = await authService.login(email, password);
       setUser(response.user);
       setIsAuthenticated(true);
+      // Store token in localStorage for Socket.io and other client-side usage
+      if (response.token) {
+        localStorage.setItem("token", response.token);
+      }
       toast.success(`Welcome back, ${response.user.name}!`);
       return response;
     } catch (error) {
@@ -65,6 +76,10 @@ export const AuthProvider = ({ children }) => {
       const response = await authService.register(userData);
       setUser(response.user);
       setIsAuthenticated(true);
+      // Store token in localStorage for Socket.io and other client-side usage
+      if (response.token) {
+        localStorage.setItem("token", response.token);
-        localStorage.setItem("token", response.token);
+        localStorage.setItem("token", response.token);
+      } else {
+        localStorage.removeItem("token");
-        localStorage.setItem("token", response.token);
+        localStorage.setItem("token", response.token);
+      } else {
+        localStorage.removeItem("token");
+      }
       toast.success("Account created successfully!");
       return response;
     } catch (error) {
@@ -94,6 +109,9 @@ export const AuthProvider = ({ children }) => {
     setUser(null);
     setIsAuthenticated(false);
 
+    // Clear token from localStorage
+    localStorage.removeItem("token");
+
     // Clear any cached data (optional, add if there's caching in localStorage)
     // sessionStorage.clear(); // Only if you're using sessionStorage