From 07b76bf0489b1bbad1366459682104e03e095178 Mon Sep 17 00:00:00 2001
From: "Jenola.base.eth" <jesutolaolusegun@gmail.com>
Date: Sat, 30 May 2026 00:10:14 +0000
Subject: [PATCH] feat: enhance authentication flow and cookie management

- Updated CORS configuration to allow credentials.
- Modified authentication middleware to check for token in cookies.
- Implemented access token cookie management in auth routes.
- Refactored frontend AuthContext to remove token state management.
- Adjusted API service to remove token parameter from requests.
- Updated various components to handle user state without direct token access.
- Added cookie handling for access tokens in login and registration flows.
- Improved admin dashboard and campaign management to align with new auth structure.
---
 backend/src/index.js                  |   7 +-
 backend/src/middleware/auth.js        |   5 +-
 backend/src/routes/auth.js            |  42 ++++++-
 frontend/src/context/AuthContext.jsx  |  20 +--
 frontend/src/pages/AcceptInvite.jsx   |   6 +-
 frontend/src/pages/AdminDashboard.jsx |  50 ++++----
 frontend/src/pages/CreateCampaign.jsx |  19 ++-
 frontend/src/pages/Dashboard.jsx      |  10 +-
 frontend/src/pages/Developer.jsx      |  19 ++-
 frontend/src/pages/Login.jsx          |   4 +-
 frontend/src/pages/Register.jsx       |   4 +-
 frontend/src/services/api.js          | 171 ++++++++++++--------------
 package-lock.json                     | 106 ++++++++++++++++
 13 files changed, 286 insertions(+), 177 deletions(-)
 create mode 100644 package-lock.json

diff --git a/backend/src/index.js b/backend/src/index.js
index 73a7388..67d7452 100644
--- a/backend/src/index.js
+++ b/backend/src/index.js
@@ -21,7 +21,12 @@ const rateLimit = require('express-rate-limit');
 const app = express();
 
 app.use(helmet());
-app.use(cors({ origin: process.env.FRONTEND_URL || 'http://localhost:5173' }));
+app.use(
+  cors({
+    origin: process.env.FRONTEND_URL || 'http://localhost:5173',
+    credentials: true,
+  })
+);
 app.use(express.json({ limit: '50kb' }));
 app.use(cookieParser());
 app.use(requestIdMiddleware);
diff --git a/backend/src/middleware/auth.js b/backend/src/middleware/auth.js
index e1e6b4b..dc4af17 100644
--- a/backend/src/middleware/auth.js
+++ b/backend/src/middleware/auth.js
@@ -12,10 +12,7 @@ function hashApiKey(rawKey) {
 
 async function authenticate(req) {
   const header = req.headers.authorization;
-  if (!header || !header.startsWith('Bearer ')) {
-    throw new Error('Missing token');
-  }
-  const token = header.slice(7).trim();
+  const token = req.cookies?.cp_token || (header && header.startsWith('Bearer ') ? header.slice(7).trim() : null);
   if (!token) throw new Error('Missing token');
 
   if (token.startsWith('cp_live_')) {
diff --git a/backend/src/routes/auth.js b/backend/src/routes/auth.js
index 4cc41d2..5d95be8 100644
--- a/backend/src/routes/auth.js
+++ b/backend/src/routes/auth.js
@@ -27,12 +27,42 @@ const {
  *     description: User registration and login
  */
 
+const ACCESS_TOKEN_COOKIE_NAME = 'cp_token';
 const REFRESH_TOKEN_COOKIE_NAME = 'cp_refresh_token';
 const REFRESH_TOKEN_COOKIE_MAX_AGE = 7 * 24 * 60 * 60 * 1000;
 const PASSWORD_RESET_TTL_MS = 60 * 60 * 1000;
 const FORGOT_PASSWORD_MESSAGE =
   'If that email exists, a password reset link has been sent.';
 
+function parseJwtExpiresIn(value) {
+  const match = String(value).match(/^(\d+)([smhd])$/);
+  if (!match) return 15 * 60;
+  const num = parseInt(match[1], 10);
+  const unit = match[2];
+  if (unit === 's') return num;
+  if (unit === 'm') return num * 60;
+  if (unit === 'h') return num * 60 * 60;
+  if (unit === 'd') return num * 24 * 60 * 60;
+  return 15 * 60;
+}
+
+function setAccessTokenCookie(res, token) {
+  res.cookie(ACCESS_TOKEN_COOKIE_NAME, token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'strict',
+    maxAge: parseJwtExpiresIn(process.env.JWT_EXPIRES_IN || '15m') * 1000,
+  });
+}
+
+function clearAccessTokenCookie(res) {
+  res.clearCookie(ACCESS_TOKEN_COOKIE_NAME, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'strict',
+  });
+}
+
 const isTest = process.env.NODE_ENV === 'test';
 const registerLimiter = rateLimit({
   windowMs: 60 * 60 * 1000,
@@ -252,6 +282,7 @@ router.post('/register', registerLimiter, registerValidation, validateRequest, a
   const { token: refreshToken, expiresAt } = await createRefreshToken(user.id);
 
   setRefreshTokenCookie(res, refreshToken, expiresAt);
+  setAccessTokenCookie(res, accessToken);
 
   const requestId = req.id;
   setImmediate(() => {
@@ -269,7 +300,7 @@ router.post('/register', registerLimiter, registerValidation, validateRequest, a
     });
   });
 
-  res.status(201).json({ token: accessToken, user });
+  res.status(201).json({ user });
 });
 
 router.post('/login', loginLimiter, loginValidation, validateRequest, async (req, res) => {
@@ -349,9 +380,9 @@ router.post('/login', loginLimiter, loginValidation, validateRequest, async (req
   const { token: refreshToken, expiresAt } = await createRefreshToken(user.id);
 
   setRefreshTokenCookie(res, refreshToken, expiresAt);
+  setAccessTokenCookie(res, accessToken);
 
   res.json({
-    token: accessToken,
     user: {
       id: user.id,
       email: user.email,
@@ -381,9 +412,9 @@ router.post('/refresh', async (req, res) => {
   const { token: newRefreshToken, expiresAt } = await rotateRefreshToken(token, user.id);
 
   setRefreshTokenCookie(res, newRefreshToken, expiresAt);
+  setAccessTokenCookie(res, accessToken);
 
   res.json({
-    token: accessToken,
     user: {
       id: user.id,
       email: user.email,
@@ -398,13 +429,14 @@ router.post('/refresh', async (req, res) => {
   });
 });
 
-router.post('/logout', requireAuth, async (req, res) => {
+router.post('/logout', async (req, res) => {
   const token = req.cookies?.[REFRESH_TOKEN_COOKIE_NAME];
   if (token) {
     await revokeRefreshToken(token);
   }
   clearRefreshTokenCookie(res);
-  res.json({ message: 'Logged out successfully' });
+  clearAccessTokenCookie(res);
+  res.json({ ok: true });
 });
 
 router.post(
diff --git a/frontend/src/context/AuthContext.jsx b/frontend/src/context/AuthContext.jsx
index 5efca33..bf35d14 100644
--- a/frontend/src/context/AuthContext.jsx
+++ b/frontend/src/context/AuthContext.jsx
@@ -18,31 +18,25 @@ export function AuthProvider({ children }) {
       return null;
     }
   });
-  const [token, setToken] = useState(() => api.getToken());
   const [ready, setReady] = useState(false);
 
   useEffect(() => {
     let active = true;
 
     async function restoreSession() {
-      if (!user) {
-        setReady(true);
-        return;
-      }
-
       try {
         const data = await api.refresh();
         if (!active) return;
-        setToken(data.token);
         if (data.user) {
           setUser(data.user);
           localStorage.setItem('cp_user', JSON.stringify(data.user));
+        } else {
+          setUser(null);
+          localStorage.removeItem('cp_user');
         }
       } catch {
         if (!active) return;
         setUser(null);
-        setToken(null);
-        api.setToken(null);
         localStorage.removeItem('cp_user');
       } finally {
         if (active) {
@@ -58,11 +52,9 @@ export function AuthProvider({ children }) {
     };
   }, []);
 
-  const login = useCallback(async (userData, jwt) => {
+  const login = useCallback(async (userData) => {
     const normalized = { ...userData, role: userData.role || (userData.is_admin ? 'admin' : 'contributor') };
     setUser(normalized);
-    setToken(jwt);
-    api.setToken(jwt);
     localStorage.setItem('cp_user', JSON.stringify(normalized));
     setReady(true);
   }, []);
@@ -73,8 +65,6 @@ export function AuthProvider({ children }) {
     } catch {
     }
     setUser(null);
-    setToken(null);
-    api.setToken(null);
     localStorage.removeItem('cp_user');
     setReady(true);
   }, []);
@@ -85,7 +75,7 @@ export function AuthProvider({ children }) {
   }, []);
 
   return (
-    <AuthContext.Provider value={{ user, token, ready, login, logout, updateUser }}>
+    <AuthContext.Provider value={{ user, ready, login, logout, updateUser }}>
       {children}
     </AuthContext.Provider>
   );
diff --git a/frontend/src/pages/AcceptInvite.jsx b/frontend/src/pages/AcceptInvite.jsx
index e1e2cfd..d35e9a3 100644
--- a/frontend/src/pages/AcceptInvite.jsx
+++ b/frontend/src/pages/AcceptInvite.jsx
@@ -5,7 +5,7 @@ import { useAuth } from '../context/AuthContext';
 
 export default function AcceptInvite() {
   const { id, token } = useParams();
-  const { user, token: authToken, ready } = useAuth();
+  const { user, ready } = useAuth();
   const navigate = useNavigate();
   const [loading, setLoading] = useState(false);
   const [error, setError] = useState('');
@@ -15,7 +15,7 @@ export default function AcceptInvite() {
     setLoading(true);
     setError('');
     try {
-      await api.acceptCampaignInvitation(id, { token }, authToken);
+      await api.acceptCampaignInvitation(id, { token });
       setSuccess(true);
       setLoading(false);
       setTimeout(() => {
@@ -35,7 +35,7 @@ export default function AcceptInvite() {
     );
   }
 
-  if (!authToken) {
+  if (!user) {
     return (
       <main className="container page-narrow" style={{ paddingTop: '3rem' }}>
         <h1 style={{ fontSize: '1.5rem', fontWeight: 800, marginBottom: '1rem' }}>Join Campaign Team</h1>
diff --git a/frontend/src/pages/AdminDashboard.jsx b/frontend/src/pages/AdminDashboard.jsx
index 9708717..dfc779e 100644
--- a/frontend/src/pages/AdminDashboard.jsx
+++ b/frontend/src/pages/AdminDashboard.jsx
@@ -5,18 +5,18 @@ import { useNavigate } from 'react-router-dom';
 
 const DISPUTE_STATUSES = ['open', 'under_review', 'resolved_creator', 'resolved_contributor', 'closed'];
 
-function DisputeQueue({ token }) {
+function DisputeQueue() {
   const [disputes, setDisputes] = useState([]);
   const [loading, setLoading] = useState(true);
   const [busyId, setBusyId] = useState(null);
 
   useEffect(() => {
     // Load open/under_review disputes across all campaigns via admin endpoint
-    api.getAdminCampaigns(token)
+    api.getAdminCampaigns()
       .then(async (campaigns) => {
         const all = await Promise.all(
           campaigns.map((c) =>
-            api.getCampaignDisputes(c.id, token)
+            api.getCampaignDisputes(c.id)
               .then((ds) => ds.map((d) => ({ ...d, campaign_title: c.title })))
               .catch(() => [])
           )
@@ -24,14 +24,14 @@ function DisputeQueue({ token }) {
         setDisputes(all.flat().sort((a, b) => new Date(b.created_at) - new Date(a.created_at)));
       })
       .finally(() => setLoading(false));
-  }, [token]);
+  }, []);
 
   async function resolve(dispute, status) {
     const note = window.prompt(`Resolution note (${status}):`, '');
     if (note === null) return;
     setBusyId(dispute.id);
     try {
-      const updated = await api.updateDispute(dispute.id, { status, resolution_note: note || undefined }, token);
+      const updated = await api.updateDispute(dispute.id, { status, resolution_note: note || undefined });
       setDisputes((prev) => prev.map((d) => (d.id === updated.id ? { ...d, ...updated } : d)));
     } catch (err) {
       alert(err.message || 'Could not update dispute');
@@ -98,7 +98,7 @@ function DisputeQueue({ token }) {
 }
 
 export default function AdminDashboard() {
-  const { user, token, ready } = useAuth();
+  const { user, ready } = useAuth();
   const navigate = useNavigate();
   const [stats, setStats] = useState(null);
   const [campaigns, setCampaigns] = useState([]);
@@ -121,11 +121,11 @@ export default function AdminDashboard() {
     }
 
     Promise.all([
-      api.getAdminStats(token),
-      api.getAdminCampaigns(token),
-      api.getAdminMilestones(token),
-      api.getAdminUsers(token),
-      api.getAdminAuditLog(token)
+      api.getAdminStats(),
+      api.getAdminCampaigns(),
+      api.getAdminMilestones(),
+      api.getAdminUsers(true),
+      api.getAdminAuditLog()
     ]).then(([st, camp, milestoneRows, usrs, audit]) => {
       setStats(st);
       setCampaigns(camp);
@@ -138,34 +138,34 @@ export default function AdminDashboard() {
       navigate('/');
     });
 
-  }, [ready, user, token, navigate]);
+  }, [ready, user, navigate]);
 
   if (!ready || loading) return <div className="container" style={{padding:'2rem'}}>Loading admin panel...</div>;
 
   async function refreshCampaigns() {
-    const camp = await api.getAdminCampaigns(token);
+    const camp = await api.getAdminCampaigns();
     setCampaigns(camp);
   }
 
   async function refreshUsers() {
-    const usrs = await api.getAdminUsers(token, true);
+    const usrs = await api.getAdminUsers(true);
     setUsers(usrs);
   }
 
   async function refreshAuditLog() {
-    const audit = await api.getAdminAuditLog(token);
+    const audit = await api.getAdminAuditLog();
     setAuditLog(audit);
   }
 
   async function refreshMilestones() {
-    const rows = await api.getAdminMilestones(token);
+    const rows = await api.getAdminMilestones();
     setMilestones(rows);
   }
 
   async function approveMilestone(id) {
     setBusyMilestoneId(id);
     try {
-      await api.approveMilestone(id, {}, token);
+      await api.approveMilestone(id, {});
       await refreshMilestones();
       await refreshCampaigns();
     } finally {
@@ -178,7 +178,7 @@ export default function AdminDashboard() {
     if (reason === null) return;
     setBusyMilestoneId(id);
     try {
-      await api.rejectMilestone(id, { reason: reason || 'Rejected by platform' }, token);
+      await api.rejectMilestone(id, { reason: reason || 'Rejected by platform' });
       await refreshMilestones();
     } finally {
       setBusyMilestoneId(null);
@@ -190,7 +190,7 @@ export default function AdminDashboard() {
     if (reason === null) return;
     setBusyCampaignId(campaignId);
     try {
-      await api.adminSuspendCampaign(campaignId, { reason }, token);
+      await api.adminSuspendCampaign(campaignId, { reason });
       await refreshCampaigns();
       await refreshAuditLog();
       alert('Campaign suspended');
@@ -205,7 +205,7 @@ export default function AdminDashboard() {
     if (!window.confirm('Restore this campaign to active?')) return;
     setBusyCampaignId(campaignId);
     try {
-      await api.adminRestoreCampaign(campaignId, token);
+      await api.adminRestoreCampaign(campaignId);
       await refreshCampaigns();
       await refreshAuditLog();
       alert('Campaign restored');
@@ -222,7 +222,7 @@ export default function AdminDashboard() {
     if (!window.confirm('This will permanently delete the campaign. Are you sure?')) return;
     setBusyCampaignId(campaignId);
     try {
-      await api.adminDeleteCampaign(campaignId, { reason }, token);
+      await api.adminDeleteCampaign(campaignId, { reason });
       await refreshCampaigns();
       await refreshAuditLog();
       alert('Campaign deleted');
@@ -238,7 +238,7 @@ export default function AdminDashboard() {
     if (reason === null) return;
     setBusyUserId(userId);
     try {
-      await api.adminBanUser(userId, { reason }, token);
+      await api.adminBanUser(userId, { reason });
       await refreshUsers();
       await refreshAuditLog();
       alert('User banned');
@@ -253,7 +253,7 @@ export default function AdminDashboard() {
     if (!window.confirm('Unban this user?')) return;
     setBusyUserId(userId);
     try {
-      await api.adminUnbanUser(userId, token);
+      await api.adminUnbanUser(userId);
       await refreshUsers();
       await refreshAuditLog();
       alert('User unbanned');
@@ -453,7 +453,7 @@ export default function AdminDashboard() {
       {activeTab === 'disputes' && (
         <>
           <h2 style={{fontSize:'1.4rem', fontWeight:700, marginBottom:'1rem'}}>Dispute Queue</h2>
-          <DisputeQueue token={token} />
+          <DisputeQueue />
         </>
       )}
 
@@ -499,7 +499,7 @@ export default function AdminDashboard() {
                 <td style={tdStyle}>{c.status}</td>
                 <td style={tdStyle}>
                   <select value={c.status} onChange={(e) => {
-                    api.updateCampaignStatus(c.id, e.target.value, token).then(() => {
+                    api.updateCampaignStatus(c.id, e.target.value).then(() => {
                       setCampaigns(campaigns.map(camp => camp.id === c.id ? {...camp, status: e.target.value} : camp));
                     });
                   }} style={{padding:'0.3rem', borderRadius:'4px', border:'1px solid var(--color-border-light)'}}>
diff --git a/frontend/src/pages/CreateCampaign.jsx b/frontend/src/pages/CreateCampaign.jsx
index 0c8df45..c06aae7 100644
--- a/frontend/src/pages/CreateCampaign.jsx
+++ b/frontend/src/pages/CreateCampaign.jsx
@@ -32,7 +32,7 @@ function milestonePercentTotal(milestones) {
 }
 
 export default function CreateCampaign() {
-  const { token, user, ready, updateUser } = useAuth();
+  const { user, ready, updateUser } = useAuth();
   const navigate = useNavigate();
   const [step, setStep] = useState(1);
   const [form, setForm] = useState({
@@ -50,15 +50,15 @@ export default function CreateCampaign() {
   const [showCreatorTips, setShowCreatorTips] = useState(isCreatorOnboardingVisible);
 
   useEffect(() => {
-    if (ready && !token) {
+    if (ready && !user) {
       navigate('/login', { replace: true, state: { from: '/campaigns/new' } });
     }
-  }, [ready, token, navigate]);
+  }, [ready, user, navigate]);
 
   useEffect(() => {
-    if (!token) return;
-    api.getMe(token).then(updateUser).catch(() => {});
-  }, [token, updateUser]);
+    if (!user) return;
+    api.getMe().then(updateUser).catch(() => {});
+  }, [user, updateUser]);
 
   function setField(field) {
     return (e) => setForm((f) => ({ ...f, [field]: e.target.value }));
@@ -221,14 +221,13 @@ export default function CreateCampaign() {
                 release_percentage: Number(milestone.release_percentage),
               }))
             : undefined,
-        },
-        token
+        }
       );
 
       let coverUploadError = '';
       if (coverImageFile) {
         try {
-          await api.uploadCampaignCoverImage(campaign.id, coverImageFile, token);
+          await api.uploadCampaignCoverImage(campaign.id, coverImageFile);
         } catch (uploadError) {
           coverUploadError = uploadError.message || 'Campaign created, but cover image upload failed.';
         }
@@ -256,7 +255,7 @@ export default function CreateCampaign() {
     );
   }
 
-  if (!token) {
+  if (!user) {
     return (
       <main className="container page-narrow" style={{ paddingTop: '3rem' }}>
         <p className="alert alert--info">Redirecting to sign in…</p>
diff --git a/frontend/src/pages/Dashboard.jsx b/frontend/src/pages/Dashboard.jsx
index 1f44526..4f1d859 100644
--- a/frontend/src/pages/Dashboard.jsx
+++ b/frontend/src/pages/Dashboard.jsx
@@ -28,7 +28,7 @@ function formatConversionRate(row) {
 }
 
 export default function Dashboard() {
-  const { token, user, ready, updateUser } = useAuth();
+  const { user, ready, updateUser } = useAuth();
   const [searchParams, setSearchParams] = useSearchParams();
   const tabParam = searchParams.get('tab');
   const activeTab = tabParam === 'contributions' ? 'contributions' : 'campaigns';
@@ -46,12 +46,12 @@ export default function Dashboard() {
     String(import.meta.env.VITE_KYC_REQUIRED_FOR_CAMPAIGNS ?? 'true').toLowerCase() !== 'false';
 
   useEffect(() => {
-    if (!token) return;
+    if (!user) return;
     setLoadingCampaigns(true);
     setError('');
-    const requests = [api.getMyContributions(token)];
+    const requests = [api.getMyContributions()];
     if (isCreator) {
-      requests.unshift(api.getMe(token), api.getMyStats(token), api.getMyCampaigns(token));
+      requests.unshift(api.getMe(), api.getMyStats(), api.getMyCampaigns());
     }
 
     Promise.all(requests)
@@ -88,7 +88,7 @@ export default function Dashboard() {
       </main>
     );
   }
-  if (!token) return <Navigate to="/login" replace />;
+  if (!user) return <Navigate to="/login" replace />;
 
   const loading = activeTab === 'campaigns' ? loadingCampaigns : loadingContributions;
 
diff --git a/frontend/src/pages/Developer.jsx b/frontend/src/pages/Developer.jsx
index 129b669..88294eb 100644
--- a/frontend/src/pages/Developer.jsx
+++ b/frontend/src/pages/Developer.jsx
@@ -13,7 +13,7 @@ const EVENT_OPTIONS = [
 const SCOPE_OPTIONS = ['read', 'write', 'withdrawals', 'developer', 'full'];
 
 export default function Developer() {
-  const { token, user } = useAuth();
+  const { user } = useAuth();
   const [keys, setKeys] = useState([]);
   const [hooks, setHooks] = useState([]);
   const [deliveries, setDeliveries] = useState([]);
@@ -27,13 +27,12 @@ export default function Developer() {
   const [loading, setLoading] = useState(true);
 
   async function refresh() {
-    if (!token) return;
     setError('');
     try {
       const [k, h, d] = await Promise.all([
-        api.listApiKeys(token),
-        api.listWebhooks(token),
-        api.listWebhookDeliveries(token, { limit: 80 }),
+        api.listApiKeys(),
+        api.listWebhooks(),
+        api.listWebhookDeliveries({ limit: 80 }),
       ]);
       setKeys(k);
       setHooks(h);
@@ -47,7 +46,7 @@ export default function Developer() {
 
   useEffect(() => {
     refresh();
-  }, [token]);
+  }, []);
 
   if (!user) {
     return (
@@ -62,7 +61,7 @@ export default function Developer() {
     setRevealedKey('');
     setError('');
     try {
-      const res = await api.createApiKey({ label: newKeyLabel, scopes: newKeyScopes }, token);
+      const res = await api.createApiKey({ label: newKeyLabel, scopes: newKeyScopes });
       setRevealedKey(res.api_key);
       await refresh();
     } catch (err) {
@@ -74,7 +73,7 @@ export default function Developer() {
     if (!confirm('Revoke this API key?')) return;
     setError('');
     try {
-      await api.deleteApiKey(id, token);
+      await api.deleteApiKey(id);
       await refresh();
     } catch (err) {
       setError(err.message);
@@ -86,7 +85,7 @@ export default function Developer() {
     setRevealedSecret('');
     setError('');
     try {
-      const res = await api.createWebhook({ url: hookUrl, events: hookEvents }, token);
+      const res = await api.createWebhook({ url: hookUrl, events: hookEvents });
       setRevealedSecret(res.secret);
       setHookUrl('');
       await refresh();
@@ -99,7 +98,7 @@ export default function Developer() {
     if (!confirm('Remove this webhook endpoint?')) return;
     setError('');
     try {
-      await api.deleteWebhook(id, token);
+      await api.deleteWebhook(id);
       await refresh();
     } catch (err) {
       setError(err.message);
diff --git a/frontend/src/pages/Login.jsx b/frontend/src/pages/Login.jsx
index 96f1d32..b94994f 100644
--- a/frontend/src/pages/Login.jsx
+++ b/frontend/src/pages/Login.jsx
@@ -26,8 +26,8 @@ export default function Login() {
     setLoading(true);
     setError('');
     try {
-      const { token, user } = await api.login(form);
-      login(user, token);
+      const { user } = await api.login(form);
+      login(user);
       navigate(location.state?.from || '/', { replace: true });
     } catch (err) {
       setError(err.message);
diff --git a/frontend/src/pages/Register.jsx b/frontend/src/pages/Register.jsx
index 10b47f0..bfcf690 100644
--- a/frontend/src/pages/Register.jsx
+++ b/frontend/src/pages/Register.jsx
@@ -39,8 +39,8 @@ export default function Register() {
         payload.wallet_type = 'freighter';
         payload.wallet_public_key = freighterPublicKey;
       }
-      const { token, user } = await api.register(payload);
-      login(user, token);
+      const { user } = await api.register(payload);
+      login(user);
       markJustRegistered();
       navigate(user.role === 'creator' ? '/dashboard' : '/');
     } catch (err) {
diff --git a/frontend/src/services/api.js b/frontend/src/services/api.js
index ae04670..60b7db0 100644
--- a/frontend/src/services/api.js
+++ b/frontend/src/services/api.js
@@ -1,16 +1,14 @@
 const BASE = '/api';
 
-let accessToken = null;
 let refreshPromise = null;
 
-function authHeaders(token) {
+function jsonHeaders() {
   return {
     'Content-Type': 'application/json',
-    ...(token ? { Authorization: `Bearer ${token}` } : {}),
   };
 }
 
-async function request(method, path, body, token, options = {}) {
+async function request(method, path, body, options = {}) {
   const { query, _retry = false } = options;
   let url = `${BASE}${path}`;
   if (query && Object.keys(query).length) {
@@ -21,11 +19,9 @@ async function request(method, path, body, token, options = {}) {
     url += `?${params.toString()}`;
   }
 
-  const activeToken = token || accessToken;
-
   const res = await fetch(url, {
     method,
-    headers: authHeaders(activeToken),
+    headers: body ? jsonHeaders() : undefined,
     body: body ? JSON.stringify(body) : undefined,
     credentials: 'include',
   });
@@ -50,8 +46,8 @@ async function request(method, path, body, token, options = {}) {
     const promise = refresh();
     if (promise) {
       try {
-        const result = await promise;
-        return request(method, path, body, result.token, { ...options, _retry: true });
+        await promise;
+        return request(method, path, body, { ...options, _retry: true });
       } catch {
         throw new Error('Session expired. Please log in again.');
       }
@@ -76,11 +72,10 @@ async function request(method, path, body, token, options = {}) {
   return data;
 }
 
-async function uploadFormData(path, formData, token) {
+async function uploadFormData(path, formData) {
   const url = `${BASE}${path}`;
   const res = await fetch(url, {
     method: 'POST',
-    headers: token ? { Authorization: `Bearer ${token}` } : undefined,
     body: formData,
     credentials: 'include',
   });
@@ -136,7 +131,6 @@ async function refresh() {
     }
 
     const data = await res.json();
-    accessToken = data.token;
     refreshPromise = null;
     return data;
   })();
@@ -160,14 +154,9 @@ async function logout() {
     throw new Error(error);
   }
 
-  accessToken = null;
   return { message: 'Logged out' };
 }
 
-function setToken(t) {
-  accessToken = t;
-}
-
 export const api = {
   getPlatformConfig: () => request('GET', '/config'),
   register: (body) => request('POST', '/auth/register', body),
@@ -176,100 +165,92 @@ export const api = {
   resetPassword: (body) => request('POST', '/auth/reset-password', body),
   logout: () => logout(),
   refresh,
-  setToken,
-  getToken: () => accessToken,
 
-  getMyCampaigns: (token) => request('GET', '/campaigns/mine', null, token),
-  getMyStats: (token) => request('GET', '/users/me/stats', null, token),
-  getMyContributions: (token) => request('GET', '/contributions/mine', null, token),
-  getMe: (token) => request('GET', '/users/me', null, token),
-  startKyc: (token) => request('POST', '/users/me/kyc/start', null, token),
+  getMyCampaigns: () => request('GET', '/campaigns/mine'),
+  getMyStats: () => request('GET', '/users/me/stats'),
+  getMyContributions: () => request('GET', '/contributions/mine'),
+  getMe: () => request('GET', '/users/me'),
+  startKyc: () => request('POST', '/users/me/kyc/start'),
 
-  getCampaigns: (options = {}) => request('GET', '/campaigns', null, null, { query: options }),
-  getCampaign: (id, token) => request('GET', `/campaigns/${id}`, null, token),
+  getCampaigns: (options = {}) => request('GET', '/campaigns', null, { query: options }),
+  getCampaign: (id) => request('GET', `/campaigns/${id}`),
   getCampaignEmbed: (id) => request('GET', `/campaigns/${id}/embed`),
   getCampaignBackers: (id) => request('GET', `/campaigns/${id}/backers`),
   getCampaignBalance: (id) => request('GET', `/campaigns/${id}/balance`),
-  createCampaign: (body, token) => request('POST', '/campaigns', body, token),
-  updateCampaign: (id, body, token) => request('PATCH', `/campaigns/${id}`, body, token),
-  uploadCampaignCoverImage: (campaignId, file, token) => {
+  createCampaign: (body) => request('POST', '/campaigns', body),
+  updateCampaign: (id, body) => request('PATCH', `/campaigns/${id}`, body),
+  uploadCampaignCoverImage: (campaignId, file) => {
     const formData = new FormData();
     formData.append('cover_image', file);
-    return uploadFormData(`/campaigns/${encodeURIComponent(campaignId)}/cover-image`, formData, token);
+    return uploadFormData(`/campaigns/${encodeURIComponent(campaignId)}/cover-image`, formData);
   },
-  getCampaignMembers: (campaignId, token) => request('GET', `/campaigns/${campaignId}/members`, null, token),
-  inviteCampaignMember: (campaignId, body, token) => request('POST', `/campaigns/${campaignId}/members`, body, token),
-  updateCampaignMemberRole: (campaignId, userId, body, token) => request('PATCH', `/campaigns/${campaignId}/members/${userId}`, body, token),
-  removeCampaignMember: (campaignId, userId, token) => request('DELETE', `/campaigns/${campaignId}/members/${userId}`, null, token),
-  acceptCampaignInvitation: (campaignId, body, token) => request('POST', `/campaigns/${campaignId}/members/accept`, body, token),
+  getCampaignMembers: (campaignId) => request('GET', `/campaigns/${campaignId}/members`),
+  inviteCampaignMember: (campaignId, body) => request('POST', `/campaigns/${campaignId}/members`, body),
+  updateCampaignMemberRole: (campaignId, userId, body) => request('PATCH', `/campaigns/${campaignId}/members/${userId}`, body),
+  removeCampaignMember: (campaignId, userId) => request('DELETE', `/campaigns/${campaignId}/members/${userId}`),
+  acceptCampaignInvitation: (campaignId, body) => request('POST', `/campaigns/${campaignId}/members/accept`, body),
   getAnchorInfo: () => request('GET', '/anchor/info'),
-  startAnchorDeposit: (body, token) => request('POST', '/anchor/deposits/start', body, token),
-  getAnchorDepositStatus: (id, token) => request('GET', `/anchor/deposits/${id}`, null, token),
+  startAnchorDeposit: (body) => request('POST', '/anchor/deposits/start', body),
+  getAnchorDepositStatus: (id) => request('GET', `/anchor/deposits/${id}`),
   getCampaignUpdates: (campaignId, options = {}) =>
-    request('GET', `/campaigns/${campaignId}/updates`, null, null, { query: options }),
-  postCampaignUpdate: (campaignId, body, token) =>
-    request('POST', `/campaigns/${campaignId}/updates`, body, token),
+    request('GET', `/campaigns/${campaignId}/updates`, null, { query: options }),
+  postCampaignUpdate: (campaignId, body) => request('POST', `/campaigns/${campaignId}/updates`, body),
 
   getContributions: (campaignId) => request('GET', `/contributions/campaign/${campaignId}`),
   getMilestones: (campaignId) => request('GET', `/campaigns/${campaignId}/milestones`),
-  setCampaignMilestones: (campaignId, milestones, token) =>
-    request('POST', `/campaigns/${campaignId}/milestones`, { milestones }, token),
-  submitMilestoneEvidence: (id, body, token) => request('POST', `/milestones/${id}/submit`, body, token),
-  approveMilestone: (id, body, token) => request('POST', `/milestones/${id}/release`, body || {}, token),
-  rejectMilestone: (id, body, token) => request('POST', `/milestones/${id}/reject`, body || {}, token),
-  contribute: (body, token) => request('POST', '/contributions', body, token),
-  prepareContribution: (body, token) => request('POST', '/contributions/prepare', body, token),
-  submitSignedContribution: (body, token) => request('POST', '/contributions/submit-signed', body, token),
-  quoteContribution: ({ send_asset, dest_asset, dest_amount }, token) =>
-    request('GET', '/contributions/quote', null, token, {
+  setCampaignMilestones: (campaignId, milestones) =>
+    request('POST', `/campaigns/${campaignId}/milestones`, { milestones }),
+  submitMilestoneEvidence: (id, body) => request('POST', `/milestones/${id}/submit`, body),
+  approveMilestone: (id, body) => request('POST', `/milestones/${id}/release`, body || {}),
+  rejectMilestone: (id, body) => request('POST', `/milestones/${id}/reject`, body || {}),
+  contribute: (body) => request('POST', '/contributions', body),
+  prepareContribution: (body) => request('POST', '/contributions/prepare', body),
+  submitSignedContribution: (body) => request('POST', '/contributions/submit-signed', body),
+  quoteContribution: ({ send_asset, dest_asset, dest_amount }) =>
+    request('GET', '/contributions/quote', null, {
       query: { send_asset, dest_asset, dest_amount },
     }),
-  failExpiredCampaigns: (token) => request('POST', '/campaigns/cron/fail-expired', null, token),
-  triggerCampaignRefunds: (campaignId, token) => request('POST', `/campaigns/${campaignId}/trigger-refunds`, null, token),
-
-  getWithdrawalCapabilities: (token) => request('GET', '/withdrawals/capabilities', null, token),
-  listWithdrawals: (campaignId, token) =>
-    request('GET', `/withdrawals/campaign/${campaignId}`, null, token),
-  requestWithdrawal: (body, token) => request('POST', '/withdrawals/request', body, token),
-  approveWithdrawalCreator: (id, token, body) =>
-    request('POST', `/withdrawals/${id}/approve/creator`, body || {}, token),
-  approveWithdrawalPlatform: (id, token) =>
-    request('POST', `/withdrawals/${id}/approve/platform`, {}, token),
-  cancelWithdrawal: (id, body, token) => request('POST', `/withdrawals/${id}/cancel`, body || {}, token),
-  rejectWithdrawal: (id, body, token) => request('POST', `/withdrawals/${id}/reject`, body || {}, token),
-  getWithdrawalEvents: (id, token) => request('GET', `/withdrawals/${id}/events`, null, token),
-  getWithdrawal: (id, token) => request('GET', `/withdrawals/${id}`, null, token),
+  failExpiredCampaigns: () => request('POST', '/campaigns/cron/fail-expired'),
+  triggerCampaignRefunds: (campaignId) => request('POST', `/campaigns/${campaignId}/trigger-refunds`),
 
-  raiseDispute: (campaignId, body, token) =>
-    request('POST', `/campaigns/${campaignId}/disputes`, body, token),
-  getCampaignDisputes: (campaignId, token) =>
-    request('GET', `/campaigns/${campaignId}/disputes`, null, token),
-  updateDispute: (id, body, token) => request('PATCH', `/disputes/${id}`, body, token),
-  getDisputeEvents: (id, token) => request('GET', `/disputes/${id}/events`, null, token),
+  getWithdrawalCapabilities: () => request('GET', '/withdrawals/capabilities'),
+  listWithdrawals: (campaignId) =>
+    request('GET', `/withdrawals/campaign/${campaignId}`),
+  requestWithdrawal: (body) => request('POST', '/withdrawals/request', body),
+  approveWithdrawalCreator: (id, body) =>
+    request('POST', `/withdrawals/${id}/approve/creator`, body || {}),
+  approveWithdrawalPlatform: (id) =>
+    request('POST', `/withdrawals/${id}/approve/platform`, {}),
+  cancelWithdrawal: (id, body) => request('POST', `/withdrawals/${id}/cancel`, body || {}),
+  rejectWithdrawal: (id, body) => request('POST', `/withdrawals/${id}/reject`, body || {}),
+  getWithdrawalEvents: (id) => request('GET', `/withdrawals/${id}/events`),
+  getWithdrawal: (id) => request('GET', `/withdrawals/${id}`),
 
-  getAdminStats: (token) => request('GET', '/admin/stats', null, token),
-  getAdminCampaigns: (token) => request('GET', '/admin/campaigns', null, token),
-  getAdminMilestones: (token, options = {}) => request('GET', '/admin/milestones', null, token, { query: options }),
-  getAdminUsers: (token, include_banned = false) => request('GET', '/admin/users', null, token, { query: { include_banned: include_banned ? 'true' : 'false' } }),
-  getAdminAuditLog: (token, options = {}) => request('GET', '/admin/audit-log', null, token, { query: options }),
-  updateCampaignStatus: (id, status, token) => request('PATCH', `/admin/campaigns/${id}/status`, { status }, token),
-  
-  adminSuspendCampaign: (id, body, token) => request('PATCH', `/admin/campaigns/${id}/suspend`, body, token),
-  adminRestoreCampaign: (id, token) => request('PATCH', `/admin/campaigns/${id}/restore`, {}, token),
-  adminDeleteCampaign: (id, body, token) => request('DELETE', `/admin/campaigns/${id}`, body, token),
-  
-  adminBanUser: (id, body, token) => request('PATCH', `/admin/users/${id}/ban`, body, token),
-  adminUnbanUser: (id, token) => request('PATCH', `/admin/users/${id}/unban`, {}, token),
-  adminPromoteUser: (id, token) => request('PATCH', `/admin/users/${id}/promote`, {}, token),
-  adminDemoteUser: (id, token) => request('PATCH', `/admin/users/${id}/demote`, {}, token),
-  
-  listApiKeys: (token) => request('GET', '/api-keys', null, token),
-  createApiKey: (body, token) => request('POST', '/api-keys', body, token),
-  deleteApiKey: (id, token) => request('DELETE', `/api-keys/${id}`, null, token),
+  raiseDispute: (campaignId, body) =>
+    request('POST', `/campaigns/${campaignId}/disputes`, body),
+  getCampaignDisputes: (campaignId) =>
+    request('GET', `/campaigns/${campaignId}/disputes`),
+  updateDispute: (id, body) => request('PATCH', `/disputes/${id}`, body),
+  getDisputeEvents: (id) => request('GET', `/disputes/${id}/events`),
 
-  listWebhooks: (token) => request('GET', '/webhooks', null, token),
-  createWebhook: (body, token) => request('POST', '/webhooks', body, token),
-  deleteWebhook: (id, token) => request('DELETE', `/webhooks/${id}`, null, token),
-  listWebhookDeliveries: (token, options = {}) =>
-    request('GET', '/webhooks/deliveries', null, token, { query: options }),
+  getAdminStats: () => request('GET', '/admin/stats'),
+  getAdminCampaigns: () => request('GET', '/admin/campaigns'),
+  getAdminMilestones: (options = {}) => request('GET', '/admin/milestones', null, { query: options }),
+  getAdminUsers: (include_banned = false) => request('GET', '/admin/users', null, { query: { include_banned: include_banned ? 'true' : 'false' } }),
+  getAdminAuditLog: (options = {}) => request('GET', '/admin/audit-log', null, { query: options }),
+  updateCampaignStatus: (id, status) => request('PATCH', `/admin/campaigns/${id}/status`, { status }),
+  adminSuspendCampaign: (id, body) => request('PATCH', `/admin/campaigns/${id}/suspend`, body),
+  adminRestoreCampaign: (id) => request('PATCH', `/admin/campaigns/${id}/restore`, {},),
+  adminDeleteCampaign: (id, body) => request('DELETE', `/admin/campaigns/${id}`, body),
+  adminBanUser: (id, body) => request('PATCH', `/admin/users/${id}/ban`, body),
+  adminUnbanUser: (id) => request('PATCH', `/admin/users/${id}/unban`, {}),
+  adminPromoteUser: (id) => request('PATCH', `/admin/users/${id}/promote`, {}),
+  adminDemoteUser: (id) => request('PATCH', `/admin/users/${id}/demote`, {}),
+  listApiKeys: () => request('GET', '/api-keys'),
+  createApiKey: (body) => request('POST', '/api-keys', body),
+  deleteApiKey: (id) => request('DELETE', `/api-keys/${id}`),
+  listWebhooks: () => request('GET', '/webhooks'),
+  createWebhook: (body) => request('POST', '/webhooks', body),
+  listWebhookDeliveries: (options = {}) => request('GET', '/webhooks/deliveries', null, { query: options }),
+  deleteWebhook: (id) => request('DELETE', `/webhooks/${id}`),
 };
diff --git a/package-lock.json b/package-lock.json
new file mode 100644
index 0000000..54a0959
--- /dev/null
+++ b/package-lock.json
@@ -0,0 +1,106 @@
+{
+  "name": "crowdpay",
+  "lockfileVersion": 2,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "crowdpay",
+      "devDependencies": {
+        "@playwright/test": "^1.52.0"
+      }
+    },
+    "node_modules/@playwright/test": {
+      "version": "1.60.0",
+      "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.60.0.tgz",
+      "integrity": "sha512-O71yZIbAh/PxDMNGns37GHBIfrVkEVyn+AXyIa5dOTfb4/xNvRWV+Vv/NMbNCtODB/pO7vLlF2OTmMVLhmr7Ag==",
+      "dev": true,
+      "dependencies": {
+        "playwright": "1.60.0"
+      },
+      "bin": {
+        "playwright": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/fsevents": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
+      "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
+      "dev": true,
+      "hasInstallScript": true,
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
+    "node_modules/playwright": {
+      "version": "1.60.0",
+      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.60.0.tgz",
+      "integrity": "sha512-hheHdokM8cdqCb0lcE3s+zT4t4W+vvjpGxsZlDnikarzx8tSzMebh3UiFtgqwFwnTnjYQcsyMF8ei2mCO/tpeA==",
+      "dev": true,
+      "dependencies": {
+        "playwright-core": "1.60.0"
+      },
+      "bin": {
+        "playwright": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "optionalDependencies": {
+        "fsevents": "2.3.2"
+      }
+    },
+    "node_modules/playwright-core": {
+      "version": "1.60.0",
+      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.60.0.tgz",
+      "integrity": "sha512-9bW6zvX/m0lEbgTKJ6YppOKx8H3VOPBMOCFh2irXFOT4BbHgrx5hPjwJYLT40Lu+4qtD36qKc/Hn56StUW57IA==",
+      "dev": true,
+      "bin": {
+        "playwright-core": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    }
+  },
+  "dependencies": {
+    "@playwright/test": {
+      "version": "1.60.0",
+      "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.60.0.tgz",
+      "integrity": "sha512-O71yZIbAh/PxDMNGns37GHBIfrVkEVyn+AXyIa5dOTfb4/xNvRWV+Vv/NMbNCtODB/pO7vLlF2OTmMVLhmr7Ag==",
+      "dev": true,
+      "requires": {
+        "playwright": "1.60.0"
+      }
+    },
+    "fsevents": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
+      "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
+      "dev": true,
+      "optional": true
+    },
+    "playwright": {
+      "version": "1.60.0",
+      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.60.0.tgz",
+      "integrity": "sha512-hheHdokM8cdqCb0lcE3s+zT4t4W+vvjpGxsZlDnikarzx8tSzMebh3UiFtgqwFwnTnjYQcsyMF8ei2mCO/tpeA==",
+      "dev": true,
+      "requires": {
+        "fsevents": "2.3.2",
+        "playwright-core": "1.60.0"
+      }
+    },
+    "playwright-core": {
+      "version": "1.60.0",
+      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.60.0.tgz",
+      "integrity": "sha512-9bW6zvX/m0lEbgTKJ6YppOKx8H3VOPBMOCFh2irXFOT4BbHgrx5hPjwJYLT40Lu+4qtD36qKc/Hn56StUW57IA==",
+      "dev": true
+    }
+  }
+}