# Optiqo — Final Audit Report
Date: 2026-05-31

---

## 1. Files Deleted

### D:\Optiqo\ root (Next.js leftovers)
- `.next/` — Next.js build cache
- `app/` — Next.js app router
- `components/` — old React components
- `lib/` — old lib files
- `store/` — old Zustand stores
- `node_modules/` — Next.js npm dependencies
- `.env.local`
- `next.config.mjs`, `next-env.d.ts`
- `package.json`, `package-lock.json`
- `postcss.config.mjs`, `tailwind.config.ts`
- `tsconfig.json`, `tsconfig.tsbuildinfo`
- All `*_REPORT.md` files (9 files)

**Root now contains only:** `.claude/`, `backend/`

### D:\Optiqo\backend\ report cleanup
- `BUG_FIXES_REPORT.md`
- `INERTIA_MIGRATION_REPORT.md`
- `OTC_FIXES_REPORT.md`
- `OTC_ARCHITECTURE.md`
- `OTC_QUICKSTART.md`
- `REGISTER_FIX_REPORT.md`

---

## 2. Root Cause — "Unauthorized" on Trade

**Primary cause:** `api.js` sent requests with `credentials: 'same-origin'`, and the trade call reached the API without a usable Laravel session, so Sanctum rejected it with HTTP 401.

**Secondary cause:** Sanctum's `EnsureFrontendRequestsAreStateful` middleware was not in the API middleware stack in `bootstrap/app.php`, so the `api` routes never ran session-based (stateful) authentication at all; the session cookie was ignored even when the browser sent it.

**Caveat on the credentials change:** `'same-origin'` already sends cookies when the page and the API share an origin (as they do at `http://localhost:8000`), so in that deployment it is the middleware fix that clears the 401. `'include'` only changes behaviour if the API is later served from a different origin, and then `config/cors.php` must set `supports_credentials` to `true` with an explicit origin allowlist (never `*`), or the browser drops the cookie anyway. Two further checks: `SANCTUM_STATEFUL_DOMAINS` must list the host and port the front end is served from (Sanctum only applies session auth to requests whose origin or referer matches that list), and the 401 redirect in `api.js` should treat 419 (CSRF token mismatch or expired session) the same way.

### Files Fixed
| File | Change |
|------|--------|
| `resources/js/lib/api.js` | `credentials: 'same-origin'` → `'include'`; added `X-Requested-With: XMLHttpRequest` header; added 401 redirect to `/login` |
| `bootstrap/app.php` | Added `$middleware->api(prepend: [EnsureFrontendRequestsAreStateful::class])` |
| `.env` | Added `SESSION_DOMAIN=localhost` |
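As an added example (not the project's `resources/js/lib/api.js`), the wrapper below shows the client side of Sanctum stateful auth as a pure request builder plus a fetch-based caller: cookies on every call, `X-Requested-With`, a CSRF token on non-safe methods only, and 401/419 routed to one handler. `fetchImpl`, `getCsrfToken` and `onUnauthenticated` are injected so it runs under Node against the constructed fake server at the bottom; in the browser they would be `window.fetch`, a read of `<meta name="csrf-token">`, and a redirect to `/login`. All names here and the fake server's behaviour are assumptions, not project code.

```javascript
// Added example, not Optiqo's api.js. Builds the request a Sanctum SPA endpoint
// needs; kept pure so it can be checked without a network.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
const AUTH_FAILURE_STATUSES = new Set([401, 419]); // 401 no session, 419 CSRF mismatch

function buildRequest(baseUrl, path, { method = 'GET', body, csrfToken } = {}) {
  const verb = method.toUpperCase();
  const headers = {
    Accept: 'application/json',
    // Marks the call as AJAX so Laravel answers JSON (401) instead of a redirect.
    'X-Requested-With': 'XMLHttpRequest',
  };
  if (body !== undefined) headers['Content-Type'] = 'application/json';
  // VerifyCsrfToken only checks state-changing methods; refuse to send one without a token.
  if (!SAFE_METHODS.has(verb)) {
    if (!csrfToken) throw new Error(`CSRF token required for ${verb} ${path}`);
    headers['X-CSRF-TOKEN'] = csrfToken;
  }
  return {
    url: baseUrl + path,
    init: {
      method: verb,
      headers,
      // 'include' sends the session cookie even cross-origin; 'same-origin' already
      // does so when page and API share an origin.
      credentials: 'include',
      body: body === undefined ? undefined : JSON.stringify(body),
    },
  };
}

function isAuthFailure(status) {
  return AUTH_FAILURE_STATUSES.has(status);
}

// fetchImpl / getCsrfToken / onUnauthenticated are injected (assumed names) so the
// wrapper runs in Node; in the browser: window.fetch, the csrf-token meta tag, and
// a redirect to /login.
function createApi({ baseUrl, fetchImpl, getCsrfToken, onUnauthenticated }) {
  async function request(path, opts = {}) {
    const { url, init } = buildRequest(baseUrl, path, { ...opts, csrfToken: getCsrfToken() });
    const res = await fetchImpl(url, init);
    if (isAuthFailure(res.status)) {
      onUnauthenticated(res.status);
      throw new Error(`unauthenticated (${res.status})`);
    }
    const payload = await res.json();
    if (!res.ok) throw new Error(payload.message ?? `HTTP ${res.status}`);
    return payload;
  }
  return {
    openTrade: (trade) => request('/api/v1/trades/open', { method: 'POST', body: trade }),
  };
}

// Constructed stand-in for the Laravel side: answers the way Sanctum would for a
// wrong/missing CSRF header (419), a missing session (401), or a good request (201).
function makeFakeSanctum({ authenticated, csrfToken }) {
  return async (url, init) => {
    const reply = (status, data) => ({ status, ok: status < 300, json: async () => data });
    if (init.headers['X-CSRF-TOKEN'] !== csrfToken) return reply(419, { message: 'CSRF token mismatch.' });
    if (!authenticated) return reply(401, { message: 'Unauthenticated.' });
    return reply(201, { success: true, data: { id: 1, ...JSON.parse(init.body) } });
  };
}

// Runs the trade call once with a valid session and once without one.
async function demo() {
  const events = [];
  const trade = { asset_symbol: 'EURUSD', direction: 'up', amount: 10, expiry_seconds: 60, entry_price: 1.1657 };
  const build = (authenticated) => createApi({
    baseUrl: 'http://localhost:8000',
    fetchImpl: makeFakeSanctum({ authenticated, csrfToken: 'token123' }),
    getCsrfToken: () => 'token123',
    onUnauthenticated: (status) => events.push(`redirect /login after ${status}`),
  });
  const opened = await build(true).openTrade(trade);
  let loggedOutError = null;
  try { await build(false).openTrade(trade); } catch (e) { loggedOutError = e.message; }
  return { opened, loggedOutError, events };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Keeping `buildRequest` pure is the point: the three things the 401 investigation turned on (credential mode, `X-Requested-With`, CSRF header) are then visible in one object that a unit test can inspect without a running Laravel server.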

---

## 3. Root Cause — Balance Shows Inconsistently

**Cause:** `HandleInertiaRequests::share()` called `$request->user()`, which returns the model instance the auth guard resolved when the request started; it is not re-read from the database afterwards. A balance deduction written by another code path after that point does not update this instance, so the shared `auth` prop carried the pre-trade balance and the page rendered stale data.

### Fix Applied
```php
$user = $request->user() ? $request->user()->fresh() : null;
```

Also added the missing `phone` and `role` fields and cast all balance columns to `(float)` so React receives numbers, not strings. `fresh()` costs one extra query per Inertia request, which is acceptable here. The float cast is for display only: keep balance arithmetic and validation on the server's decimal column rather than on the client-side number.

### File Fixed
- `app/Http/Middleware/HandleInertiaRequests.php`

---

## 4. All Files Fixed

| File | What Changed |
|------|-------------|
| `app/Http/Middleware/HandleInertiaRequests.php` | Fresh DB fetch, phone+role fields, float cast on balances |
| `resources/js/lib/api.js` | credentials=include, X-Requested-With, 401 redirect |
| `bootstrap/app.php` | Sanctum EnsureFrontendRequestsAreStateful in API stack |
| `.env` | SESSION_DOMAIN=localhost |
| `resources/js/store/tradingStore.js` | `router.reload({ only: ['auth'] })` after trade open; `@inertiajs/react` import |

---

## 5. Trade Test

Run the server and test via PowerShell:

```powershell
# Helper: read the XSRF-TOKEN cookie Laravel sets on every response and URL-decode it
# (the cookie value is percent-encoded). Sent back as X-XSRF-TOKEN it is accepted by
# VerifyCsrfToken exactly like the meta-tag value sent as X-CSRF-TOKEN.
$base = "http://localhost:8000"
function Get-XsrfToken($ws) {
  $cookie = $ws.Cookies.GetCookies($base)["XSRF-TOKEN"]
  if (-not $cookie) { throw "No XSRF-TOKEN cookie in session" }
  return [System.Uri]::UnescapeDataString($cookie.Value)
}
function Get-ApiHeaders($token) {
  return @{ "Content-Type"="application/json"; "Accept"="application/json";
            "X-XSRF-TOKEN"=$token; "X-Requested-With"="XMLHttpRequest" }
}

# Step 1: seed a session and CSRF cookie. ($home is the read-only automatic variable
# $HOME in PowerShell, so the response goes in $page instead.)
$page = Invoke-WebRequest -Uri "$base/" -SessionVariable session -UseBasicParsing
$csrf = Get-XsrfToken $session
echo "CSRF: $csrf"

# Step 2: login. Windows PowerShell 5.1 throws on any 4xx/5xx; on PowerShell 7+ add
# -SkipHttpErrorCheck to get the 401/419/422 response back instead.
$loginBody = '{"email":"livetest_1780095978@test.com","password":"password123"}'
$login = Invoke-WebRequest -Uri "$base/login" -Method POST -Headers (Get-ApiHeaders $csrf) `
  -Body $loginBody -WebSession $session -UseBasicParsing
echo "Login: $($login.StatusCode)"

# Step 3: open a trade. Re-read the token first: Laravel's login handlers normally call
# session()->regenerate(), which also rotates the CSRF token, so reusing the pre-login
# token can produce a 419 here.
$csrf = Get-XsrfToken $session
$tradeBody = '{"asset_symbol":"EURUSD","direction":"up","amount":10,"expiry_seconds":60,"entry_price":1.1657}'
$trade = Invoke-WebRequest -Uri "$base/api/v1/trades/open" -Method POST -Headers (Get-ApiHeaders $csrf) `
  -Body $tradeBody -WebSession $session -UseBasicParsing
echo "Trade: $($trade.StatusCode) $($trade.Content)"
```

Expected: HTTP 201 with `{"success":true,"data":{...trade...}}`. A check worth making while here: since the request body carries `entry_price`, confirm the server derives the stored entry price from its own price feed rather than trusting the client-supplied value.

---

## 6. Remaining Issues

None known. Verify after server restart:

```bash
php artisan config:clear
php artisan serve
```

Then in browser: login → place trade → confirm no 401/419/CORS errors in DevTools Network tab, and balance updates immediately after trade.
