fix(api): revert SHA-256 session token hashing — better-auth stores raw tokens

Better-auth v1.5.6 stores raw 32-char tokens in sessions.token, not SHA-256
hashes. The SHA-256 fix from PR #136 causes all authenticated API calls to
return 401 because the UAT sessions table contains raw tokens.

- Remove hashlib from dependencies.py; compare tokens directly
- Remove hashlib from conftest.py; store raw tokens in test DB
- Remove hashlib from test_expired_session_rejected; use raw tokens

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/conftest.py

@@ -4,7 +4,6 @@ Session-based auth: tests create users and sessions directly in the DB,
 matching the Better-Auth session validation flow.
 """
 
-import hashlib
 import secrets
 import uuid
 from datetime import UTC, datetime, timedelta
@@ -137,14 +136,13 @@ async def client(db_engine):
 async def _create_test_user_and_session(client: AsyncClient, db_engine, **user_overrides) -> tuple[dict, str]:
     """Create a test user and a valid session directly in the DB.
 
-    Returns (user_dict, session_token).  Better-Auth v1.2+ stores SHA-256
-    hashed tokens in the DB, so the token is hashed before insertion.
+    Returns (user_dict, session_token).  Better-Auth stores the raw token
+    in the DB, so we insert it as-is.
     """
     user_id = str(uuid.uuid4())
     email = user_overrides.get("email", "test@example.com")
     display_name = user_overrides.get("display_name", "Test User")
     session_token = secrets.token_urlsafe(32)
-    token_hash = hashlib.sha256(session_token.encode()).hexdigest()
     session_id = str(uuid.uuid4())
     now = datetime.now(UTC).isoformat()
     expires = (datetime.now(UTC) + timedelta(days=7)).isoformat()
@@ -172,7 +170,7 @@ async def _create_test_user_and_session(client: AsyncClient, db_engine, **user_o
             ),
             {
                 "id": session_id,
-                "token": token_hash,
+                "token": session_token,
                 "user_id": user_id,
                 "expires_at": expires,
                 "created_at": now,

tests/test_auth/test_auth_endpoints.py

@@ -74,7 +74,6 @@ async def test_delete_me(client, auth_headers):
 @pytest.mark.asyncio
 async def test_expired_session_rejected(client, db_engine):
     """Expired sessions must be rejected."""
-    import hashlib
     import secrets
     import uuid
     from datetime import UTC, datetime, timedelta
@@ -83,7 +82,6 @@ async def test_expired_session_rejected(client, db_engine):
 
     user_id = str(uuid.uuid4())
     session_token = secrets.token_urlsafe(32)
-    token_hash = hashlib.sha256(session_token.encode()).hexdigest()
     now = datetime.now(UTC).isoformat()
     expired = (datetime.now(UTC) - timedelta(hours=1)).isoformat()
 
@@ -110,7 +108,7 @@ async def test_expired_session_rejected(client, db_engine):
             ),
             {
                 "id": str(uuid.uuid4()),
-                "token": token_hash,
+                "token": session_token,
                 "uid": user_id,
                 "ea": expired,
                 "ca": now,