cartsnitch/api
12
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): parse compound Better-Auth cookie/bearer token to extract token part

Browse Source 
Better-Auth sets the session cookie as "token.sessionId". The DB stores
only the token part, so passing the full compound value caused 401s.

Splits on "." for both cookie and Bearer paths.

Tests added for compound cookie, raw token cookie (regression), and
compound Bearer token.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Barcode Betty
2026-04-04 20:32:43 +00:00
parent 455ef14519
commit b3af0833e8
2 changed files with 55 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/cartsnitch_api/auth/dependencies.py
+5 -2
View File
@@ -71,11 +71,14 @@ async def get_current_user(
# 1. Check session cookie — prefer __Secure- variant (HTTPS) over plain (HTTP dev)
cookie_token = request.cookies.get(SECURE_SESSION_COOKIE_NAME) or request.cookies.get(SESSION_COOKIE_NAME)
if cookie_token:
token = cookie_token
# Better-Auth cookie format is "token.sessionId" — extract just the token part
token = cookie_token.split(".")[0] if "." in cookie_token else cookie_token
# 2. Fall back to Bearer header
if not token and credentials:
token = credentials.credentials
# Callers might pass the compound value here too
raw = credentials.credentials
token = raw.split(".")[0] if "." in raw else raw
if not token:
raise HTTPException(