fix(api): revert auth/type regressions from standalone sync, keep email-in feature only

- Revert auth/dependencies.py to cookie+Bearer dual auth with str user IDs
- Add GET /auth/me/email-in-address endpoint for receipt email routing
- Update User model: add email_inbound_token, change id/store_id/user_id to str
- Update AuthService and UserResponse to use str user IDs
- Update route count test: 33 -> 34 routes
- Restore e2e test for email-in-address endpoint

Co-Authored-By: Paperclip <noreply@paperclip.ing>

src/cartsnitch_api/models/base.py

@@ -1,39 +1,12 @@
 """Base model and mixins for all CartSnitch ORM models."""
 
-import uuid as uuid_lib
+import uuid
 from datetime import datetime
 
-from sqlalchemy import DateTime, String, TypeDecorator, func
+from sqlalchemy import DateTime, func
 from sqlalchemy.orm import DeclarativeBase, Mapped, mapped_column
 
 
-class UUIDString(TypeDecorator):
-    """Store UUIDs as VARCHAR(36) strings in all dialects.
-
-    This handles the fundamental mismatch between Python's uuid.UUID objects
-    (used everywhere in application code) and SQLite's lack of a native UUID type.
-    - On INSERT: converts uuid.UUID → str
-    - On SELECT: returns uuid.UUID (so SQLAlchemy 2.0 sentinel tracking matches correctly)
-    """
-
-    impl = String(36)
-    cache_ok = True
-
-    def process_bind_param(self, value, dialect):
-        if value is None:
-            return value
-        if isinstance(value, uuid_lib.UUID):
-            return str(value)
-        return value  # already a string
-
-    def process_result_value(self, value, dialect):
-        if value is None:
-            return value
-        if isinstance(value, uuid_lib.UUID):
-            return value
-        return uuid_lib.UUID(value)  # convert str → UUID for correct sentinel tracking
-
-
 class Base(DeclarativeBase):
     """Base class for all CartSnitch models."""
 
@@ -50,14 +23,8 @@ class TimestampMixin:
 
 
 class UUIDPrimaryKeyMixin:
-    """Mixin providing a UUID primary key.
+    """Mixin providing a UUID primary key."""
 
-    Uses UUIDString so all DB dialects store the full 36-char UUID string
-    without truncation, while Python code always works with uuid.UUID objects.
-    """
-
-    id: Mapped[uuid_lib.UUID] = mapped_column(
-        UUIDString(),
-        primary_key=True,
-        default=uuid_lib.uuid4,
+    id: Mapped[uuid.UUID] = mapped_column(
+        primary_key=True, default=uuid.uuid4, server_default=func.gen_random_uuid()
     )

src/cartsnitch_api/models/purchase.py

@@ -32,8 +32,8 @@ class Purchase(UUIDPrimaryKeyMixin, TimestampMixin, Base):
 
     __tablename__ = "purchases"
 
-    user_id: Mapped[uuid.UUID] = mapped_column(ForeignKey("users.id"), nullable=False)
-    store_id: Mapped[uuid.UUID] = mapped_column(ForeignKey("stores.id"), nullable=False)
+    user_id: Mapped[str] = mapped_column(ForeignKey("users.id"), nullable=False)
+    store_id: Mapped[str] = mapped_column(ForeignKey("stores.id"), nullable=False)
     store_location_id: Mapped[uuid.UUID | None] = mapped_column(ForeignKey("store_locations.id"))
     receipt_id: Mapped[str] = mapped_column(String(200), nullable=False)
     purchase_date: Mapped[date] = mapped_column(Date, nullable=False)

src/cartsnitch_api/models/user.py

@@ -1,11 +1,10 @@
 """User and UserStoreAccount models."""
 
 import secrets
-import uuid
 from datetime import datetime
 from typing import TYPE_CHECKING
 
-from sqlalchemy import DateTime, ForeignKey, String, UniqueConstraint
+from sqlalchemy import DateTime, ForeignKey, String, Text, UniqueConstraint
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 
 from cartsnitch_api.constants import AccountStatus
@@ -17,11 +16,12 @@ if TYPE_CHECKING:
     from cartsnitch_api.models.store import Store
 
 
-class User(UUIDPrimaryKeyMixin, TimestampMixin, Base):
+class User(TimestampMixin, Base):
     """Application user."""
 
     __tablename__ = "users"
 
+    id: Mapped[str] = mapped_column(Text, primary_key=True)
     email: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
     hashed_password: Mapped[str] = mapped_column(String(255), nullable=False)
     display_name: Mapped[str | None] = mapped_column(String(100))
@@ -43,8 +43,8 @@ class UserStoreAccount(UUIDPrimaryKeyMixin, TimestampMixin, Base):
     __tablename__ = "user_store_accounts"
     __table_args__ = (UniqueConstraint("user_id", "store_id", name="uq_user_store_account"),)
 
-    user_id: Mapped[uuid.UUID] = mapped_column(ForeignKey("users.id"), nullable=False)
-    store_id: Mapped[uuid.UUID] = mapped_column(ForeignKey("stores.id"), nullable=False)
+    user_id: Mapped[str] = mapped_column(ForeignKey("users.id"), nullable=False)
+    store_id: Mapped[str] = mapped_column(ForeignKey("stores.id"), nullable=False)
     session_data: Mapped[dict | None] = mapped_column(EncryptedJSON)
     session_expires_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True))
     last_sync_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True))