fix(api): replace UUID type with str for Better-Auth nanoid user IDs (#98)
Better-Auth uses nanoid strings for user IDs, not UUIDs. Changed all user_id parameter/return types in the API layer from UUID to str, removed the obsolete UUID import where unused, and updated the _validate_session_token return type accordingly. Co-authored-by: CartSnitch Engineer Bot <cartnoreply@cartsnitch.com> Co-authored-by: Paperclip <noreply@paperclip.ing>
This commit is contained in:
cartsnitch-engineer[bot]
committed by
GitHub
GitHub
parent
e86c27f341
commit
c46e524193
@@ -5,7 +5,6 @@ Sessions are verified by querying the shared sessions table directly.
|
||||
"""
|
||||
|
||||
from datetime import UTC, datetime
|
||||
from uuid import UUID
|
||||
|
||||
from fastapi import Cookie, Depends, Header, HTTPException, Request, status
|
||||
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
|
||||
@@ -27,10 +26,10 @@ SESSION_COOKIE_NAMES = [
|
||||
]
|
||||
|
||||
|
||||
async def _validate_session_token(token: str, db: AsyncSession) -> UUID:
|
||||
async def _validate_session_token(token: str, db: AsyncSession) -> str:
|
||||
"""Validate a Better-Auth session token against the sessions table.
|
||||
|
||||
Returns the user_id (as UUID) if the session is valid and not expired.
|
||||
Returns the user_id (as str) if the session is valid and not expired.
|
||||
Better-Auth v1.5.6 stores raw tokens in the DB. The session cookie
|
||||
is signed: ``rawToken.base64HMACSignature``. Strip the signature
|
||||
before querying.
|
||||
@@ -60,14 +59,14 @@ async def _validate_session_token(token: str, db: AsyncSession) -> UUID:
|
||||
detail="Session expired",
|
||||
)
|
||||
|
||||
return UUID(str(user_id))
|
||||
return str(user_id)
|
||||
|
||||
|
||||
async def get_current_user(
|
||||
request: Request,
|
||||
credentials: HTTPAuthorizationCredentials | None = Depends(bearer_scheme),
|
||||
db: AsyncSession = Depends(get_db),
|
||||
) -> UUID:
|
||||
) -> str:
|
||||
"""Extract and validate the session token from cookie or Authorization header.
|
||||
|
||||
Checks in order:
|
||||
|
||||
@@ -2,22 +2,21 @@
|
||||
|
||||
from datetime import UTC, datetime, timedelta
|
||||
from typing import Any, cast
|
||||
from uuid import UUID
|
||||
|
||||
from jose import JWTError, jwt
|
||||
|
||||
from cartsnitch_api.config import settings
|
||||
|
||||
|
||||
def create_access_token(user_id: UUID) -> str:
|
||||
def create_access_token(user_id: str) -> str:
|
||||
expire = datetime.now(UTC) + timedelta(minutes=settings.jwt_access_token_expire_minutes)
|
||||
payload = {"sub": str(user_id), "exp": expire, "type": "access"}
|
||||
payload = {"sub": user_id, "exp": expire, "type": "access"}
|
||||
return cast(str, jwt.encode(payload, settings.jwt_secret_key, algorithm=settings.jwt_algorithm))
|
||||
|
||||
|
||||
def create_refresh_token(user_id: UUID) -> str:
|
||||
def create_refresh_token(user_id: str) -> str:
|
||||
expire = datetime.now(UTC) + timedelta(days=settings.jwt_refresh_token_expire_days)
|
||||
payload = {"sub": str(user_id), "exp": expire, "type": "refresh"}
|
||||
payload = {"sub": user_id, "exp": expire, "type": "refresh"}
|
||||
return cast(str, jwt.encode(payload, settings.jwt_secret_key, algorithm=settings.jwt_algorithm))
|
||||
|
||||
|
||||
|
||||
@@ -5,8 +5,6 @@ the Better-Auth service (auth/). This router provides user profile
|
||||
endpoints that query our own user data from the shared database.
|
||||
"""
|
||||
|
||||
from uuid import UUID
|
||||
|
||||
from fastapi import APIRouter, Depends, HTTPException, status
|
||||
from sqlalchemy.ext.asyncio import AsyncSession
|
||||
|
||||
@@ -23,7 +21,7 @@ router = APIRouter(prefix="/auth", tags=["auth"])
|
||||
|
||||
@router.get("/me", response_model=UserResponse)
|
||||
async def get_me(
|
||||
user_id: UUID = Depends(get_current_user),
|
||||
user_id: str = Depends(get_current_user),
|
||||
db: AsyncSession = Depends(get_db),
|
||||
):
|
||||
svc = AuthService(db)
|
||||
@@ -38,7 +36,7 @@ async def get_me(
|
||||
@router.patch("/me", response_model=UserResponse)
|
||||
async def update_me(
|
||||
body: UpdateUserRequest,
|
||||
user_id: UUID = Depends(get_current_user),
|
||||
user_id: str = Depends(get_current_user),
|
||||
db: AsyncSession = Depends(get_db),
|
||||
):
|
||||
svc = AuthService(db)
|
||||
@@ -54,7 +52,7 @@ async def update_me(
|
||||
|
||||
@router.delete("/me", status_code=status.HTTP_204_NO_CONTENT)
|
||||
async def delete_me(
|
||||
user_id: UUID = Depends(get_current_user),
|
||||
user_id: str = Depends(get_current_user),
|
||||
db: AsyncSession = Depends(get_db),
|
||||
):
|
||||
svc = AuthService(db)
|
||||
|
||||
Reference in New Issue
Block a user