The data routes (purchases, alerts, stores, etc.) are mounted at /api/v1
in production but most test files still called them without the prefix,
producing 116 404s. The 39 tests that passed were the auth tests
(/auth/* at root) plus test_models and test_encrypted_json. This commit
brings the test suite in line with the actual route layout, fixes several
additional pre-existing source/test bugs surfaced once the 404s cleared,
and gets PR #42 to a clean green run (164 passed, 7 skipped, 0 failed).
Source fixes
- src/cartsnitch_api/auth/dependencies.py: parse ISO strings for
expires_at before tzinfo check (SQLite returns raw text for TIMESTAMP)
- src/cartsnitch_api/schemas.py: UserResponse.id is UUID, matching the
actual model type and avoiding ResponseValidationError on /auth/me
Test alignment
- tests/test_routes/*, tests/test_e2e/*: add /api/v1 prefix to all data
route calls (auth routes left alone — they live at root)
- tests/test_openapi.py: refresh EXPECTED_ROUTES to match the actual
OpenAPI spec (drop Better-Auth-only routes, add /api/v1 prefix,
update route count to 31)
Pre-existing test fixes
- tests/test_middleware/test_rate_limit.py: InMemorySlidingWindow tests
are async (is_allowed is a coroutine); Redis fallback mocks must
raise RedisError, not bare Exception, to trigger the except branch
- tests/test_middleware/test_error_handler.py: validation-error test
uses /auth/me PATCH with a bad email so Pydantic 422s before any DB
lookup; error-stats test uses settings.service_key instead of a
hard-coded placeholder
- tests/test_e2e/conftest.py: Coupon.valid_to is date.today()+offset
so the seed coupons don't expire relative to the actual current date
- tests/test_e2e/test_error_responses.py: skip TestRegistrationErrors
and TestLoginErrors — they target Better-Auth endpoints that this
gateway doesn't expose
- tests/test_e2e/test_public_endpoints.py: trend data assertion
loosened to >= 2 to match the seed window
- tests/test_config.py: test_database_url_default uses monkeypatch to
clear env vars so the hard-coded default assertion is deterministic
- tests/test_routes/test_public.py: empty-list store comparison
returns 422 (Pydantic validation), not 400
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Fix email format in AuthService.get_email_in_address to use
receipts+{token}@receipts.cartsnitch.com (was broken: @email.cartsnitch.com)
- Remove dead EmailInAddressResponse class and GET /auth/me/email-in-address
endpoint from auth/routes.py (endpoint moved to routes/user.py)
- Add instructions field to EmailInAddressResponse schema
- Update routes/user.py to include instructions in the response
- Update test URLs from /auth/me/email-in-address to /api/v1/me/email-in-address
Co-authored-by: CartSnitch Engineer Bot <cartnoreply@cartsnitch.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
- Revert auth/dependencies.py to cookie+Bearer dual auth with str user IDs
- Add GET /auth/me/email-in-address endpoint for receipt email routing
- Update User model: add email_inbound_token, change id/store_id/user_id to str
- Update AuthService and UserResponse to use str user IDs
- Update route count test: 33 -> 34 routes
- Restore e2e test for email-in-address endpoint
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Revert auth/dependencies.py, auth/routes.py, services/auth.py, schemas.py
to Better-Auth session-cookie auth (removed JWT register/login/refresh)
- Preserve GET /auth/me/email-in-address endpoint
- Fix UUIDString TypeDecorator: process_result_value returns uuid.UUID
(not str) so SQLAlchemy 2.0 sentinel tracking matches UUID-to-UUID
- Fix seed_data fixture: look up real user_id from session token via
sessions table; purchases now reference actual user FK
- Update purchase_data fixture to use session-cookie auth
- Update test_auth_endpoints, test_auth_validation to cookie-based tests
- Remove TestRegistrationErrors and TestLoginErrors (no longer applicable)
- Update test_openapi.py expected routes and count
- Update test_error_handler.py to use PATCH /auth/me validation
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Replace hand-rolled JWT auth with Better-Auth session-based authentication.
- Scaffold auth/ Node.js service with Better-Auth, bcrypt password compat,
Postgres adapter mapped to existing users table
- Add Alembic migration (002) creating sessions, accounts, verifications
tables and migrating password hashes to accounts table
- Update FastAPI auth dependency to validate sessions via shared DB
(supports both cookie and Bearer token)
- Remove registration/login/refresh endpoints from API gateway (now
handled by Better-Auth service)
- Update frontend to use better-auth/react client with httpOnly cookies
(no tokens in localStorage or memory)
- Rewrite auth store, Login, Register, Dashboard, Settings, ProtectedRoute
to use session-based auth
- Update all tests to create sessions directly in DB instead of JWT tokens
Resolves CAR-27
See plan: CAR-26#document-plan
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Barcode Betty
Barcode Betty