QA review of PR #39 (CAR-1121) identified three blocking issues; this
commit addresses all three plus the typecheck errors flagged as CI RED.
CAR-1077 (PR #39) changes:
- database.py: add pool_timeout=30 so the engine fails fast when the
connection pool is exhausted (defends against the "server closed
connection unexpectedly" pod failures).
- routes/health.py: /health now calls SELECT 1 through Depends(get_db)
and raises HTTPException(503) when the database is unreachable, so
Kubernetes readiness probes can correctly mark the pod unhealthy and
stop routing traffic to it. Logs the failure at exception level for
observability.
- Drop .mcp.json from this PR (root-level MCP server config, not
related to the pool fix; tracked separately).
CI typecheck fixes (pre-existing on dev, were failing mypy on PR #39):
- auth/passwords.py: cast bcrypt return values so mypy doesn't widen
to Any.
- config.py: silence the false-positive call-arg on Settings() — the
three required fields are populated from the environment by
pydantic-settings at runtime.
- cache.py: coerce the bytes/str union returned by the redis client
to the documented str | None return type.
- middleware/rate_limit.py: annotate the three module-level limiters
with the RateLimitBackend protocol, cast the redis zrange score to
float before arithmetic, and add max_requests/window_seconds to the
protocol so the response-header builder can read them.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add dev.cartsnitch.com and uat.cartsnitch.com to the CORS origins list
to match the infra HTTPRoute domains and fix auth blocking on UAT.
Refs: CAR-992
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add rate_limit_auth_requests (5/min) and rate_limit_auth_window_seconds (60) settings
- Add rate_limit_redis_enabled flag for opt-in Redis usage
- Refactor _SlidingWindowCounter into InMemorySlidingWindow class
- Add RedisSlidingWindow using sorted sets with fallback to in-memory
- Add third _auth_strict_limiter for POST /auth/* paths (5 req/min)
- Add protocol-based backend selection at module load time
- Update tests for auth strict limiter and Redis fallback behavior
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add rate_limit_auth_requests (5/min) and rate_limit_auth_window_seconds (60)
settings to config.py
- Refactor rate_limit.py to use protocol/ABC pattern with InMemorySlidingWindow
and RedisSlidingWindow implementations
- Add RedisSlidingWindow using sorted sets for distributed rate limiting
- Add auth_strict_limiter for /auth/* POST endpoints (5 req/min per IP)
- Fall back to in-memory when Redis is unavailable
- Update tests to cover new functionality
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Remove dangerous default values for jwt_secret_key, service_key, and
fernet_key. Add startup validation that raises RuntimeError if these
secrets are not set via environment variables or contain placeholder
values.
Add test fixture to provide explicit test values for these secrets,
ensuring existing tests continue to pass.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
API config.py now reads CARTSNITCH_DATABASE_URL first, falls back to
DATABASE_URL (which the infra K8s overlay sets for all pods), and finally
falls back to the hardcoded default. Also normalizes plain postgresql://
to postgresql+asyncpg:// for the asyncpg driver.
Fixes CAR-510.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Revert auth/dependencies.py to cookie+Bearer dual auth with str user IDs
- Add GET /auth/me/email-in-address endpoint for receipt email routing
- Update User model: add email_inbound_token, change id/store_id/user_id to str
- Update AuthService and UserResponse to use str user IDs
- Update route count test: 33 -> 34 routes
- Restore e2e test for email-in-address endpoint
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Replace hand-rolled JWT auth with Better-Auth session-based authentication.
- Scaffold auth/ Node.js service with Better-Auth, bcrypt password compat,
Postgres adapter mapped to existing users table
- Add Alembic migration (002) creating sessions, accounts, verifications
tables and migrating password hashes to accounts table
- Update FastAPI auth dependency to validate sessions via shared DB
(supports both cookie and Bearer token)
- Remove registration/login/refresh endpoints from API gateway (now
handled by Better-Auth service)
- Update frontend to use better-auth/react client with httpOnly cookies
(no tokens in localStorage or memory)
- Rewrite auth store, Login, Register, Dashboard, Settings, ProtectedRoute
to use session-based auth
- Update all tests to create sessions directly in DB instead of JWT tokens
Resolves CAR-27
See plan: CAR-26#document-plan
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Barcode Betty