Barcode Betty
3eb11543b5
The data routes (purchases, alerts, stores, etc.) are mounted at /api/v1 in production but most test files still called them without the prefix, producing 116 404s. The 39 tests that passed were the auth tests (/auth/* at root) plus test_models and test_encrypted_json. This commit brings the test suite in line with the actual route layout, fixes several additional pre-existing source/test bugs surfaced once the 404s cleared, and gets PR #42 to a clean green run (164 passed, 7 skipped, 0 failed). Source fixes - src/cartsnitch_api/auth/dependencies.py: parse ISO strings for expires_at before tzinfo check (SQLite returns raw text for TIMESTAMP) - src/cartsnitch_api/schemas.py: UserResponse.id is UUID, matching the actual model type and avoiding ResponseValidationError on /auth/me Test alignment - tests/test_routes/*, tests/test_e2e/*: add /api/v1 prefix to all data route calls (auth routes left alone — they live at root) - tests/test_openapi.py: refresh EXPECTED_ROUTES to match the actual OpenAPI spec (drop Better-Auth-only routes, add /api/v1 prefix, update route count to 31) Pre-existing test fixes - tests/test_middleware/test_rate_limit.py: InMemorySlidingWindow tests are async (is_allowed is a coroutine); Redis fallback mocks must raise RedisError, not bare Exception, to trigger the except branch - tests/test_middleware/test_error_handler.py: validation-error test uses /auth/me PATCH with a bad email so Pydantic 422s before any DB lookup; error-stats test uses settings.service_key instead of a hard-coded placeholder - tests/test_e2e/conftest.py: Coupon.valid_to is date.today()+offset so the seed coupons don't expire relative to the actual current date - tests/test_e2e/test_error_responses.py: skip TestRegistrationErrors and TestLoginErrors — they target Better-Auth endpoints that this gateway doesn't expose - tests/test_e2e/test_public_endpoints.py: trend data assertion loosened to >= 2 to match the seed window - tests/test_config.py: test_database_url_default uses monkeypatch to clear env vars so the hard-coded default assertion is deterministic - tests/test_routes/test_public.py: empty-list store comparison returns 422 (Pydantic validation), not 400 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
108 lines
3.7 KiB
Python
108 lines
3.7 KiB
Python
"""FastAPI dependency injection for authentication.
|
|
|
|
Validates Better-Auth session tokens from cookies or Bearer header.
|
|
Sessions are verified by querying the shared sessions table directly.
|
|
"""
|
|
|
|
from datetime import UTC, datetime
|
|
|
|
from fastapi import Depends, Header, HTTPException, Request, status
|
|
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
|
|
from sqlalchemy import text
|
|
from sqlalchemy.ext.asyncio import AsyncSession
|
|
|
|
from cartsnitch_api.config import settings
|
|
from cartsnitch_api.database import get_db
|
|
|
|
# Keep Bearer scheme as optional — Better-Auth primarily uses cookies,
|
|
# but we support Bearer tokens for service-to-service or mobile clients.
|
|
bearer_scheme = HTTPBearer(auto_error=False)
|
|
|
|
# Better-Auth session cookie name
|
|
SESSION_COOKIE_NAME = "better-auth.session_token"
|
|
# Secure prefix used by better-auth on HTTPS deployments
|
|
SECURE_SESSION_COOKIE_NAME = "__Secure-better-auth.session_token"
|
|
|
|
|
|
async def _validate_session_token(token: str, db: AsyncSession) -> str:
|
|
"""Validate a Better-Auth session token against the sessions table.
|
|
|
|
Better-Auth stores the raw token in the DB. The cookie/Bearer header
|
|
carries the same raw token, so we compare directly.
|
|
"""
|
|
result = await db.execute(
|
|
text("SELECT user_id, expires_at FROM sessions WHERE token = :token"),
|
|
{"token": token},
|
|
)
|
|
row = result.first()
|
|
|
|
if not row:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="Invalid session token",
|
|
)
|
|
|
|
user_id, expires_at = row
|
|
# SQLite stores TIMESTAMP as TEXT and returns it as a string via raw
|
|
# SQL — normalise to a tz-aware datetime here so the comparison below
|
|
# works regardless of driver.
|
|
if isinstance(expires_at, str):
|
|
expires_at = datetime.fromisoformat(expires_at)
|
|
if expires_at.tzinfo is None:
|
|
# Treat naive datetimes as UTC
|
|
expires_at = expires_at.replace(tzinfo=UTC)
|
|
|
|
if expires_at < datetime.now(UTC):
|
|
raise HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="Session expired",
|
|
)
|
|
|
|
return str(user_id)
|
|
|
|
|
|
async def get_current_user(
|
|
request: Request,
|
|
credentials: HTTPAuthorizationCredentials | None = Depends(bearer_scheme),
|
|
db: AsyncSession = Depends(get_db),
|
|
) -> str:
|
|
"""Extract and validate the session token from cookie or Authorization header.
|
|
|
|
Checks in order:
|
|
1. Better-Auth session cookie (primary — web clients)
|
|
2. Bearer token in Authorization header (fallback — API clients)
|
|
"""
|
|
token: str | None = None
|
|
|
|
# 1. Check session cookie — prefer __Secure- variant (HTTPS) over plain (HTTP dev)
|
|
cookie_token = request.cookies.get(SECURE_SESSION_COOKIE_NAME) or request.cookies.get(
|
|
SESSION_COOKIE_NAME
|
|
)
|
|
if cookie_token:
|
|
# Better-Auth cookie format is "token.sessionId" — extract just the token part
|
|
token = cookie_token.split(".")[0] if "." in cookie_token else cookie_token
|
|
|
|
# 2. Fall back to Bearer header
|
|
if not token and credentials:
|
|
# Callers might pass the compound value here too
|
|
raw = credentials.credentials
|
|
token = raw.split(".")[0] if "." in raw else raw
|
|
|
|
if not token:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="Authentication required",
|
|
)
|
|
|
|
user_id = await _validate_session_token(token, db)
|
|
request.state.user_id = user_id
|
|
return user_id
|
|
|
|
|
|
async def verify_service_key(x_service_key: str = Header()) -> None:
|
|
if x_service_key != settings.service_key:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Invalid service key",
|
|
)
|