fix(api): revert SHA-256 session token hashing — better-auth stores raw tokens

Better-auth v1.5.6 stores raw 32-char tokens in sessions.token, not SHA-256 hashes. The SHA-256 fix from PR #136 causes all authenticated API calls to return 401 because the UAT sessions table contains raw tokens. - Remove hashlib from dependencies.py; compare tokens directly - Remove hashlib from conftest.py; store raw tokens in test DB - Remove hashlib from test_expired_session_rejected; use raw tokens Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix(api): hash session token with SHA-256 before DB lookup (#136 )
2026-04-04 19:21:26 +00:00 · 2026-04-04 19:06:30 +00:00 · 2026-04-04 19:01:09 +00:00 · 2026-04-04 19:00:09 +00:00 · 2026-04-04 18:48:30 +00:00 · 2026-04-04 18:40:22 +00:00
3 changed files with 10 additions and 5 deletions
@@ -31,6 +31,7 @@ def run_migrations_offline() -> None:
        target_metadata=target_metadata,
        literal_binds=True,
        dialect_opts={"paramstyle": "named"},
+        version_table_column_width=128,
    )
    with context.begin_transaction():
        context.run_migrations()
@@ -44,7 +45,7 @@ def run_migrations_online() -> None:
        poolclass=pool.NullPool,
    )
    with connectable.connect() as connection:
-        context.configure(connection=connection, target_metadata=target_metadata)
+        context.configure(connection=connection, target_metadata=target_metadata, version_table_column_width=128)
        with context.begin_transaction():
            context.run_migrations()
        # Create any tables defined in models but not yet created by migrations.
@@ -19,12 +19,15 @@ bearer_scheme = HTTPBearer(auto_error=False)

 # Better-Auth session cookie name
 SESSION_COOKIE_NAME = "better-auth.session_token"
+# Secure prefix used by better-auth on HTTPS deployments
+SECURE_SESSION_COOKIE_NAME = "__Secure-better-auth.session_token"


 async def _validate_session_token(token: str, db: AsyncSession) -> str:
    """Validate a Better-Auth session token against the sessions table.

-    Returns the user_id (as str) if the session is valid and not expired.
+    Better-Auth stores the raw token in the DB. The cookie/Bearer header
+    carries the same raw token, so we compare directly.
    """
    result = await db.execute(
        text("SELECT user_id, expires_at FROM sessions WHERE token = :token"),
@@ -65,8 +68,8 @@ async def get_current_user(
    """
    token: str | None = None

-    # 1. Check session cookie
-    cookie_token = request.cookies.get(SESSION_COOKIE_NAME)
+    # 1. Check session cookie — prefer __Secure- variant (HTTPS) over plain (HTTP dev)
+    cookie_token = request.cookies.get(SECURE_SESSION_COOKIE_NAME) or request.cookies.get(SESSION_COOKIE_NAME)
    if cookie_token:
        token = cookie_token

@@ -136,7 +136,8 @@ async def client(db_engine):
 async def _create_test_user_and_session(client: AsyncClient, db_engine, **user_overrides) -> tuple[dict, str]:
    """Create a test user and a valid session directly in the DB.

-    Returns (user_dict, session_token).
+    Returns (user_dict, session_token).  Better-Auth stores the raw token
+    in the DB, so we insert it as-is.
    """
    user_id = str(uuid.uuid4())
    email = user_overrides.get("email", "test@example.com")
Author	SHA1	Message	Date
Barcode Betty	25edd8d5e3	fix(api): revert SHA-256 session token hashing — better-auth stores raw tokens Better-auth v1.5.6 stores raw 32-char tokens in sessions.token, not SHA-256 hashes. The SHA-256 fix from PR #136 causes all authenticated API calls to return 401 because the UAT sessions table contains raw tokens. - Remove hashlib from dependencies.py; compare tokens directly - Remove hashlib from conftest.py; store raw tokens in test DB - Remove hashlib from test_expired_session_rejected; use raw tokens Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-04 19:21:26 +00:00
cartsnitch-cto[bot]	bd3cb3b9ab	fix(api): hash session token with SHA-256 before DB lookup (#136 ) fix(api): hash session token with SHA-256 before DB lookup	2026-04-04 19:06:30 +00:00
cartsnitch-cto[bot]	3bedc651c6	Merge pull request #133 from cartsnitch/fix/alembic-version-table-width fix(api): widen alembic version_table column to 128 chars	2026-04-04 19:01:09 +00:00
Barcode Betty	138033be9b	fix(api): hash session token with SHA-256 before DB lookup Better-Auth v1.2+ stores SHA-256(raw_token) in the sessions.token column. The cookie/Bearer header carries the raw token, so the API was doing a plain-text lookup that would never match a hashed value — causing all authenticated endpoints to return 401. - Add hashlib import and hash token in _validate_session_token() - Update conftest._create_test_user_and_session() to store hashed tokens - Update test_expired_session_rejected() to store hashed tokens Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 19:00:09 +00:00
cartsnitch-cto[bot]	8ddefe82e4	fix: read __Secure- prefixed session cookie in API auth (#134 ) fix: read __Secure- prefixed session cookie in API auth	2026-04-04 18:48:30 +00:00
Barcode Betty	def921f115	fix(api): read __Secure- prefixed session cookie in auth Better-auth sets the session cookie with the __Secure- prefix on HTTPS deployments. The API was only reading the plain cookie name, causing all authenticated calls to return 401 in dev/UAT/prod environments. Check __Secure-better-auth.session_token first, fall back to better-auth.session_token for HTTP local dev compatibility. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 18:40:22 +00:00
Pawla Abdul	43ee1c3531	fix(api): widen alembic version_table column to 128 chars Default varchar(32) alembic_version column truncates long revision IDs like 003_make_users_hashed_password_nullable (39 chars) on fresh databases. Set version_table_column_width=128 in both context.configure() calls. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 18:32:36 +00:00
cartsnitch-cto[bot]	f03d7a33c8	Merge pull request #131 from cartsnitch/betty/fix-uat-users-table-bootstrap fix(api): bootstrap users table in migration 007 + harden create_all	2026-04-04 17:34:32 +00:00