fix(api): accept DATABASE_URL as fallback for shared DB with auth service

API config.py now reads CARTSNITCH_DATABASE_URL first, falls back to DATABASE_URL (which the infra K8s overlay sets for all pods), and finally falls back to the hardcoded default. Also normalizes plain postgresql:// to postgresql+asyncpg:// for the asyncpg driver. Fixes CAR-510. Co-Authored-By: Paperclip <noreply@paperclip.ing>
Merge pull request #139 from cartsnitch/betty/revert-sha256-session-hash
2026-04-04 19:52:24 +00:00 · 2026-04-04 19:25:23 +00:00 · 2026-04-04 19:21:26 +00:00 · 2026-04-04 19:06:30 +00:00 · 2026-04-04 19:01:09 +00:00 · 2026-04-04 19:00:09 +00:00
5 changed files with 70 additions and 7 deletions
@@ -31,6 +31,7 @@ def run_migrations_offline() -> None:
        target_metadata=target_metadata,
        literal_binds=True,
        dialect_opts={"paramstyle": "named"},
+        version_table_column_width=128,
    )
    with context.begin_transaction():
        context.run_migrations()
@@ -44,7 +45,7 @@ def run_migrations_online() -> None:
        poolclass=pool.NullPool,
    )
    with connectable.connect() as connection:
-        context.configure(connection=connection, target_metadata=target_metadata)
+        context.configure(connection=connection, target_metadata=target_metadata, version_table_column_width=128)
        with context.begin_transaction():
            context.run_migrations()
        # Create any tables defined in models but not yet created by migrations.
@@ -19,12 +19,15 @@ bearer_scheme = HTTPBearer(auto_error=False)

 # Better-Auth session cookie name
 SESSION_COOKIE_NAME = "better-auth.session_token"
+# Secure prefix used by better-auth on HTTPS deployments
+SECURE_SESSION_COOKIE_NAME = "__Secure-better-auth.session_token"


 async def _validate_session_token(token: str, db: AsyncSession) -> str:
    """Validate a Better-Auth session token against the sessions table.

-    Returns the user_id (as str) if the session is valid and not expired.
+    Better-Auth stores the raw token in the DB. The cookie/Bearer header
+    carries the same raw token, so we compare directly.
    """
    result = await db.execute(
        text("SELECT user_id, expires_at FROM sessions WHERE token = :token"),
@@ -65,8 +68,8 @@ async def get_current_user(
    """
    token: str | None = None

-    # 1. Check session cookie
-    cookie_token = request.cookies.get(SESSION_COOKIE_NAME)
+    # 1. Check session cookie — prefer __Secure- variant (HTTPS) over plain (HTTP dev)
+    cookie_token = request.cookies.get(SECURE_SESSION_COOKIE_NAME) or request.cookies.get(SESSION_COOKIE_NAME)
    if cookie_token:
        token = cookie_token

@@ -1,13 +1,16 @@
 import base64

-from pydantic import model_validator
+from pydantic import AliasChoices, Field, model_validator
 from pydantic_settings import BaseSettings


 class Settings(BaseSettings):
    model_config = {"env_prefix": "CARTSNITCH_"}

-    database_url: str = "postgresql+asyncpg://cartsnitch:cartsnitch@localhost:5432/cartsnitch"
+    database_url: str = Field(
+        default="postgresql+asyncpg://cartsnitch:cartsnitch@localhost:5432/cartsnitch",
+        validation_alias=AliasChoices("CARTSNITCH_DATABASE_URL", "DATABASE_URL"),
+    )
    redis_url: str = "redis://localhost:6379/0"

    jwt_secret_key: str = "change-me-in-production"
@@ -49,5 +52,12 @@ class Settings(BaseSettings):
            ) from None
        return self

+    @model_validator(mode="after")
+    def normalize_database_url(self):
+        """Normalize postgresql:// → postgresql+asyncpg:// for the asyncpg driver."""
+        if self.database_url.startswith("postgresql://"):
+            self.database_url = self.database_url.replace("postgresql://", "postgresql+asyncpg://", 1)
+        return self
+

 settings = Settings()
@@ -136,7 +136,8 @@ async def client(db_engine):
 async def _create_test_user_and_session(client: AsyncClient, db_engine, **user_overrides) -> tuple[dict, str]:
    """Create a test user and a valid session directly in the DB.

-    Returns (user_dict, session_token).
+    Returns (user_dict, session_token).  Better-Auth stores the raw token
+    in the DB, so we insert it as-is.
    """
    user_id = str(uuid.uuid4())
    email = user_overrides.get("email", "test@example.com")
@@ -0,0 +1,48 @@
+"""Tests for Settings config, specifically the database_url env var fallback."""
+
+import os
+
+from cartsnitch_api.config import Settings
+
+
+def test_database_url_prefers_cartsnitch_prefix():
+    """CARTSNITCH_DATABASE_URL takes precedence over DATABASE_URL."""
+    env = {
+        "CARTSNITCH_DATABASE_URL": "postgresql+asyncpg://user1:pass1@host1:5432/db1",
+        "DATABASE_URL": "postgresql://user2:pass2@host2:5432/db2",
+    }
+    settings = Settings(**env)
+    assert settings.database_url == "postgresql+asyncpg://user1:pass1@host1:5432/db1"
+
+
+def test_database_url_falls_back_to_database_url():
+    """When CARTSNITCH_DATABASE_URL is absent, DATABASE_URL is accepted."""
+    env = {
+        "DATABASE_URL": "postgresql://user:pass@dbhost:5432/mydb",
+    }
+    settings = Settings(**env)
+    assert settings.database_url == "postgresql+asyncpg://user:pass@dbhost:5432/mydb"
+
+
+def test_database_url_normalizes_plain_postgresql_prefix():
+    """DATABASE_URL with plain postgresql:// is normalized to postgresql+asyncpg://."""
+    env = {
+        "DATABASE_URL": "postgresql://cartsnitch:cartsnitch@localhost:5432/cartsnitch",
+    }
+    settings = Settings(**env)
+    assert settings.database_url == "postgresql+asyncpg://cartsnitch:cartsnitch@localhost:5432/cartsnitch"
+
+
+def test_database_url_preserves_asyncpg_prefix():
+    """CARTSNITCH_DATABASE_URL with postgresql+asyncpg:// is left unchanged."""
+    env = {
+        "CARTSNITCH_DATABASE_URL": "postgresql+asyncpg://cartsnitch:cartsnitch@localhost:5432/cartsnitch",
+    }
+    settings = Settings(**env)
+    assert settings.database_url == "postgresql+asyncpg://cartsnitch:cartsnitch@localhost:5432/cartsnitch"
+
+
+def test_database_url_default():
+    """When neither env var is set, the hardcoded default is used."""
+    settings = Settings()
+    assert settings.database_url == "postgresql+asyncpg://cartsnitch:cartsnitch@localhost:5432/cartsnitch"
Author	SHA1	Message	Date
Barcode Betty	ec9deb515b	fix(api): accept DATABASE_URL as fallback for shared DB with auth service API config.py now reads CARTSNITCH_DATABASE_URL first, falls back to DATABASE_URL (which the infra K8s overlay sets for all pods), and finally falls back to the hardcoded default. Also normalizes plain postgresql:// to postgresql+asyncpg:// for the asyncpg driver. Fixes CAR-510. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 19:52:24 +00:00
cartsnitch-cto[bot]	cfed9b0482	Merge pull request #139 from cartsnitch/betty/revert-sha256-session-hash fix(api): revert SHA-256 session token hashing — better-auth stores raw tokens	2026-04-04 19:25:23 +00:00
Barcode Betty	25edd8d5e3	fix(api): revert SHA-256 session token hashing — better-auth stores raw tokens Better-auth v1.5.6 stores raw 32-char tokens in sessions.token, not SHA-256 hashes. The SHA-256 fix from PR #136 causes all authenticated API calls to return 401 because the UAT sessions table contains raw tokens. - Remove hashlib from dependencies.py; compare tokens directly - Remove hashlib from conftest.py; store raw tokens in test DB - Remove hashlib from test_expired_session_rejected; use raw tokens Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-04 19:21:26 +00:00
cartsnitch-cto[bot]	bd3cb3b9ab	fix(api): hash session token with SHA-256 before DB lookup (#136 ) fix(api): hash session token with SHA-256 before DB lookup	2026-04-04 19:06:30 +00:00
cartsnitch-cto[bot]	3bedc651c6	Merge pull request #133 from cartsnitch/fix/alembic-version-table-width fix(api): widen alembic version_table column to 128 chars	2026-04-04 19:01:09 +00:00
Barcode Betty	138033be9b	fix(api): hash session token with SHA-256 before DB lookup Better-Auth v1.2+ stores SHA-256(raw_token) in the sessions.token column. The cookie/Bearer header carries the raw token, so the API was doing a plain-text lookup that would never match a hashed value — causing all authenticated endpoints to return 401. - Add hashlib import and hash token in _validate_session_token() - Update conftest._create_test_user_and_session() to store hashed tokens - Update test_expired_session_rejected() to store hashed tokens Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 19:00:09 +00:00
cartsnitch-cto[bot]	8ddefe82e4	fix: read __Secure- prefixed session cookie in API auth (#134 ) fix: read __Secure- prefixed session cookie in API auth	2026-04-04 18:48:30 +00:00
Barcode Betty	def921f115	fix(api): read __Secure- prefixed session cookie in auth Better-auth sets the session cookie with the __Secure- prefix on HTTPS deployments. The API was only reading the plain cookie name, causing all authenticated calls to return 401 in dev/UAT/prod environments. Check __Secure-better-auth.session_token first, fall back to better-auth.session_token for HTTP local dev compatibility. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 18:40:22 +00:00
Pawla Abdul	43ee1c3531	fix(api): widen alembic version_table column to 128 chars Default varchar(32) alembic_version column truncates long revision IDs like 003_make_users_hashed_password_nullable (39 chars) on fresh databases. Set version_table_column_width=128 in both context.configure() calls. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 18:32:36 +00:00
cartsnitch-cto[bot]	f03d7a33c8	Merge pull request #131 from cartsnitch/betty/fix-uat-users-table-bootstrap fix(api): bootstrap users table in migration 007 + harden create_all	2026-04-04 17:34:32 +00:00