fix(auth): make users.hashed_password nullable

Better-Auth inserts into users without a hashed_password value (passwords are stored in the accounts table). This was causing a NOT NULL constraint violation and 422 FAILED_TO_CREATE_USER on sign-up. Revision ID: 003_make_users_hashed_password_nullable Resolves: CAR-172 Co-Authored-By: Paperclip <noreply@paperclip.ing>
fix: use same-origin default for auth URL instead of localhost
2026-03-30 19:10:43 +00:00 · 2026-03-30 16:07:28 +00:00 · 2026-03-30 15:50:51 +00:00 · 2026-03-30 15:20:56 +00:00 · 2026-03-30 13:12:32 +00:00 · 2026-03-30 11:00:52 +00:00
4 changed files with 61 additions and 4 deletions
@@ -111,6 +111,8 @@ jobs:
  build-and-push-auth:
    runs-on: runners-cartsnitch
    needs: [lint, test]
+    outputs:
+      calver_tag: ${{ steps.calver.outputs.version }}
    steps:
      - uses: actions/checkout@v4
        with:
@@ -161,7 +163,7 @@ jobs:

  deploy-dev:
    runs-on: runners-cartsnitch
-    needs: [build-and-push]
+    needs: [build-and-push, build-and-push-auth]
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    steps:
      - name: Generate GitHub App token
@@ -191,6 +193,7 @@ jobs:
        run: |
          cd infra/apps/overlays/dev
          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ needs.build-and-push.outputs.calver_tag }}
+          kustomize edit set image ghcr.io/cartsnitch/auth:${{ needs.build-and-push-auth.outputs.calver_tag }}

      - name: Commit and push to infra
        run: |
@@ -198,5 +201,5 @@ jobs:
          git config user.name "cartsnitch-ci[bot]"
          git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
          git add apps/overlays/dev/kustomization.yaml
-          git commit -m "ci(dev): update cartsnitch image to ${{ needs.build-and-push.outputs.calver_tag }}"
+          git commit -m "ci(dev): update cartsnitch and auth images to ${{ needs.build-and-push.outputs.calver_tag }}"
          git push origin main
@@ -0,0 +1,26 @@
+"""Make users.hashed_password nullable.
+
+Better-Auth inserts users without hashed_password (passwords live in the
+accounts table). This column is now purely optional.
+
+Revision ID: 003_make_users_hashed_password_nullable
+Revises: 002_better_auth_tables
+Create Date: 2026-03-30
+"""
+
+import sqlalchemy as sa
+
+from alembic import op
+
+revision = "003_make_users_hashed_password_nullable"
+down_revision = "002_better_auth_tables"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    op.alter_column("users", "hashed_password", existing_type=sa.String(255), nullable=True)
+
+
+def downgrade() -> None:
+    op.alter_column("users", "hashed_password", existing_type=sa.String(255), nullable=False)
@@ -21,7 +21,7 @@ class User(UUIDPrimaryKeyMixin, TimestampMixin, Base):
    __tablename__ = "users"

    email: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
-    hashed_password: Mapped[str] = mapped_column(String(255), nullable=False)
+    hashed_password: Mapped[str | None] = mapped_column(String(255), nullable=True)
    display_name: Mapped[str | None] = mapped_column(String(100))
    email_verified: Mapped[bool] = mapped_column(Boolean, nullable=False, server_default="false")
    image: Mapped[str | None] = mapped_column(Text, nullable=True)
@@ -1,8 +1,36 @@
 import { createAuthClient } from "better-auth/react"
+import type { BetterFetchPlugin } from "@better-fetch/fetch"
+
+/**
+ * Maps 'name' -> 'display_name' in register requests to match the API's RegisterRequest schema.
+ */
+const displayNameMapper: BetterFetchPlugin = {
+  id: "display-name-mapper",
+  name: "display-name-mapper",
+  hooks: {
+    onRequest: async (context) => {
+      const url = typeof context.url === "string" ? context.url : context.url.pathname
+      if (
+        url.endsWith("/auth/register") &&
+        context.method === "POST" &&
+        context.body &&
+        "name" in context.body
+      ) {
+        context.body = {
+          ...context.body,
+          display_name: context.body.name as string,
+          name: undefined,
+        }
+      }
+      return context
+    },
+  },
+}

 export const authClient = createAuthClient({
-  baseURL: import.meta.env.VITE_AUTH_URL ?? "http://localhost:3001",
+  baseURL: import.meta.env.VITE_AUTH_URL || "",
  basePath: "/auth",
+  fetchPlugins: [displayNameMapper],
 })

 export const { useSession, signIn, signUp, signOut } = authClient
Author	SHA1	Message	Date
Barcode Betty	146322f51e	fix(auth): make users.hashed_password nullable Better-Auth inserts into users without a hashed_password value (passwords are stored in the accounts table). This was causing a NOT NULL constraint violation and 422 FAILED_TO_CREATE_USER on sign-up. Revision ID: 003_make_users_hashed_password_nullable Resolves: CAR-172 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-30 19:10:43 +00:00
cartsnitch-engineer[bot]	835aff3522	fix: use same-origin default for auth URL instead of localhost fix: use same-origin default for auth URL instead of localhost	2026-03-30 16:07:28 +00:00
Barcode Betty	5588c1b5d8	fix: use same-origin default for auth URL instead of localhost Avoids ERR_CONNECTION_REFUSED in deployed environments where VITE_AUTH_URL is not set at build time. Empty-string fallback routes auth requests to same origin, which the HTTPRoute forwards to the auth service. cc @cpfarhood Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-30 15:50:51 +00:00
cartsnitch-ceo[bot]	c5ed863ab1	fix: align frontend auth with API token response contract fix: align frontend auth with API token response contract	2026-03-30 15:20:56 +00:00
Barcode Betty	8d0552f73f	Merge branch 'origin/main' into fix/auth-contract-mismatch # Conflicts: # src/pages/Login.tsx # src/pages/Register.tsx	2026-03-30 13:12:32 +00:00
Barcode Betty	3a75ee7aee	fix: align frontend auth with API token response contract - Register sends display_name instead of name - Register/Login handle TokenResponse (access_token, not token) - Fetch /auth/me after register/login to populate user object Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-30 11:00:52 +00:00
cartsnitch-engineer[bot]	30d670a257	feat(ci): add auth image tag update to deploy-dev (#57 ) Add build-and-push-auth job dependency and tag update to deploy-dev: - build-and-push-auth: add outputs.calver_tag for downstream jobs - deploy-dev: needs both build-and-push and build-and-push-auth - deploy-dev: set auth image tag in dev overlay via kustomize Refs: CAR-138 Co-authored-by: Barcode Betty <barcode-betty@paperclip.ing> Co-authored-by: Paperclip <noreply@paperclip.ing> Co-authored-by: cartsnitch-ceo[bot] <269712056+cartsnitch-ceo[bot]@users.noreply.github.com>	2026-03-30 09:59:41 +00:00