Merge main into fix/npm-audit-vulnerabilities

- Override brace-expansion to >=1.1.13 to resolve GHSA-f886-m6hf-6m8v
- Override lodash to >=4.17.24 to resolve GHSA-r5fr-rjxr-66jc and GHSA-f23m-r3pf-42rh
- Override minimatch to ^10.2.4 to maintain compatibility with brace-expansion@5.x

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.github/workflows/ci.yml

@@ -334,7 +334,7 @@ jobs:
       - name: Build and push API Docker image
         uses: docker/build-push-action@v6
         with:
-          context: ./api
+          context: .
           file: ./api/Dockerfile
           push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
           tags: ${{ steps.meta.outputs.tags }}
@@ -399,67 +399,4 @@ jobs:
           git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
           git add apps/overlays/dev/kustomization.yaml
           git commit -m "ci(dev): update cartsnitch, auth, receiptwitness, and api images"
-          git pull --rebase origin main
-          git push origin main
-
-  deploy-uat:
-    runs-on: runners-cartsnitch
-    needs: [build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api]
-    if: always() && !cancelled() && github.event_name == 'push' && github.ref == 'refs/heads/main'
-    steps:
-      - name: Generate GitHub App token
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
-          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
-          repositories: infra
-
-      - name: Checkout infra repo
-        uses: actions/checkout@v4
-        with:
-          repository: cartsnitch/infra
-          token: ${{ steps.app-token.outputs.token }}
-          ref: main
-          path: infra
-
-      - name: Install kubectl
-        uses: azure/setup-kubectl@v4
-
-      - name: Install kustomize
-        uses: imranismail/setup-kustomize@v2
-
-      - name: Update frontend image tag
-        if: needs.build-and-push.result == 'success'
-        run: |
-          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ needs.build-and-push.outputs.calver_tag }}
-
-      - name: Update auth image tag
-        if: needs.build-and-push-auth.result == 'success'
-        run: |
-          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/auth:${{ needs.build-and-push-auth.outputs.calver_tag }}
-
-      - name: Update receiptwitness image tag
-        if: needs.build-and-push-receiptwitness.result == 'success'
-        run: |
-          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}
-
-      - name: Update api image tag
-        if: needs.build-and-push-api.result == 'success'
-        run: |
-          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/api:${{ needs.build-and-push-api.outputs.calver_tag }}
-
-      - name: Commit and push to infra
-        run: |
-          cd infra
-          git config user.name "cartsnitch-ci[bot]"
-          git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
-          git add apps/overlays/uat/kustomization.yaml
-          git commit -m "ci(uat): update cartsnitch, auth, receiptwitness, and api images"
-          git pull --rebase origin main
           git push origin main

api/src/cartsnitch_api/auth/routes.py

@@ -22,6 +22,11 @@ from cartsnitch_api.services.auth import AuthService
 router = APIRouter(prefix="/auth", tags=["auth"])
 
 
+class EmailInAddressResponse(BaseModel):
+    email_address: str
+    instructions: str
+
+
 @router.get("/me", response_model=UserResponse)
 async def get_me(
     user_id: str = Depends(get_current_user),
@@ -65,3 +70,23 @@ async def delete_me(
         raise HTTPException(
             status_code=status.HTTP_404_NOT_FOUND, detail="User not found"
         ) from None
+
+
+@router.get("/me/email-in-address", response_model=EmailInAddressResponse)
+async def get_email_in_address(
+    user_id: str = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db),
+):
+    result = await db.execute(select(User.email_inbound_token).where(User.id == user_id))
+    token = result.scalar_one_or_none()
+    if not token:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND, detail="Email inbound token not found"
+        ) from None
+    return EmailInAddressResponse(
+        email_address=f"receipts+{token}@receipts.cartsnitch.com",
+        instructions=(
+            "Forward your digital receipt emails to this address. "
+            "We currently support Meijer, Kroger, and Target receipt emails."
+        ),
+    )

api/src/cartsnitch_api/routes/user.py

@@ -19,13 +19,7 @@ async def get_email_in_address(
     svc = AuthService(db)
     try:
         email_address = await svc.get_email_in_address(user_id)
-        return EmailInAddressResponse(
-            email_address=email_address,
-            instructions=(
-                "Forward your digital receipt emails to this address. "
-                "We currently support Meijer, Kroger, and Target receipt emails."
-            ),
-        )
+        return EmailInAddressResponse(email_address=email_address)
     except LookupError:
         raise HTTPException(
             status_code=status.HTTP_404_NOT_FOUND, detail="User not found"

api/src/cartsnitch_api/schemas.py

@@ -24,7 +24,6 @@ class UserResponse(BaseModel):
 
 class EmailInAddressResponse(BaseModel):
     email_address: str
-    instructions: str
 
 
 # ---------- Stores ----------

api/src/cartsnitch_api/services/auth.py

@@ -76,4 +76,4 @@ class AuthService:
         if not user:
             raise LookupError("User not found")
 
-        return f"receipts+{user.email_inbound_token}@receipts.cartsnitch.com"
+        return f"{user.email_inbound_token}@email.cartsnitch.com"

api/tests/test_e2e/test_email_in_address.py

@@ -1,4 +1,4 @@
-"""Tests for GET /api/v1/me/email-in-address endpoint."""
+"""Tests for GET /auth/me/email-in-address endpoint."""
 
 import pytest
 from httpx import AsyncClient
@@ -8,7 +8,7 @@ from httpx import AsyncClient
 async def test_get_email_in_address_authenticated(client: AsyncClient, auth_headers: dict):
     """Authenticated user gets their email-in address."""
     response = await client.get(
-        "/api/v1/me/email-in-address",
+        "/auth/me/email-in-address",
         headers=auth_headers,
     )
 
@@ -27,7 +27,7 @@ async def test_get_email_in_address_authenticated(client: AsyncClient, auth_head
 @pytest.mark.asyncio
 async def test_get_email_in_address_unauthenticated(client: AsyncClient):
     """Unauthenticated request returns 401."""
-    response = await client.get("/api/v1/me/email-in-address")
+    response = await client.get("/auth/me/email-in-address")
     assert response.status_code == 401
 
 
@@ -35,7 +35,7 @@ async def test_get_email_in_address_unauthenticated(client: AsyncClient):
 async def test_get_email_in_address_invalid_token(client: AsyncClient):
     """Invalid JWT token returns 401."""
     response = await client.get(
-        "/api/v1/me/email-in-address",
+        "/auth/me/email-in-address",
         headers={"Authorization": "Bearer invalid-token-xyz"},
     )
     assert response.status_code == 401
@@ -45,7 +45,7 @@ async def test_get_email_in_address_invalid_token(client: AsyncClient):
 async def test_email_address_format(client: AsyncClient, auth_headers: dict):
     """Email address format is receipts+{22-char-urlsafe-token}@receipts.cartsnitch.com."""
     response = await client.get(
-        "/api/v1/me/email-in-address",
+        "/auth/me/email-in-address",
         headers=auth_headers,
     )
 

common/alembic/versions/001_add_email_inbound_token.py

@@ -1,37 +0,0 @@
-"""Add email_inbound_token to users.
-
-Revision ID: 001_add_email_inbound_token
-Revises:
-Create Date: 2026-04-02
-"""
-
-from collections.abc import Sequence
-
-import sqlalchemy as sa
-
-from alembic import op
-
-revision: str = "001_add_email_inbound_token"
-down_revision: str | None = None
-branch_labels: str | Sequence[str] | None = None
-depends_on: str | Sequence[str] | None = None
-
-
-def upgrade() -> None:
-    op.add_column("users", sa.Column("email_inbound_token", sa.String(22), nullable=True))
-    op.create_unique_constraint("uq_users_email_inbound_token", "users", ["email_inbound_token"])
-
-    # Backfill existing users with generated tokens (PostgreSQL)
-    op.execute(
-        "UPDATE users SET email_inbound_token = "
-        "substring(replace(gen_random_uuid()::text, '-', ''), 1, 22) "
-        "WHERE email_inbound_token IS NULL"
-    )
-
-    # Alter to non-nullable
-    op.alter_column("users", "email_inbound_token", nullable=False)
-
-
-def downgrade() -> None:
-    op.drop_constraint("uq_users_email_inbound_token", "users", type_="unique")
-    op.drop_column("users", "email_inbound_token")

common/src/cartsnitch_common/models/user.py

@@ -1,6 +1,5 @@
 """User and UserStoreAccount models."""
 
-import secrets
 import uuid
 from datetime import datetime
 from typing import TYPE_CHECKING
@@ -22,9 +21,6 @@ class User(UUIDPrimaryKeyMixin, TimestampMixin, Base):
     __tablename__ = "users"
 
     email: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
-    email_inbound_token: Mapped[str] = mapped_column(
-        String(22), nullable=False, unique=True, default=lambda: secrets.token_urlsafe(16)
-    )
     hashed_password: Mapped[str | None] = mapped_column(String(255), nullable=True)
     display_name: Mapped[str | None] = mapped_column(String(100))
     email_verified: Mapped[bool] = mapped_column(Boolean, nullable=False, server_default="false")

common/src/cartsnitch_common/schemas/user.py

@@ -20,7 +20,6 @@ class UserRead(BaseModel):
     id: uuid.UUID
     email: str
     display_name: str | None
-    email_inbound_token: str
     created_at: datetime
     updated_at: datetime
 

common/tests/test_models.py

@@ -147,40 +147,6 @@ class TestStoreLocationModel:
         assert loc.lat == pytest.approx(42.2808)
 
 
-class TestUserModel:
-    def test_email_inbound_token_auto_populated(self, session):
-        user = User(
-            id=uuid.uuid4(),
-            email="token_test@example.com",
-            hashed_password="hashed",
-            created_at=datetime.now(UTC),
-            updated_at=datetime.now(UTC),
-        )
-        session.add(user)
-        session.commit()
-        assert user.email_inbound_token is not None
-        assert len(user.email_inbound_token) == 22
-
-    def test_email_inbound_token_unique(self, session):
-        user1 = User(
-            id=uuid.uuid4(),
-            email="user1@example.com",
-            hashed_password="hashed",
-            created_at=datetime.now(UTC),
-            updated_at=datetime.now(UTC),
-        )
-        user2 = User(
-            id=uuid.uuid4(),
-            email="user2@example.com",
-            hashed_password="hashed",
-            created_at=datetime.now(UTC),
-            updated_at=datetime.now(UTC),
-        )
-        session.add_all([user1, user2])
-        session.commit()
-        assert user1.email_inbound_token != user2.email_inbound_token
-
-
 class TestUserStoreAccountModel:
     def test_account_status_enum(self, session):
         user = User(