fix(api): hash session token before DB lookup to match Better-Auth storage

Better-Auth v1.5.6+ stores session tokens as SHA-256 hashes in the sessions table. The raw token from the cookie was being queried directly, causing all authenticated /api/v1/* requests to return 401. Fixes CAR-313. Co-Authored-By: Paperclip <noreply@paperclip.ing>
fix(api): mount data routers under /api/v1 prefix
2026-04-01 02:09:55 +00:00 · 2026-04-01 01:50:20 +00:00 · 2026-04-01 01:45:37 +00:00 · 2026-03-31 23:56:20 +00:00 · 2026-03-31 23:14:04 +00:00 · 2026-03-31 23:08:22 +00:00
6 changed files with 44 additions and 18 deletions
@@ -95,7 +95,7 @@ jobs:
        run: |
          CHROME_PATH=$(find /home/runner/.cache/ms-playwright -name chrome -type f 2>/dev/null | head -1)
          npm install -g @lhci/cli
-          LHCI_CHROME_PATH="$CHROME_PATH" lhci autorun
+          CHROME_PATH="$CHROME_PATH" lhci autorun --chrome-flags="--headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage"

  build-and-push:
    runs-on: runners-cartsnitch
@@ -5,6 +5,7 @@ Sessions are verified by querying the shared sessions table directly.
 """

 from datetime import UTC, datetime
+from hashlib import sha256
 from uuid import UUID

 from fastapi import Cookie, Depends, Header, HTTPException, Request, status
@@ -27,10 +28,13 @@ async def _validate_session_token(token: str, db: AsyncSession) -> UUID:
    """Validate a Better-Auth session token against the sessions table.

    Returns the user_id (as UUID) if the session is valid and not expired.
+    Better-Auth v1.5.6+ stores tokens as SHA-256 hashes, so we hash the
+    incoming raw token before querying.
    """
+    hashed_token = sha256(token.encode("utf-8")).hexdigest()
    result = await db.execute(
        text("SELECT user_id, expires_at FROM sessions WHERE token = :token"),
-        {"token": token},
+        {"token": hashed_token},
    )
    row = result.first()

@@ -2,7 +2,7 @@

 from contextlib import asynccontextmanager

-from fastapi import FastAPI
+from fastapi import APIRouter, FastAPI

 from cartsnitch_api.auth.routes import router as auth_router
 from cartsnitch_api.middleware.cors import add_cors_middleware
@@ -46,15 +46,19 @@ def create_app() -> FastAPI:
    # Routers
    app.include_router(health_router)
    app.include_router(auth_router)
-    app.include_router(stores_router)
-    app.include_router(purchases_router)
-    app.include_router(products_router)
-    app.include_router(prices_router)
-    app.include_router(coupons_router)
-    app.include_router(shopping_router)
-    app.include_router(alerts_router)
-    app.include_router(scraping_router)
-    app.include_router(public_router)
+
+    # Data endpoints mounted under /api/v1
+    v1_router = APIRouter(prefix="/api/v1")
+    v1_router.include_router(stores_router)
+    v1_router.include_router(purchases_router)
+    v1_router.include_router(products_router)
+    v1_router.include_router(prices_router)
+    v1_router.include_router(coupons_router)
+    v1_router.include_router(shopping_router)
+    v1_router.include_router(alerts_router)
+    v1_router.include_router(scraping_router)
+    v1_router.include_router(public_router)
+    app.include_router(v1_router)

    return app

@@ -3,7 +3,12 @@
    "collect": {
      "staticDistDir": "./dist",
      "url": ["http://localhost:4173/"],
-      "numberOfRuns": 1
+      "numberOfRuns": 1,
+      "settings": {
+        "chromeFlags": ["--headless=new", "--no-sandbox", "--disable-gpu", "--disable-dev-shm-usage"],
+        "skipAudits": ["bf-cache"],
+        "disableFullPageScreenshot": true
+      }
    },
    "assert": {
      "assertions": {
@@ -16,4 +21,4 @@
      "target": "temporary-public-storage"
    }
  }
-}
+}
@@ -31,8 +31,14 @@ export function Login() {
        throw new Error(authError.message ?? 'Sign in failed')
      }

-      setAuthenticated(true)
-      navigate('/')
+      // After successful signIn, force a session fetch to confirm the cookie is set
+      // before navigating to the protected route
+      const sessionResult = await authClient.getSession()
+      if (sessionResult.data) {
+        navigate('/')
+      } else {
+        setError('Sign in failed. Please try again.')
+      }
    } catch {
      if (import.meta.env.VITE_MOCK_AUTH === 'true') {
        setAuthenticated(true)
@@ -38,8 +38,15 @@ export function Register() {
        throw new Error(authError.message ?? 'Registration failed')
      }

-      setAuthenticated(true)
-      navigate('/')
+      // After successful signUp, force a session fetch to confirm the cookie is set
+      // before navigating to the protected route
+      const sessionResult = await authClient.getSession()
+      if (sessionResult.data) {
+        navigate('/')
+      } else {
+        // Session not established — show success message and link to login
+        setError('Account created! Please sign in.')
+      }
    } catch {
      if (import.meta.env.VITE_MOCK_AUTH === 'true') {
        setAuthenticated(true)
Author	SHA1	Message	Date
CartSnitch Engineer Bot	d475b3876a	fix(api): hash session token before DB lookup to match Better-Auth storage Better-Auth v1.5.6+ stores session tokens as SHA-256 hashes in the sessions table. The raw token from the cookie was being queried directly, causing all authenticated /api/v1/* requests to return 401. Fixes CAR-313. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-01 02:09:55 +00:00
cartsnitch-qa[bot]	76bcc53992	fix(api): mount data routers under /api/v1 prefix Merges fix for CAR-310 / CAR-161 UAT failure. QA approved, CTO approved, CI green.	2026-04-01 01:50:20 +00:00
cartsnitch-qa[bot]	470b615528	Merge branch 'main' into fix/api-v1-prefix	2026-04-01 01:45:37 +00:00
CartSnitch Engineer Bot	f26f8f7e56	fix(api): mount data routers under /api/v1 prefix Fixes CAR-161 UAT failure: k8s HTTPRoute forwards /api/* to the API gateway without path rewriting, so requests arrive at FastAPI as /api/v1/purchases, /api/v1/products, etc. FastAPI previously mounted data routers at root, causing 404s on all /api/v1/* calls. Keep health and auth routers at root (probes hit /health directly; auth traffic is routed to the auth service via HTTPRoute). Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 23:56:20 +00:00
cartsnitch-ceo[bot]	78b7831d43	Merge pull request #91 from cartsnitch/fix/registration-redirect fix(auth): wait for session confirmation before post-auth redirect	2026-03-31 23:14:04 +00:00
CartSnitch Engineer Bot	e45b510519	Merge commit '8af7b37b38f3d5c5cb13b3e98530ec4d6127b755' into fix/registration-redirect	2026-03-31 23:08:22 +00:00
CartSnitch Engineer Bot	f25044ea7e	fix(auth): restore setAuthenticated in mock-auth catch block The try-block getSession() pattern is correct for real auth mode. The mock-auth catch block (VITE_MOCK_AUTH) still needs to set the Zustand flag so ProtectedRoute respects the authenticated state. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 22:30:05 +00:00
CartSnitch Engineer Bot	b637fd9c11	fix(auth): wait for session confirmation before post-auth redirect Race condition between signUp/signIn completion and ProtectedRoute's useSession() call caused redirect loops — Better-Auth's session cookie is not immediately visible to useSession() after signUp/signIn resolves. Fix: call authClient.getSession() explicitly after signUp/signIn to synchronize before navigating to protected routes. Fall back to error message if session not confirmed. Also removes dead setAuthenticated() calls that only work in mock mode. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 22:11:20 +00:00
cartsnitch-engineer[bot]	983ee2c398	fix(ci): disable FullPageScreenshot gatherer to prevent Chrome crash Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 21:58:30 +00:00
cartsnitch-engineer[bot]	8af7b37b38	fix(api): run Alembic migrations on startup (#90 ) Merged by Coupon Carl (CEO). QA approved, CTO approved. CI green (lighthouse failure is known/tracked). cc @cpfarhood	2026-03-31 21:55:00 +00:00
Barcode Betty	b21a30b2e7	fix(ci): skip bf-cache audit to prevent Chrome TARGET_CRASHED in CI Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 21:17:32 +00:00
Barcode Betty	361ad3acc2	fix(ci): add --disable-gpu and --disable-dev-shm-usage to Lighthouse Chrome flags	2026-03-31 21:07:44 +00:00
Stockboy Steve	5e165d277e	fix(ci): add Chrome sandbox flags and fix CHROME_PATH for Lighthouse Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 20:48:19 +00:00