fix(auth): revert store_id to uuid.UUID in user schemas

CTO review feedback: store_id must remain uuid.UUID since Store model still uses UUIDPrimaryKeyMixin. Only user_id changes to str. Co-Authored-By: Paperclip <noreply@paperclip.ing>
fix(auth): add alembic migration to change users.id and user_id FKs from uuid to text
2026-03-31 17:44:20 +00:00 · 2026-03-31 17:32:00 +00:00 · 2026-03-31 17:15:31 +00:00 · 2026-03-31 15:23:45 +00:00 · 2026-03-31 04:47:17 +00:00 · 2026-03-31 04:43:45 +00:00
11 changed files with 187 additions and 9 deletions
@@ -46,6 +46,31 @@ jobs:
      - name: Run tests
        run: npx vitest run

+  lighthouse:
+    runs-on: runners-cartsnitch
+    needs: [test]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: npm
+      - run: npm ci
+      - run: npm run build
+      - name: Install Chromium for Lighthouse
+        run: |
+          npm install -g playwright
+          npx playwright install --with-deps chromium
+      - name: Start preview server
+        run: |
+          npm run preview &
+          npx wait-on http://localhost:4173/ --timeout 30000
+      - name: Run Lighthouse CI
+        run: |
+          CHROME_PATH=$(find /home/runner/.cache/ms-playwright -name chrome -type f 2>/dev/null | head -1)
+          npm install -g @lhci/cli
+          LHCI_CHROME_PATH="$CHROME_PATH" lhci autorun
+
  build-and-push:
    runs-on: runners-cartsnitch
    needs: [lint, test]
@@ -0,0 +1,53 @@
+"""Change users.id and FK columns from uuid to text.
+
+Better-Auth generates nanoid-style text IDs (e.g. pGud2ln2WAFHC0KYjBVKR4Rc7mM8OcTI),
+but the users table was using PostgreSQL uuid type, causing INSERT failures.
+
+Revision ID: 003_fix_user_id_text
+Revises: 002_better_auth_tables
+Create Date: 2026-03-31
+"""
+
+import sqlalchemy as sa
+from sqlalchemy import text
+
+from alembic import op
+
+revision = "003_fix_user_id_text"
+down_revision = "002_better_auth_tables"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    # Step 1: Drop FK constraints that reference users.id
+    op.execute(text("ALTER TABLE user_store_accounts DROP CONSTRAINT IF EXISTS user_store_accounts_user_id_fkey"))
+    op.execute(text("ALTER TABLE purchases DROP CONSTRAINT IF EXISTS purchases_user_id_fkey"))
+
+    # Step 2: Alter users.id from uuid to text
+    op.alter_column("users", "id", existing_type=sa.UUID(), type_=sa.Text(), existing_nullable=False, postgresql_using="id::text")
+
+    # Step 3: Alter user_store_accounts.user_id from uuid to text
+    op.alter_column("user_store_accounts", "user_id", existing_type=sa.UUID(), type_=sa.Text(), existing_nullable=False, postgresql_using="user_id::text")
+
+    # Step 4: Alter purchases.user_id from uuid to text
+    op.alter_column("purchases", "user_id", existing_type=sa.UUID(), type_=sa.Text(), existing_nullable=False, postgresql_using="user_id::text")
+
+    # Step 5: Re-add FK constraints
+    op.execute(text("ALTER TABLE user_store_accounts ADD CONSTRAINT user_store_accounts_user_id_fkey FOREIGN KEY (user_id) REFERENCES users(id)"))
+    op.execute(text("ALTER TABLE purchases ADD CONSTRAINT purchases_user_id_fkey FOREIGN KEY (user_id) REFERENCES users(id)"))
+
+
+def downgrade() -> None:
+    # Drop FK constraints
+    op.execute(text("ALTER TABLE purchases DROP CONSTRAINT IF EXISTS purchases_user_id_fkey"))
+    op.execute(text("ALTER TABLE user_store_accounts DROP CONSTRAINT IF EXISTS user_store_accounts_user_id_fkey"))
+
+    # Alter back to UUID
+    op.alter_column("purchases", "user_id", existing_type=sa.Text(), type_=sa.UUID(), existing_nullable=False, postgresql_using="user_id::uuid")
+    op.alter_column("user_store_accounts", "user_id", existing_type=sa.Text(), type_=sa.UUID(), existing_nullable=False, postgresql_using="user_id::uuid")
+    op.alter_column("users", "id", existing_type=sa.Text(), type_=sa.UUID(), existing_nullable=False, postgresql_using="id::uuid")
+
+    # Re-add FK constraints
+    op.execute(text("ALTER TABLE user_store_accounts ADD CONSTRAINT user_store_accounts_user_id_fkey FOREIGN KEY (user_id) REFERENCES users(id)"))
+    op.execute(text("ALTER TABLE purchases ADD CONSTRAINT purchases_user_id_fkey FOREIGN KEY (user_id) REFERENCES users(id)"))
@@ -36,6 +36,15 @@ export const auth = betterAuth({
  },

  session: {
+    modelName: "sessions",
+    fields: {
+      userId: "user_id",
+      expiresAt: "expires_at",
+      ipAddress: "ip_address",
+      userAgent: "user_agent",
+      createdAt: "created_at",
+      updatedAt: "updated_at",
+    },
    expiresIn: 60 * 60 * 24 * 7, // 7 days
    updateAge: 60 * 60 * 24, // refresh after 1 day
    cookieCache: {
@@ -0,0 +1,61 @@
+"""Change users.id and user_id FKs from uuid to text.
+
+Revision ID: 003_fix_user_id_text
+Revises:
+Create Date: 2026-03-31
+"""
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+
+revision: str = "003_fix_user_id_text"
+down_revision: Union[str, None] = None
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # Drop FK constraints first
+    op.execute("ALTER TABLE user_store_accounts DROP CONSTRAINT IF EXISTS user_store_accounts_user_id_fkey")
+    op.execute("ALTER TABLE purchases DROP CONSTRAINT IF EXISTS purchases_user_id_fkey")
+
+    # Alter users.id from uuid to text
+    op.execute("ALTER TABLE users ALTER COLUMN id TYPE text USING id::text")
+
+    # Alter user_id columns from uuid to text
+    op.execute("ALTER TABLE user_store_accounts ALTER COLUMN user_id TYPE text USING user_id::text")
+    op.execute("ALTER TABLE purchases ALTER COLUMN user_id TYPE text USING user_id::text")
+
+    # Re-add FK constraints
+    op.execute(
+        "ALTER TABLE user_store_accounts ADD CONSTRAINT user_store_accounts_user_id_fkey "
+        "FOREIGN KEY (user_id) REFERENCES users(id)"
+    )
+    op.execute(
+        "ALTER TABLE purchases ADD CONSTRAINT purchases_user_id_fkey "
+        "FOREIGN KEY (user_id) REFERENCES users(id)"
+    )
+
+
+def downgrade() -> None:
+    # Drop FK constraints
+    op.execute("ALTER TABLE user_store_accounts DROP CONSTRAINT IF EXISTS user_store_accounts_user_id_fkey")
+    op.execute("ALTER TABLE purchases DROP CONSTRAINT IF EXISTS purchases_user_id_fkey")
+
+    # Alter back to uuid
+    op.execute("ALTER TABLE users ALTER COLUMN id TYPE uuid USING id::uuid")
+    op.execute("ALTER TABLE user_store_accounts ALTER COLUMN user_id TYPE uuid USING user_id::uuid")
+    op.execute("ALTER TABLE purchases ALTER COLUMN user_id TYPE uuid USING user_id::uuid")
+
+    # Re-add FK constraints
+    op.execute(
+        "ALTER TABLE user_store_accounts ADD CONSTRAINT user_store_accounts_user_id_fkey "
+        "FOREIGN KEY (user_id) REFERENCES users(id)"
+    )
+    op.execute(
+        "ALTER TABLE purchases ADD CONSTRAINT purchases_user_id_fkey "
+        "FOREIGN KEY (user_id) REFERENCES users(id)"
+    )
@@ -32,7 +32,7 @@ class Purchase(UUIDPrimaryKeyMixin, TimestampMixin, Base):

    __tablename__ = "purchases"

-    user_id: Mapped[uuid.UUID] = mapped_column(ForeignKey("users.id"), nullable=False)
+    user_id: Mapped[str] = mapped_column(ForeignKey("users.id"), nullable=False)
    store_id: Mapped[uuid.UUID] = mapped_column(ForeignKey("stores.id"), nullable=False)
    store_location_id: Mapped[uuid.UUID | None] = mapped_column(ForeignKey("store_locations.id"))
    receipt_id: Mapped[str] = mapped_column(String(200), nullable=False)
@@ -15,11 +15,12 @@ if TYPE_CHECKING:
    from cartsnitch_common.models.store import Store


-class User(UUIDPrimaryKeyMixin, TimestampMixin, Base):
+class User(TimestampMixin, Base):
    """Application user."""

    __tablename__ = "users"

+    id: Mapped[str] = mapped_column(Text, primary_key=True)
    email: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
    hashed_password: Mapped[str] = mapped_column(String(255), nullable=False)
    display_name: Mapped[str | None] = mapped_column(String(100))
@@ -37,7 +38,7 @@ class UserStoreAccount(UUIDPrimaryKeyMixin, TimestampMixin, Base):
    __tablename__ = "user_store_accounts"
    __table_args__ = (UniqueConstraint("user_id", "store_id", name="uq_user_store_account"),)

-    user_id: Mapped[uuid.UUID] = mapped_column(ForeignKey("users.id"), nullable=False)
+    user_id: Mapped[str] = mapped_column(ForeignKey("users.id"), nullable=False)
    store_id: Mapped[uuid.UUID] = mapped_column(ForeignKey("stores.id"), nullable=False)
    # WARNING: Contains retailer session cookies/tokens. Encryption-at-rest
    # required before production deployment (e.g., pgcrypto or app-level encryption).
@@ -40,7 +40,7 @@ class PurchaseItemRead(BaseModel):


 class PurchaseCreate(BaseModel):
-    user_id: uuid.UUID
+    user_id: str
    store_id: uuid.UUID
    store_location_id: uuid.UUID | None = None
    receipt_id: str
@@ -58,7 +58,7 @@ class PurchaseRead(BaseModel):
    model_config = {"from_attributes": True}

    id: uuid.UUID
-    user_id: uuid.UUID
+    user_id: str
    store_id: uuid.UUID
    store_location_id: uuid.UUID | None
    receipt_id: str
@@ -17,7 +17,7 @@ class UserCreate(BaseModel):
 class UserRead(BaseModel):
    model_config = {"from_attributes": True}

-    id: uuid.UUID
+    id: str
    email: str
    display_name: str | None
    created_at: datetime
@@ -25,7 +25,7 @@ class UserRead(BaseModel):


 class UserStoreAccountCreate(BaseModel):
-    user_id: uuid.UUID
+    user_id: str
    store_id: uuid.UUID
    session_data: dict | None = None
    status: AccountStatus = AccountStatus.ACTIVE
@@ -35,7 +35,7 @@ class UserStoreAccountRead(BaseModel):
    model_config = {"from_attributes": True}

    id: uuid.UUID
-    user_id: uuid.UUID
+    user_id: str
    store_id: uuid.UUID
    status: AccountStatus
    session_expires_at: datetime | None
@@ -0,0 +1,25 @@
+{
+  "ci": {
+    "collect": {
+      "staticDistDir": "./dist",
+      "url": ["http://localhost:4173/"],
+      "numberOfRuns": 1
+    },
+    "assert": {
+      "preset": "lighthouse:no-pwa",
+      "assertions": {
+        "categories:performance": ["warn", { "minScore": 0.5 }],
+        "categories:accessibility": ["error", { "minScore": 0.7 }],
+        "categories:best-practices": ["warn", { "minScore": 0.8 }],
+        "categories:seo": ["warn", { "minScore": 0.7 }],
+        "errors-in-console": ["warn"],
+        "network-dependency-tree-insight": ["warn"],
+        "robots-txt": ["warn"],
+        "unused-javascript": ["warn"]
+      }
+    },
+    "upload": {
+      "target": "temporary-public-storage"
+    }
+  }
+}
@@ -0,0 +1,4 @@
+User-agent: *
+Allow: /
+
+Sitemap: https://cartsnitch.com/sitemap.xml
@@ -1,7 +1,7 @@
 import { createAuthClient } from "better-auth/react"

 export const authClient = createAuthClient({
-  baseURL: import.meta.env.VITE_AUTH_URL ?? "http://localhost:3001",
+  baseURL: import.meta.env.VITE_AUTH_URL || "",
  basePath: "/auth",
 })
Author	SHA1	Message	Date
Stockboy Steve	a2b0e7cbd3	fix(auth): revert store_id to uuid.UUID in user schemas CTO review feedback: store_id must remain uuid.UUID since Store model still uses UUIDPrimaryKeyMixin. Only user_id changes to str. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 17:44:20 +00:00
Stockboy Steve	6d7d54729c	fix(auth): add alembic migration to change users.id and user_id FKs from uuid to text	2026-03-31 17:32:00 +00:00
Stockboy Steve	895ad77850	fix(auth): change users.id and user_id FKs from uuid to text Better-Auth generates nanoid-style text IDs (e.g. pGud2ln2WAFHC0KYjBVKR4Rc7mM8OcTI), but the users table was using PostgreSQL uuid type, causing INSERT failures on registration. This changes User.id, UserStoreAccount.user_id, and Purchase.user_id from uuid to text, with a corresponding Alembic migration. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 17:15:31 +00:00
cartsnitch-ci[bot]	5f1570e6d2	fix(auth): re-add session table model mapping Better-Auth defaults to singular "session" table with camelCase columns, but our DB uses plural "sessions" with snake_case columns (migration 002). Add modelName and field mappings to match the existing pattern for user, account, and verification models. Fixes: 401 on login and 422 on registration. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 15:23:45 +00:00
cartsnitch-ci[bot]	96c0f89a03	chore: trigger CI after rebase Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 04:47:17 +00:00
Barcode Betty	0f8aa2fe47	fix(ci): address CTO review feedback on PR #64 - Fix refs_heads_main typo → refs/heads/main in build-and-push-auth metadata - Fix ci(ev) typo → ci(dev) in deploy-dev commit message - Add preview server step before lhci autorun in lighthouse job Addresses: CAR-199 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 04:43:45 +00:00
Barcode Betty	6903c7dde3	fix(lighthouse): use warn for preset audit assertions + add robots.txt Per CTO guidance, override preset per-audit assertions to warn: - errors-in-console: warn (browser dev errors, not prod blockers) - network-dependency-tree-insight: warn (existing perf debt) - robots-txt: warn (existing SEO gap) - unused-javascript: warn (existing perf debt) Add public/robots.txt so the robots-txt audit passes at warn level. These are known gaps to address post-merge, not merge blockers. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 04:43:45 +00:00
Barcode Betty	2946ac8dc5	fix(lighthouse): install Chromium system deps via --with-deps Playwright Chromium binary was missing libnspr4.so and other system libraries. Use `npx playwright install --with-deps chromium` to install Chromium along with all required system dependencies. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 04:43:45 +00:00
Barcode Betty	6717e105f4	fix(lighthouse): set LHCI_CHROME_PATH via runtime discovery - Re-add Playwright Chromium install (LHCI needs a Chrome binary) - Use `find` at runtime to locate Playwright's chrome binary: CHROME_PATH=$(find /home/runner/.cache/ms-playwright -name chrome ...) - Pass to LHCI via LHCI_CHROME_PATH env var so LHCI does not try (and fail) to auto-download Puppeteer's Chromium Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 04:43:45 +00:00
Barcode Betty	01ea36c5aa	fix(lighthouse): use staticDistDir, drop Playwright dependency - lighthouserc.json: replace startServerCommand:npm-run-preview with staticDistDir:./dist so LHCI serves files directly - CI workflow: remove Playwright/Chromium install step and LHCI_CHROME_PATH env var (LHCI bundles its own Puppeteer) - LHCI now uses its built-in static server + bundled Chromium Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 04:43:45 +00:00
Stockboy Steve	0bb4b7d183	fix(lighthouse): set LHCI_CHROME_PATH and lower thresholds per CTO feedback - Set LHCI_CHROME_PATH to Playwright chromium binary path so LHCI healthcheck can find Chrome - Lower thresholds: performance=0.5, accessibility=0.7 (error), seo=0.7 - SEO threshold was missing, now added	2026-03-31 04:43:45 +00:00
Barcode Betty	7b9194a152	fix(ci): install Chromium via playwright instead of missing action browser-actions/chromium@v3 does not exist. Switch to using npm install -g playwright && npx playwright install chromium. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 04:43:45 +00:00
Barcode Betty	ca8cf2a80a	fix(ci): install Chromium before running Lighthouse CI lhci autorun requires Chrome to be present on the runner. This was causing the lighthouse job to fail with "Chrome installation not found". Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 04:43:45 +00:00
cartsnitch-engineer[bot]	5bb0a5817b	feat(ci): add Lighthouse CI performance checks	2026-03-31 04:43:45 +00:00
cartsnitch-engineer[bot]	2444219f75	feat(ci): add Lighthouse CI configuration	2026-03-31 04:43:45 +00:00
Barcode Betty	c707caea41	fix: use same-origin default for auth URL instead of localhost Avoids ERR_CONNECTION_REFUSED in deployed environments where VITE_AUTH_URL is not set at build time. Empty-string fallback routes auth requests to same origin, which the HTTPRoute forwards to the auth service. cc @cpfarhood Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 04:43:45 +00:00