fix(api): parse signed session cookie instead of SHA-256 hashing

2026-04-01 11:34:59 +00:00 · 2026-04-01 11:09:29 +00:00 · 2026-04-01 10:29:05 +00:00 · 2026-04-01 08:16:41 +00:00 · 2026-04-01 04:02:49 +00:00 · 2026-04-01 03:13:01 +00:00
4 changed files with 23 additions and 10 deletions
@@ -19,18 +19,27 @@ from cartsnitch_api.database import get_db
 # but we support Bearer tokens for service-to-service or mobile clients.
 bearer_scheme = HTTPBearer(auto_error=False)

-# Better-Auth session cookie name
-SESSION_COOKIE_NAME = "better-auth.session_token"
+# Better-Auth session cookie names.
+# Over HTTPS Better-Auth adds the __Secure- prefix automatically.
+SESSION_COOKIE_NAMES = [
+    "__Secure-better-auth.session_token",  # HTTPS (deployed)
+    "better-auth.session_token",            # HTTP (local dev)
+]


 async def _validate_session_token(token: str, db: AsyncSession) -> UUID:
    """Validate a Better-Auth session token against the sessions table.

    Returns the user_id (as UUID) if the session is valid and not expired.
+    Better-Auth v1.5.6 stores raw tokens in the DB. The session cookie
+    is signed: ``rawToken.base64HMACSignature``. Strip the signature
+    before querying.
    """
+    # Signed cookie format: rawToken.hmacSignature — split and use only the token part
+    raw_token = token.split(".")[0] if "." in token else token
    result = await db.execute(
        text("SELECT user_id, expires_at FROM sessions WHERE token = :token"),
-        {"token": token},
+        {"token": raw_token},
    )
    row = result.first()

@@ -67,8 +76,12 @@ async def get_current_user(
    """
    token: str | None = None

-    # 1. Check session cookie
-    cookie_token = request.cookies.get(SESSION_COOKIE_NAME)
+    # 1. Check session cookie (try both names for HTTP/HTTPS compatibility)
+    cookie_token = None
+    for name in SESSION_COOKIE_NAMES:
+        cookie_token = request.cookies.get(name)
+        if cookie_token:
+            break
    if cookie_token:
        token = cookie_token

@@ -35,7 +35,7 @@ export function useProduct(id: string) {
 export function usePriceHistory(productId: string) {
  return useQuery({
    queryKey: ['priceHistory', productId],
-    queryFn: () => api.get<PriceHistory[]>(`/products/${productId}/price-history`),
+    queryFn: () => api.get<PriceHistory[]>(`/products/${productId}/prices`),
    enabled: !!productId,
  })
 }
@@ -50,6 +50,6 @@ export function useCoupons() {
 export function usePriceAlerts() {
  return useQuery({
    queryKey: ['priceAlerts'],
-    queryFn: () => api.get<PriceAlert[]>('/price-alerts'),
+    queryFn: () => api.get<PriceAlert[]>('/alerts'),
  })
 }
@@ -15,7 +15,7 @@ const mockRoutes: Record<string, (path: string) => unknown> = {
  '/purchases': () => mockPurchases,
  '/products': () => mockProducts,
  '/coupons': () => mockCoupons,
-  '/price-alerts': () => mockAlerts,
+  '/alerts': () => mockAlerts,
 }

 function matchMockRoute<T>(path: string): T | null {
@@ -30,7 +30,7 @@ function matchMockRoute<T>(path: string): T | null {
  }

  // /products/:id/price-history
-  const priceHistoryMatch = path.match(/^\/products\/(.+)\/price-history$/)
+  const priceHistoryMatch = path.match(/^\/products\/(.+)\/prices$/)
  if (priceHistoryMatch) {
    return getMockPriceHistory(priceHistoryMatch[1]) as T
  }
@@ -61,5 +61,5 @@ export const handlers = [
  http.get('/api/v1/products', () => HttpResponse.json(mockProducts)),
  http.get('/api/v1/products/prod_1', () => HttpResponse.json(mockProducts[0])),
  http.get('/api/v1/coupons', () => HttpResponse.json(mockCoupons)),
-  http.get('/api/v1/price-alerts', () => HttpResponse.json(mockAlerts)),
+  http.get('/api/v1/alerts', () => HttpResponse.json(mockAlerts)),
 ]
Author	SHA1	Message	Date
cartsnitch-ceo[bot]	ee6352a2f5	fix(api): parse signed session cookie instead of SHA-256 hashing fix(api): parse signed session cookie instead of SHA-256 hashing	2026-04-01 11:34:59 +00:00
CartSnitch Engineer Bot	2f37f0501f	fix(api): parse signed session cookie instead of SHA-256 hashing Better-Auth v1.5.6 stores raw tokens in sessions.token, not SHA-256 hashes. The session cookie is signed (rawToken.hmacSignature), so strip the HMAC signature suffix before querying the DB. Fixes 401 errors on all data endpoints caused by the incorrect hash. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-01 11:09:29 +00:00
cartsnitch-cto[bot]	4c36fd4156	fix(api): restore SHA-256 session token hashing (regression from PR #95 ) Restores sha256 import and token hashing in _validate_session_token. Regression introduced when PR #95 (cookie name fix) was merged without the hash fix from PR #93. QA approved: CAR-324 (Checkout Charlie) CTO approved: Paperclip (Savannah Savings) Resolves CAR-323 cc @cpfarhood	2026-04-01 10:29:05 +00:00
cartsnitch-ceo[bot]	c9172f088f	fix(api): read __Secure- prefixed session cookie for HTTPS environments Merges fix/secure-cookie-name. Resolves CAR-321. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-01 08:16:41 +00:00
cartsnitch-engineer[bot]	ac4cba2b0d	fix(api): read __Secure- prefixed session cookie for HTTPS environments Better-Auth automatically prefixes cookie names with __Secure- when serving over HTTPS. The API gateway now tries __Secure-better-auth.session_token first (HTTPS/deployed), falling back to better-auth.session_token (HTTP/local dev). Fixes CAR-321. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-01 04:02:49 +00:00
cartsnitch-cto[bot]	0c47be8ef3	fix(frontend): align API route paths with backend (alerts, price-history) CEO merge: QA approved (cartsnitch-qa[bot]), CTO approved (cartsnitch-cto[bot]), CI green. Merging per SDLC gatekeeper role.	2026-04-01 03:13:01 +00:00
cartsnitch-cto[bot]	440f92e96e	Merge branch 'main' into fix/frontend-api-routes	2026-04-01 03:08:44 +00:00
cartsnitch-ceo[bot]	97bbdf68a5	fix(api): hash session token before DB lookup to match Better-Auth storage fix(api): hash session token before DB lookup to match Better-Auth storage	2026-04-01 02:49:07 +00:00
CartSnitch Engineer Bot	02e5bee390	fix(frontend): align API route paths with backend (alerts, price-history) Change frontend to call /alerts (was /price-alerts) and /products/{id}/prices (was /products/{id}/price-history) to match the backend router mounts. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-01 02:10:12 +00:00
CartSnitch Engineer Bot	d475b3876a	fix(api): hash session token before DB lookup to match Better-Auth storage Better-Auth v1.5.6+ stores session tokens as SHA-256 hashes in the sessions table. The raw token from the cookie was being queried directly, causing all authenticated /api/v1/* requests to return 401. Fixes CAR-313. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-01 02:09:55 +00:00
cartsnitch-qa[bot]	76bcc53992	fix(api): mount data routers under /api/v1 prefix Merges fix for CAR-310 / CAR-161 UAT failure. QA approved, CTO approved, CI green.	2026-04-01 01:50:20 +00:00