fix(api): replace UUID type with str for Better-Auth nanoid user IDs (#98)

Better-Auth uses nanoid strings for user IDs, not UUIDs. Changed all
user_id parameter/return types in the API layer from UUID to str,
removed the obsolete UUID import where unused, and updated the
_validate_session_token return type accordingly.

Co-authored-by: CartSnitch Engineer Bot <cartnoreply@cartsnitch.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>

.github/workflows/ci.yml

@@ -95,7 +95,7 @@ jobs:
         run: |
           CHROME_PATH=$(find /home/runner/.cache/ms-playwright -name chrome -type f 2>/dev/null | head -1)
           npm install -g @lhci/cli
-          LHCI_CHROME_PATH="$CHROME_PATH" lhci autorun
+          CHROME_PATH="$CHROME_PATH" lhci autorun --chrome-flags="--headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage"
 
   build-and-push:
     runs-on: runners-cartsnitch

api/src/cartsnitch_api/auth/dependencies.py

@@ -5,7 +5,6 @@ Sessions are verified by querying the shared sessions table directly.
 """
 
 from datetime import UTC, datetime
-from uuid import UUID
 
 from fastapi import Cookie, Depends, Header, HTTPException, Request, status
 from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
@@ -19,18 +18,27 @@ from cartsnitch_api.database import get_db
 # but we support Bearer tokens for service-to-service or mobile clients.
 bearer_scheme = HTTPBearer(auto_error=False)
 
-# Better-Auth session cookie name
+# Better-Auth session cookie names.
-SESSION_COOKIE_NAME = "better-auth.session_token"
+# Over HTTPS Better-Auth adds the __Secure- prefix automatically.
+SESSION_COOKIE_NAMES = [
+    "__Secure-better-auth.session_token",  # HTTPS (deployed)
+    "better-auth.session_token",            # HTTP (local dev)
+]
 
 
-async def _validate_session_token(token: str, db: AsyncSession) -> UUID:
+async def _validate_session_token(token: str, db: AsyncSession) -> str:
     """Validate a Better-Auth session token against the sessions table.
 
-    Returns the user_id (as UUID) if the session is valid and not expired.
+    Returns the user_id (as str) if the session is valid and not expired.
+    Better-Auth v1.5.6 stores raw tokens in the DB. The session cookie
+    is signed: ``rawToken.base64HMACSignature``. Strip the signature
+    before querying.
     """
+    # Signed cookie format: rawToken.hmacSignature — split and use only the token part
+    raw_token = token.split(".")[0] if "." in token else token
     result = await db.execute(
         text("SELECT user_id, expires_at FROM sessions WHERE token = :token"),
-        {"token": token},
+        {"token": raw_token},
     )
     row = result.first()
 
@@ -51,14 +59,14 @@ async def _validate_session_token(token: str, db: AsyncSession) -> UUID:
             detail="Session expired",
         )
 
-    return UUID(str(user_id))
+    return str(user_id)
 
 
 async def get_current_user(
     request: Request,
     credentials: HTTPAuthorizationCredentials | None = Depends(bearer_scheme),
     db: AsyncSession = Depends(get_db),
-) -> UUID:
+) -> str:
     """Extract and validate the session token from cookie or Authorization header.
 
     Checks in order:
@@ -67,8 +75,12 @@ async def get_current_user(
     """
     token: str | None = None
 
-    # 1. Check session cookie
+    # 1. Check session cookie (try both names for HTTP/HTTPS compatibility)
-    cookie_token = request.cookies.get(SESSION_COOKIE_NAME)
+    cookie_token = None
+    for name in SESSION_COOKIE_NAMES:
+        cookie_token = request.cookies.get(name)
+        if cookie_token:
+            break
     if cookie_token:
         token = cookie_token
 

api/src/cartsnitch_api/auth/jwt.py

@@ -2,22 +2,21 @@
 
 from datetime import UTC, datetime, timedelta
 from typing import Any, cast
-from uuid import UUID
 
 from jose import JWTError, jwt
 
 from cartsnitch_api.config import settings
 
 
-def create_access_token(user_id: UUID) -> str:
+def create_access_token(user_id: str) -> str:
     expire = datetime.now(UTC) + timedelta(minutes=settings.jwt_access_token_expire_minutes)
-    payload = {"sub": str(user_id), "exp": expire, "type": "access"}
+    payload = {"sub": user_id, "exp": expire, "type": "access"}
     return cast(str, jwt.encode(payload, settings.jwt_secret_key, algorithm=settings.jwt_algorithm))
 
 
-def create_refresh_token(user_id: UUID) -> str:
+def create_refresh_token(user_id: str) -> str:
     expire = datetime.now(UTC) + timedelta(days=settings.jwt_refresh_token_expire_days)
-    payload = {"sub": str(user_id), "exp": expire, "type": "refresh"}
+    payload = {"sub": user_id, "exp": expire, "type": "refresh"}
     return cast(str, jwt.encode(payload, settings.jwt_secret_key, algorithm=settings.jwt_algorithm))
 
 

api/src/cartsnitch_api/auth/routes.py

@@ -5,8 +5,6 @@ the Better-Auth service (auth/). This router provides user profile
 endpoints that query our own user data from the shared database.
 """
 
-from uuid import UUID
-
 from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy.ext.asyncio import AsyncSession
 
@@ -23,7 +21,7 @@ router = APIRouter(prefix="/auth", tags=["auth"])
 
 @router.get("/me", response_model=UserResponse)
 async def get_me(
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = AuthService(db)
@@ -38,7 +36,7 @@ async def get_me(
 @router.patch("/me", response_model=UserResponse)
 async def update_me(
     body: UpdateUserRequest,
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = AuthService(db)
@@ -54,7 +52,7 @@ async def update_me(
 
 @router.delete("/me", status_code=status.HTTP_204_NO_CONTENT)
 async def delete_me(
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = AuthService(db)

api/src/cartsnitch_api/main.py

@@ -2,7 +2,7 @@
 
 from contextlib import asynccontextmanager
 
-from fastapi import FastAPI
+from fastapi import APIRouter, FastAPI
 
 from cartsnitch_api.auth.routes import router as auth_router
 from cartsnitch_api.middleware.cors import add_cors_middleware
@@ -46,15 +46,19 @@ def create_app() -> FastAPI:
     # Routers
     app.include_router(health_router)
     app.include_router(auth_router)
-    app.include_router(stores_router)
+
-    app.include_router(purchases_router)
+    # Data endpoints mounted under /api/v1
-    app.include_router(products_router)
+    v1_router = APIRouter(prefix="/api/v1")
-    app.include_router(prices_router)
+    v1_router.include_router(stores_router)
-    app.include_router(coupons_router)
+    v1_router.include_router(purchases_router)
-    app.include_router(shopping_router)
+    v1_router.include_router(products_router)
-    app.include_router(alerts_router)
+    v1_router.include_router(prices_router)
-    app.include_router(scraping_router)
+    v1_router.include_router(coupons_router)
-    app.include_router(public_router)
+    v1_router.include_router(shopping_router)
+    v1_router.include_router(alerts_router)
+    v1_router.include_router(scraping_router)
+    v1_router.include_router(public_router)
+    app.include_router(v1_router)
 
     return app
 

api/src/cartsnitch_api/routes/alerts.py

@@ -1,7 +1,5 @@
 """Alert routes: list alerts, manage settings."""
 
-from uuid import UUID
-
 from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy.ext.asyncio import AsyncSession
 
@@ -15,7 +13,7 @@ router = APIRouter(prefix="/alerts", tags=["alerts"])
 
 @router.get("", response_model=list[AlertResponse])
 async def list_alerts(
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = AlertService(db)
@@ -24,7 +22,7 @@ async def list_alerts(
 
 @router.get("/settings", response_model=AlertSettingsResponse)
 async def get_alert_settings(
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = AlertService(db)
@@ -34,7 +32,7 @@ async def get_alert_settings(
 @router.put("/settings")
 async def update_alert_settings(
     body: AlertSettingsRequest,
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     raise HTTPException(

api/src/cartsnitch_api/routes/coupons.py

@@ -16,7 +16,7 @@ router = APIRouter(prefix="/coupons", tags=["coupons"])
 @router.get("", response_model=list[CouponResponse])
 async def list_coupons(
     store_id: UUID | None = Query(None),
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = CouponService(db)
@@ -25,7 +25,7 @@ async def list_coupons(
 
 @router.get("/relevant", response_model=list[CouponResponse])
 async def relevant_coupons(
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = CouponService(db)

api/src/cartsnitch_api/routes/prices.py

@@ -20,7 +20,7 @@ router = APIRouter(prefix="/prices", tags=["prices"])
 
 @router.get("/trends", response_model=list[PriceTrendResponse])
 async def price_trends(
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     category: str | None = Query(None),
     db: AsyncSession = Depends(get_db),
 ):
@@ -30,7 +30,7 @@ async def price_trends(
 
 @router.get("/increases", response_model=list[PriceIncreaseResponse])
 async def price_increases(
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = PriceService(db)
@@ -40,7 +40,7 @@ async def price_increases(
 @router.get("/comparison", response_model=list[PriceComparisonResponse])
 async def price_comparison(
     product_ids: Annotated[list[UUID], Query()],
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = PriceService(db)

api/src/cartsnitch_api/routes/products.py

@@ -15,7 +15,7 @@ router = APIRouter(prefix="/products", tags=["products"])
 
 @router.get("", response_model=list[ProductResponse])
 async def list_products(
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     q: str | None = Query(None),
     category: str | None = Query(None),
     page: int = Query(1, ge=1),
@@ -29,7 +29,7 @@ async def list_products(
 @router.get("/{product_id}", response_model=ProductDetailResponse)
 async def get_product(
     product_id: UUID,
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = ProductService(db)
@@ -44,7 +44,7 @@ async def get_product(
 @router.get("/{product_id}/prices", response_model=PriceTrendResponse)
 async def get_product_prices(
     product_id: UUID,
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = ProductService(db)

api/src/cartsnitch_api/routes/purchases.py

@@ -15,7 +15,7 @@ router = APIRouter(prefix="/purchases", tags=["purchases"])
 
 @router.get("", response_model=list[PurchaseResponse])
 async def list_purchases(
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     store_id: UUID | None = Query(None),
     page: int = Query(1, ge=1),
     page_size: int = Query(20, ge=1, le=100),
@@ -27,7 +27,7 @@ async def list_purchases(
 
 @router.get("/stats", response_model=PurchaseStatsResponse)
 async def purchase_stats(
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = PurchaseService(db)
@@ -37,7 +37,7 @@ async def purchase_stats(
 @router.get("/{purchase_id}", response_model=PurchaseDetailResponse)
 async def get_purchase(
     purchase_id: UUID,
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = PurchaseService(db)

api/src/cartsnitch_api/routes/scraping.py

@@ -1,7 +1,5 @@
 """Scraping routes: trigger sync, check status (proxy to ReceiptWitness)."""
 
-from uuid import UUID
-
 from fastapi import APIRouter, Depends, HTTPException, status
 from httpx import HTTPStatusError, RequestError
 
@@ -13,7 +11,7 @@ router = APIRouter(prefix="/scraping", tags=["scraping"])
 
 
 @router.post("/{store_slug}/sync", response_model=SyncTriggerResponse)
-async def trigger_sync(store_slug: str, user_id: UUID = Depends(get_current_user)):
+async def trigger_sync(store_slug: str, user_id: str = Depends(get_current_user)):
     client = ReceiptWitnessClient()
     try:
         result = await client.trigger_sync(str(user_id), store_slug)
@@ -31,7 +29,7 @@ async def trigger_sync(store_slug: str, user_id: UUID = Depends(get_current_user
 
 
 @router.get("/status", response_model=list[SyncStatusResponse])
-async def sync_status(user_id: UUID = Depends(get_current_user)):
+async def sync_status(user_id: str = Depends(get_current_user)):
     client = ReceiptWitnessClient()
     try:
         return await client.get_sync_status(str(user_id))

api/src/cartsnitch_api/routes/shopping.py

@@ -1,7 +1,5 @@
 """Shopping routes: optimize list, saved lists."""
 
-from uuid import UUID
-
 from fastapi import APIRouter, Depends, HTTPException, status
 from httpx import HTTPStatusError, RequestError
 
@@ -13,7 +11,7 @@ router = APIRouter(prefix="/shopping", tags=["shopping"])
 
 
 @router.post("/optimize", response_model=OptimizeResponse)
-async def optimize_shopping(body: OptimizeRequest, user_id: UUID = Depends(get_current_user)):
+async def optimize_shopping(body: OptimizeRequest, user_id: str = Depends(get_current_user)):
     client = ClipArtistClient()
     try:
         result = await client.optimize(
@@ -37,7 +35,7 @@ async def optimize_shopping(body: OptimizeRequest, user_id: UUID = Depends(get_c
 
 
 @router.get("/lists", response_model=list[ShoppingListResponse])
-async def list_shopping_lists(user_id: UUID = Depends(get_current_user)):
+async def list_shopping_lists(user_id: str = Depends(get_current_user)):
     client = ClipArtistClient()
     try:
         return await client.get_shopping_lists(str(user_id))

api/src/cartsnitch_api/routes/stores.py

@@ -1,7 +1,5 @@
 """Store routes: list stores, manage user store connections."""
 
-from uuid import UUID
-
 from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy.ext.asyncio import AsyncSession
 
@@ -21,7 +19,7 @@ async def list_stores(db: AsyncSession = Depends(get_db)):
 
 @router.get("/me/stores", response_model=list[StoreAccountResponse])
 async def list_user_stores(
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = StoreService(db)
@@ -36,7 +34,7 @@ async def list_user_stores(
 async def connect_store(
     store_slug: str,
     body: ConnectStoreRequest,
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = StoreService(db)
@@ -51,7 +49,7 @@ async def connect_store(
 @router.delete("/me/stores/{store_slug}", status_code=status.HTTP_204_NO_CONTENT)
 async def disconnect_store(
     store_slug: str,
-    user_id: UUID = Depends(get_current_user),
+    user_id: str = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = StoreService(db)

api/src/cartsnitch_api/services/alerts.py

@@ -4,8 +4,6 @@ Alerts are generated by StickerShock and ShrinkRay services and written to the D
 This service reads them for the API gateway.
 """
 
-from uuid import UUID
-
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import selectinload
@@ -15,7 +13,7 @@ class AlertService:
     def __init__(self, db: AsyncSession) -> None:
         self.db = db
 
-    async def list_alerts(self, user_id: UUID) -> list[dict]:
+    async def list_alerts(self, user_id: str) -> list[dict]:
         """List shrinkflation events for products the user has purchased."""
         from cartsnitch_api.models import Purchase, PurchaseItem, ShrinkflationEvent
 
@@ -57,7 +55,7 @@ class AlertService:
             for e in events
         ]
 
-    async def get_settings(self, user_id: UUID) -> dict:
+    async def get_settings(self, user_id: str) -> dict:
         # Alert settings would be stored in a user_settings table.
         # For now, return defaults since the table doesn't exist yet in common lib.
         return {
@@ -66,7 +64,7 @@ class AlertService:
             "email_notifications": False,
         }
 
-    async def update_settings(self, user_id: UUID, **fields) -> dict:
+    async def update_settings(self, user_id: str, **fields) -> dict:
         # Would update user_settings table. Return merged defaults for now.
         current = await self.get_settings(user_id)
         for k, v in fields.items():

api/src/cartsnitch_api/services/auth.py

@@ -5,8 +5,6 @@ handled by the Better-Auth service (auth/). This service provides
 user lookup and profile update operations for the API gateway.
 """
 
-from uuid import UUID
-
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 
@@ -15,7 +13,7 @@ class AuthService:
     def __init__(self, db: AsyncSession) -> None:
         self.db = db
 
-    async def get_user(self, user_id: UUID) -> dict:
+    async def get_user(self, user_id: str) -> dict:
         from cartsnitch_api.models import User
 
         result = await self.db.execute(select(User).where(User.id == user_id))
@@ -30,7 +28,7 @@ class AuthService:
             "created_at": user.created_at,
         }
 
-    async def update_user(self, user_id: UUID, **fields) -> dict:
+    async def update_user(self, user_id: str, **fields) -> dict:
         from cartsnitch_api.models import User
 
         result = await self.db.execute(select(User).where(User.id == user_id))
@@ -58,7 +56,7 @@ class AuthService:
             "created_at": user.created_at,
         }
 
-    async def delete_user(self, user_id: UUID) -> None:
+    async def delete_user(self, user_id: str) -> None:
         from cartsnitch_api.models import User
 
         result = await self.db.execute(select(User).where(User.id == user_id))

api/src/cartsnitch_api/services/coupons.py

@@ -29,7 +29,7 @@ class CouponService:
         coupons = result.scalars().all()
         return [self._to_dict(c) for c in coupons]
 
-    async def relevant_coupons(self, user_id: UUID) -> list[dict]:
+    async def relevant_coupons(self, user_id: str) -> list[dict]:
         """Coupons for products the user has purchased."""
         from cartsnitch_api.models import Coupon, PurchaseItem
 

api/src/cartsnitch_api/services/purchases.py

@@ -13,7 +13,7 @@ class PurchaseService:
 
     async def list_purchases(
         self,
-        user_id: UUID,
+        user_id: str,
         store_id: UUID | None = None,
         page: int = 1,
         page_size: int = 20,
@@ -56,7 +56,7 @@ class PurchaseService:
             for p, item_count, store_name in result.all()
         ]
 
-    async def get_purchase(self, purchase_id: UUID, user_id: UUID) -> dict:
+    async def get_purchase(self, purchase_id: UUID, user_id: str) -> dict:
         from cartsnitch_api.models import Purchase
 
         result = await self.db.execute(
@@ -88,7 +88,7 @@ class PurchaseService:
             ],
         }
 
-    async def get_stats(self, user_id: UUID) -> dict:
+    async def get_stats(self, user_id: str) -> dict:
         from cartsnitch_api.models import Purchase
 
         result = await self.db.execute(

api/src/cartsnitch_api/services/stores.py

@@ -1,7 +1,6 @@
 """Store service — list stores, manage user store account connections."""
 
 import json
-from uuid import UUID
 
 from cryptography.fernet import Fernet
 from sqlalchemy import select
@@ -35,7 +34,7 @@ class StoreService:
             for s in stores
         ]
 
-    async def list_user_stores(self, user_id: UUID) -> list[dict]:
+    async def list_user_stores(self, user_id: str) -> list[dict]:
         from cartsnitch_api.models import UserStoreAccount
 
         result = await self.db.execute(
@@ -60,7 +59,7 @@ class StoreService:
             for a in accounts
         ]
 
-    async def connect_store(self, user_id: UUID, store_slug: str, credentials: dict | None) -> dict:
+    async def connect_store(self, user_id: str, store_slug: str, credentials: dict | None) -> dict:
         from cartsnitch_api.models import Store, UserStoreAccount
 
         result = await self.db.execute(select(Store).where(Store.slug == store_slug))
@@ -107,7 +106,7 @@ class StoreService:
             "sync_status": "active",
         }
 
-    async def disconnect_store(self, user_id: UUID, store_slug: str) -> None:
+    async def disconnect_store(self, user_id: str, store_slug: str) -> None:
         from cartsnitch_api.models import Store, UserStoreAccount
 
         result = await self.db.execute(select(Store).where(Store.slug == store_slug))

lighthouserc.json

@@ -3,7 +3,12 @@
     "collect": {
       "staticDistDir": "./dist",
       "url": ["http://localhost:4173/"],
-      "numberOfRuns": 1
+      "numberOfRuns": 1,
+      "settings": {
+        "chromeFlags": ["--headless=new", "--no-sandbox", "--disable-gpu", "--disable-dev-shm-usage"],
+        "skipAudits": ["bf-cache"],
+        "disableFullPageScreenshot": true
+      }
     },
     "assert": {
       "assertions": {
@@ -16,4 +21,4 @@
       "target": "temporary-public-storage"
     }
   }
-}
+}

src/hooks/useApi.ts

@@ -35,7 +35,7 @@ export function useProduct(id: string) {
 export function usePriceHistory(productId: string) {
   return useQuery({
     queryKey: ['priceHistory', productId],
-    queryFn: () => api.get<PriceHistory[]>(`/products/${productId}/price-history`),
+    queryFn: () => api.get<PriceHistory[]>(`/products/${productId}/prices`),
     enabled: !!productId,
   })
 }
@@ -50,6 +50,6 @@ export function useCoupons() {
 export function usePriceAlerts() {
   return useQuery({
     queryKey: ['priceAlerts'],
-    queryFn: () => api.get<PriceAlert[]>('/price-alerts'),
+    queryFn: () => api.get<PriceAlert[]>('/alerts'),
   })
 }

src/lib/api.ts

@@ -15,7 +15,7 @@ const mockRoutes: Record<string, (path: string) => unknown> = {
   '/purchases': () => mockPurchases,
   '/products': () => mockProducts,
   '/coupons': () => mockCoupons,
-  '/price-alerts': () => mockAlerts,
+  '/alerts': () => mockAlerts,
 }
 
 function matchMockRoute<T>(path: string): T | null {
@@ -30,7 +30,7 @@ function matchMockRoute<T>(path: string): T | null {
   }
 
   // /products/:id/price-history
-  const priceHistoryMatch = path.match(/^\/products\/(.+)\/price-history$/)
+  const priceHistoryMatch = path.match(/^\/products\/(.+)\/prices$/)
   if (priceHistoryMatch) {
     return getMockPriceHistory(priceHistoryMatch[1]) as T
   }

src/pages/Login.tsx

@@ -31,8 +31,14 @@ export function Login() {
         throw new Error(authError.message ?? 'Sign in failed')
       }
 
-      setAuthenticated(true)
+      // After successful signIn, force a session fetch to confirm the cookie is set
-      navigate('/')
+      // before navigating to the protected route
+      const sessionResult = await authClient.getSession()
+      if (sessionResult.data) {
+        navigate('/')
+      } else {
+        setError('Sign in failed. Please try again.')
+      }
     } catch {
       if (import.meta.env.VITE_MOCK_AUTH === 'true') {
         setAuthenticated(true)

src/pages/Register.tsx

@@ -38,8 +38,15 @@ export function Register() {
         throw new Error(authError.message ?? 'Registration failed')
       }
 
-      setAuthenticated(true)
+      // After successful signUp, force a session fetch to confirm the cookie is set
-      navigate('/')
+      // before navigating to the protected route
+      const sessionResult = await authClient.getSession()
+      if (sessionResult.data) {
+        navigate('/')
+      } else {
+        // Session not established — show success message and link to login
+        setError('Account created! Please sign in.')
+      }
     } catch {
       if (import.meta.env.VITE_MOCK_AUTH === 'true') {
         setAuthenticated(true)

src/test/mocks/handlers.ts

@@ -61,5 +61,5 @@ export const handlers = [
   http.get('/api/v1/products', () => HttpResponse.json(mockProducts)),
   http.get('/api/v1/products/prod_1', () => HttpResponse.json(mockProducts[0])),
   http.get('/api/v1/coupons', () => HttpResponse.json(mockCoupons)),
-  http.get('/api/v1/price-alerts', () => HttpResponse.json(mockAlerts)),
+  http.get('/api/v1/alerts', () => HttpResponse.json(mockAlerts)),
 ]