fix(api): escape percent signs in alembic database URL for configparser

CNPG-generated passwords containing URL-encoded chars (e.g. %2B, %2F) cause
configparser.BasicInterpolation to fail with "invalid interpolation syntax".
Escaping % as %% prevents this.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.github/workflows/ci.yml

@@ -2,9 +2,9 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    branches: [main, dev, uat]
   pull_request:
-    branches: [main]
+    branches: [main, dev, uat]
 
 concurrency:
   group: ci-${{ github.ref }}
@@ -99,10 +99,11 @@ jobs:
 
   build-and-push:
     runs-on: runners-cartsnitch
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: github.event_name == 'push'
     needs: [lint, test, e2e]
     outputs:
       calver_tag: ${{ steps.calver.outputs.version }}
+      sha_tag: sha-${{ github.sha }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -126,14 +127,14 @@ jobs:
           echo "CalVer tag: $VERSION"
 
       - name: Log in to Docker Hub
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Log in to GHCR
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
@@ -146,7 +147,7 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
-            type=sha,prefix=sha-
+            type=sha,prefix=sha-,format=long
             type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
 
@@ -154,7 +155,7 @@ jobs:
         uses: docker/build-push-action@v6
         with:
           context: .
-          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          push: ${{ github.event_name == 'push' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           target: prod
@@ -169,10 +170,11 @@ jobs:
 
   build-and-push-auth:
     runs-on: runners-cartsnitch
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: github.event_name == 'push'
     needs: [lint, test, e2e]
     outputs:
       calver_tag: ${{ steps.calver.outputs.version }}
+      sha_tag: sha-${{ github.sha }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -195,14 +197,14 @@ jobs:
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Log in to Docker Hub
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Log in to GHCR
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
@@ -215,7 +217,7 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}
           tags: |
-            type=sha,prefix=sha-
+            type=sha,prefix=sha-,format=long
             type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
 
@@ -224,16 +226,17 @@ jobs:
         with:
           context: ./auth
           file: ./auth/Dockerfile
-          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          push: ${{ github.event_name == 'push' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
   build-and-push-receiptwitness:
     runs-on: runners-cartsnitch
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: github.event_name == 'push'
     needs: [lint, test]
     outputs:
       calver_tag: ${{ steps.calver.outputs.version }}
+      sha_tag: sha-${{ github.sha }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -251,14 +254,14 @@ jobs:
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Log in to Docker Hub
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Log in to GHCR
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
@@ -271,7 +274,7 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}
           tags: |
-            type=sha,prefix=sha-
+            type=sha,prefix=sha-,format=long
             type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
 
@@ -280,16 +283,17 @@ jobs:
         with:
           context: .
           file: ./receiptwitness/Dockerfile
-          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          push: ${{ github.event_name == 'push' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
   build-and-push-api:
     runs-on: runners-cartsnitch
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: github.event_name == 'push'
     needs: [lint, test]
     outputs:
       calver_tag: ${{ steps.calver.outputs.version }}
+      sha_tag: sha-${{ github.sha }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -307,14 +311,14 @@ jobs:
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Log in to Docker Hub
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Log in to GHCR
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
@@ -327,23 +331,23 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}
           tags: |
-            type=sha,prefix=sha-
+            type=sha,prefix=sha-,format=long
             type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
 
       - name: Build and push API Docker image
         uses: docker/build-push-action@v6
         with:
-          context: .
+          context: ./api
           file: ./api/Dockerfile
-          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          push: ${{ github.event_name == 'push' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
   deploy-dev:
     runs-on: runners-cartsnitch
     needs: [build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api]
-    if: always() && !cancelled() && github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main')
     steps:
       - name: Generate GitHub App token
         id: app-token
@@ -368,29 +372,65 @@ jobs:
       - name: Install kustomize
         uses: imranismail/setup-kustomize@v2
 
+      - name: Determine image tag for frontend
+        id: frontend_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
       - name: Update frontend image tag
         if: needs.build-and-push.result == 'success'
         run: |
           cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ needs.build-and-push.outputs.calver_tag }}
+          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
+
+      - name: Determine image tag for auth
+        id: auth_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
 
       - name: Update auth image tag
         if: needs.build-and-push-auth.result == 'success'
         run: |
           cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/auth:${{ needs.build-and-push-auth.outputs.calver_tag }}
+          kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }}
+
+      - name: Determine image tag for receiptwitness
+        id: receiptwitness_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
 
       - name: Update receiptwitness image tag
         if: needs.build-and-push-receiptwitness.result == 'success'
         run: |
           cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}
+          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }}
+
+      - name: Determine image tag for api
+        id: api_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-api.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-api.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
 
       - name: Update api image tag
         if: needs.build-and-push-api.result == 'success'
         run: |
           cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/api:${{ needs.build-and-push-api.outputs.calver_tag }}
+          kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
 
       - name: Commit and push to infra
         run: |
@@ -399,4 +439,103 @@ jobs:
           git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
           git add apps/overlays/dev/kustomization.yaml
           git commit -m "ci(dev): update cartsnitch, auth, receiptwitness, and api images"
+          git pull --rebase origin main
+          git push origin main
+
+  deploy-uat:
+    runs-on: runners-cartsnitch
+    needs: [build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api]
+    if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main')
+    steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
+          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: infra
+
+      - name: Checkout infra repo
+        uses: actions/checkout@v4
+        with:
+          repository: cartsnitch/infra
+          token: ${{ steps.app-token.outputs.token }}
+          ref: main
+          path: infra
+
+      - name: Install kubectl
+        uses: azure/setup-kubectl@v4
+
+      - name: Install kustomize
+        uses: imranismail/setup-kustomize@v2
+
+      - name: Determine image tag for frontend
+        id: frontend_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Update frontend image tag
+        if: needs.build-and-push.result == 'success'
+        run: |
+          cd infra/apps/overlays/uat
+          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
+
+      - name: Determine image tag for auth
+        id: auth_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Update auth image tag
+        if: needs.build-and-push-auth.result == 'success'
+        run: |
+          cd infra/apps/overlays/uat
+          kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }}
+
+      - name: Determine image tag for receiptwitness
+        id: receiptwitness_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Update receiptwitness image tag
+        if: needs.build-and-push-receiptwitness.result == 'success'
+        run: |
+          cd infra/apps/overlays/uat
+          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }}
+
+      - name: Determine image tag for api
+        id: api_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-api.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-api.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Update api image tag
+        if: needs.build-and-push-api.result == 'success'
+        run: |
+          cd infra/apps/overlays/uat
+          kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
+
+      - name: Commit and push to infra
+        run: |
+          cd infra
+          git config user.name "cartsnitch-ci[bot]"
+          git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
+          git add apps/overlays/uat/kustomization.yaml
+          git commit -m "ci(uat): update cartsnitch, auth, receiptwitness, and api images"
+          git pull --rebase origin main
           git push origin main

api/Dockerfile

@@ -16,6 +16,8 @@ WORKDIR /app
 RUN adduser --system --group --uid 1000 app
 COPY --from=build /install /usr/local
 COPY src/ ./src/
+COPY alembic.ini ./
+COPY alembic/ ./alembic/
 
 USER 1000
 EXPOSE 8000
@@ -23,4 +25,4 @@ EXPOSE 8000
 HEALTHCHECK --interval=30s --timeout=3s \
     CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health')"
 
-CMD ["uvicorn", "cartsnitch_api.main:app", "--host", "0.0.0.0", "--port", "8000"]
+CMD ["uvicorn", "cartsnitch_api.main:app", "--host", "0.0.0.0", "--port", "8000"]

api/alembic/env.py

@@ -18,7 +18,7 @@ if not db_url:
         "CARTSNITCH_DATABASE_URL_SYNC must be set. "
         "Example: postgresql://user:pass@localhost:5432/cartsnitch"
     )
-config.set_main_option("sqlalchemy.url", db_url)
+config.set_main_option("sqlalchemy.url", db_url.replace("%", "%%"))
 
 target_metadata = Base.metadata
 

api/alembic/versions/006_email_inbound_token_server_default.py

@@ -0,0 +1,32 @@
+"""Add server_default to users.email_inbound_token.
+
+Revision ID: 006_email_inbound_token_server_default
+Revises: 005_add_email_inbound_token
+Create Date: 2026-04-04
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+revision = "006_email_inbound_token_server_default"
+down_revision = "005_add_email_inbound_token"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    op.alter_column(
+        "users",
+        "email_inbound_token",
+        server_default=sa.text(
+            "replace(replace(trim(trailing '=' from encode(gen_random_bytes(16), 'base64')), '+', '-'), '/', '_')"
+        ),
+    )
+
+
+def downgrade() -> None:
+    op.alter_column(
+        "users",
+        "email_inbound_token",
+        server_default=None,
+    )

api/src/cartsnitch_api/auth/routes.py

@@ -22,11 +22,6 @@ from cartsnitch_api.services.auth import AuthService
 router = APIRouter(prefix="/auth", tags=["auth"])
 
 
-class EmailInAddressResponse(BaseModel):
-    email_address: str
-    instructions: str
-
-
 @router.get("/me", response_model=UserResponse)
 async def get_me(
     user_id: str = Depends(get_current_user),
@@ -70,23 +65,3 @@ async def delete_me(
         raise HTTPException(
             status_code=status.HTTP_404_NOT_FOUND, detail="User not found"
         ) from None
-
-
-@router.get("/me/email-in-address", response_model=EmailInAddressResponse)
-async def get_email_in_address(
-    user_id: str = Depends(get_current_user),
-    db: AsyncSession = Depends(get_db),
-):
-    result = await db.execute(select(User.email_inbound_token).where(User.id == user_id))
-    token = result.scalar_one_or_none()
-    if not token:
-        raise HTTPException(
-            status_code=status.HTTP_404_NOT_FOUND, detail="Email inbound token not found"
-        ) from None
-    return EmailInAddressResponse(
-        email_address=f"receipts+{token}@receipts.cartsnitch.com",
-        instructions=(
-            "Forward your digital receipt emails to this address. "
-            "We currently support Meijer, Kroger, and Target receipt emails."
-        ),
-    )

api/src/cartsnitch_api/main.py

@@ -18,6 +18,7 @@ from cartsnitch_api.routes.purchases import router as purchases_router
 from cartsnitch_api.routes.scraping import router as scraping_router
 from cartsnitch_api.routes.shopping import router as shopping_router
 from cartsnitch_api.routes.stores import router as stores_router
+from cartsnitch_api.routes.user import router as user_router
 
 
 @asynccontextmanager
@@ -49,6 +50,7 @@ def create_app() -> FastAPI:
 
     # Data endpoints mounted under /api/v1
     v1_router = APIRouter(prefix="/api/v1")
+    v1_router.include_router(user_router)
     v1_router.include_router(stores_router)
     v1_router.include_router(purchases_router)
     v1_router.include_router(products_router)

api/src/cartsnitch_api/routes/user.py

@@ -0,0 +1,32 @@
+"""User routes: per-user account endpoints (email-in address, etc.)."""
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from cartsnitch_api.auth.dependencies import get_current_user
+from cartsnitch_api.database import get_db
+from cartsnitch_api.schemas import EmailInAddressResponse
+from cartsnitch_api.services.auth import AuthService
+
+router = APIRouter(tags=["user"])
+
+
+@router.get("/me/email-in-address", response_model=EmailInAddressResponse)
+async def get_email_in_address(
+    user_id: str = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db),
+):
+    svc = AuthService(db)
+    try:
+        email_address = await svc.get_email_in_address(user_id)
+        return EmailInAddressResponse(
+            email_address=email_address,
+            instructions=(
+                "Forward your digital receipt emails to this address. "
+                "We currently support Meijer, Kroger, and Target receipt emails."
+            ),
+        )
+    except LookupError:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND, detail="User not found"
+        ) from None

api/src/cartsnitch_api/schemas.py

@@ -1,6 +1,7 @@
 """Pydantic v2 request/response schemas for all API endpoints."""
 
 from datetime import datetime
+from uuid import UUID
 
 from pydantic import BaseModel, EmailStr, Field
 
@@ -21,6 +22,11 @@ class UserResponse(BaseModel):
     created_at: datetime
 
 
+class EmailInAddressResponse(BaseModel):
+    email_address: str
+    instructions: str
+
+
 # ---------- Stores ----------
 
 

api/src/cartsnitch_api/services/auth.py

@@ -66,3 +66,14 @@ class AuthService:
 
         await self.db.delete(user)
         await self.db.commit()
+
+    async def get_email_in_address(self, user_id: str) -> str:
+        """Return the per-user email-in address for receipt forwarding."""
+        from cartsnitch_api.models import User
+
+        result = await self.db.execute(select(User).where(User.id == user_id))
+        user = result.scalar_one_or_none()
+        if not user:
+            raise LookupError("User not found")
+
+        return f"receipts+{user.email_inbound_token}@receipts.cartsnitch.com"

api/tests/test_e2e/test_email_in_address.py

@@ -1,4 +1,4 @@
-"""Tests for GET /auth/me/email-in-address endpoint."""
+"""Tests for GET /api/v1/me/email-in-address endpoint."""
 
 import pytest
 from httpx import AsyncClient
@@ -8,7 +8,7 @@ from httpx import AsyncClient
 async def test_get_email_in_address_authenticated(client: AsyncClient, auth_headers: dict):
     """Authenticated user gets their email-in address."""
     response = await client.get(
-        "/auth/me/email-in-address",
+        "/api/v1/me/email-in-address",
         headers=auth_headers,
     )
 
@@ -27,7 +27,7 @@ async def test_get_email_in_address_authenticated(client: AsyncClient, auth_head
 @pytest.mark.asyncio
 async def test_get_email_in_address_unauthenticated(client: AsyncClient):
     """Unauthenticated request returns 401."""
-    response = await client.get("/auth/me/email-in-address")
+    response = await client.get("/api/v1/me/email-in-address")
     assert response.status_code == 401
 
 
@@ -35,7 +35,7 @@ async def test_get_email_in_address_unauthenticated(client: AsyncClient):
 async def test_get_email_in_address_invalid_token(client: AsyncClient):
     """Invalid JWT token returns 401."""
     response = await client.get(
-        "/auth/me/email-in-address",
+        "/api/v1/me/email-in-address",
         headers={"Authorization": "Bearer invalid-token-xyz"},
     )
     assert response.status_code == 401
@@ -45,7 +45,7 @@ async def test_get_email_in_address_invalid_token(client: AsyncClient):
 async def test_email_address_format(client: AsyncClient, auth_headers: dict):
     """Email address format is receipts+{22-char-urlsafe-token}@receipts.cartsnitch.com."""
     response = await client.get(
-        "/auth/me/email-in-address",
+        "/api/v1/me/email-in-address",
         headers=auth_headers,
     )
 

auth/src/auth.ts

@@ -95,5 +95,6 @@ export const auth = betterAuth({
     "https://cartsnitch.com",
     "https://cartsnitch.farh.net",
     "https://cartsnitch.dev.farh.net",
+    "https://cartsnitch.uat.farh.net",
   ],
 });

common/alembic/env.py

@@ -14,7 +14,7 @@ if config.config_file_name is not None:
 
 db_url = os.environ.get("CARTSNITCH_DATABASE_URL_SYNC")
 if db_url:
-    config.set_main_option("sqlalchemy.url", db_url)
+    config.set_main_option("sqlalchemy.url", db_url.replace("%", "%%"))
 
 target_metadata = Base.metadata
 

common/alembic/versions/001_add_email_inbound_token.py

@@ -0,0 +1,37 @@
+"""Add email_inbound_token to users.
+
+Revision ID: 001_add_email_inbound_token
+Revises:
+Create Date: 2026-04-02
+"""
+
+from collections.abc import Sequence
+
+import sqlalchemy as sa
+
+from alembic import op
+
+revision: str = "001_add_email_inbound_token"
+down_revision: str | None = None
+branch_labels: str | Sequence[str] | None = None
+depends_on: str | Sequence[str] | None = None
+
+
+def upgrade() -> None:
+    op.add_column("users", sa.Column("email_inbound_token", sa.String(22), nullable=True))
+    op.create_unique_constraint("uq_users_email_inbound_token", "users", ["email_inbound_token"])
+
+    # Backfill existing users with generated tokens (PostgreSQL)
+    op.execute(
+        "UPDATE users SET email_inbound_token = "
+        "substring(replace(gen_random_uuid()::text, '-', ''), 1, 22) "
+        "WHERE email_inbound_token IS NULL"
+    )
+
+    # Alter to non-nullable
+    op.alter_column("users", "email_inbound_token", nullable=False)
+
+
+def downgrade() -> None:
+    op.drop_constraint("uq_users_email_inbound_token", "users", type_="unique")
+    op.drop_column("users", "email_inbound_token")

common/src/cartsnitch_common/models/user.py

@@ -1,10 +1,11 @@
 """User and UserStoreAccount models."""
 
+import secrets
 import uuid
 from datetime import datetime
 from typing import TYPE_CHECKING
 
-from sqlalchemy import JSON, Boolean, DateTime, ForeignKey, String, Text, UniqueConstraint
+from sqlalchemy import JSON, Boolean, DateTime, ForeignKey, String, Text, UniqueConstraint, text
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 
 from cartsnitch_common.constants import AccountStatus
@@ -21,6 +22,15 @@ class User(UUIDPrimaryKeyMixin, TimestampMixin, Base):
     __tablename__ = "users"
 
     email: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
+    email_inbound_token: Mapped[str] = mapped_column(
+        String(22),
+        nullable=False,
+        unique=True,
+        default=lambda: secrets.token_urlsafe(16),
+        server_default=text(
+            "replace(replace(trim(trailing '=' from encode(gen_random_bytes(16), 'base64')), '+', '-'), '/', '_')"
+        ),
+    )
     hashed_password: Mapped[str | None] = mapped_column(String(255), nullable=True)
     display_name: Mapped[str | None] = mapped_column(String(100))
     email_verified: Mapped[bool] = mapped_column(Boolean, nullable=False, server_default="false")

common/src/cartsnitch_common/schemas/user.py

@@ -20,6 +20,7 @@ class UserRead(BaseModel):
     id: uuid.UUID
     email: str
     display_name: str | None
+    email_inbound_token: str
     created_at: datetime
     updated_at: datetime
 

common/tests/test_models.py

@@ -147,6 +147,40 @@ class TestStoreLocationModel:
         assert loc.lat == pytest.approx(42.2808)
 
 
+class TestUserModel:
+    def test_email_inbound_token_auto_populated(self, session):
+        user = User(
+            id=uuid.uuid4(),
+            email="token_test@example.com",
+            hashed_password="hashed",
+            created_at=datetime.now(UTC),
+            updated_at=datetime.now(UTC),
+        )
+        session.add(user)
+        session.commit()
+        assert user.email_inbound_token is not None
+        assert len(user.email_inbound_token) == 22
+
+    def test_email_inbound_token_unique(self, session):
+        user1 = User(
+            id=uuid.uuid4(),
+            email="user1@example.com",
+            hashed_password="hashed",
+            created_at=datetime.now(UTC),
+            updated_at=datetime.now(UTC),
+        )
+        user2 = User(
+            id=uuid.uuid4(),
+            email="user2@example.com",
+            hashed_password="hashed",
+            created_at=datetime.now(UTC),
+            updated_at=datetime.now(UTC),
+        )
+        session.add_all([user1, user2])
+        session.commit()
+        assert user1.email_inbound_token != user2.email_inbound_token
+
+
 class TestUserStoreAccountModel:
     def test_account_status_enum(self, session):
         user = User(

package.json

@@ -50,6 +50,9 @@
   "overrides": {
     "@rollup/pluginutils": "5.3.0",
     "flatted": "^3.4.2",
-    "serialize-javascript": "7.0.5"
+    "serialize-javascript": "7.0.5",
+    "brace-expansion": ">=1.1.13",
+    "lodash": ">=4.17.24",
+    "minimatch": "^10.2.4"
   }
 }

receiptwitness/src/receiptwitness/api/routes.py

@@ -17,7 +17,11 @@ TOKEN_PATTERN = re.compile(r"receipts\+([A-Za-z0-9_-]+)@")
 
 def verify_mailgun_signature(token: str, timestamp: str, signature: str) -> bool:
     """Verify Mailgun webhook signature."""
-    if abs(time.time() - int(timestamp)) > 300:  # 5 min freshness
+    try:
+        ts = int(timestamp)
+    except (ValueError, TypeError):
+        return False
+    if abs(time.time() - ts) > 300:  # 5 min freshness
         return False
     key = settings.mailgun_webhook_signing_key.encode()
     hmac_digest = hmac.new(key, f"{timestamp}{token}".encode(), hashlib.sha256).hexdigest()

receiptwitness/tests/test_api/test_webhook.py

@@ -99,3 +99,27 @@ def test_stale_timestamp(client, mock_redis):
     assert response.status_code == 406
     assert response.json()["detail"] == "Invalid signature"
     mock_redis["enqueue"].assert_not_awaited()
+
+
+def test_invalid_timestamp_returns_406(client, mock_redis):
+    """Empty timestamp should return 406, not 500."""
+    with patch("receiptwitness.api.routes.settings") as mock_settings:
+        mock_settings.mailgun_webhook_signing_key = "test-secret"
+        form = {
+            "token": "test-token",
+            "timestamp": "",
+            "signature": "any-sig",
+            "sender": "sender@example.com",
+            "recipient": "receipts+user123@example.com",
+            "subject": "Receipt",
+        }
+        response = client.post("/inbound/email", data=form)
+    assert response.status_code == 406
+    assert response.json()["detail"] == "Invalid signature"
+    mock_redis["enqueue"].assert_not_awaited()
+
+
+def test_get_inbound_email_returns_405(client):
+    """GET /inbound/email is not allowed."""
+    response = client.get("/inbound/email")
+    assert response.status_code == 405

src/pages/Settings.tsx

@@ -1,3 +1,4 @@
+import { useState, useEffect } from 'react'
 import { Link, useNavigate } from 'react-router-dom'
 import { authClient } from '../lib/auth-client.ts'
 import { useAuthStore } from '../stores/auth.ts'
@@ -9,6 +10,26 @@ export function Settings() {
   const setAuthenticated = useAuthStore((s) => s.setAuthenticated)
   const navigate = useNavigate()
   const { theme, setTheme } = useThemeStore()
+  const [emailInAddress, setEmailInAddress] = useState<string | null>(null)
+  const [copied, setCopied] = useState(false)
+
+  useEffect(() => {
+    if (!session?.user) return
+    fetch('/api/v1/me/email-in-address', {
+      credentials: 'include',
+    })
+      .then((res) => res.json())
+      .then((data) => setEmailInAddress(data.email_address))
+      .catch(() => setEmailInAddress(null))
+  }, [session])
+
+  async function handleCopyEmail() {
+    if (emailInAddress) {
+      await navigator.clipboard.writeText(emailInAddress)
+      setCopied(true)
+      setTimeout(() => setCopied(false), 2000)
+    }
+  }
 
   const user = session?.user
   const connectedStores: string[] = []
@@ -113,6 +134,30 @@ export function Settings() {
           </button>
         </div>
       </section>
+
+      {/* Receipt Email section */}
+      <section className="mt-6">
+        <h2 className="mb-3 text-sm font-semibold text-gray-500">Receipt Email</h2>
+        <div className="rounded-xl bg-white p-4 shadow-sm">
+          <p className="mb-2 text-sm text-gray-600">
+            Forward your digital receipt emails to this address:
+          </p>
+          <div className="flex items-center gap-2">
+            <code className="flex-1 rounded-lg bg-gray-100 px-3 py-2 text-sm font-mono text-gray-800 truncate">
+              {emailInAddress ?? 'Loading...'}
+            </code>
+            <button
+              onClick={handleCopyEmail}
+              className="rounded-lg bg-brand-blue px-3 py-2 text-sm font-medium text-white hover:bg-brand-blue/90 transition-colors"
+            >
+              {copied ? 'Copied!' : 'Copy'}
+            </button>
+          </div>
+          <p className="mt-2 text-xs text-gray-400">
+            Supports Meijer, Kroger, and Target receipt emails.
+          </p>
+        </div>
+      </section>
     </div>
   )
 }