Merge main into fix/npm-audit-vulnerabilities

fix(deps): resolve npm audit vulnerabilities (brace-expansion, lodash)
- Override brace-expansion to >=1.1.13 to resolve GHSA-f886-m6hf-6m8v - Override lodash to >=4.17.24 to resolve GHSA-r5fr-rjxr-66jc and GHSA-f23m-r3pf-42rh - Override minimatch to ^10.2.4 to maintain compatibility with brace-expansion@5.x Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-03 13:17:56 +00:00 · 2026-04-03 12:35:51 +00:00
6 changed files with 34 additions and 77 deletions
@@ -334,8 +334,8 @@ jobs:
      - name: Build and push API Docker image
        uses: docker/build-push-action@v6
        with:
-          context: ./api
-          file: ./Dockerfile
+          context: .
+          file: ./api/Dockerfile
          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
@@ -400,64 +400,3 @@ jobs:
          git add apps/overlays/dev/kustomization.yaml
          git commit -m "ci(dev): update cartsnitch, auth, receiptwitness, and api images"
          git push origin main
-
-  deploy-uat:
-    runs-on: runners-cartsnitch
-    needs: [build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api]
-    if: always() && !cancelled() && github.event_name == 'push' && github.ref == 'refs/heads/main'
-    steps:
-      - name: Generate GitHub App token
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
-          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
-          repositories: infra
-
-      - name: Checkout infra repo
-        uses: actions/checkout@v4
-        with:
-          repository: cartsnitch/infra
-          token: ${{ steps.app-token.outputs.token }}
-          ref: main
-          path: infra
-
-      - name: Install kubectl
-        uses: azure/setup-kubectl@v4
-
-      - name: Install kustomize
-        uses: imranismail/setup-kustomize@v2
-
-      - name: Update frontend image tag
-        if: needs.build-and-push.result == 'success'
-        run: |
-          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ needs.build-and-push.outputs.calver_tag }}
-
-      - name: Update auth image tag
-        if: needs.build-and-push-auth.result == 'success'
-        run: |
-          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/auth:${{ needs.build-and-push-auth.outputs.calver_tag }}
-
-      - name: Update receiptwitness image tag
-        if: needs.build-and-push-receiptwitness.result == 'success'
-        run: |
-          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}
-
-      - name: Update api image tag
-        if: needs.build-and-push-api.result == 'success'
-        run: |
-          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/api:${{ needs.build-and-push-api.outputs.calver_tag }}
-
-      - name: Commit and push to infra
-        run: |
-          cd infra
-          git config user.name "cartsnitch-ci[bot]"
-          git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
-          git add apps/overlays/uat/kustomization.yaml
-          git commit -m "ci(uat): update cartsnitch, auth, receiptwitness, and api images"
-          git push origin main
@@ -22,6 +22,11 @@ from cartsnitch_api.services.auth import AuthService
 router = APIRouter(prefix="/auth", tags=["auth"])


+class EmailInAddressResponse(BaseModel):
+    email_address: str
+    instructions: str
+
+
@router.get("/me", response_model=UserResponse)
 async def get_me(
    user_id: str = Depends(get_current_user),
@@ -65,3 +70,23 @@ async def delete_me(
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND, detail="User not found"
        ) from None
+
+
+@router.get("/me/email-in-address", response_model=EmailInAddressResponse)
+async def get_email_in_address(
+    user_id: str = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db),
+):
+    result = await db.execute(select(User.email_inbound_token).where(User.id == user_id))
+    token = result.scalar_one_or_none()
+    if not token:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND, detail="Email inbound token not found"
+        ) from None
+    return EmailInAddressResponse(
+        email_address=f"receipts+{token}@receipts.cartsnitch.com",
+        instructions=(
+            "Forward your digital receipt emails to this address. "
+            "We currently support Meijer, Kroger, and Target receipt emails."
+        ),
+    )
@@ -19,13 +19,7 @@ async def get_email_in_address(
    svc = AuthService(db)
    try:
        email_address = await svc.get_email_in_address(user_id)
-        return EmailInAddressResponse(
-            email_address=email_address,
-            instructions=(
-                "Forward your digital receipt emails to this address. "
-                "We currently support Meijer, Kroger, and Target receipt emails."
-            ),
-        )
+        return EmailInAddressResponse(email_address=email_address)
    except LookupError:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND, detail="User not found"
@@ -24,7 +24,6 @@ class UserResponse(BaseModel):

 class EmailInAddressResponse(BaseModel):
    email_address: str
-    instructions: str


 # ---------- Stores ----------
@@ -76,4 +76,4 @@ class AuthService:
        if not user:
            raise LookupError("User not found")

-        return f"receipts+{user.email_inbound_token}@receipts.cartsnitch.com"
+        return f"{user.email_inbound_token}@email.cartsnitch.com"
@@ -1,4 +1,4 @@
-"""Tests for GET /api/v1/me/email-in-address endpoint."""
+"""Tests for GET /auth/me/email-in-address endpoint."""

 import pytest
 from httpx import AsyncClient
@@ -8,7 +8,7 @@ from httpx import AsyncClient
 async def test_get_email_in_address_authenticated(client: AsyncClient, auth_headers: dict):
    """Authenticated user gets their email-in address."""
    response = await client.get(
-        "/api/v1/me/email-in-address",
+        "/auth/me/email-in-address",
        headers=auth_headers,
    )

@@ -27,7 +27,7 @@ async def test_get_email_in_address_authenticated(client: AsyncClient, auth_head
@pytest.mark.asyncio
 async def test_get_email_in_address_unauthenticated(client: AsyncClient):
    """Unauthenticated request returns 401."""
-    response = await client.get("/api/v1/me/email-in-address")
+    response = await client.get("/auth/me/email-in-address")
    assert response.status_code == 401


@@ -35,7 +35,7 @@ async def test_get_email_in_address_unauthenticated(client: AsyncClient):
 async def test_get_email_in_address_invalid_token(client: AsyncClient):
    """Invalid JWT token returns 401."""
    response = await client.get(
-        "/api/v1/me/email-in-address",
+        "/auth/me/email-in-address",
        headers={"Authorization": "Bearer invalid-token-xyz"},
    )
    assert response.status_code == 401
@@ -45,7 +45,7 @@ async def test_get_email_in_address_invalid_token(client: AsyncClient):
 async def test_email_address_format(client: AsyncClient, auth_headers: dict):
    """Email address format is receipts+{22-char-urlsafe-token}@receipts.cartsnitch.com."""
    response = await client.get(
-        "/api/v1/me/email-in-address",
+        "/auth/me/email-in-address",
        headers=auth_headers,
    )