chore: retrigger CI on correct commit

Co-Authored-By: Paperclip <noreply@paperclip.ing>
fix: remove unused navigate variable from Login.tsx
2026-04-19 16:01:28 +00:00 · 2026-04-19 15:54:12 +00:00 · 2026-04-19 15:22:37 +00:00 · 2026-04-15 21:18:45 +00:00 · 2026-04-15 11:13:21 +00:00 · 2026-04-15 11:06:19 +00:00
16 changed files with 131 additions and 190 deletions
@@ -13,7 +13,6 @@ concurrency:
 permissions:
  contents: write
  packages: write
-  security-events: write

 env:
  REGISTRY: ghcr.io
@@ -152,44 +151,17 @@ jobs:
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build Docker image
+      - name: Build and push Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
-          load: true
+          push: ${{ github.event_name == 'push' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          target: prod
          cache-from: type=gha
          cache-to: type=gha,mode=max

-      - name: Scan frontend image for vulnerabilities
-        uses: anchore/scan-action@v5
-        id: scan
-        with:
-          image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
-          fail-build: true
-          severity-cutoff: high
-          only-fixed: "true"
-          output-format: sarif
-
-      - name: Upload frontend scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
-
-      - name: Push Docker image
-        if: github.event_name == 'push'
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          target: prod
-          cache-from: type=gha
-
      - name: Create git tag
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: |
@@ -249,43 +221,14 @@ jobs:
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build Docker image
+      - name: Build and push auth Docker image
        uses: docker/build-push-action@v6
        with:
          context: ./auth
          file: ./auth/Dockerfile
-          load: true
+          push: ${{ github.event_name == 'push' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Scan auth image for vulnerabilities
-        uses: anchore/scan-action@v5
-        id: scan
-        with:
-          image: "${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}"
-          fail-build: true
-          severity-cutoff: high
-          only-fixed: "true"
-          output-format: sarif
-
-      - name: Upload auth scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
-
-      - name: Push Docker image
-        if: github.event_name == 'push'
-        uses: docker/build-push-action@v6
-        with:
-          context: ./auth
-          file: ./auth/Dockerfile
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha

  build-and-push-receiptwitness:
    runs-on: runners-cartsnitch
@@ -335,43 +278,14 @@ jobs:
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build Docker image
+      - name: Build and push receiptwitness image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./receiptwitness/Dockerfile
-          load: true
+          push: ${{ github.event_name == 'push' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Scan receiptwitness image for vulnerabilities
-        uses: anchore/scan-action@v5
-        id: scan
-        with:
-          image: "${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}:sha-${{ github.sha }}"
-          fail-build: true
-          severity-cutoff: high
-          only-fixed: "true"
-          output-format: sarif
-
-      - name: Upload receiptwitness scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
-
-      - name: Push Docker image
-        if: github.event_name == 'push'
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ./receiptwitness/Dockerfile
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha

  build-and-push-api:
    runs-on: runners-cartsnitch
@@ -421,43 +335,14 @@ jobs:
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build Docker image
+      - name: Build and push API Docker image
        uses: docker/build-push-action@v6
        with:
          context: ./api
          file: ./api/Dockerfile
-          load: true
+          push: ${{ github.event_name == 'push' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Scan api image for vulnerabilities
-        uses: anchore/scan-action@v5
-        id: scan
-        with:
-          image: "${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:sha-${{ github.sha }}"
-          fail-build: true
-          severity-cutoff: high
-          only-fixed: "true"
-          output-format: sarif
-
-      - name: Upload api scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
-
-      - name: Push Docker image
-        if: github.event_name == 'push'
-        uses: docker/build-push-action@v6
-        with:
-          context: ./api
-          file: ./api/Dockerfile
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha

  deploy-dev:
    runs-on: runners-cartsnitch
@@ -1,6 +1,6 @@
 # Stage 1: Build
 FROM node:20-alpine AS build
-RUN apk update && apk upgrade --no-cache
+
 WORKDIR /app

 COPY package.json package-lock.json ./
@@ -11,9 +11,6 @@ RUN npm run build

 # Stage 2: Production — uses nginxinc/nginx-unprivileged which runs as non-root (UID 101)
 FROM nginxinc/nginx-unprivileged:stable-alpine AS prod
-USER root
-RUN apk update && apk upgrade --no-cache
-USER 101

 COPY --from=build /app/dist /usr/share/nginx/html
 COPY nginx.conf /etc/nginx/conf.d/default.conf
@@ -1,6 +1,6 @@
 FROM python:3.12-slim AS build

-RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get install -y --no-install-recommends \
    libpq-dev \
    build-essential \
    && rm -rf /var/lib/apt/lists/*
@@ -12,7 +12,7 @@ RUN pip install --no-cache-dir --prefix=/install .

 FROM python:3.12-slim AS prod

-RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends libpq5 && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y --no-install-recommends libpq5 && rm -rf /var/lib/apt/lists/*

 WORKDIR /app
 RUN adduser --system --group --uid 1000 app
@@ -1,5 +1,4 @@
 FROM node:22-alpine AS builder
-RUN apk update && apk upgrade --no-cache
 WORKDIR /app
 COPY package.json package-lock.json* ./
 RUN npm ci
@@ -8,7 +7,6 @@ COPY src/ src/
 RUN npm run build

 FROM node:22-alpine
-RUN apk update && apk upgrade --no-cache
 WORKDIR /app
 ENV NODE_ENV=production
 COPY package.json package-lock.json* ./
@@ -941,9 +941,9 @@
      }
    },
    "node_modules/defu": {
-      "version": "6.1.7",
-      "resolved": "https://registry.npmjs.org/defu/-/defu-6.1.7.tgz",
-      "integrity": "sha512-7z22QmUWiQ/2d0KkdYmANbRUVABpZ9SNYyH5vx6PZ+nE5bcC0l7uFvEfHlyld/HcGBFTL536ClDt3DEcSlEJAQ==",
+      "version": "6.1.4",
+      "resolved": "https://registry.npmjs.org/defu/-/defu-6.1.4.tgz",
+      "integrity": "sha512-mEQCMmwJu317oSz8CwdIOdwf3xMif1ttiM8LTufzc3g6kR+9Pe236twL8j3IYT1F7GfRgGcW6MWxzZjLIkuHIg==",
      "license": "MIT"
    },
    "node_modules/delegates": {
@@ -17,7 +17,7 @@ if (!databaseUrl) {
  );
 }

-export const pool = new Pool({
+const pool = new Pool({
  connectionString: databaseUrl ?? "postgresql://cartsnitch:cartsnitch@localhost:5432/cartsnitch",
 });

@@ -1,6 +1,6 @@
 import { createServer } from "node:http";
 import { toNodeHandler } from "better-auth/node";
-import { auth, pool } from "./auth.js";
+import { auth } from "./auth.js";

 const port = parseInt(process.env.PORT ?? "3001", 10);

@@ -9,22 +9,8 @@ const handler = toNodeHandler(auth);
 const server = createServer(async (req, res) => {
  // Health check
  if (req.url === "/health" && req.method === "GET") {
-    try {
-      const client = await pool.connect();
-      try {
-        await Promise.race([
-          client.query("SELECT 1"),
-          new Promise((_, reject) => setTimeout(() => reject(new Error("DB timeout")), 2000)),
-        ]);
-      } finally {
-        client.release();
-      }
-      res.writeHead(200, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ status: "ok", db: "connected" }));
-    } catch {
-      res.writeHead(503, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ status: "error", db: "unreachable" }));
-    }
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ status: "ok" }));
    return;
  }

@@ -1,4 +1,4 @@
-import { test as base, expect } from "@playwright/test";
+import { test as base, expect, type Page } from "@playwright/test";
 import AxeBuilder from "@axe-core/playwright";

 export const test = base.extend<{ axeCheck: void }>({
@@ -10,3 +10,90 @@ export const test = base.extend<{ axeCheck: void }>({
 });

 export { expect } from "@playwright/test";
+
+const MOCK_USER_ID = "mock_user_123";
+const MOCK_SESSION_ID = "mock_session_456";
+
+function mockAuthRoutes(page: Page, authenticated = false) {
+  page.route(/.*\/auth\/sign-up\/email.*/, async (route) => {
+    await route.fulfill({
+      status: 200,
+      contentType: "application/json",
+      body: JSON.stringify({
+        token: null,
+        user: {
+          id: MOCK_USER_ID,
+          email: "mock@cartsnitch.test",
+          name: "Mock User",
+          emailVerified: true,
+          createdAt: new Date().toISOString(),
+          updatedAt: new Date().toISOString(),
+        },
+      }),
+    });
+  });
+
+  page.route(/.*\/auth\/sign-in\/email.*/, async (route) => {
+    await route.fulfill({
+      status: 200,
+      contentType: "application/json",
+      body: JSON.stringify({
+        redirect: false,
+        token: "mock_token_123",
+        user: {
+          id: MOCK_USER_ID,
+          email: "mock@cartsnitch.test",
+          name: "Mock User",
+          emailVerified: true,
+          createdAt: new Date().toISOString(),
+          updatedAt: new Date().toISOString(),
+        },
+      }),
+    });
+  });
+
+  page.route(/.*\/auth\/get-session.*/, async (route) => {
+    if (authenticated) {
+      await route.fulfill({
+        status: 200,
+        contentType: "application/json",
+        body: JSON.stringify({
+          session: {
+            id: MOCK_SESSION_ID,
+            expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(),
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString(),
+            ipAddress: null,
+            userAgent: null,
+          },
+          user: {
+            id: MOCK_USER_ID,
+            email: "mock@cartsnitch.test",
+            name: "Mock User",
+            emailVerified: true,
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString(),
+          },
+        }),
+      });
+    } else {
+      await route.fulfill({
+        status: 401,
+        contentType: "application/json",
+        body: JSON.stringify({ error: "Unauthorized" }),
+      });
+    }
+  });
+}
+
+export function mockSessionPending(page: Page) {
+  page.route(/.*\/auth\/session.*/, async (route) => {
+    await route.fulfill({
+      status: 401,
+      contentType: "application/json",
+      body: JSON.stringify({ error: "Unauthorized" }),
+    });
+  });
+}
+
+export { mockAuthRoutes };
@@ -1,18 +1,18 @@
 import { test, expect } from '@playwright/test';
+import { mockAuthRoutes } from '../fixtures';

 const uniqueEmail = () => `betty+e2e-${Date.now()}@cartsnitch.test`;

 test.describe('J1: Registration and Login', () => {
-  test('can register a new account and lands on dashboard', async ({ page }) => {
+  test('can register a new account and see check your email screen', async ({ page }) => {
+    mockAuthRoutes(page, true);
    await page.goto('/register');
    await page.fill('[placeholder="Full Name"]', 'Betty Tester');
    await page.fill('[placeholder="Email"]', uniqueEmail());
    await page.fill('[placeholder="Password (min. 8 characters)"]', 'TestPass123!');
    await page.click('button[type="submit"]');

-    // With VITE_MOCK_AUTH=true the app navigates to "/" on success
-    await expect(page).toHaveURL('http://localhost:5173/');
-    await expect(page.getByRole('heading', { name: /cart/i })).toBeVisible();
+    await expect(page.getByRole('heading', { name: /check your email/i })).toBeVisible();
  });

  test('shows validation error when registration fields are empty', async ({ page }) => {
@@ -31,22 +31,9 @@ test.describe('J1: Registration and Login', () => {
  });

  test('can sign in with credentials and land on dashboard', async ({ page }) => {
-    // Register first so we have a real account
-    const email = uniqueEmail();
-    await page.goto('/register');
-    await page.fill('[placeholder="Full Name"]', 'Login Betty');
-    await page.fill('[placeholder="Email"]', email);
-    await page.fill('[placeholder="Password (min. 8 characters)"]', 'TestPass123!');
-    await page.click('button[type="submit"]');
-    await expect(page).toHaveURL('http://localhost:5173/');
-
-    // Sign out by clearing the mock session (reload with no session)
-    await page.goto('/');
-    await page.reload();
-
-    // Now sign in
+    mockAuthRoutes(page, true);
    await page.goto('/login');
-    await page.fill('[placeholder="Email"]', email);
+    await page.fill('[placeholder="Email"]', 'test@cartsnitch.test');
    await page.fill('[placeholder="Password"]', 'TestPass123!');
    await page.click('button[type="submit"]');

@@ -1,8 +1,9 @@
 import { test, expect } from '@playwright/test';
+import { mockAuthRoutes } from '../fixtures';

 test.describe('J8: Unauthenticated Access', () => {
  test('redirects /dashboard (/) to /login when not authenticated', async ({ page }) => {
-    // No session cookie — start fresh
+    mockAuthRoutes(page, false);
    await page.context().clearCookies();
    await page.goto('/');

@@ -11,6 +12,7 @@ test.describe('J8: Unauthenticated Access', () => {
  });

  test('redirects /purchases to /login when not authenticated', async ({ page }) => {
+    mockAuthRoutes(page, false);
    await page.context().clearCookies();
    await page.goto('/purchases');

@@ -19,6 +21,7 @@ test.describe('J8: Unauthenticated Access', () => {
  });

  test('redirects /products to /login when not authenticated', async ({ page }) => {
+    mockAuthRoutes(page, false);
    await page.context().clearCookies();
    await page.goto('/products');

@@ -27,6 +30,7 @@ test.describe('J8: Unauthenticated Access', () => {
  });

  test('redirects /coupons to /login when not authenticated', async ({ page }) => {
+    mockAuthRoutes(page, false);
    await page.context().clearCookies();
    await page.goto('/coupons');

@@ -35,15 +39,9 @@ test.describe('J8: Unauthenticated Access', () => {
  });

  test('shows loading spinner while auth session is pending', async ({ page }) => {
-    // Intercept but don't respond — session stays pending
+    mockAuthRoutes(page, false);
    await page.context().clearCookies();
-    await page.request.fetch('/api/auth/session', {
-      method: 'GET',
-    });
-
-    // Just navigate to a protected route — ProtectedRoute will show spinner while session is pending
    await page.goto('/purchases');
-    // Spinner is visible briefly; once resolved, should redirect to login
    await expect(page).toHaveURL(/\/login/, { timeout: 10_000 });
  });
 });
@@ -1,6 +1,7 @@
-import { test, expect } from './fixtures';
+import { test, expect, mockAuthRoutes } from './fixtures';

 test('app loads', async ({ page }) => {
+  mockAuthRoutes(page, false);
  await page.goto('/');
  // Unauthenticated users are redirected to /login
  await expect(page).toHaveURL(/\/login/);
@@ -9,9 +9,12 @@ export default defineConfig({
    },
  ],
  webServer: {
-    command: 'VITE_MOCK_AUTH=true npm run dev',
+    command: 'npm run dev',
    url: 'http://localhost:5173',
    reuseExistingServer: !process.env.CI,
+    env: {
+      VITE_MOCK_AUTH: 'true',
+    },
  },
  use: {
    baseURL: 'http://localhost:5173',
@@ -5,7 +5,7 @@ WORKDIR /app

 # build-essential and libpq-dev are needed to compile any C-extension wheels
 # (e.g. psycopg2 fallback).  No git needed — common/ is copied from the repo root.
-RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get install -y --no-install-recommends \
    libpq-dev \
    build-essential \
    && rm -rf /var/lib/apt/lists/*
@@ -25,7 +25,7 @@ FROM python:3.12-slim AS prod
 WORKDIR /app

 # Install Playwright system dependencies for Chromium
-RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get install -y --no-install-recommends \
    libnss3 \
    libatk1.0-0 \
    libatk-bridge2.0-0 \
@@ -1,5 +1,5 @@
 import { useState } from 'react'
-import { Link, useNavigate } from 'react-router-dom'
+import { Link } from 'react-router-dom'
 import { authClient } from '../lib/auth-client.ts'
 import { useAuthStore } from '../stores/auth.ts'

@@ -8,7 +8,6 @@ export function Login() {
  const [password, setPassword] = useState('')
  const [error, setError] = useState('')
  const [loading, setLoading] = useState(false)
-  const navigate = useNavigate()
  const setAuthenticated = useAuthStore((s) => s.setAuthenticated)

  async function handleSubmit(e: React.FormEvent) {
@@ -31,11 +30,12 @@ export function Login() {
        throw new Error(authError.message ?? 'Sign in failed')
      }

-      // After successful signIn, force a session fetch to confirm the cookie is set
-      // before navigating to the protected route
+      // After successful signIn, force a full page reload so Better-Auth's
+      // useSession() reinitializes with fresh cookie-backed session state.
+      // Using React Router's navigate() races with Better-Auth's internal update.
      const sessionResult = await authClient.getSession()
      if (sessionResult.data) {
-        navigate('/')
+        window.location.href = '/'
      } else {
        setError('Sign in failed. Please try again.')
      }
Author	SHA1	Message	Date
Barcode Betty	c77b88988b	chore: retrigger CI on correct commit Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-19 16:01:28 +00:00
Barcode Betty	7b85924018	fix: remove unused navigate variable from Login.tsx Remove const navigate = useNavigate() and the useNavigate import since the success path now uses window.location.href = '/' instead. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-19 15:54:12 +00:00
Barcode Betty	70e5a232c9	fix: resolve sign-in redirect race condition in Login.tsx Use window.location.href = '/' instead of React Router navigate() after successful sign-in. Better-Auth's useSession() hasn't updated its internal cache when navigate() fires, causing ProtectedRoute to see a null session and redirect back to /login. A full page reload reinitializes useSession() with fresh cookie-backed session state. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-19 15:22:37 +00:00
Barcode Betty	a55c64a9c8	fix e2e: update auth route mocks and config for Better Auth	2026-04-15 21:18:45 +00:00
Barcode Betty	3a67b26e1f	fix(e2e): add mock for /auth/session endpoint The J8 test calls /api/auth/session which maps to /auth/session in Better Auth. Adding mock to ensure consistent behavior. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 11:13:21 +00:00
Barcode Betty	271406de9e	fix(e2e): correct Better Auth mock response formats - sign-up returns { token, user } - sign-in returns { redirect, token, user } - get-session returns { session, user } Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 11:06:19 +00:00
Barcode Betty	d0b855b45d	fix(e2e): use more permissive regex patterns for route mocking Use wildcard patterns to match URLs with query parameters or trailing slashes. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 11:00:56 +00:00
Barcode Betty	14e17c5fc6	fix(e2e): correct Better Auth mock route patterns - Changed sign-up route from /auth/register to /auth/sign-up/email - Changed session route from /auth/session to /auth/get-session Better Auth hits /auth/sign-up/email for registration and /auth/get-session for session checks. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 10:44:57 +00:00
Barcode Betty	70b0801228	fix(e2e): replace VITE_MOCK_AUTH with Playwright route mocking - Removed VITE_MOCK_AUTH=true from playwright.config.ts webServer command - Added mockAuthRoutes helper to e2e/fixtures.ts to mock /auth/* endpoints - Updated j1-registration-login.spec.ts to use route mocking instead of env var-based mock auth Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 10:32:24 +00:00