From 3c3dd07909fcd100e074b01ea1dd1eea7e1f5fff Mon Sep 17 00:00:00 2001
From: "cartsnitch-cto[bot]" <269715008+cartsnitch-cto[bot]@users.noreply.github.com>
Date: Wed, 1 Apr 2026 10:29:05 +0000
Subject: [PATCH] fix(api): restore SHA-256 session token hashing (regression from PR #95)

Restores sha256 import and token hashing in _validate_session_token.
Regression introduced when PR #95 (cookie name fix) was merged without the hash fix from PR #93.

QA approved: CAR-324 (Checkout Charlie)
CTO approved: Paperclip (Savannah Savings)

Resolves CAR-323
cc @cpfarhood
---
 src/cartsnitch_api/auth/dependencies.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/cartsnitch_api/auth/dependencies.py b/src/cartsnitch_api/auth/dependencies.py
index 1c68381..ac9e5fd 100644
--- a/src/cartsnitch_api/auth/dependencies.py
+++ b/src/cartsnitch_api/auth/dependencies.py
@@ -5,6 +5,7 @@ Sessions are verified by querying the shared sessions table directly.
 """
 
 from datetime import UTC, datetime
+from hashlib import sha256
 from uuid import UUID
 
 from fastapi import Cookie, Depends, Header, HTTPException, Request, status
@@ -31,10 +32,13 @@ async def _validate_session_token(token: str, db: AsyncSession) -> UUID:
     """Validate a Better-Auth session token against the sessions table.
 
     Returns the user_id (as UUID) if the session is valid and not expired.
+    Better-Auth v1.5.6+ stores tokens as SHA-256 hashes, so we hash the
+    incoming raw token before querying.
     """
+    hashed_token = sha256(token.encode("utf-8")).hexdigest()
     result = await db.execute(
         text("SELECT user_id, expires_at FROM sessions WHERE token = :token"),
-        {"token": token},
+        {"token": hashed_token},
     )
     row = result.first()
 
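Review bot: The encoding of the stored hash is what the new lookup on the `{"token": hashed_token}` line depends on, and nothing in the change pins it — `hexdigest()` yields lowercase hex, while the new docstring lines say only that Better-Auth "stores tokens as SHA-256 hashes". If the stored column is base64 or upper-case hex, every lookup would miss and surface as an invalid session rather than an error, so the assumption belongs in the docstring, e.g. `stored as lowercase hex SHA-256 digests of the raw token (hexdigest())`. The commit message says this same fix was already lost once in a merge and the diffstat shows no test touched; a unit test that seeds a sessions row with `sha256(b"<RAW_TOKEN_PLACEHOLDER>").hexdigest()` and asserts the raw token validates would keep it from regressing again. Rows written before hashing was enabled would presumably no longer match — worth confirming the upgrade path covered them. _validate_session_token continues past the hunk, so the not-found and expiry handling is not visible here.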