Fix: strip PostgreSQL server_default from UUID + gen_random_bytes columns for SQLite tests

The sync engine fixture (engine) and async engine fixture (db_engine) now
iterate all Base.metadata tables and null server_default on any column
whose SQL text contains 'gen_random_uuid' or 'gen_random_bytes'. This
covers all UUIDPrimaryKeyMixin columns (Purchase, PurchaseItem, Store,
StoreLocation, Coupon, NormalizedProduct, PriceHistory,
ShrinkflationEvent, UserStoreAccount) as well as the
email_inbound_token gen_random_bytes expression in User.

Without this, SQLite raises 'type UUID is not supported' when the ORM
tries to bind Python UUID objects, and NOT NULL constraint failures when
server_default expressions reference non-existent PostgreSQL functions.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.gitea/workflows/ci.yml

@@ -15,7 +15,7 @@ permissions:
   packages: write
 
 env:
-  REGISTRY: ghcr.io
+  REGISTRY: git.farh.net
   IMAGE_NAME: cartsnitch/api
 
 jobs:
@@ -26,7 +26,6 @@ jobs:
       - uses: actions/setup-python@v5
         with:
           python-version: "3.12"
-          cache: pip
       - run: pip install ruff
       - name: Ruff lint
         run: ruff check .
@@ -41,7 +40,6 @@ jobs:
       - uses: actions/setup-python@v5
         with:
           python-version: "3.12"
-          cache: pip
       - name: Install system dependencies
         run: sudo apt-get update && sudo apt-get install -y libpq-dev build-essential
       - run: pip install -e ".[dev]" mypy
@@ -53,9 +51,6 @@ jobs:
     services:
       postgres:
         image: postgres:15-alpine
-        credentials:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
         env:
           POSTGRES_USER: cartsnitch
           POSTGRES_PASSWORD: cartsnitch_test
@@ -69,9 +64,6 @@ jobs:
           --health-retries 5
       redis:
         image: redis:7-alpine
-        credentials:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
         ports:
           - 6379:6379
         options: >-
@@ -83,12 +75,13 @@ jobs:
       CARTSNITCH_DATABASE_URL: postgresql+asyncpg://cartsnitch:cartsnitch_test@localhost:5432/cartsnitch_test
       CARTSNITCH_REDIS_URL: redis://localhost:6379/0
       CARTSNITCH_JWT_SECRET_KEY: test-secret-do-not-use-in-prod
+      CARTSNITCH_SERVICE_KEY: test-service-key-do-not-use-in-prod
+      CARTSNITCH_FERNET_KEY: wXWQsC0FZlhSz2t_tfVQjNUSP8vgAGG3o3pkjrX8Bw0=
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
         with:
           python-version: "3.12"
-          cache: pip
       - name: Install system dependencies
         run: sudo apt-get update && sudo apt-get install -y libpq-dev build-essential
       - run: pip install -e ".[dev]"
@@ -123,19 +116,8 @@ jobs:
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
           echo "CalVer tag: $VERSION"
 
-      - name: Log in to Docker Hub
+      - name: Log in to Gitea Container Registry
-        uses: docker/login-action@v3
+        run: echo "${{ github.token }}" | docker login git.farh.net -u ${{ github.actor }} --password-stdin
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Log in to GHCR
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract metadata
         id: meta
@@ -172,7 +154,7 @@ jobs:
           only-fixed: "true"
           output-format: sarif
 
-      
+
 
       - name: Push Docker image
         if: github.event_name == 'push'
@@ -225,7 +207,7 @@ jobs:
         if: needs.build-and-push.result == 'success'
         run: |
           cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
+          kustomize edit set image ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.api_tag.outputs.tag }}
 
       - name: Commit and push to infra
         run: |
@@ -269,7 +251,7 @@ jobs:
         if: needs.build-and-push.result == 'success'
         run: |
           cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
+          kustomize edit set image ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.api_tag.outputs.tag }}
 
       - name: Commit and push to infra
         run: |

src/cartsnitch_api/config.py

@@ -23,7 +23,12 @@ class Settings(BaseSettings):
 
     auth_service_url: str = "http://auth:3001"
 
-    cors_origins: list[str] = ["http://localhost:3000", "https://cartsnitch.com"]
+    cors_origins: list[str] = [
+        "http://localhost:3000",
+        "https://cartsnitch.com",
+        "https://dev.cartsnitch.com",
+        "https://uat.cartsnitch.com",
+    ]
 
     receiptwitness_url: str = "http://receiptwitness:8001"
     stickershock_url: str = "http://stickershock:8002"

src/cartsnitch_api/main.py

@@ -6,7 +6,6 @@ from fastapi import APIRouter, FastAPI
 
 from cartsnitch_api.auth.routes import router as auth_router
 from cartsnitch_api.cache import cache_client
-from cartsnitch_api.database import dispose_engine
 from cartsnitch_api.middleware.cors import add_cors_middleware
 from cartsnitch_api.middleware.error_handler import add_error_handlers, add_error_monitor_middleware
 from cartsnitch_api.middleware.rate_limit import add_rate_limit_middleware
@@ -26,6 +25,7 @@ from cartsnitch_api.routes.user import router as user_router
 
 @asynccontextmanager
 async def lifespan(app: FastAPI):
+    from cartsnitch_api.database import dispose_engine
     await cache_client.initialize()
     yield
     await cache_client.close()

tests/conftest.py

@@ -51,8 +51,21 @@ def disable_rate_limiting():
 
 @pytest.fixture
 def engine():
-    """Sync in-memory SQLite engine for model unit tests."""
+    """Sync in-memory SQLite engine for model unit tests.
+
+    Strips PostgreSQL-specific server_default expressions so SQLite can
+    handle all column inserts without missing-function errors.
+    """
     eng = create_engine("sqlite:///:memory:")
+
+    for table in Base.metadata.tables.values():
+        for col in table.columns.values():
+            sd = col.server_default
+            if sd is not None:
+                expr_str = str(sd.expression).lower()
+                if "gen_random_uuid" in expr_str or "gen_random_bytes" in expr_str:
+                    col.server_default = None
+
     Base.metadata.create_all(eng)
     yield eng
     eng.dispose()
@@ -76,9 +89,16 @@ async def db_engine():
         cursor.execute("PRAGMA foreign_keys=ON")
         cursor.close()
 
+    for table in Base.metadata.tables.values():
+        for col in table.columns.values():
+            sd = col.server_default
+            if sd is not None:
+                expr_str = str(sd.expression).lower()
+                if "gen_random_uuid" in expr_str or "gen_random_bytes" in expr_str:
+                    col.server_default = None
+
     async with engine.begin() as conn:
         await conn.run_sync(Base.metadata.create_all)
-        # Create Better-Auth tables (not managed by SQLAlchemy models)
         await conn.execute(
             text("""
             CREATE TABLE IF NOT EXISTS sessions (
@@ -177,8 +197,10 @@ async def _create_test_user_and_session(
     async with db_engine.begin() as conn:
         await conn.execute(
             text(
-                "INSERT INTO users (id, email, hashed_password, display_name, email_verified, created_at, updated_at) "
+                "INSERT INTO users (id, email, hashed_password, display_name, "
-                "VALUES (:id, :email, :hashed_password, :display_name, :email_verified, :created_at, :updated_at)"
+                "email_verified, email_inbound_token, created_at, updated_at) "
+                "VALUES (:id, :email, :hashed_password, :display_name, "
+                ":email_verified, :email_inbound_token, :created_at, :updated_at)"
             ),
             {
                 "id": user_id,
@@ -186,6 +208,7 @@ async def _create_test_user_and_session(
                 "hashed_password": "not-used-with-better-auth",
                 "display_name": display_name,
                 "email_verified": False,
+                "email_inbound_token": secrets.token_urlsafe(16),
                 "created_at": now,
                 "updated_at": now,
             },

tests/test_auth/test_auth_endpoints.py

@@ -138,8 +138,9 @@ async def test_expired_session_rejected(client, db_engine):
     async with db_engine.begin() as conn:
         await conn.execute(
             text(
-                "INSERT INTO users (id, email, hashed_password, display_name, email_verified, created_at, updated_at) "
+                "INSERT INTO users (id, email, hashed_password, display_name, "
-                "VALUES (:id, :email, :hp, :dn, :ev, :ca, :ua)"
+                "email_verified, email_inbound_token, created_at, updated_at) "
+                "VALUES (:id, :email, :hp, :dn, :ev, :token, :ca, :ua)"
             ),
             {
                 "id": user_id,
@@ -147,6 +148,7 @@ async def test_expired_session_rejected(client, db_engine):
                 "hp": "unused",
                 "dn": "Expired User",
                 "ev": False,
+                "token": secrets.token_urlsafe(16),
                 "ca": now,
                 "ua": now,
             },

tests/test_config.py

@@ -1,7 +1,5 @@
 """Tests for Settings config, specifically the database_url env var fallback."""
 
-import os
-
 from cartsnitch_api.config import Settings
 
 

tests/test_e2e/test_auth_validation.py

@@ -65,8 +65,9 @@ class TestSessionValidation:
         async with db_engine.begin() as conn:
             await conn.execute(
                 text(
-                    "INSERT INTO users (id, email, hashed_password, display_name, email_verified, created_at, updated_at) "
+                    "INSERT INTO users (id, email, hashed_password, display_name, "
-                    "VALUES (:id, :email, :hp, :dn, :ev, :ca, :ua)"
+                    "email_verified, email_inbound_token, created_at, updated_at) "
+                    "VALUES (:id, :email, :hp, :dn, :ev, :token, :ca, :ua)"
                 ),
                 {
                     "id": user_id,
@@ -74,6 +75,7 @@ class TestSessionValidation:
                     "hp": "unused",
                     "dn": "Expired User",
                     "ev": False,
+                    "token": secrets.token_urlsafe(16),
                     "ca": now,
                     "ua": now,
                 },

tests/test_encrypted_json.py

@@ -17,6 +17,15 @@ from cartsnitch_api.models.user import User, UserStoreAccount
 @pytest.fixture
 def engine():
     eng = create_engine("sqlite:///:memory:")
+
+    for table in Base.metadata.tables.values():
+        for col in table.columns.values():
+            sd = col.server_default
+            if sd is not None:
+                expr_str = str(sd.expression).lower()
+                if "gen_random_uuid" in expr_str or "gen_random_bytes" in expr_str:
+                    col.server_default = None
+
     Base.metadata.create_all(eng)
     yield eng
     eng.dispose()

tests/test_middleware/test_rate_limit.py

@@ -1,7 +1,7 @@
 """Tests for rate limiting middleware."""
 
 import time
-from unittest.mock import AsyncMock, MagicMock, patch
+from unittest.mock import AsyncMock, MagicMock
 
 import pytest