From ac4cba2b0ddb296beedba1c7154b596720fdb860 Mon Sep 17 00:00:00 2001
From: "cartsnitch-engineer[bot]"
 <269717931+cartsnitch-engineer[bot]@users.noreply.github.com>
Date: Wed, 1 Apr 2026 04:02:49 +0000
Subject: [PATCH] fix(api): read __Secure- prefixed session cookie for HTTPS
 environments

Better-Auth automatically prefixes cookie names with __Secure- when serving
over HTTPS. The API gateway now tries __Secure-better-auth.session_token
first (HTTPS/deployed), falling back to better-auth.session_token (HTTP/local dev).

Fixes CAR-321.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 api/src/cartsnitch_api/auth/dependencies.py | 22 ++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/api/src/cartsnitch_api/auth/dependencies.py b/api/src/cartsnitch_api/auth/dependencies.py
index 54bac74..1c68381 100644
--- a/api/src/cartsnitch_api/auth/dependencies.py
+++ b/api/src/cartsnitch_api/auth/dependencies.py
@@ -5,7 +5,6 @@ Sessions are verified by querying the shared sessions table directly.
 """
 
 from datetime import UTC, datetime
-from hashlib import sha256
 from uuid import UUID
 
 from fastapi import Cookie, Depends, Header, HTTPException, Request, status
@@ -20,21 +19,22 @@ from cartsnitch_api.database import get_db
 # but we support Bearer tokens for service-to-service or mobile clients.
 bearer_scheme = HTTPBearer(auto_error=False)
 
-# Better-Auth session cookie name
-SESSION_COOKIE_NAME = "better-auth.session_token"
+# Better-Auth session cookie names.
+# Over HTTPS Better-Auth adds the __Secure- prefix automatically.
+SESSION_COOKIE_NAMES = [
+    "__Secure-better-auth.session_token",  # HTTPS (deployed)
+    "better-auth.session_token",            # HTTP (local dev)
+]
 
 
 async def _validate_session_token(token: str, db: AsyncSession) -> UUID:
     """Validate a Better-Auth session token against the sessions table.
 
     Returns the user_id (as UUID) if the session is valid and not expired.
-    Better-Auth v1.5.6+ stores tokens as SHA-256 hashes, so we hash the
-    incoming raw token before querying.
     """
-    hashed_token = sha256(token.encode("utf-8")).hexdigest()
     result = await db.execute(
         text("SELECT user_id, expires_at FROM sessions WHERE token = :token"),
-        {"token": hashed_token},
+        {"token": token},
     )
     row = result.first()
 
@@ -71,8 +71,12 @@ async def get_current_user(
     """
     token: str | None = None
 
-    # 1. Check session cookie
-    cookie_token = request.cookies.get(SESSION_COOKIE_NAME)
+    # 1. Check session cookie (try both names for HTTP/HTTPS compatibility)
+    cookie_token = None
+    for name in SESSION_COOKIE_NAMES:
+        cookie_token = request.cookies.get(name)
+        if cookie_token:
+            break
     if cookie_token:
         token = cookie_token