Commit Graph

21 Commits

Author SHA1 Message Date
Savannah Savings 993302c72c fix(auth): pin base image to node 22.22.2 digest (CAR-1279 Phase 2) (#287) 2026-06-06 06:22:35 +00:00
Savannah Savings 7803d229eb fix(auth): pin base image to node 22.22.2 digest (CAR-1279 Phase 2)
Pin both build and runtime stages of auth/Dockerfile to
node:22-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f
— the Docker Hub manifest digest for node:22.22.2-alpine (verified against
the registry by CTO).

This is the digest pulled in by the previously-healthy ghcr auth image, which
connects fine to the dev Postgres with the same pg 8.20.0 driver and
byte-identical source. The Gitea-built image, which bundles node 22.22.3
(via the floating 'node:22-alpine' tag), deterministically resets the
Postgres connection during the /health DB probe (read ECONNRESET →
Connection terminated unexpectedly).

Pinning both stages to the manifest digest restores the exact node runtime
that the healthy ghcr image used and fixes the dev auth crashloop. The
'RUN apk update && apk upgrade --no-cache' lines are kept as-is per task
spec.

Refs CAR-1279, CAR-1276 (CAR-1287)
2026-06-06 02:26:54 +00:00
Barcode Betty b2c4692400 fix(auth): log /health 503 error and surface message in body (CAR-1276)
The /health handler's catch block was empty, so when the DB probe
failed we had no log line to diagnose from. UAT auth was crashlooping
on /health 503s for that exact reason — pod logs only showed
'CartSnitch auth service listening on port 3001' and nothing else.

Add console.error with the error name/message and include the message
in the 503 response body so the next time this fails we can read the
actual error from `kubectl logs` without re-deploying.

This is the dev-side observability half of CAR-1276. The underlying
DB failure still needs investigation (likely better-auth schema
missing from the cartsnitch DB; see CAR-1276 for the analysis).

Tests updated to assert the new error field is present and a string.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-05 07:05:46 +00:00
savannah-savings-cto[bot] b39280ee2a fix(auth): exclude test files from tsc build (#251)
fix(auth): exclude test files from tsc build
2026-05-05 11:19:19 +00:00
Chris Farhood 752d7ed3d0 fix(auth): exclude test files from tsc compilation
Exclude src/__tests__ from tsconfig to prevent test files from being
compiled during Docker build. Fixes build-and-push-auth CI failure.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 11:11:53 +00:00
Chris Farhood 04965eb89d fix(auth): restore unconditional Better-Auth fallback, add unknown-path test
Remove startsWith('/auth') guard that caused non-auth paths to hang with
no response. Better-Auth already handles /health and /auth/health are
explicitly short-circuited before the handler. Add test asserting unknown
paths receive a terminal response within 1s.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-04 20:58:50 +00:00
Chris Farhood ea2fddc5cb fix(auth): support /auth/health path and align db response with tests
- Add /auth/health as additional health check route (Envoy forwards full path)
- Change db status 'connected' to 'reachable' to match health.test.ts
- Only pass /auth/* routes to Better-Auth handler to prevent 404 on unknown routes

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-04 16:22:41 +00:00
Chris Farhood 3ac61908f5 test(auth): add health endpoint unit tests
- Add node:test suite for auth health endpoint covering:
  - 200 with db=reachable when pool.connect succeeds
  - 503 with db=unreachable when pool.connect throws
  - 503 with db=unreachable when query times out
- Add test script to auth/package.json
- Merge dev to resolve 3-commit divergence

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-04 15:40:04 +00:00
Barcode Betty 8d7e0b44ee fix: restore Resend email verification and update health check timeout
- Restore import { Resend } from 'resend'
- Restore resend and fromEmail constants
- Restore emailVerification block with sendOnSignUp, autoSignInAfterVerification, and sendVerificationEmail
- Change health endpoint timeout from 2s to 3s

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-21 19:55:47 +00:00
Paperclip 9c7cd7454c fix(auth): add DB connectivity check to health endpoint
- Export pool from auth.ts for use in health check
- Replace static ok response with SELECT 1 query
- Return 503 with db=unreachable on failure or timeout

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-21 19:49:08 +00:00
Barcode Betty 9ba745b5a9 fix: increase bcrypt cost factor from 10 to 12
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 21:50:09 +00:00
Barcode Betty 4945ac71ae feat(auth): enable email verification with Resend
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 03:30:44 +00:00
Paperclip a0eef27944 fix: upgrade bcrypt and filter unfixed CVEs in Grype scans 2026-04-15 00:51:53 +00:00
Paperclip e1d77d7789 fix: remediate high-severity CVEs in Docker images
- Add apk upgrade to frontend Dockerfile (build + prod stages)
- Add apk upgrade to auth Dockerfile (build + runtime stages)
- Add apt-get upgrade to api Dockerfile (build + prod stages)
- Add apt-get upgrade to receiptwitness Dockerfile (build + prod stages)
- Run npm audit fix for frontend and auth dependencies

Refs: CAR-616
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-14 23:51:42 +00:00
Paperclip a64dc7ab5e fix: restore DB connectivity check to auth health endpoint
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-14 16:35:24 +00:00
Paperclip 3351d74058 fix: add startup validation to auth service config
- Add DATABASE_URL validation after BETTER_AUTH_SECRET check
- Warn clearly when DATABASE_URL is not set (uses localhost default)
- Move pool declaration after validation blocks

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-14 16:03:37 +00:00
Pawla Abdul bb7010f881 fix(auth): add UAT hostname to trustedOrigins
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-04 04:18:03 +00:00
cartsnitch-engineer[bot] 528887a4a2 fix(auth): add session table model mapping for plural table name
Better-Auth defaults to singular "session" table name, but our DB uses
the plural "sessions" table (created by migration 002). Add modelName and
snake_case field mappings to match the existing pattern for user,
account, and verification models.

Co-authored-by: Stockboy Steve <steve@cartsnitch.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: cartsnitch-ceo[bot] <269712056+cartsnitch-ceo[bot]@users.noreply.github.com>
2026-03-31 03:42:26 +00:00
Stockboy Steve 5596e22d0c fix: generate auth/package-lock.json for Docker build
The auth Dockerfile runs npm ci --omit=dev in the production stage
but there was no lock file, causing Docker build to fail.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-29 19:59:51 +00:00
Coupon Carl 57ce4315a1 fix: fail fast if BETTER_AUTH_SECRET is not set
Remove hardcoded fallback secret that allowed sessions to be
signed with a well-known value if the env var was unset.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-28 10:03:39 +00:00
Coupon Carl 782448a54a feat: migrate authentication to Better-Auth (Phase 1)
Replace hand-rolled JWT auth with Better-Auth session-based authentication.

- Scaffold auth/ Node.js service with Better-Auth, bcrypt password compat,
  Postgres adapter mapped to existing users table
- Add Alembic migration (002) creating sessions, accounts, verifications
  tables and migrating password hashes to accounts table
- Update FastAPI auth dependency to validate sessions via shared DB
  (supports both cookie and Bearer token)
- Remove registration/login/refresh endpoints from API gateway (now
  handled by Better-Auth service)
- Update frontend to use better-auth/react client with httpOnly cookies
  (no tokens in localStorage or memory)
- Rewrite auth store, Login, Register, Dashboard, Settings, ProtectedRoute
  to use session-based auth
- Update all tests to create sessions directly in DB instead of JWT tokens

Resolves CAR-27
See plan: CAR-26#document-plan

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-28 04:46:10 +00:00