- Registration test: assert 'Check your email' heading (dev shows email
verification screen after signUp, no session established)
- Sign-in test: use mock routes directly without registration step;
dev Login.tsx calls getSession() which the mock provides
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Make mockAuthRoutes async and await all page.route() calls to prevent race conditions
- Add auth route mocking to J8 unauth tests (required since VITE_MOCK_AUTH was removed)
- Add auth route mocking to smoke test
- Replace broken mockSessionPending with mockSessionDelayed for spinner test
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The J8 test calls /api/auth/session which maps to /auth/session in Better Auth. Adding mock to ensure consistent behavior.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Changed sign-up route from /auth/register to /auth/sign-up/email
- Changed session route from /auth/session to /auth/get-session
Better Auth hits /auth/sign-up/email for registration and /auth/get-session for session checks.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add emailVerification.sendVerificationEmail config to auth/src/auth.ts
using Resend to send verification emails on sign-up
- Add resend npm package to auth/package.json
- Update auth/.env.example with RESEND_API_KEY and FROM_EMAIL
- Create VerifyEmail.tsx page with token verification flow,
spinner UX, success/Error states, and resend option
- Update Register.tsx to redirect to /verify-email after signup
instead of auto-navigating to dashboard
- Add /verify-email route to App.tsx
- Frontend shows 'check your email' step after registration
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add rate_limit_auth_requests (5/min) and rate_limit_auth_window_seconds (60) settings
- Add rate_limit_redis_enabled flag for opt-in Redis usage
- Refactor _SlidingWindowCounter into InMemorySlidingWindow class
- Add RedisSlidingWindow using sorted sets with fallback to in-memory
- Add third _auth_strict_limiter for POST /auth/* paths (5 req/min)
- Add protocol-based backend selection at module load time
- Update tests for auth strict limiter and Redis fallback behavior
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add DATABASE_URL validation after BETTER_AUTH_SECRET check
- Warn clearly when DATABASE_URL is not set (uses localhost default)
- Move pool declaration after validation blocks
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add async Redis client using redis-py with connection pooling
- Implement get/set/delete with graceful degradation when unavailable
- Add TTL support (default 300s) via SETEX
- Add cache invalidation hooks for price and product changes
- Use pattern-based SCAN for bulk invalidation
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add rate_limit_auth_requests (5/min) and rate_limit_auth_window_seconds (60)
settings to config.py
- Refactor rate_limit.py to use protocol/ABC pattern with InMemorySlidingWindow
and RedisSlidingWindow implementations
- Add RedisSlidingWindow using sorted sets for distributed rate limiting
- Add auth_strict_limiter for /auth/* POST endpoints (5 req/min per IP)
- Fall back to in-memory when Redis is unavailable
- Update tests to cover new functionality
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Vite 6.4.1 has two high-severity vulnerabilities:
- GHSA-4w7w-66w2-5vf9: Path Traversal in Optimized Deps .map Handling
- GHSA-p9ff-h696-f583: Arbitrary File Read via Vite Dev Server WebSocket
Updated to vite 6.4.2.
Fixes CAR-599.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add Pydantic model_validator to ReceiptWitnessSettings that fails fast
if session_encryption_key is missing or a placeholder value. Conditional
validation for resend_api_key when notifications_enabled=true.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add connection pool config to SQLAlchemy async engine (pool_size=10, max_overflow=20, pool_pre_ping, pool_recycle)
- Implement Redis connection pool in CacheClient with initialize/close lifecycle
- Wire lifespan startup/shutdown to initialize and dispose pools
- Add dispose_engine() for graceful DB pool cleanup on shutdown
Closes CAR-550
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add PostgreSQL JSONB containment (@>) query for match_by_upc
- Add SQLite LIKE fallback for test compatibility
- Update upc_variants column to JSONB with variant for cross-db support
- Add GIN index migration for upc_variants
Co-Authored-By: Paperclip <noreply@paperclip.ing>
CTO review: LGTM. CORS methods restricted to explicit list (no TRACE/CONNECT), headers whitelisted, nginx security headers added (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP). Clean diff, CI green.
Barcode Betty