Compare commits

..

1 Commits

Author SHA1 Message Date
Pawla Abdul 43ee1c3531 fix(api): widen alembic version_table column to 128 chars
Default varchar(32) alembic_version column truncates long revision IDs
like 003_make_users_hashed_password_nullable (39 chars) on fresh databases.
Set version_table_column_width=128 in both context.configure() calls.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-04 18:32:36 +00:00
4 changed files with 9 additions and 19 deletions
+2 -1
View File
@@ -31,6 +31,7 @@ def run_migrations_offline() -> None:
target_metadata=target_metadata, target_metadata=target_metadata,
literal_binds=True, literal_binds=True,
dialect_opts={"paramstyle": "named"}, dialect_opts={"paramstyle": "named"},
version_table_column_width=128,
) )
with context.begin_transaction(): with context.begin_transaction():
context.run_migrations() context.run_migrations()
@@ -44,7 +45,7 @@ def run_migrations_online() -> None:
poolclass=pool.NullPool, poolclass=pool.NullPool,
) )
with connectable.connect() as connection: with connectable.connect() as connection:
context.configure(connection=connection, target_metadata=target_metadata) context.configure(connection=connection, target_metadata=target_metadata, version_table_column_width=128)
with context.begin_transaction(): with context.begin_transaction():
context.run_migrations() context.run_migrations()
# Create any tables defined in models but not yet created by migrations. # Create any tables defined in models but not yet created by migrations.
+4 -10
View File
@@ -4,7 +4,6 @@ Validates Better-Auth session tokens from cookies or Bearer header.
Sessions are verified by querying the shared sessions table directly. Sessions are verified by querying the shared sessions table directly.
""" """
import hashlib
from datetime import UTC, datetime from datetime import UTC, datetime
from fastapi import Cookie, Depends, Header, HTTPException, Request, status from fastapi import Cookie, Depends, Header, HTTPException, Request, status
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
@@ -20,21 +19,16 @@ bearer_scheme = HTTPBearer(auto_error=False)
# Better-Auth session cookie name # Better-Auth session cookie name
SESSION_COOKIE_NAME = "better-auth.session_token" SESSION_COOKIE_NAME = "better-auth.session_token"
# Secure prefix used by better-auth on HTTPS deployments
SECURE_SESSION_COOKIE_NAME = "__Secure-better-auth.session_token"
async def _validate_session_token(token: str, db: AsyncSession) -> str: async def _validate_session_token(token: str, db: AsyncSession) -> str:
"""Validate a Better-Auth session token against the sessions table. """Validate a Better-Auth session token against the sessions table.
Better-Auth v1.2+ stores SHA-256(raw_token) in the DB. Returns the user_id (as str) if the session is valid and not expired.
The cookie/Bearer header carries the raw token, so we hash before lookup.
""" """
token_hash = hashlib.sha256(token.encode()).hexdigest()
result = await db.execute( result = await db.execute(
text("SELECT user_id, expires_at FROM sessions WHERE token = :token"), text("SELECT user_id, expires_at FROM sessions WHERE token = :token"),
{"token": token_hash}, {"token": token},
) )
row = result.first() row = result.first()
@@ -71,8 +65,8 @@ async def get_current_user(
""" """
token: str | None = None token: str | None = None
# 1. Check session cookie — prefer __Secure- variant (HTTPS) over plain (HTTP dev) # 1. Check session cookie
cookie_token = request.cookies.get(SECURE_SESSION_COOKIE_NAME) or request.cookies.get(SESSION_COOKIE_NAME) cookie_token = request.cookies.get(SESSION_COOKIE_NAME)
if cookie_token: if cookie_token:
token = cookie_token token = cookie_token
+2 -5
View File
@@ -4,7 +4,6 @@ Session-based auth: tests create users and sessions directly in the DB,
matching the Better-Auth session validation flow. matching the Better-Auth session validation flow.
""" """
import hashlib
import secrets import secrets
import uuid import uuid
from datetime import UTC, datetime, timedelta from datetime import UTC, datetime, timedelta
@@ -137,14 +136,12 @@ async def client(db_engine):
async def _create_test_user_and_session(client: AsyncClient, db_engine, **user_overrides) -> tuple[dict, str]: async def _create_test_user_and_session(client: AsyncClient, db_engine, **user_overrides) -> tuple[dict, str]:
"""Create a test user and a valid session directly in the DB. """Create a test user and a valid session directly in the DB.
Returns (user_dict, session_token). Better-Auth v1.2+ stores SHA-256 Returns (user_dict, session_token).
hashed tokens in the DB, so the token is hashed before insertion.
""" """
user_id = str(uuid.uuid4()) user_id = str(uuid.uuid4())
email = user_overrides.get("email", "test@example.com") email = user_overrides.get("email", "test@example.com")
display_name = user_overrides.get("display_name", "Test User") display_name = user_overrides.get("display_name", "Test User")
session_token = secrets.token_urlsafe(32) session_token = secrets.token_urlsafe(32)
token_hash = hashlib.sha256(session_token.encode()).hexdigest()
session_id = str(uuid.uuid4()) session_id = str(uuid.uuid4())
now = datetime.now(UTC).isoformat() now = datetime.now(UTC).isoformat()
expires = (datetime.now(UTC) + timedelta(days=7)).isoformat() expires = (datetime.now(UTC) + timedelta(days=7)).isoformat()
@@ -172,7 +169,7 @@ async def _create_test_user_and_session(client: AsyncClient, db_engine, **user_o
), ),
{ {
"id": session_id, "id": session_id,
"token": token_hash, "token": session_token,
"user_id": user_id, "user_id": user_id,
"expires_at": expires, "expires_at": expires,
"created_at": now, "created_at": now,
+1 -3
View File
@@ -74,7 +74,6 @@ async def test_delete_me(client, auth_headers):
@pytest.mark.asyncio @pytest.mark.asyncio
async def test_expired_session_rejected(client, db_engine): async def test_expired_session_rejected(client, db_engine):
"""Expired sessions must be rejected.""" """Expired sessions must be rejected."""
import hashlib
import secrets import secrets
import uuid import uuid
from datetime import UTC, datetime, timedelta from datetime import UTC, datetime, timedelta
@@ -83,7 +82,6 @@ async def test_expired_session_rejected(client, db_engine):
user_id = str(uuid.uuid4()) user_id = str(uuid.uuid4())
session_token = secrets.token_urlsafe(32) session_token = secrets.token_urlsafe(32)
token_hash = hashlib.sha256(session_token.encode()).hexdigest()
now = datetime.now(UTC).isoformat() now = datetime.now(UTC).isoformat()
expired = (datetime.now(UTC) - timedelta(hours=1)).isoformat() expired = (datetime.now(UTC) - timedelta(hours=1)).isoformat()
@@ -110,7 +108,7 @@ async def test_expired_session_rejected(client, db_engine):
), ),
{ {
"id": str(uuid.uuid4()), "id": str(uuid.uuid4()),
"token": token_hash, "token": session_token,
"uid": user_id, "uid": user_id,
"ea": expired, "ea": expired,
"ca": now, "ca": now,