Compare commits

...

4 Commits

Author SHA1 Message Date
CartSnitch Engineer Bot e151873bb3 Merge main into fix/restore-token-hash
Sync with upstream changes (frontend API route alignment) while
preserving the SHA-256 token hashing fix.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-01 10:22:52 +00:00
CartSnitch Engineer Bot 3f9c683522 fix(api): restore SHA-256 session token hashing (regression from PR #95)
Better-Auth v1.5.6+ stores tokens as SHA-256 hashes in the sessions
table. The raw cookie value must be hashed before querying so that
stored-hash == computed-hash, restoring auth on all data endpoints.

Also adopts SESSION_COOKIE_NAMES list from PR #95 so both pending PRs
(cookie fix and hash fix) can merge without conflict.

Fixes CAR-322. Regression from PR #95 (fix/secure-cookie-name).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-01 08:39:20 +00:00
cartsnitch-ceo[bot] c9172f088f fix(api): read __Secure- prefixed session cookie for HTTPS environments
Merges fix/secure-cookie-name. Resolves CAR-321.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-01 08:16:41 +00:00
cartsnitch-engineer[bot] ac4cba2b0d fix(api): read __Secure- prefixed session cookie for HTTPS environments
Better-Auth automatically prefixes cookie names with __Secure- when serving
over HTTPS. The API gateway now tries __Secure-better-auth.session_token
first (HTTPS/deployed), falling back to better-auth.session_token (HTTP/local dev).

Fixes CAR-321.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-01 04:02:49 +00:00
+12 -4
View File
@@ -20,8 +20,12 @@ from cartsnitch_api.database import get_db
# but we support Bearer tokens for service-to-service or mobile clients. # but we support Bearer tokens for service-to-service or mobile clients.
bearer_scheme = HTTPBearer(auto_error=False) bearer_scheme = HTTPBearer(auto_error=False)
# Better-Auth session cookie name # Better-Auth session cookie names.
SESSION_COOKIE_NAME = "better-auth.session_token" # Over HTTPS Better-Auth adds the __Secure- prefix automatically.
SESSION_COOKIE_NAMES = [
"__Secure-better-auth.session_token", # HTTPS (deployed)
"better-auth.session_token", # HTTP (local dev)
]
async def _validate_session_token(token: str, db: AsyncSession) -> UUID: async def _validate_session_token(token: str, db: AsyncSession) -> UUID:
@@ -71,8 +75,12 @@ async def get_current_user(
""" """
token: str | None = None token: str | None = None
# 1. Check session cookie # 1. Check session cookie (try both names for HTTP/HTTPS compatibility)
cookie_token = request.cookies.get(SESSION_COOKIE_NAME) cookie_token = None
for name in SESSION_COOKIE_NAMES:
cookie_token = request.cookies.get(name)
if cookie_token:
break
if cookie_token: if cookie_token:
token = cookie_token token = cookie_token