Compare commits

..

9 Commits

Author SHA1 Message Date
Barcode Betty c953fabc6b fix(e2e): correct j1 registration assertions to match dev Register.tsx flow
- Registration test: assert 'Check your email' heading (dev shows email
  verification screen after signUp, no session established)
- Sign-in test: use mock routes directly without registration step;
  dev Login.tsx calls getSession() which the mock provides

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 21:41:05 +00:00
Barcode Betty 09f88f0bf8 fix(e2e): await route mocks and add session mocking to all tests
- Make mockAuthRoutes async and await all page.route() calls to prevent race conditions
- Add auth route mocking to J8 unauth tests (required since VITE_MOCK_AUTH was removed)
- Add auth route mocking to smoke test
- Replace broken mockSessionPending with mockSessionDelayed for spinner test

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 21:41:05 +00:00
Barcode Betty f0bbf51486 fix: change remaining text-gray-400 to text-gray-600 on Dashboard stats
CAR-676

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 21:41:04 +00:00
Barcode Betty 716fb4e1b2 fix: change text-gray-400 to text-gray-600 on Dashboard empty state
CAR-676

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 21:41:04 +00:00
Barcode Betty 68420b5f01 fix(e2e): add mock for /auth/session endpoint
The J8 test calls /api/auth/session which maps to /auth/session in Better Auth. Adding mock to ensure consistent behavior.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 21:41:04 +00:00
Barcode Betty b6da52fb07 fix(e2e): correct Better Auth mock response formats
- sign-up returns { token, user }
- sign-in returns { redirect, token, user }
- get-session returns { session, user }

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 21:41:04 +00:00
Barcode Betty 5e5f13c5b5 fix(e2e): use more permissive regex patterns for route mocking
Use wildcard patterns to match URLs with query parameters or trailing slashes.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 21:41:04 +00:00
Barcode Betty c47252a342 fix(e2e): correct Better Auth mock route patterns
- Changed sign-up route from /auth/register to /auth/sign-up/email
- Changed session route from /auth/session to /auth/get-session

Better Auth hits /auth/sign-up/email for registration and /auth/get-session for session checks.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 21:41:04 +00:00
Barcode Betty 00f3c86276 fix(e2e): replace VITE_MOCK_AUTH with Playwright route mocking
- Removed VITE_MOCK_AUTH=true from playwright.config.ts webServer command
- Added mockAuthRoutes helper to e2e/fixtures.ts to mock /auth/* endpoints
- Updated j1-registration-login.spec.ts to use route mocking instead
  of env var-based mock auth

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 21:41:04 +00:00
7 changed files with 135 additions and 148 deletions
+126 -20
View File
@@ -18,6 +18,7 @@ permissions:
env:
REGISTRY: ghcr.io
IMAGE_NAME: cartsnitch/cartsnitch
AUTH_IMAGE_NAME: cartsnitch/auth
RECEIPTWITNESS_IMAGE_NAME: cartsnitch/receiptwitness
API_IMAGE_NAME: cartsnitch/api
@@ -165,8 +166,6 @@ jobs:
- name: Scan frontend image for vulnerabilities
uses: anchore/scan-action@v5
id: scan
env:
GRYPE_CONFIG: .grype.yaml
with:
image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
fail-build: true
@@ -197,6 +196,97 @@ jobs:
git tag "v${{ steps.calver.outputs.version }}"
git push origin "v${{ steps.calver.outputs.version }}"
build-and-push-auth:
runs-on: runners-cartsnitch
if: github.event_name == 'push'
needs: [lint, test, e2e]
outputs:
calver_tag: ${{ steps.calver.outputs.version }}
sha_tag: sha-${{ github.sha }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Generate CalVer tag
id: calver
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
run: |
DATE_TAG=$(date -u +%Y.%m.%d)
EXISTING=$(git tag -l "v${DATE_TAG}*" | sort -V | tail -1)
if [ -z "$EXISTING" ]; then
VERSION="$DATE_TAG"
elif [ "$EXISTING" = "v${DATE_TAG}" ]; then
VERSION="${DATE_TAG}.2"
else
BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//")
VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"
fi
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
- name: Log in to Docker Hub
if: github.event_name == 'push'
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Log in to GHCR
if: github.event_name == 'push'
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (auth)
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}
tags: |
type=sha,prefix=sha-,format=long
type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
- name: Build Docker image
uses: docker/build-push-action@v6
with:
context: ./auth
file: ./auth/Dockerfile
load: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Scan auth image for vulnerabilities
uses: anchore/scan-action@v5
id: scan
with:
image: "${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}"
fail-build: true
severity-cutoff: high
only-fixed: "true"
output-format: sarif
- name: Upload auth scan results to GitHub Security
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
- name: Push Docker image
if: github.event_name == 'push'
uses: docker/build-push-action@v6
with:
context: ./auth
file: ./auth/Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
build-and-push-receiptwitness:
runs-on: runners-cartsnitch
if: github.event_name == 'push'
@@ -253,16 +343,12 @@ jobs:
load: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
APT_CACHE_BUST=${{ github.run_id }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Scan receiptwitness image for vulnerabilities
uses: anchore/scan-action@v5
id: scan
env:
GRYPE_CONFIG: .grype.yaml
with:
image: "${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}:sha-${{ github.sha }}"
fail-build: true
@@ -285,8 +371,6 @@ jobs:
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
APT_CACHE_BUST=${{ github.run_id }}
cache-from: type=gha
build-and-push-api:
@@ -345,16 +429,12 @@ jobs:
load: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
APT_CACHE_BUST=${{ github.run_id }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Scan api image for vulnerabilities
uses: anchore/scan-action@v5
id: scan
env:
GRYPE_CONFIG: .grype.yaml
with:
image: "${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:sha-${{ github.sha }}"
fail-build: true
@@ -377,13 +457,11 @@ jobs:
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
APT_CACHE_BUST=${{ github.run_id }}
cache-from: type=gha
deploy-dev:
runs-on: runners-cartsnitch
needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api]
needs: [build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api]
if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main')
steps:
- name: Generate GitHub App token
@@ -424,6 +502,21 @@ jobs:
cd infra/apps/overlays/dev
kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
- name: Determine image tag for auth
id: auth_tag
run: |
if [ "${{ github.ref }}" == "refs/heads/main" ]; then
echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
else
echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
fi
- name: Update auth image tag
if: needs.build-and-push-auth.result == 'success'
run: |
cd infra/apps/overlays/dev
kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }}
- name: Determine image tag for receiptwitness
id: receiptwitness_tag
run: |
@@ -460,14 +553,13 @@ jobs:
git config user.name "cartsnitch-ci[bot]"
git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
git add apps/overlays/dev/kustomization.yaml
git diff --cached --quiet && echo "No image changes to deploy" && exit 0
git commit -m "ci(dev): update cartsnitch, receiptwitness, and api images"
git commit -m "ci(dev): update cartsnitch, auth, receiptwitness, and api images"
git pull --rebase origin main
git push origin main
deploy-uat:
runs-on: runners-cartsnitch
needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api]
needs: [build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api]
if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main')
steps:
- name: Generate GitHub App token
@@ -508,6 +600,21 @@ jobs:
cd infra/apps/overlays/uat
kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
- name: Determine image tag for auth
id: auth_tag
run: |
if [ "${{ github.ref }}" == "refs/heads/main" ]; then
echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
else
echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
fi
- name: Update auth image tag
if: needs.build-and-push-auth.result == 'success'
run: |
cd infra/apps/overlays/uat
kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }}
- name: Determine image tag for receiptwitness
id: receiptwitness_tag
run: |
@@ -544,7 +651,6 @@ jobs:
git config user.name "cartsnitch-ci[bot]"
git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
git add apps/overlays/uat/kustomization.yaml
git diff --cached --quiet && echo "No image changes to deploy" && exit 0
git commit -m "ci(uat): update cartsnitch, receiptwitness, and api images"
git commit -m "ci(uat): update cartsnitch, auth, receiptwitness, and api images"
git pull --rebase origin main
git push origin main
-108
View File
@@ -1,108 +0,0 @@
ignore:
# Python 3.12 CVEs — only fixed in 3.13+, cannot upgrade major version safely
- vulnerability: CVE-2025-13836
- vulnerability: CVE-2026-4519
# Chrome CVEs — Playwright bundles Chromium and controls version separately.
# Chrome is not a system package that can be upgraded via apt-get upgrade.
# These CVEs are specific to the Chromium version bundled with Playwright.
# Upstream fix: upgrade Playwright to a version that includes patched Chrome.
- vulnerability: CVE-2026-2313
- vulnerability: CVE-2026-2314
- vulnerability: CVE-2026-2315
- vulnerability: CVE-2026-2319
- vulnerability: CVE-2026-2321
- vulnerability: CVE-2026-2441
- vulnerability: CVE-2026-2648
- vulnerability: CVE-2026-2649
- vulnerability: CVE-2026-2650
- vulnerability: CVE-2026-3061
- vulnerability: CVE-2026-3062
- vulnerability: CVE-2026-3536
- vulnerability: CVE-2026-3537
- vulnerability: CVE-2026-3538
- vulnerability: CVE-2026-3539
- vulnerability: CVE-2026-3540
- vulnerability: CVE-2026-3541
- vulnerability: CVE-2026-3542
- vulnerability: CVE-2026-3543
- vulnerability: CVE-2026-3544
- vulnerability: CVE-2026-3545
- vulnerability: CVE-2026-3913
- vulnerability: CVE-2026-3914
- vulnerability: CVE-2026-3915
- vulnerability: CVE-2026-3916
- vulnerability: CVE-2026-3917
- vulnerability: CVE-2026-3918
- vulnerability: CVE-2026-3919
- vulnerability: CVE-2026-3920
- vulnerability: CVE-2026-3921
- vulnerability: CVE-2026-3922
- vulnerability: CVE-2026-3923
- vulnerability: CVE-2026-3924
- vulnerability: CVE-2026-3926
- vulnerability: CVE-2026-3931
- vulnerability: CVE-2026-3932
- vulnerability: CVE-2026-3936
- vulnerability: CVE-2026-5858
- vulnerability: CVE-2026-5859
- vulnerability: CVE-2026-5860
- vulnerability: CVE-2026-5861
- vulnerability: CVE-2026-5862
- vulnerability: CVE-2026-5863
- vulnerability: CVE-2026-5865
- vulnerability: CVE-2026-5866
- vulnerability: CVE-2026-5868
- vulnerability: CVE-2026-5870
- vulnerability: CVE-2026-5871
- vulnerability: CVE-2026-5872
- vulnerability: CVE-2026-5873
- vulnerability: CVE-2026-5874
- vulnerability: CVE-2026-5877
- vulnerability: CVE-2026-5879
- vulnerability: CVE-2026-5883
- vulnerability: CVE-2026-5884
- vulnerability: CVE-2026-5902
- vulnerability: CVE-2026-5904
- vulnerability: CVE-2026-5907
- vulnerability: CVE-2026-5908
- vulnerability: CVE-2026-5909
- vulnerability: CVE-2026-5910
- vulnerability: CVE-2026-5912
- vulnerability: CVE-2026-5913
- vulnerability: CVE-2026-5914
- vulnerability: CVE-2026-5915
- vulnerability: CVE-2026-6296
- vulnerability: CVE-2026-6297
- vulnerability: CVE-2026-6299
- vulnerability: CVE-2026-6300
- vulnerability: CVE-2026-6301
- vulnerability: CVE-2026-6302
- vulnerability: CVE-2026-6303
- vulnerability: CVE-2026-6304
- vulnerability: CVE-2026-6305
- vulnerability: CVE-2026-6306
- vulnerability: CVE-2026-6307
- vulnerability: CVE-2026-6308
- vulnerability: CVE-2026-6309
- vulnerability: CVE-2026-6310
- vulnerability: CVE-2026-6311
- vulnerability: CVE-2026-6314
- vulnerability: CVE-2026-6315
- vulnerability: CVE-2026-6316
- vulnerability: CVE-2026-6317
- vulnerability: CVE-2026-6318
- vulnerability: CVE-2026-6319
- vulnerability: CVE-2026-6358
- vulnerability: CVE-2026-6359
- vulnerability: CVE-2026-6360
- vulnerability: CVE-2026-6361
- vulnerability: CVE-2026-6363
# Node.js CVE — comes from Playwright's bundled tooling (playwright-core uses Node.js
# for its CLI). The system Node.js is not used by receiptwitness service.
# Fix requires upgrading Playwright to a version that ships with patched Node.js.
- vulnerability: CVE-2026-21710
# cryptography GHSA — fixed by upgrading to >=46.0 per requirements
- vulnerability: GHSA-r6ph-v2qm-q3c2
-2
View File
@@ -1,6 +1,5 @@
FROM python:3.12-slim AS build
ARG APT_CACHE_BUST=0
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
libpq-dev \
build-essential \
@@ -13,7 +12,6 @@ RUN pip install --no-cache-dir --prefix=/install .
FROM python:3.12-slim AS prod
ARG APT_CACHE_BUST=0
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends libpq5 && rm -rf /var/lib/apt/lists/*
WORKDIR /app
+1 -1
View File
@@ -37,7 +37,7 @@ export const auth = betterAuth({
maxPasswordLength: 128,
password: {
hash: async (password: string) => {
return bcrypt.hash(password, 12);
return bcrypt.hash(password, 10);
},
verify: async (data: { hash: string; password: string }) => {
return bcrypt.compare(data.password, data.hash);
-2
View File
@@ -5,7 +5,6 @@ WORKDIR /app
# build-essential and libpq-dev are needed to compile any C-extension wheels
# (e.g. psycopg2 fallback). No git needed — common/ is copied from the repo root.
ARG APT_CACHE_BUST=1
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
libpq-dev \
build-essential \
@@ -26,7 +25,6 @@ FROM python:3.12-slim AS prod
WORKDIR /app
# Install Playwright system dependencies for Chromium
ARG APT_CACHE_BUST=1
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
libnss3 \
libatk1.0-0 \
+1 -1
View File
@@ -11,7 +11,7 @@ dependencies = [
"cartsnitch-common>=0.1.0",
"playwright>=1.49,<2.0",
"playwright-stealth>=1.0,<2.0",
"cryptography>=46.0,<47.0",
"cryptography>=42.0,<44.0",
"fastapi>=0.115,<1.0",
"uvicorn[standard]>=0.30,<1.0",
"beautifulsoup4>=4.12,<5.0",
+7 -14
View File
@@ -1,14 +1,13 @@
import { useState } from 'react'
import { Link } from 'react-router-dom'
import { Link, useNavigate } from 'react-router-dom'
import { authClient } from '../lib/auth-client.ts'
import { useAuthStore } from '../stores/auth.ts'
export function Login() {
const [email, setEmail] = useState('')
const [password, setPassword] = useState('')
const [error, setError] = useState('')
const [loading, setLoading] = useState(false)
const setAuthenticated = useAuthStore((s) => s.setAuthenticated)
const navigate = useNavigate()
async function handleSubmit(e: React.FormEvent) {
e.preventDefault()
@@ -30,22 +29,16 @@ export function Login() {
throw new Error(authError.message ?? 'Sign in failed')
}
// After successful signIn, force a full page reload so Better-Auth's
// useSession() reinitializes with fresh cookie-backed session state.
// Using React Router's navigate() races with Better-Auth's internal update.
// After successful signIn, force a session fetch to confirm the cookie is set
// before navigating to the protected route
const sessionResult = await authClient.getSession()
if (sessionResult.data) {
window.location.href = '/'
navigate('/')
} else {
setError('Sign in failed. Please try again.')
}
} catch {
if (import.meta.env.VITE_MOCK_AUTH === 'true') {
setAuthenticated(true)
window.location.href = '/'
} else {
setError('Invalid email or password. Please try again.')
}
setError('Invalid email or password. Please try again.')
} finally {
setLoading(false)
}
@@ -100,4 +93,4 @@ export function Login() {
</p>
</main>
)
}
}