RubyGems - spree_api - Versions diffs - 5.3.4 → 5.4.0.beta - Mend

spree_api 5.3.4 → 5.4.0.beta

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (332) hide show

data/app/controllers/spree/api/v3/store/orders/payment_methods_controller.rb ADDED Viewed

@@ -0,0 +1,43 @@
+module Spree
+  module Api
+    module V3
+      module Store
+        module Orders
+          class PaymentMethodsController < Store::BaseController
+            include Spree::Api::V3::OrderConcern
+            before_action :set_parent
+            # GET /api/v3/store/orders/:order_id/payment_methods
+            # Returns available payment methods for the current order
+            def index
+              payment_methods = @parent.collect_frontend_payment_methods
+              render json: {
+                data: serialize_collection(payment_methods),
+                meta: { count: payment_methods.size }
+              }
+            end
+            protected
+            def serializer_class
+              Spree.api.payment_method_serializer
+            end
+            def serialize_collection(collection)
+              collection.map { |item| serializer_class.new(item, params: serializer_params).to_h }
+            end
+            def serializer_params
+              {
+                currency: current_currency,
+                store: current_store,
+                user: current_user
+              }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/orders/payment_sessions_controller.rb ADDED Viewed

@@ -0,0 +1,96 @@
+module Spree
+  module Api
+    module V3
+      module Store
+        module Orders
+          class PaymentSessionsController < ResourceController
+            include Spree::Api::V3::OrderConcern
+            skip_before_action :set_resource
+            before_action :authorize_order_access!
+            before_action :set_payment_session, only: [:show, :update, :complete]
+            # POST /api/v3/store/orders/:order_id/payment_sessions
+            def create
+              payment_method = current_store.payment_methods.find_by_prefix_id!(permitted_params[:payment_method_id])
+              @payment_session = payment_method.create_payment_session(
+                order: @parent,
+                amount: permitted_params[:amount],
+                external_data: permitted_params[:external_data] || {}
+              )
+              if @payment_session.persisted?
+                render json: serialize_resource(@payment_session), status: :created
+              else
+                render_errors(@payment_session.errors)
+              end
+            end
+            # GET /api/v3/store/orders/:order_id/payment_sessions/:id
+            def show
+              render json: serialize_resource(@payment_session)
+            end
+            # PATCH /api/v3/store/orders/:order_id/payment_sessions/:id
+            def update
+              @payment_session.payment_method.update_payment_session(
+                payment_session: @payment_session,
+                amount: permitted_params[:amount],
+                external_data: permitted_params[:external_data] || {}
+              )
+              if @payment_session.errors.empty?
+                render json: serialize_resource(@payment_session.reload)
+              else
+                render_errors(@payment_session.errors)
+              end
+            end
+            # PATCH /api/v3/store/orders/:order_id/payment_sessions/:id/complete
+            def complete
+              @payment_session.payment_method.complete_payment_session(
+                payment_session: @payment_session,
+                params: complete_params
+              )
+              if @payment_session.errors.empty?
+                render json: serialize_resource(@payment_session.reload)
+              else
+                render_errors(@payment_session.errors)
+              end
+            end
+            protected
+            def parent_association
+              :payment_sessions
+            end
+            def model_class
+              Spree::PaymentSession
+            end
+            def serializer_class
+              Spree.api.payment_session_serializer
+            end
+            def permitted_params
+              params.permit(Spree::PermittedAttributes.payment_session_attributes)
+            end
+            def complete_params
+              params.permit(:session_result, { external_data: {} })
+            end
+            private
+            def set_payment_session
+              @payment_session = @parent.payment_sessions.find_by_prefix_id!(params[:id])
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/orders/payments_controller.rb ADDED Viewed

@@ -0,0 +1,45 @@
+module Spree
+  module Api
+    module V3
+      module Store
+        module Orders
+          class PaymentsController < Store::BaseController
+            include Spree::Api::V3::OrderConcern
+            include Spree::Api::V3::ResourceSerializer
+            before_action :set_parent
+            before_action :set_payment, only: [:show]
+            # GET /api/v3/store/orders/:order_id/payments
+            def index
+              payments = @parent.payments.includes(:payment_method)
+              render json: {
+                data: serialize_payments(payments),
+                meta: {}
+              }
+            end
+            # GET /api/v3/store/orders/:order_id/payments/:id
+            def show
+              render json: serialize_resource(@payment)
+            end
+            private
+            def set_payment
+              @payment = @parent.payments.find_by_prefix_id!(params[:id])
+            end
+            def serializer_class
+              Spree.api.payment_serializer
+            end
+            def serialize_payments(payments)
+              payments.map { |p| serializer_class.new(p, params: serializer_params).to_h }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/orders/shipments_controller.rb ADDED Viewed

@@ -0,0 +1,53 @@
+module Spree
+  module Api
+    module V3
+      module Store
+        module Orders
+          class ShipmentsController < ResourceController
+            include Spree::Api::V3::OrderConcern
+            before_action :authorize_order_access!
+            skip_before_action :set_resource
+            before_action :set_shipment, only: [:show, :update]
+            # PATCH /api/v3/store/orders/:order_id/shipments/:id
+            def update
+              if permitted_params[:selected_shipping_rate_id].present?
+                shipping_rate = @resource.shipping_rates.find_by_prefix_id!(permitted_params[:selected_shipping_rate_id])
+                @resource.selected_shipping_rate_id = shipping_rate.id
+                @resource.save!
+              end
+              render_order
+            end
+            protected
+            def parent_association
+              :shipments
+            end
+            def model_class
+              Spree::Shipment
+            end
+            def serializer_class
+              Spree.api.shipment_serializer
+            end
+            def permitted_params
+              params.permit(:selected_shipping_rate_id)
+            end
+            private
+            # Find shipment without additional authorization - order access already verified
+            def set_shipment
+              @resource = scope.find_by_prefix_id!(params[:id])
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/orders/store_credits_controller.rb ADDED Viewed

@@ -0,0 +1,42 @@
+module Spree
+  module Api
+    module V3
+      module Store
+        module Orders
+          class StoreCreditsController < Store::BaseController
+            include Spree::Api::V3::OrderConcern
+            before_action :require_authentication!
+            before_action :set_parent
+            before_action :authorize_order_access!
+            # POST /api/v3/store/orders/:order_id/store_credits
+            def create
+              result = Spree.checkout_add_store_credit_service.call(
+                order: @parent,
+                amount: params[:amount].try(:to_f)
+              )
+              if result.success?
+                render_order
+              else
+                render_service_error(result.error)
+              end
+            end
+            # DELETE /api/v3/store/orders/:order_id/store_credits
+            def destroy
+              result = Spree.checkout_remove_store_credit_service.call(order: @parent)
+              if result.success?
+                render_order
+              else
+                render_service_error(result.error)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/orders_controller.rb ADDED Viewed

@@ -0,0 +1,125 @@
+module Spree
+  module Api
+    module V3
+      module Store
+        class OrdersController < ResourceController
+          include Spree::Api::V3::OrderConcern
+          # Skip base controller's set_resource and define our own complete list
+          skip_before_action :set_resource
+          before_action :set_resource, only: [:show, :update, :next, :advance, :complete]
+          # PATCH  /api/v3/store/orders/:id
+          #
+          # Accepts flat parameters:
+          #   {
+          #     "email": "customer@example.com",
+          #     "currency": "EUR",
+          #     "ship_address": { "firstname": "John", "country_iso": "US", ... },
+          #     "bill_address": { "firstname": "John", "country_iso": "US", ... }
+          #   }
+          #
+          def update
+            result = Spree::Api::V3::Orders::Update.call(
+              order: @order,
+              params: order_params
+            )
+            if result.success?
+              render json: serialize_resource(@order.reload)
+            else
+              render_service_error(result.error, code: ERROR_CODES[:validation_error])
+            end
+          end
+          # PATCH  /api/v3/store/orders/:id/next
+          def next
+            result = Spree.checkout_next_service.call(order: @order)
+            if result.success?
+              render json: serialize_resource(@order)
+            else
+              render_service_error(result.error, code: ERROR_CODES[:order_cannot_transition])
+            end
+          end
+          # PATCH  /api/v3/store/orders/:id/advance
+          def advance
+            result = Spree.checkout_advance_service.call(order: @order)
+            if result.success?
+              render json: serialize_resource(@order)
+            else
+              render_service_error(result.error, code: ERROR_CODES[:order_cannot_transition])
+            end
+          end
+          # PATCH  /api/v3/store/orders/:id/complete
+          def complete
+            result = Spree.checkout_complete_service.call(order: @order)
+            if result.success?
+              render json: serialize_resource(@order)
+            else
+              render_service_error(result.error, code: ERROR_CODES[:order_already_completed])
+            end
+          end
+          protected
+          # Override scope to avoid accessible_by (Order permissions use blocks)
+          def scope
+            order_scope
+          end
+          # Override set_resource to scope lookup by user or order token (IDOR prevention)
+          def set_resource
+            @order = order_scope.find_by_prefix_id!(params[:id])
+            @resource = @order
+            authorize_resource!(@order)
+          end
+          # override authorize_resource! to pass the order token
+          # Maps custom checkout actions to appropriate permissions
+          def authorize_resource!(resource = @resource, action = action_name.to_sym)
+            mapped_action = case action
+                            when :next, :advance, :complete
+                              :update # Checkout actions require update (non-completed order)
+                            else
+                              action
+                            end
+            authorize!(mapped_action, resource, order_token)
+          end
+          def model_class
+            Spree::Order
+          end
+          def serializer_class
+            Spree.api.order_serializer
+          end
+          def order_params
+            params.permit(
+              :email,
+              :currency,
+              :special_instructions,
+              :ship_address_id,
+              :bill_address_id,
+              ship_address: address_params,
+              bill_address: address_params
+            )
+          end
+          def address_params
+            [
+              :id, :firstname, :lastname, :address1, :address2,
+              :city, :zipcode, :phone, :company,
+              :country_iso, :state_abbr, :state_name
+            ]
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/products/filters_controller.rb ADDED Viewed

@@ -0,0 +1,38 @@
+module Spree
+  module Api
+    module V3
+      module Store
+        module Products
+          class FiltersController < Store::BaseController
+            def index
+              aggregator = Spree::Api::V3::FiltersAggregator.new(
+                scope: filters_scope,
+                currency: current_currency,
+                taxon: taxon
+              )
+              render json: aggregator.call
+            end
+            private
+            # Build scope from taxon and/or ransack params
+            # @return [ActiveRecord::Relation]
+            def filters_scope
+              scope = current_store.products.active(current_currency)
+              scope = scope.in_taxon(taxon) if taxon.present?
+              scope = scope.ransack(params[:q]).result if params[:q].present?
+              scope.accessible_by(current_ability, :show)
+            end
+            # Fetches taxon from params
+            # @param [String] taxon_id
+            # @return [Spree::Taxon]
+            def taxon
+              @taxon ||= params[:taxon_id].present? ? current_store.taxons.find_by_param(params[:taxon_id]) : nil
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/products_controller.rb ADDED Viewed

@@ -0,0 +1,74 @@
+module Spree
+  module Api
+    module V3
+      module Store
+        class ProductsController < ResourceController
+          SORT_OPTIONS = {
+            'price-low-to-high' => :ascend_by_price,
+            'price-high-to-low' => :descend_by_price
+          }.freeze
+          protected
+          def model_class
+            Spree::Product
+          end
+          def serializer_class
+            Spree.api.product_serializer
+          end
+          # Find product by slug or prefixed ID with i18n scope for SEO-friendly URLs
+          # Falls back to default locale if product is not found in the current locale
+          # @return [Spree::Product]
+          def find_resource
+            id = params[:id]
+            if id.to_s.start_with?('prod_')
+              scope.find_by_prefix_id!(id)
+            else
+              find_with_fallback_default_locale { scope.i18n.find_by!(slug: id) }
+            end
+          end
+          def scope
+            super.active(Spree::Current.currency)
+          end
+          # these scopes are not automatically picked by ar_lazy_preload gem and we need to explicitly include them
+          def scope_includes
+            [
+              thumbnail: [attachment_attachment: :blob],
+              master: [:prices],
+              variants: [:prices]
+            ]
+          end
+          # Disable distinct when using custom sort scopes that add computed columns
+          def collection_distinct?
+            !custom_sort_requested?
+          end
+          # Apply custom sorting scopes for price/best-selling
+          def apply_collection_sort(collection)
+            sort_by = params.dig(:q, :sort_by) || params[:sort_by]
+            return collection unless sort_by.present?
+            return collection.distinct(false).reorder(nil).by_best_selling if sort_by == 'best-selling'
+            scope_method = SORT_OPTIONS[sort_by]
+            return collection.reorder(nil).send(scope_method) if scope_method.present?
+            collection
+          end
+          private
+          def custom_sort_requested?
+            sort_by = params.dig(:q, :sort_by) || params[:sort_by]
+            SORT_OPTIONS.key?(sort_by)
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/resource_controller.rb ADDED Viewed

@@ -0,0 +1,12 @@
+module Spree
+  module Api
+    module V3
+      module Store
+        class ResourceController < Spree::Api::V3::ResourceController
+          # Require publishable API key for all Store API requests
+          before_action :authenticate_api_key!
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/stores_controller.rb ADDED Viewed

@@ -0,0 +1,26 @@
+module Spree
+  module Api
+    module V3
+      module Store
+        class StoresController < ResourceController
+          skip_before_action :set_resource
+          # GET /api/v3/store/store
+          def show
+            render json: serialize_resource(current_store)
+          end
+          protected
+          def model_class
+            Spree::Store
+          end
+          def serializer_class
+            Spree.api.store_serializer
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/taxonomies_controller.rb ADDED Viewed

@@ -0,0 +1,19 @@
+module Spree
+  module Api
+    module V3
+      module Store
+        class TaxonomiesController < ResourceController
+          protected
+          def model_class
+            Spree::Taxonomy
+          end
+          def serializer_class
+            Spree.api.taxonomy_serializer
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/taxons/products_controller.rb ADDED Viewed

@@ -0,0 +1,37 @@
+module Spree
+  module Api
+    module V3
+      module Store
+        module Taxons
+          class ProductsController < Store::ProductsController
+            before_action :set_taxon
+            protected
+            def set_taxon
+              @taxon = find_taxon
+            end
+            def scope
+              super.in_taxon(@taxon)
+            end
+            private
+            def find_taxon
+              id = params[:taxon_id]
+              taxon_scope = Spree::Taxon.for_store(current_store).accessible_by(current_ability, :show)
+              taxon_scope = taxon_scope.i18n if Spree::Taxon.include?(Spree::TranslatableResource)
+              if id.to_s.start_with?('txn_')
+                taxon_scope.find_by_prefix_id!(id)
+              else
+                find_with_fallback_default_locale { taxon_scope.i18n.find_by!(permalink: id) }
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/taxons_controller.rb ADDED Viewed

@@ -0,0 +1,34 @@
+module Spree
+  module Api
+    module V3
+      module Store
+        class TaxonsController < ResourceController
+          protected
+          def model_class
+            Spree::Taxon
+          end
+          def serializer_class
+            Spree.api.taxon_serializer
+          end
+          # Find taxon by permalink or prefixed ID with i18n scope for SEO-friendly URLs
+          # Falls back to default locale if taxon is not found in the current locale
+          def find_resource
+            id = params[:id]
+            if id.to_s.start_with?('txn_')
+              scope.find_by_prefix_id!(id)
+            else
+              find_with_fallback_default_locale { scope.i18n.find_by!(permalink: id) }
+            end
+          end
+          def collection_includes
+            [:taxonomy]
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/wishlist_items_controller.rb ADDED Viewed

@@ -0,0 +1,33 @@
+module Spree
+  module Api
+    module V3
+      module Store
+        class WishlistItemsController < ResourceController
+          prepend_before_action :require_authentication!
+          protected
+          def set_parent
+            @parent = current_user.wishlists.find_by_prefix_id!(params[:wishlist_id])
+          end
+          def parent_association
+            :wished_items
+          end
+          def model_class
+            Spree::WishedItem
+          end
+          def serializer_class
+            Spree.api.wished_item_serializer
+          end
+          def permitted_params
+            params.permit(Spree::PermittedAttributes.wished_item_attributes)
+          end
+        end
+      end
+    end
+  end
+end