spree_api 5.4.0.beta6 → 5.4.0.beta8

data/app/controllers/spree/api/v3/store/carts_controller.rb

@@ -0,0 +1,176 @@
+module Spree
+  module Api
+    module V3
+      module Store
+        class CartsController < Store::ResourceController
+          include Spree::Api::V3::CartResolvable
+          include Spree::Api::V3::OrderLock
+
+          skip_before_action :set_resource
+          prepend_before_action :require_authentication!, only: [:index, :associate]
+
+          # GET /api/v3/store/carts/:id
+          # Returns cart by prefixed ID
+          # Auto-advances the checkout state machine so that shipments and
+          # payment requirements are up-to-date (temporary until Spree 6 removes
+          # the state machine).
+          def show
+            @cart = find_cart
+
+            if @cart.ship_address_id.present? && @cart.shipments.empty?
+              ActiveRecord::Base.connected_to(role: :writing) do
+                with_order_lock { Spree::Checkout::Advance.call(order: @cart) }
+              end
+            end
+
+            render_cart
+          end
+
+          # POST /api/v3/store/carts
+          # Creates a new shopping cart (order)
+          # Can be created by guests or authenticated customers
+          def create
+            result = Spree::Carts::Create.call(
+              params: permitted_params.merge(
+                user: current_user,
+                store: current_store,
+                currency: current_currency,
+                locale: current_locale
+              )
+            )
+
+            if result.success?
+              @cart = result.value
+              render_cart(status: :created)
+            else
+              render_service_error(result.error.to_s)
+            end
+          end
+
+          # PATCH /api/v3/store/carts/:id
+          # Updates cart info (email, addresses, special instructions).
+          # Auto-advances to the next checkout step when possible.
+          def update
+            find_cart!
+
+            with_order_lock do
+              result = Spree::Carts::Update.call(
+                cart: @cart,
+                params: permitted_params
+              )
+
+              if result.success?
+                render_cart
+              else
+                render_service_error(result.error, code: ERROR_CODES[:validation_error])
+              end
+            end
+          end
+
+          # DELETE /api/v3/store/carts/:id
+          # Deletes/abandons the cart
+          def destroy
+            find_cart!
+
+            result = Spree.cart_destroy_service.call(order: @cart)
+
+            if result.success?
+              head :no_content
+            else
+              render_service_error(result.error.to_s)
+            end
+          end
+
+          # PATCH /api/v3/store/carts/:id/associate
+          # Associates a guest cart with the currently authenticated user
+          # Requires: JWT authentication + cart ID in URL
+          def associate
+            @cart = find_cart_for_association
+
+            result = Spree.cart_associate_service.call(guest_order: @cart, user: current_user, guest_only: true)
+
+            if result.success?
+              render_cart
+            else
+              render_service_error(result.error.to_s)
+            end
+          end
+
+          # POST /api/v3/store/carts/:id/complete
+          # Completes the checkout — returns Order (not Cart).
+          # Idempotent: if the cart is already completed, falls back to the
+          # orders scope and returns the completed order.
+          def complete
+            find_cart!
+
+            result = Spree::Dependencies.carts_complete_service.constantize.call(cart: @cart)
+
+            if result.success?
+              @cart = result.value
+              render_order
+            else
+              render_service_error(
+                result.error.to_s.presence || 'Could not complete checkout',
+                code: ERROR_CODES[:cart_cannot_complete]
+              )
+            end
+          rescue ActiveRecord::RecordNotFound
+            @cart = current_store.orders.complete.find_by_prefix_id!(params[:id])
+            authorize!(:show, @cart, cart_token)
+
+            render_order
+          end
+
+          protected
+
+          def model_class
+            Spree::Order
+          end
+
+          def serializer_class
+            Spree.api.cart_serializer
+          end
+
+          def scope
+            current_store.carts.where(user: current_user).order(updated_at: :desc)
+          end
+
+          private
+
+          def permitted_params
+            params.permit(
+              :email,
+              :special_instructions,
+              :currency,
+              :locale,
+              :ship_address_id,
+              :bill_address_id,
+              ship_address: address_params,
+              bill_address: address_params,
+              metadata: {},
+              items: item_params
+            )
+          end
+
+          def address_params
+            [
+              :id, :firstname, :lastname, :address1, :address2,
+              :city, :zipcode, :phone, :company,
+              :country_iso, :state_abbr, :state_name, :quick_checkout
+            ]
+          end
+
+          def item_params
+            [:variant_id, :quantity, { metadata: {}, options: {} }]
+          end
+
+          # Find incomplete cart for associate action.
+          # Only finds guest carts (no user) or carts already owned by current user (idempotent).
+          def find_cart_for_association
+            current_store.carts.where(user: [nil, current_user]).find_by_prefix_id!(params[:id])
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/customer/orders_controller.rb

@@ -25,7 +25,7 @@ module Spree
             end
 
             def scope
-              super.for_store(current_store)
+              super.for_store(current_store).complete
             end
           end
         end

data/app/controllers/spree/api/v3/store/customer/password_resets_controller.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module Spree
+  module Api
+    module V3
+      module Store
+        module Customer
+          class PasswordResetsController < Store::BaseController
+            rate_limit to: Spree::Api::Config[:rate_limit_password_reset],
+                       within: Spree::Api::Config[:rate_limit_window].seconds,
+                       store: Rails.cache,
+                       with: RATE_LIMIT_RESPONSE
+
+            skip_before_action :authenticate_user
+
+            # POST /api/v3/store/customer/password_resets
+            def create
+              redirect_url = params[:redirect_url]
+
+              # Validate redirect_url against allowed origins (secure by default).
+              # If no allowed origins are configured, redirect_url is silently ignored
+              # to prevent open redirect / token exfiltration attacks.
+              if redirect_url.present?
+                if current_store.allowed_origins.exists? && current_store.allowed_origin?(redirect_url)
+                  # redirect_url is valid — keep it
+                else
+                  redirect_url = nil
+                end
+              end
+
+              user = Spree.user_class.find_by(email: params[:email])
+
+              if user
+                token = user.generate_token_for(:password_reset)
+                event_payload = { reset_token: token, email: user.email }
+                event_payload[:redirect_url] = redirect_url if redirect_url.present?
+                user.publish_event('customer.password_reset_requested', event_payload)
+              end
+
+              # Always return 202 to prevent email enumeration
+              render json: { message: Spree.t(:password_reset_requested, scope: :api) }, status: :accepted
+            end
+
+            # PATCH /api/v3/store/customer/password_resets/:id
+            def update
+              user = Spree.user_class.find_by_password_reset_token(params[:id])
+
+              unless user
+                return render_error(
+                  code: ERROR_CODES[:password_reset_token_invalid],
+                  message: Spree.t(:password_reset_token_invalid, scope: :api),
+                  status: :unprocessable_content
+                )
+              end
+
+              if user.update(password: params[:password], password_confirmation: params[:password_confirmation])
+                jwt = generate_jwt(user)
+                user.publish_event('customer.password_reset')
+
+                render json: {
+                  token: jwt,
+                  user: serializer_class.new(user, params: serializer_params).to_h
+                }
+              else
+                render_errors(user.errors)
+              end
+            end
+
+            protected
+
+            def serializer_class
+              Spree.api.customer_serializer
+            end
+
+            def serializer_params
+              {
+                store: current_store,
+                locale: current_locale,
+                currency: current_currency,
+                user: nil,
+                includes: []
+              }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/orders_controller.rb

@@ -2,133 +2,40 @@ module Spree
   module Api
     module V3
       module Store
-        class OrdersController < ResourceController
-          include Spree::Api::V3::OrderConcern
-          include Spree::Api::V3::OrderLock
+        class OrdersController < Store::BaseController
+          # GET /api/v3/store/orders/:id
+          # Single order lookup — accessible via order token (guests) or JWT (authenticated users)
+          before_action :find_order!
 
-          # Skip base controller's set_resource and define our own complete list
-          skip_before_action :set_resource
-          before_action :set_resource, only: [:show, :update, :next, :advance, :complete]
-
-          # PATCH  /api/v3/store/orders/:id
-          #
-          # Accepts flat parameters:
-          #   {
-          #     "email": "customer@example.com",
-          #     "currency": "EUR",
-          #     "ship_address": { "firstname": "John", "country_iso": "US", ... },
-          #     "bill_address": { "firstname": "John", "country_iso": "US", ... }
-          #   }
-          #
-          def update
-            with_order_lock do
-              result = Spree.order_update_service.call(
-                order: @order,
-                params: order_params
-              )
-
-              if result.success?
-                render json: serialize_resource(@order.reload)
-              else
-                render_service_error(result.error, code: ERROR_CODES[:validation_error])
-              end
-            end
-          end
-
-          # PATCH  /api/v3/store/orders/:id/next
-          def next
-            with_order_lock do
-              result = Spree.checkout_next_service.call(order: @order)
-
-              if result.success?
-                render json: serialize_resource(@order)
-              else
-                render_service_error(result.error, code: ERROR_CODES[:order_cannot_transition])
-              end
-            end
-          end
-
-          # PATCH  /api/v3/store/orders/:id/advance
-          def advance
-            with_order_lock do
-              result = Spree.checkout_advance_service.call(order: @order)
-
-              if result.success?
-                render json: serialize_resource(@order)
-              else
-                render_service_error(result.error, code: ERROR_CODES[:order_cannot_transition])
-              end
-            end
+          def show
+            render json: serializer_class.new(@order, params: serializer_params).to_h
           end
 
-          # PATCH  /api/v3/store/orders/:id/complete
-          def complete
-            with_order_lock do
-              result = Spree.checkout_complete_service.call(order: @order)
+          private
 
-              if result.success?
-                render json: serialize_resource(@order)
-              else
-                render_service_error(result.error, code: ERROR_CODES[:order_already_completed])
-              end
-            end
+          def find_order!
+            @order = scope.find_by_prefix_id!(params[:id])
+            authorize!(:show, @order, order_token)
           end
 
-          protected
-
-          # Override scope to avoid accessible_by (Order permissions use blocks)
           def scope
-            order_scope
-          end
-
-          # Override set_resource to scope lookup by user or order token (IDOR prevention)
-          def set_resource
-            @order = order_scope.find_by_prefix_id!(params[:id])
-            @resource = @order
-            authorize_resource!(@order)
-          end
-
-          # override authorize_resource! to pass the order token
-          # Maps custom checkout actions to appropriate permissions
-          def authorize_resource!(resource = @resource, action = action_name.to_sym)
-            mapped_action = case action
-                            when :next, :advance, :complete
-                              :update # Checkout actions require update (non-completed order)
-                            else
-                              action
-                            end
-            authorize!(mapped_action, resource, order_token)
-          end
-
-          def model_class
-            Spree::Order
+            base = current_store.orders.complete
+
+            if current_user.present?
+              base.where(user: current_user)
+            elsif order_token.present?
+              base.where(token: order_token)
+            else
+              base.none
+            end
           end
 
           def serializer_class
             Spree.api.order_serializer
           end
 
-          def order_params
-            params.permit(
-              :email,
-              :currency,
-              :locale,
-              :special_instructions,
-              :ship_address_id,
-              :bill_address_id,
-              ship_address: address_params,
-              bill_address: address_params,
-              metadata: {},
-              line_items: [:variant_id, :quantity, { metadata: {}, options: {} }]
-            )
-          end
-
-          def address_params
-            [
-              :id, :firstname, :lastname, :address1, :address2,
-              :city, :zipcode, :phone, :company,
-              :country_iso, :state_abbr, :state_name, :quick_checkout
-            ]
+          def order_token
+            request.headers['x-spree-token']
           end
         end
       end

data/app/controllers/spree/api/v3/store/products_controller.rb

@@ -41,7 +41,7 @@ module Spree
           # these scopes are not automatically picked by ar_lazy_preload gem and we need to explicitly include them
           def scope_includes
             [
-              thumbnail: [attachment_attachment: :blob],
+              primary_media: [attachment_attachment: :blob],
               master: [:prices, stock_items: :stock_location],
               variants: [:prices, stock_items: :stock_location]
             ]

data/app/controllers/spree/api/v3/webhooks/payments_controller.rb

@@ -0,0 +1,52 @@
+module Spree
+  module Api
+    module V3
+      module Webhooks
+        class PaymentsController < ActionController::API
+          include ActionController::RateLimiting
+
+          RATE_LIMIT_RESPONSE = -> {
+            [429, { 'Content-Type' => 'application/json', 'Retry-After' => '60' },
+             [{ error: { code: 'rate_limit_exceeded', message: 'Too many requests' } }.to_json]]
+          }
+
+          rate_limit to: 120, within: 1.minute,
+                     store: Rails.cache,
+                     by: -> { request.remote_ip },
+                     with: RATE_LIMIT_RESPONSE
+
+          # POST /api/v3/webhooks/payments/:payment_method_id
+          #
+          # Verifies the webhook signature synchronously (returns 401 if invalid),
+          # then enqueues async processing and returns 200 immediately.
+          def create
+            payment_method = Spree::PaymentMethod.find_by_prefix_id!(params[:payment_method_id])
+
+            # Signature verification must be synchronous — invalid = 401
+            result = payment_method.parse_webhook_event(request.raw_post, request.headers)
+
+            # Unsupported event — acknowledge receipt
+            return head :ok if result.nil?
+
+            # Process asynchronously — gateways have timeout limits and will
+            # retry on timeouts, so we must return 200 quickly.
+            Spree::Payments::HandleWebhookJob.perform_later(
+              payment_method_id: payment_method.id,
+              action: result[:action].to_s,
+              payment_session_id: result[:payment_session].id
+            )
+
+            head :ok
+          rescue Spree::PaymentMethod::WebhookSignatureError
+            head :unauthorized
+          rescue ActiveRecord::RecordNotFound
+            head :not_found
+          rescue StandardError => e
+            Rails.error.report(e, source: 'spree.webhooks.payments')
+            head :ok
+          end
+        end
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/admin/allowed_origin_serializer.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Spree
+  module Api
+    module V3
+      module Admin
+        class AllowedOriginSerializer < V3::BaseSerializer
+          typelize store_id: :string
+
+          attributes :id, :origin
+
+          attribute :store_id do |allowed_origin|
+            allowed_origin.store&.prefixed_id
+          end
+
+          attributes created_at: :iso8601, updated_at: :iso8601
+        end
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/admin/media_serializer.rb

@@ -0,0 +1,17 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class MediaSerializer < V3::MediaSerializer
+          typelize viewable_type: :string, viewable_id: :string
+
+          attribute :viewable_id do |asset|
+            asset.viewable&.prefixed_id
+          end
+
+          attributes :viewable_type
+        end
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/admin/order_serializer.rb

@@ -43,8 +43,8 @@ module Spree
           end
 
           # Override inherited associations to use admin serializers
-          many :order_promotions, resource: Spree.api.admin_order_promotion_serializer, if: proc { expand?('order_promotions') }
-          many :line_items, resource: Spree.api.admin_line_item_serializer, if: proc { expand?('line_items') }
+          many :order_promotions, key: :promotions, resource: Spree.api.admin_order_promotion_serializer, if: proc { expand?('promotions') }
+          many :line_items, key: :items, resource: Spree.api.admin_line_item_serializer, if: proc { expand?('items') }
           many :shipments, resource: Spree.api.admin_shipment_serializer, if: proc { expand?('shipments') }
           many :payments, resource: Spree.api.admin_payment_serializer, if: proc { expand?('payments') }
 

data/app/serializers/spree/api/v3/admin/product_serializer.rb

@@ -37,10 +37,14 @@ module Spree
               resource: Spree.api.admin_variant_serializer,
               if: proc { expand?('master_variant') }
 
-          many :variant_images,
-               key: :images,
-               resource: Spree.api.admin_image_serializer,
-               if: proc { expand?('images') }
+          one :primary_media,
+              resource: Spree.api.admin_media_serializer,
+              if: proc { expand?('primary_media') }
+
+          many :gallery_media,
+               key: :media,
+               resource: Spree.api.admin_media_serializer,
+               if: proc { expand?('media') }
 
           many :option_types,
                resource: Spree.api.admin_option_type_serializer,

data/app/serializers/spree/api/v3/admin/variant_serializer.rb

@@ -20,9 +20,14 @@ module Spree
           end
 
           # Override inherited associations to use admin serializers
-          many :images,
-               resource: Spree.api.admin_image_serializer,
-               if: proc { expand?('images') }
+          one :primary_media,
+              resource: Spree.api.admin_media_serializer,
+              if: proc { expand?('primary_media') }
+
+          many :gallery_media,
+               key: :media,
+               resource: Spree.api.admin_media_serializer,
+               if: proc { expand?('media') }
 
           many :option_values, resource: Spree.api.admin_option_value_serializer
 

data/app/serializers/spree/api/v3/base_serializer.rb

@@ -38,7 +38,7 @@ module Spree
         end
 
         # Check if an association should be expanded
-        # Supports dot notation: expand?('variants') matches both 'variants' and 'variants.images'
+        # Supports dot notation: expand?('variants') matches both 'variants' and 'variants.media'
         def expand?(name)
           name = name.to_s
           expands.any? { |e| e == name || e.start_with?("#{name}.") }

data/app/serializers/spree/api/v3/cart_promotion_serializer.rb

@@ -0,0 +1,18 @@
+module Spree
+  module Api
+    module V3
+      # Cart-facing promotion serializer.
+      # Same data as OrderPromotionSerializer but IDs use the cp_ prefix.
+      class CartPromotionSerializer < BaseSerializer
+        typelize name: :string, description: [:string, nullable: true], code: [:string, nullable: true],
+                 amount: :string, display_amount: :string, promotion_id: :string
+
+        attribute :promotion_id do |cart_promotion|
+          cart_promotion.promotion&.prefixed_id
+        end
+
+        attributes :name, :description, :code, :amount, :display_amount
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/cart_serializer.rb

@@ -0,0 +1,56 @@
+module Spree
+  module Api
+    module V3
+      # Store API Cart Serializer
+      # Pre-purchase cart data with checkout progression info
+      class CartSerializer < BaseSerializer
+        typelize number: :string, current_step: :string, completed_steps: 'string[]', token: :string, email: [:string, nullable: true],
+                 special_instructions: [:string, nullable: true], currency: :string, locale: [:string, nullable: true], item_count: :number,
+                 requirements: 'Array<{step: string, field: string, message: string}>',
+                 item_total: :string, display_item_total: :string,
+                 ship_total: :string, display_ship_total: :string,
+                 adjustment_total: :string, display_adjustment_total: :string,
+                 promo_total: :string, display_promo_total: :string,
+                 tax_total: :string, display_tax_total: :string,
+                 included_tax_total: :string, display_included_tax_total: :string,
+                 additional_tax_total: :string, display_additional_tax_total: :string,
+                 total: :string, display_total: :string,
+                 bill_address: { nullable: true }, ship_address: { nullable: true }
+
+        # Override ID to use cart_ prefix
+        attribute :id do |order|
+          "cart_#{Spree::PrefixedId::SQIDS.encode([order.id])}"
+        end
+
+        attributes :number, :token, :email, :special_instructions,
+                   :currency, :locale, :item_count,
+                   :item_total, :display_item_total, :ship_total, :display_ship_total,
+                   :adjustment_total, :display_adjustment_total, :promo_total, :display_promo_total,
+                   :tax_total, :display_tax_total, :included_tax_total, :display_included_tax_total,
+                   :additional_tax_total, :display_additional_tax_total, :total, :display_total,
+                   created_at: :iso8601, updated_at: :iso8601
+
+        attribute :current_step do |order|
+          order.current_checkout_step
+        end
+
+        attribute :completed_steps do |order|
+          order.completed_checkout_steps
+        end
+
+        attribute :requirements do |order|
+          Spree::Checkout::Requirements.new(order).call
+        end
+
+        many :cart_promotions, key: :promotions, resource: Spree.api.cart_promotion_serializer
+        many :line_items, key: :items, resource: Spree.api.line_item_serializer
+        many :shipments, resource: Spree.api.shipment_serializer
+        many :payments, resource: Spree.api.payment_serializer
+        one :bill_address, resource: Spree.api.address_serializer
+        one :ship_address, resource: Spree.api.address_serializer
+
+        many :payment_methods, resource: Spree.api.payment_method_serializer
+      end
+    end
+  end
+end