spree_api 5.4.0.beta7 → 5.4.0.beta8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f27a3d636c9e7fdac4e297ba4820d97f91831b4124a1b6aafcc734b4f3906bc
-  data.tar.gz: a436eac6eee920191894f256c587c12f852b5b86f3a978d6af43f032cff1908b
+  metadata.gz: d59f56e428252697b4360183c26b92d20fe7607630b84589a5203ad766d6a467
+  data.tar.gz: 2807c39fa35138ae1db42e5fb184998dfc8e9c25d7309f11b43edc0af1751877
 SHA512:
-  metadata.gz: adce2c15462e5c368813c95419047c83e686254e93af752832e370a2ed19aa7f5893659ed8b79c982bbe37294695b245d87671d196d93e92d759b9d8fe79caa9
-  data.tar.gz: 1cdec354c04bd65e731b2ee0309170e597012047ede52184ca0cbe2f8323d9af4c0f5ed967cb13fade6c74c3a1206aa058a803992c983b1ae351fc887f77b934
+  metadata.gz: ed23df8b1714945bb9b4718f0c81443fb140fb3ddbaf48e72fbc4de1f9b6b0f9b41373587cf57f69fcc4e928aa75fc1636c7dc57b700e24c9958a3bd70c42bc0
+  data.tar.gz: bc499f9d970dc0fc0d24de5c711070b267e103d60c82704e5de1f48c7bcd635183cf024e1cfef4b0f9d0841f5e2ea150e74618f7ec3283dd59ee73f20059682f

data/app/controllers/concerns/spree/api/v3/error_handler.rb

@@ -13,6 +13,8 @@ module Spree
           invalid_token: 'invalid_token',
           invalid_provider: 'invalid_provider',
           current_password_invalid: 'current_password_invalid',
+          password_reset_token_invalid: 'password_reset_token_invalid',
+          redirect_url_not_allowed: 'redirect_url_not_allowed',
 
           # Resource errors
           record_not_found: 'record_not_found',

data/app/controllers/spree/api/v3/store/customer/password_resets_controller.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module Spree
+  module Api
+    module V3
+      module Store
+        module Customer
+          class PasswordResetsController < Store::BaseController
+            rate_limit to: Spree::Api::Config[:rate_limit_password_reset],
+                       within: Spree::Api::Config[:rate_limit_window].seconds,
+                       store: Rails.cache,
+                       with: RATE_LIMIT_RESPONSE
+
+            skip_before_action :authenticate_user
+
+            # POST /api/v3/store/customer/password_resets
+            def create
+              redirect_url = params[:redirect_url]
+
+              # Validate redirect_url against allowed origins (secure by default).
+              # If no allowed origins are configured, redirect_url is silently ignored
+              # to prevent open redirect / token exfiltration attacks.
+              if redirect_url.present?
+                if current_store.allowed_origins.exists? && current_store.allowed_origin?(redirect_url)
+                  # redirect_url is valid — keep it
+                else
+                  redirect_url = nil
+                end
+              end
+
+              user = Spree.user_class.find_by(email: params[:email])
+
+              if user
+                token = user.generate_token_for(:password_reset)
+                event_payload = { reset_token: token, email: user.email }
+                event_payload[:redirect_url] = redirect_url if redirect_url.present?
+                user.publish_event('customer.password_reset_requested', event_payload)
+              end
+
+              # Always return 202 to prevent email enumeration
+              render json: { message: Spree.t(:password_reset_requested, scope: :api) }, status: :accepted
+            end
+
+            # PATCH /api/v3/store/customer/password_resets/:id
+            def update
+              user = Spree.user_class.find_by_password_reset_token(params[:id])
+
+              unless user
+                return render_error(
+                  code: ERROR_CODES[:password_reset_token_invalid],
+                  message: Spree.t(:password_reset_token_invalid, scope: :api),
+                  status: :unprocessable_content
+                )
+              end
+
+              if user.update(password: params[:password], password_confirmation: params[:password_confirmation])
+                jwt = generate_jwt(user)
+                user.publish_event('customer.password_reset')
+
+                render json: {
+                  token: jwt,
+                  user: serializer_class.new(user, params: serializer_params).to_h
+                }
+              else
+                render_errors(user.errors)
+              end
+            end
+
+            protected
+
+            def serializer_class
+              Spree.api.customer_serializer
+            end
+
+            def serializer_params
+              {
+                store: current_store,
+                locale: current_locale,
+                currency: current_currency,
+                user: nil,
+                includes: []
+              }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/products_controller.rb

@@ -41,7 +41,7 @@ module Spree
           # these scopes are not automatically picked by ar_lazy_preload gem and we need to explicitly include them
           def scope_includes
             [
-              thumbnail: [attachment_attachment: :blob],
+              primary_media: [attachment_attachment: :blob],
               master: [:prices, stock_items: :stock_location],
               variants: [:prices, stock_items: :stock_location]
             ]

data/app/serializers/spree/api/v3/admin/allowed_origin_serializer.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Spree
+  module Api
+    module V3
+      module Admin
+        class AllowedOriginSerializer < V3::BaseSerializer
+          typelize store_id: :string
+
+          attributes :id, :origin
+
+          attribute :store_id do |allowed_origin|
+            allowed_origin.store&.prefixed_id
+          end
+
+          attributes created_at: :iso8601, updated_at: :iso8601
+        end
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/admin/media_serializer.rb

@@ -0,0 +1,17 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class MediaSerializer < V3::MediaSerializer
+          typelize viewable_type: :string, viewable_id: :string
+
+          attribute :viewable_id do |asset|
+            asset.viewable&.prefixed_id
+          end
+
+          attributes :viewable_type
+        end
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/admin/product_serializer.rb

@@ -37,10 +37,14 @@ module Spree
               resource: Spree.api.admin_variant_serializer,
               if: proc { expand?('master_variant') }
 
-          many :variant_images,
-               key: :images,
-               resource: Spree.api.admin_image_serializer,
-               if: proc { expand?('images') }
+          one :primary_media,
+              resource: Spree.api.admin_media_serializer,
+              if: proc { expand?('primary_media') }
+
+          many :gallery_media,
+               key: :media,
+               resource: Spree.api.admin_media_serializer,
+               if: proc { expand?('media') }
 
           many :option_types,
                resource: Spree.api.admin_option_type_serializer,

data/app/serializers/spree/api/v3/admin/variant_serializer.rb

@@ -20,9 +20,14 @@ module Spree
           end
 
           # Override inherited associations to use admin serializers
-          many :images,
-               resource: Spree.api.admin_image_serializer,
-               if: proc { expand?('images') }
+          one :primary_media,
+              resource: Spree.api.admin_media_serializer,
+              if: proc { expand?('primary_media') }
+
+          many :gallery_media,
+               key: :media,
+               resource: Spree.api.admin_media_serializer,
+               if: proc { expand?('media') }
 
           many :option_values, resource: Spree.api.admin_option_value_serializer
 

data/app/serializers/spree/api/v3/base_serializer.rb

@@ -38,7 +38,7 @@ module Spree
         end
 
         # Check if an association should be expanded
-        # Supports dot notation: expand?('variants') matches both 'variants' and 'variants.images'
+        # Supports dot notation: expand?('variants') matches both 'variants' and 'variants.media'
         def expand?(name)
           name = name.to_s
           expands.any? { |e| e == name || e.start_with?("#{name}.") }

data/app/serializers/spree/api/v3/media_serializer.rb

@@ -0,0 +1,60 @@
+module Spree
+  module Api
+    module V3
+      class MediaSerializer < BaseSerializer
+        typelize position: :number, alt: [:string, nullable: true],
+                 product_id: [:string, nullable: true],
+                 variant_ids: [:string, multi: true],
+                 media_type: :string,
+                 focal_point_x: [:number, nullable: true],
+                 focal_point_y: [:number, nullable: true],
+                 external_video_url: [:string, nullable: true],
+                 original_url: [:string, nullable: true], mini_url: [:string, nullable: true],
+                 small_url: [:string, nullable: true], medium_url: [:string, nullable: true],
+                 large_url: [:string, nullable: true], xlarge_url: [:string, nullable: true],
+                 og_image_url: [:string, nullable: true]
+
+        attribute :product_id do |asset|
+          asset.product&.prefixed_id
+        end
+
+        # Returns prefixed IDs of variants this media is associated with.
+        # Currently: single variant via viewable (legacy). In 6.0: multiple via VariantMedia join table.
+        attribute :variant_ids do |asset|
+          if asset.viewable_type == 'Spree::Variant'
+            [asset.viewable&.prefixed_id].compact
+          else
+            []
+          end
+        end
+
+        attributes :position, :alt, :media_type,
+                   :focal_point_x, :focal_point_y, :external_video_url,
+                   created_at: :iso8601, updated_at: :iso8601
+
+        attribute :original_url do |asset|
+          image_url_for(asset)
+        end
+
+        # Dynamically define attributes for each configured image variant
+        # Uses named variants from Spree::Config.product_image_variant_sizes
+        # (e.g., mini, small, medium, large, xlarge)
+        Spree::Config.product_image_variant_sizes.each_key do |variant_name|
+          attribute :"#{variant_name}_url" do |asset|
+            variant_url(asset, variant_name)
+          end
+        end
+
+        private
+
+        def variant_url(asset, variant_name)
+          return nil unless asset&.attachment&.attached?
+
+          Rails.application.routes.url_helpers.cdn_image_url(
+            asset.attachment.variant(variant_name)
+          )
+        end
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/product_serializer.rb

@@ -40,9 +40,9 @@ module Spree
           product.default_variant&.prefixed_id
         end
 
-        # Main product image URL for listings (cached thumbnail)
+        # Main product image URL for listings (cached primary_media)
         attribute :thumbnail_url do |product|
-          image_url_for(product.thumbnail)
+          image_url_for(product.primary_media)
         end
 
         attribute :tags do |product|
@@ -68,10 +68,14 @@ module Spree
         end
 
         # Conditional associations
-        many :variant_images,
-             key: :images,
-             resource: Spree.api.image_serializer,
-             if: proc { expand?('images') }
+        one :primary_media,
+            resource: Spree.api.media_serializer,
+            if: proc { expand?('primary_media') }
+
+        many :gallery_media,
+             key: :media,
+             resource: Spree.api.media_serializer,
+             if: proc { expand?('media') }
 
         many :variants,
              resource: Spree.api.variant_serializer,

data/app/serializers/spree/api/v3/variant_serializer.rb

@@ -5,8 +5,8 @@ module Spree
       # Customer-facing variant data with limited fields
       class VariantSerializer < BaseSerializer
         typelize product_id: :string, sku: [:string, nullable: true],
-                 is_master: :boolean, options_text: :string, track_inventory: :boolean, image_count: :number,
-                 thumbnail: [:string, nullable: true],
+                 is_master: :boolean, options_text: :string, track_inventory: :boolean, media_count: :number,
+                 thumbnail_url: [:string, nullable: true],
                  purchasable: :boolean, in_stock: :boolean, backorderable: :boolean,
                  weight: [:number, nullable: true], height: [:number, nullable: true], width: [:number, nullable: true], depth: [:number, nullable: true],
                  price: 'Price',
@@ -16,12 +16,12 @@ module Spree
           variant.product&.prefixed_id
         end
 
-        attributes :sku, :is_master, :options_text, :track_inventory, :image_count,
+        attributes :sku, :is_master, :options_text, :track_inventory, :media_count,
                    created_at: :iso8601, updated_at: :iso8601
 
-        # Main variant image URL for listings (cached thumbnail)
-        attribute :thumbnail do |variant|
-          image_url_for(variant.thumbnail)
+        # Main variant image URL for listings (cached primary_media)
+        attribute :thumbnail_url do |variant|
+          image_url_for(variant.primary_media)
         end
 
         attribute :purchasable do |variant|
@@ -70,9 +70,14 @@ module Spree
         end
 
         # Conditional associations
-        many :images,
-             resource: Spree.api.image_serializer,
-             if: proc { expand?('images') }
+        one :primary_media,
+            resource: Spree.api.media_serializer,
+            if: proc { expand?('primary_media') }
+
+        many :gallery_media,
+             key: :media,
+             resource: Spree.api.media_serializer,
+             if: proc { expand?('media') }
 
         many :option_values, resource: Spree.api.option_value_serializer
 

data/config/locales/en.yml

@@ -7,6 +7,9 @@ en:
       invalid_resource: Invalid resource. Please fix errors and try again.
       invalid_taxonomy_id: Invalid taxonomy id.
       current_password_invalid: Current password is invalid or missing
+      password_reset_requested: If an account exists for that email, password reset instructions have been sent.
+      password_reset_token_invalid: Password reset token is invalid or has expired.
+      redirect_url_not_allowed: The redirect URL is not from an allowed origin for this store.
       must_specify_api_key: You must specify an API key.
       negative_quantity: quantity is negative
       order:

data/config/routes.rb

@@ -59,6 +59,8 @@ Spree::Core::Engine.add_routes do
 
         # Customer nested resources
         namespace :customer, path: 'customer' do
+          resources :password_resets, only: [:create, :update]
+
           resources :orders, only: [:index, :show]
           resources :addresses, only: [:index, :show, :create, :update, :destroy] do
             member do

data/lib/spree/api/configuration.rb

@@ -19,6 +19,7 @@ module Spree
       preference :rate_limit_register, :integer, default: 3 # per IP
       preference :rate_limit_refresh, :integer, default: 10 # per IP
       preference :rate_limit_oauth, :integer, default: 5 # per IP
+      preference :rate_limit_password_reset, :integer, default: 3 # per IP
 
       # Request body size limit in bytes
       preference :max_request_body_size, :integer, default: 102_400 # 100KB

data/lib/spree/api/dependencies.rb

@@ -96,7 +96,7 @@ module Spree
         price_serializer: 'Spree::Api::V3::PriceSerializer',
         product_serializer: 'Spree::Api::V3::ProductSerializer',
         variant_serializer: 'Spree::Api::V3::VariantSerializer',
-        image_serializer: 'Spree::Api::V3::ImageSerializer',
+        media_serializer: 'Spree::Api::V3::MediaSerializer',
         option_type_serializer: 'Spree::Api::V3::OptionTypeSerializer',
         option_value_serializer: 'Spree::Api::V3::OptionValueSerializer',
         cart_serializer: 'Spree::Api::V3::CartSerializer',
@@ -161,7 +161,7 @@ module Spree
         admin_line_item_serializer: 'Spree::Api::V3::Admin::LineItemSerializer',
         admin_option_type_serializer: 'Spree::Api::V3::Admin::OptionTypeSerializer',
         admin_option_value_serializer: 'Spree::Api::V3::Admin::OptionValueSerializer',
-        admin_image_serializer: 'Spree::Api::V3::Admin::ImageSerializer',
+        admin_media_serializer: 'Spree::Api::V3::Admin::MediaSerializer',
         admin_asset_serializer: 'Spree::Api::V3::Admin::AssetSerializer',
         admin_stock_item_serializer: 'Spree::Api::V3::Admin::StockItemSerializer',
         admin_shipment_serializer: 'Spree::Api::V3::Admin::ShipmentSerializer',

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spree_api
 version: !ruby/object:Gem::Version
-  version: 5.4.0.beta7
+  version: 5.4.0.beta8
 platform: ruby
 authors:
 - Vendo Connect Inc.
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-03-15 00:00:00.000000000 Z
+date: 2026-03-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rswag-specs
@@ -86,14 +86,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.4.0.beta7
+        version: 5.4.0.beta8
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.4.0.beta7
+        version: 5.4.0.beta8
 description: Spree's API
 email:
 - hello@spreecommerce.org
@@ -136,6 +136,7 @@ files:
 - app/controllers/spree/api/v3/store/customer/credit_cards_controller.rb
 - app/controllers/spree/api/v3/store/customer/gift_cards_controller.rb
 - app/controllers/spree/api/v3/store/customer/orders_controller.rb
+- app/controllers/spree/api/v3/store/customer/password_resets_controller.rb
 - app/controllers/spree/api/v3/store/customer/payment_setup_sessions_controller.rb
 - app/controllers/spree/api/v3/store/customers_controller.rb
 - app/controllers/spree/api/v3/store/digitals_controller.rb
@@ -155,13 +156,14 @@ files:
 - app/serializers/spree/api/v3/admin/address_serializer.rb
 - app/serializers/spree/api/v3/admin/adjustment_serializer.rb
 - app/serializers/spree/api/v3/admin/admin_user_serializer.rb
+- app/serializers/spree/api/v3/admin/allowed_origin_serializer.rb
 - app/serializers/spree/api/v3/admin/asset_serializer.rb
 - app/serializers/spree/api/v3/admin/category_serializer.rb
 - app/serializers/spree/api/v3/admin/credit_card_serializer.rb
 - app/serializers/spree/api/v3/admin/customer_serializer.rb
 - app/serializers/spree/api/v3/admin/digital_link_serializer.rb
-- app/serializers/spree/api/v3/admin/image_serializer.rb
 - app/serializers/spree/api/v3/admin/line_item_serializer.rb
+- app/serializers/spree/api/v3/admin/media_serializer.rb
 - app/serializers/spree/api/v3/admin/metafield_serializer.rb
 - app/serializers/spree/api/v3/admin/option_type_serializer.rb
 - app/serializers/spree/api/v3/admin/option_value_serializer.rb
@@ -199,13 +201,13 @@ files:
 - app/serializers/spree/api/v3/export_serializer.rb
 - app/serializers/spree/api/v3/gift_card_batch_serializer.rb
 - app/serializers/spree/api/v3/gift_card_serializer.rb
-- app/serializers/spree/api/v3/image_serializer.rb
 - app/serializers/spree/api/v3/import_row_serializer.rb
 - app/serializers/spree/api/v3/import_serializer.rb
 - app/serializers/spree/api/v3/invitation_serializer.rb
 - app/serializers/spree/api/v3/line_item_serializer.rb
 - app/serializers/spree/api/v3/locale_serializer.rb
 - app/serializers/spree/api/v3/market_serializer.rb
+- app/serializers/spree/api/v3/media_serializer.rb
 - app/serializers/spree/api/v3/metafield_serializer.rb
 - app/serializers/spree/api/v3/newsletter_subscriber_serializer.rb
 - app/serializers/spree/api/v3/option_type_serializer.rb
@@ -266,9 +268,9 @@ licenses:
 - BSD-3-Clause
 metadata:
   bug_tracker_uri: https://github.com/spree/spree/issues
-  changelog_uri: https://github.com/spree/spree/releases/tag/v5.4.0.beta7
+  changelog_uri: https://github.com/spree/spree/releases/tag/v5.4.0.beta8
   documentation_uri: https://docs.spreecommerce.org/
-  source_code_uri: https://github.com/spree/spree/tree/v5.4.0.beta7
+  source_code_uri: https://github.com/spree/spree/tree/v5.4.0.beta8
 post_install_message:
 rdoc_options: []
 require_paths:

data/app/serializers/spree/api/v3/admin/image_serializer.rb

@@ -1,10 +0,0 @@
-module Spree
-  module Api
-    module V3
-      module Admin
-        class ImageSerializer < V3::ImageSerializer
-        end
-      end
-    end
-  end
-end

data/app/serializers/spree/api/v3/image_serializer.rb

@@ -1,43 +0,0 @@
-module Spree
-  module Api
-    module V3
-      class ImageSerializer < AssetSerializer
-        typelize position: :number, alt: [:string, nullable: true], viewable_type: :string, viewable_id: :string,
-                 original_url: [:string, nullable: true], mini_url: [:string, nullable: true],
-                 small_url: [:string, nullable: true], medium_url: [:string, nullable: true],
-                 large_url: [:string, nullable: true], xlarge_url: [:string, nullable: true],
-                 og_image_url: [:string, nullable: true]
-
-        attribute :viewable_id do |image|
-          image.viewable&.prefixed_id
-        end
-
-        attributes :position, :alt, :viewable_type,
-                   created_at: :iso8601, updated_at: :iso8601
-
-        attribute :original_url do |image|
-          image_url_for(image)
-        end
-
-        # Dynamically define attributes for each configured image variant
-        # Uses named variants from Spree::Config.product_image_variant_sizes
-        # (e.g., mini, small, medium, large, xlarge)
-        Spree::Config.product_image_variant_sizes.each_key do |variant_name|
-          attribute :"#{variant_name}_url" do |image|
-            variant_url(image, variant_name)
-          end
-        end
-
-        private
-
-        def variant_url(image, variant_name)
-          return nil unless image&.attachment&.attached?
-
-          Rails.application.routes.url_helpers.cdn_image_url(
-            image.attachment.variant(variant_name)
-          )
-        end
-      end
-    end
-  end
-end