spree_api 5.4.0.beta7 → 5.4.0.beta9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f27a3d636c9e7fdac4e297ba4820d97f91831b4124a1b6aafcc734b4f3906bc
-  data.tar.gz: a436eac6eee920191894f256c587c12f852b5b86f3a978d6af43f032cff1908b
+  metadata.gz: 7630000b76a8d6596d6a94e2e5ef3b928ad55035995a777d79a855da0b83e707
+  data.tar.gz: 5621ebbdb257e9c69518e3ad71a9368954c0fbf7db6ad7a3b4adb237b00cb83b
 SHA512:
-  metadata.gz: adce2c15462e5c368813c95419047c83e686254e93af752832e370a2ed19aa7f5893659ed8b79c982bbe37294695b245d87671d196d93e92d759b9d8fe79caa9
-  data.tar.gz: 1cdec354c04bd65e731b2ee0309170e597012047ede52184ca0cbe2f8323d9af4c0f5ed967cb13fade6c74c3a1206aa058a803992c983b1ae351fc887f77b934
+  metadata.gz: ecdbc7f8b2e6792a1e8641ebaabfcc69423705f032435bb960ff3f2ae36eb19c89dc224b8af79278b3e74536ca95112442139278e847cca9710f437300d9395e
+  data.tar.gz: 8264257bdf243e8bc504880ceed1f99233baaf09bf6e7264714ab9395b59429e0c9c553269012015d9e870dd3dc797b19224d204b7a33518681878533200e71e

data/app/controllers/concerns/spree/api/v3/error_handler.rb

@@ -12,7 +12,10 @@ module Spree
           access_denied: 'access_denied',
           invalid_token: 'invalid_token',
           invalid_provider: 'invalid_provider',
+          invalid_refresh_token: 'invalid_refresh_token',
           current_password_invalid: 'current_password_invalid',
+          password_reset_token_invalid: 'password_reset_token_invalid',
+          redirect_url_not_allowed: 'redirect_url_not_allowed',
 
           # Resource errors
           record_not_found: 'record_not_found',

data/app/controllers/spree/api/v3/store/auth_controller.rb

@@ -7,9 +7,9 @@ module Spree
           rate_limit to: Spree::Api::Config[:rate_limit_login], within: Spree::Api::Config[:rate_limit_window].seconds, store: Rails.cache, only: :create, with: RATE_LIMIT_RESPONSE
           rate_limit to: Spree::Api::Config[:rate_limit_refresh], within: Spree::Api::Config[:rate_limit_window].seconds, store: Rails.cache, only: :refresh, with: RATE_LIMIT_RESPONSE
           rate_limit to: Spree::Api::Config[:rate_limit_oauth], within: Spree::Api::Config[:rate_limit_window].seconds, store: Rails.cache, only: :oauth_callback, with: RATE_LIMIT_RESPONSE
+          rate_limit to: Spree::Api::Config[:rate_limit_refresh], within: Spree::Api::Config[:rate_limit_window].seconds, store: Rails.cache, only: :logout, with: RATE_LIMIT_RESPONSE
 
-          skip_before_action :authenticate_user, only: [:create, :oauth_callback]
-          prepend_before_action :require_authentication!, only: [:refresh]
+          skip_before_action :authenticate_user, only: [:create, :refresh, :oauth_callback]
 
           # POST  /api/v3/store/auth/login
           # Supports multiple authentication providers via :provider param
@@ -23,11 +23,7 @@ module Spree
 
             if result.success?
               user = result.value
-              token = generate_jwt(user)
-              render json: {
-                token: token,
-                user: user_serializer.new(user, params: serializer_params).to_h
-              }
+              render json: auth_response(user)
             else
               render_error(
                 code: ERROR_CODES[:authentication_failed],
@@ -38,21 +34,55 @@ module Spree
           end
 
           # POST  /api/v3/store/auth/refresh
+          # Accepts: { "refresh_token": "rt_xxx" }
+          # Returns new access JWT + rotated refresh token
           def refresh
-            token = generate_jwt(current_user)
+            refresh_token_value = params[:refresh_token]
+
+            if refresh_token_value.blank?
+              return render_error(
+                code: ERROR_CODES[:invalid_refresh_token],
+                message: 'refresh_token is required',
+                status: :unauthorized
+              )
+            end
+
+            refresh_token = Spree::RefreshToken.active.find_by(token: refresh_token_value)
+
+            if refresh_token.nil?
+              return render_error(
+                code: ERROR_CODES[:invalid_refresh_token],
+                message: 'Invalid or expired refresh token',
+                status: :unauthorized
+              )
+            end
+
+            user = refresh_token.user
+            new_refresh_token = refresh_token.rotate!(request_env: request_env_for_token)
+
             render json: {
-              token: token,
-              user: user_serializer.new(current_user, params: serializer_params).to_h
+              token: generate_jwt(user),
+              refresh_token: new_refresh_token.token,
+              user: user_serializer.new(user, params: serializer_params).to_h
             }
           end
 
+          # POST  /api/v3/store/auth/logout
+          # Accepts: { "refresh_token": "rt_xxx" }
+          # Revokes the refresh token
+          def logout
+            refresh_token_value = params[:refresh_token]
+
+            if refresh_token_value.present?
+              Spree::RefreshToken.find_by(token: refresh_token_value)&.destroy
+            end
+
+            head :no_content
+          end
+
           # POST  /api/v3/store/auth/oauth/callback
           # OAuth callback endpoint for server-side OAuth flows
           def oauth_callback
-            # This endpoint is designed for OAuth flows where the server
-            # exchanges the authorization code for an access token
-            # For client-side flows, use the regular /login endpoint with id_token
-
             strategy = authentication_strategy
             return unless strategy # Error already rendered by determine_strategy
 
@@ -60,11 +90,7 @@ module Spree
 
             if result.success?
               user = result.value
-              token = generate_jwt(user)
-              render json: {
-                token: token,
-                user: user_serializer.new(user, params: serializer_params).to_h
-              }
+              render json: auth_response(user)
             else
               render_error(
                 code: ERROR_CODES[:authentication_failed],
@@ -88,6 +114,23 @@ module Spree
 
           private
 
+          def auth_response(user)
+            refresh_token = Spree::RefreshToken.create_for(user, request_env: request_env_for_token)
+
+            {
+              token: generate_jwt(user),
+              refresh_token: refresh_token.token,
+              user: user_serializer.new(user, params: serializer_params).to_h
+            }
+          end
+
+          def request_env_for_token
+            {
+              ip_address: request.remote_ip,
+              user_agent: request.user_agent&.truncate(255)
+            }
+          end
+
           def authentication_strategy
             strategy_class = determine_strategy
             strategy_class.new(

data/app/controllers/spree/api/v3/store/carts/{shipments_controller.rb → fulfillments_controller.rb}

@@ -3,31 +3,31 @@ module Spree
     module V3
       module Store
         module Carts
-          class ShipmentsController < Store::BaseController
+          class FulfillmentsController < Store::BaseController
             include Spree::Api::V3::CartResolvable
             include Spree::Api::V3::OrderLock
 
             before_action :find_cart!
 
-            # GET /api/v3/store/carts/:cart_id/shipments
+            # GET /api/v3/store/carts/:cart_id/fulfillments
             def index
-              shipments = @cart.shipments.includes(shipping_rates: :shipping_method)
+              fulfillments = @cart.shipments.includes(shipping_rates: :shipping_method)
               render json: {
-                data: shipments.map { |s| Spree.api.shipment_serializer.new(s, params: serializer_params).to_h },
-                meta: { count: shipments.size }
+                data: fulfillments.map { |s| Spree.api.fulfillment_serializer.new(s, params: serializer_params).to_h },
+                meta: { count: fulfillments.size }
               }
             end
 
-            # PATCH /api/v3/store/carts/:cart_id/shipments/:id
-            # Select a shipping rate for a specific shipment
+            # PATCH /api/v3/store/carts/:cart_id/fulfillments/:id
+            # Select a delivery rate for a specific fulfillment
             def update
               with_order_lock do
-                shipment = @cart.shipments.find_by_prefix_id!(params[:id])
+                fulfillment = @cart.shipments.find_by_prefix_id!(params[:id])
 
-                if permitted_params[:selected_shipping_rate_id].present?
-                  shipping_rate = shipment.shipping_rates.find_by_prefix_id!(permitted_params[:selected_shipping_rate_id])
-                  shipment.selected_shipping_rate_id = shipping_rate.id
-                  shipment.save!
+                if permitted_params[:selected_delivery_rate_id].present?
+                  delivery_rate = fulfillment.shipping_rates.find_by_prefix_id!(permitted_params[:selected_delivery_rate_id])
+                  fulfillment.selected_shipping_rate_id = delivery_rate.id
+                  fulfillment.save!
                 end
 
                 # Auto-advance (e.g. delivery → payment) after rate selection.
@@ -41,7 +41,7 @@ module Spree
             private
 
             def permitted_params
-              params.permit(:selected_shipping_rate_id)
+              params.permit(:selected_delivery_rate_id)
             end
 
             # Temporary — Spree 6 removes the checkout state machine.

data/app/controllers/spree/api/v3/store/customer/password_resets_controller.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module Spree
+  module Api
+    module V3
+      module Store
+        module Customer
+          class PasswordResetsController < Store::BaseController
+            rate_limit to: Spree::Api::Config[:rate_limit_password_reset],
+                       within: Spree::Api::Config[:rate_limit_window].seconds,
+                       store: Rails.cache,
+                       with: RATE_LIMIT_RESPONSE
+
+            skip_before_action :authenticate_user
+
+            # POST /api/v3/store/customer/password_resets
+            def create
+              redirect_url = params[:redirect_url]
+
+              # Validate redirect_url against allowed origins (secure by default).
+              # If no allowed origins are configured, redirect_url is silently ignored
+              # to prevent open redirect / token exfiltration attacks.
+              if redirect_url.present?
+                if current_store.allowed_origins.exists? && current_store.allowed_origin?(redirect_url)
+                  # redirect_url is valid — keep it
+                else
+                  redirect_url = nil
+                end
+              end
+
+              user = Spree.user_class.find_by(email: params[:email])
+
+              if user
+                token = user.generate_token_for(:password_reset)
+                event_payload = { reset_token: token, email: user.email }
+                event_payload[:redirect_url] = redirect_url if redirect_url.present?
+                user.publish_event('customer.password_reset_requested', event_payload)
+              end
+
+              # Always return 202 to prevent email enumeration
+              render json: { message: Spree.t(:password_reset_requested, scope: :api) }, status: :accepted
+            end
+
+            # PATCH /api/v3/store/customer/password_resets/:id
+            def update
+              user = Spree.user_class.find_by_password_reset_token(params[:id])
+
+              unless user
+                return render_error(
+                  code: ERROR_CODES[:password_reset_token_invalid],
+                  message: Spree.t(:password_reset_token_invalid, scope: :api),
+                  status: :unprocessable_content
+                )
+              end
+
+              if user.update(password: params[:password], password_confirmation: params[:password_confirmation])
+                jwt = generate_jwt(user)
+                refresh_token = Spree::RefreshToken.create_for(user, request_env: { ip_address: request.remote_ip, user_agent: request.user_agent&.truncate(255) })
+                user.publish_event('customer.password_reset')
+
+                render json: {
+                  token: jwt,
+                  refresh_token: refresh_token.token,
+                  user: serializer_class.new(user, params: serializer_params).to_h
+                }
+              else
+                render_errors(user.errors)
+              end
+            end
+
+            protected
+
+            def serializer_class
+              Spree.api.customer_serializer
+            end
+
+            def serializer_params
+              {
+                store: current_store,
+                locale: current_locale,
+                currency: current_currency,
+                user: nil,
+                includes: []
+              }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/customers_controller.rb

@@ -13,9 +13,13 @@ module Spree
             user = Spree.user_class.new(create_params)
 
             if user.save
-              token = generate_jwt(user)
+              refresh_token = Spree::RefreshToken.create_for(user, request_env: {
+                ip_address: request.remote_ip,
+                user_agent: request.user_agent&.truncate(255)
+              })
               render json: {
-                token: token,
+                token: generate_jwt(user),
+                refresh_token: refresh_token.token,
                 user: user_serializer.new(user, params: serializer_params).to_h
               }, status: :created
             else

data/app/controllers/spree/api/v3/store/products_controller.rb

@@ -41,7 +41,7 @@ module Spree
           # these scopes are not automatically picked by ar_lazy_preload gem and we need to explicitly include them
           def scope_includes
             [
-              thumbnail: [attachment_attachment: :blob],
+              primary_media: [attachment_attachment: :blob],
               master: [:prices, stock_items: :stock_location],
               variants: [:prices, stock_items: :stock_location]
             ]

data/app/serializers/spree/api/v3/admin/address_serializer.rb

@@ -4,13 +4,13 @@ module Spree
       module Admin
         class AddressSerializer < V3::AddressSerializer
           typelize label: [:string, nullable: true],
-                   user_id: [:string, nullable: true],
+                   customer_id: [:string, nullable: true],
                    metadata: 'Record<string, unknown> | null'
 
           attributes :label,
                      created_at: :iso8601, updated_at: :iso8601
 
-          attribute :user_id do |address|
+          attribute :customer_id do |address|
             address.user&.prefixed_id
           end
 

data/app/serializers/spree/api/v3/admin/allowed_origin_serializer.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Spree
+  module Api
+    module V3
+      module Admin
+        class AllowedOriginSerializer < V3::BaseSerializer
+          typelize store_id: :string
+
+          attributes :id, :origin
+
+          attribute :store_id do |allowed_origin|
+            allowed_origin.store&.prefixed_id
+          end
+
+          attributes created_at: :iso8601, updated_at: :iso8601
+        end
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/admin/credit_card_serializer.rb

@@ -3,10 +3,10 @@ module Spree
     module V3
       module Admin
         class CreditCardSerializer < V3::CreditCardSerializer
-          typelize user_id: [:string, nullable: true],
+          typelize customer_id: [:string, nullable: true],
                    payment_method_id: [:string, nullable: true]
 
-          attribute :user_id do |credit_card|
+          attribute :customer_id do |credit_card|
             credit_card.user&.prefixed_id
           end
 

data/app/serializers/spree/api/v3/admin/{shipping_method_serializer.rb → delivery_method_serializer.rb}

@@ -2,7 +2,7 @@ module Spree
   module Api
     module V3
       module Admin
-        class ShippingMethodSerializer < V3::ShippingMethodSerializer
+        class DeliveryMethodSerializer < V3::DeliveryMethodSerializer
           attributes created_at: :iso8601, updated_at: :iso8601
         end
       end

data/app/serializers/spree/api/v3/admin/delivery_rate_serializer.rb

@@ -0,0 +1,11 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class DeliveryRateSerializer < V3::DeliveryRateSerializer
+          one :shipping_method, key: :delivery_method, resource: Spree.api.admin_delivery_method_serializer, if: proc { expand?('delivery_method') }
+        end
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/admin/{shipment_serializer.rb → fulfillment_serializer.rb}

@@ -2,7 +2,7 @@ module Spree
   module Api
     module V3
       module Admin
-        class ShipmentSerializer < V3::ShipmentSerializer
+        class FulfillmentSerializer < V3::FulfillmentSerializer
           typelize metadata: 'Record<string, unknown> | null',
                    order_id: [:string, nullable: true],
                    stock_location_id: [:string, nullable: true],
@@ -26,9 +26,9 @@ module Spree
           end
 
           # Override inherited associations to use admin serializers
-          one :shipping_method, resource: Spree.api.admin_shipping_method_serializer, if: proc { expand?('shipping_method') }
+          one :shipping_method, key: :delivery_method, resource: Spree.api.admin_delivery_method_serializer, if: proc { expand?('delivery_method') }
           one :stock_location, resource: Spree.api.admin_stock_location_serializer, if: proc { expand?('stock_location') }
-          many :shipping_rates, resource: Spree.api.admin_shipping_rate_serializer, if: proc { expand?('shipping_rates') }
+          many :shipping_rates, key: :delivery_rates, resource: Spree.api.admin_delivery_rate_serializer, if: proc { expand?('delivery_rates') }
 
           one :order,
               resource: Spree.api.admin_order_serializer,

data/app/serializers/spree/api/v3/admin/media_serializer.rb

@@ -0,0 +1,17 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class MediaSerializer < V3::MediaSerializer
+          typelize viewable_type: :string, viewable_id: :string
+
+          attribute :viewable_id do |asset|
+            asset.viewable&.prefixed_id
+          end
+
+          attributes :viewable_type
+        end
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/admin/order_serializer.rb

@@ -11,7 +11,7 @@ module Spree
                    store_owner_notification_delivered: :boolean,
                    internal_note: [:string, nullable: true], approver_id: [:string, nullable: true],
                    canceler_id: [:string, nullable: true], created_by_id: [:string, nullable: true],
-                   user_id: [:string, nullable: true],
+                   customer_id: [:string, nullable: true],
                    canceled_at: [:string, nullable: true], approved_at: [:string, nullable: true],
                    payment_total: :string, display_payment_total: :string,
                    metadata: 'Record<string, unknown> | null'
@@ -38,14 +38,14 @@ module Spree
             order.created_by&.prefixed_id
           end
 
-          attribute :user_id do |order|
+          attribute :customer_id do |order|
             order.user&.prefixed_id
           end
 
           # Override inherited associations to use admin serializers
           many :order_promotions, key: :promotions, resource: Spree.api.admin_order_promotion_serializer, if: proc { expand?('promotions') }
           many :line_items, key: :items, resource: Spree.api.admin_line_item_serializer, if: proc { expand?('items') }
-          many :shipments, resource: Spree.api.admin_shipment_serializer, if: proc { expand?('shipments') }
+          many :shipments, key: :fulfillments, resource: Spree.api.admin_fulfillment_serializer, if: proc { expand?('fulfillments') }
           many :payments, resource: Spree.api.admin_payment_serializer, if: proc { expand?('payments') }
 
           one :bill_address, resource: Spree.api.admin_address_serializer, if: proc { expand?('bill_address') }
@@ -54,8 +54,9 @@ module Spree
           many :payment_methods, resource: Spree.api.admin_payment_method_serializer, if: proc { expand?('payment_methods') }
 
           one :user,
+              key: :customer,
               resource: Spree.api.admin_customer_serializer,
-              if: proc { expand?('user') }
+              if: proc { expand?('customer') }
 
           one :approver,
               resource: Spree.api.admin_customer_serializer,

data/app/serializers/spree/api/v3/admin/product_serializer.rb

@@ -32,15 +32,14 @@ module Spree
               resource: Spree.api.admin_variant_serializer,
               if: proc { expand?('default_variant') }
 
-          one :master,
-              key: :master_variant,
-              resource: Spree.api.admin_variant_serializer,
-              if: proc { expand?('master_variant') }
-
-          many :variant_images,
-               key: :images,
-               resource: Spree.api.admin_image_serializer,
-               if: proc { expand?('images') }
+          one :primary_media,
+              resource: Spree.api.admin_media_serializer,
+              if: proc { expand?('primary_media') }
+
+          many :gallery_media,
+               key: :media,
+               resource: Spree.api.admin_media_serializer,
+               if: proc { expand?('media') }
 
           many :option_types,
                resource: Spree.api.admin_option_type_serializer,

data/app/serializers/spree/api/v3/admin/store_credit_serializer.rb

@@ -3,11 +3,11 @@ module Spree
     module V3
       module Admin
         class StoreCreditSerializer < V3::StoreCreditSerializer
-          typelize user_id: [:string, nullable: true],
+          typelize customer_id: [:string, nullable: true],
                    created_by_id: [:string, nullable: true],
                    metadata: 'Record<string, unknown> | null'
 
-          attribute :user_id do |store_credit|
+          attribute :customer_id do |store_credit|
             store_credit.user&.prefixed_id
           end
 

data/app/serializers/spree/api/v3/admin/variant_serializer.rb

@@ -20,9 +20,14 @@ module Spree
           end
 
           # Override inherited associations to use admin serializers
-          many :images,
-               resource: Spree.api.admin_image_serializer,
-               if: proc { expand?('images') }
+          one :primary_media,
+              resource: Spree.api.admin_media_serializer,
+              if: proc { expand?('primary_media') }
+
+          many :gallery_media,
+               key: :media,
+               resource: Spree.api.admin_media_serializer,
+               if: proc { expand?('media') }
 
           many :option_values, resource: Spree.api.admin_option_value_serializer
 

data/app/serializers/spree/api/v3/base_serializer.rb

@@ -38,7 +38,7 @@ module Spree
         end
 
         # Check if an association should be expanded
-        # Supports dot notation: expand?('variants') matches both 'variants' and 'variants.images'
+        # Supports dot notation: expand?('variants') matches both 'variants' and 'variants.media'
         def expand?(name)
           name = name.to_s
           expands.any? { |e| e == name || e.start_with?("#{name}.") }

data/app/serializers/spree/api/v3/cart_serializer.rb

@@ -8,7 +8,7 @@ module Spree
                  special_instructions: [:string, nullable: true], currency: :string, locale: [:string, nullable: true], item_count: :number,
                  requirements: 'Array<{step: string, field: string, message: string}>',
                  item_total: :string, display_item_total: :string,
-                 ship_total: :string, display_ship_total: :string,
+                 delivery_total: :string, display_delivery_total: :string,
                  adjustment_total: :string, display_adjustment_total: :string,
                  promo_total: :string, display_promo_total: :string,
                  tax_total: :string, display_tax_total: :string,
@@ -24,12 +24,20 @@ module Spree
 
         attributes :number, :token, :email, :special_instructions,
                    :currency, :locale, :item_count,
-                   :item_total, :display_item_total, :ship_total, :display_ship_total,
+                   :item_total, :display_item_total,
                    :adjustment_total, :display_adjustment_total, :promo_total, :display_promo_total,
                    :tax_total, :display_tax_total, :included_tax_total, :display_included_tax_total,
                    :additional_tax_total, :display_additional_tax_total, :total, :display_total,
                    created_at: :iso8601, updated_at: :iso8601
 
+        attribute :delivery_total do |order|
+          order.ship_total
+        end
+
+        attribute :display_delivery_total do |order|
+          order.display_ship_total.to_s
+        end
+
         attribute :current_step do |order|
           order.current_checkout_step
         end
@@ -44,7 +52,7 @@ module Spree
 
         many :cart_promotions, key: :promotions, resource: Spree.api.cart_promotion_serializer
         many :line_items, key: :items, resource: Spree.api.line_item_serializer
-        many :shipments, resource: Spree.api.shipment_serializer
+        many :shipments, key: :fulfillments, resource: Spree.api.fulfillment_serializer
         many :payments, resource: Spree.api.payment_serializer
         one :bill_address, resource: Spree.api.address_serializer
         one :ship_address, resource: Spree.api.address_serializer

data/app/serializers/spree/api/v3/{shipping_method_serializer.rb → delivery_method_serializer.rb}

@@ -1,7 +1,7 @@
 module Spree
   module Api
     module V3
-      class ShippingMethodSerializer < BaseSerializer
+      class DeliveryMethodSerializer < BaseSerializer
         typelize name: :string, code: [:string, nullable: true]
 
         attributes :name, :code

data/app/serializers/spree/api/v3/{shipping_rate_serializer.rb → delivery_rate_serializer.rb}

@@ -1,11 +1,11 @@
 module Spree
   module Api
     module V3
-      class ShippingRateSerializer < BaseSerializer
-        typelize name: :string, selected: :boolean, shipping_method_id: :string,
+      class DeliveryRateSerializer < BaseSerializer
+        typelize name: :string, selected: :boolean, delivery_method_id: :string,
                  cost: :string, display_cost: :string
 
-        attribute :shipping_method_id do |shipping_rate|
+        attribute :delivery_method_id do |shipping_rate|
           shipping_rate.shipping_method&.prefixed_id
         end
 
@@ -15,7 +15,7 @@ module Spree
           shipping_rate.display_cost.to_s
         end
 
-        one :shipping_method, resource: Spree.api.shipping_method_serializer
+        one :shipping_method, key: :delivery_method, resource: Spree.api.delivery_method_serializer
       end
     end
   end