spree_api 5.4.3 → 5.5.0.rc1

data/config/routes.rb

@@ -6,7 +6,6 @@ Spree::Core::Engine.add_routes do
         post 'auth/login', to: 'auth#create'
         post 'auth/refresh', to: 'auth#refresh'
         post 'auth/logout', to: 'auth#logout'
-        post 'auth/oauth/callback', to: 'auth#oauth_callback'
 
         # Markets
         resources :markets, only: [:index, :show] do
@@ -60,6 +59,13 @@ Spree::Core::Engine.add_routes do
         # Customers
         resources :customers, only: [:create]
 
+        # Newsletter Subscriptions (guest-accessible: subscribe + verify by token)
+        resources :newsletter_subscribers, only: [:create] do
+          collection do
+            post :verify
+          end
+        end
+
         # Current customer profile and nested resources (/customers/me/...)
         namespace :customer, path: 'customers/me' do
           get '/', action: :show, controller: '/spree/api/v3/store/customers'
@@ -90,6 +96,234 @@ Spree::Core::Engine.add_routes do
         resources :feeds, only: [:show], controller: 'data_feeds', param: :slug
       end
 
+      namespace :admin do
+        # Mounts a nested `custom_fields` resource on parents that include
+        # Spree::Metafields. See docs/plans/5.4-6.0-custom-fields-rename.md.
+        concern :custom_fieldable do
+          resources :custom_fields
+        end
+
+        # Definitions are per resource type, not per instance.
+        resources :custom_field_definitions
+
+        # Authentication
+        post 'auth/login', to: 'auth#create'
+        post 'auth/refresh', to: 'auth#refresh'
+        post 'auth/logout', to: 'auth#logout'
+
+        # Public invitation acceptance — unauthenticated; the prefixed ID +
+        # token in the URL act as the credential. Mounted under `auth/` so
+        # the issued refresh-token cookie's path matches `/auth/refresh`.
+        get 'auth/invitations/:id/lookup', to: 'invitation_acceptances#lookup'
+        post 'auth/invitations/:id/accept', to: 'invitation_acceptances#accept'
+
+        # Dashboard
+        namespace :dashboard do
+          get :analytics
+        end
+
+        # Current admin user + permissions (for UI permission checks)
+        get 'me', to: 'me#show'
+
+        # Store Settings
+        resource :store, only: [:show, :update], controller: 'store'
+
+        # Staff & access (invitations, admin users, roles, API keys)
+        resources :admin_users, only: [:index, :show, :update, :destroy]
+        resources :invitations, only: [:index, :show, :create, :destroy] do
+          member do
+            patch :resend
+          end
+        end
+        resources :api_keys, only: [:index, :show, :create, :destroy] do
+          member do
+            patch :revoke
+          end
+        end
+        resources :allowed_origins
+        resources :webhook_endpoints do
+          member do
+            post :send_test
+            patch :enable
+            patch :disable
+          end
+          resources :deliveries, controller: 'webhook_deliveries', only: [:index, :show] do
+            member do
+              post :redeliver
+            end
+          end
+        end
+        resources :roles, only: [:index, :show]
+
+        # Direct Uploads (Active Storage)
+        resources :direct_uploads, only: [:create]
+
+        # CSV Exports — see docs/plans/5.5-admin-spa-csv-export.md
+        resources :exports, only: [:index, :show, :create, :destroy] do
+          member do
+            get :download
+          end
+        end
+
+        # Products
+        resources :products, concerns: :custom_fieldable do
+          member do
+            post :clone
+          end
+          collection do
+            post :bulk_status_update
+            post :bulk_add_to_categories
+            post :bulk_remove_from_categories
+            post :bulk_add_to_channels
+            post :bulk_remove_from_channels
+            post :bulk_add_tags
+            post :bulk_remove_tags
+            delete :bulk_destroy
+          end
+          resources :variants, controller: 'products/variants' do
+            resources :media, controller: 'media', only: [:index, :create, :update, :destroy]
+          end
+          resources :media, controller: 'media', only: [:index, :create, :update, :destroy]
+        end
+
+        # Categories
+        resources :categories, only: [:index, :show], concerns: :custom_fieldable
+
+        # Option Types (with nested option_values in payload)
+        resources :option_types, concerns: :custom_fieldable
+
+        # Tax Categories
+        resources :tax_categories
+
+        # Markets
+        resources :markets
+
+        # Store Credit Categories (read-only — for store credit dropdowns)
+        resources :store_credit_categories, only: [:index, :show]
+
+        # Inventory
+        resources :stock_locations
+        resources :stock_reservations, only: [:index, :show]
+        resources :stock_items, only: [:index, :show, :update, :destroy]
+        resources :stock_transfers, only: [:index, :show, :create, :destroy]
+
+        # Payment Methods
+        resources :payment_methods do
+          collection do
+            get :types
+          end
+        end
+
+        # Promotions, with nested actions/rules/coupon codes.
+        resources :promotions do
+          resources :promotion_actions, only: [:index, :show, :create, :update, :destroy]
+          resources :promotion_rules, only: [:index, :show, :create, :update, :destroy]
+          resources :coupon_codes, only: [:index, :show]
+        end
+
+        # Subclass discovery for the promotion editor: `/promotion_actions/types`
+        # and `/promotion_rules/types` enumerate registered subclasses with
+        # their preference schemas. Top-level so the SPA can build the
+        # "Add action / Add rule" pickers without a parent promotion.
+        get 'promotion_actions/types', to: 'promotion_actions#types'
+        get 'promotion_rules/types',   to: 'promotion_rules#types'
+
+        # Calculator catalog for actions that include CalculatedAdjustments
+        # (CreateAdjustment, CreateItemAdjustments). Returns the registered
+        # calculator subclasses for the given action type along with each
+        # calculator's preference schema, so the SPA can render the picker
+        # + nested calculator preferences.
+        get 'promotion_actions/calculators', to: 'promotion_actions#calculators'
+
+        # Tags (autocomplete for product/order/user tag inputs)
+        resources :tags, only: [:index]
+
+        # Customers
+        resources :customers, concerns: :custom_fieldable do
+          resources :addresses, controller: 'customers/addresses'
+          resources :credit_cards, controller: 'customers/credit_cards', only: [:index, :show, :destroy]
+          resources :store_credits, controller: 'customers/store_credits'
+
+          collection do
+            post :bulk_add_to_groups
+            post :bulk_remove_from_groups
+            post :bulk_add_tags
+            post :bulk_remove_tags
+          end
+        end
+
+        # Customer groups (segmentation; used by promotion rules + bulk customer ops)
+        resources :customer_groups
+
+        # Price lists
+        resources :price_lists do
+          collection do
+            get :price_rule_types
+          end
+          member do
+            patch :activate
+            patch :deactivate
+          end
+        end
+
+        # Prices (generic — covers base prices AND price-list overrides).
+        resources :prices do
+          collection do
+            post :bulk_upsert
+            delete :bulk_destroy
+          end
+        end
+
+        # Gift cards
+        resources :gift_cards
+        resources :gift_card_batches, only: [:index, :show, :create]
+
+        # Channels (per-store distribution surfaces)
+        resources :channels do
+          member do
+            post :add_products
+            post :remove_products
+          end
+        end
+
+        # Variants (top-level, for search/autocomplete across all products)
+        resources :variants, only: [:index, :show], concerns: :custom_fieldable
+
+        # Countries (with ?expand=states for state/province dropdown)
+        resources :countries, only: [:index, :show]
+
+        # Orders
+        resources :orders, concerns: :custom_fieldable do
+          member do
+            patch :complete
+            patch :cancel
+            patch :approve
+            patch :resume
+            post :resend_confirmation
+          end
+
+          resources :items, only: [:index, :show, :create, :update, :destroy], controller: 'orders/items'
+          resources :fulfillments, controller: 'orders/fulfillments', only: [:index, :show, :update] do
+            member do
+              patch :fulfill
+              patch :cancel
+              patch :resume
+              patch :split
+            end
+          end
+          resources :payments, controller: 'orders/payments', only: [:index, :show, :create] do
+            member do
+              patch :capture
+              patch :void
+            end
+          end
+          resources :refunds, controller: 'orders/refunds', only: [:index, :create]
+          resources :adjustments, controller: 'orders/adjustments', only: [:index, :show]
+          resources :gift_cards, controller: 'orders/gift_cards', only: [:create, :destroy]
+          resource :store_credits, controller: 'orders/store_credits', only: [:create, :destroy]
+        end
+      end
+
       # Webhooks (outside of store namespace — no API key authentication)
       namespace :webhooks do
         post 'payments/:payment_method_id', to: 'payments#create', as: :payment_webhook

data/lib/spree/api/configuration.rb

@@ -9,7 +9,8 @@ module Spree
       preference :api_v2_content_type, :string, default: 'application/vnd.api+json'
       preference :api_v2_per_page_limit, :integer, default: 500
 
-      preference :jwt_expiration, :integer, default: 3600 # 1 hour in seconds
+      preference :jwt_expiration, :integer, default: 3600 # 1 hour in seconds (customer/store JWT default)
+      preference :admin_jwt_expiration, :integer, default: 300 # 5 minutes — admin tokens have higher blast radius
       preference :jwt_secret_key, :string, default: nil
       preference :refresh_token_expiry, :integer, default: 2_592_000 # 30 days in seconds
 
@@ -19,7 +20,6 @@ module Spree
       preference :rate_limit_login, :integer, default: 5 # per IP
       preference :rate_limit_register, :integer, default: 3 # per IP
       preference :rate_limit_refresh, :integer, default: 10 # per IP
-      preference :rate_limit_oauth, :integer, default: 5 # per IP
       preference :rate_limit_password_reset, :integer, default: 3 # per IP
 
       # Request body size limit in bytes

data/lib/spree/api/dependencies.rb

@@ -113,6 +113,8 @@ module Spree
         address_serializer: 'Spree::Api::V3::AddressSerializer',
         customer_serializer: 'Spree::Api::V3::CustomerSerializer',
         country_serializer: 'Spree::Api::V3::CountrySerializer',
+        channel_serializer: 'Spree::Api::V3::ChannelSerializer',
+        product_publication_serializer: 'Spree::Api::V3::ProductPublicationSerializer',
         market_serializer: 'Spree::Api::V3::MarketSerializer',
         state_serializer: 'Spree::Api::V3::StateSerializer',
         wishlist_serializer: 'Spree::Api::V3::WishlistSerializer',
@@ -153,6 +155,7 @@ module Spree
         return_item_serializer: 'Spree::Api::V3::ReturnItemSerializer',
         stock_item_serializer: 'Spree::Api::V3::StockItemSerializer',
         stock_movement_serializer: 'Spree::Api::V3::StockMovementSerializer',
+        stock_reservation_serializer: 'Spree::Api::V3::StockReservationSerializer',
         stock_transfer_serializer: 'Spree::Api::V3::StockTransferSerializer',
 
         # v3 admin serializers (API v3 Admin)
@@ -166,16 +169,18 @@ module Spree
         admin_price_serializer: 'Spree::Api::V3::Admin::PriceSerializer',
         admin_price_history_serializer: 'Spree::Api::V3::Admin::PriceHistorySerializer',
         admin_custom_field_serializer: 'Spree::Api::V3::Admin::CustomFieldSerializer',
+        admin_custom_field_definition_serializer: 'Spree::Api::V3::Admin::CustomFieldDefinitionSerializer',
         admin_category_serializer: 'Spree::Api::V3::Admin::CategorySerializer',
         admin_line_item_serializer: 'Spree::Api::V3::Admin::LineItemSerializer',
         admin_option_type_serializer: 'Spree::Api::V3::Admin::OptionTypeSerializer',
         admin_option_value_serializer: 'Spree::Api::V3::Admin::OptionValueSerializer',
         admin_media_serializer: 'Spree::Api::V3::Admin::MediaSerializer',
-        admin_asset_serializer: 'Spree::Api::V3::Admin::AssetSerializer',
         admin_stock_item_serializer: 'Spree::Api::V3::Admin::StockItemSerializer',
+        admin_stock_transfer_serializer: 'Spree::Api::V3::Admin::StockTransferSerializer',
         admin_shipment_serializer: 'Spree::Api::V3::Admin::FulfillmentSerializer',
         admin_fulfillment_serializer: 'Spree::Api::V3::Admin::FulfillmentSerializer',
         admin_gift_card_serializer: 'Spree::Api::V3::Admin::GiftCardSerializer',
+        admin_gift_card_batch_serializer: 'Spree::Api::V3::Admin::GiftCardBatchSerializer',
         admin_payment_serializer: 'Spree::Api::V3::Admin::PaymentSerializer',
         admin_refund_serializer: 'Spree::Api::V3::Admin::RefundSerializer',
         admin_adjustment_serializer: 'Spree::Api::V3::Admin::AdjustmentSerializer',
@@ -185,17 +190,36 @@ module Spree
         admin_reimbursement_serializer: 'Spree::Api::V3::Admin::ReimbursementSerializer',
         admin_admin_user_serializer: 'Spree::Api::V3::Admin::AdminUserSerializer',
         admin_address_serializer: 'Spree::Api::V3::Admin::AddressSerializer',
+        admin_channel_serializer: 'Spree::Api::V3::Admin::ChannelSerializer',
+        admin_product_publication_serializer: 'Spree::Api::V3::Admin::ProductPublicationSerializer',
         admin_market_serializer: 'Spree::Api::V3::Admin::MarketSerializer',
         admin_shipping_method_serializer: 'Spree::Api::V3::Admin::DeliveryMethodSerializer',
         admin_delivery_method_serializer: 'Spree::Api::V3::Admin::DeliveryMethodSerializer',
         admin_stock_location_serializer: 'Spree::Api::V3::Admin::StockLocationSerializer',
+        admin_stock_reservation_serializer: 'Spree::Api::V3::Admin::StockReservationSerializer',
         admin_shipping_rate_serializer: 'Spree::Api::V3::Admin::DeliveryRateSerializer',
         admin_delivery_rate_serializer: 'Spree::Api::V3::Admin::DeliveryRateSerializer',
         admin_payment_method_serializer: 'Spree::Api::V3::Admin::PaymentMethodSerializer',
         admin_credit_card_serializer: 'Spree::Api::V3::Admin::CreditCardSerializer',
         admin_store_credit_serializer: 'Spree::Api::V3::Admin::StoreCreditSerializer',
+        admin_store_credit_category_serializer: 'Spree::Api::V3::Admin::StoreCreditCategorySerializer',
+        admin_customer_group_serializer: 'Spree::Api::V3::Admin::CustomerGroupSerializer',
         admin_payment_source_serializer: 'Spree::Api::V3::Admin::PaymentSourceSerializer',
         admin_digital_link_serializer: 'Spree::Api::V3::Admin::DigitalLinkSerializer',
+        admin_store_serializer: 'Spree::Api::V3::Admin::StoreSerializer',
+        admin_api_key_serializer: 'Spree::Api::V3::Admin::ApiKeySerializer',
+        admin_allowed_origin_serializer: 'Spree::Api::V3::Admin::AllowedOriginSerializer',
+        admin_webhook_endpoint_serializer: 'Spree::Api::V3::Admin::WebhookEndpointSerializer',
+        admin_webhook_delivery_serializer: 'Spree::Api::V3::Admin::WebhookDeliverySerializer',
+        admin_invitation_serializer: 'Spree::Api::V3::Admin::InvitationSerializer',
+        admin_role_serializer: 'Spree::Api::V3::Admin::RoleSerializer',
+        admin_export_serializer: 'Spree::Api::V3::Admin::ExportSerializer',
+        admin_promotion_serializer: 'Spree::Api::V3::Admin::PromotionSerializer',
+        admin_promotion_action_serializer: 'Spree::Api::V3::Admin::PromotionActionSerializer',
+        admin_promotion_rule_serializer: 'Spree::Api::V3::Admin::PromotionRuleSerializer',
+        admin_coupon_code_serializer: 'Spree::Api::V3::Admin::CouponCodeSerializer',
+        admin_price_list_serializer: 'Spree::Api::V3::Admin::PriceListSerializer',
+        admin_price_rule_serializer: 'Spree::Api::V3::Admin::PriceRuleSerializer',
 
         # platform serializers
         platform_metafield_serializer: 'Spree::Api::V2::Platform::MetafieldSerializer',

data/lib/spree/api/openapi/path_sorter.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+module Spree
+  module Api
+    module OpenAPI
+      # Reorders the `paths:` block of a generated OpenAPI YAML so paths are grouped
+      # by tag, in the same order as the top-level `tags:` array.
+      #
+      # rswag emits paths in the order specs are loaded (alphabetical by filename),
+      # which doesn't match the curated `tags:` array order in swagger_helper.rb.
+      # Mintlify groups sidebar sections by the *first appearance* of each tag in
+      # `paths:` — so after this sort runs, the sidebar matches the `tags:` array.
+      #
+      # The reorder is line-based to preserve the exact text formatting that
+      # rswag/Psych produced (indentation, multi-line string wrapping, etc.).
+      module PathSorter
+        module_function
+
+        # Sort the `paths:` block in `path` so each path's first-operation primary
+        # tag follows the order defined in the document's top-level `tags:` array.
+        # Returns true if the file was rewritten, false if already sorted.
+        def sort_file!(path)
+          original = File.read(path)
+          sorted = sort_text(original)
+          return false if sorted == original
+
+          File.write(path, sorted)
+          true
+        end
+
+        # Pure-string variant: sort a YAML document's `paths:` block by tag order.
+        def sort_text(yaml)
+          lines = yaml.lines
+          tag_rank = extract_tag_rank(lines)
+          return yaml if tag_rank.empty?
+
+          paths_start = lines.index { |l| l.start_with?('paths:') }
+          return yaml unless paths_start
+
+          paths_end_exclusive = (paths_start + 1...lines.size).find do |i|
+            line = lines[i]
+            line.match?(/\A[A-Za-z]/) || line.start_with?('x-')
+          end || lines.size
+
+          blocks = collect_path_blocks(lines, paths_start + 1, paths_end_exclusive)
+          return yaml if blocks.empty?
+
+          unknown_rank = tag_rank.size
+          sorted_blocks = blocks.each_with_index.sort_by do |block, original_index|
+            [tag_rank.fetch(block[:tag], unknown_rank), original_index]
+          end.map(&:first)
+
+          prefix = lines[0..paths_start].join
+          suffix = lines[paths_end_exclusive..].to_a.join
+          prefix + sorted_blocks.map { |b| b[:text] }.join + suffix
+        end
+
+        # Parse the top-level `tags:` block and return { tag_name => index } in
+        # declared order. Returns {} if not found.
+        def extract_tag_rank(lines)
+          start = lines.index { |l| l.start_with?('tags:') }
+          return {} unless start
+
+          rank = {}
+          i = start + 1
+          while i < lines.size
+            line = lines[i]
+            if line.start_with?('- name: ')
+              rank[line.sub('- name: ', '').strip] = rank.size
+            elsif line.match?(/\A[A-Za-z]/) || line.start_with?('x-')
+              break
+            end
+            i += 1
+          end
+          rank
+        end
+
+        # Collect each path block as { tag:, text: } from lines[range].
+        # A path block starts on a line beginning with two spaces + a quote.
+        def collect_path_blocks(lines, start_idx, end_idx_exclusive)
+          blocks = []
+          current_start = nil
+
+          (start_idx...end_idx_exclusive).each do |i|
+            if path_header?(lines[i])
+              blocks << build_block(lines, current_start, i) if current_start
+              current_start = i
+            end
+          end
+          blocks << build_block(lines, current_start, end_idx_exclusive) if current_start
+
+          blocks
+        end
+
+        def path_header?(line)
+          line.start_with?('  "/') || line.start_with?('  /')
+        end
+
+        def build_block(lines, from, to_exclusive)
+          slice = lines[from...to_exclusive]
+          {
+            tag: extract_primary_tag(slice),
+            text: slice.join
+          }
+        end
+
+        # Within a path block, find the first `tags:` line and return the first
+        # tag value following it (the path block's "primary" tag).
+        def extract_primary_tag(slice)
+          slice.each_with_index do |line, idx|
+            next unless line.match?(/\A {6}tags:\s*$/)
+
+            slice[(idx + 1)..].each do |next_line|
+              if next_line.start_with?('      - ')
+                value = next_line[8..].strip
+                return value unless value.empty?
+              end
+              break if next_line.match?(/\A {0,4}\S/)
+            end
+          end
+          nil
+        end
+      end
+    end
+  end
+end