spree_api 5.4.3 → 5.5.0.rc2

data/app/controllers/spree/api/v3/admin/stock_transfers_controller.rb

@@ -0,0 +1,75 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # Inventory movement between stock locations, or vendor → location
+        # for receives. Pass `source_location_id` for transfers; omit it to
+        # record an external receive.
+        class StockTransfersController < ResourceController
+          scoped_resource :stock
+
+          def create
+            authorize!(:create, model_class)
+
+            destination = Spree::StockLocation.find_by_prefix_id!(params[:destination_location_id])
+            source = params[:source_location_id].present? ?
+              Spree::StockLocation.find_by_prefix_id!(params[:source_location_id]) : nil
+
+            variants_map = build_variants_map
+            if variants_map.empty?
+              return render_error(
+                code: 'invalid_variants',
+                message: Spree.t('stock_transfer.errors.must_have_variant'),
+                status: :unprocessable_content
+              )
+            end
+
+            @resource = source ?
+              Spree::StockTransfer.new(reference: params[:reference]).tap { |t| t.transfer(source, destination, variants_map) } :
+              Spree::StockTransfer.new(reference: params[:reference]).tap { |t| t.receive(destination, variants_map) }
+
+            if @resource.persisted?
+              render json: serialize_resource(@resource), status: :created
+            else
+              render_validation_error(@resource.errors)
+            end
+          end
+
+          protected
+
+          def model_class
+            Spree::StockTransfer
+          end
+
+          def serializer_class
+            Spree.api.admin_stock_transfer_serializer
+          end
+
+          def collection_includes
+            [:source_location, :destination_location]
+          end
+
+          private
+
+          # Variants the merchant doesn't have access to are dropped silently;
+          # if the resulting map is empty the action surfaces a 422
+          # `invalid_variants` so callers can distinguish "nothing supplied"
+          # from "all variants were rejected." A single SELECT covers any
+          # number of variants instead of N round-trips.
+          def build_variants_map
+            entries = params.permit(variants: [:variant_id, :quantity]).fetch(:variants, [])
+            quantities_by_id = entries.each_with_object({}) do |entry, hash|
+              decoded = Spree::PrefixedId.decode_prefixed_id(entry[:variant_id])
+              hash[decoded.to_i] = entry[:quantity].to_i if decoded
+            end
+
+            Spree::Variant.where(id: quantities_by_id.keys).each_with_object({}) do |variant, acc|
+              quantity = quantities_by_id[variant.id]
+              acc[variant] = quantity if quantity&.positive?
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/store_controller.rb

@@ -0,0 +1,53 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class StoreController < Admin::BaseController
+          scoped_resource :settings
+
+          # GET /api/v3/admin/store
+          def show
+            authorize! :show, current_store
+            render json: serialize_store
+          end
+
+          # PATCH /api/v3/admin/store
+          def update
+            authorize! :update, current_store
+
+            if current_store.update(permitted_params)
+              render json: serialize_store
+            else
+              render_validation_error(current_store.errors)
+            end
+          end
+
+          private
+
+          def serialize_store
+            serializer_class.new(current_store, params: serializer_params).to_h
+          end
+
+          def serializer_class
+            Spree.api.admin_store_serializer
+          end
+
+          def permitted_params
+            params.permit(
+              :name,
+              :preferred_admin_locale,
+              :preferred_timezone,
+              :preferred_weight_unit,
+              :preferred_unit_system,
+              :mail_from_address,
+              :customer_support_email,
+              :new_order_notifications_email,
+              :preferred_send_consumer_transactional_emails,
+              :mailer_logo
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/store_credit_categories_controller.rb

@@ -0,0 +1,21 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class StoreCreditCategoriesController < ResourceController
+          scoped_resource :settings
+
+          protected
+
+          def model_class
+            Spree::StoreCreditCategory
+          end
+
+          def serializer_class
+            Spree.api.admin_store_credit_category_serializer
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/tags_controller.rb

@@ -0,0 +1,51 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class TagsController < BaseController
+          skip_scope_check!
+
+          MAX_RESULTS = 50
+
+          def index
+            taggable_type = params[:taggable_type].to_s
+            unless allowed_taggable_types.include?(taggable_type)
+              render_error(
+                code: 'invalid_taggable_type',
+                message: "taggable_type must be one of #{allowed_taggable_types.join(', ')}",
+                status: :unprocessable_content
+              )
+              return
+            end
+
+            scope = ActsAsTaggableOn::Tag.
+                    joins(:taggings).
+                    where(ActsAsTaggableOn.taggings_table => { taggable_type: taggable_type, context: 'tags' }).
+                    distinct.
+                    order(:name).
+                    limit(MAX_RESULTS)
+
+            if params[:q].present?
+              # Escape LIKE wildcards in user input so a query like "foo_" matches
+              # only the literal underscore, not any single character.
+              escaped = params[:q].to_s.downcase.gsub(/[\\%_]/) { |c| "\\#{c}" }
+              scope = scope.where('LOWER(name) LIKE ? ESCAPE ?', "%#{escaped}%", '\\')
+            end
+
+            render json: { data: scope.pluck(:name).map { |name| { name: name } } }
+          end
+
+          private
+
+          # Sourced from `Spree.taggable_types` (registered in
+          # `Spree::Core::Engine`'s after_initialize block). Apps extend the
+          # list in an initializer without overriding this controller:
+          #   Spree.taggable_types << 'MyApp::Vendor'
+          def allowed_taggable_types
+            Spree.taggable_types
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/tax_categories_controller.rb

@@ -0,0 +1,21 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class TaxCategoriesController < ResourceController
+          scoped_resource :settings
+
+          protected
+
+          def model_class
+            Spree::TaxCategory
+          end
+
+          def serializer_class
+            Spree.api.admin_tax_category_serializer
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/variants_controller.rb

@@ -0,0 +1,33 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class VariantsController < ResourceController
+          scoped_resource :products
+
+          protected
+
+          def model_class
+            Spree::Variant
+          end
+
+          def serializer_class
+            Spree.api.admin_variant_serializer
+          end
+
+          def scope
+            current_store.variants.eligible.accessible_by(current_ability, ability_action_for_request)
+          end
+
+          def scope_includes
+            [
+              :prices, stock_items: :stock_location,
+              option_values: :option_type,
+              primary_media: [attachment_attachment: :blob]
+            ]
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/webhook_deliveries_controller.rb

@@ -0,0 +1,49 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # Nested under WebhookEndpoint — deliveries are always read in the
+        # context of their endpoint (the delivery log on the endpoint detail
+        # page) and never accessed by ID at the top level.
+        class WebhookDeliveriesController < ResourceController
+          scoped_resource :webhooks
+
+          # POST /api/v3/admin/webhook_endpoints/:webhook_endpoint_id/deliveries/:id/redeliver
+          #
+          # Creates a new delivery row with the same payload + event_name and
+          # queues it. The original row is preserved for audit history.
+          #
+          # @return [Hash] the serialized newly-queued {Spree::WebhookDelivery},
+          #   HTTP 201.
+          def redeliver
+            @resource = find_resource
+            authorize!(:update, webhook_endpoint)
+
+            new_delivery = @resource.redeliver!
+            render json: serialize_resource(new_delivery), status: :created
+          end
+
+          protected
+
+          def model_class
+            Spree::WebhookDelivery
+          end
+
+          def serializer_class
+            Spree.api.admin_webhook_delivery_serializer
+          end
+
+          def scope
+            webhook_endpoint.webhook_deliveries.recent
+          end
+
+          def webhook_endpoint
+            @webhook_endpoint ||= current_store.webhook_endpoints.find_by_prefix_id!(
+              params[:webhook_endpoint_id]
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/webhook_endpoints_controller.rb

@@ -0,0 +1,75 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # Admin API for outbound webhook endpoints — CRUD plus the three
+        # endpoint-scoped actions the legacy admin had (send_test, enable,
+        # disable).
+        class WebhookEndpointsController < ResourceController
+          scoped_resource :webhooks
+
+          # POST /api/v3/admin/webhook_endpoints/:id/send_test
+          #
+          # Fires a synthetic `webhook.test` delivery so admins can verify the
+          # endpoint is reachable + their signature-verification code works.
+          #
+          # @return [Hash] the serialized {Spree::WebhookDelivery}, HTTP 201.
+          def send_test
+            @resource = find_resource
+            authorize!(:update, @resource)
+
+            delivery = @resource.send_test!
+            render json: Spree.api.admin_webhook_delivery_serializer.new(delivery).to_h, status: :created
+          end
+
+          # PATCH /api/v3/admin/webhook_endpoints/:id/enable
+          #
+          # Re-enables an endpoint that was auto-disabled after repeated failures.
+          #
+          # @return [Hash] the serialized {Spree::WebhookEndpoint}.
+          def enable
+            @resource = find_resource
+            authorize!(:update, @resource)
+
+            @resource.enable!
+            render json: serialize_resource(@resource)
+          end
+
+          # PATCH /api/v3/admin/webhook_endpoints/:id/disable
+          #
+          # Manual disable — separate from the auto-disable threshold so the
+          # caller can pause an endpoint without waiting for failures.
+          #
+          # @param reason [String] optional human-readable reason; defaults to
+          #   `"Manually disabled"` when blank.
+          # @return [Hash] the serialized {Spree::WebhookEndpoint}.
+          def disable
+            @resource = find_resource
+            authorize!(:update, @resource)
+
+            @resource.disable!(reason: params[:reason].presence || 'Manually disabled', notify: false)
+            render json: serialize_resource(@resource)
+          end
+
+          protected
+
+          def model_class
+            Spree::WebhookEndpoint
+          end
+
+          def serializer_class
+            Spree.api.admin_webhook_endpoint_serializer
+          end
+
+          def scope
+            current_store.webhook_endpoints.accessible_by(current_ability, :show)
+          end
+
+          def permitted_params
+            params.permit(:name, :url, :active, subscriptions: [])
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/resource_controller.rb

@@ -2,6 +2,11 @@ module Spree
   module Api
     module V3
       class ResourceController < BaseController
+        include Spree::Api::V3::ParamsNormalizer
+
+        # Must run before +set_resource+: +scope+'s +accessible_by+ depends on
+        # the post-authentication +current_ability+.
+        before_action :authenticate_request!
         before_action :set_parent
         before_action :set_resource, only: [:show, :update, :destroy]
 
@@ -48,13 +53,36 @@ module Spree
         end
 
         # DELETE /api/v3/resource/:id
+        # Domain rules like "redeemed gift cards cannot be deleted" live on
+        # the model via `can_be_deleted?` and apply to all callers (JWT and
+        # API key). When `can_be_deleted?` returns false we render 422
+        # (resource state forbids the request) rather than 403, since the
+        # caller is authorized — it's the resource's state that's blocking
+        # the operation. Models that prefer CanCan-gated destroy can opt in
+        # via their ability (e.g. `can :destroy, Spree::Order, &:can_be_deleted?`),
+        # which raises before the controller hook fires and yields 403.
         def destroy
-          @resource.destroy
+          if @resource.respond_to?(:can_be_deleted?) && !@resource.can_be_deleted?
+            message = Spree.t(:cannot_delete, scope: 'api', model: @resource.class.model_name.human)
+            return render_error(
+              code: ERROR_CODES[:validation_error],
+              message: message,
+              status: :unprocessable_content
+            )
+          end
+
+          @resource.destroy!
           head :no_content
+        rescue ActiveRecord::RecordNotDestroyed => e
+          render_validation_error(e.record.errors.presence || e.message)
         end
 
         protected
 
+        def authenticate_request!
+          raise NotImplementedError, "#{self.class} must implement authenticate_request!"
+        end
+
         # No-op HTTP caching methods. Include Spree::Api::V3::HttpCaching
         # in specific controllers to enable HTTP caching for their actions.
         def cache_collection(_collection, **_options)
@@ -80,11 +108,16 @@ module Spree
 
         # Builds a new resource, using parent association when @parent is set
         def build_resource
-          if @parent.present?
-            @parent.send(parent_association).build(permitted_params)
-          else
-            model_class.new(permitted_params)
-          end
+          resource = if @parent.present?
+                       @parent.send(parent_association).build(permitted_params)
+                     else
+                       model_class.new(permitted_params)
+                     end
+          resource.store = current_store if resource.respond_to?(:store_id) && resource.store_id.blank?
+          # very ugly code we need to still support for promotion/payment_method until we migrate them into single store in spree 6.0
+          resource.store_ids = [current_store.id] if resource.respond_to?(:store_ids) && resource.store_ids.blank? && !resource.respond_to?(:store_id)
+          resource.created_by = try_spree_current_user if resource.respond_to?(:created_by_id)
+          resource
         end
 
         # Finds a single resource within scope using prefixed ID
@@ -133,8 +166,11 @@ module Spree
         # Ransack query parameters with sort translation.
         # Translates `-field` notation (JSON:API standard) to Ransack `s` format.
         # e.g., sort=-price,name → s=price desc,name asc
+        # Also decodes Stripe-style prefixed IDs found in keys like `*_id_eq`,
+        # `*_id_in`, `*_id_not_eq`, etc. so SPA filters can pass prefixed IDs.
         def ransack_params
           rp = params[:q]&.to_unsafe_h || params[:q] || {}
+          rp = decode_prefixed_id_predicates(rp)
           sort_value = sort_param
 
           if sort_value.present?
@@ -151,6 +187,37 @@ module Spree
           rp
         end
 
+        def decode_prefixed_id_predicates(hash)
+          return hash unless hash.is_a?(Hash)
+
+          hash.each_with_object({}) do |(key, value), result|
+            result[key] = if ransack_id_predicate?(key)
+                            Array(value).map { |v| Spree::PrefixedId.prefixed_id?(v) ? Spree::PrefixedId.decode_prefixed_id(v) || v : v }.then { |arr|
+                              value.is_a?(Array) ? arr : arr.first
+                            }
+                          elsif value.is_a?(Hash)
+                            decode_prefixed_id_predicates(value)
+                          else
+                            value
+                          end
+          end
+        end
+
+        # Matches both prefixed-FK predicates (`product_id_in`, `tax_category_id_eq`)
+        # and the bare-`id` predicates (`id_in`, `id_eq`) on the resource's
+        # primary key. Without the bare-id branch, `q[id_in][]=prod_x` would
+        # be passed to Ransack verbatim and never match any row.
+        #
+        # Requires a Ransack-predicate suffix (`_eq`, `_in`, ...) — bare
+        # `_id`/`_ids` keys without a suffix are scope names, not predicates
+        # (e.g. `with_option_value_ids` is a custom scope that handles its
+        # own decoding). Decoding those would double-strip prefixes and
+        # break downstream filter code.
+        RANSACK_ID_PREDICATE_RE = /(?:\A|_)id(?:s)?_(?:eq|not_eq|in|not_in|lt|lteq|gt|gteq)\z/.freeze
+        def ransack_id_predicate?(key)
+          RANSACK_ID_PREDICATE_RE.match?(key.to_s)
+        end
+
         # Sort parameter from the request
         def sort_param
           params[:sort]
@@ -194,12 +261,54 @@ module Spree
                        else
                          model_class.for_store(current_store)
                        end
-          base_scope = base_scope.accessible_by(current_ability, :show) unless @parent.present?
+          base_scope = base_scope.accessible_by(current_ability, ability_action_for_request) unless @parent.present?
           base_scope = base_scope.includes(scope_includes) if scope_includes.any?
           base_scope = base_scope.preload_associations_lazily
           model_class.include?(Spree::TranslatableResource) ? base_scope.i18n : base_scope
         end
 
+        # Action names treated as reads. Override in subclasses with custom
+        # read-only member/collection actions (e.g. add `analytics`, `types`)
+        # so they map to the `:show` ability instead of a write.
+        def read_actions
+          %w[index show]
+        end
+
+        # Maps the current request to the CanCanCan action used to scope the
+        # collection. Read actions (see +read_actions+) map to `:show`; every
+        # other request maps by HTTP method. Exposed so controllers that
+        # override +scope+ can keep the same `accessible_by` action as the
+        # base implementation.
+        def ability_action_for_request
+          return :show if read_actions.include?(action_name)
+
+          case request.method
+          when 'GET', 'HEAD' then :show
+          when 'POST' then :create
+          when 'PATCH', 'PUT' then :update
+          when 'DELETE' then :destroy
+          else
+            raise ActionController::MethodNotAllowed, request.method
+          end
+        end
+
+        # The ability action a nested resource needs on its PARENT: read
+        # actions (see +read_actions+) need only `:show`; every write needs
+        # `:update`, since mutating a nested collection is an update to the
+        # parent (not a create/destroy of it). Distinct from
+        # +ability_action_for_request+, which maps POST/DELETE to
+        # `:create`/`:destroy` for the resource itself.
+        def parent_ability_action
+          read_actions.include?(action_name) ? :show : :update
+        end
+
+        # Authorizes the parent resource for nested controllers: a role that
+        # can view a parent can't mutate its nested collection. Call from
+        # +set_parent+ after loading the parent.
+        def authorize_parent!(parent)
+          authorize!(parent_ability_action, parent)
+        end
+
         # Override to specify the association name on @parent
         # Defaults to controller_name (e.g., 'wished_items' for WishlistItemsController)
         def parent_association
@@ -228,7 +337,7 @@ module Spree
         #
         # Override in subclass for custom parameter handling
         def permitted_params
-          params.permit(permitted_attributes)
+          normalize_params(params.permit(permitted_attributes))
         end
 
         # Returns the permitted attributes list for the model

data/app/controllers/spree/api/v3/store/auth_controller.rb

@@ -6,10 +6,9 @@ module Spree
           # Tighter rate limits for auth endpoints (per IP to prevent brute force)
           rate_limit to: Spree::Api::Config[:rate_limit_login], within: Spree::Api::Config[:rate_limit_window].seconds, store: Rails.cache, only: :create, with: RATE_LIMIT_RESPONSE
           rate_limit to: Spree::Api::Config[:rate_limit_refresh], within: Spree::Api::Config[:rate_limit_window].seconds, store: Rails.cache, only: :refresh, with: RATE_LIMIT_RESPONSE
-          rate_limit to: Spree::Api::Config[:rate_limit_oauth], within: Spree::Api::Config[:rate_limit_window].seconds, store: Rails.cache, only: :oauth_callback, with: RATE_LIMIT_RESPONSE
           rate_limit to: Spree::Api::Config[:rate_limit_refresh], within: Spree::Api::Config[:rate_limit_window].seconds, store: Rails.cache, only: :logout, with: RATE_LIMIT_RESPONSE
 
-          skip_before_action :authenticate_user, only: [:create, :refresh, :oauth_callback]
+          skip_before_action :authenticate_user, only: [:create, :refresh, :logout]
 
           # POST  /api/v3/store/auth/login
           # Supports multiple authentication providers via :provider param
@@ -69,37 +68,17 @@ module Spree
 
           # POST  /api/v3/store/auth/logout
           # Accepts: { "refresh_token": "rt_xxx" }
-          # Revokes the refresh token
+          # Revokes the submitted refresh token. The token itself is the
+          # credential — no access JWT is required, so clients with an expired
+          # access token can still log out.
           def logout
             refresh_token_value = params[:refresh_token]
 
-            if refresh_token_value.present?
-              Spree::RefreshToken.find_by(token: refresh_token_value)&.destroy
-            end
+            Spree::RefreshToken.find_by(token: refresh_token_value)&.destroy if refresh_token_value.present?
 
             head :no_content
           end
 
-          # POST  /api/v3/store/auth/oauth/callback
-          # OAuth callback endpoint for server-side OAuth flows
-          def oauth_callback
-            strategy = authentication_strategy
-            return unless strategy # Error already rendered by determine_strategy
-
-            result = strategy.authenticate
-
-            if result.success?
-              user = result.value
-              render json: auth_response(user)
-            else
-              render_error(
-                code: ERROR_CODES[:authentication_failed],
-                message: result.error,
-                status: :unauthorized
-              )
-            end
-          end
-
           protected
 
           def serializer_params
@@ -133,6 +112,8 @@ module Spree
 
           def authentication_strategy
             strategy_class = determine_strategy
+            return nil unless strategy_class
+
             strategy_class.new(
               params: params,
               request_env: request.headers.env,
@@ -142,10 +123,9 @@ module Spree
 
           def determine_strategy
             provider = params[:provider].presence || 'email'
-            provider_key = provider.to_sym
 
             # Retrieve pre-loaded strategy class from configuration
-            strategy_class = Rails.application.config.spree.store_authentication_strategies[provider_key]
+            strategy_class = Spree.store_authentication_strategies[provider]
 
             unless strategy_class
               render_error(

data/app/controllers/spree/api/v3/store/base_controller.rb

@@ -3,6 +3,12 @@ module Spree
     module V3
       module Store
         class BaseController < Spree::Api::V3::BaseController
+          # Channel resolution is a Store API concern — admin endpoints return
+          # data across all channels and filter via Ransack instead. Including
+          # this here keeps the +X-Spree-Channel+ header from accidentally
+          # narrowing admin queries.
+          include Spree::Api::V3::ChannelResolution
+
           # Require publishable API key for all Store API requests
           before_action :authenticate_api_key!
         end

data/app/controllers/spree/api/v3/store/carts_controller.rb

@@ -34,6 +34,7 @@ module Spree
               params: permitted_params.merge(
                 user: current_user,
                 store: current_store,
+                channel: current_channel,
                 currency: current_currency,
                 locale: current_locale
               )

data/app/controllers/spree/api/v3/store/customers_controller.rb

@@ -13,6 +13,7 @@ module Spree
             user = Spree.user_class.new(permitted_params.except(:current_password))
 
             if user.save
+              link_matching_newsletter_subscriber!(user)
               refresh_token = Spree::RefreshToken.create_for(user, request_env: {
                 ip_address: request.remote_ip,
                 user_agent: request.user_agent&.truncate(255)
@@ -94,6 +95,11 @@ module Spree
           def user_serializer
             Spree.api.customer_serializer
           end
+
+          def link_matching_newsletter_subscriber!(user)
+            subscriber = Spree::NewsletterSubscriber.find_by(email: user.email, store: current_store)
+            Spree::Newsletter::LinkUser.new(subscriber: subscriber, user: user).call
+          end
         end
       end
     end