spree_api 5.4.3 → 5.5.0.rc2

data/app/controllers/spree/api/v3/store/newsletter_subscribers_controller.rb

@@ -0,0 +1,77 @@
+module Spree
+  module Api
+    module V3
+      module Store
+        class NewsletterSubscribersController < Store::BaseController
+          rate_limit to: Spree::Api::Config[:rate_limit_register],
+                     within: Spree::Api::Config[:rate_limit_window].seconds,
+                     store: Rails.cache,
+                     only: [:create, :verify],
+                     with: RATE_LIMIT_RESPONSE
+
+          # POST /api/v3/store/newsletter_subscribers
+          def create
+            subscriber = Spree::NewsletterSubscriber.subscribe(
+              email: params[:email],
+              user: current_user,
+              store: current_store,
+              redirect_url: validated_redirect_url
+            )
+
+            if subscriber.errors.any?
+              render_errors(subscriber.errors)
+            else
+              render json: serialize_resource(subscriber), status: :created
+            end
+          end
+
+          # POST /api/v3/store/newsletter_subscribers/verify
+          def verify
+            token = params[:token]
+
+            if token.blank?
+              return render_error(
+                code: ERROR_CODES[:parameter_missing],
+                message: 'token is required',
+                status: :unprocessable_content
+              )
+            end
+
+            subscriber = Spree::NewsletterSubscriber.for_store(current_store).unverified.find_by(verification_token: token)
+
+            unless subscriber
+              return render_error(
+                code: ERROR_CODES[:invalid_token],
+                message: Spree.t(:newsletter_verification_token_invalid, scope: :api),
+                status: :unprocessable_content
+              )
+            end
+
+            Spree::Newsletter::Verify.new(subscriber: subscriber).call
+
+            render json: serialize_resource(subscriber)
+          end
+
+          protected
+
+          def serializer_class
+            Spree::Api::V3::NewsletterSubscriberSerializer
+          end
+
+          private
+
+          # Drop redirect_url when it isn't in the store's allow-list — secure-by-default,
+          # mirrors password_resets. Returning nil omits it from the webhook payload rather
+          # than rejecting the request, so callers can't probe the allow-list via 4xx errors.
+          def validated_redirect_url
+            redirect_url = params[:redirect_url]
+            return nil if redirect_url.blank?
+            return nil unless current_store.allowed_origin?(redirect_url)
+
+            redirect_url
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/products/filters_controller.rb

@@ -29,7 +29,7 @@ module Spree
 
             def filters_cache_key
               products_table = Spree::Product.table_name
-              stats = current_store.products.active(current_currency)
+              stats = current_store.products.available(Time.current, current_currency)
                         .pick(Arel.sql("MAX(#{products_table}.updated_at)"), Arel.sql("COUNT(DISTINCT #{products_table}.id)"))
               max_updated = stats&.first&.to_i
               product_count = stats&.last || 0
@@ -50,7 +50,7 @@ module Spree
             end
 
             def filters_scope
-              scope = current_store.products.active(current_currency)
+              scope = current_store.products.available(Time.current, current_currency)
               scope = scope.in_category(category) if category.present?
               scope.accessible_by(current_ability, :show)
             end

data/app/controllers/spree/api/v3/store/products_controller.rb

@@ -29,15 +29,16 @@ module Spree
           end
 
           def scope
-            super.active(Spree::Current.currency)
+            super.available(Time.current, Spree::Current.currency)
           end
 
           # these scopes are not automatically picked by ar_lazy_preload gem and we need to explicitly include them
           def scope_includes
             [
+              product_publications: [],
               primary_media: [attachment_attachment: :blob],
-              master: [:prices, stock_items: :stock_location],
-              variants: [:prices, stock_items: :stock_location]
+              master: [:prices, stock_items: [:stock_location, :active_stock_reservations]],
+              variants: [:prices, stock_items: [:stock_location, :active_stock_reservations]]
             ]
           end
 

data/app/controllers/spree/api/v3/store/resource_controller.rb

@@ -2,9 +2,17 @@ module Spree
   module Api
     module V3
       module Store
+        # Mirrors Store::BaseController's concerns. Both classes anchor parallel
+        # inheritance branches (V3::BaseController vs V3::ResourceController);
+        # any concern added here MUST also be added to Store::BaseController.
         class ResourceController < Spree::Api::V3::ResourceController
-          # Require publishable API key for all Store API requests
-          before_action :authenticate_api_key!
+          include Spree::Api::V3::ChannelResolution
+
+          protected
+
+          def authenticate_request!
+            authenticate_api_key!
+          end
         end
       end
     end

data/app/jobs/spree/webhook_delivery_job.rb

@@ -4,7 +4,12 @@ module Spree
   class WebhookDeliveryJob < Spree::BaseJob
     queue_as Spree.queues.webhooks
 
+    # Webhook delivery hits external endpoints; broad retry covers network timeouts,
+    # 5xx, DNS failures, etc.
     retry_on StandardError, wait: :polynomially_longer, attempts: 5
+    # Must come after `retry_on StandardError` so DeserializationError lands in discard
+    # (ActiveJob handler lookup is reverse-declaration-order).
+    discard_on ActiveJob::DeserializationError
 
     # Accept optional second argument for backward compatibility with jobs
     # enqueued before this change was deployed.

data/app/models/spree/api_key_ability.rb

@@ -0,0 +1,16 @@
+module Spree
+  # CanCanCan ability used for API-key-authenticated admin requests.
+  # Grants full access — authorization happens at the scope-check layer
+  # (Spree::Api::V3::ScopedAuthorization), not at the per-record CanCanCan
+  # layer. This exists so that `accessible_by(current_ability, :show)` in
+  # admin controllers returns the unrestricted scope (it would otherwise
+  # require a real Spree::Ability with role lookups, which doesn't apply
+  # to API key principals).
+  class ApiKeyAbility
+    include CanCan::Ability
+
+    def initialize(_options = {})
+      can :manage, :all
+    end
+  end
+end

data/app/serializers/spree/api/v3/admin/address_serializer.rb

@@ -5,18 +5,14 @@ module Spree
         class AddressSerializer < V3::AddressSerializer
           typelize label: [:string, nullable: true],
                    customer_id: [:string, nullable: true],
-                   metadata: 'Record<string, unknown> | null'
+                   metadata: 'Record<string, unknown>'
 
-          attributes :label,
+          attributes :label, :metadata,
                      created_at: :iso8601, updated_at: :iso8601
 
           attribute :customer_id do |address|
             address.user&.prefixed_id
           end
-
-          attribute :metadata do |address|
-            address.metadata.presence
-          end
         end
       end
     end

data/app/serializers/spree/api/v3/admin/adjustment_serializer.rb

@@ -4,31 +4,19 @@ module Spree
       module Admin
         class AdjustmentSerializer < V3::BaseSerializer
           typelize label: :string, amount: :string, display_amount: :string,
-                   state: :string, eligible: :boolean, mandatory: :boolean, included: :boolean,
-                   source_type: [:string, nullable: true],
-                   adjustable_type: :string, adjustable_id: :string,
-                   order_id: [:string, nullable: true],
-                   source_id: [:string, nullable: true]
+                   included: :boolean,
+                   order_id: [:string, nullable: true]
 
-          attributes :label, :display_amount, :state, :eligible, :mandatory, :included,
-                     :source_type, :adjustable_type,
+          attributes :label, :display_amount, :included,
                      created_at: :iso8601, updated_at: :iso8601
 
           attribute :amount do |adjustment|
             adjustment.amount.to_s
           end
 
-          attribute :adjustable_id do |adjustment|
-            adjustment.adjustable&.prefixed_id
-          end
-
           attribute :order_id do |adjustment|
             adjustment.order&.prefixed_id
           end
-
-          attribute :source_id do |adjustment|
-            adjustment.source&.prefixed_id
-          end
         end
       end
     end

data/app/serializers/spree/api/v3/admin/admin_user_serializer.rb

@@ -3,11 +3,27 @@ module Spree
     module V3
       module Admin
         class AdminUserSerializer < V3::BaseSerializer
-          typelize email: :string, first_name: [:string, nullable: true],
-                   last_name: [:string, nullable: true]
+          typelize email: :string,
+                   first_name: [:string, nullable: true],
+                   last_name: [:string, nullable: true],
+                   full_name: [:string, nullable: true],
+                   roles: 'Array<{ id: string; name: string }>'
 
-          attributes :email, :first_name, :last_name,
+          attributes :email, :first_name, :last_name, :full_name,
                      created_at: :iso8601, updated_at: :iso8601
+
+          # Roles assigned to this user *for the current store*. Each store
+          # gets its own role set via `Spree::RoleUser`, so this attribute is
+          # scoped against `current_store` rather than returning every role
+          # the user might have on other stores. Block receives `params`
+          # only when Alba passes it through the `serializer_params` hash —
+          # we fall back to `Spree::Current.store` if not.
+          attribute :roles do |user, params|
+            store = params&.dig(:store) || Spree::Current.store
+            scope = user.role_users
+            scope = scope.where(resource: store) if store
+            scope.includes(:role).map { |ru| { id: ru.role.prefixed_id, name: ru.role.name } }
+          end
         end
       end
     end

data/app/serializers/spree/api/v3/admin/allowed_origin_serializer.rb

@@ -5,13 +5,9 @@ module Spree
     module V3
       module Admin
         class AllowedOriginSerializer < V3::BaseSerializer
-          typelize store_id: :string
+          typelize origin: :string
 
-          attributes :id, :origin, created_at: :iso8601, updated_at: :iso8601
-
-          attribute :store_id do |allowed_origin|
-            allowed_origin.store&.prefixed_id
-          end
+          attributes :origin, created_at: :iso8601, updated_at: :iso8601
         end
       end
     end

data/app/serializers/spree/api/v3/admin/api_key_serializer.rb

@@ -0,0 +1,42 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # Admin API serializer for {Spree::ApiKey}.
+        #
+        # Never exposes `token` or `token_digest` — only the 12-char
+        # `token_prefix` (e.g. `sk_abc123def`) so existing keys can be
+        # identified in the UI without leaking material that would let an
+        # attacker make requests. The full plaintext token is delivered
+        # exactly once, as the response body of `POST /api/v3/admin/api_keys`,
+        # via {#plaintext_token} below — it is `nil` everywhere else.
+        class ApiKeySerializer < V3::BaseSerializer
+          typelize name: :string,
+                   key_type: :string,
+                   token_prefix: [:string, nullable: true],
+                   plaintext_token: [:string, nullable: true],
+                   scopes: [:string, multi: true],
+                   revoked_at: [:string, nullable: true],
+                   last_used_at: [:string, nullable: true],
+                   created_by_email: [:string, nullable: true]
+
+          attributes :name, :key_type, :token_prefix, :scopes,
+                     created_at: :iso8601, updated_at: :iso8601,
+                     revoked_at: :iso8601, last_used_at: :iso8601
+
+          # Returned only on the create response — `plaintext_token` is held in
+          # memory on the model after `generate_token` and is never persisted
+          # for secret keys, so we serialize it whenever it's available rather
+          # than gating on the action.
+          attribute :plaintext_token do |key|
+            key.plaintext_token
+          end
+
+          attribute :created_by_email do |key|
+            key.created_by&.email
+          end
+        end
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/admin/category_serializer.rb

@@ -5,10 +5,11 @@ module Spree
         # Admin API Category Serializer
         # Full category data including admin-only fields
         class CategorySerializer < V3::CategorySerializer
-          typelize lft: :number, rgt: :number
+          typelize pretty_name: :string, lft: :number, rgt: :number, sort_order: :string,
+                   metadata: 'Record<string, unknown>'
 
-          # Nested set columns for tree operations
-          attributes :lft, :rgt, created_at: :iso8601, updated_at: :iso8601
+          # Admin-only attributes
+          attributes :metadata, :pretty_name, :lft, :rgt, created_at: :iso8601, updated_at: :iso8601
 
           # Override inherited associations to use admin serializers
           one :parent,

data/app/serializers/spree/api/v3/admin/channel_serializer.rb

@@ -0,0 +1,15 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class ChannelSerializer < V3::ChannelSerializer
+          typelize store_id: :string,
+                   preferred_order_routing_strategy: [:string, nullable: true]
+
+          attributes :preferred_order_routing_strategy,
+                     created_at: :iso8601, updated_at: :iso8601
+        end
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/admin/country_serializer.rb

@@ -7,7 +7,7 @@ module Spree
 
           many :states,
                resource: Spree.api.admin_state_serializer,
-               if: proc { expand?(:states) }
+               if: proc { params[:expand]&.include?('states') }
         end
       end
     end

data/app/serializers/spree/api/v3/admin/coupon_code_serializer.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Spree
+  module Api
+    module V3
+      module Admin
+        # Coupon codes belong to multi-code promotions. Read-only here:
+        # codes are generated server-side based on the promotion's
+        # `code_prefix` + `number_of_codes`.
+        class CouponCodeSerializer < BaseSerializer
+          typelize code: :string,
+                   state: [:string, nullable: true],
+                   promotion_id: :string,
+                   order_id: [:string, nullable: true]
+
+          attributes :code, :state,
+                     created_at: :iso8601, updated_at: :iso8601
+
+          attribute :promotion_id do |coupon|
+            coupon.promotion&.prefixed_id
+          end
+
+          attribute :order_id do |coupon|
+            coupon.order&.prefixed_id
+          end
+        end
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/admin/credit_card_serializer.rb

@@ -4,7 +4,8 @@ module Spree
       module Admin
         class CreditCardSerializer < V3::CreditCardSerializer
           typelize customer_id: [:string, nullable: true],
-                   payment_method_id: [:string, nullable: true]
+                   payment_method_id: [:string, nullable: true],
+                   metadata: 'Record<string, unknown>'
 
           attribute :customer_id do |credit_card|
             credit_card.user&.prefixed_id
@@ -14,7 +15,8 @@ module Spree
             credit_card.payment_method&.prefixed_id
           end
 
-          attributes created_at: :iso8601, updated_at: :iso8601
+          attributes :metadata,
+                     created_at: :iso8601, updated_at: :iso8601
         end
       end
     end

data/app/serializers/spree/api/v3/admin/custom_field_definition_serializer.rb

@@ -0,0 +1,21 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # Admin API Custom Field Definition Serializer
+        # Schema-side metadata for custom fields (per resource type).
+        class CustomFieldDefinitionSerializer < BaseSerializer
+          typelize namespace: :string,
+                   key: :string,
+                   label: :string,
+                   field_type: Spree::Metafield::FIELD_TYPE_TOKENS,
+                   resource_type: :string,
+                   storefront_visible: :boolean
+
+          attributes :namespace, :key, :label, :field_type, :resource_type, :storefront_visible,
+                     created_at: :iso8601, updated_at: :iso8601
+        end
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/admin/custom_field_serializer.rb

@@ -5,12 +5,17 @@ module Spree
         # Admin API Custom Field Serializer
         # Full custom field data including admin-only fields
         class CustomFieldSerializer < V3::CustomFieldSerializer
-          typelize storefront_visible: :boolean
+          typelize storefront_visible: :boolean,
+                   custom_field_definition_id: :string
 
           attributes created_at: :iso8601, updated_at: :iso8601
 
-          attribute :storefront_visible do |metafield|
-            metafield.display_on.in?(%w[both front_end])
+          attribute :storefront_visible do |custom_field|
+            custom_field.metafield_definition.available_on_front_end?
+          end
+
+          attribute :custom_field_definition_id do |custom_field|
+            custom_field.metafield_definition.prefixed_id
           end
         end
       end

data/app/serializers/spree/api/v3/admin/customer_group_serializer.rb

@@ -0,0 +1,27 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # Serializes Spree::CustomerGroup for the admin pickers
+        # (e.g. promotion rule, customer-group filters). Surfaces only
+        # what the admin UI needs to display + select rows.
+        class CustomerGroupSerializer < V3::BaseSerializer
+          typelize name: :string,
+                   description: 'string | null',
+                   customers_count: :number
+
+          attributes :name, :description, :customers_count,
+                     created_at: :iso8601, updated_at: :iso8601
+
+          # Members are paginated separately via `/customers?customer_group_id_in=…`
+          # because a group can hold tens of thousands of users — embedding the
+          # whole list on every group fetch would explode the index payload.
+          # Pass `expand=customers` when you need them inline (single-record reads only).
+          many :customers,
+               resource: Spree.api.admin_customer_serializer,
+               if: proc { expand?('customers') }
+        end
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/admin/customer_serializer.rb

@@ -8,10 +8,19 @@ module Spree
           typelize login: [:string, nullable: true],
                    last_sign_in_at: [:string, nullable: true], current_sign_in_at: [:string, nullable: true],
                    sign_in_count: :number, failed_attempts: :number,
-                   last_sign_in_ip: [:string, nullable: true], current_sign_in_ip: [:string, nullable: true]
+                   last_sign_in_ip: [:string, nullable: true], current_sign_in_ip: [:string, nullable: true],
+                   tags: [:string, multi: true],
+                   internal_note_html: [:string, nullable: true],
+                   metadata: 'Record<string, unknown>',
+                   orders_count: :number,
+                   total_spent: :string,
+                   display_total_spent: :string,
+                   last_order_completed_at: [:string, nullable: true],
+                   default_billing_address_id: [:string, nullable: true],
+                   default_shipping_address_id: [:string, nullable: true]
 
           # Admin-only attributes
-          attributes :login,
+          attributes :login, :metadata,
                      last_sign_in_at: :iso8601, current_sign_in_at: :iso8601,
                      created_at: :iso8601, updated_at: :iso8601
 
@@ -31,6 +40,45 @@ module Spree
             user.current_sign_in_ip
           end
 
+          attribute :tags do |user|
+            user.tag_list.to_a
+          end
+
+          attribute :internal_note_html do |user|
+            user.respond_to?(:internal_note) ? user.internal_note&.body&.to_s.presence : nil
+          end
+
+          attribute :default_billing_address_id do |user|
+            user.bill_address&.prefixed_id
+          end
+
+          attribute :default_shipping_address_id do |user|
+            user.ship_address&.prefixed_id
+          end
+
+          # Order aggregates: prefer attributes precomputed on the scope (see
+          # CustomersController#scope) to avoid N+1 on list endpoints. Fall
+          # back to per-user queries when not preloaded (e.g. show endpoint
+          # for a freshly loaded record).
+          attribute :orders_count do |user|
+            user.attributes['orders_count']&.to_i || user.orders.complete.count
+          end
+
+          attribute :total_spent do |user|
+            (user.attributes['total_spent'] || user.orders.complete.sum(:total)).to_s
+          end
+
+          attribute :display_total_spent do |user|
+            amount = user.attributes['total_spent'] || user.orders.complete.sum(:total)
+            currency = Spree::Current.currency || Spree::Current.store&.default_currency || Spree::Config[:currency]
+            Spree::Money.new(amount, currency: currency).to_s
+          end
+
+          attribute :last_order_completed_at do |user|
+            value = user.attributes.key?('last_order_completed_at') ? user.attributes['last_order_completed_at'] : user.orders.complete.maximum(:completed_at)
+            value.respond_to?(:iso8601) ? value.iso8601 : value
+          end
+
           # Override inherited associations to use admin serializers
           many :addresses, resource: Spree.api.admin_address_serializer, if: proc { expand?('addresses') }
           one :bill_address, key: :default_billing_address, resource: Spree.api.admin_address_serializer, if: proc { expand?('default_billing_address') }
@@ -39,6 +87,14 @@ module Spree
           many :orders,
                resource: Spree.api.admin_order_serializer,
                if: proc { expand?('orders') }
+
+          many :store_credits,
+               resource: Spree.api.admin_store_credit_serializer,
+               if: proc { expand?('store_credits') }
+
+          many :customer_groups,
+               resource: Spree.api.admin_customer_group_serializer,
+               if: proc { expand?('customer_groups') }
         end
       end
     end