spree_cm_commissioner 2.6.2.pre.pre.4 → 2.6.2.pre.pre.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4c381df113afbf82a9586168ede0e86f1bfee87849e50d3f9aed7a4b5455c2ab
-  data.tar.gz: 8466ba5865693c20fe012ca0463b584c9be3fe1aed6e25f3d37d31ef3ad76121
+  metadata.gz: '0319481a07b3f09bd6c82a11919c71d903c5fba255975a9b8c2125b0d34b8c56'
+  data.tar.gz: 4bdb018d9d105aa5a0afb1105f24d4dd5870654528f34c1928256ac4232c61de
 SHA512:
-  metadata.gz: e8ad8ac4e47e7a75a68f60244bf4033fb5d035bbd722e7f7d8ecebad7f81d08634990087a47e8702d47fb919bea1c60e3ba81f35fc1f772c2d0e0efa41c59b2f
-  data.tar.gz: 4a0ae2cd87ccca4f91cd2604a979771192cabffaf63978290a86dae624e25e18c1cf581f2d09a5f9805fa32f159b6e7f4b1982b3bc85958dd53da3b1385764c3
+  metadata.gz: 323de4c2e82ca9f643216ca00a8da7f7de5985ffb38da8388ba09549b1cf1b2878634c1ab61c1178f77f9728fd40442b062784db3af7a1ffa694f9308c50b874
+  data.tar.gz: 67ade5a70dcbfd1faf99bb89f41ab68db83e7cc6bf51ec997ba16f233c16d696fa92534c15c2d6d8c98d9f68078ef826264f72d9f6a815e99fb375b8676f6702

data/.github/workflows/test_and_build_gem.yml

@@ -244,8 +244,6 @@ jobs:
         with:
           path: spec/dummy
           key: test-app-${{ runner.os }}-${{ hashFiles('Gemfile.lock', 'db/migrate/*.rb') }}
-          restore-keys: |
-            test-app-${{ runner.os }}-
 
       # Generate dummy Rails app for testing (cacheable part)
       # This step checks if spec/dummy exists and skips generation if found

data/.gitignore

@@ -33,3 +33,4 @@ vendor/bundle/
 
 # Cursor
 .cursor
+dump.rdb

data/Gemfile.lock

@@ -34,7 +34,7 @@ GIT
 PATH
   remote: .
   specs:
-    spree_cm_commissioner (2.6.2.pre.pre.4)
+    spree_cm_commissioner (2.6.2.pre.pre.5)
       activerecord-multi-tenant
       activerecord_json_validator (~> 2.1, >= 2.1.3)
       aws-sdk-cloudfront

data/README.md

@@ -153,8 +153,38 @@ PIN_CODE_DEBUG_NOTIFIY_TELEGRAM_ENABLE="yes"
 EXCEPTION_NOTIFY_ENABLE="yes" # yes or no
 EXCEPTION_TELEGRAM_BOT_TOKEN=""
 EXCEPTION_NOTIFIER_TELEGRAM_CHANNEL_ID=""
+
+TURNSTILE_SECRET_KEY="" # Cloudflare Turnstile secret key (server-side verification)
+TURNSTILE_ENABLED="no" # Kill switch: `yes` to enforce Turnstile validation, `no` to bypass all validation without a code deploy (e.g. during a Cloudflare outage). Default: `no` (disabled)
 ```
 
+### Cloudflare Turnstile
+
+Cloudflare Turnstile is used to protect sensitive API endpoints from bots. The server-side validation is handled by `SpreeCmCommissioner::TurnstileTokenValidator` and the concern `SpreeCmCommissioner::TurnstileProtectable`.
+
+**Protected endpoints:**
+
+- `POST /api/v2/storefront/pin_code_generators`
+- `POST /api/v2/storefront/pin_code_otp_generators`
+- `POST /api/v2/storefront/user_registration_with_pin_codes`
+- `PUT  /api/v2/storefront/reset_passwords`
+- `PATCH /api/v2/storefront/checkout/complete`
+
+**How it works:**
+
+1. The client sends a Turnstile token via the `X-Turnstile-Token` HTTP header
+2. `TurnstileProtectable` reads the header and calls `TurnstileTokenValidator`
+3. The validator POSTs to Cloudflare's siteverify API with the token and `TURNSTILE_SECRET_KEY`
+4. Returns 403 if verification fails
+
+**Configuration:**
+
+1. Set `TURNSTILE_SECRET_KEY` in `.env` (obtained from [Cloudflare Turnstile dashboard](https://dash.cloudflare.com/))
+2. For local development testing, use Cloudflare's test keys:
+   - Always pass: `1x0000000000000000000000000000000AA`
+   - Always fail: `2x0000000000000000000000000000000AA`
+   - Token spent: `3x0000000000000000000000000000000AA`
+
 ## JSON Format Examples For Store and Tenant Preferences
 
 ### Asset Links Format
@@ -234,6 +264,12 @@ bundle update
 bundle exec rake test_app
 ```
 
+To completely remove the dummy app and rebuild it from scratch, you can use:
+
+```sh
+bundle exec rake test_app:reset
+```
+
 When testing your applications integration with this extension you may use it's factories.
 Simply add this require statement to your spec_helper:
 

data/Rakefile

@@ -88,6 +88,15 @@ namespace :test_app do
       puts '✓ Database setup complete'
     end
   end
+
+  desc 'Remove spec/dummy and run test_app'
+  task :reset do
+    puts 'Removing spec/dummy...'
+    FileUtils.rm_rf('spec/dummy')
+
+    puts 'Rebuilding test app...'
+    Rake::Task['test_app'].invoke
+  end
 end
 
 desc 'Generates a dummy app for testing'

data/app/controllers/concerns/spree/admin/service_calendars_concern.rb

@@ -44,6 +44,8 @@ module Spree
       private
 
       def build_exception_rules(exception_rules)
+        return [] if exception_rules.nil?
+
         exception_rules.values.reject! { |rule| rule['from'].blank? || rule['to'].blank? || rule['type'].blank? } || exception_rules.values
       end
 
@@ -57,7 +59,7 @@ module Spree
       end
 
       def set_exception_rules
-        @exception_rules = [{ from: DateTime.now, to: DateTime.now, type: 'exclusion', reason: nil }]
+        @exception_rules = (@object.exception_rules.presence || [{ from: DateTime.now, to: DateTime.now, type: 'exclusion', reason: nil }])
       end
 
       def build_resource

data/app/controllers/concerns/spree_cm_commissioner/adaptive_turnstile.rb

@@ -0,0 +1,37 @@
+module SpreeCmCommissioner
+  module AdaptiveTurnstile
+    extend ActiveSupport::Concern
+    include TurnstileProtectable
+
+    FAILED_ATTEMPT_THRESHOLD = 3
+
+    private
+
+    # Only require Turnstile if the user has exceeded the failed attempt threshold.
+    # This reduces latency for normal logins while catching brute force attacks.
+    # Only applies to password grant; other OAuth flows (refresh_token, client_credentials) are skipped.
+    def verify_turnstile_if_suspicious!
+      return unless params[:grant_type] == 'password'
+
+      user = Spree::User.find_by(email: params[:username]&.downcase&.strip)
+
+      # No user found -- require Turnstile to prevent email enumeration
+      if user.nil?
+        verify_turnstile!
+        return
+      end
+
+      # User has too many failed attempts -- require Turnstile
+      if user.respond_to?(:failed_attempts) && user.failed_attempts >= FAILED_ATTEMPT_THRESHOLD
+        verify_turnstile!
+        return
+      end
+
+      # Also check Redis for IP-level failed attempt tracking
+      return unless defined?(::Rack::Attack) && ::Rack::Attack.respond_to?(:cache)
+
+      ip_attempts = ::Rack::Attack.cache.count("failed_auth/ip:#{request.remote_ip}", 15.minutes)
+      verify_turnstile! if ip_attempts >= FAILED_ATTEMPT_THRESHOLD
+    end
+  end
+end

data/app/controllers/concerns/spree_cm_commissioner/turnstile_protectable.rb

@@ -0,0 +1,55 @@
+module SpreeCmCommissioner
+  module TurnstileProtectable
+    extend ActiveSupport::Concern
+
+    private
+
+    # Verify the Turnstile token from the X-Turnstile-Token header.
+    # Renders 403 and halts the request if verification fails.
+    #
+    # Usage:
+    #   before_action -> { verify_turnstile! }, only: :create
+    #
+    def verify_turnstile!
+      # Kill switch: set TURNSTILE_ENABLED='no' env var to disable globally.
+      return unless turnstile_feature_enabled?
+
+      token = request.headers['X-Turnstile-Token']
+
+      # Skip verification if no token and Turnstile is not enforced
+      return if token.blank? && turnstile_optional?
+
+      result = TurnstileTokenValidator.call(
+        token: token,
+        remote_ip: request.remote_ip
+      )
+
+      return unless result.failure?
+
+      render json: {
+        errors: [{
+          status: '403',
+          error_code: 'human_verification_failed',
+          title: I18n.t('turnstile.verification_failed'),
+          detail: result.message
+        }
+]
+      }, status: :forbidden
+    end
+
+    # Override in controllers to make Turnstile optional for specific actions.
+    # Default: required (returns false).
+    def turnstile_optional?
+      false
+    end
+
+    # Turnstile verification is enabled only when both conditions are met:
+    # 1. TURNSTILE_ENABLED environment variable is set to 'yes'
+    # 2. TURNSTILE_SECRET_KEY is present
+    # Default: disabled (no). Set TURNSTILE_ENABLED='yes' and provide
+    # TURNSTILE_SECRET_KEY to enable verification.
+    def turnstile_feature_enabled?
+      ENV.fetch('TURNSTILE_ENABLED', 'no') == 'yes' && ENV.fetch('TURNSTILE_SECRET_KEY', '').present?
+    end
+  end
+end

data/app/controllers/spree/admin/inventory_items_controller.rb

@@ -66,8 +66,8 @@ module Spree
 
         errors = []
         inventory_items.each do |inventory_item|
-          result = SpreeCmCommissioner::Stock::InventoryItemResetter.call(inventory_item: inventory_item)
-          errors << result.message unless result.success?
+          result = SpreeCmCommissioner::InventoryItems::Reset.call(inventory_item: inventory_item)
+          errors << result.error.to_s unless result.success?
         end
 
         if errors.empty?

data/app/controllers/spree/admin/inventory_monitorings_controller.rb

@@ -24,7 +24,7 @@ module Spree
         authorize! :manage, SpreeCmCommissioner::InventoryItem
 
         inventory_item = SpreeCmCommissioner::InventoryItem.find(params[:id])
-        result = SpreeCmCommissioner::Stock::InventoryItemResetter.call(inventory_item: inventory_item)
+        result = SpreeCmCommissioner::InventoryItems::Reset.call(inventory_item: inventory_item)
 
         if result.success?
           flash[:success] = "Successfully reset inventory for #{inventory_item.variant.product.name}"

data/app/controllers/spree/admin/product_service_calendars_controller.rb

@@ -6,6 +6,7 @@ module Spree
       before_action :load_product
       before_action :ensure_product_type_supports_calendar
       before_action :ensure_product_has_no_calendar, only: %i[new create]
+      before_action :set_exception_rules, only: %i[edit update]
 
       create.before :set_calendarable
       update.before :set_calendarable

data/app/controllers/spree/admin/system/cache_controller.rb

@@ -0,0 +1,30 @@
+module Spree
+  module Admin
+    module System
+      class CacheController < Spree::Admin::BaseController
+        def show; end
+
+        def invalidate
+          @patterns = params[:patterns].to_s
+
+          patterns = @patterns.split("\n").map(&:strip).compact_blank
+
+          if patterns.empty?
+            flash.now[:error] = 'Please enter at least one pattern.' # rubocop:disable Rails/I18nLocaleTexts
+            render :show and return
+          end
+
+          result = SpreeCmCommissioner::InvalidateCacheRequest.call(patterns: patterns)
+
+          if result.success?
+            flash[:success] = "Cache invalidated successfully for #{patterns.size} pattern(s)."
+            redirect_to admin_system_cache_path
+          else
+            flash.now[:error] = result.message
+            render :show
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/admin/system/waiting_room_controller.rb

@@ -0,0 +1,35 @@
+module Spree
+  module Admin
+    module System
+      class WaitingRoomController < Spree::Admin::BaseController
+        def show
+          @fetcher = SpreeCmCommissioner::WaitingRoomSystemMetadataFetcher.new
+          @fetcher.load_document_data
+
+          @active_sesions_count = SpreeCmCommissioner::WaitingRoomSession.active.count
+        end
+
+        def modify_multiplier
+          modifier = params[:multiplier]&.to_i || 0
+          SpreeCmCommissioner::WaitingRoomSystemMetadataSetter.new.modify_multiplier(modifier)
+
+          redirect_back fallback_location: admin_system_waiting_room_path
+        end
+
+        def modify_max_thread_count
+          modifier = params[:max_thread_count]&.to_i || 0
+          SpreeCmCommissioner::WaitingRoomSystemMetadataSetter.new.modify_max_thread_count(modifier)
+
+          redirect_back fallback_location: admin_system_waiting_room_path
+        end
+
+        def force_pull
+          SpreeCmCommissioner::WaitingRoomLatestSystemMetadataPullerJob.perform_now
+          SpreeCmCommissioner::WaitingGuestsCallerJob.perform_now
+
+          redirect_back fallback_location: admin_system_waiting_room_path
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v2/organizer/invite_guests_controller.rb

@@ -0,0 +1,91 @@
+module Spree
+  module Api
+    module V2
+      module Organizer
+        class InviteGuestsController < ::Spree::Api::V2::Organizer::BaseController
+          before_action :load_invite_guest_by_token, only: :show
+          before_action :load_invite_guest, :assign_line_item_data, only: :update
+
+          def show
+            render_serialized_payload { serialize_resource(@invite_guest) }
+          end
+
+          def update
+            return render_error(:revoked) if @invite_guest.revoked?
+            return render_error(:closed) if @invite_guest.expired?
+            return render_error(:fully_claimed) if @invite_guest.fully_claimed?
+
+            guest = @line_item.guests.new(guest_params)
+            guest.event_id = @invite_guest.event_id
+
+            if guest.save
+              @invite_guest.update(claimed_status: :claimed) if @line_item.guests.count == @invite_guest.quantity
+              send_guest_claimed_invitation_telegram_alert_to_vendor(guest) if guest.event.vendor.preferred_telegram_chat_id.present?
+
+              render json: SpreeCmCommissioner::V2::Storefront::GuestSerializer.new(guest.reload).serializable_hash
+            else
+              render_error_payload(guest.errors.full_messages.to_sentence)
+            end
+          end
+
+          private
+
+          def send_guest_claimed_invitation_telegram_alert_to_vendor(guest)
+            title = '📣 --- [NEW GUEST CLAIMED INVITATION] ---' # Style/StringLiterals
+            chat_id = guest.event.vendor.preferred_telegram_chat_id
+            return if chat_id.blank?
+
+            factory = SpreeCmCommissioner::InviteGuestClaimedTelegramMessageFactory.new(
+              title: title,
+              order: @invite_guest.order,
+              guest: guest,
+              vendor: guest.event.vendor
+            )
+            SpreeCmCommissioner::TelegramNotificationSenderJob.perform_later(
+              chat_id: chat_id,
+              message: factory.message,
+              parse_mode: factory.parse_mode
+            )
+          end
+
+          def load_invite_guest_by_token
+            @invite_guest = SpreeCmCommissioner::InviteGuest.find_by(token: params[:id])
+          rescue ActiveRecord::RecordNotFound
+            render_error_payload(I18n.t('invite.url_not_found'))
+          end
+
+          def load_invite_guest
+            @invite_guest = SpreeCmCommissioner::InviteGuest.find(params[:id])
+          end
+
+          def assign_line_item_data
+            @line_item = @invite_guest.order.line_items.first
+            @guests = @line_item.guests
+          end
+
+          def render_error(message)
+            render json: { errors: message }
+          end
+
+          def guest_params
+            params.require(:invite_guest).permit(
+              :first_name,
+              :last_name,
+              :dob,
+              :gender,
+              :age,
+              :emergency_contact,
+              :phone_number,
+              :address,
+              :other_organization
+            )
+          end
+
+          def resource_serializer
+            ::Spree::V2::Organizer::InviteGuestSerializer
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v2/storefront/access_tokens_controller.rb

@@ -3,6 +3,9 @@ module Spree
     module V2
       module Storefront
         class AccessTokensController < Doorkeeper::TokensController
+          include SpreeCmCommissioner::AdaptiveTurnstile
+
+          before_action :verify_turnstile_if_suspicious!, only: :create
         end
       end
     end

data/app/controllers/spree/api/v2/storefront/pin_code_generators_controller.rb

@@ -3,6 +3,10 @@ module Spree
     module V2
       module Storefront
         class PinCodeGeneratorsController < ::Spree::Api::V2::ResourceController
+          include SpreeCmCommissioner::TurnstileProtectable
+
+          before_action :verify_turnstile!, only: :create
+
           # :phone_number, :email, :type, :tenant
           def create
             context = SpreeCmCommissioner::PinCodeGenerator.call(pin_code_attrs)

data/app/controllers/spree/api/v2/storefront/pin_code_otp_generators_controller.rb

@@ -3,6 +3,10 @@ module Spree
     module V2
       module Storefront
         class PinCodeOtpGeneratorsController < ::Spree::Api::V2::ResourceController
+          include SpreeCmCommissioner::TurnstileProtectable
+
+          before_action :verify_turnstile!, only: :create
+
           # :phone_number, :email, :type, :recaptcha_token, :recaptcha_action, :recaptcah_site_key
           def create
             options = otp_attrs

data/app/controllers/spree/api/v2/storefront/reset_passwords_controller.rb

@@ -3,6 +3,10 @@ module Spree
     module V2
       module Storefront
         class ResetPasswordsController < Spree::Api::V2::ResourceController
+          include SpreeCmCommissioner::TurnstileProtectable
+
+          before_action :verify_turnstile!, only: :update
+
           def update
             context = SpreeCmCommissioner::UserForgottenPasswordUpdater.call(update_params)
 

data/app/controllers/spree/api/v2/storefront/saved_guests_controller.rb

@@ -0,0 +1,77 @@
+module Spree
+  module Api
+    module V2
+      module Storefront
+        class SavedGuestsController < ::Spree::Api::V2::ResourceController
+          before_action :require_spree_current_user
+          before_action :load_saved_guest, only: %i[show update destroy]
+
+          def collection
+            spree_current_user.saved_guests.order(created_at: :desc)
+                              .page(params[:page])
+                              .per(params[:per_page])
+          end
+
+          def create
+            saved_guest = spree_current_user.saved_guests.new(saved_guest_params)
+
+            if saved_guest.save
+              render_serialized_payload(201) { serialize_resource(saved_guest) }
+            else
+              render_error_payload(saved_guest.errors.full_messages.to_sentence, 422)
+            end
+          end
+
+          def update
+            if @saved_guest.update(saved_guest_params)
+              render_serialized_payload { serialize_resource(@saved_guest) }
+            else
+              render_error_payload(@saved_guest.errors.full_messages.to_sentence, 400)
+            end
+          end
+
+          def destroy
+            @saved_guest.destroy
+            head :no_content
+          end
+
+          private
+
+          def model_class
+            SpreeCmCommissioner::SavedGuest
+          end
+
+          def collection_serializer
+            resource_serializer
+          end
+
+          def resource_serializer
+            SpreeCmCommissioner::V2::Storefront::SavedGuestSerializer
+          end
+
+          def load_saved_guest
+            @saved_guest = spree_current_user.saved_guests.find(params[:id])
+          end
+
+          def saved_guest_params
+            params.require(:saved_guest).permit(
+              :first_name,
+              :last_name,
+              :dob,
+              :age,
+              :gender,
+              :email,
+              :country_code,
+              :phone_number,
+              :intel_phone_number,
+              :nationality_id,
+              :occupation_id,
+              :nationality_group,
+              :age_group
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v2/storefront/trip_search_controller.rb

@@ -15,7 +15,7 @@ module Spree
                   route_type: params[:route_type],
                   vendor_id: params[:vendor_id],
                   number_of_guests: params[:number_of_guests],
-                  params: params
+                  options: params
                 ).call
 
                 serialize_collection(trips)
@@ -72,7 +72,7 @@ module Spree
           def serialize_collection(collection)
             serialized_data = SpreeCmCommissioner::V2::Storefront::TripQueryResultSerializer.new(
               collection,
-              include: default_resource_includes,
+              include: resource_includes,
               params: serializer_params
             ).serializable_hash
             serialized_data[:meta] = {
@@ -87,6 +87,16 @@ module Spree
             serialized_data
           end
 
+          # From BaseController to always include defaults and merge request includes
+          # override
+
+          def resource_includes
+            (Array(super) + default_resource_includes)
+              .map { |path| path.to_s.strip }
+              .compact_blank
+              .uniq
+          end
+
           # override
           def serializer_params
             params.permit(:include).to_hash

data/app/controllers/spree/api/v2/storefront/user_registration_with_pin_codes_controller.rb

@@ -3,6 +3,9 @@ module Spree
     module V2
       module Storefront
         class UserRegistrationWithPinCodesController < Spree::Api::V2::ResourceController
+          include SpreeCmCommissioner::TurnstileProtectable
+
+          before_action :verify_turnstile!, only: :create
           before_action :validate_token_client!
 
           def validate_token_client!

data/app/controllers/spree/api/v2/tenant/popular_route_places_controller.rb

@@ -9,7 +9,8 @@ module Spree
           def collection
             @collection ||= collection_finder.new(
               tenant: @tenant,
-              route_type: params[:route_type]
+              route_type: params[:route_type],
+              include_route_prices: include_route_prices?
             ).execute
           end
 
@@ -37,7 +38,8 @@ module Spree
           def serializer_params
             super.merge(
               include_vendors: include_vendors?,
-              include_nearby_places: include_nearby_places?
+              include_nearby_places: include_nearby_places?,
+              include_route_prices: include_route_prices?
             )
           end
 
@@ -53,6 +55,10 @@ module Spree
           def include_nearby_places?
             resource_includes.include?(:nearby_places) || false
           end
+
+          def include_route_prices?
+            resource_includes.include?(:route_prices) || false
+          end
         end
       end
     end

data/app/controllers/spree/api/v2/tenant/routes_controller.rb

@@ -9,7 +9,8 @@ module Spree
           def collection
             @collection ||= collection_finder.new(
               tenant: @tenant,
-              params: params
+              params: params,
+              include_route_prices: include_route_prices?
             ).execute
           end
 
@@ -27,7 +28,8 @@ module Spree
           def serializer_params
             super.merge(
               include_vendors: include_vendors?,
-              include_nearby_places: include_nearby_places?
+              include_nearby_places: include_nearby_places?,
+              include_route_prices: include_route_prices?
             )
           end
 
@@ -43,6 +45,10 @@ module Spree
           def include_nearby_places?
             resource_includes.include?(:nearby_places) || false
           end
+
+          def include_route_prices?
+            resource_includes.include?(:route_prices) || false
+          end
         end
       end
     end

data/app/controllers/spree/api/v2/tenant/trip_search_controller.rb

@@ -15,7 +15,7 @@ module Spree
                   route_type: params[:route_type],
                   number_of_guests: params[:number_of_guests],
                   tenant_id: @tenant.id,
-                  params: params
+                  options: params
                 ).call
 
                 serialize_collection(trips)
@@ -72,7 +72,7 @@ module Spree
           def serialize_collection(collection)
             serialized_data = Spree::V2::Tenant::TripQueryResultSerializer.new(
               collection,
-              include: default_resource_includes,
+              include: resource_includes,
               params: serializer_params
             ).serializable_hash
             serialized_data[:meta] = {
@@ -87,6 +87,15 @@ module Spree
             serialized_data
           end
 
+          # From BaseController to always include defaults and merge request includes
+          # override
+          def resource_includes
+            (Array(super) + default_resource_includes)
+              .map { |path| path.to_s.strip }
+              .compact_blank
+              .uniq
+          end
+
           # override
           def serializer_params
             params.permit(:include).to_hash