spree_core 5.4.0.beta7 → 5.4.0.beta8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9a75c8667f68e7a71143adec2c78694c99308dbc73fa9afd625e1c5e339e2fb8
-  data.tar.gz: '04229df0b73d148776d498157514ed592db0ffb551dc347a2aca782cafb80f01'
+  metadata.gz: d8297e501dfb71ba02dbd003c3f2a6fa035585a07cca4cf3f7e039eb92bb55c6
+  data.tar.gz: 87546d3659afc8573cf33cd9b3b2ceac6e351f7f8e30969626991c7c39da8773
 SHA512:
-  metadata.gz: b237c3ae83b130df90180833997bd0301335689e620e2da1956f67881bb44031962895c5de052d807d886ae00682a35c3b1c6fea5541acdbde4347abd871875a
-  data.tar.gz: d57fc57c99f2a3466e482965bc1a6bec9a40f91b277669ae2c24dfa93d1b68790f95bb3d50f15f2648abb32b1cf5c3f99cd646bfecf7b34c3d0949417550e25f
+  metadata.gz: 8983ae8234112c480dc54e302bd7d56557b11418af19a0ca6d65aa182ed06195c828ae69dc122209c23057149febb28b4c9e410a460e9dba2b09978240788997
+  data.tar.gz: e62cdc311fe8a2a256442b38e84df024e5c145ef47dc3c2cf5981e923bf5e3558c3b6937c3a64d101eb0783f5c493fdfbc3e75db004740d45599fa9d8ddfc80a

data/app/helpers/spree/base_helper.rb

@@ -114,10 +114,8 @@ module Spree
 
       base_url = if options[:relative]
                    ''
-                 elsif store.respond_to?(:formatted_custom_domain) && store.formatted_custom_domain.present?
-                   store.formatted_custom_domain
                  else
-                   store.formatted_url
+                   store.storefront_url
                  end
 
       localize = if options[:locale].present?
@@ -151,15 +149,15 @@ module Spree
     # we should always try to render image of the default variant
     # same as it's done on PDP
     def default_image_for_product(product)
-      Spree::Deprecation.warn('BaseHelper#default_image_for_product is deprecated and will be removed in Spree 5.5. Please use product.default_image instead')
+      Spree::Deprecation.warn('BaseHelper#default_image_for_product is deprecated and will be removed in Spree 6.0. Please use product.primary_media instead')
 
-      product.default_image
+      product.primary_media
     end
 
     def default_image_for_product_or_variant(product_or_variant)
-      Spree::Deprecation.warn('BaseHelper#default_image_for_product_or_variant is deprecated and will be removed in Spree 5.5. Please use product_or_variant.default_image instead')
+      Spree::Deprecation.warn('BaseHelper#default_image_for_product_or_variant is deprecated and will be removed in Spree 6.0. Please use product_or_variant.primary_media instead')
 
-      product_or_variant.default_image
+      product_or_variant.primary_media
     end
 
     def base_cache_key

data/app/mailers/spree/base_mailer.rb

@@ -37,7 +37,7 @@ module Spree
     # this is only a fail-safe solution if developer didn't set this in environment files
     # http://guides.rubyonrails.org/action_mailer_basics.html#generating-urls-in-action-mailer-views
     def ensure_default_action_mailer_url_host(store_url = nil)
-      host_url = store_url.presence || current_store.try(:url_or_custom_domain)
+      host_url = store_url.presence || current_store.try(:storefront_url)
 
       return if host_url.blank?
 

data/app/models/concerns/spree/user_methods.rb

@@ -18,6 +18,13 @@ module Spree
       # Enable lifecycle events for user models
       publishes_lifecycle_events
 
+      # Password reset token (Rails 7.1+ signed token, no DB column needed)
+      # Token auto-invalidates when password changes (salt changes)
+      # Expiration is configurable via Spree::Config.customer_password_reset_expires_in (in minutes)
+      generates_token_for :password_reset, expires_in: Spree::Config.customer_password_reset_expires_in.minutes do
+        password_salt&.last(10) || encrypted_password&.last(10)
+      end
+
       # we need to have this callback before any dependent: :destroy associations
       # https://github.com/rails/rails/issues/3458
       before_validation :clone_billing_address, if: :use_billing?
@@ -59,6 +66,14 @@ module Spree
       #
       attr_accessor :confirm_email, :terms_of_service
 
+      def self.find_by_password_reset_token(token)
+        find_by_token_for(:password_reset, token)
+      end
+
+      def self.find_by_password_reset_token!(token)
+        find_by_token_for!(:password_reset, token)
+      end
+
       def self.multi_search(query)
         sanitized_query = sanitize_query_for_multi_search(query)
         return none if query.blank?

data/app/models/spree/allowed_origin.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Spree
+  class AllowedOrigin < Spree.base_class
+    has_prefix_id :ao
+
+    include Spree::SingleStoreResource
+
+    belongs_to :store, class_name: 'Spree::Store'
+
+    validates :store, :origin, presence: true
+    validates :origin, uniqueness: { scope: [:store_id, *spree_base_uniqueness_scope] }
+    validate :origin_must_be_valid_http_url
+
+    private
+
+    def origin_must_be_valid_http_url
+      return if origin.blank?
+
+      uri = URI.parse(origin)
+
+      unless uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS)
+        errors.add(:origin, :invalid)
+        return
+      end
+
+      if uri.host.blank?
+        errors.add(:origin, :invalid)
+        return
+      end
+
+      # Origins must not have a path, query, or fragment
+      if uri.path.present? && uri.path != '/'
+        errors.add(:origin, :must_be_origin_only)
+      end
+
+      if uri.query.present? || uri.fragment.present?
+        errors.add(:origin, :must_be_origin_only)
+      end
+    rescue URI::InvalidURIError
+      errors.add(:origin, :invalid)
+    end
+  end
+end

data/app/models/spree/asset.rb

@@ -1,20 +1,42 @@
 module Spree
   class Asset < Spree.base_class
-    has_prefix_id :asset  # Stripe: file_
+    has_prefix_id :media
 
     include Support::ActiveStorage
+    include Rails.application.routes.url_helpers
+    include Spree::ImageMethods # legacy, will be removed in Spree 6
     include Spree::Metafields
     include Spree::Metadata
 
+    # Legacy styles support (was in Spree::Image::Configuration::ActiveStorage)
+    # @deprecated Will be removed in Spree 6
+    def self.styles
+      @styles ||= Spree::Config.product_image_variant_sizes.transform_values do |dimensions|
+        "#{dimensions[0]}x#{dimensions[1]}>"
+      end
+    end
+
+    def default_style
+      :small
+    end
+
     publishes_lifecycle_events
 
     EXTERNAL_URL_METAFIELD_KEY = 'external.url'
+    MEDIA_TYPES = %w[image video external_video].freeze
+
+    after_initialize { self.media_type ||= 'image' }
 
     belongs_to :viewable, polymorphic: true, touch: true
     acts_as_list scope: [:viewable_id, :viewable_type]
 
     delegate :key, :attached?, :variant, :variable?, :blob, :filename, :variation, to: :attachment
 
+    validates :media_type, inclusion: { in: MEDIA_TYPES }
+    validates :attachment, attached: true, content_type: Rails.application.config.active_storage.web_image_content_types,
+              if: -> { media_type == 'image' }
+    validates :external_video_url, presence: true, if: -> { media_type.in?(%w[video external_video]) }
+
     WEBP_SAVER_OPTIONS = {
       strip: true,
       quality: 75,
@@ -43,14 +65,46 @@ module Spree
 
     default_scope { includes(attachment_attachment: :blob) }
 
+    # STI was disabled in Spree::Image, keep it disabled here
+    self.inheritance_column = nil
+
     store_accessor :private_metadata, :session_uploaded_assets_uuid
     scope :with_session_uploaded_assets_uuid, lambda { |uuid|
       where(session_id: uuid)
     }
     scope :with_external_url, ->(url) { url.present? ? with_metafield_key_value(EXTERNAL_URL_METAFIELD_KEY, url.strip) : none }
 
+    # Callbacks merged from Spree::Image
+    after_commit :touch_product_variants, if: :should_touch_product_variants?, on: :update
+    after_commit :update_viewable_thumbnail_on_create, on: :create
+    after_commit :update_viewable_thumbnail_on_destroy, on: :destroy
+    after_commit :update_viewable_thumbnail_on_reorder, on: :update, if: :saved_change_to_position?
+    after_commit :update_viewable_thumbnail_on_viewable_change, on: :update, if: :saved_change_to_viewable_id?
+
+    after_create :increment_viewable_media_count
+    after_destroy :decrement_viewable_media_count
+
     def product
-      @product ||= viewable_type == 'Spree::Variant' ? viewable&.product : nil
+      @product ||= case viewable_type
+                   when 'Spree::Variant' then viewable&.product
+                   when 'Spree::Product' then viewable
+                   end
+    end
+
+    def focal_point
+      return nil if focal_point_x.nil? || focal_point_y.nil?
+
+      { x: focal_point_x, y: focal_point_y }
+    end
+
+    def focal_point=(point)
+      if point.nil?
+        self.focal_point_x = nil
+        self.focal_point_y = nil
+      else
+        self.focal_point_x = point[:x]
+        self.focal_point_y = point[:y]
+      end
     end
 
     def external_url
@@ -66,7 +120,71 @@ module Spree
     end
 
     def event_prefix
-      'asset'
+      'media'
+    end
+
+    # @deprecated
+    def styles
+      Spree::Deprecation.warn("Asset#styles is deprecated and will be removed in Spree 6.0. Please use active storage variants with cdn_image_url")
+
+      self.class.styles.map do |_, size|
+        width, height = size.chop.split('x').map(&:to_i)
+
+        {
+          url: generate_url(size: size),
+          size: size,
+          width: width,
+          height: height
+        }
+      end
+    end
+
+    private
+
+    def touch_product_variants
+      viewable.product.variants.touch_all
+    end
+
+    def should_touch_product_variants?
+      viewable.is_a?(Spree::Variant) &&
+        viewable.is_master? &&
+        viewable.product.has_variants? &&
+        saved_change_to_position?
+    end
+
+    def increment_viewable_media_count
+      case viewable_type
+      when 'Spree::Variant'
+        Spree::Variant.increment_counter(:media_count, viewable_id)
+        Spree::Product.increment_counter(:media_count, viewable.product_id)
+      when 'Spree::Product'
+        Spree::Product.increment_counter(:media_count, viewable_id)
+      end
+    end
+
+    def decrement_viewable_media_count
+      case viewable_type
+      when 'Spree::Variant'
+        Spree::Variant.decrement_counter(:media_count, viewable_id)
+        Spree::Product.decrement_counter(:media_count, viewable.product_id)
+      when 'Spree::Product'
+        Spree::Product.decrement_counter(:media_count, viewable_id)
+      end
     end
+
+    def update_viewable_thumbnail
+      case viewable_type
+      when 'Spree::Variant'
+        viewable.update_thumbnail!
+        viewable.product.update_thumbnail!
+      when 'Spree::Product'
+        viewable.update_thumbnail!
+      end
+    end
+
+    alias update_viewable_thumbnail_on_create update_viewable_thumbnail
+    alias update_viewable_thumbnail_on_destroy update_viewable_thumbnail
+    alias update_viewable_thumbnail_on_reorder update_viewable_thumbnail
+    alias update_viewable_thumbnail_on_viewable_change update_viewable_thumbnail
   end
 end

data/app/models/spree/image/configuration/active_storage.rb

@@ -1,22 +1,10 @@
+# @deprecated This module is now a no-op. All logic has been moved to Spree::Asset.
+# Will be removed in Spree 6.0.
 module Spree
   class Image < Asset
     module Configuration
       module ActiveStorage
         extend ActiveSupport::Concern
-
-        included do
-          # Returns image styles derived from Spree::Config.product_image_variant_sizes
-          # Format: { variant_name: 'WxH>' } for API compatibility
-          def self.styles
-            @styles ||= Spree::Config.product_image_variant_sizes.transform_values do |dimensions|
-              "#{dimensions[0]}x#{dimensions[1]}>"
-            end
-          end
-
-          def default_style
-            :small
-          end
-        end
       end
     end
   end

data/app/models/spree/image.rb

@@ -1,82 +1,6 @@
+# Backward compatibility — all logic now lives in Spree::Asset.
+# This class will be removed in Spree 6.0.
 module Spree
   class Image < Asset
-    include Spree::Image::Configuration::ActiveStorage # legacy to be removed in Spree 6
-    include Rails.application.routes.url_helpers
-    include Spree::ImageMethods # legacy, will be removed in Spree 6
-
-    validates :attachment, attached: true, content_type: Rails.application.config.active_storage.web_image_content_types
-
-    after_commit :touch_product_variants, if: :should_touch_product_variants?, on: :update
-    after_commit :update_variant_thumbnail, on: [:create, :destroy]
-    after_commit :update_variant_thumbnail_on_reorder, on: :update, if: :saved_change_to_position?
-    after_commit :update_variant_thumbnail_on_viewable_change, on: :update, if: :saved_change_to_viewable_id?
-
-    after_create :increment_viewable_image_count
-    after_destroy :decrement_viewable_image_count
-
-    # In Rails 5.x class constants are being undefined/redefined during the code reloading process
-    # in a rails development environment, after which the actual ruby objects stored in those class constants
-    # are no longer equal (subclass == self) what causes error ActiveRecord::SubclassNotFound
-    # Invalid single-table inheritance type: Spree::Image is not a subclass of Spree::Image.
-    # The line below prevents the error.
-    self.inheritance_column = nil
-
-    # @deprecated
-    def styles
-      Spree::Deprecation.warn("Image#styles is deprecated and will be removed in Spree 6.0. Please use active storage variants with cdn_image_url")
-
-      self.class.styles.map do |_, size|
-        width, height = size.chop.split('x').map(&:to_i)
-
-        {
-          url: generate_url(size: size),
-          size: size,
-          width: width,
-          height: height
-        }
-      end
-    end
-
-    private
-
-    def touch_product_variants
-      viewable.product.variants.touch_all
-    end
-
-    def should_touch_product_variants?
-      viewable.is_a?(Spree::Variant) &&
-        viewable.is_master? &&
-        viewable.product.has_variants? &&
-        saved_change_to_position?
-    end
-
-    def increment_viewable_image_count
-      return unless viewable.is_a?(Spree::Variant)
-
-      Spree::Variant.increment_counter(:image_count, viewable_id)
-      Spree::Product.increment_counter(:total_image_count, viewable.product_id)
-    end
-
-    def decrement_viewable_image_count
-      return unless viewable.is_a?(Spree::Variant)
-
-      Spree::Variant.decrement_counter(:image_count, viewable_id)
-      Spree::Product.decrement_counter(:total_image_count, viewable.product_id)
-    end
-
-    def update_variant_thumbnail
-      return unless viewable.is_a?(Spree::Variant)
-
-      viewable.update_thumbnail!
-      viewable.product.update_thumbnail!
-    end
-
-    def update_variant_thumbnail_on_reorder
-      update_variant_thumbnail
-    end
-
-    def update_variant_thumbnail_on_viewable_change
-      update_variant_thumbnail
-    end
   end
 end

data/app/models/spree/legacy_user.rb

@@ -12,6 +12,7 @@ module Spree
     attr_accessor :password, :password_confirmation
 
     validates :email, presence: true, uniqueness: { case_sensitive: false }
+    validates :password, confirmation: true, if: :password
 
     before_save :encrypt_password, if: :password
 

data/app/models/spree/line_item.rb

@@ -55,10 +55,10 @@ module Spree
     delegate :name, :description, :brand, :category, to: :product
 
     # Returns the thumbnail image for this line item
-    # Prefers variant thumbnail, falls back to product thumbnail
-    # @return [Spree::Image, nil]
+    # Prefers variant primary media, falls back to product primary media
+    # @return [Spree::Asset, nil]
     def thumbnail
-      variant.thumbnail || product.thumbnail
+      variant.primary_media || product.primary_media
     end
     delegate :tax_zone, to: :order
     delegate :digital?, :can_supply?, to: :variant

data/app/models/spree/product.rb

@@ -114,10 +114,12 @@ module Spree
     has_many :orders, through: :line_items
     has_many :completed_orders, -> { reorder(nil).distinct.complete }, through: :line_items, source: :order
 
+    has_many :media, -> { order(:position) }, as: :viewable, dependent: :destroy, class_name: 'Spree::Asset'
+
     has_many :variant_images, -> { order(:position) }, source: :images, through: :variants_including_master
     has_many :variant_images_without_master, -> { order(:position) }, source: :images, through: :variants
 
-    belongs_to :thumbnail, class_name: 'Spree::Image', optional: true
+    belongs_to :primary_media, class_name: 'Spree::Asset', optional: true, foreign_key: :primary_media_id
 
     has_many :option_value_variants, class_name: 'Spree::OptionValueVariant', through: :variants
     has_many :option_values, class_name: 'Spree::OptionValue', through: :variants
@@ -335,17 +337,26 @@ module Spree
       @default_variant_id ||= default_variant.id
     end
 
-    # Returns true if any variant (including master) has images.
-    # Uses loaded association when available, otherwise falls back to counter cache.
+    # Returns the product's media gallery.
+    # Uses product-level media if present, otherwise falls back to variant images.
+    # @return [ActiveRecord::Relation]
+    def gallery_media
+      return media if association(:media).loaded? ? media.any? : media.exists?
+
+      variant_images
+    end
+
+    # Returns true if the product has any media (product-level or variant-level).
+    # Uses counter cache for performance.
     # @return [Boolean]
-    def has_variant_images?
+    def has_media?
       return variant_images.any? if association(:variant_images).loaded?
 
-      total_image_count.positive?
+      media_count.positive?
     end
 
-    # Alias for has_variant_images? for consistency with Variant#has_images?
-    alias has_images? has_variant_images?
+    alias has_images? has_media?
+    alias has_variant_images? has_media?
 
     # Returns the variant that should be used for displaying images.
     # Priority: master > default_variant > first variant with images
@@ -354,47 +365,47 @@ module Spree
       @variant_for_images ||= find_variant_for_images
     end
 
-    # Returns default Image for Product.
-    # Uses cached thumbnail_id which is updated when images are added/removed/reordered.
-    # @return [Spree::Image, nil]
+    # @deprecated Use #primary_media instead.
     def default_image
-      thumbnail
+      Spree::Deprecation.warn('Spree::Product#default_image is deprecated and will be removed in Spree 6.0. Please use Spree::Product#primary_media instead.')
+      primary_media
     end
 
-    # Backward compatibility for Spree 5.2 and earlier.
-    # @deprecated Use Spree::Product#default_image instead.
+    # @deprecated Use #primary_media instead.
     def featured_image
-      Spree::Deprecation.warn('Spree::Product#featured_image is deprecated and will be removed in Spree 5.5. Please use Spree::Product#default_image instead.')
+      Spree::Deprecation.warn('Spree::Product#featured_image is deprecated and will be removed in Spree 6.0. Please use Spree::Product#primary_media instead.')
+      primary_media
+    end
 
-      default_image
+    # @deprecated Use #primary_media instead.
+    def primary_image
+      Spree::Deprecation.warn('Spree::Product#primary_image is deprecated and will be removed in Spree 6.0. Please use Spree::Product#primary_media instead.')
+      primary_media
     end
 
-    # Returns secondary Image for Product (for hover effects).
-    # @return [Spree::Image, nil]
+    # Returns secondary media for Product (for hover effects).
+    # @return [Spree::Asset, nil]
     def secondary_image
       variant_for_images&.secondary_image
     end
 
-    # Alias for default_image for consistency.
-    alias primary_image default_image
-
-    # Returns the image count from the variant used for displaying images.
-    # @return [Integer]
+    # @deprecated Use media_count instead
     def image_count
-      variant_for_images&.image_count || 0
+      media_count
     end
 
-    # Updates the thumbnail_id to the first image from variant_images.
-    # Called when images are added, removed, or reordered on any variant.
+    # Updates primary_media_id to the first media item.
+    # Checks product-level media first, then falls back to variant images.
+    # Called when media is added, removed, or reordered.
     def update_thumbnail!
-      first_image = variant_images.order(:position).first
-      update_column(:thumbnail_id, first_image&.id)
+      first_media = media.order(:position).first || variant_images.order(:position).first
+      update_column(:primary_media_id, first_media&.id)
     end
 
-    # Finds first variant with images using preloaded data when available.
+    # Finds first variant with media using preloaded data when available.
     # @return [Spree::Variant, nil]
     def find_variant_with_images
-      return variants.find(&:has_images?) if variants.loaded?
+      return variants.find(&:has_media?) if variants.loaded?
 
       variants.joins(:images).first
     end
@@ -630,12 +641,12 @@ module Spree
 
     private
 
-    # Determines which variant should be used for displaying images.
-    # Priority: master > default_variant > first variant with images
+    # Determines which variant should be used for displaying media.
+    # Priority: master > default_variant > first variant with media
     def find_variant_for_images
-      return master if master.has_images?
-      return default_variant if has_variants? && default_variant.has_images?
-      return find_variant_with_images if has_variant_images?
+      return master if master.has_media?
+      return default_variant if has_variants? && default_variant.has_media?
+      return find_variant_with_images if has_media?
 
       nil
     end

data/app/models/spree/store.rb

@@ -109,6 +109,7 @@ module Spree
     has_many :customer_groups, class_name: 'Spree::CustomerGroup', dependent: :destroy, inverse_of: :store
 
     has_many :api_keys, class_name: 'Spree::ApiKey', dependent: :destroy
+    has_many :allowed_origins, class_name: 'Spree::AllowedOrigin', dependent: :destroy
 
     #
     # Validations
@@ -252,6 +253,36 @@ module Spree
       formatted_url
     end
 
+    # Returns the storefront origin URL for use in customer-facing emails and links.
+    # Uses the first allowed origin if configured, otherwise falls back to formatted_url.
+    #
+    # @return [String] e.g. "https://myshop.com"
+    def storefront_url
+      allowed_origins.order(:created_at).pick(:origin) || formatted_url
+    end
+
+    # Returns true if the given URL's origin matches one of the store's allowed origins.
+    # Comparison is port-less: only scheme + host are matched, so storing
+    # `http://localhost` will match `http://localhost:3000`, `http://localhost:4000`, etc.
+    #
+    # @param url [String] the full URL to check
+    # @return [Boolean]
+    def allowed_origin?(url)
+      return false if url.blank?
+
+      uri = URI.parse(url)
+      request_origin = "#{uri.scheme}://#{uri.host}"
+
+      allowed_origins.pluck(:origin).any? do |stored|
+        stored_uri = URI.parse(stored)
+        "#{stored_uri.scheme}://#{stored_uri.host}" == request_origin
+      rescue URI::InvalidURIError
+        false
+      end
+    rescue URI::InvalidURIError
+      false
+    end
+
     # Returns the states available for checkout for the store
     # @param country [Spree::Country] the country to get the states for
     # @return [Array<Spree::State>]

data/app/models/spree/variant.rb

@@ -48,8 +48,8 @@ module Spree
     has_many :option_value_variants, class_name: 'Spree::OptionValueVariant'
     has_many :option_values, through: :option_value_variants, dependent: :destroy, class_name: 'Spree::OptionValue'
 
-    has_many :images, -> { order(:position) }, as: :viewable, dependent: :destroy, class_name: 'Spree::Image'
-    belongs_to :thumbnail, class_name: 'Spree::Image', optional: true
+    has_many :images, -> { order(:position) }, as: :viewable, dependent: :destroy, class_name: 'Spree::Asset'
+    belongs_to :primary_media, class_name: 'Spree::Asset', optional: true, foreign_key: :primary_media_id
 
     has_many :prices,
              class_name: 'Spree::Price',
@@ -279,26 +279,35 @@ module Spree
       is_master? ? name + ' - Master' : name + ' - ' + options_text
     end
 
-    # Returns true if the variant has images.
+    # Returns the variant's media gallery.
+    # Currently returns direct images. In 6.0 will use variant_media join table.
+    # @return [ActiveRecord::Relation]
+    def gallery_media
+      images
+    end
+
+    # Returns true if the variant has media.
     # Uses loaded association when available, otherwise falls back to counter cache.
     # @return [Boolean]
-    def has_images?
+    def has_media?
       return images.any? if images.loaded?
 
-      image_count.positive?
+      media_count.positive?
     end
 
-    # Returns default Image for Variant.
-    # @return [Spree::Image, nil]
+    alias has_images? has_media?
+
+    # @deprecated Use #primary_media instead.
     def default_image
-      thumbnail
+      Spree::Deprecation.warn('Spree::Variant#default_image is deprecated and will be removed in Spree 6.0. Please use Spree::Variant#primary_media instead.')
+      primary_media
     end
 
-    # Updates the thumbnail_id to the first image by position.
-    # Called when images are added, removed, or reordered.
+    # Updates primary_media_id to the first media item by position.
+    # Called when media is added, removed, or reordered.
     def update_thumbnail!
-      first_image = images.order(:position).first
-      update_column(:thumbnail_id, first_image&.id)
+      first_media = images.order(:position).first
+      update_column(:primary_media_id, first_media&.id)
     end
 
     # Returns first Image for Variant.

data/app/services/spree/seeds/all.rb

@@ -28,6 +28,7 @@ module Spree
           # add store resources
           PaymentMethods.call
           ApiKeys.call
+          AllowedOrigins.call
         end
       end
     end

data/app/services/spree/seeds/allowed_origins.rb

@@ -0,0 +1,14 @@
+module Spree
+  module Seeds
+    class AllowedOrigins
+      prepend Spree::ServiceModule::Base
+
+      def call
+        store = Spree::Store.default
+        return unless store&.persisted?
+
+        store.allowed_origins.find_or_create_by!(origin: 'http://localhost')
+      end
+    end
+  end
+end

data/app/views/spree/shared/_mailer_logo.html.erb

@@ -2,7 +2,7 @@
 <% height ||= 64 %>
 <% logo_css ||= '' %>
 
-<%= link_to current_store.url_or_custom_domain, id: 'site-logo', style: "text-decoration: none;" do %>
+<%= link_to current_store.storefront_url, id: 'site-logo', style: "text-decoration: none;" do %>
   <span style="display: none;"><%= current_store.name %></span>
   <% if logo.present? && logo.attached? && logo.variable? %>
     <% aspect_ratio = spree_asset_aspect_ratio(logo) %>

data/config/locales/en.yml

@@ -240,6 +240,10 @@ en:
       messages:
         blank: can't be blank
       models:
+        spree/allowed_origin:
+          attributes:
+            origin:
+              must_be_origin_only: must be an origin (scheme and host) without path, query, or fragment
         spree/calculator/tiered_flat_rate:
           attributes:
             base:
@@ -742,6 +746,8 @@ en:
     all_products: All products
     all_rights_reserved: All rights reserved
     all_time: All time
+    allowed_origin: Allowed Origin
+    allowed_origins: Allowed Origins
     already_have_account: Already have an account?
     alt_text: Alternative Text
     alternative_phone: Alternative Phone
@@ -976,6 +982,14 @@ en:
     customer_group_rule:
       choose_customer_groups: 'Select the customer group(s) to which this promotion should apply:'
     customer_groups: Customer Groups
+    customer_mailer:
+      password_reset_email:
+        action: Reset Password
+        expiry_notice: This password reset link will expire shortly. If you did not request this, no action is needed.
+        greeting: Hi %{name},
+        ignore_notice: If you did not request a password reset, you can safely ignore this email. Your password will not be changed.
+        instructions: We received a request to reset your password. Click the button below to choose a new password.
+        subject: Password Reset
     customer_removed_from_group: Customer removed from group
     customer_return: Customer Return
     customer_returns: Customer Returns
@@ -1104,6 +1118,7 @@ en:
         blank: can't be blank
         cannot_remove_icon: Cannot remove image
         could_not_create_taxon: Could not create taxon
+        must_be_origin_only: must be an origin (scheme and host) without path, query, or fragment
         no_shipping_methods_available: No shipping methods available for selected location, please change your address and try again.
         store_association_can_not_be_changed: The store association can not be changed
         store_is_already_set: Store is already set
@@ -1418,6 +1433,7 @@ en:
     new: New
     new_address: New address
     new_adjustment: New Adjustment
+    new_allowed_origin: New Allowed Origin
     new_api_key: New API Key
     new_balance: New balance
     new_billing_address: New Billing Address

data/db/migrate/20260315000000_create_spree_allowed_origins.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+class CreateSpreeAllowedOrigins < ActiveRecord::Migration[7.2]
+  def change
+    create_table :spree_allowed_origins do |t|
+      t.references :store, null: false
+      t.string :origin, null: false
+      t.timestamps
+    end
+
+    add_index :spree_allowed_origins, [:store_id, :origin], unique: true,
+              name: 'index_spree_allowed_origins_on_store_id_and_origin'
+  end
+end

data/db/migrate/20260315100000_add_product_media_support.rb

@@ -0,0 +1,21 @@
+class AddProductMediaSupport < ActiveRecord::Migration[7.2]
+  def change
+    add_column :spree_assets, :media_type, :string
+    add_column :spree_assets, :focal_point_x, :decimal, precision: 5, scale: 4
+    add_column :spree_assets, :focal_point_y, :decimal, precision: 5, scale: 4
+    add_column :spree_assets, :external_video_url, :string
+
+    add_index :spree_assets, :media_type
+
+    rename_column :spree_variants, :image_count, :media_count
+    rename_column :spree_products, :total_image_count, :media_count
+    rename_column :spree_variants, :thumbnail_id, :primary_media_id
+    rename_column :spree_products, :thumbnail_id, :primary_media_id
+
+    reversible do |dir|
+      dir.up do
+        Spree::Asset.unscoped.where(media_type: nil).update_all(media_type: 'image')
+      end
+    end
+  end
+end

data/lib/spree/core/configuration.rb

@@ -107,6 +107,9 @@ module Spree
       preference :coupon_codes_web_limit, :integer, default: 500 # number of coupon codes to be generated in the web process, more than this will be generated in a background job
       preference :coupon_codes_total_limit, :integer, default: 5000 # the maximum number of coupon codes to be generated
 
+      # password reset
+      preference :customer_password_reset_expires_in, :integer, default: 15 # password reset token expiration time in minutes
+
       # gift cards
       preference :gift_card_batch_web_limit, :integer, default: 500 # number of gift card codes to be generated in the web process, more than this will be generated in a background job
       preference :gift_card_batch_limit, :integer, default: 50_000

data/lib/spree/core/version.rb

@@ -1,5 +1,5 @@
 module Spree
-  VERSION = '5.4.0.beta7'.freeze
+  VERSION = '5.4.0.beta8'.freeze
 
   def self.version
     VERSION

data/lib/spree/permitted_attributes.rb

@@ -2,6 +2,7 @@ module Spree
   module PermittedAttributes
     ATTRIBUTES = [
       :address_attributes,
+      :allowed_origin_attributes,
       :api_key_attributes,
       :asset_attributes,
       :checkout_attributes,
@@ -87,9 +88,12 @@ module Spree
         state: [:name, :abbr] }
     ]
 
+    @@allowed_origin_attributes = [:origin]
+
     @@api_key_attributes = [:name, :key_type]
 
-    @@asset_attributes = [:type, :viewable_id, :viewable_type, :attachment, :alt, :position]
+    @@asset_attributes = [:type, :viewable_id, :viewable_type, :attachment, :alt, :position,
+                          :media_type, :focal_point_x, :focal_point_y, :external_video_url]
 
     @@checkout_attributes = [
       :coupon_code, :email, :shipping_method_id, :special_instructions, :use_billing, :use_shipping,

data/lib/spree/testing_support/factories/allowed_origin_factory.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :allowed_origin, class: Spree::AllowedOrigin do
+    store
+    sequence(:origin) { |n| "https://storefront#{n}.example.com" }
+  end
+end

data/lib/spree/testing_support/factories/asset_factory.rb

@@ -1,15 +1,12 @@
 FactoryBot.define do
   factory :asset, class: Spree::Asset do
-    viewable_type {}
-    viewable_id {}
-    attachment_width { 340 }
-    attachment_height { 280 }
-    attachment_file_size { 128 }
     position { 1 }
-    attachment_content_type { '.jpg' }
-    attachment_file_name { 'attachment.jpg' }
-    type {}
-    attachment_updated_at {}
     alt {}
+
+    after(:build) do |asset|
+      if asset.media_type == 'image' && !asset.attachment.attached?
+        asset.attachment.attach(io: File.new(Spree::Core::Engine.root + 'spec/fixtures' + 'thinking-cat.jpg'), filename: 'thinking-cat.jpg')
+      end
+    end
   end
 end

data/lib/spree/testing_support/factories/image_factory.rb

@@ -1,5 +1,7 @@
 FactoryBot.define do
-  factory :image, class: Spree::Image do
+  factory :image, class: Spree::Asset do
+    media_type { 'image' }
+
     before(:create) do |image|
       if image.class.method_defined?(:attachment)
         image.attachment.attach(io: File.new(Spree::Core::Engine.root + 'spec/fixtures' + 'thinking-cat.jpg'), filename: 'thinking-cat.jpg')

data/lib/tasks/images.rake

@@ -1,17 +1,17 @@
 namespace :spree do
-  namespace :images do
-    desc 'Backfill thumbnail_id for all variants and products'
-    task backfill_thumbnails: :environment do
-      puts 'Backfilling variant thumbnails...'
-      Spree::Variant.where(thumbnail_id: nil).where.not(image_count: 0).find_each do |variant|
-        first_image = variant.images.order(:position).first
-        variant.update_column(:thumbnail_id, first_image.id) if first_image
+  namespace :media do
+    desc 'Backfill primary_media_id for all variants and products'
+    task backfill_primary_media: :environment do
+      puts 'Backfilling variant primary_media...'
+      Spree::Variant.where(primary_media_id: nil).where.not(media_count: 0).find_each do |variant|
+        first_media = variant.gallery_media.first
+        variant.update_column(:primary_media_id, first_media.id) if first_media
       end
 
-      puts 'Backfilling product thumbnails...'
-      Spree::Product.where(thumbnail_id: nil).where.not(total_image_count: 0).find_each do |product|
-        first_image = product.variant_images.order(:position).first
-        product.update_column(:thumbnail_id, first_image.id) if first_image
+      puts 'Backfilling product primary_media...'
+      Spree::Product.where(primary_media_id: nil).where.not(media_count: 0).find_each do |product|
+        first_media = product.gallery_media.first
+        product.update_column(:primary_media_id, first_media.id) if first_media
       end
 
       puts 'Done!'

data/lib/tasks/products.rake

@@ -1,14 +1,16 @@
 namespace :spree do
   namespace :products do
-    desc 'Reset counter caches (variant_count, classification_count, total_image_count) on products'
+    desc 'Reset counter caches (variant_count, classification_count, media_count) on products'
     task reset_counter_caches: :environment do |_t, _args|
       puts 'Resetting product counter caches...'
 
       Spree::Product.find_each do |product|
+        total_media = product.media.count + product.variant_images.where.not(id: product.media.select(:id)).count
+
         product.update_columns(
           variant_count: product.variants.count,
           classification_count: product.classifications.count,
-          total_image_count: product.variant_images.count,
+          media_count: total_media,
           updated_at: Time.current
         )
         print '.'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: spree_core
 version: !ruby/object:Gem::Version
-  version: 5.4.0.beta7
+  version: 5.4.0.beta8
 platform: ruby
 authors:
 - Sean Schofield
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-03-15 00:00:00.000000000 Z
+date: 2026-03-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: i18n-tasks
@@ -899,6 +899,7 @@ files:
 - app/models/spree/adjustable/adjustments_updater.rb
 - app/models/spree/adjustable/promotion_accumulator.rb
 - app/models/spree/adjustment.rb
+- app/models/spree/allowed_origin.rb
 - app/models/spree/api_key.rb
 - app/models/spree/asset.rb
 - app/models/spree/asset/support/active_storage.rb
@@ -1253,6 +1254,7 @@ files:
 - app/services/spree/sample_data/loader.rb
 - app/services/spree/seeds/admin_user.rb
 - app/services/spree/seeds/all.rb
+- app/services/spree/seeds/allowed_origins.rb
 - app/services/spree/seeds/api_keys.rb
 - app/services/spree/seeds/countries.rb
 - app/services/spree/seeds/default_reimbursement_types.rb
@@ -1445,6 +1447,8 @@ files:
 - db/migrate/20260220000000_create_spree_markets.rb
 - db/migrate/20260226000000_add_locale_to_spree_orders.rb
 - db/migrate/20260226100000_add_token_digest_to_spree_api_keys.rb
+- db/migrate/20260315000000_create_spree_allowed_origins.rb
+- db/migrate/20260315100000_add_product_media_support.rb
 - db/sample_data/customers.csv
 - db/sample_data/metafield_definitions.rb
 - db/sample_data/orders.rb
@@ -1530,6 +1534,7 @@ files:
 - lib/spree/testing_support/factories.rb
 - lib/spree/testing_support/factories/address_factory.rb
 - lib/spree/testing_support/factories/adjustment_factory.rb
+- lib/spree/testing_support/factories/allowed_origin_factory.rb
 - lib/spree/testing_support/factories/api_key_factory.rb
 - lib/spree/testing_support/factories/asset_factory.rb
 - lib/spree/testing_support/factories/calculator_factory.rb
@@ -1666,9 +1671,9 @@ licenses:
 - BSD-3-Clause
 metadata:
   bug_tracker_uri: https://github.com/spree/spree/issues
-  changelog_uri: https://github.com/spree/spree/releases/tag/v5.4.0.beta7
+  changelog_uri: https://github.com/spree/spree/releases/tag/v5.4.0.beta8
   documentation_uri: https://docs.spreecommerce.org/
-  source_code_uri: https://github.com/spree/spree/tree/v5.4.0.beta7
+  source_code_uri: https://github.com/spree/spree/tree/v5.4.0.beta8
 post_install_message:
 rdoc_options: []
 require_paths: