Merge branch 'master' into next

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,71 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+name: "CodeQL"
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+  schedule:
+    - cron: '0 5 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Override automatic language detection by changing the below list
+        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+        language: ['javascript']
+        # Learn more...
+        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+
+    # If this run was triggered by a pull request event, then checkout
+    # the head of the pull request instead of the merge commit.
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file. 
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

CHANGELOG.md

@@ -1,3 +1,19 @@
+## <small>0.15.2 (2020-09-30)</small>
+
+
+#### Fixes
+
+* **admin-ui** Allow cancellation from custom Order states ([117264f](https://github.com/vendure-ecommerce/vendure/commit/117264f)), closes [#472](https://github.com/vendure-ecommerce/vendure/issues/472)
+* **admin-ui** Fix address dialog issues ([0d61f47](https://github.com/vendure-ecommerce/vendure/commit/0d61f47)), closes [#463](https://github.com/vendure-ecommerce/vendure/issues/463)
+* **admin-ui** Fix asset drag/drop support in safari ([55304c5](https://github.com/vendure-ecommerce/vendure/commit/55304c5))
+* **core** Fix handling of JobRecord ids when using UUID strategy ([30e6e70](https://github.com/vendure-ecommerce/vendure/commit/30e6e70)), closes [#478](https://github.com/vendure-ecommerce/vendure/issues/478)
+* **email-plugin** Include shipping method in order receipt handler ([ea907a4](https://github.com/vendure-ecommerce/vendure/commit/ea907a4)), closes [#473](https://github.com/vendure-ecommerce/vendure/issues/473)
+
+#### Features
+
+* **core** Add `totalQuantity` field to Order type ([829ac96](https://github.com/vendure-ecommerce/vendure/commit/829ac96)), closes [#465](https://github.com/vendure-ecommerce/vendure/issues/465)
+* **elasticsearch-plugin** Allow full client options to be passed ([c686509](https://github.com/vendure-ecommerce/vendure/commit/c686509)), closes [#474](https://github.com/vendure-ecommerce/vendure/issues/474)
+
 ## <small>0.15.1 (2020-09-09)</small>
 
 

docs/content/article/faq.md

@@ -41,6 +41,6 @@ We're not yet offering general support packages, but if you are planning a Vendu
 
 **No**, out-of-the box Vendure does not support multi-vendor. We have a [Channels feature]({{< relref "channels" >}}) which allows a single vendor to define multiple sales channels. 
 
-It _would_ be possible to add multi-vendor support by way of a plugin, but bear in mind that this would entail a fair amount of custom development.
+Currently there is ongoing work by community contributors to put in place the internal infrastructure to support multi-vendor, but as of this writing (September 2020) it is not yet considered complete. It _would_ be possible to add multi-vendor support by way of a plugin, but bear in mind that this would entail a fair amount of custom development.
+
 
-An official multi-vendor plugin is under consideration for after the v1.0 release.

docs/content/article/roadmap.md

@@ -11,13 +11,13 @@ Here is a list of some of the main outstanding tasks that are planned for the v1
 * Complete the Channels implementation
 * Back order handling
 * Administrator creation & editing of orders
-* Custom authentication support
+* ~~Custom authentication support~~ ✅
 * Improved promotions support
 * Improved tax calculation support
 * Improved support for running Vendure in cloud environments
 * Performance improvements
 
-We currently hope to **reach v1.0 in the latter half of 2020**. For an up-to-date overview of where we stand, refer to the [GitHub milestones page](https://github.com/vendure-ecommerce/vendure/milestones).
+We currently hope to **reach v1.0 by the end of 2020**. For an up-to-date overview of where we stand, refer to the [GitHub milestones page](https://github.com/vendure-ecommerce/vendure/milestones).
 
 ## Post v1.0
 

docs/content/docs/developer-guide/channels.md

@@ -11,6 +11,7 @@ Channels are a feature of Vendure which allows multiple sales channels to be rep
 * Assign only specific Products to the Channel (with Channel-specific prices)
 * Create Administrator roles limited to the Channel
 * Assign only specific Promotions, Collections & ShippingMethods to the Channel (to be implemented)
+* Have Orders and Customers associated with specific Channels.
 
 Every Vendure server always has a **default Channel**, which contains _all_ entities. Subsequent channels can then contain a subset of the above entities.
 
@@ -22,6 +23,6 @@ Use-cases of Channels include:
 
 ## Multi-Tenant (Marketplace) Support
 
-In its current form, the Channels feature is not suitable for a multi-tenant or marketplace solution. This is because several entities which should be isolated in a true multi-tenant system are still shared across all Channels.
+In its current form, the Channels feature is not suitable for an out-fo-the-box multi-tenant or marketplace solution. This is because several entities which should be isolated in a true multi-tenant system are still shared across all Channels.
 
 Multi-tenancy could still be achieved through a dedicated plugin, and indeed there are some community projects underway in this direction, but would require significant custom work. An out-of-the-box solution will be considered for a future plugin offering.

docs/content/docs/developer-guide/deployment.md

@@ -23,6 +23,15 @@ For a production Vendure server, there are a few security-related points to cons
 * Set the [Superadmin credentials]({{< relref "auth-options" >}}#superadmincredentials) to something other than the default.
 * Consider taking steps to harden your GraphQL APIs against DOS attacks. Use the [ApiOptions]({{< relref "api-options" >}}) to set up appropriate Express middleware for things like [request timeouts](https://github.com/expressjs/express/issues/3330) and [rate limits](https://www.npmjs.com/package/express-rate-limit). A tool such as [graphql-query-complexity](https://github.com/slicknode/graphql-query-complexity) can be used to mitigate resource-intensive GraphQL queries. 
 * You may wish to restrict the Admin API to only be accessed from trusted IPs. This could be achieved for instance by configuring an nginx reverse proxy that sits in front of the Vendure server.
+* By default, Vendure uses auto-increment integer IDs as entity primary keys. While easier to work with in development, sequential primary keys can leak information such as the number of orders or customers in the system. For this reason you should consider using the [UuidIdStrategy]({{< relref "entity-id-strategy" >}}#uuididstrategy) for production.
+  ```TypeScript
+  import { UuidIdStrategy, VendureConfig } from '@vendure/core';
+
+  export const config: VendureConfig = {
+    entityIdStrategy: new UuidIdStrategy(),
+    // ...
+  }
+  ```
 
 ## Health/Readiness Checks
 

docs/content/docs/plugins/available-plugins.md

@@ -18,5 +18,5 @@ The Vendure monorepo contains a number of "core" plugins - that is, commonly-use
 
 Have you created a Vendure plugin that you'd like to share? Contact us and we can list it here! 
 
-For now, you'll find some community plugins in [these GitHub search results](https://github.com/search?q=vendure+-user%3Avendure-ecommerce&type=Repositories).
+For now, you'll find some community plugins in [these GitHub search results](https://github.com/search?q=vendure+plugin+-user%3Avendure-ecommerce&type=Repositories).
 

docs/layouts/partials/footer.html

@@ -31,6 +31,12 @@
                             Join us on Slack</a
                         >
                     </li>
+                    <li>
+                        <a href="https://github.com/vendure-ecommerce/vendure/discussions"
+                            ><img class="link-icon" alt="GitHub logo" src="/svg/icon-github-inverse.svg" />
+                            Support Forum</a
+                        >
+                    </li>
                     <li>
                         <a href="mailto:[email protected]" class="email-link"
                             ><img src="/svg/clr-icon-email-light.svg" class="link-icon" alt="email icon" />

docs/layouts/partials/top-bar.html

@@ -45,6 +45,10 @@
                         <img class="menu-icon" alt="icon" src="/svg/icon-github-inverse.svg" />
                         GitHub
                     </a>
+                    <a href="https://github.com/vendure-ecommerce/vendure/discussions">
+                        <img class="menu-icon" alt="icon" src="/svg/icon-github-inverse.svg" />
+                        Support Forum
+                    </a>
                     <a href="https://join.slack.com/t/vendure-ecommerce/shared_invite/enQtNzA1NTcyMDY3NTg0LTMzZGQzNDczOWJiMTU2YjAyNWJlMzdmZGE3ZDY5Y2RjMGYxZWNlYTI4NmU4Y2Q1MDNlYzE4MzQ5ODcyYTdmMGU">
                         <img class="menu-icon" alt="icon" src="/logo/slack-logo-icon-127x127.png" />
                         Community

lerna.json

@@ -2,7 +2,7 @@
   "packages": [
     "packages/*"
   ],
-  "version": "0.15.1",
+  "version": "0.15.2",
   "npmClient": "yarn",
   "useWorkspaces": true,
   "command": {

packages/admin-ui-plugin/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vendure/admin-ui-plugin",
-  "version": "0.15.1",
+  "version": "0.15.2",
   "main": "lib/index.js",
   "types": "lib/index.d.ts",
   "files": [
@@ -20,7 +20,7 @@
     "@types/express": "^4.0.39",
     "@types/fs-extra": "^8.0.1",
     "@vendure/common": "^0.15.0",
-    "@vendure/core": "^0.15.1",
+    "@vendure/core": "^0.15.2",
     "express": "^4.16.4",
     "rimraf": "^3.0.0",
     "typescript": "3.8.3"

packages/admin-ui/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vendure/admin-ui",
-  "version": "0.15.1",
+  "version": "0.15.2",
   "license": "MIT",
   "scripts": {
     "ng": "ng",

packages/admin-ui/src/lib/core/src/common/version.ts

@@ -1,2 +1,2 @@
 // Auto-generated by the set-version.js script.
-export const ADMIN_UI_VERSION = '0.15.1';
+export const ADMIN_UI_VERSION = '0.15.2';

packages/admin-ui/src/lib/core/src/shared/components/asset-file-input/asset-file-input.component.ts

@@ -51,8 +51,9 @@ export class AssetFileInputComponent implements OnInit {
         this.fitDropZoneToTarget();
     }
 
+    // DragEvent is not supported in Safari, see https://github.com/vendure-ecommerce/vendure/pull/284
     @HostListener('document:dragleave', ['$event'])
-    onDragLeave(event: DragEvent) {
+    onDragLeave(event: any) {
         if (!event.clientX && !event.clientY) {
             this.dragging = false;
         }
@@ -62,15 +63,16 @@ export class AssetFileInputComponent implements OnInit {
      * Preventing this event is required to make dropping work.
      * See https://developer.mozilla.org/en-US/docs/Web/API/HTML_Drag_and_Drop_API#Define_a_drop_zone
      */
-    onDragOver(event: DragEvent) {
+    onDragOver(event: any) {
         event.preventDefault();
     }
 
-    onDrop(event: DragEvent) {
+    // DragEvent is not supported in Safari, see https://github.com/vendure-ecommerce/vendure/pull/284
+    onDrop(event: any) {
         event.preventDefault();
         this.dragging = false;
         this.overDropZone = false;
-        const files = Array.from(event.dataTransfer ? event.dataTransfer.items : [])
+        const files = Array.from<DataTransferItem>(event.dataTransfer ? event.dataTransfer.items : [])
             .map(i => i.getAsFile())
             .filter(notNullOrUndefined);
         this.selectFiles.emit(files);

packages/admin-ui/src/lib/customer/src/components/address-card/address-card.component.ts

@@ -4,11 +4,15 @@ import {
     Component,
     EventEmitter,
     Input,
+    OnChanges,
     OnInit,
     Output,
+    SimpleChanges,
 } from '@angular/core';
 import { FormControl, FormGroup } from '@angular/forms';
 import { CustomFieldConfig, GetAvailableCountries, ModalService } from '@vendure/admin-ui/core';
+import { BehaviorSubject } from 'rxjs';
+import { filter, take } from 'rxjs/operators';
 
 import { AddressDetailDialogComponent } from '../address-detail-dialog/address-detail-dialog.component';
 
@@ -18,21 +22,37 @@ import { AddressDetailDialogComponent } from '../address-detail-dialog/address-d
     styleUrls: ['./address-card.component.scss'],
     changeDetection: ChangeDetectionStrategy.OnPush,
 })
-export class AddressCardComponent implements OnInit {
+export class AddressCardComponent implements OnInit, OnChanges {
     @Input() addressForm: FormGroup;
     @Input() customFields: CustomFieldConfig;
     @Input() availableCountries: GetAvailableCountries.Items[] = [];
     @Input() isDefaultBilling: string;
     @Input() isDefaultShipping: string;
     @Output() setAsDefaultShipping = new EventEmitter<string>();
     @Output() setAsDefaultBilling = new EventEmitter<string>();
+    private dataDependenciesPopulated = new BehaviorSubject<boolean>(false);
 
     constructor(private modalService: ModalService, private changeDetector: ChangeDetectorRef) {}
 
     ngOnInit(): void {
         const streetLine1 = this.addressForm.get('streetLine1') as FormControl;
+        // Make the address dialog display automatically if there is no address line
+        // as is the case when adding a new address.
         if (!streetLine1.value) {
-            this.editAddress();
+            this.dataDependenciesPopulated
+                .pipe(
+                    filter(value => value),
+                    take(1),
+                )
+                .subscribe(() => {
+                    this.editAddress();
+                });
+        }
+    }
+
+    ngOnChanges(changes: SimpleChanges) {
+        if (this.customFields != null && this.availableCountries != null) {
+            this.dataDependenciesPopulated.next(true);
         }
     }
 

packages/admin-ui/src/lib/customer/src/components/customer-detail/customer-detail.component.ts

@@ -161,6 +161,13 @@ export class CustomerDetailComponent extends BaseDetailComponent<CustomerWithOrd
             defaultShippingAddress: false,
             defaultBillingAddress: false,
         });
+        if (this.addressCustomFields.length) {
+            const customFieldsGroup = this.formBuilder.group({});
+            for (const fieldDef of this.addressCustomFields) {
+                customFieldsGroup.addControl(fieldDef.name, new FormControl(''));
+            }
+            newAddress.addControl('customFields', customFieldsGroup);
+        }
         addressFormArray.push(newAddress);
     }
 

packages/admin-ui/src/lib/order/src/components/order-detail/order-detail.component.html

@@ -37,7 +37,7 @@
                 >
                     <clr-icon shape="error-standard" class="is-error"></clr-icon>
                     <ng-container
-                        *ngIf="order.state !== 'PaymentAuthorized' && !order.active; else cancelOnly"
+                        *ngIf="orderHasSettledPayments(order); else cancelOnly"
                     >
                         {{ 'order.refund-and-cancel-order' | translate }}
                     </ng-container>

packages/admin-ui/src/lib/order/src/components/order-detail/order-detail.component.ts

@@ -234,7 +234,8 @@ export class OrderDetailComponent extends BaseDetailComponent<OrderDetail.Fragme
     }
 
     cancelOrRefund(order: OrderDetail.Fragment) {
-        if (order.state === 'PaymentAuthorized' || order.active === true) {
+        const isRefundable = this.orderHasSettledPayments(order);
+        if (order.state === 'PaymentAuthorized' || order.active === true || !isRefundable) {
             this.cancelOrder(order);
         } else {
             this.refundOrder(order);
@@ -338,6 +339,10 @@ export class OrderDetailComponent extends BaseDetailComponent<OrderDetail.Fragme
             });
     }
 
+    orderHasSettledPayments(order: OrderDetail.Fragment): boolean {
+        return !!order.payments?.find(p => p.state === 'Settled');
+    }
+
     private cancelOrder(order: OrderDetail.Fragment) {
         this.modalService
             .fromComponent(CancelOrderDialogComponent, {

packages/asset-server-plugin/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vendure/asset-server-plugin",
-  "version": "0.15.1",
+  "version": "0.15.2",
   "main": "lib/index.js",
   "types": "lib/index.d.ts",
   "files": [
@@ -23,7 +23,7 @@
     "@types/node-fetch": "^2.5.4",
     "@types/sharp": "^0.24.0",
     "@vendure/common": "^0.15.0",
-    "@vendure/core": "^0.15.1",
+    "@vendure/core": "^0.15.2",
     "aws-sdk": "^2.670.0",
     "express": "^4.16.4",
     "node-fetch": "^2.6.0",

packages/core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vendure/core",
-  "version": "0.15.1",
+  "version": "0.15.2",
   "description": "A modern, headless ecommerce framework",
   "repository": {
     "type": "git",

packages/core/src/api/common/id-codec.ts

@@ -11,7 +11,7 @@ const ID_KEYS = ['id'];
  * (ProductService etc) all entity IDs are in the form used as the primary key in the database.
  */
 export class IdCodec {
-    constructor(private entityIdStrategy: EntityIdStrategy) {}
+    constructor(private entityIdStrategy: EntityIdStrategy<any>) {}
 
     /**
      * Decode an id from the client into the format used as the database primary key.

packages/core/src/api/schema/type/order.type.graphql

@@ -18,6 +18,7 @@ type Order implements Node {
     promotions: [Promotion!]!
     payments: [Payment!]
     fulfillments: [Fulfillment!]
+    totalQuantity: Int!
     subTotalBeforeTax: Int!
     "The subTotal is the total of the OrderLines, before order-level promotions and shipping has been applied."
     subTotal: Int!