Store API - Cart JWT tokens/session handling #5953
Conversation
Size Change: 0 B. Total Size: 916 kB.
da37d8d to 5e5349c
This is great, Mike. In a mobile app, you'd want the Cart-Token to stay valid for longer than 48 hours; could there be a filter on that? If not, you'd need a way to save the cart locally in the app and restore it via API.
Indeed, this is wonderful stuff. I'd say @scottopolis we'd save the cart, nonetheless. On communication failures or while on the run, going in and out of service, we'd like the cart to be updated locally, and then sync?
# Conflicts:
# docs/internal-developers/testing/releases/440.md
# package-lock.json
# src/StoreApi/Routes/V1/AbstractCartRoute.php
# src/StoreApi/Routes/V1/Batch.php
# src/StoreApi/docs/cart.md
# src/StoreApi/docs/checkout.md
# src/StoreApi/docs/nonce-tokens.md
This reverts commit e64086b.
…kens. Removed third party JWT library.
It could be that we enabled this check recently, but I'm not sure why it's not rebasing.
So I reviewed this and while it works fine and all, it seems to return a new Cart Token on each GET/POST request. I was under the impression that the token would be somehow stable? I will investigate more if it's a sign of time or we're actually creating a new cart each time.
Okay, so I checked the session table and we still have a single session even if the token is changing. This should be fine; I honestly don't understand why, because old tokens still work fine :/
LGTM,
@senadir this is expected behavior, all of those previous tokens point to the same session. The tokens change because with each request the expiration gets renewed, so the token hash is different. Still, all cart changes are made to the same session. We don't need to save tokens, as, being JWT, the signature is verified always.
@mikejolley @wavvves With these changes, would it be possible to create and manage multiple WooCommerce Carts passing a token ID only? Context: p91TBi-5FD-p2#comment-5690
@asumaran It is possible to manage multiple carts, from different users. The Cart-Token, upon signature verification, loads up the corresponding session for it. The nonce must still be supplied for now though.
@wavvves For my use case we need to be able to manage multiple WC Carts whether the user is logged in or not. Do you think this can be possible with these changes or by adding additional code on top of it?
Only the current Cart for each session can be accessed, but as long as the Cart-Token header is provided along with a valid nonce for that particular session, you can manipulate multiple Carts. An example, access GET
* Re-apply token support
* Updated nonce headers
* Updated package-lock.json
* test commit to debug failing git hooks
* Revert "test commit to debug failing git hooks" This reverts commit e64086b.
* JsonWebToken utility class for generating and validating HS256 JWT tokens. Removed third-party JWT library.
* Add ext-hash to composer (required by hash_hmac())
* Removed unnecessary method param.
* Tests for retrieving cart contents via Cart-Token
* Removed token tests (we can't properly test cart token functionality until we refactor the way it intercepts calls to replace the session object)
* Abstracted payload from JsonWebToken class. We can now use it to encode custom payloads and reuse them wherever we want.
* Fixed missing check for token expiration in the payload.
* MD lint error and config fix
* Update composer.lock
* Fixed bug using the wrong nonce header.
* Refactor to properly save session data based on cart token.
* Refactored DB queries to properly use prepared statement
* Removed underscore prefix for class attributes
* Fixed spaces instead of tabs indenting composer.json. Cleaned up .editorconfig
* Cleaned up borked .md comments.
* Comment for WP_SETUP_CONFIG check.
* Reverted SQL prepared statement for including table names.
* Used hash_equals() for signature comparison. Renamed some wrongly named properties.
* Updated composer.lock
* Reverted some accidentally removed lines on some documentation files.
* Reverted accidentally removed line on docs/internal-developers/testing/releases/404.md
* Changed param type from mixed to

Co-authored-by: Paulo Arromba <[email protected]>
Co-authored-by: Seghir Nadir <[email protected]>
Well done @senadir @mikejolley @wavvves, this works well in WooCommerce 7.2.2 🥳
with full API docs here https://github.com/woocommerce/woocommerce-blocks/tree/trunk/src/StoreApi. Endless headless possibilities!
This is great, thank you! Is there any official documentation mentioning this?
Hi @pierre-dekode, no official documentation has been released yet about Cart-Token. Still, here is some information to help you get started:

How to obtain a Cart-Token
Cart endpoints will now return a Cart-Token header in the response headers. This contains a JSON Web Token (JWT), which can later be sent as a request header to the Store API Cart and Checkout endpoints. The quickest way to obtain one is to request GET /wp-json/wc/store/v1/cart and observe the response headers. You should see the Cart-Token header there.

How to use a Cart-Token
Include it in your request for GET /wp-json/wc/store/v1/cart, and the response will contain the current cart state from the session associated with the Cart-Token.

Tip: Add things to a cart in the browser on a logged-in standard session. Take note of the Cart-Token value returned in the cart endpoint's response. Supply that token as a header in a request made through a REST client app or curl to receive the cart contents from your previous browser session.

Furthermore, you can manipulate cart contents (e.g. POST /wp-json/wc/store/v1/cart/add-item) by submitting a valid Nonce request header along with the Cart-Token. The same method will allow you to checkout using the JWT and Nonce via /wp-json/wc/store/v1/checkout.
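As an added illustration (not code from this PR or from woocommerce-blocks, whose JsonWebToken class is PHP), the Python below mints and checks HS256 cart tokens the way the thread describes: a session key and a 48h expiry in the payload, HMAC-SHA256 over header.payload, a constant-time signature comparison (the hash_equals() step from the commit list), and an expiry check. It reproduces the behaviour explained in the earlier reply about changing tokens: re-issuing on each request renews exp, so the token text differs, yet every still-valid token resolves to the same session. It also shows three tokens a verifier must refuse: one whose payload was swapped to another session key while keeping the old signature, an unsigned alg=none token, and a token presented after its 48h lifetime. The secret, the session key, the claim names and the timestamps are all constructed for this example; the real plugin's claim layout may differ.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example only; the plugin keeps its own server-side secret.
SECRET = b"constructed-demo-secret-do-not-use"
TOKEN_TTL = 48 * 3600  # tokens in the PR are valid for 48h


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_cart_token(session_id: str, now: int) -> str:
    """Mint an HS256 JWT naming the cart session, with exp renewed from `now`."""
    header = _encode_json({"alg": "HS256", "typ": "JWT"})
    payload = _encode_json({"session_id": session_id, "exp": now + TOKEN_TTL})
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def resolve_session(token: str, now: int):
    """Return the session id a token points at, or None if it is malformed, forged or expired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        # Check the signature before trusting anything in the payload; compare in
        # constant time, which is what hash_equals() does on the PHP side.
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong number of segments, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":
        return None  # accept only the algorithm we sign with
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None  # the expiry claim is missing or already past
    return payload.get("session_id")


def demo():
    """Walk through the thread's scenario with constructed timestamps."""
    session = "t_a1b2c3"  # constructed session key
    t0 = 1_700_000_000    # constructed 'now'
    first = issue_cart_token(session, t0)
    second = issue_cart_token(session, t0 + 60)  # re-issued by the next request

    # Forgery 1: keep the genuine signature, swap the session id in the payload.
    header_b64, _, sig_b64 = first.split(".")
    victim_payload = _encode_json({"session_id": "t_victim", "exp": t0 + TOKEN_TTL})
    forged = f"{header_b64}.{victim_payload}.{sig_b64}"

    # Forgery 2: the classic alg=none token with an empty signature segment.
    none_header = _encode_json({"alg": "none"})
    alg_none = f"{none_header}.{victim_payload}."

    return {
        "tokens_differ": first != second,
        "first_resolves": resolve_session(first, t0 + 120),
        "second_resolves": resolve_session(second, t0 + 120),
        "first_after_48h": resolve_session(first, t0 + TOKEN_TTL),
        "forged_payload": resolve_session(forged, t0 + 120),
        "alg_none": resolve_session(alg_none, t0 + 120),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The token is only half of what a mutating request needs: as the replies above note, add-item and checkout also require the Nonce header. Keep the signing secret strictly server-side, since anyone holding it can mint a token for any session key.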
Thank you @wavvves. That's what I ended up doing, but your message will surely help many other people :) |
@wavvves I am using the same method of 'cart-token' for the cart APIs but it's giving an error. I have checked the logs and it gives the following error: PHP Fatal error: Uncaught Error: Call to undefined method Automattic\WooCommerce\StoreApi\SessionHandler::has_session() in /wordpress/plugins/woocommerce-gift-cards/1.15.5/includes/class-wc-gc-cart.php:194. Please help me, I am really stuck on this and I am new to WooCommerce.
@jayostwalapporio thanks for reporting that. There is currently work in progress trying to fix that problem. Please create an issue for that so I can link it to the PR.
POC for #5683. Includes changes from #6020.
Returns a header containing a Cart-Token valid for 48h, which can be added as a request header to load a specific cart. Works by extending the WC_Session class to intercept requests with a valid header.
Testing
Automated Tests
User Facing Testing
1. Request /wc/store/v1/cart/add-item. Note down the value of the Cart-Token header.
2. Request /wc/store/v1/cart with a Cart-Token header and the value you noted earlier.
WooCommerce Visibility
Performance Impact
Changelog