# support
m
The API documentation indicates that `/api/orders/current` should accept a guest token — `X-Spree-Order-Token` — for authorization, however that endpoint returns a 401 when using a guest token. I would expect it to return the guest order associated with that token, no?
c
What is the message you are getting in the response body? That might help you narrow the issue down https://github.com/solidusio/solidus/blob/master/api/app/controllers/spree/api/base_controller.rb#L53-L57
m
```json
{
  "error": "You are not authorized to perform that action."
}
```
c
Using an order token for `/api/orders/current` doesn’t make much sense, you may just want to fetch the order that token belongs to
m
Right, I was hoping to get the guest order without using the order ID.
c
It seems like you are getting an authorization error, not an authentication error, so it may be that the order you are getting back doesn’t correspond to the token you are providing
m
That’s weird. Since the endpoint doesn’t take any order ID or number in the body, I was thinking that it would just return whatever current order is associated with that token. There’s no way to specify an order using that endpoint anyway.
So seems strange that it would accept a guest token at all.
c
Yeah, I feel like this came up recently in a discussion or an issue, but I can’t seem to find it now.
m
Probably why I should be asking on GH discussions rather than here, since Slack messages are ephemeral.
👍🏼 1
c
Looking at the controller, it looks like you are maybe getting an error from this before filter https://github.com/solidusio/solidus/blob/master/api/app/controllers/spree/api/base_controller.rb#L24
At least based on the error message you shared, that’s my best guess. A `pry` might help confirm what is going on
Though, if no `order_id` or `order_number` is provided I am not sure how that would do the right thing 😕
m
Right. And if you include an API token in the auth headers, then it looks up the order for the API user, not the guest.
👍🏼 1
c
I think this is worthwhile bringing up in an issue and if there is intention behind this we can convert to a discussion
It’s possible the inclusion of the order token for this action as a means of authentication was an oversight.
m
Ok. I’ll make an issue and see what folks say. In the meantime, probably easier to reserve use of that endpoint for logged-in users. I’ll just store the order number in a cookie for guest users and hit `/api/orders/:number` rather than try to use the same endpoint for both — though it would be nice.
👍🏼 1
c
The whole body of this controller action is conditional on `current_api_user` so I agree with you 👍 https://github.com/solidusio/solidus/blob/master/api/app/controllers/spree/api/orders_controller.rb#L89-L93
🙏 1
k
I think we just fixed the api documentation on that endpoint, which should be available live on the next Solidus release.
👍🏼 1
m
Ahhh, so it’s working as expected then?
k
If I remember correctly, yes!
There should be some motivation around that in the PR itself
c
Thanks for digging this up @kennyadsl! I knew this came up recently but my search failed me 😂
👍 1
m
All makes sense now. Thanks!
🙏 1