cart: do not allow cart mutations via GET, use POST instead (#343)

i-love-flamingo · Oct 8, 2021 · afe9d21 · afe9d21
1 parent 438149d
commit afe9d21
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 13 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -30,6 +30,14 @@
   * **Breaking**: Remove the fields `getAdditionalData, additionalDataKeys, additionalDeliveryInfoKeys` from the `Commerce_CartDeliveryInfo` type
   * **Breaking**: `Commerce_Cart_UpdateDeliveryShippingOptions` mutation responded with slice of `Commerce_Cart_DeliveryAddressForm` which was incorrect as we don't process any form data within the mutation. It responds now rightly only with `processed` state.
 * **Breaking**: Upgrade github.com/go-playground/form to v4, all types are fully compatible, but import paths have to be changed
+* **Breaking**: Do not allow cart mutations via GET anymore. All Add, Update, Delete and Clean actions are affected:
+  * `/cart/add/:marketplaceCode`
+  * `/cart/update/:id`
+  * `/cart/delete/all`
+  * `/cart/clean`
+  * `/cart/delivery/:deliveryCode`
+  * `/cart/delete/delivery/:deliveryCode`
+  * `/cart/delete/:id`
 
 **checkout**
 * Introducing Flamingo events on final states of the place order process

diff --git a/cart/module.go b/cart/module.go
@@ -162,25 +162,25 @@ func (r *routes) Routes(registry *web.RouterRegistry) {
 	registry.HandleAny("cart.view", r.viewController.ViewAction)
 	registry.MustRoute("/cart", "cart.view")
 
-	registry.HandleAny("cart.add", r.viewController.AddAndViewAction)
+	registry.HandlePost("cart.add", r.viewController.AddAndViewAction)
 	registry.MustRoute("/cart/add/:marketplaceCode", `cart.add(marketplaceCode,variantMarketplaceCode?="",qty?="1",deliveryCode?="")`)
 
-	registry.HandleAny("cart.updateQty", r.viewController.UpdateQtyAndViewAction)
+	registry.HandlePost("cart.updateQty", r.viewController.UpdateQtyAndViewAction)
 	registry.MustRoute("/cart/update/:id", `cart.updateQty(id,qty?="1",deliveryCode?="")`)
 
-	registry.HandleAny("cart.deleteAllItems", r.viewController.DeleteAllAndViewAction)
+	registry.HandlePost("cart.deleteAllItems", r.viewController.DeleteAllAndViewAction)
 	registry.MustRoute("/cart/delete/all", "cart.deleteAllItems")
 
-	registry.HandleAny("cart.clean", r.viewController.CleanAndViewAction)
+	registry.HandlePost("cart.clean", r.viewController.CleanAndViewAction)
 	registry.MustRoute("/cart/clean", "cart.clean")
 
 	registry.HandleDelete("cart.clean", r.viewController.CleanAndViewAction)
 	registry.MustRoute("/cart/delivery/:deliveryCode", "cart.clean")
 
-	registry.HandleAny("cart.cleanDelivery", r.viewController.CleanDeliveryAndViewAction)
+	registry.HandlePost("cart.cleanDelivery", r.viewController.CleanDeliveryAndViewAction)
 	registry.MustRoute("/cart/delete/delivery/:deliveryCode", `cart.cleanDelivery(deliveryCode?="")`)
 
-	registry.HandleAny("cart.deleteItem", r.viewController.DeleteAndViewAction)
+	registry.HandlePost("cart.deleteItem", r.viewController.DeleteAndViewAction)
 	registry.MustRoute("/cart/delete/:id", `cart.deleteItem(id,deliveryCode?="")`)
 	r.apiRoutes(registry)
 }

diff --git a/test/integrationtest/projecttest/tests/frontend/testutil_test.go b/test/integrationtest/projecttest/tests/frontend/testutil_test.go
@@ -12,9 +12,9 @@ import (
 )
 
 type (
-	//CartItems list of CartItem
+	// CartItems list of CartItem
 	CartItems []CartItem
-	//CartItem used as simple CartItem representation during test
+	// CartItem used as simple CartItem representation during test
 	CartItem struct {
 		ProductName     string
 		MarketplaceCode string
@@ -29,10 +29,10 @@ const (
 	routeCheckoutSuccess    = "/en/checkout/success"
 )
 
-//CartAddProduct helper
+// CartAddProduct helper
 func CartAddProduct(t *testing.T, e *httpexpect.Expect, marketplaceCode string, qty int, variantMarketplaceCode string, deliveryCode string) {
 	t.Helper()
-	request := e.GET("/en/cart/add/"+marketplaceCode).WithQuery("qty", qty)
+	request := e.POST("/en/cart/add/"+marketplaceCode).WithQuery("qty", qty)
 	if deliveryCode != "" {
 		request = request.WithQuery("deliveryCode", deliveryCode)
 	}
@@ -43,14 +43,14 @@ func CartAddProduct(t *testing.T, e *httpexpect.Expect, marketplaceCode string,
 		Status(http.StatusOK)
 }
 
-//CartApplyVoucher applies a voucher via api
+// CartApplyVoucher applies a voucher via api
 func CartApplyVoucher(t *testing.T, e *httpexpect.Expect, code string) {
 	t.Helper()
 	request := e.POST("/en/api/cart/applyvoucher").WithQuery("couponCode", code)
 	request.Expect().Status(http.StatusOK)
 }
 
-//CartGetItems testhelper
+// CartGetItems testhelper
 func CartGetItems(t *testing.T, e *httpexpect.Expect) CartItems {
 	t.Helper()
 	var items CartItems
@@ -72,7 +72,7 @@ func CartGetItems(t *testing.T, e *httpexpect.Expect) CartItems {
 	return items
 }
 
-//MustContain checks and returns CartItem by marketplaceCode
+// MustContain checks and returns CartItem by marketplaceCode
 func (c CartItems) MustContain(t *testing.T, marketplaceCode string) *CartItem {
 	t.Helper()
 	for _, v := range c {