fix(medusa): Validate customer_id when completing a cart (#3967)

2023-05-07 13:12:06 +02:00
parent eff9f4c6f9
commit 0c58ead6d8
4 changed files with 43 additions and 4 deletions
--- a/.changeset/odd-plants-mate.md
+++ b/.changeset/odd-plants-mate.md
@@ -0,0 +1,5 @@
+---
+"@medusajs/medusa": patch
+---
+
+fix(medusa): validate `customer_id` when completing a cart
--- a/integration-tests/api/tests/store/cart/cart.js
+++ b/integration-tests/api/tests/store/cart/cart.js
@@ -2152,6 +2152,33 @@ describe("/store/carts", () => {
    })
  })

+  it("complete cart throws if there is no customer on the cart", async () => {
+    const api = useApi()
+    const product = await simpleProductFactory(dbConnection)
+    const region = await simpleRegionFactory(dbConnection, { tax_rate: 10 })
+    const cart = await simpleCartFactory(dbConnection, {
+      region: region.id,
+      line_items: [
+        {
+          variant_id: product.variants[0].id,
+          quantity: 1,
+          unit_price: 1000,
+        },
+      ],
+    })
+
+    await api.post(`/store/carts/${cart.id}/payment-sessions`)
+
+    try {
+      await api.post(`/store/carts/${cart.id}/complete`)
+    } catch (err) {
+      expect(err.response.status).toEqual(400)
+      expect(err.response.data.message).toEqual(
+        "Cannot create an order from the cart without a customer"
+      )
+    }
+  })
+
  describe("POST /store/carts/:id/shipping-methods", () => {
    beforeEach(async () => {
      await cartSeeder(dbConnection)
--- a/integration-tests/plugins/tests/inventory/cart/cart.js
+++ b/integration-tests/plugins/tests/inventory/cart/cart.js
@@ -222,8 +222,7 @@ describe("/store/carts", () => {
      expect(getRes.response.status).toEqual(400)
      expect(getRes.response.data).toEqual({
        type: "invalid_data",
-        message:
-          "Can't insert null value in field customer_id on insert in table order",
+        message: "Cannot create an order from the cart without a customer",
      })

      const inventoryService = appContainer.resolve("inventoryService")
@@ -232,6 +231,7 @@ describe("/store/carts", () => {
      })
      expect(count).toEqual(0)
    })
+
    it("fails to add a item on the cart if the inventory isn't enough", async () => {
      const api = useApi()

--- a/packages/medusa/src/services/order.ts
+++ b/packages/medusa/src/services/order.ts
@@ -637,6 +637,13 @@ class OrderService extends TransactionBaseService {
        )
      }

+      if (!cart.customer_id) {
+        throw new MedusaError(
+          MedusaError.Types.INVALID_DATA,
+          "Cannot create an order from the cart without a customer"
+        )
+      }
+
      const { payment, region, total } = cart

      // Would be the case if a discount code is applied that covers the item
@@ -667,7 +674,7 @@ class OrderService extends TransactionBaseService {
      // Is the cascade insert really used? Also, is it really necessary to pass the entire entities when creating or updating?
      // We normally should only pass what is needed?
      const shippingMethods = cart.shipping_methods.map((method) => {
-        (method.tax_lines as any) = undefined
+        ;(method.tax_lines as any) = undefined
        return method
      })

@@ -775,7 +782,7 @@ class OrderService extends TransactionBaseService {
            // TODO: Due to cascade insert we have to remove the tax_lines that have been added by the cart decorate totals.
            // Is the cascade insert really used? Also, is it really necessary to pass the entire entities when creating or updating?
            // We normally should only pass what is needed?
-            (method.tax_lines as any) = undefined
+            ;(method.tax_lines as any) = undefined
            return shippingOptionServiceTx.updateShippingMethod(method.id, {
              order_id: order.id,
            })