Provide cart session management without user sessions

This needs some testing. To enable, alter your site's sites/default/services.yml. Enable the new service:

parameters:
  commerce_cart_api.token_cart_session: true

Rebuild your cache.

I was able to use Postman to add an item to my cart and retrieve it without cookies or a session. Here I used a token called fruitloops. Normally it'd be a token, like the one from /session/token

Add to cart

curl -X POST \
  'http://commerce2x.ddev.local/cart/add?_format=json' \
  -H 'Content-Type: application/json' \
  -H 'X-Cart-Token: fruitloops' \
  -d '[
          {
            "purchased_entity_type": "commerce_product_variation",
            "purchased_entity_id": 49,
            "quantity": 1
          }
        ]'

Carts collection

curl -X GET \
  'http://commerce2x.ddev.local/cart?_format=json' \
  -H 'Postman-Token: 595417e3-5448-4078-a5a9-c070989888c4' \
  -H 'X-Cart-Token: fruitloops'

Response (after two add to carts)

[
    {
        "order_id": 18,
        "uuid": "81b9ed25-f7dd-41d5-b82e-35dbe5ccb327",
        "order_number": null,
        "store_id": 1,
        "total_price": {
            "number": "50.000000",
            "currency_code": "USD",
            "formatted": "$50.00"
        },
        "order_items": [
            {
                "order_item_id": 20,
                "uuid": "127217a5-bb80-40d2-b7fe-90cb338f5b92",
                "order_id": 18,
                "purchased_entity": {
                    "variation_id": 49,
                    "uuid": "47b14b42-b9ab-470d-9a7b-93f2aeb3760b",
                    "type": "simple",
                    "product_id": 44,
                    "sku": "UT-KnitHat-MNPlum",
                    "title": "Knit Hat in Midnight Plum",
                    "list_price": {
                        "number": null,
                        "currency_code": null
                    },
                    "price": {
                        "number": "25.000000",
                        "currency_code": "USD",
                        "formatted": "$25.00"
                    },
                    "field_images": [
                        51
                    ],
                    "weight": {
                        "number": "1.000000",
                        "unit": "kg"
                    }
                },
                "title": "Knit Hat in Midnight Plum",
                "quantity": "2.00",
                "unit_price": {
                    "number": "25.000000",
                    "currency_code": "USD",
                    "formatted": "$25.00"
                },
                "total_price": {
                    "number": "50.000000",
                    "currency_code": "USD",
                    "formatted": "$50.00"
                }
            }
        ]
    }
]

The only problem is this: we do not have a checkout API, and you couldn't redirect to the checkout form and proceed with the order unless you setup a route to "claim" an order. That's also kind of hard because \Drupal\commerce_checkout\Controller\CheckoutController::checkAccess dips into the Cart Session class. The header will not always be present.

We could pass the token as a query parameter, but that would disappear after the first request. What would be nice is if there was a way to support the PHP session based storage and a token-based one. This way you could have a fully decoupled frontend that linked to your backend (directly, iframe, etc) for checkout.

The private.tempstore requires a session

  protected function getOwner() {
    $owner = $this->currentUser->id();
    if ($this->currentUser->isAnonymous()) {
      $this->startSession();
....

  protected function startSession() {
    $has_session = $this->requestStack
      ->getCurrentRequest()
      ->hasSession();
    if (!$has_session) {
      /** @var \Symfony\Component\HttpFoundation\Session\SessionInterface $session */
      $session = \Drupal::service('session');
      $this->requestStack->getCurrentRequest()->setSession($session);
      $session->start();
    }
  }

\Drupal\commerce_cart_api\TokenCartSession could extend or decorate the default \Drupal\commerce_cart\CartSession. Each method could ensure the session is populated.

The session cookie is not transmitted during XHR requests, but it is still respected on the server. This might allow for fully decoupled cart management but still enable using the coupled checkout form.

Thanks to gabesullice who pointed me to https://tools.ietf.org/html/rfc6648. The header should be renamed something like Commerce-Cart-Token.

Okay, changed the service parameter to:

parameters:
  commerce_cart_api:
    use_token_cart_session: false

This now decorates the core service. Should allow working with fully decoupled and preserve progressively decoupled if enabled. Also the idea of cross-origin domain requests but a single checkout form.

This still does not work, as the private tempstore relies on a session, which cannot be tracked. Add to cart is still working.. but fetching the carts via the token does not work.

When directly fetching the cart resource in browser I can get

[{"order_id":35,"uuid":"9a7807f4-132e-4a42-a52c-9b63d979e650","order_number":null,"store_id":1,"total_price":{"number":"299.940000","currency_code":"USD","formatted":"$299.94"},"order_items":[{"order_item_id":265,"uuid":"843f3eea-6c24-487e-b3b7-8b0f42786e4b","order_id":35,"purchased_entity":{"variation_id":36,"uuid":"af1f9528-cca6-4034-afc6-928adcc2e31e","type":"simple","product_id":31,"sku":"PT-GiganticFlamingo-001","title":"Gigantic Inflatable Flamingo","list_price":{"number":null,"currency_code":null},"price":{"number":"49.990000","currency_code":"USD","formatted":"$49.99"},"field_images":[38],"weight":{"number":"1.000000","unit":"kg"}},"title":"Gigantic Inflatable Flamingo","quantity":"6.00","unit_price":{"number":"49.990000","currency_code":"USD","formatted":"$49.99"},"total_price":{"number":"299.940000","currency_code":"USD","formatted":"$299.94"}}]}]

But over AJAX it is empty.

Using the shared tempstore did the trick! All endpoints were cached behind page_cache or internal_page_cache and busted appropriately. I was then able to click the link to enter checkout, such as http://commerce2x-api.ddev.local/checkout/36 and purchase my products.

There is one problem: when a new cart is created, the cart collection cache does not bust. This is only noticeable when page_cache is active, which normally is not present when a session is activated.

When setting the following to disable the page_cache, everything works fine.

$settings['container_yamls'][] = DRUPAL_ROOT . '/sites/development.services.yml';
$settings['cache']['bins']['page'] = 'cache.backend.null';

The cart collection's cache information is:

X-Drupal-Cache-Contexts: cart store
X-Drupal-Cache-Tags: commerce_order:38 config:rest.resource.commerce_cart_collection config:rest.settings http_response

page_cache does not respect contexts. Whatever tag is invalidated when an order is updated needs to be attached to the response. However, that would make it impossible to cache that endpoint.

Entities by default have the following cache tag: ENTITY_TYPE_ID:ENTITY_ID

  /**
   * {@inheritdoc}
   */
  public function getCacheTagsToInvalidate() {
    // @todo Add bundle-specific listing cache tag?
    //   https://www.drupal.org/node/2145751
    if ($this->isNew()) {
      return [];
    }
    return [$this->entityTypeId . ':' . $this->id()];
  }

  /**
   * {@inheritdoc}
   */
  public function getCacheTags() {
    if ($this->cacheTags) {
      return Cache::mergeTags($this->getCacheTagsToInvalidate(), $this->cacheTags);
    }
    return $this->getCacheTagsToInvalidate();
  }

This adds a page_cache_response_policy service to deny the cart collection from being cache under page_cache.

When testing this using a decoupled site:

• Chrome: add to cart, click link to API_DOMAIN/checkout/{order_id}: OK, can checkout.
• Firefox: add to cart, click link to API_DOMAIN/checkout/{order_id}: OK, can checkout.
• Brave: add to cart, click link to API_DOMAIN/checkout/{order_id}: FAILURE, access denied, cannot checkout.
• Safari: add to cart, click link to API_DOMAIN/checkout/{order_id}: FAILURE, access denied, cannot checkout.

If that is the case, it is worth removing the cart session decoration and just full on replacing it, and providing details on how to create an "order claim" controller.

This patch adds an event subscriber which allows passing ?cartToken to convert the token cart data to the user's session.

This takes the advice from #16 and decorates session_configuration so that the Commerce-Cart-Token header or cartToken query parameter additional specify if a session is active.

  public function hasSession(Request $request) {
    return $this->decorated->hasSession($request) || 
        $request->headers->has(CartTokenSession::HEADER_NAME) || 
        $request->query->has(CartTokenSession::QUERY_NAME);
  }

It does! The session is definitely being activated and page_cache is ignored. I'm having some weird problems on my remote for the entire process, but that's something else I think.

Bah, I had a horrible subscribed events definition in my event subscriber.

CartTokenClaimSubscriber needs to run before RouterListener which executes routing access checks.

HEAD fixed. Retesting

Commerce-Cart-Token needs to be added to the Vary header.

Adding a Vary that should bust reverse proxy caches if Drupal has a max page cache configured.

Bad patch, re-do!

Patch with clean up for commit.

🙌working like a charm.

P.S.: issue credit would be cool :)

D'oh! I thought I checked the box.

The code in #32 only exists when linking to the checkout via query parameter.

Cart token is fully supported and implemented on https://commerce-demo-decoupled.firebaseapp.com/. Reference here: https://github.com/mglaman/commerce_demo_decoupled

Can you open a new issue for your specific problem and we can track it there?

---

- I had to add a service parameter to activate the feature, which is undocumented

I thought I added that to https://www.drupal.org/docs/8/modules/commerce-cart-api/cart-token-sessions, but I did not. :) Sorry

- I have huge performance problems. Getting a cart takes multiple seconds on a plain new system
- I sometime have lock errors.

That's.. odd. The backend serving the demo has minimal setup and no additional performance items.

I had 15'000 copies of the same order ID in the tempstore.

😱That would do it!

This is definitely a more experimental feature, which is why it is off by default. So far it has been working for demos and initial "production" like usage. It would be worth investigating how the tempstore exploded.