Delete cart return ok but nothing is deleted

[yaroldlord]

Prerequisites

• I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
• The issue still exists against the latest master branch of Cart REST-API for WooCommerce on Github (this is not the same version as on WordPress.org!)
• I have attempted to find the simplest possible steps to reproduce the issue.
• I have included a failing test as a pull request (Optional)
• I have installed the requirements to run this plugin.

Steps to reproduce the issue

1. add a product in cart
2. get cart_item_key
3. call delete with cart_item_key

Expected/actual behaviour

When I follow those steps, I see: http 200 and the response is "Item has been removed from cart." but the product is still in the cart

I was expecting to see : the product diseapear from the cart

Isolating the problem

• This bug happens with only WooCommerce and Cart REST-API for WooCommerce plugin are active.
• This bug happens with a default WordPress theme active.
• This bug happens with the WordPress theme Storefront active.
• This bug happens with the latest release of WooCommerce active.
• I can reproduce this bug consistently using the steps above.

Add, update and get works fine.

WordPress Environment

` ### WordPress Environment ###

WC Version: 3.4.4
Log Directory Writable: ✔
WP Version: 4.9.8
WP Multisite: –
WP Memory Limit: 256 MB
WP Debug Mode: –
WP Cron: ✔
Language: en_US
External object cache: –

Server Environment

Server Info: nginx/1.12.2
PHP Version: 5.4.16 - ❌ WooCommerce will run under this version of PHP
however
it has reached end of life. We recommend using PHP version 7.2 or above for greater performance and security. How to update your PHP version

PHP Post Max Size: 8 MB
PHP Time Limit: 30
PHP Max Input Vars: 1000
cURL Version: 7.29.0
NSS/3.34

SUHOSIN Installed: –
MySQL Version: 5.5.60-MariaDB
Max Upload Size: 2 MB
Default Timezone is UTC: ✔
fsockopen/cURL: ✔
SoapClient: ❌ Your server does not have the SoapClient class enabled - some gateway plugins which use SOAP may not work as expected.
DOMDocument: ❌ Your server does not have the DOMDocument class enabled - HTML/Multipart emails
and also some extensions
will not work without DOMDocument.

GZip: ✔
Multibyte String: ❌ Your server does not support the mbstring functions - this is required for better character encoding. Some fallbacks will be used instead for it.
Remote Post: ✔
Remote Get: ✔

Database

WC Database Version: 3.4.4
WC Database Prefix: wp_
MaxMind GeoIP Database: ✔
Total Database Size: 10.84MB
Database Data Size: 5.80MB
Database Index Size: 5.04MB
wp_woocommerce_sessions: Data: 0.02MB + Index: 0.02MB
wp_woocommerce_api_keys: Data: 0.02MB + Index: 0.03MB
wp_woocommerce_attribute_taxonomies: Data: 0.02MB + Index: 0.02MB
wp_woocommerce_downloadable_product_permissions: Data: 0.02MB + Index: 0.05MB
wp_woocommerce_order_items: Data: 0.02MB + Index: 0.02MB
wp_woocommerce_order_itemmeta: Data: 0.02MB + Index: 0.03MB
wp_woocommerce_tax_rates: Data: 0.02MB + Index: 0.06MB
wp_woocommerce_tax_rate_locations: Data: 0.02MB + Index: 0.03MB
wp_woocommerce_shipping_zones: Data: 0.02MB + Index: 0.00MB
wp_woocommerce_shipping_zone_locations: Data: 0.02MB + Index: 0.03MB
wp_woocommerce_shipping_zone_methods: Data: 0.02MB + Index: 0.00MB
wp_woocommerce_payment_tokens: Data: 0.02MB + Index: 0.02MB
wp_woocommerce_payment_tokenmeta: Data: 0.02MB + Index: 0.03MB
wp_woocommerce_log: Data: 0.02MB + Index: 0.02MB
wp_commentmeta: Data: 0.02MB + Index: 0.03MB
wp_comments: Data: 0.02MB + Index: 0.09MB
wp_links: Data: 0.02MB + Index: 0.02MB
wp_options: Data: 2.03MB + Index: 0.02MB
wp_postmeta: Data: 2.02MB + Index: 4.05MB
wp_posts: Data: 1.19MB + Index: 0.20MB
wp_termmeta: Data: 0.02MB + Index: 0.03MB
wp_terms: Data: 0.02MB + Index: 0.03MB
wp_term_relationships: Data: 0.08MB + Index: 0.05MB
wp_term_taxonomy: Data: 0.02MB + Index: 0.03MB
wp_usermeta: Data: 0.02MB + Index: 0.03MB
wp_users: Data: 0.02MB + Index: 0.05MB
wp_wc_download_log: Data: 0.02MB + Index: 0.03MB
wp_wc_webhooks: Data: 0.02MB + Index: 0.02MB

Post Type Counts

attachment: 323
page: 26
post: 2
product: 452
revision: 31

Security

Secure connection (HTTPS): ❌
Your store is not using HTTPS. Learn more about HTTPS and SSL Certificates.
Hide errors from visitors: ✔

Active Plugins (2)

Cart REST API for WooCommerce: by Sébastien Dumont – 1.0.4
WooCommerce: by Automattic – 3.4.4

Settings

API Enabled: –
Force SSL: –
Currency: EUR (€)
Currency Position: right
Thousand Separator:
Decimal Separator: ,
Number of Decimals: 2
Taxonomies: Product Types: external (external)
grouped (grouped)
simple (simple)
variable (variable)

Taxonomies: Product Visibility: exclude-from-catalog (exclude-from-catalog)
exclude-from-search (exclude-from-search)
featured (featured)
outofstock (outofstock)
rated-1 (rated-1)
rated-2 (rated-2)
rated-3 (rated-3)
rated-4 (rated-4)
rated-5 (rated-5)

WC Pages

Shop base: #5 - /shop/
Cart: #6 - /divers/cart/
Checkout: #7 - /divers/checkout/
My account: #8 - /divers/my-account/
Terms and conditions: ❌ Page not set

Theme

Name: Shop Isle
Version: 1.1.46
Author URL: https://themeisle.com
Child Theme: ❌ – If you are modifying WooCommerce on a parent theme that you did not build personally we recommend using a child theme. See: How to create a child theme
WooCommerce Support: ✔

Templates

Overrides: –
`

[seb86]

@yaroldlord Are you able to remove it using Postman?

[yaroldlord]

I don't know how to use postman.

I use a simple javascript call

jQuery.each( [ "put", "delete" ], function( i, method ) {
    jQuery[ method ] = function( url, data, callback, type ) {
        if ( jQuery.isFunction( data ) ) {
            type = type || callback;
            callback = data;
            data = undefined;
        }

        return jQuery.ajax({
            url: url,
            type: method,
            dataType: type,
            data: data,
            success: callback
        });
    };
});

function remove_clicked(cart_item_key) {
    return function () {
        // noinspection JSUnresolvedFunction
        $.delete("/wp-json/wc/v2/cart/cart-item", {cart_item_key: cart_item_key}, function () {
            updateCart();
        });
    }

I try also with a curl call. it is the same:

curl "http://xxxxxx/wp-json/wc/v2/cart/cart-item" -X DELETE -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" -H "Accept: */*" -H "Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3" --compressed -H "Referer: http://xxxxx/yyyy/private/projects/view/20180716021" -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" -H "X-Requested-With: XMLHttpRequest" -H "Cookie: wordpress_test_cookie=WP+Cookie+check; sid=xxxxxxx; wordpress_logged_in_xxxxx=xxxxx; wp-settings-1=libraryContent"%"3Dbrowse; wp-settings-time-1=1535320895; woocommerce_items_in_cart=1; woocommerce_cart_hash=xxxxxx; wp_woocommerce_session_xxxxxx=xxxxxx" -H "Connection: keep-alive" --data "cart_item_key=e8fd4a8a5bab2b3785d794ab51fef55c"

Update work fine but it is not possible to have a quantity of 0 so it cannot be a workaround.

[yaroldlord]

I just success to use postman. It is the same. I receive a http 200 with "Item has been removed from cart." but the product is still in the cart.

[seb86]

I just tried in Postman and it works fine. Can you try without authorization applied?

[seb86]

@yaroldlord Have you tried without authorization using Postman yet?

[yaroldlord]

I just try and I have a strange behavior: If I try just after refreshing the page in my browser, I get in postman "Item has been removed from cart". (but the article is not removed) !!! If I try again, I receive "Unable to remove item from cart".

I'm also trying to debug the code of WC_REST_Cart_Controller::remove_item but I do not understand where the problem comes from: The code runs without error, the article is removed from the cart and yet when I ask again the cart it still contains the Article !!

Another point I corrected the error that prevented the update from working with a quantity to 0 ($product_data is not defined in WC_REST_Cart_Controller :: update_item) and the behavior is the same as with remove_item: the request runs without error but the item is not removed from the cart.

What's even stranger is that adding article and changing quantity work without error !!!

[yaroldlord]

I found someone with the same problem as me:
I do not feel lonely anymore ;)

https://stackoverflow.com/questions/52029721/woocommerce-remove-cart-item-not-removing-items-when-logged-in

[yaroldlord]

I try with a new account (not logged as admin for the site) and the problem is still present!

[yaroldlord]

Here an other with the same probleme: https://wordpress.org/support/topic/sometimes-remove_cart_item-does-not-removeing-item

[yaroldlord]

And three! https://wordpress.org/support/topic/problem-with-removing-item-from-cart/

[yaroldlord]

And four! https://wordpress.org/support/topic/remove-cart-item-not-working

[seb86]

I just try and I have a strange behaviour: If I try just after refreshing the page in my browser, I get in postman "Item has been removed from cart". (but the article is not removed) !!! If I try again, I receive "Unable to remove item from cart".

The browser and postman do not connect so viewing the items in cart via the browser and removing them via postman will return false results.

Second, the articles that you have shared are issues with WooCommerce core. Nothing to do with the REST API that I have built.

Is your site or web app live or in a staging area that I can quickly examine?

[yaroldlord]

After running the API the changes are not kept in the wp_woocommerce_sessions table but only in the php session in all case (delete, update, add).

This error has the effect of making the add or update of a product work, but not the delete: the get_cart_from_session function has this behavior when it retrieves the information from the table it takes the information of the session php when they exist otherwise it take that of the table.

The fix is ​​not just a call to persistent_cart_update because the current user has been invalidated by rest_cookie_check_errors which checks for the presence of _wpnonce

[seb86]

So what needs to change?

[yaroldlord]

It's possible to disable persistant cart.
If I add in cart_rest_api_init:
add_filter( 'woocommerce_persistent_cart_enabled', '__return_false' );

The bug diseapear: The delete work fine.

Of course I lose the persistence of the cart at the end of a session.

It's just a bad workaround.

It seems to me that cart-rest-api has a structural flaw complicate to fix.

[seb86]

The issue you have is with WooCommerce, not the API. That filter is for the core of WooCommerce so something is wrong with your setup. I have already confirmed that the API works to remove items. I suggest that you also update your PHP version to fill the requirements WooCommerce needs.

[yaroldlord]

I'm not agree with you.
The mistake is not in wordpress or woocommerce.
It's cart-rest-api that has an error.

The filter rest_cookie_check_errors is call when a route registered by register_rest_route is present.
If you call wp-json/wc/v2 you will get all the registered route.

rest_cookie_check_errors is a general and standard protection against CSRF.

To avoid blocking a _wpnonce parameter must be inserted in the call parameters.
This attribute must contain a secret specific to the session.
https://codex.wordpress.org/WordPress_Nonces

[seb86]

I am able to remove items without the need of using nonces. So this is puzzling.

[yaroldlord]

Some plugin disable persistent cart. Perhaps...

I work with a fresh install of wordpress, woocommerce and cart-rest-api .and nothing else.

[seb86]

I will run more tests when I have more free time to spend on this project and make adjustments.

[yaroldlord]

Fr your information, i managed to use the API with persistant cart enabled by doing these operations:

1. Add a Rest call to get nonce (get_nonce)
2. Call get_nonce from my backend by copying the header of the customer call (ie acting as a proxy)
3. Add the _wpnonce attribute in API calls
4. Add a call to persistent_cart_update within the API

For the 1 I used the trick shown here:
https://wordpress.stackexchange.com/questions/295471/nonce-retrieved-from-the-rest-api-is-invalid-and-different-from-nonce-generated

<?php
/*
Plugin Name:  get_nonce Plugin
*/

$get_nonce = 'invalid';
$secret = 'mySecret';

add_action('wp_loaded', function () {
    global $get_nonce;
    $get_nonce = wp_create_nonce('wp_rest');
});

add_action('rest_api_init', function () {
    register_rest_route('get_nonce', '/call', array(
        'methods' => 'GET',
        'callback' => function ($data = array()) {
            global $get_nonce, $secret;
            $param_secret = !isset($data['secret']) ? '' : wc_clean($data['secret']);
            if ($secret == $param_secret) {
                return $get_nonce;
            }
            return 'erreur';
        },
        'args' => [
            'secret'
        ],
    ));
});

[seb86]

@yaroldlord You never did confirm if you had the same issue as a guest (not logged in).

[yaroldlord]

Sorry.
It works without error when I'm not connected. (with or without persistent cart)