CartLoadRoute is called with unauthenticated SalesChannelContext via CacheResponseSubscriber after LoginRoute

[nyze2oo9]

PHP Version

8.3

Shopware Version

6.5.8.8

Expected behaviour

After the initial login (when there's no entry for a specific customer in sales_channel_api_context), the SalesChannelContext passed to CartLoadRoute->load() from CacheResponseSubscriber->setResponseCache() should be "re-fetched"/"rebuilt" before calling $cart = $this->cartService->getCart($context->getToken(), $context); to ensure that the correct authenticated SalesChannelContext (with customer and customerId correctly set) is available in CartLoadRoute->load().

Maybe it could also be feasible to relocate the check below, preceding the call to $this->cartService->getCart(), but I'm uncertain about the potential performance implications this may entail.

// We need to allow it on login, otherwise the state is wrong
if (!($route === 'frontend.account.login' || $request->getMethod() === Request::METHOD_GET)) {
  return;
}

Actual behaviour

Currently, after the initial login (when there's no entry in sales_channel_api_context), the SalesChannelContext passed to CartLoadRoute->load() from CacheResponseSubscriber->setResponseCache() does not include information about the newly logged-in customer. From the second login onwards (when an entry in sales_channel_api_context exists), the passed SalesChannelContext contains the accurate information about the currently logged-in customer.

How to reproduce

1. Remove all entries from sales_channel_api_context for a specific customer.
2. Add $context->ensureLoggedIn(false) to a RouteDecorator for store-api.checkout.cart.read.
3. Make a request to store-api.account.login.
4. The first request will fail with code store-api.account.login (because of the missing customer and customerId).
5. From the second request onward the request will succeed.

[shopware-issue-bot]

We found the following existing issues which may help or are related to your topic:

• SalesChannelRequestContextResolver does not resolve logged user after xhr request
• Unnecessary memoize cache for sales channel context in SalesChannelRequestContextResolver
• Loses Session in store-api/register route
• After logging out customer_id is now set to NULL in the sales_channel_api_context table
• CartPersister::load has unnecessary sales channel context requirement
• SalesChannel API guest-order does not login customer correctly
• refactor: Cleanup internals of SalesChannelRequestContextResolver
• [GitHub] refactor: Cleanup internals of SalesChannelRequestContextResolver
• Cookie-Consent for single Saleschannel doesn't work
• HandlePaymentMethodRoute does not contain correct RedirectResponse

[shyim]

Maybe we need to move this into the Login Route? 🤔

shopware/src/Storefront/Controller/AuthController.php

Lines 164 to 176 in 3ba890a

	$newContext = $this->salesChannelContextService->get(
	new SalesChannelContextServiceParameters(
	$context->getSalesChannelId(),
	$token,
	$context->getLanguageId(),
	$context->getCurrencyId(),
	$context->getDomainId(),
	$context->getContext()
	)
	);
	// Update the sales channel context for CacheResponseSubscriber
	$request->attributes->set(PlatformRequest::ATTRIBUTE_SALES_CHANNEL_CONTEXT_OBJECT, $newContext);

[nyze2oo9]

I can confirm, that it work with a RouteDecorator for the LoginRoute

  #[Route(path: '/store-api/account/login', name: 'store-api.account.login', methods: ['POST'])]
  public function login(RequestDataBag $data, SalesChannelContext $context): ContextTokenResponse
  {
    $result = $this->decorated->login($data, $context);

    $newContext = $this->salesChannelContextService->get(
      new SalesChannelContextServiceParameters(
        $context->getSalesChannelId(),
        $result->getToken(),
        $context->getLanguageId(),
        $context->getCurrencyId(),
        $context->getDomainId(),
        $context->getContext()
      )
    );
    $request = $this->requestStack->getCurrentRequest();
    $request->attributes->set(PlatformRequest::ATTRIBUTE_SALES_CHANNEL_CONTEXT_OBJECT, $newContext);

    return $result;
  }

One thing I don't like is the fact that I had to inject the RequestStack into the decorator because the login method only gets passed the RequestDataBag.

If desired, I can work on a PR in the next few days to get this fix into the original route and get rid of the decorator?

[shyim]

sounds good :)

I would also check that getCurrentRequest is not null, before using it