API Internal Server Error PATCH /api/v2/storefront/cart/associate #11748

Open
mlf20 opened this issue Aug 11, 2022 · 0 comments

The Spree v4.4.0 API endpoint '/api/v2/storefront/cart/associate' returns a 500 error when a user requests the endpoint with a malformed request in the query.

Context

When an authenticated user queries the endpoint '/api/v2/storefront/cart/associate' with a malformed request, the result is an internal server error due to an unpermitted parameter in an SQL query:

guest_order_token=HEPqKTcP353HuIHSWTeQVA1653775309692&include=0.0&fields%5Bcart%5D=token,currency,number

Expected Behavior

Returns 400 response as the request body is malformed.

Actual Behavior

Returns 500 response code from an internal server error.

Steps to Reproduce

  1. Install the demo version of Spree as a Docker container (link).
  2. Obtain authentication token of user:
    curl -H 'Content-Type: application/json' -d '{"username": "spree@example.com", "password": "spree123", "grant_type": "password"}' -X POST http://localhost:4000/spree_oauth/token
    
  3. Submit a GET request to the endpoint with the malformed request:
    curl -H 'Content-Type: application/json' -X PATCH 'http://localhost:4000/api/v2/storefront/taxons?filter%5Bparent_permalink%5D=clothes&filter%5Broots%5D=False'
    

Your Environment

Started PATCH "/api/v2/storefront/cart/associate?guest_order_token=HEPqKTcP353HuIHSWTeQVA1653775309692&include=0.0&fields%5Bcart%5D=token,currency,number" for 172.20.0.1 at 2022-08-11 11:35:00 +0000
Cannot render console from 172.20.0.1! Allowed networks: 127.0.0.0/127.255.255.255, ::1
Processing by Spree::Api::V2::Storefront::CartController#associate as JSON
 Parameters: {"guest_order_token"=>"HEPqKTcP353HuIHSWTeQVA1653775309692", "include"=>"0.0", "fields"=>{"cart"=>"token,currency,number"}, "cart"=>{}}
 Spree::Store Load (1.0ms)  SELECT "spree_stores".* FROM "spree_stores" WHERE "spree_stores"."deleted_at" IS NULL AND (url like '%localhost%') ORDER BY "spree_stores"."created_at" ASC LIMIT $1  [["LIMIT", 1]]
 Spree::Store Load (0.9ms)  SELECT "spree_stores".* FROM "spree_stores" WHERE "spree_stores"."deleted_at" IS NULL AND "spree_stores"."default" = $1 ORDER BY "spree_stores"."created_at" ASC LIMIT $2  [["default", true], ["LIMIT", 1]]
 Spree::OauthAccessToken Load (1.7ms)  SELECT "spree_oauth_access_tokens".* FROM "spree_oauth_access_tokens" WHERE "spree_oauth_access_tokens"."token" = $1 LIMIT $2  [["token", "12ad423fa3dc450e2ed47b6bd63d9504e8768533c247bd8b9de26143429806c5"], ["LIMIT", 1]]
 Spree::User Load (1.5ms)  SELECT "spree_users".* FROM "spree_users" WHERE "spree_users"."deleted_at" IS NULL AND "spree_users"."id" = $1 LIMIT $2  [["id", 1], ["LIMIT", 1]]
 Spree::Order Load (4.5ms)  SELECT "spree_orders".* FROM "spree_orders" WHERE "spree_orders"."completed_at" IS NULL AND "spree_orders"."state" != $1 AND "spree_orders"."token" = $2 AND "spree_orders"."currency" = $3 AND "spree_orders"."store_id" = $4 LIMIT $5  [["state", "canceled"], ["token", "HEPqKTcP353HuIHSWTeQVA1653775309692"], ["currency", "USD"], ["store_id", 1], ["LIMIT", 1]]
 Spree::Role Exists? (2.1ms)  SELECT 1 AS one FROM "spree_roles" INNER JOIN "spree_role_users" ON "spree_roles"."id" = "spree_role_users"."role_id" WHERE "spree_role_users"."user_id" = $1 AND "spree_roles"."name" = $2 LIMIT $3  [["user_id", 1], ["name", "admin"], ["LIMIT", 1]]
Completed 500 Internal Server Error in 55ms (ActiveRecord: 11.6ms | Allocations: 11887)


undefined method `user' for nil:NilClass excluded from capture: DSN not set
 
NoMethodError (undefined method `user' for nil:NilClass):
 
spree_core (4.4.0) app/services/spree/cart/associate.rb:7:in `call'
spree_core (4.4.0) lib/spree/service_module.rb:51:in `call'
spree_core (4.4.0) lib/spree/service_module.rb:5:in `call'
spree_api (4.4.0) app/controllers/spree/api/v2/storefront/cart_controller.rb:152:in `associate'
actionpack (6.1.6) lib/action_controller/metal/basic_implicit_render.rb:6:in `send_action'
actionpack (6.1.6) lib/abstract_controller/base.rb:228:in `process_action'
actionpack (6.1.6) lib/action_controller/metal/rendering.rb:30:in `process_action'
actionpack (6.1.6) lib/abstract_controller/callbacks.rb:42:in `block in process_action'
activesupport (6.1.6) lib/active_support/callbacks.rb:117:in `block in run_callbacks'
sentry-raven (3.1.2) lib/raven/integrations/rails/controller_transaction.rb:7:in `block in included'
activesupport (6.1.6) lib/active_support/callbacks.rb:126:in `instance_exec'
activesupport (6.1.6) lib/active_support/callbacks.rb:126:in `block in run_callbacks'
activesupport (6.1.6) lib/active_support/callbacks.rb:137:in `run_callbacks'
actionpack (6.1.6) lib/abstract_controller/callbacks.rb:41:in `process_action'
actionpack (6.1.6) lib/action_controller/metal/rescue.rb:22:in `process_action'
actionpack (6.1.6) lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'
activesupport (6.1.6) lib/active_support/notifications.rb:203:in `block in instrument'
activesupport (6.1.6) lib/active_support/notifications/instrumenter.rb:24:in `instrument'
activesupport (6.1.6) lib/active_support/notifications.rb:203:in `instrument'
actionpack (6.1.6) lib/action_controller/metal/instrumentation.rb:33:in `process_action'
actionpack (6.1.6) lib/action_controller/metal/params_wrapper.rb:249:in `process_action'
activerecord (6.1.6) lib/active_record/railties/controller_runtime.rb:27:in `process_action'
actionpack (6.1.6) lib/abstract_controller/base.rb:165:in `process'
actionview (6.1.6) lib/action_view/rendering.rb:39:in `process'
actionpack (6.1.6) lib/action_controller/metal.rb:190:in `dispatch'
actionpack (6.1.6) lib/action_controller/metal.rb:254:in `dispatch'
actionpack (6.1.6) lib/action_dispatch/routing/route_set.rb:50:in `dispatch'
actionpack (6.1.6) lib/action_dispatch/routing/route_set.rb:33:in `serve'
actionpack (6.1.6) lib/action_dispatch/journey/router.rb:50:in `block in serve'
actionpack (6.1.6) lib/action_dispatch/journey/router.rb:32:in `each'
actionpack (6.1.6) lib/action_dispatch/journey/router.rb:32:in `serve'
actionpack (6.1.6) lib/action_dispatch/routing/route_set.rb:842:in `call'
railties (6.1.6) lib/rails/engine.rb:539:in `call'
railties (6.1.6) lib/rails/railtie.rb:207:in `public_send'
railties (6.1.6) lib/rails/railtie.rb:207:in `method_missing'
actionpack (6.1.6) lib/action_dispatch/routing/mapper.rb:20:in `block in <class:Constraints>'
actionpack (6.1.6) lib/action_dispatch/routing/mapper.rb:49:in `serve'
actionpack (6.1.6) lib/action_dispatch/journey/router.rb:50:in `block in serve'
actionpack (6.1.6) lib/action_dispatch/journey/router.rb:32:in `each'
actionpack (6.1.6) lib/action_dispatch/journey/router.rb:32:in `serve'
actionpack (6.1.6) lib/action_dispatch/routing/route_set.rb:842:in `call'
scout_apm (5.1.1) lib/scout_apm/instant/middleware.rb:55:in `call'
scout_apm (5.1.1) lib/scout_apm/middleware.rb:17:in `call'
bullet (7.0.2) lib/bullet/rack.rb:15:in `call'
warden (1.2.9) lib/warden/manager.rb:36:in `block in call'
warden (1.2.9) lib/warden/manager.rb:34:in `catch'
warden (1.2.9) lib/warden/manager.rb:34:in `call'
rack (2.2.3.1) lib/rack/tempfile_reaper.rb:15:in `call'
rack (2.2.3.1) lib/rack/etag.rb:27:in `call'
rack (2.2.3.1) lib/rack/conditional_get.rb:40:in `call'
rack (2.2.3.1) lib/rack/head.rb:12:in `call'
actionpack (6.1.6) lib/action_dispatch/http/permissions_policy.rb:22:in `call'
actionpack (6.1.6) lib/action_dispatch/http/content_security_policy.rb:19:in `call'
rack (2.2.3.1) lib/rack/session/abstract/id.rb:266:in `context'
rack (2.2.3.1) lib/rack/session/abstract/id.rb:260:in `call'
actionpack (6.1.6) lib/action_dispatch/middleware/cookies.rb:689:in `call'
activerecord (6.1.6) lib/active_record/migration.rb:601:in `call'
actionpack (6.1.6) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
activesupport (6.1.6) lib/active_support/callbacks.rb:98:in `run_callbacks'
actionpack (6.1.6) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
actionpack (6.1.6) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (6.1.6) lib/action_dispatch/middleware/actionable_exceptions.rb:18:in `call'
actionpack (6.1.6) lib/action_dispatch/middleware/debug_exceptions.rb:29:in `call'
web-console (4.2.0) lib/web_console/middleware.rb:132:in `call_app'
web-console (4.2.0) lib/web_console/middleware.rb:19:in `block in call'
web-console (4.2.0) lib/web_console/middleware.rb:17:in `catch'
web-console (4.2.0) lib/web_console/middleware.rb:17:in `call'
actionpack (6.1.6) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
railties (6.1.6) lib/rails/rack/logger.rb:37:in `call_app'
railties (6.1.6) lib/rails/rack/logger.rb:26:in `block in call'
activesupport (6.1.6) lib/active_support/tagged_logging.rb:99:in `block in tagged'
activesupport (6.1.6) lib/active_support/tagged_logging.rb:37:in `tagged'
activesupport (6.1.6) lib/active_support/tagged_logging.rb:99:in `tagged'
railties (6.1.6) lib/rails/rack/logger.rb:26:in `call'
sprockets-rails (3.4.2) lib/sprockets/rails/quiet_assets.rb:13:in `call'
actionpack (6.1.6) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
actionpack (6.1.6) lib/action_dispatch/middleware/request_id.rb:26:in `call'
rack (2.2.3.1) lib/rack/method_override.rb:24:in `call'
rack (2.2.3.1) lib/rack/runtime.rb:22:in `call'
activesupport (6.1.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
actionpack (6.1.6) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (6.1.6) lib/action_dispatch/middleware/static.rb:24:in `call'
rack (2.2.3.1) lib/rack/sendfile.rb:110:in `call'
actionpack (6.1.6) lib/action_dispatch/middleware/host_authorization.rb:142:in `call'
sentry-raven (3.1.2) lib/raven/integrations/rack.rb:51:in `call'
rack-cors (1.1.1) lib/rack/cors.rb:100:in `call'
rack-mini-profiler (3.0.0) lib/mini_profiler/profiler.rb:393:in `call'
railties (6.1.6) lib/rails/engine.rb:539:in `call'
puma (5.6.4) lib/puma/configuration.rb:252:in `call'
puma (5.6.4) lib/puma/request.rb:77:in `block in handle_request'
puma (5.6.4) lib/puma/thread_pool.rb:340:in `with_force_shutdown'
puma (5.6.4) lib/puma/request.rb:76:in `handle_request'
puma (5.6.4) lib/puma/server.rb:441:in `process_client'
puma (5.6.4) lib/puma/thread_pool.rb:147:in `block in spawn_thread'
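
An added illustration, not part of the original report and not Spree's source code: the trace above ends in a NoMethodError for `user` on nil inside the associate service, which surfaces as a 500. The Ruby model below assumes the nil receiver is the guest order that the token lookup did not find, and shows the unguarded call beside a guarded one that answers with a client error; every name, the sample data and the choice of status codes are hypothetical.

```ruby
# Constructed model of the failure mode; not Spree's implementation.
Order  = Struct.new(:token, :user)
Result = Struct.new(:status, :body)

# Constructed sample data: one guest order with no user attached yet.
ORDERS = { 'guest-token-1' => Order.new('guest-token-1', nil) }.freeze

# Returns nil when the token matches no incomplete order.
def find_guest_order(token)
  ORDERS[token]
end

# Unguarded form: uses the lookup result without checking it for nil.
def associate_unguarded(order, user)
  return Result.new(422, 'order already has a user') if order.user

  order.user = user
  Result.new(200, 'associated')
end

# Guarded form: reject bad input and missing orders before any dereference.
def associate_guarded(token, user)
  unless token.is_a?(String) && !token.empty?
    return Result.new(400, 'guest_order_token is missing or malformed')
  end

  order = find_guest_order(token)
  return Result.new(404, 'no guest order for this token') if order.nil?
  return Result.new(422, 'order already has a user') if order.user

  order.user = user
  Result.new(200, 'associated')
end

# Stand-in for the framework: an unhandled exception becomes a 500.
def dispatch
  yield
rescue NoMethodError => e
  Result.new(500, e.class.name)
end

unguarded = dispatch { associate_unguarded(find_guest_order('unknown'), 'alice') }
guarded   = dispatch { associate_guarded('unknown', 'alice') }
puts "unguarded: #{unguarded.status}, guarded: #{guarded.status}"
```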