
Comments (18)

jakobholmelund commented on June 13, 2024

BUMP

from django-oscar-api.

specialunderwear commented on June 13, 2024

This problem you are having, is it while using oscarapi.middleware.HeaderSessionMiddleware or without?

specialunderwear commented on June 13, 2024

By the way your remark about 'clients not using cookies' is spot on.
This api was designed more towards backend systems as consumers instead of web clients as consumers.

What you are seeing now is that you can use the api mixed with the website for AUTHENTICATED users, but for anonymous users you cannot mix regular oscar views with api views. That is because oscar keeps the basket id in a cookie; since there might not be any cookies, that mechanism cannot be used by the api.

jakobholmelund commented on June 13, 2024

Is there any easy fix for this? Off the top of my head, it would be to actually create a user for anonymous users, maybe with a special role, and then log them in automatically? Maybe I'm overthinking this.

iraycd commented on June 13, 2024

@jakobholmelund 👍 Nice idea.

specialunderwear commented on June 13, 2024

I think you could write a middleware that copies the basket id from the cookie to the session?

jakobholmelund commented on June 13, 2024

Hmm, after fiddling a bit it seems that my oscar_open_basket cookie is in the format "15:_1bd6Cc9NYDQkEfFP4KdAOR7fSw". When trying to copy this to the session with (taken from the login handler)

anonymous_basket = operations.get_anonymous_basket(request)

It seems to expect an integer. I haven't used the login handler since I'm using the api for a mixed web/api approach, so I don't know if I'm supposed to split the id myself?

specialunderwear commented on June 13, 2024

You need to unsign the cookie id, look here: https://github.com/django-oscar/django-oscar/blob/1.0.2/oscar/apps/basket/middleware.py#L174

Most likely you should extend that middleware.

jakobholmelund commented on June 13, 2024

Just so I don't misunderstand. What I want to do is open up that /oscarapi/basket/ to anonymous users on the current domain. I would think that the HeaderSessionMiddleware would take care of this? My middleware config is

MIDDLEWARE_CLASSES = (
    # 'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'oscarapi.middleware.HeaderSessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'sonofatailor.middleware.BasketMiddleware',
    'django.contrib.flatpages.middleware.FlatpageFallbackMiddleware',
    'django.middleware.locale.LocaleMiddleware',
    'django.middleware.gzip.GZipMiddleware',
    'pipeline.middleware.MinifyHTMLMiddleware',
)

jakobholmelund commented on June 13, 2024

I'm an idiot... I had

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.IsAdminUser',),
    'CHARSET': 'utf-8'
}

in my config... No wonder it didn't work :/

With that line removed, and the modified middleware, everything seems to work.

specialunderwear commented on June 13, 2024

Which middleware? The one you made or mine (HeaderSessionMiddleware)?
If it is yours, maybe you can contribute it?

specialunderwear commented on June 13, 2024

@jakobholmelund did you create a middleware that implements this, or did HeaderSessionMiddleware work for you?

jakobholmelund commented on June 13, 2024

Hi again. Sorry I didn't get back before.

Right now I'm using the HeaderSessionMiddleware as well as 2 other custom middlewares. At this point I'm not really sure if both of my own middlewares are needed, but I haven't had time to consolidate what it is that makes it work. In one of my custom middlewares I am overriding the core BasketMiddleware with

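  # Imports the snippet needs (not shown in the original comment)
  from django.core.signing import BadSignature, Signer
  from oscar.apps.basket.middleware import BasketMiddleware as CoreBasketMiddleware
  from oscar.core.loading import get_model
  from oscarapi.basket import operations

  Basket = get_model('basket', 'basket')


  class BasketMiddleware(CoreBasketMiddleware):
      def get_cookie_basket(self, cookie_key, request, manager):
          """
          Looks for a basket which is referenced by a cookie.
          If a cookie key is found with no matching basket, then we add
          it to the list to be deleted.
          """
          basket = None
          if cookie_key in request.COOKIES:
              basket_hash = request.COOKIES[cookie_key]
              try:
                  # unsign() verifies the signature and returns the bare basket id
                  basket_id = Signer().unsign(basket_hash)
                  basket = Basket.objects.get(pk=basket_id,
                                              owner=None,
                                              status=Basket.OPEN)

                  # Store basket in session
                  operations.store_basket_in_session(basket, request.session)
              except (BadSignature, Basket.DoesNotExist):
                  request.cookies_to_delete.append(cookie_key)
          return basket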

and my other Middleware helps with Anonymous users.

  class AnonymouseBasketMiddleware(object):
      def process_request(self, request):
          if not request.user.is_authenticated():
              request.basket = get_basket(request)

I'll be happy to contribute after I find out exactly what makes it work. But right now I have to focus 100% on getting my company's new site launched.
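
The cookie format and the unsign step discussed in the comments above, as an added stand-alone example (not code from this thread, django-oscar or django-oscar-api). The HMAC construction is a simplified stand-in for `django.core.signing.Signer`, which additionally salts and derives its key; `SECRET_KEY`, `basket_id_naive`, `basket_id_verified` and `demo` are hypothetical names, and the cookie values are constructed.

```python
import base64
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-secret"  # constructed; a real site uses settings.SECRET_KEY
SEP = ":"

class BadSignature(Exception):
    """Raised when a cookie value does not carry a valid signature."""

def _signature(value: str) -> str:
    # Simplified stand-in: HMAC-SHA1 over the value, URL-safe base64, padding stripped.
    digest = hmac.new(SECRET_KEY, value.encode(), hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def sign(value: str) -> str:
    return f"{value}{SEP}{_signature(value)}"

def unsign(signed: str) -> str:
    if SEP not in signed:
        raise BadSignature("no separator found")
    value, sig = signed.rsplit(SEP, 1)
    # Constant-time comparison of the presented and the recomputed signature.
    if not hmac.compare_digest(sig.encode(), _signature(value).encode()):
        raise BadSignature("signature does not match")
    return value

def basket_id_naive(cookie: str) -> int:
    """Hypothetical shortcut: split the id off and trust it (no integrity check)."""
    return int(cookie.split(SEP, 1)[0])

def basket_id_verified(cookie: str):
    """Return the basket id only if the signature verifies, else None."""
    try:
        return int(unsign(cookie))
    except (BadSignature, ValueError):
        return None

def demo():
    genuine = sign("15")                   # cookie the server issued for basket 15
    tampered = "16" + genuine[len("15"):]  # id edited client-side, old signature kept
    return {
        "genuine": (basket_id_naive(genuine), basket_id_verified(genuine)),
        "tampered": (basket_id_naive(tampered), basket_id_verified(tampered)),
        "unsigned": basket_id_verified("15"),
    }
```

Splitting the id off the cookie accepts any basket number the client sends, while the verified path returns an id only for a cookie the server signed, which is why the middleware calls `unsign()` before the basket is copied into the session.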

shahaamir commented on June 13, 2024

This is what we are using that works. In our website we use ember app just for the basket, which uses oscar-api.
Checkout and other pages are rendered from the server along with basket's content.
Also, we don't use the Session-Id protocol and HeaderSessionMiddleware.
HeaderSessionMiddleware works and we were using it when the app was completely a SPA using ember. Django Session Authentication works well except when the API domain is different than the website domain.

from django.conf import settings
from oscar.apps.basket.middleware import BasketMiddleware as CoreBasketMiddleware
from oscar.core.loading import get_model
from oscarapi.basket import operations

Basket = get_model('basket', 'basket')

class BasketMiddleware(CoreBasketMiddleware):
    """
    Here we manage the basket in session so that it will work for both api and browser

    Following steps will be taken
    1. Check for OPEN basket in session, if found use the same.
    2. If user is authenticated, merge session basket and remove the basket from session

    """

    def get_basket(self, request):
        """
        Return the open basket for this request
        """
        if request._basket_cache is not None:
            return request._basket_cache

        # get anonymous basket before actual basket
        # else operations.prepare will overwrite the session basket with user basket
        anonymous_basket = operations.get_anonymous_basket(request)

        basket = operations.get_basket(request, True)

        # since operations.get_basket doesn't merge the
        # anonymous basket with the user basket, we need to check and merge here
        if request.user and request.user.is_authenticated():
            if anonymous_basket and anonymous_basket.id != basket.id:
                self.merge_baskets(basket, anonymous_basket)

        return basket


    def process_response(self, request, response):
        return response

specialunderwear commented on June 13, 2024

I think I've solved the issue in this pull request: #34

If anyone can confirm this solves the problem, I will merge that feature.

specialunderwear commented on June 13, 2024

I'll close this issue after documentation on this is done.

maerteijn commented on June 13, 2024

@shahaamir @jakobholmelund Can you confirm that this issue is solved with #34?

specialunderwear commented on June 13, 2024

https://django-oscar-api.readthedocs.org/en/latest/usage/middleware.html#basket-middleware
