fix(customer): restore storefront login and session auth#321
Open
Ibochkarev wants to merge 9 commits into
Open
fix(customer): restore storefront login and session auth#321Ibochkarev wants to merge 9 commits into
Ibochkarev wants to merge 9 commits into
Conversation
Member
|
Вань, серьезные изменения. А ты это проверял руками? Или как всегда только теоритическая автоматизированная проверка? |
Member
Author
Привет! Давай пока не вливать, дополнительно все протестирую |
Unify token/session binding after login and registration, restore SSR auth from cookie without minting guest tokens, and align email/password handling between manager and storefront.
Prevent guest token mint and middleware from wiping an authenticated customer session, fail register auto-login when session bind fails, and add focused regression tests for email normalize and API payload shape.
Snippet and API logout now revoke tokens, mint a guest cookie, and extend TTL in DB on refresh. Registration keeps the account if auto-login session bind fails and points the user to the login page.
5c0654f to
fa8e4f9
Compare
Member
Author
|
@biz87, учёл твой комментарий: в описание PR добавил обязательный ручной чеклист перед merge (logout через сайдбар, пароль из менеджера, reload ЛК, token/get после login). В этой итерации дополнительно:
Автоматически прогнал |
Fail register auto-login when session bind fails, clear customer_id on guest token hydrate, enforce active/blocked checks in TokenMiddleware, and harden save/TTL/session observability around auth flows.
Route login/logout/guest mint through TokenService::persistApiToken so session/cookie hydrate from one DB row, move normalizeEmail to AuthManager, and drop the misplaced PHP ApiClient payload test.
Return distinct blocked/inactive login messages without lockout increment, add legacy email lookup with soft normalize on success, drop dead remember checkbox, and add smoke tests for guest wipe and token reuse guards.
Mint a fresh token on establishCustomerSession, transfer guest/own draft cart then revoke the old token, require session token ownership in middleware/checkAuth, and clear local session after password reset revoke.
Pass raw email into authenticate/register for legacy case lookup, always revoke the previous browser token after login rotation, enforce token expiry in session ownership checks, and harden logout/clearAuthSession.
Expose POST /api/v1/customer/logout so AuthUI and API clients can revoke the session token after login; closes the 404 gap found during #285 QA.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Описание
Починена авторизация покупателя на витрине и в ЛК (#285): после входа сессия не держалась, редирект возвращал на login, повторный вход падал, пароль из менеджера не сходился с проверкой на витрине.
Корневые причины
AuthUIчиталresult.object, Web API отдаёт payload вdatatoken/get/ middleware могли затереть auth guest-токеном?action=logoutчистил только PHP-сессию и оставлял auth cookie (сrestoreSessionFromCookieэто снова логинило)POST /api/v1/customer/logout(API logout → 404)Backend
AuthManager::establishCustomerSession()— bind customer ↔ token ↔ cookie ↔ session ↔ draft; ротация токена на loginAuthManager::logoutCurrentCustomer()— общий logout для API и snippetTokenService::restoreSessionFromCookie()+ restore-before-mint; guest token не затирает authcustomer_idTokenService::persistApiToken()/sessionTokenBelongsToCustomer()— единый mint/hydrate pathPasswordAuthProvider::normalizeEmail()/hashPassword(); manager update через тот же pathSessionHelper::ensureActive();session_regenerate_id(true)после loginweb.php:POST /api/v1/customer/logout→Logoutprocessor (+tokenMiddleware)Frontend
ApiClient.getPayload()—dataс fallback наobjectAuthUIберёт redirect изgetPayloadТесты
CustomerAuthNormalizeEmailTest.phpCustomerAuthSessionSemanticsTest.php(policy smoke, не full MODX E2E)Тип изменений
Связанные Issues
Closes #285
Как это было протестировано?
https://project.test, 2026-07-16)Конфигурация:
fix/285-customer-auth(tip152fdc4+ локальноweb.phplogout route)project.test#2051(ms3-customer-auth-test.html,[[!msCustomer]])#433(http-order1779591899@test.local)Gate (exit 0):
php -lна затронутых PHPphp core/components/minishop3/tests/CustomerAuthNormalizeEmailTest.phpphp core/components/minishop3/tests/CustomerAuthSessionSemanticsTest.phpРучной чеклист — результаты
MgrPass285!→ вход на витрине#2051, профиль?action=logout) → снова открыть ЛКPOST /customer/logoutПримечания по стенду
ms3_customer_redirect_after_login = 2051msCustomerсинхронизированы с файлами в БД MODXweb.phpпроверен на live; в ветке пока uncommitted — нужен отдельный commit перед mergeСкриншоты (если применимо)
Чеклист
Дополнительные заметки
bindDraftToCustomer().ms3_customer_register_success_login_requiredи redirect на login (не «email занят» при повторе).TokenService/ snippet secrets; email-verification path с legacymsCustomer.token.logoutCurrentCustomer().