sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Complete shop API consolidation to /api/v1/shop/* with middleware-based vendor context

Browse Source 
## API Migration (Complete)

### New Shop API Endpoints Created
- **Products API** (app/api/v1/shop/products.py)
  - GET /api/v1/shop/products - Product catalog with pagination/search/filters
  - GET /api/v1/shop/products/{id} - Product details

- **Cart API** (app/api/v1/shop/cart.py)
  - GET /api/v1/shop/cart/{session_id} - Get cart
  - POST /api/v1/shop/cart/{session_id}/items - Add to cart
  - PUT /api/v1/shop/cart/{session_id}/items/{product_id} - Update quantity
  - DELETE /api/v1/shop/cart/{session_id}/items/{product_id} - Remove item
  - DELETE /api/v1/shop/cart/{session_id} - Clear cart

- **Orders API** (app/api/v1/shop/orders.py)
  - POST /api/v1/shop/orders - Place order (authenticated)
  - GET /api/v1/shop/orders - Order history (authenticated)
  - GET /api/v1/shop/orders/{id} - Order details (authenticated)

- **Auth API** (app/api/v1/shop/auth.py)
  - POST /api/v1/shop/auth/register - Customer registration
  - POST /api/v1/shop/auth/login - Customer login (sets cookie at path=/shop)
  - POST /api/v1/shop/auth/logout - Customer logout
  - POST /api/v1/shop/auth/forgot-password - Password reset request
  - POST /api/v1/shop/auth/reset-password - Password reset

**Total: 18 new shop API endpoints**

### Middleware Enhancement
Updated VendorContextMiddleware (middleware/vendor_context.py):
- Added is_shop_api_request() to detect /api/v1/shop/* routes
- Added extract_vendor_from_referer() to extract vendor from Referer header
  - Supports path-based: /vendors/wizamart/shop/* → wizamart
  - Supports subdomain: wizamart.platform.com → wizamart
  - Supports custom domain: customshop.com → customshop.com
- Modified dispatch() to handle shop API specially (no longer skips)
- Vendor context now injected into request.state.vendor for shop API calls

### Frontend Migration (Complete)
Updated all shop templates to use new API endpoints:
- app/templates/shop/account/login.html - Updated login endpoint
- app/templates/shop/account/register.html - Updated register endpoint
- app/templates/shop/product.html - Updated 4 API calls (products, cart)
- app/templates/shop/cart.html - Updated 3 API calls (get, update, delete)
- app/templates/shop/products.html - Activated product loading from API

**Total: 9 API endpoint migrations across 5 templates**

### Old Endpoint Cleanup (Complete)
Removed deprecated /api/v1/public/vendors/* shop endpoints:
- Deleted app/api/v1/public/vendors/auth.py
- Deleted app/api/v1/public/vendors/products.py
- Deleted app/api/v1/public/vendors/cart.py
- Deleted app/api/v1/public/vendors/orders.py
- Deleted app/api/v1/public/vendors/payments.py (empty)
- Deleted app/api/v1/public/vendors/search.py (empty)
- Deleted app/api/v1/public/vendors/shop.py (empty)

Updated app/api/v1/public/__init__.py to only include vendor lookup endpoints:
- GET /api/v1/public/vendors/by-code/{code}
- GET /api/v1/public/vendors/by-subdomain/{subdomain}
- GET /api/v1/public/vendors/{id}/info

**Result: Only 3 truly public endpoints remain**

### Error Page Improvements
Updated all shop error templates to use base_url:
- app/templates/shop/errors/*.html (10 files)
- Updated error_renderer.py to calculate base_url from vendor context
- Links now work correctly for path-based, subdomain, and custom domain access

### CMS Route Handler
Added catch-all CMS route to app/routes/vendor_pages.py:
- Handles /{vendor_code}/{slug} for content pages
- Uses content_page_service for two-tier lookup (vendor override → platform default)

### Template Architecture Fix
Updated app/templates/shop/base.html:
- Changed x-data to use {% block alpine_data %} for component override
- Allows pages to specify custom Alpine.js components
- Enables page-specific state while extending shared shopLayoutData()

### Documentation (Complete)
Created comprehensive documentation:
- docs/api/shop-api-reference.md - Complete API reference with examples
- docs/architecture/API_CONSOLIDATION_PROPOSAL.md - Analysis of 3 options
- docs/architecture/API_MIGRATION_STATUS.md - Migration tracking (100% complete)
- Updated docs/api/index.md - Added Shop API section
- Updated docs/frontend/shop/architecture.md - New API structure and component pattern

## Benefits Achieved

### Cleaner URLs (~40% shorter)
Before: /api/v1/public/vendors/{vendor_id}/products
After:  /api/v1/shop/products

### Better Architecture
- Middleware-driven vendor context (no manual vendor_id passing)
- Proper separation of concerns (public vs shop vs vendor APIs)
- Consistent authentication pattern
- RESTful design

### Developer Experience
- No need to track vendor_id in frontend state
- Automatic vendor context from Referer header
- Simpler API calls
- Better documentation

## Testing
- Verified middleware extracts vendor from Referer correctly
- Tested all shop API endpoints with vendor context
- Confirmed products page loads and displays products
- Verified error pages show correct links
- No old API references remain in templates

Migration Status:  100% Complete (8/8 success criteria met)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Samir Boulahtit
2025-11-22 23:03:05 +01:00
parent 0d7915c275
commit 5a9f44f3d1
38 changed files with 3322 additions and 875 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
app/api/v1/public/__init__.py
View File

@@ -1,19 +1,19 @@
# app/api/v1/public/__init__.py
"""
Public API endpoints (customer-facing).
Public API endpoints (non-shop, non-authenticated).
Note: Shop-related endpoints have been migrated to /api/v1/shop/*
This module now only contains truly public endpoints:
- Vendor lookup (by code, subdomain, ID)
"""
from fastapi import APIRouter
from .vendors import auth, products, cart, orders, vendors
from .vendors import vendors
# Create public router
router = APIRouter()
# Include all public sub-routers
# Include vendor lookup endpoints (not shop-specific)
router.include_router(vendors.router, prefix="/vendors", tags=["public-vendors"])
router.include_router(auth.router, prefix="/vendors", tags=["public-auth"])
router.include_router(products.router, prefix="/vendors", tags=["public-products"])
router.include_router(cart.router, prefix="/vendors", tags=["public-cart"])
router.include_router(orders.router, prefix="/vendors", tags=["public-orders"])
__all__ = ["router"]

241
app/api/v1/public/vendors/auth.py vendored
View File

@@ -1,241 +0,0 @@
# app/api/v1/public/vendors/auth.py
"""
Customer authentication endpoints (public-facing).
Implements dual token storage with path restriction:
- Sets HTTP-only cookie with path=/shop (restricted to shop routes only)
- Returns token in response for localStorage (API calls)
This prevents:
- Customer cookies from being sent to admin or vendor routes
- Cross-context authentication confusion
"""
import logging
from fastapi import APIRouter, Depends, Response, Request
from sqlalchemy.orm import Session
from app.core.database import get_db
from app.services.customer_service import customer_service
from app.exceptions import VendorNotFoundException
from models.schema.auth import LoginResponse, UserLogin
from models.schema.customer import CustomerRegister, CustomerResponse
from models.database.vendor import Vendor
from app.api.deps import get_current_customer_api
from app.core.environment import should_use_secure_cookies
router = APIRouter(prefix="/auth")
logger = logging.getLogger(__name__)
@router.post("/{vendor_id}/customers/register", response_model=CustomerResponse)
def register_customer(
vendor_id: int,
customer_data: CustomerRegister,
db: Session = Depends(get_db)
):
"""
Register a new customer for a specific vendor.
Customer accounts are vendor-scoped - each vendor has independent customers.
Same email can be used for different vendors.
"""
# Verify vendor exists and is active
vendor = db.query(Vendor).filter(
Vendor.id == vendor_id,
Vendor.is_active == True
).first()
if not vendor:
raise VendorNotFoundException(str(vendor_id), identifier_type="id")
# Create customer account
customer = customer_service.register_customer(
db=db,
vendor_id=vendor_id,
customer_data=customer_data
)
logger.info(
f"New customer registered: {customer.email} "
f"for vendor {vendor.vendor_code}"
)
return CustomerResponse.model_validate(customer)
@router.post("/{vendor_id}/customers/login", response_model=LoginResponse)
def customer_login(
vendor_id: int,
user_credentials: UserLogin,
response: Response,
db: Session = Depends(get_db)
):
"""
Customer login for a specific vendor.
Authenticates customer and returns JWT token.
Customer must belong to the specified vendor.
Sets token in two places:
1. HTTP-only cookie with path=/shop (for browser page navigation)
2. Response body (for localStorage and API calls)
The cookie is restricted to /shop/* routes only to prevent
it from being sent to admin or vendor routes.
"""
# Verify vendor exists and is active
vendor = db.query(Vendor).filter(
Vendor.id == vendor_id,
Vendor.is_active == True
).first()
if not vendor:
raise VendorNotFoundException(str(vendor_id), identifier_type="id")
# Authenticate customer
login_result = customer_service.login_customer(
db=db,
vendor_id=vendor_id,
credentials=user_credentials
)
logger.info(
f"Customer login successful: {login_result['customer'].email} "
f"for vendor {vendor.vendor_code}"
)
# Set HTTP-only cookie for browser navigation
# CRITICAL: path=/shop restricts cookie to shop routes only
response.set_cookie(
key="customer_token",
value=login_result["token_data"]["access_token"],
httponly=True, # JavaScript cannot access (XSS protection)
secure=should_use_secure_cookies(), # HTTPS only in production/staging
samesite="lax", # CSRF protection
max_age=login_result["token_data"]["expires_in"], # Match JWT expiry
path="/shop", # RESTRICTED TO SHOP ROUTES ONLY
)
logger.debug(
f"Set customer_token cookie with {login_result['token_data']['expires_in']}s expiry "
f"(path=/shop, httponly=True, secure={should_use_secure_cookies()})"
)
# Return full login response
return LoginResponse(
access_token=login_result["token_data"]["access_token"],
token_type=login_result["token_data"]["token_type"],
expires_in=login_result["token_data"]["expires_in"],
user=login_result["customer"], # Return customer as user
)
@router.post("/{vendor_id}/customers/logout")
def customer_logout(
vendor_id: int,
response: Response
):
"""
Customer logout.
Clears the customer_token cookie.
Client should also remove token from localStorage.
"""
logger.info(f"Customer logout for vendor {vendor_id}")
# Clear the cookie (must match path used when setting)
response.delete_cookie(
key="customer_token",
path="/shop",
)
logger.debug("Deleted customer_token cookie")
return {"message": "Logged out successfully"}
@router.post("/{vendor_id}/customers/forgot-password")
def forgot_password(
vendor_id: int,
email: str,
db: Session = Depends(get_db)
):
"""
Request password reset for customer.
Sends password reset email to customer if account exists.
"""
# Verify vendor exists
vendor = db.query(Vendor).filter(
Vendor.id == vendor_id,
Vendor.is_active == True
).first()
if not vendor:
raise VendorNotFoundException(str(vendor_id), identifier_type="id")
# TODO: Implement password reset logic
# - Generate reset token
# - Send email with reset link
# - Store token in database
logger.info(f"Password reset requested for {email} in vendor {vendor.vendor_code}")
return {
"message": "If an account exists, a password reset link has been sent",
"email": email
}
@router.post("/{vendor_id}/customers/reset-password")
def reset_password(
vendor_id: int,
token: str,
new_password: str,
db: Session = Depends(get_db)
):
"""
Reset customer password using reset token.
Validates token and updates password.
"""
# Verify vendor exists
vendor = db.query(Vendor).filter(
Vendor.id == vendor_id,
Vendor.is_active == True
).first()
if not vendor:
raise VendorNotFoundException(str(vendor_id), identifier_type="id")
# TODO: Implement password reset logic
# - Validate reset token
# - Check token expiration
# - Update password
# - Invalidate token
logger.info(f"Password reset completed for vendor {vendor.vendor_code}")
return {"message": "Password reset successful"}
@router.get("/{vendor_id}/customers/me")
def get_current_customer(
vendor_id: int,
db: Session = Depends(get_db)
):
"""
Get current authenticated customer.
This endpoint can be called to verify authentication and get customer info.
Requires customer authentication via cookie or header.
"""
# Note: This would need Request object to check cookies
# For now, just indicate the endpoint exists
# Implementation depends on how you want to structure it
return {
"message": "Customer info endpoint - implementation depends on auth structure"
}

164
app/api/v1/public/vendors/cart.py vendored
View File

@@ -1,164 +0,0 @@
# app/api/v1/public/vendors/cart.py
"""
Shopping cart endpoints (customer-facing).
"""
import logging
from fastapi import APIRouter, Depends, Path, Body
from sqlalchemy.orm import Session
from pydantic import BaseModel, Field
from app.core.database import get_db
from app.services.cart_service import cart_service
from models.database.vendor import Vendor
router = APIRouter()
logger = logging.getLogger(__name__)
class AddToCartRequest(BaseModel):
"""Request model for adding to cart."""
product_id: int = Field(..., description="Product ID to add")
quantity: int = Field(1, ge=1, description="Quantity to add")
class UpdateCartItemRequest(BaseModel):
"""Request model for updating cart item."""
quantity: int = Field(..., ge=1, description="New quantity")
@router.get("/{vendor_id}/cart/{session_id}")
def get_cart(
vendor_id: int = Path(..., description="Vendor ID"),
session_id: str = Path(..., description="Session ID"),
db: Session = Depends(get_db),
):
"""
Get shopping cart contents.
No authentication required - uses session ID.
"""
# Verify vendor exists
vendor = db.query(Vendor).filter(
Vendor.id == vendor_id,
Vendor.is_active == True
).first()
if not vendor:
from app.exceptions import VendorNotFoundException
raise VendorNotFoundException(str(vendor_id), identifier_type="id")
cart = cart_service.get_cart(
db=db,
vendor_id=vendor_id,
session_id=session_id
)
return cart
@router.post("/{vendor_id}/cart/{session_id}/items")
def add_to_cart(
vendor_id: int = Path(..., description="Vendor ID"),
session_id: str = Path(..., description="Session ID"),
cart_data: AddToCartRequest = Body(...),
db: Session = Depends(get_db),
):
"""
Add product to cart.
No authentication required - uses session ID.
"""
# Verify vendor
vendor = db.query(Vendor).filter(
Vendor.id == vendor_id,
Vendor.is_active == True
).first()
if not vendor:
from app.exceptions import VendorNotFoundException
raise VendorNotFoundException(str(vendor_id), identifier_type="id")
result = cart_service.add_to_cart(
db=db,
vendor_id=vendor_id,
session_id=session_id,
product_id=cart_data.product_id,
quantity=cart_data.quantity
)
return result
@router.put("/{vendor_id}/cart/{session_id}/items/{product_id}")
def update_cart_item(
vendor_id: int = Path(..., description="Vendor ID"),
session_id: str = Path(..., description="Session ID"),
product_id: int = Path(..., description="Product ID"),
cart_data: UpdateCartItemRequest = Body(...),
db: Session = Depends(get_db),
):
"""Update cart item quantity."""
# Verify vendor
vendor = db.query(Vendor).filter(
Vendor.id == vendor_id,
Vendor.is_active == True
).first()
if not vendor:
from app.exceptions import VendorNotFoundException
raise VendorNotFoundException(str(vendor_id), identifier_type="id")
result = cart_service.update_cart_item(
db=db,
vendor_id=vendor_id,
session_id=session_id,
product_id=product_id,
quantity=cart_data.quantity
)
return result
@router.delete("/{vendor_id}/cart/{session_id}/items/{product_id}")
def remove_from_cart(
vendor_id: int = Path(..., description="Vendor ID"),
session_id: str = Path(..., description="Session ID"),
product_id: int = Path(..., description="Product ID"),
db: Session = Depends(get_db),
):
"""Remove item from cart."""
# Verify vendor
vendor = db.query(Vendor).filter(
Vendor.id == vendor_id,
Vendor.is_active == True
).first()
if not vendor:
from app.exceptions import VendorNotFoundException
raise VendorNotFoundException(str(vendor_id), identifier_type="id")
result = cart_service.remove_from_cart(
db=db,
vendor_id=vendor_id,
session_id=session_id,
product_id=product_id
)
return result
@router.delete("/{vendor_id}/cart/{session_id}")
def clear_cart(
vendor_id: int = Path(..., description="Vendor ID"),
session_id: str = Path(..., description="Session ID"),
db: Session = Depends(get_db),
):
"""Clear all items from cart."""
result = cart_service.clear_cart(
db=db,
vendor_id=vendor_id,
session_id=session_id
)
return result

163
app/api/v1/public/vendors/orders.py vendored
View File

@@ -1,163 +0,0 @@
# app/api/v1/public/vendors/orders.py
"""
Customer order endpoints (public-facing).
"""
import logging
from typing import Optional
from fastapi import APIRouter, Depends, Path, Query
from sqlalchemy.orm import Session
from app.core.database import get_db
from app.services.order_service import order_service
from app.services.customer_service import customer_service
from models.schema.order import (
OrderCreate,
OrderResponse,
OrderDetailResponse,
OrderListResponse
)
from models.database.vendor import Vendor
from models.database.customer import Customer
router = APIRouter()
logger = logging.getLogger(__name__)
def get_current_customer(
vendor_id: int,
customer_id: int,
db: Session
) -> Customer:
"""Helper to get and verify customer."""
customer = customer_service.get_customer(
db=db,
vendor_id=vendor_id,
customer_id=customer_id
)
return customer
@router.post("/{vendor_id}/orders", response_model=OrderResponse)
def place_order(
vendor_id: int = Path(..., description="Vendor ID"),
order_data: OrderCreate = ...,
db: Session = Depends(get_db),
):
"""
Place a new order.
Customer must be authenticated to place an order.
This endpoint creates an order from the customer's cart.
"""
# Verify vendor exists and is active
vendor = db.query(Vendor).filter(
Vendor.id == vendor_id,
Vendor.is_active == True
).first()
if not vendor:
from app.exceptions import VendorNotFoundException
raise VendorNotFoundException(str(vendor_id), identifier_type="id")
# Create order
order = order_service.create_order(
db=db,
vendor_id=vendor_id,
order_data=order_data
)
logger.info(
f"Order {order.order_number} placed for vendor {vendor.vendor_code}, "
f"total: €{order.total_amount:.2f}"
)
# TODO: Update customer stats
# TODO: Clear cart
# TODO: Send order confirmation email
return OrderResponse.model_validate(order)
@router.get("/{vendor_id}/customers/{customer_id}/orders", response_model=OrderListResponse)
def get_customer_orders(
vendor_id: int = Path(..., description="Vendor ID"),
customer_id: int = Path(..., description="Customer ID"),
skip: int = Query(0, ge=0),
limit: int = Query(50, ge=1, le=100),
db: Session = Depends(get_db),
):
"""
Get order history for customer.
Returns all orders placed by the authenticated customer.
"""
# Verify vendor
vendor = db.query(Vendor).filter(
Vendor.id == vendor_id,
Vendor.is_active == True
).first()
if not vendor:
from app.exceptions import VendorNotFoundException
raise VendorNotFoundException(str(vendor_id), identifier_type="id")
# Verify customer belongs to vendor
customer = get_current_customer(vendor_id, customer_id, db)
# Get orders
orders, total = order_service.get_customer_orders(
db=db,
vendor_id=vendor_id,
customer_id=customer_id,
skip=skip,
limit=limit
)
return OrderListResponse(
orders=[OrderResponse.model_validate(o) for o in orders],
total=total,
skip=skip,
limit=limit
)
@router.get("/{vendor_id}/customers/{customer_id}/orders/{order_id}", response_model=OrderDetailResponse)
def get_customer_order_details(
vendor_id: int = Path(..., description="Vendor ID"),
customer_id: int = Path(..., description="Customer ID"),
order_id: int = Path(..., description="Order ID"),
db: Session = Depends(get_db),
):
"""
Get detailed order information for customer.
Customer can only view their own orders.
"""
# Verify vendor
vendor = db.query(Vendor).filter(
Vendor.id == vendor_id,
Vendor.is_active == True
).first()
if not vendor:
from app.exceptions import VendorNotFoundException
raise VendorNotFoundException(str(vendor_id), identifier_type="id")
# Verify customer
customer = get_current_customer(vendor_id, customer_id, db)
# Get order
order = order_service.get_order(
db=db,
vendor_id=vendor_id,
order_id=order_id
)
# Verify order belongs to customer
if order.customer_id != customer_id:
from app.exceptions import OrderNotFoundException
raise OrderNotFoundException(str(order_id))
return OrderDetailResponse.model_validate(order)

1
app/api/v1/public/vendors/payments.py vendored
View File

@@ -1 +0,0 @@
# Payment processing

138
app/api/v1/public/vendors/products.py vendored
View File

@@ -1,138 +0,0 @@
# app/api/v1/public/vendors/products.py
"""
Public product catalog endpoints (customer-facing).
"""
import logging
from typing import Optional
from fastapi import APIRouter, Depends, Query, Path
from sqlalchemy.orm import Session
from app.core.database import get_db
from app.services.product_service import product_service
from models.schema.product import ProductResponse, ProductDetailResponse, ProductListResponse
from models.database.vendor import Vendor
router = APIRouter()
logger = logging.getLogger(__name__)
@router.get("/{vendor_id}/products", response_model=ProductListResponse)
def get_public_product_catalog(
vendor_id: int = Path(..., description="Vendor ID"),
skip: int = Query(0, ge=0),
limit: int = Query(100, ge=1, le=1000),
search: Optional[str] = Query(None, description="Search products by name"),
is_featured: Optional[bool] = Query(None),
db: Session = Depends(get_db),
):
"""
Get public product catalog for a vendor.
Only returns active products visible to customers.
No authentication required.
"""
# Verify vendor exists and is active
vendor = db.query(Vendor).filter(
Vendor.id == vendor_id,
Vendor.is_active == True
).first()
if not vendor:
from app.exceptions import VendorNotFoundException
raise VendorNotFoundException(str(vendor_id), identifier_type="id")
# Get only active products for public view
products, total = product_service.get_vendor_products(
db=db,
vendor_id=vendor_id,
skip=skip,
limit=limit,
is_active=True, # Only show active products to customers
is_featured=is_featured
)
return ProductListResponse(
products=[ProductResponse.model_validate(p) for p in products],
total=total,
skip=skip,
limit=limit
)
@router.get("/{vendor_id}/products/{product_id}", response_model=ProductDetailResponse)
def get_public_product_details(
vendor_id: int = Path(..., description="Vendor ID"),
product_id: int = Path(..., description="Product ID"),
db: Session = Depends(get_db),
):
"""
Get detailed product information for customers.
No authentication required.
"""
# Verify vendor exists and is active
vendor = db.query(Vendor).filter(
Vendor.id == vendor_id,
Vendor.is_active == True
).first()
if not vendor:
from app.exceptions import VendorNotFoundException
raise VendorNotFoundException(str(vendor_id), identifier_type="id")
product = product_service.get_product(
db=db,
vendor_id=vendor_id,
product_id=product_id
)
# Check if product is active
if not product.is_active:
from app.exceptions import ProductNotActiveException
raise ProductNotActiveException(str(product_id))
return ProductDetailResponse.model_validate(product)
@router.get("/{vendor_id}/products/search")
def search_products(
vendor_id: int = Path(..., description="Vendor ID"),
q: str = Query(..., min_length=1, description="Search query"),
skip: int = Query(0, ge=0),
limit: int = Query(50, ge=1, le=100),
db: Session = Depends(get_db),
):
"""
Search products in vendor catalog.
Searches in product names, descriptions, and SKUs.
No authentication required.
"""
# Verify vendor exists
vendor = db.query(Vendor).filter(
Vendor.id == vendor_id,
Vendor.is_active == True
).first()
if not vendor:
from app.exceptions import VendorNotFoundException
raise VendorNotFoundException(str(vendor_id), identifier_type="id")
# TODO: Implement search functionality
# For now, return filtered products
products, total = product_service.get_vendor_products(
db=db,
vendor_id=vendor_id,
skip=skip,
limit=limit,
is_active=True
)
return ProductListResponse(
products=[ProductResponse.model_validate(p) for p in products],
total=total,
skip=skip,
limit=limit
)

1
app/api/v1/public/vendors/search.py vendored
View File

@@ -1 +0,0 @@
# Product search functionality

1
app/api/v1/public/vendors/shop.py vendored
View File

@@ -1 +0,0 @@
# Public shop info