fix: storefront login 403, cookie path, double-storefront URLs, and auth redirects

- Extract store/platform context from Referer header for storefront API requests (StoreContextMiddleware and PlatformContextMiddleware) so login POST works in dev mode where API paths lack /platforms/{code}/ prefix - Set customer token cookie path to "/" for cross-route compatibility - Fix double storefront in URLs: replace {{ base_url }}storefront/ with {{ base_url }} across all 24 storefront templates - Fix auth error redirect to include platform prefix and use store_code - Update seed script to output correct storefront login URLs - Add 20 new unit tests covering all fixes; fix 9 pre-existing test failures Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 12:29:52 +01:00
parent 32e4aa6564
commit f47c680cb8
38 changed files with 759 additions and 165 deletions
--- a/middleware/store_context.py
+++ b/middleware/store_context.py
@@ -444,8 +444,42 @@ class StoreContextMiddleware(BaseHTTPMiddleware):
            request.state.clean_path = request.url.path
            return await call_next(request)

-        # Skip store detection for API routes (admin API, store API have store_id in URL)
+        # For API routes: skip most, but handle storefront API via Referer
        if StoreContextManager.is_api_request(request):
+            # Storefront API requests need store context from the Referer header
+            # (the page URL contains the store code, e.g. /storefront/FASHIONHUB/...)
+            if request.url.path.startswith("/api/v1/storefront/"):
+                referer_context = StoreContextManager.extract_store_from_referer(request)
+                if referer_context:
+                    db_gen = get_db()
+                    db = next(db_gen)
+                    try:
+                        store = StoreContextManager.get_store_from_context(db, referer_context)
+                        request.state.store = store
+                        request.state.store_context = referer_context
+                        request.state.clean_path = request.url.path
+                        if store:
+                            logger.debug(
+                                "[STORE] Store detected for storefront API via Referer",
+                                extra={
+                                    "store_id": store.id,
+                                    "store_name": store.name,
+                                    "path": request.url.path,
+                                },
+                            )
+                    finally:
+                        db.close()
+                    return await call_next(request)
+                logger.debug(
+                    f"[STORE] No Referer store context for storefront API: {request.url.path}",
+                    extra={"path": request.url.path},
+                )
+                request.state.store = None
+                request.state.store_context = None
+                request.state.clean_path = request.url.path
+                return await call_next(request)
+
+            # Non-storefront API routes: skip store detection
            logger.debug(
                f"[STORE] Skipping store detection for non-storefront API: {request.url.path}",
                extra={"path": request.url.path, "reason": "api"},