Developer forum


DW Api /dwapi/ecommerce/carts/{secret} returning that current user does not have access to cart

Pedro Meias

Hello

Using DW Version 9.15.3

Testing on https://dev-altria.mydwsite5.com/

We are using the API method /dwapi/ecommerce/carts/{secret} , in some of the carts we are getting the message that the user does not have permissions to access this cart.

Example below

The API documentation mentions that No Authorization header required.

But while looking at the code, we have the impression that it is.

Which one is correct? API documentation or the code?

Thank you.

 


Replies

 
Nicolai Pedersen (Dynamicweb Employee)

Both.

If you access the endpoint using a secret that belongs to a cart that has a user marked on it, the cart userid will be validated against the bearer token sent with the request. If there is no bearer token, there is no user, but the cart belongs to that user - so you are not allowed.

If the cart has no userid on it, and you do not send a bearer token, the cart is anonymous and gives you access.

If the cart has a userid and you do send a bearer token that matches that userid, you also have access.

So - my guess is that you are running in mixed mode - cart created by a logged in user in regular DW and then you try to get hold of that cart using anonymous webapi requests?

BR Nicolai

 
Pedro Meias

Hi Nicolai,

Thank you for explanation. Honestly I got confused by the API Documentation.

I am now trying to get a bearer token for the user, my issue is that I cannot get the user password to send on the request.

User.Password is giving me an encrypted password and the API is returning user not found. 

User.Decrypted password is returning an empty value.

What am I doing wrong?

Thank you

 

 
Nicolai Pedersen (Dynamicweb Employee)
This post has been marked as an answer

Hi Pedro

Currently you can maybe do it like this:

If you reference the Dynamicweb.Ecommerce.WebAPI.Controllers dll, it contains a static JwtService class that has a GetToken(LimitedUser user, int expirationInSeconds) method that will give you a bearer token for a user - the expirationInSeconds parameter defines for how many seconds the token can be used. Be careful not to make it last too long as it will be a security issue. Using the webapi the max allowed is 86400 seconds = 24h.

BR Nicolai

Votes for this answer: 1
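To tie the two replies above together, here is an added C# example (not code from this thread and not Dynamicweb's own code) that mints a short-lived bearer token for the user who owns a cart and then calls /dwapi/ecommerce/carts/{secret} twice: once anonymously, which for a cart with a user id is the "no access" case, and once with the owner's token, where the user id on the token matches the cart. The only facts taken from the thread are the endpoint path, the `JwtService.GetToken(LimitedUser user, int expirationInSeconds)` method in the Dynamicweb.Ecommerce.WebAPI.Controllers assembly and the 86400-second cap. Everything else is an assumption: the `using` namespaces, `User.GetUserByID`, that a `User` can be passed where a `LimitedUser` is expected, and the placeholder site URL, cart secret and user id.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
// JwtService lives in the Dynamicweb.Ecommerce.WebAPI.Controllers assembly (per the reply above).
// Both namespaces below are assumptions; adjust them to what your assembly references expose.
using Dynamicweb.Ecommerce.WebAPI.Controllers;
using Dynamicweb.Security.UserManagement;

public static class CartAccessExample
{
    // Upper bound quoted in the reply for the web API: 86400 s = 24 h. Real calls should use far less.
    public const int MaxTokenLifetimeSeconds = 86400;

    // Mint a bearer token for a user, refusing non-positive lifetimes and clamping to the 24 h cap.
    public static string TokenForUser(LimitedUser user, int requestedLifetimeSeconds)
    {
        if (user == null)
            throw new ArgumentNullException(nameof(user));
        if (requestedLifetimeSeconds <= 0)
            throw new ArgumentOutOfRangeException(nameof(requestedLifetimeSeconds));

        int lifetime = Math.Min(requestedLifetimeSeconds, MaxTokenLifetimeSeconds);
        return JwtService.GetToken(user, lifetime);
    }

    // GET /dwapi/ecommerce/carts/{secret}; the Authorization header is sent only when a token is given.
    public static async Task<Tuple<int, string>> GetCartAsync(HttpClient http, string cartSecret, string bearerToken)
    {
        string path = "dwapi/ecommerce/carts/" + Uri.EscapeDataString(cartSecret);
        using (var request = new HttpRequestMessage(HttpMethod.Get, path))
        {
            if (!string.IsNullOrEmpty(bearerToken))
                request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", bearerToken);

            using (var response = await http.SendAsync(request))
            {
                string body = await response.Content.ReadAsStringAsync();
                return Tuple.Create((int)response.StatusCode, body);
            }
        }
    }

    public static async Task Main()
    {
        // Placeholders, not values from the thread.
        string siteUrl = "https://your-dynamicweb-site.example/";
        string cartSecret = "<secret of a cart that has a user on it>";
        int cartOwnerUserId = 123;

        using (var http = new HttpClient { BaseAddress = new Uri(siteUrl) })
        {
            // 1. No bearer token: for a cart that carries a user id this is the "no access" case from the thread.
            var anonymous = await GetCartAsync(http, cartSecret, null);
            Console.WriteLine("anonymous request: HTTP " + anonymous.Item1);

            // 2. Token minted for the cart's own user: the user id on the token matches the cart, so access is granted.
            //    Assumed: User.GetUserByID exists and a User can be passed where a LimitedUser is expected.
            User owner = User.GetUserByID(cartOwnerUserId);
            string token = TokenForUser(owner, 300); // five minutes is plenty for a server-side fetch
            var authenticated = await GetCartAsync(http, cartSecret, token);
            Console.WriteLine("request with owner token: HTTP " + authenticated.Item1);
            Console.WriteLine(authenticated.Item2);
        }
    }
}
```

Note that this route never needs the user's password: the token is minted server-side for a user object you already hold, which is why the stored (hashed) password being unusable for a login call is not a problem here. The token identifies that user to the API, so mint it only in trusted server code, keep the lifetime short, and never hand a token minted for one user to another client.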
 
Pedro Meias

Hi Nicolai,

Thank you! This works perfectly for the scenario we have.

 
