Place Order not using Customer token when logged in

[rain2o]

Note - I'm writing this from the perspective of a Magento 2 <> VSF integration. I can't speak to how this impacts other platforms.

When a user is logged in (for Magento), the Cart ID is numeric, as opposed to the alpha-numeric Cart ID for guests. Currently there is a check for isNumeric in the o2m.js file, which is used to determine if the user is logged in or not.

However, the customer's consumer token is not being used in this scenario, and as a result the adminRequest flag is set when callin the Magento 2 Rest Client, so it makes the call using the Integration Consumer Token for the application instead of the customer. This doesn't necessarily cause an issue immediately, because it still works, but this isn't ideal behavior and it could potentially cause "session" issues during the checkout. For example, Stripe updated their module to support using their Credit Card payment method through Magento's API, and in the scenario of 3D Secure, they are using session data to handle the back-and-forth of some data to complete the authentication flow. This means the customer's consumer token should be used when making API calls to place their order, so this data can be persisted via their customer session. This is just one example that we have seen, but overall it would be ideal if we could use the customer's token if available.

This does require a dependency in Vue Storefront, but it wouldn't be a breaking requirement. I have tested this in my current instance of Vue Storefront and Magento 2, and all that was needed was adding ?token={{token}} to the end of the orders.endpoint in local.json. Since this call is made through the Task process, this token variable will automatically be replaced with the user's token, if it exists. After doing that, we simply need to check for this parameter in the order API, and pass it along to proxy to be handled accordingly.

The Magento 2 Rest Client module already supports this capability, we just need to pass the token from Vue Storefront to the Rest Client call to complete the cycle.

I have a rough working version currently, and can try to submit a PR with a cleaned up version. But I don't know how this change will impact the agnostic approach to vsf-api.

[pkarw]

Hi Joel. Please work on the src/api/platform/* proxy level. We should just add the token as an optional parameter for placing the order and for now support it only in magento2 proxy driver; can you propose a PR please?