@lukeholder

  • Require valid token or logged-in cart owner to load a cart via load-cart action
  • Add cartLinkExpiry setting (default 24 hours) for token expiration
  • Add getLoadCartUrl() method to Carts service that generates secure token URLs
  • Update Order::getLoadCartUrl() to return secure token URL
  • Add email challenge flow for cart recovery when token is missing/expired
  • Register commerce_cart_recovery system message for recovery emails
  • Add _cart/email-challenge.twig and email-sent.twig templates
  • Carts that have no email/customer associated and no address information will load without needing to check the token, etc.

- Add secure token validation to load-cart action
  - Carts with email/addresses require valid token or owner authentication
  - Carts without sensitive data can load without token
  - Add email challenge flow for unauthenticated cart recovery
  - Register commerce_cart_recovery system message for recovery emails
  - Add cartLinkExpiry setting (default 24 hours)
  - Add getLoadCartUrl() to Carts service for generating secure URLs

@lukeholder changed the title from "Add token-based security for cart loading" to "[4.x] Add token-based security for cart loading" on Jan 21, 2026
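
Added example, not code from this pull request or from Craft Commerce: one way the load-cart decision listed above could work, assuming a stateless HMAC-signed link token (the page does not say how the tokens are built). All function names, array keys, the constant and the sample cart are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration, not Craft Commerce code. Every name here is hypothetical.
const CART_LINK_EXPIRY = 24 * 3600; // mirrors the 24 hour default named in the PR

// Token format (assumption): "<expiry unix time>.<hex HMAC of cartNumber|expiry>".
function makeCartToken(string $cartNumber, string $key, int $now): string
{
    $expires = $now + CART_LINK_EXPIRY;
    return $expires . '.' . hash_hmac('sha256', $cartNumber . '|' . $expires, $key);
}

function tokenIsValid(string $cartNumber, ?string $token, string $key, int $now): bool
{
    // Reject missing or malformed tokens before doing any crypto.
    if ($token === null || !preg_match('/^(\d{1,12})\.([0-9a-f]{64})$/D', $token, $m)) {
        return false;
    }
    $expected = hash_hmac('sha256', $cartNumber . '|' . $m[1], $key);
    // Constant-time MAC comparison, then the expiry check on the signed timestamp.
    return hash_equals($expected, $m[2]) && (int)$m[1] >= $now;
}

/** Returns 'load' or 'email-challenge'. */
function decideLoadCart(array $cart, ?string $token, ?int $userId, string $key, int $now): string
{
    $sensitive = $cart['email'] !== null || $cart['customerId'] !== null || $cart['hasAddress'];
    if (!$sensitive) {
        return 'load'; // no email, customer or address data to disclose
    }
    if ($userId !== null && $userId === $cart['customerId']) {
        return 'load'; // logged-in cart owner
    }
    // Missing, expired or tampered token falls back to the email challenge.
    return tokenIsValid($cart['number'], $token, $key, $now) ? 'load' : 'email-challenge';
}

// Constructed sample data.
$key = random_bytes(32);
$now = time();
$cart = ['number' => 'a1b2c3', 'email' => 'shopper@example.com', 'customerId' => 7, 'hasAddress' => true];
$token = makeCartToken($cart['number'], $key, $now);

var_dump(decideLoadCart($cart, $token, null, $key, $now));         // fresh link, anonymous visitor
var_dump(decideLoadCart($cart, $token, null, $key, $now + 90000)); // same link after the expiry window
var_dump(decideLoadCart($cart, null, 7, $key, $now));              // no token, logged-in owner
var_dump(decideLoadCart($cart, $token . '0', null, $key, $now));   // tampered token
```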