Impact: minor
Type: feature|bugfix

Changes

Resolves a few small issues that have come up recently.

• The cart GraphQL transforms no longer force the fulfillmentTypes field on the FulfillmentMethod type to always be ["shipping"]. You will not notice any difference here because it is always ["shipping"] in the database for now, too, but this fix allows exploration of supporting other fulfillment types such as "pickup" or "digital".
• The CommonOrder passed to many different types of plugin calculation functions now has accountId set on it if the source cart or order belongs to an account. This allows you to do pricing, shipping options, discounts, surcharges, etc. based on which account is placing the order.
• Request headers are and have been available to GraphQL resolvers on context.requestHeaders. We now remove the authorization, cookie, and meteor-login-token headers, which contain sensitive information, from this object as a precaution.

Breaking changes

None, unless you have a custom plugin relying on the headers that were removed from context.requestHeaders, which is unlikely.

Testing

• The fulfillmentTypes change does not need testing.
• No built-in plugins use the CommonOrder accountId, but you can temporarily log commonOrder.accountId somewhere to verify that it is set as you go through checkout while logged in.
• Log context.requestHeaders in any resolver, and make a GraphQL request that will call that resolver, passing authorization header with your request. Verify that no headers with sensitive information are logged.