reactioncommerce · kieckhafer · Sep 23, 2019 · Sep 16, 2019 · Sep 16, 2019 · Sep 16, 2019
diff --git a/imports/node-app/core/ReactionNodeApp.js b/imports/node-app/core/ReactionNodeApp.js
@@ -142,8 +142,10 @@ export default class ReactionNodeApp {
     });
   }
 
-  disconnectFromMongo() {
-    return this.mongoClient.close();
+  async disconnectFromMongo() {
+    if (this.mongoClient) {
+      await this.mongoClient.close();
+    }
   }
 
   /**

diff --git a/imports/node-app/core/util/buildContext.js b/imports/node-app/core/util/buildContext.js
@@ -44,5 +44,10 @@ export default async function buildContext(context, request = {}) {
   context.rootUrl = getRootUrl(request);
   context.getAbsoluteUrl = (path) => getAbsoluteUrl(context.rootUrl, path);
 
-  context.requestHeaders = request.headers;
+  // Make some request headers available to resolvers on context, but remove any
+  // with potentially sensitive information in them.
+  context.requestHeaders = { ...request.headers };
+  delete context.requestHeaders.authorization;
+  delete context.requestHeaders.cookie;
+  delete context.requestHeaders["meteor-login-token"];
 }
diff --git a/imports/node-app/core/util/buildContext.test.js b/imports/node-app/core/util/buildContext.test.js
@@ -21,6 +21,7 @@ test("properly mutates the context object without user", async () => {
     queries: {
       primaryShopId: jasmine.any(Function)
     },
+    requestHeaders: {},
     rootUrl: "http://localhost:3000/",
     shopId: "PRIMARY_SHOP_ID",
     shopsUserHasPermissionFor: jasmine.any(Function),
@@ -50,6 +51,7 @@ test("properly mutates the context object with user", async () => {
     queries: {
       primaryShopId: jasmine.any(Function)
     },
+    requestHeaders: {},
     shopId: "PRIMARY_SHOP_ID",
     shopsUserHasPermissionFor: jasmine.any(Function),
     user: fakeUser,

diff --git a/imports/plugins/core/cart/server/no-meteor/util/xformCartGroupToCommonOrder.js b/imports/plugins/core/cart/server/no-meteor/util/xformCartGroupToCommonOrder.js
@@ -10,7 +10,7 @@ import ReactionError from "@reactioncommerce/reaction-error";
  */
 export default async function xformCartGroupToCommonOrder(cart, group, context) {
   const { collections } = context;
-  const { currencyCode } = cart;
+  const { accountId, currencyCode } = cart;
 
   let items = group.itemIds.map((itemId) => cart.items.find((item) => item._id === itemId));
   items = items.filter((item) => !!item); // remove nulls
@@ -131,6 +131,7 @@ export default async function xformCartGroupToCommonOrder(cart, group, context)
 
 
   return {
+    accountId,
     billingAddress: null,
     cartId: cart._id,
     currencyCode: cart.currencyCode,

diff --git a/imports/plugins/core/graphql/server/no-meteor/xforms/cart.js b/imports/plugins/core/graphql/server/no-meteor/xforms/cart.js
@@ -130,8 +130,7 @@ function xformCartFulfillmentGroup(fulfillmentGroup, cart) {
       displayName: option.method.label || option.method.name,
       group: option.method.group || null,
       name: option.method.name,
-      // For now, this is always shipping. Revisit when adding download, pickup, etc. types
-      fulfillmentTypes: ["shipping"]
+      fulfillmentTypes: option.method.fulfillmentTypes
     },
     handlingPrice: {
       amount: option.handlingPrice || 0,
@@ -156,8 +155,7 @@ function xformCartFulfillmentGroup(fulfillmentGroup, cart) {
         displayName: fulfillmentGroup.shipmentMethod.label || fulfillmentGroup.shipmentMethod.name,
         group: fulfillmentGroup.shipmentMethod.group || null,
         name: fulfillmentGroup.shipmentMethod.name,
-        // For now, this is always shipping. Revisit when adding download, pickup, etc. types
-        fulfillmentTypes: ["shipping"]
+        fulfillmentTypes: fulfillmentGroup.shipmentMethod.fulfillmentTypes
       },
       handlingPrice: {
         amount: fulfillmentGroup.shipmentMethod.handling || 0,

diff --git a/imports/plugins/core/orders/server/no-meteor/mutations/addOrderFulfillmentGroup.js b/imports/plugins/core/orders/server/no-meteor/mutations/addOrderFulfillmentGroup.js
@@ -59,7 +59,7 @@ export default async function addOrderFulfillmentGroup(context, input) {
     throw new ReactionError("access-denied", "Access Denied");
   }
 
-  const { billingAddress, cartId, currencyCode } = order;
+  const { accountId, billingAddress, cartId, currencyCode } = order;
 
   // If there are moveItemIds, find and pull them from their current groups
   let updatedGroups;
@@ -94,6 +94,7 @@ export default async function addOrderFulfillmentGroup(context, input) {
 
       // Update group shipping, tax, totals, etc.
       const { groupSurcharges } = await updateGroupTotals(context, {
+        accountId,
         billingAddress,
         cartId,
         currencyCode,
@@ -124,6 +125,7 @@ export default async function addOrderFulfillmentGroup(context, input) {
 
   // Now build the new group we are adding
   const { group: newGroup, groupSurcharges } = await buildOrderFulfillmentGroupFromInput(context, {
+    accountId,
     // If we are moving any items from existing groups to this new group, push those into
     // the newGroup items array.
     additionalItems: movingItems,

diff --git a/imports/plugins/core/orders/server/no-meteor/mutations/moveOrderItems.js b/imports/plugins/core/orders/server/no-meteor/mutations/moveOrderItems.js
@@ -37,7 +37,14 @@ export default async function moveOrderItems(context, input) {
     toFulfillmentGroupId
   } = input;
 
-  const { accountId, appEvents, collections, isInternalCall, userHasPermission, userId } = context;
+  const {
+    accountId: authAccountId,
+    appEvents,
+    collections,
+    isInternalCall,
+    userHasPermission,
+    userId
+  } = context;
   const { Orders } = collections;
 
   // First verify that this order actually exists
@@ -49,15 +56,15 @@ export default async function moveOrderItems(context, input) {
   // plugin, context.isInternalCall can be set to `true` to disable this check.
   if (
     !isInternalCall &&
-    (!accountId || accountId !== order.accountId) &&
+    (!authAccountId || authAccountId !== order.accountId) &&
     !userHasPermission(["orders", "order/fulfillment"], order.shopId)
   ) {
     throw new ReactionError("access-denied", "Access Denied");
   }
 
   // Is the account calling this mutation also the account that placed the order?
   // We need this check in a couple places below, so we'll get it here.
-  const accountIsOrderer = (order.accountId && accountId === order.accountId);
+  const accountIsOrderer = (order.accountId && authAccountId === order.accountId);
 
   // The orderer may only move items while the order status is still "new"
   if (accountIsOrderer && !orderStatusesThatOrdererCanMove.includes(order.workflow.status)) {
@@ -90,7 +97,7 @@ export default async function moveOrderItems(context, input) {
     throw new ReactionError("not-found", "Some order items not found");
   }
 
-  const { billingAddress, cartId, currencyCode } = order;
+  const { accountId, billingAddress, cartId, currencyCode } = order;
 
   // Find and move the items
   const orderSurcharges = [];
@@ -121,6 +128,7 @@ export default async function moveOrderItems(context, input) {
 
     // Update group shipping, tax, totals, etc.
     const { groupSurcharges } = await updateGroupTotals(context, {
+      accountId,
       billingAddress,
       cartId,
       currencyCode,

diff --git a/imports/plugins/core/orders/server/no-meteor/mutations/placeOrder.js b/imports/plugins/core/orders/server/no-meteor/mutations/placeOrder.js
@@ -208,6 +208,7 @@ export default async function placeOrder(context, input) {
   let shippingAddressForPayments = null;
   const finalFulfillmentGroups = await Promise.all(fulfillmentGroups.map(async (inputGroup) => {
     const { group, groupSurcharges } = await buildOrderFulfillmentGroupFromInput(context, {
+      accountId,
       billingAddress,
       cartId,
       currencyCode,

diff --git a/imports/plugins/core/orders/server/no-meteor/mutations/splitOrderItem.js b/imports/plugins/core/orders/server/no-meteor/mutations/splitOrderItem.js
@@ -56,7 +56,7 @@ export default async function splitOrderItem(context, input) {
     throw new ReactionError("access-denied", "Access Denied");
   }
 
-  const { billingAddress, cartId, currencyCode } = order;
+  const { accountId, billingAddress, cartId, currencyCode } = order;
 
   // Find and split the item
   let foundItem = false;
@@ -107,6 +107,7 @@ export default async function splitOrderItem(context, input) {
 
     // Update group shipping, tax, totals, etc.
     const { groupSurcharges } = await updateGroupTotals(context, {
+      accountId,
       billingAddress,
       cartId,
       currencyCode,

diff --git a/imports/plugins/core/orders/server/no-meteor/simpleSchemas.js b/imports/plugins/core/orders/server/no-meteor/simpleSchemas.js
@@ -116,6 +116,10 @@ const CommonOrderTotals = new SimpleSchema({
  *   caring whether it is for a Cart or an Order.
  */
 export const CommonOrder = new SimpleSchema({
+  accountId: {
+    type: String,
+    optional: true
+  },
   billingAddress: {
     type: Address,
     optional: true

diff --git a/imports/plugins/core/orders/server/no-meteor/util/addShipmentMethodToGroup.js b/imports/plugins/core/orders/server/no-meteor/util/addShipmentMethodToGroup.js
@@ -4,6 +4,7 @@ import xformOrderGroupToCommonOrder from "./xformOrderGroupToCommonOrder";
 /**
  * @summary Sets `shipmentMethod` object for a fulfillment group
  * @param {Object} context An object containing the per-request state
+ * @param {String} [accountId] ID of account that is placing or already did place the order
  * @param {Object} [billingAddress] The primary billing address for the order, if known
  * @param {String|null} [cartId] ID of the cart from which the order is being placed, if applicable
  * @param {String} currencyCode Currency code for all money values
@@ -14,6 +15,7 @@ import xformOrderGroupToCommonOrder from "./xformOrderGroupToCommonOrder";
  * @returns {undefined}
  */
 export default async function addShipmentMethodToGroup(context, {
+  accountId,
   billingAddress,
   cartId,
   currencyCode,
@@ -25,6 +27,7 @@ export default async function addShipmentMethodToGroup(context, {
   const { collections, queries } = context;
 
   const commonOrder = await xformOrderGroupToCommonOrder({
+    accountId,
     billingAddress,
     cartId,
     collections,

diff --git a/imports/plugins/core/orders/server/no-meteor/util/addTaxesToGroup.js b/imports/plugins/core/orders/server/no-meteor/util/addTaxesToGroup.js
@@ -3,6 +3,7 @@ import xformOrderGroupToCommonOrder from "./xformOrderGroupToCommonOrder";
 /**
  * @summary Adds taxes to a fulfillment group
  * @param {Object} context An object containing the per-request state
+ * @param {String} [accountId] ID of account that is placing or already did place the order
  * @param {Object} [billingAddress] The primary billing address for the order, if known
  * @param {String|null} [cartId] ID of the cart from which the order is being placed, if applicable
  * @param {String} currencyCode Currency code for all money values
@@ -12,6 +13,7 @@ import xformOrderGroupToCommonOrder from "./xformOrderGroupToCommonOrder";
  * @returns {Object} An object with `taxTotal` and `taxableAmount` numeric properties
  */
 export default async function addTaxesToGroup(context, {
+  accountId,
   billingAddress,
   cartId,
   currencyCode,
@@ -22,6 +24,7 @@ export default async function addTaxesToGroup(context, {
   const { collections, mutations } = context;
 
   const commonOrder = await xformOrderGroupToCommonOrder({
+    accountId,
     billingAddress,
     cartId,
     collections,

diff --git a/imports/plugins/core/orders/server/no-meteor/util/buildOrderFulfillmentGroupFromInput.js b/imports/plugins/core/orders/server/no-meteor/util/buildOrderFulfillmentGroupFromInput.js
@@ -5,6 +5,7 @@ import updateGroupTotals from "./updateGroupTotals";
 /**
  * @summary Builds an order fulfillment group from fulfillment group input.
  * @param {Object} context an object containing the per-request state
+ * @param {String} [accountId] ID of account placing the order
  * @param {Object[]} [additionalItems] Additional already-created order items to push into the group
  *   items array before calculating shipping, tax, surcharges, and totals.
  * @param {Object} [billingAddress] The primary billing address for the order, if known
@@ -16,6 +17,7 @@ import updateGroupTotals from "./updateGroupTotals";
  * @returns {Promise<Object>} The fulfillment group
  */
 export default async function buildOrderFulfillmentGroupFromInput(context, {
+  accountId,
   additionalItems,
   billingAddress,
   cartId,
@@ -56,6 +58,7 @@ export default async function buildOrderFulfillmentGroupFromInput(context, {
     taxableAmount,
     taxTotal
   } = await updateGroupTotals(context, {
+    accountId,
     billingAddress,
     cartId,
     currencyCode,

diff --git a/imports/plugins/core/orders/server/no-meteor/util/getSurchargesForGroup.js b/imports/plugins/core/orders/server/no-meteor/util/getSurchargesForGroup.js
@@ -3,6 +3,7 @@ import xformOrderGroupToCommonOrder from "./xformOrderGroupToCommonOrder";
 /**
  * @summary Gets surcharge information for a fulfillment group
  * @param {Object} context An object containing the per-request state
+ * @param {String} [accountId] ID of account that is placing or already did place the order
  * @param {Object} [billingAddress] The primary billing address for the order, if known
  * @param {String|null} [cartId] ID of the cart from which the order is being placed, if applicable
  * @param {String} currencyCode Currency code for all money values
@@ -12,6 +13,7 @@ import xformOrderGroupToCommonOrder from "./xformOrderGroupToCommonOrder";
  * @returns {undefined}
  */
 export default async function getSurchargesForGroup(context, {
+  accountId,
   billingAddress,
   cartId,
   currencyCode,
@@ -23,6 +25,7 @@ export default async function getSurchargesForGroup(context, {
 
   // Get surcharges to apply to group, if applicable
   const commonOrder = await xformOrderGroupToCommonOrder({
+    accountId,
     billingAddress,
     cartId,
     collections,

diff --git a/imports/plugins/core/orders/server/no-meteor/util/updateGroupTotals.js b/imports/plugins/core/orders/server/no-meteor/util/updateGroupTotals.js
@@ -9,6 +9,7 @@ import getSurchargesForGroup from "./getSurchargesForGroup";
  *   something else relevant about the group may have changed. All shipping, tax,
  *   and surcharge values will be recalculated and invoice totals updated.
  * @param {Object} context App context
+ * @param {String} [accountId] ID of account that is placing or already did place the order
  * @param {Object} [billingAddress] The primary billing address for the order, if known
  * @param {String} [cartId] ID of the cart from which the order is being placed, if applicable
  * @param {String} currencyCode Currency code for all money values
@@ -20,6 +21,7 @@ import getSurchargesForGroup from "./getSurchargesForGroup";
  * @returns {Promise<Object>} Object with surcharge and tax info on it
  */
 export default async function updateGroupTotals(context, {
+  accountId,
   billingAddress = null,
   cartId = null,
   currencyCode,
@@ -31,6 +33,7 @@ export default async function updateGroupTotals(context, {
 }) {
   // Apply shipment method
   await addShipmentMethodToGroup(context, {
+    accountId,
     billingAddress,
     cartId,
     currencyCode,
@@ -44,6 +47,7 @@ export default async function updateGroupTotals(context, {
     groupSurcharges,
     groupSurchargeTotal
   } = await getSurchargesForGroup(context, {
+    accountId,
     billingAddress,
     cartId,
     currencyCode,
@@ -55,6 +59,7 @@ export default async function updateGroupTotals(context, {
 
   // Calculate and set taxes. Mutates group object in addition to returning the totals.
   const { taxTotal, taxableAmount } = await addTaxesToGroup(context, {
+    accountId,
     billingAddress,
     cartId,
     currencyCode,

diff --git a/imports/plugins/core/orders/server/no-meteor/util/xformOrderGroupToCommonOrder.js b/imports/plugins/core/orders/server/no-meteor/util/xformOrderGroupToCommonOrder.js
@@ -9,7 +9,16 @@ import { toFixed } from "accounting-js";
  * @param {String} orderId The order ID
  * @returns {Object} Valid CommonOrder for the given order group
  */
-export default async function xformOrderGroupToCommonOrder({ billingAddress = null, cartId, collections, currencyCode, group, orderId, discountTotal }) {
+export default async function xformOrderGroupToCommonOrder({
+  accountId = null,
+  billingAddress = null,
+  cartId,
+  collections,
+  currencyCode,
+  group,
+  orderId,
+  discountTotal
+}) {
   // ** If you add any data here, be sure to add the same data to the matching xformCartGroupToCommonOrder xform
   const items = group.items.map((item) => ({
     _id: item._id,
@@ -94,6 +103,7 @@ export default async function xformOrderGroupToCommonOrder({ billingAddress = nu
   };
 
   return {
+    accountId,
     billingAddress,
     cartId,
     currencyCode,