config to disable anonymous session creation to allow only authentica…

…ted users to add to cart. This helps preventing bot/scrapers to make operations on shop-api, allows only authenticated users to view products etc.
vendure-ecommerce · Aug 1, 2024 · 23d5e99 · 23d5e99
1 parent e508e36
commit 23d5e99
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/packages/core/src/api/middleware/auth-guard.ts b/packages/core/src/api/middleware/auth-guard.ts
@@ -50,13 +50,15 @@ export class AuthGuard implements CanActivate {
             return true;
         }
         const authDisabled = this.configService.authOptions.disableAuth;
+        const disableAnonymousSession = this.configService.authOptions.disableAnonymousSession;
+
         const isPublic = !!permissions && permissions.includes(Permission.Public);
         const hasOwnerPermission = !!permissions && permissions.includes(Permission.Owner);
         let requestContext: RequestContext;
         if (isFieldResolver) {
             requestContext = (req as any)[REQUEST_CONTEXT_KEY];
         } else {
-            const session = await this.getSession(req, res, hasOwnerPermission);
+            const session = await this.getSession(req, res, hasOwnerPermission, disableAnonymousSession);
             requestContext = await this.requestContextService.fromRequest(req, info, permissions, session);
 
             const requestContextShouldBeReinitialized = await this.setActiveChannel(requestContext, session);
@@ -134,6 +136,7 @@ export class AuthGuard implements CanActivate {
         req: Request,
         res: Response,
         hasOwnerPermission: boolean,
+        disableAnonymousSession: boolean,
     ): Promise<CachedSession | undefined> {
         const sessionToken = extractSessionToken(req, this.configService.authOptions.tokenMethod);
         let serializedSession: CachedSession | undefined;
@@ -153,7 +156,7 @@ export class AuthGuard implements CanActivate {
             });
         }
 
-        if (hasOwnerPermission && !serializedSession) {
+        if (hasOwnerPermission && !serializedSession && !disableAnonymousSession) {
             serializedSession = await this.sessionService.createAnonymousSession();
             setSessionToken({
                 sessionToken: serializedSession.token,

diff --git a/packages/core/src/config/vendure-config.ts b/packages/core/src/config/vendure-config.ts
@@ -2,7 +2,7 @@ import { ApolloServerPlugin } from '@apollo/server';
 import { RenderPageOptions } from '@apollographql/graphql-playground-html';
 import { DynamicModule, Type } from '@nestjs/common';
 import { CorsOptions } from '@nestjs/common/interfaces/external/cors-options.interface';
-import { LanguageCode } from '@vendure/common/lib/generated-types';
+import { LanguageCode, Permission } from '@vendure/common/lib/generated-types';
 import { ValidationContext } from 'graphql';
 import { DataSourceOptions } from 'typeorm';
 
@@ -473,6 +473,17 @@ export interface AuthOptions {
      * @default DefaultPasswordValidationStrategy
      */
     passwordValidationStrategy?: PasswordValidationStrategy;
+
+    /**
+     * @description
+     * When set to `true`, the built-in mechanism for allowing unauthenticated users to create
+     * orders (so-called "anonymous" sessions) is disabled.
+     * This is useful when you want to ensure that all orders are associated with an authenticated user.
+     *
+     * @since 3.0.0
+     * @default false
+     */
+    disableAnonymousSession?: boolean;
 }
 
 /**