Add token-based security for cart loading

lukeholder · lukeholder · commit 5f09dd0a60fc · 2026-01-20T15:36:34.000+08:00
- Require valid token or logged-in cart owner to load a cart via load-cart action
- Add cartLinkExpiry setting (default 24 hours) for token expiration
- Add getLoadCartUrl() method to Carts service that generates secure token URLs
- Update Order::getLoadCartUrl() to return secure token URL
- Add email challenge flow for cart recovery when token is missing/expired
- Register commerce_cart_recovery system message for recovery emails
- Add _cart/email-challenge.twig and email-sent.twig templates
diff --git a/src/Plugin.php b/src/Plugin.php
@@ -862,6 +862,12 @@ function(RegisterEmailMessagesEvent $event) {
                         'subject' => Craft::t('commerce', 'Your Order PDF Download Link'),
                         'body' => $this->_getDefaultPdfDownloadMessage(),
                     ],
+                    [
+                        'key' => 'commerce_cart_recovery',
+                        'heading' => Craft::t('commerce', 'Cart Recovery Link'),
+                        'subject' => Craft::t('commerce', 'Your Cart Recovery Link'),
+                        'body' => $this->_getDefaultCartRecoveryMessage(),
+                    ],
                 ]);
             }
         );
@@ -1308,4 +1314,18 @@ private function _getDefaultPdfDownloadMessage(): string
             "**Please note:** This link will expire for security purposes.\n\n" .
             "Thank you!";
     }
+
+    /**
+     * Returns the default message body for the cart recovery email.
+     *
+     * @return string
+     */
+    private function _getDefaultCartRecoveryMessage(): string
+    {
+        return "Hello,\n\n" .
+            "You requested a link to recover your shopping cart. Click the link below to continue shopping:\n\n" .
+            "[Recover My Cart]({{ link }})\n\n" .
+            "**Please note:** This link will expire for security purposes.\n\n" .
+            "Thank you!";
+    }
 }
diff --git a/src/controllers/CartController.php b/src/controllers/CartController.php
@@ -31,6 +31,7 @@
 use yii\web\HttpException;
 use yii\web\NotFoundHttpException;
 use yii\web\Response;
+use craft\web\View;
 
 /**
  * Class Cart Controller
@@ -372,16 +373,15 @@ public function actionLoadCart(): ?Response
     {
         $carts = Plugin::getInstance()->getCarts();
         $number = $this->request->getParam('number');
+        $token = $this->request->getParam('token');
         $loadCartRedirectUrl = Plugin::getInstance()->getSettings()->loadCartRedirectUrl ?? '';
         $redirect = UrlHelper::siteUrl($loadCartRedirectUrl);
 
         if (!$number) {
             $error = Craft::t('commerce', 'A cart number must be specified.');
-
             if ($this->request->getAcceptsJson()) {
                 return $this->asFailure($error);
             }
-
             $this->setFailFlash($error);
             return $this->request->getIsGet() ? $this->redirect($redirect) : null;
         }
@@ -390,18 +390,59 @@ public function actionLoadCart(): ?Response
 
         if (!$cart) {
             $error = Craft::t('commerce', 'Unable to retrieve cart.');
-
             if ($this->request->getAcceptsJson()) {
                 return $this->asFailure($error);
             }
+            $this->setFailFlash($error);
+            return $this->request->getIsGet() ? $this->redirect($redirect) : null;
+        }
 
+        // Carts without email cannot be recovered
+        if (!$cart->getEmail()) {
+            $error = Craft::t('commerce', 'Unable to retrieve cart.');
+            if ($this->request->getAcceptsJson()) {
+                return $this->asFailure($error);
+            }
             $this->setFailFlash($error);
             return $this->request->getIsGet() ? $this->redirect($redirect) : null;
         }
 
-        // If we have a cart, use the site for that cart for the URL redirect.
-        $redirect = UrlHelper::siteUrl(path: $loadCartRedirectUrl, siteId: $cart->orderSiteId);
+        $currentUser = Craft::$app->getUser()->getIdentity();
+        $hasValidToken = false;
+
+        // Check token if provided
+        if ($token) {
+            $tokenData = Craft::$app->getTokens()->getTokenRoute($token);
+
+            if (!$tokenData || !isset($tokenData[1]['cartNumber']) || $tokenData[1]['cartNumber'] !== $number) {
+                Craft::$app->getSession()->setError(Craft::t('commerce', 'The cart recovery link is invalid. Please request a new one.'));
+                return $this->redirect(UrlHelper::actionUrl('commerce/cart/email-challenge', ['number' => $number]));
+            }
+
+            if (isset($tokenData[1]['expiresAt'])) {
+                $now = (new \DateTime())->getTimestamp();
+                if ($now > $tokenData[1]['expiresAt']) {
+                    return $this->redirect(UrlHelper::actionUrl('commerce/cart/email-challenge', ['number' => $number]));
+                }
+            }
+
+            $hasValidToken = true;
+        }
 
+        // Check permissions if no valid token
+        if (!$hasValidToken) {
+            if ($currentUser) {
+                $isCartCustomer = $cart->getCustomer() && $cart->getCustomer()->id === $currentUser->id;
+                if (!$isCartCustomer) {
+                    return $this->redirect(UrlHelper::actionUrl('commerce/cart/email-challenge', ['number' => $number]));
+                }
+            } else {
+                return $this->redirect(UrlHelper::actionUrl('commerce/cart/email-challenge', ['number' => $number]));
+            }
+        }
+
+        // Load the cart (existing logic)
+        $redirect = UrlHelper::siteUrl(path: $loadCartRedirectUrl, siteId: $cart->orderSiteId);
         $carts->forgetCart();
         $carts->setSessionCartNumber($number);
 
@@ -802,4 +843,106 @@ private function _setAddresses(): void
             }
         }
     }
+
+    /**
+     * Renders the cart email challenge template.
+     */
+    private function renderCartEmailChallenge(Order $cart, string $cartNumber): Response
+    {
+        return $this->renderTemplate('commerce/_cart/email-challenge', [
+            'cart' => $cart,
+            'cartNumber' => $cartNumber,
+        ], View::TEMPLATE_MODE_CP);
+    }
+
+    /**
+     * Displays the email challenge form for cart recovery.
+     * @since 5.x
+     */
+    public function actionEmailChallenge(): Response
+    {
+        $number = $this->request->getQueryParam('number');
+
+        if (!$number) {
+            throw new BadRequestHttpException('Cart number required');
+        }
+
+        $cart = Order::find()->number($number)->isCompleted(false)->one();
+
+        if (!$cart || !$cart->getEmail()) {
+            throw new HttpException(404, 'Cart not found');
+        }
+
+        return $this->renderCartEmailChallenge($cart, $number);
+    }
+
+    /**
+     * Handles the email challenge form submission for cart recovery.
+     * @since 5.x
+     */
+    public function actionCartChallenge(): Response
+    {
+        $this->requirePostRequest();
+
+        $cartNumberHash = $this->request->getBodyParam('cartNumberHash');
+
+        if (!$cartNumberHash) {
+            throw new BadRequestHttpException('Cart number hash is required');
+        }
+
+        $cartNumber = Craft::$app->getSecurity()->validateData($cartNumberHash);
+
+        if ($cartNumber === false) {
+            throw new BadRequestHttpException('Invalid cart number hash');
+        }
+
+        $cart = Order::find()->number($cartNumber)->isCompleted(false)->one();
+
+        if (!$cart) {
+            throw new HttpException(404, 'Cart not found');
+        }
+
+        $loadCartUrl = Plugin::getInstance()->getCarts()->getLoadCartUrl($cart);
+
+        if (!Craft::$app->getMailer()->composeFromKey('commerce_cart_recovery', [
+            'link' => $loadCartUrl,
+            'cart' => $cart,
+        ])->setTo($cart->email)->send()) {
+            Craft::$app->getSession()->setError(Craft::t('commerce', 'Failed to send email. Please try again.'));
+            return $this->renderCartEmailChallenge($cart, $cartNumber);
+        }
+
+        Craft::$app->getSession()->setNotice(Craft::t('commerce', 'A cart recovery link has been sent to {email}', ['email' => $cart->getMaskedEmail()]));
+
+        return $this->redirect(UrlHelper::actionUrl('commerce/cart/cart-sent', ['hash' => $cartNumberHash]));
+    }
+
+    /**
+     * Displays success page after cart recovery email is sent.
+     * @since 5.x
+     */
+    public function actionCartSent(): Response
+    {
+        $cartNumberHash = $this->request->getQueryParam('hash');
+
+        if (!$cartNumberHash) {
+            throw new BadRequestHttpException('Hash parameter required');
+        }
+
+        $cartNumber = Craft::$app->getSecurity()->validateData($cartNumberHash);
+
+        if ($cartNumber === false) {
+            throw new HttpException(400, 'Invalid hash parameter');
+        }
+
+        $cart = Order::find()->number($cartNumber)->isCompleted(false)->one();
+
+        if (!$cart) {
+            throw new HttpException(404, 'Cart not found');
+        }
+
+        return $this->renderTemplate('commerce/_cart/email-sent', [
+            'email' => $cart->getMaskedEmail(),
+        ], View::TEMPLATE_MODE_CP);
+    }
 }
diff --git a/src/elements/Order.php b/src/elements/Order.php
@@ -2460,9 +2460,9 @@ public function getPdfUrl(string $option = null, string $pdfHandle = null, bool
     }
 
     /**
-     * Returns the URL to the cart’s load action url
+     * Returns the URL to the cart's load action url with a secure token.
      *
-     * @return string|null The URL to the order’s load cart URL, or null if the cart is an order
+     * @return string|null The URL to the order's load cart URL, or null if the cart is an order
      * @noinspection PhpUnused
      */
     public function getLoadCartUrl(): ?string
@@ -2471,12 +2471,7 @@ public function getLoadCartUrl(): ?string
             return null;
         }
 
-        $originalCpRequest = Craft::$app->getRequest()->getIsCpRequest();
-        Craft::$app->getRequest()->setIsCpRequest(false);
-        $url = UrlHelper::actionUrl('commerce/cart/load-cart', ['number' => $this->number]);
-        Craft::$app->getRequest()->setIsCpRequest($originalCpRequest);
-
-        return $url;
+        return Plugin::getInstance()->getCarts()->getLoadCartUrl($this);
     }
 
     /**
diff --git a/src/models/Settings.php b/src/models/Settings.php
@@ -141,13 +141,22 @@ class Settings extends Model
     /**
      * @var string|null Default URL to be loaded after using the [load cart controller action](https://craftcms.com/docs/commerce/5.x/system/orders-carts.html#loading-a-cart).
      *
-     * If `null` (default), Craft’s default [`siteUrl`](config5:siteUrl) will be used.
+     * If `null` (default), Craft's default [`siteUrl`](config5:siteUrl) will be used.
      *
      * @group Cart
      * @since 3.1
      */
     public ?string $loadCartRedirectUrl = null;
 
+    /**
+     * @var int How long (in seconds) a cart recovery link should remain valid before expiring.
+     * Default is 86400 (24 hours).
+     *
+     * @group Cart
+     * @since 5.x
+     */
+    public int $cartLinkExpiry = 86400;
+
     /**
      * @var array|null ISO codes for supported payment currencies.
      *
diff --git a/src/services/Carts.php b/src/services/Carts.php
@@ -21,6 +21,7 @@
 use craft\helpers\ConfigHelper;
 use craft\helpers\DateTimeHelper;
 use craft\helpers\Db;
+use craft\helpers\UrlHelper;
 use DateTime;
 use Throwable;
 use yii\base\Component;
@@ -373,6 +374,32 @@ public function setSessionCartNumber(string $cartNumber): void
         }
     }
 
+    /**
+     * Returns a URL to load a cart with a secure token.
+     *
+     * @param Order $cart The cart to generate the load URL for
+     * @return string The URL with secure token
+     * @since 5.x
+     */
+    public function getLoadCartUrl(Order $cart): string
+    {
+        $linkExpiry = Plugin::getInstance()->getSettings()->cartLinkExpiry;
+        $expiryTimestamp = (new \DateTime())->add(new \DateInterval('PT' . $linkExpiry . 'S'))->getTimestamp();
+
+        $token = Craft::$app->getTokens()->createToken([
+            'commerce/cart/load-cart',
+            [
+                'cartNumber' => $cart->number,
+                'expiresAt' => $expiryTimestamp,
+            ],
+        ]);
+
+        return UrlHelper::siteUrl('actions/commerce/cart/load-cart', [
+            'number' => $cart->number,
+            'token' => $token,
+        ]);
+    }
+
     /**
      * Restores previous cart for the current user if their current cart is empty.
      * Ideally this is only used when a user logs in.
diff --git a/src/templates/_cart/email-challenge.twig b/src/templates/_cart/email-challenge.twig
diff --git a/src/templates/_cart/email-sent.twig b/src/templates/_cart/email-sent.twig

Original file line number	Diff line number	Diff line change
`@@ -2460,9 +2460,9 @@ public function getPdfUrl(string $option = null, string $pdfHandle = null, bool`
`2460`	`2460`	`}`
`2461`	`2461`
`2462`	`2462`	`/**`
`2463`		`- * Returns the URL to the cart’s load action url`
	`2463`	`+ * Returns the URL to the cart's load action url with a secure token.`
`2464`	`2464`	`*`
`2465`		`- * @return string\|null The URL to the order’s load cart URL, or null if the cart is an order`
	`2465`	`+ * @return string\|null The URL to the order's load cart URL, or null if the cart is an order`
`2466`	`2466`	`* @noinspection PhpUnused`
`2467`	`2467`	`*/`
`2468`	`2468`	`public function getLoadCartUrl(): ?string`
`@@ -2471,12 +2471,7 @@ public function getLoadCartUrl(): ?string`
`2471`	`2471`	`return null;`
`2472`	`2472`	`}`
`2473`	`2473`
`2474`		`- $originalCpRequest = Craft::$app->getRequest()->getIsCpRequest();`
`2475`		`- Craft::$app->getRequest()->setIsCpRequest(false);`
`2476`		`- $url = UrlHelper::actionUrl('commerce/cart/load-cart', ['number' => $this->number]);`
`2477`		`- Craft::$app->getRequest()->setIsCpRequest($originalCpRequest);`
`2478`		`-`
`2479`		`- return $url;`
	`2474`	`+ return Plugin::getInstance()->getCarts()->getLoadCartUrl($this);`
`2480`	`2475`	`}`
`2481`	`2476`
`2482`	`2477`	`/**`