medusajs / nextjs-starter-medusa

A performant frontend ecommerce starter template with Next.js 14 and Medusa.
https://next.medusajs.com/
MIT License

Cart is persistent across different user login/logout, though sharing pricing/voucher #54

Open AlexDigital974 opened 2 years ago

AlexDigital974 commented 2 years ago

Bug report

Describe the bug

1) I log in with a user and add a product to my cart. I may or may not apply a voucher/discount or even add a price list.

2) I log out or switch user.

3) I still have the cart with the voucher/price list (bypassing the price list restriction).

Additional context

Expected behavior

If I log out or switch user, my cart should be different and linked to that user, especially if pricing or a voucher were used.

winston0410 commented 1 year ago

+1 I notice this issue as well. And there seems not to be an endpoint that gets the last cart of a customer, nor does Medusa handle that automatically.

wildan-m commented 8 months ago

Have you found any workaround?

VariableVic commented 8 months ago

This is due to the _medusa_cart_id cookie persisting after logout. If you want the cart to reset after logout, add the following line to the signOut Server Action in src/modules/account/actions.ts:

cookies().set("_medusa_cart_id", "", { maxAge: -1, })

Would you guys expect this to be the default behaviour?

wildan-m commented 8 months ago

@VariableVic In my case the users don't even log in, they share filled address info across devices and browsers. How can we sign out if the users are not logged in? It works fine when they are logged in.

VariableVic commented 8 months ago

@wildan-m Then I didn't understand your issue correctly. OP mentioned that the cart persists after logging out or switching accounts, which is correct and by design.

What is the exact issue you're facing? Please provide detailed steps on how to reproduce.

wildan-m commented 8 months ago

@VariableVic Some of the information in this section (usually email) can be seen by other visitors and auto-filled, even when they are using different browsers/devices. This happens when users are not in a logged-in state. The weird behavior does not occur when using localhost, but when deployed to the server, it occurs.

I use the Ubuntu server with pm2 to start the node.

(Screenshot attached: 2024-02-13 22:40:08)

sumanchy88 commented 6 months ago

@wildan-m Have you found any solution for the above issue? I'm facing a similar issue.

wildan-m commented 6 months ago

@sumanchy88 Not resolved yet, my client understands that the issue does not come from my customization, so he just lets it go.

szkiecin commented 3 months ago

Hi @VariableVic, any update on this? Customers can see each other's e-mail addresses across sessions, which is pretty hardcore...

tomtwo commented 3 months ago

I've tried to understand what's happening here and have a guess at a temporary fix to avoid the data leaking issues...

I think the issue is that the medusaClient initialised in server actions is reused across user requests. As an SDK that seems to be targeted at client-side usage, there is some behaviour which is unsafe for use on the server – namely the medusaClient.auth.getToken call. When getToken is called, the returned access_token is also stored in the library itself and attached to all future requests.

Instead of calling getToken through the medusaClient, make a request directly to your backend instance:

  // Exchange credentials for an access token without going through the
  // shared medusaClient, so nothing is cached on the module-level instance.
  async function getTokenDirect(credentials) {
    const res = await fetch(`${medusaConfig.baseUrl}/store/auth/token`, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        "x-api-publishable-key": medusaConfig.publishableApiKey ?? "",
      },
      body: JSON.stringify(credentials),
    });
    const data = await res.json();
    return data; // data.access_token is the customer's token
  }

You still get the same data.access_token but now the medusaClient is still unauthorised, and won't accidentally attach the last logged in customer to guest checkout carts...