Skip to content

fix(theme): don't send Bearer token to cart/checkout/account proxy en…#8027

Open
gotesgan wants to merge 1 commit into
Shopify:mainfrom
gotesgan:main
Open

fix(theme): don't send Bearer token to cart/checkout/account proxy en…#8027
gotesgan wants to merge 1 commit into
Shopify:mainfrom
gotesgan:main

Conversation

@gotesgan

@gotesgan gotesgan commented Jul 7, 2026

Copy link
Copy Markdown

Fix cart AJAX authentication in theme dev proxy

WHY are these changes introduced?

Fixes #7568.

When running shopify theme dev, Cart AJAX endpoints (such as /cart/add.js, /cart.js, /cart.json, /cart/change.js, and /cart/update.js) return 401 or 403 responses.

The proxy currently attaches an Authorization: Bearer <storefrontToken> header to every request. However, Cart AJAX endpoints authenticate using the storefront session cookie rather than a Storefront API access token. Because the Bearer token is present, SFR attempts token-based authentication instead of cookie-based authentication. The CLI's storefront token does not include the required cart scopes, causing these requests to fail.

This behavior was previously fixed in commit d0e135b8f, but was later reverted in 11240b342. This PR restores the same behavior while adapting the implementation to the current codebase.

WHAT is this pull request doing?

  • Adds a CART_SESSION_PATTERN regex to match cart endpoints (/cart, /cart.js, /cart.json, and /cart/*).

  • Introduces a needsBearerToken() helper that determines whether a request should include the Authorization header.

  • Skips sending the Bearer token for:

    • Cart endpoints
    • Checkout endpoints
    • Customer account endpoints
  • Continues sending the Bearer token for all other requests that require Storefront API authentication.

  • Adds 9 new unit tests covering authentication behavior for:

    • Cart endpoints
    • Checkout endpoints
    • Customer account endpoints
    • CDN and asset requests
    • Theme extension requests

How to test your changes?

Run the proxy test suite:

pnpm vitest run packages/theme/src/cli/utilities/theme-environment/proxy.test.ts

Expected result:

  • All 47 tests pass.
  • Cart AJAX requests no longer return 401/403 while running shopify theme dev.
  • Non-cart requests continue to include the Bearer token and behave as before.

Post-release steps

None.

Checklist

  • I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • I've considered possible documentation changes
  • I've considered analytics changes to measure impact
  • The change is user-facing — this is a bug fix, so a patch changeset has been added.

…dpoints

Cart AJAX endpoints (/cart/add.js, /cart.js, /cart.json, etc.) use
session-cookie auth. Sending Authorization: Bearer causes SFR to select
token auth, which lacks cart scopes and returns 401.

Previously fixed in d0e135b, reverted in 11240b3. Re-applying with
updated codebase context.
@gotesgan gotesgan requested review from a team as code owners July 7, 2026 17:34
@gotesgan

gotesgan commented Jul 7, 2026

Copy link
Copy Markdown
Author

I have signed the CLA

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

POST /cart/add returns 401 → 403 with Clear-Site-Data header via local dev proxy

1 participant