App based validations and access to cart.metafields

[elvonkh]

We require validation for the shopping cart and checkout to ensure that access to cart.metafields is controlled via Input. At present, Storefront users have the ability to easily modify line item properties, which serve as crucial keys in various applications, particularly when it comes to applying discounts or utilizing app features. To enhance security and prevent potential vulnerabilities, it's imperative to introduce a property that can only be manipulated by the app itself, much like the use of metafields for the cart.

Within cart.metafields applications can securely store data that's essential for conducting cart and checkout validation. This safeguards the integrity of the data, as Storefront users won't have the ability to make unauthorized changes to it.

[nickwesselman]

Hi @elvonkh -- Thanks for the feature request. Support for cart metafields is planned, but keep in mind that they don't have a significant security benefit. They can be set from the client, so they could be manipulated from the browser console or a browser extension.

Data from the client should always be validated. If your application business logic can't be replicated in the function itself, you should sign the values you store on the cart from the server-side of your application, then validate the signature in the function.

[elvonkh]

@nickwesselman Thank you for responding back. Signature is great work around. Will be moving forward with this solution. Thanks!

[sabir-nagarro]

we also wanted to query cart metafields on input query.

[nickwesselman]

Reopening as cart metafields are still an open feature request.

[Cyclodex]

I have checkout-UI-Extension where the user can define that the order is a business order, with some additional fields we attach if so.
These values are saved on metafields during checkout, so I guess its saved on the "Cart", and moved later to the Order when checkout finishes. (When the order is placed, I see the metafields there)

Now I wanted to put a validation function where I would check, if it is a business order (the metafield) and place a validation error on the users company field ($.cart.deliveryGroups[0].deliveryAddress.company) if it is still empty.

I struggled getting this done, and found this discussion here.
So my question, is this a similar problem, that we currently can't access the carts metafield?
I guess there is no other workaround or would have any idea how to reach it this metafield information?
Any est until when this feature might be available?

Thanks a lot!

[Cyclodex]

I found a workaround putting the related value from the checkout extension, into the cart using "attributes", these are accessible in the functions.
But its not 100% perfect, as they appear now in the order details page, which I would not need.
I tried using the private __ prefix, (which hides it from the user) but this has no impact to the order detail page - but I guess I can live with that for the moment.

[patryk-smc]

We have a similar use case. Attributes are not a perfect solution though, would love to read metafields so we have a single source of truth to validate.

[patryk-smc]

Bump for cart.metafields

[psppro26]

@nickwesselman Hi Nick ! any news regarding cart.metafields ?