Skip to content

Checkout carts are email-bound, not customer-linked (cart.customer_id unset) #284

Description

@kilbot

Surfaced by a Codex review during the save-card work (wcpos-com#283 / wcpos-medusa#67).

Problem

/api/store/cart creates carts with email: customer.email but does not forward the customer JWT to Medusa's createCart (src/services/core/external/medusa-client.ts). So cart.customer_id stays unset — carts (and the orders completed from them) are email-bound guests, not linked to the authenticated Medusa customer.

All storefront ownership checks already cope by comparing cart.email === customer.email, and the CustomerSession endpoint was just aligned to that model (wcpos-medusa#67). So this isn't blocking anything today.

Why it's worth fixing

Fix direction

Forward the auth token on createCart (and updateCart) the way createPaymentCollection/createPaymentSession already do (buildAuthHeaders(authToken) in the /api/store/cart route). Medusa then sets cart.customer_id from the auth context. Verify no side effects on the existing checkout, and that completed orders become customer-linked.

Medium change to a working flow — its own PR, with care.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions