Changed to use token: Spree.api_key

[sanchojaf]

authenticity_token: AUTH_TOKEN by token: Spree.api_key

[jhawthorn]

These aren't the same thing. AUTH_TOKEN/authenticity_token is the form_authenticity_token, token/Spree.api_key is a key for the api.

Spree.ajax will already send an API key (via the X-Spree-Token header).

Is there an issue this is attempting to solve?

[sanchojaf]

Hi

I had several issues in my migration from spree to solidus with

authenticity_token: AUTH_TOKEN, with different methods.

I added this comment in solidus slack channel:

Do you have any recommendation, when should be used in JS for authorization:
token: Spree.api_key
instead of
authenticity_token: AUTH_TOKEN

In the backend (not only for the API) both approaches are used, looks like some authenticity_token: AUTH_TOKEN in Spree are now 'token: Spree.api_key', but not all have been changed, then I am not clear if I have to use one over the other in some contexts

One of the answer was:

gmacdougall [10:49 AM] miguel: Spree.api_key is preferred
I don't know if the other one still works at all

I reviewed and I found only 3 place where is keep used
authenticity_token: AUTH_TOKEN
I suppose that is an issue.

[cbrunsdon]

@sanchojaf without this change whats the actual error you're experiencing? some kind of CSRF error? are you able to write a spec that would fail without the change in it? I'm also having a hard time understanding why we want to change this.

[cbrunsdon]

Hey @sanchojaf, I looked into this a bit more and talked with @jhawthorn IRL to give me a bit of background.

The Spree.ajax call should already append the Spree.api_key as the token:, so I think to achieve your fix all you should need to do is remove the authenticity_token without also adding the token.

If you can update your PR to do just that I'd be 👍 on it.

[sanchojaf]

Thanks @cbrunsdon for your feedback. I updated the pull request. Thanks.

[cbrunsdon]

Cool, this is good by me now, thanks @sanchojaf 👍

[jhawthorn]

Thanks @sanchojaf