Luuk Van Dongen

Reputation: 2501

Retrieving/storing cart data over REST api

I am managing multiple stores and since that is becoming a hassle I want to move to a new setup where there is one API that is consumed by all the stores. I want to use Laravel for the stores as well as for the API. Since the apps are e-commerce focused I do need to store the customer carts somewhere and I want them to be available through the API as well. The thing is that I don't have lots of experience with 'RESTful' and stateless programming/thinking, especially not on the subject of saving something like cart data, but I'm really eager to learn about it.

So the carts can't be stored in a PHP/Laravel session like they would be in a normal web app since the API is stateless. Therefore I came up with the following solution (example of adding a product to a cart):

  1. When performing a call to a cart endpoint check if there is a cart identifier in the session of the client app and if there is not, create one. Always send this unique identifier along when requesting a cart related endpoint on the API.

    // On the client app ($http is a Guzzle client; the options array wraps the JSON payload)
    $http->post('https://api.mainapp.com/cart/add', [
      'json' => [
        'product_id' => 1,
        'cart_identifier' => session()->get('cart_identifier'),
      ],
    ]);
    
  2. The cart endpoints check if a unique identifier is provided and retrieve a cart from the database by the unique identifier

    // On the API server (where() takes column and value as separate arguments)
    $cart = Cart::where('cart_identifier', 'qgbwaqt4jibijycDhY4U')->firstOrFail();
    return $cart->addToCart(['product_id' => 1]);
    

  3. If there is no cart for the unique identifier create a new cart and perform the action on the new cart.

    // On the API server
    $newCart = Cart::create(['cart_identifier' => 'qgbwaqt4jibijycDhY4U']);
    $newCart->addToCart(['product_id' => 1]);
  4. Laravel uses timestamps so the cart table's timestamps will be modified when something is added to the cart. Therefore I just want to run a script that cleans up the db table, removing all the old carts that have an updated_at timestamp that is older than, for example, 3 months. By then the client app's session is long expired and these carts won't be accessed anyway.

    // On the API server (requires `use Carbon\Carbon;`; delete() returns the number of rows removed)
    $deleted = Cart::where('updated_at', '<=', Carbon::now()->subMonths(3))->delete();
    

So now my question: is this a good solution (and I know that is really subjective) for retrieving and storing cart data over a RESTful API? Is it safe or does it have any vulnerabilities? I've never programmed something like this before and I just want to check if my way of thinking fits in the stateless/RESTful mindset and if I'm on track.

Thanks in advance!!

Upvotes: 0

Views: 2951
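In the design above the cart identifier is the only thing a caller needs to read or modify a cart, so its entropy and the server's handling of it decide how safe the scheme is. The following is an added example (not the question author's code) of the API side of steps 2 and 3 written with that in mind: the server mints the identifier with a CSPRNG and refuses to create carts for identifiers it never issued, which differs from step 3 where an unknown client-supplied value is accepted. It assumes a `Cart` Eloquent model with a fillable, unique `cart_identifier` column and the question's `addToCart()` method, and lives in `routes/api.php`.

```php
<?php
// Added example, not from the original post. Assumed: App\Models\Cart with a
// unique `cart_identifier` column (fillable) and an addToCart() method.

use App\Models\Cart;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

// The identifier acts as a bearer token for the cart, so it must be
// unguessable. Str::random() draws from random_bytes(); 40 alphanumerics
// give roughly 238 bits of entropy. Never derive it from a sequence or a
// hash of something a caller could know.
function newCartIdentifier(): string
{
    return Str::random(40);
}

Route::post('/cart/add', function (Request $request) {
    // Only accept exactly the shape the server issues; anything else is
    // rejected before it reaches the database query.
    $data = $request->validate([
        'cart_identifier' => ['nullable', 'string', 'regex:/^[A-Za-z0-9]{40}$/'],
        'product_id'      => ['required', 'integer', 'min:1'],
    ]);

    if (empty($data['cart_identifier'])) {
        // No identifier yet: the server mints one rather than letting the
        // client pick a value, so every cart gets a high-entropy identifier.
        $cart = Cart::create(['cart_identifier' => newCartIdentifier()]);
    } else {
        // Identifier present but unknown: 404, not a silent create. This
        // stops a caller from "claiming" an arbitrary (possibly low-entropy)
        // identifier that another client might later be handed.
        $cart = Cart::where('cart_identifier', $data['cart_identifier'])->firstOrFail();
    }

    $cart->addToCart(['product_id' => $data['product_id']]);
    $cart->touch(); // bump updated_at so the 3-month cleanup keeps live carts

    // Hand the identifier back; the client stores it (session or localStorage)
    // and sends it on every later cart call.
    return response()->json(['cart_identifier' => $cart->cart_identifier]);
});
```

Because the identifier is never shown in a URL, it stays out of access logs and Referer headers; the `touch()` call is what makes the updated_at based cleanup from step 4 safe to run.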

Answers (2)

Tarek Adam

Reputation: 3525

Sounds like you've got something that works... so you can leave it at that. However, if we're just brainstorming ~ I might have done something like this...

  1. Put state in redis with 3 month TTL on records.
  2. Keep cart_identifier in localstorage
  3. Use node/redis to populate cart on site load or periodically.

Something like above would:

  • keep state outside of sessions, which you are correct to be doing already so that you can scale.
  • allow php/server side events (like out-of-stock) to update redis and push to browser from node.
  • another fantastic benefit goes here to complete a list of 3!

Upvotes: 1

Kamil Kiełczewski

Reputation: 92457

Alternative solution:

Maybe try to use Laravel Cashier in the backend part.

My experience says that using a RESTful API is good for this, however you should make some protection against CSRF, XSS, XST attacks (by using for instance http-only cookies with CSRF_TOKEN etc.) at the frontend-backend edge.

Upvotes: 0
