Guest carts are addressed by cart ID, so anyone who obtains that ID can retrieve the guest's cart or modify it. With a stolen cart ID an attacker could read billing address information, or change the shipping address before checkout is finalized. The cart ID is a ULID, which is virtually impossible to guess, but depending on how the cart ID is stored and logged it could be extracted in other ways. For that reason Broadleaf provides an optional mechanism that adds a layer of security for guest carts entering the checkout phase: the Guest Checkout Token.
Prior to checkout, a new guest token may be generated using generateGuestToken, and then validated using validateGuestToken.
This token should then be sent with all subsequent checkout and cart operations in the X-Guest-Token header.
The header value is parsed by GuestTokenHandlerMethodArgumentResolver and then validated against the resolved cart during checkout operations by GuestCartTokenValidator.
If a guest token is not provided to a checkout operation, such as updating the billing address, the request will fail with an unauthorized status.
If a guest token is not provided to a normal cart operation, such as adding an item to the cart, the request will succeed, but any personal information will be scrubbed out of the returned cart.
If the token is lost and a new one is generated, the previous token is revoked and any personal information in the cart is scrubbed permanently. This ensures that a would-be attacker holding only the cart ID cannot simply generate their own guest token to gain access to the user's personal information.
This additional guest token mechanism can be enabled or disabled using the broadleaf.cartoperation.validation.guest-token.enabled property.
There may be good reasons to disable this for your use case: ULIDs are difficult to guess, and validating the guest token adds overhead to every cart and checkout operation. However, if you want to err on the side of lower risk, this mechanism is a useful tool.
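The following is an added example that models the token behaviour described above (token generation and validation, the X-Guest-Token header, the unauthorized-versus-scrubbed distinction between checkout and cart operations, revocation on regeneration, and the enable/disable property). It is not Broadleaf's code: the class and method names, the in-memory cart store, the hashed-token storage and the cart ID are assumptions made for illustration, and the real resolver and validator are Spring components with their own APIs.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Fields the page treats as personal information that must be scrubbed.
PII_FIELDS = ("billing_address", "shipping_address")


@dataclass
class GuestCart:
    cart_id: str                       # a ULID in Broadleaf; opaque here
    items: list = field(default_factory=list)
    billing_address: str | None = None
    shipping_address: str | None = None
    token_hash: str | None = None      # store a hash, not the token itself


class Unauthorized(Exception):
    """Checkout operation called without a valid X-Guest-Token."""


class GuestCartService:
    """Hypothetical service; mirrors the documented semantics only."""

    def __init__(self, guest_token_enabled: bool = True):
        # Stands in for broadleaf.cartoperation.validation.guest-token.enabled
        self.guest_token_enabled = guest_token_enabled
        self.carts: dict[str, GuestCart] = {}

    def create_cart(self, cart_id: str) -> GuestCart:
        self.carts[cart_id] = GuestCart(cart_id=cart_id)
        return self.carts[cart_id]

    def generate_guest_token(self, cart_id: str) -> str:
        """Issue a fresh token. If one already exists it is revoked and the
        cart's personal information is scrubbed permanently, so knowing the
        cart ID alone never yields the previous guest's data."""
        cart = self.carts[cart_id]
        if cart.token_hash is not None:
            for f in PII_FIELDS:
                setattr(cart, f, None)
        token = secrets.token_urlsafe(32)
        cart.token_hash = hashlib.sha256(token.encode()).hexdigest()
        return token

    def validate_guest_token(self, cart_id: str, token: str | None) -> bool:
        if not self.guest_token_enabled:
            return True                # property disabled: nothing to check
        cart = self.carts[cart_id]
        if token is None or cart.token_hash is None:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        return hmac.compare_digest(presented, cart.token_hash)  # constant time

    @staticmethod
    def parse_guest_token(headers: dict) -> str | None:
        """Stand-in for the argument resolver: read X-Guest-Token, case-insensitively."""
        for name, value in headers.items():
            if name.lower() == "x-guest-token":
                return value.strip() or None
        return None

    def update_billing_address(self, cart_id: str, address: str, headers: dict) -> GuestCart:
        """Checkout operation: no valid token means an unauthorized failure."""
        if not self.validate_guest_token(cart_id, self.parse_guest_token(headers)):
            raise Unauthorized("X-Guest-Token missing or invalid")
        cart = self.carts[cart_id]
        cart.billing_address = address
        return cart

    def add_item(self, cart_id: str, sku: str, headers: dict) -> dict:
        """Normal cart operation: always succeeds, but the returned view only
        carries personal information when the token validates."""
        cart = self.carts[cart_id]
        cart.items.append(sku)
        show_pii = self.validate_guest_token(cart_id, self.parse_guest_token(headers))
        view = {"cart_id": cart.cart_id, "items": list(cart.items)}
        for f in PII_FIELDS:
            view[f] = getattr(cart, f) if show_pii else None
        return view


def demo() -> dict:
    """Run the flows the page describes and return what each produced."""
    svc = GuestCartService()
    cart_id = "guest-cart-001"          # constructed id for the example
    svc.create_cart(cart_id)
    token = svc.generate_guest_token(cart_id)
    auth = {"X-Guest-Token": token}
    out = {}
    try:                                # checkout op without token
        svc.update_billing_address(cart_id, "1 Main St", {})
        out["checkout_without_token"] = "allowed"
    except Unauthorized:
        out["checkout_without_token"] = "unauthorized"
    svc.update_billing_address(cart_id, "1 Main St", auth)   # with token: ok
    out["add_item_with_token"] = svc.add_item(cart_id, "SKU-1", auth)["billing_address"]
    out["add_item_without_token"] = svc.add_item(cart_id, "SKU-2", {})["billing_address"]
    # Attacker who only has the cart ID regenerates the token: the original
    # token is revoked and the PII is gone, even for the new token holder.
    attacker_token = svc.generate_guest_token(cart_id)
    out["old_token_still_valid"] = svc.validate_guest_token(cart_id, token)
    out["pii_after_regeneration"] = svc.add_item(
        cart_id, "SKU-3", {"X-Guest-Token": attacker_token})["billing_address"]
    return out
```

Running `demo()` shows the four outcomes the page describes: the checkout call without a header is rejected, the cart call without a header succeeds with the billing address blanked, and once the token is regenerated the original token no longer validates and the billing address is gone for good. Constructing the service with `guest_token_enabled=False` skips validation entirely, which is the trade-off the property exposes.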