Authentication and Authorization

Exploitation of access control vulnerabilities is a core skill of attackers. To combat this, enforce server-side access control checks for business functions such as account management operations, order management operations, and purchasing operations.

If you use the Storefront Reference Architecture (SFRA) in your cartridge path, you can use its userLoggedIn middleware capability to check whether the request is from an authenticated user. This middleware exposes the validateLoggedIn function to check whether the user is authenticated to invoke the function, and the validateLoggedInAjax function to validate whether a user is authenticated from an AJAX request.

var server = require('server');
var consentTracking = require('*/cartridge/scripts/middleware/consentTracking');
var userLoggedIn = require('*/cartridge/scripts/middleware/userLoggedIn');

server.get(
    'Show',
    server.middleware.https,          // reject plain-HTTP requests
    userLoggedIn.validateLoggedIn,    // send anonymous users to login before the route body runs
    consentTracking.consent,
    function (req, res, next) {
        var CustomerMgr = require('dw/customer/CustomerMgr');
        var Resource = require('dw/web/Resource');
        var URLUtils = require('dw/web/URLUtils');
        // ... business logic for the account page goes here ...
        next();
    }
);

module.exports = server.exports();

This code snippet includes the middleware userLoggedIn for an exposed business function.
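To make the ordering concrete, here is an added, self-contained stand-in (not SFRA's own code) for an SFRA-style middleware chain: it shows that when the logged-in check sits in front of the business function, an anonymous browser request is redirected and an anonymous AJAX request gets a 401 JSON response, and in both cases the route body never executes. Only the req.currentCustomer.profile shape is borrowed from SFRA; the redirect target, the JSON shape, the runRoute router and the sample requests are assumptions constructed for this example.

```javascript
// Added example, not SFRA's own code. A simplified stand-in for the
// userLoggedIn middleware: the real SFRA control flow differs, but the
// security property is the same: the check runs before the route body.
var userLoggedIn = {
    validateLoggedIn: function (req, res, next) {
        if (!req.currentCustomer || !req.currentCustomer.profile) {
            res.redirectUrl = 'Login-Show'; // assumed target: browser request goes to login
            return;                         // no next(): the business function is skipped
        }
        next();
    },
    validateLoggedInAjax: function (req, res, next) {
        if (!req.currentCustomer || !req.currentCustomer.profile) {
            res.statusCode = 401;           // AJAX request: JSON status, not a redirect
            res.body = { loggedin: false, redirectUrl: 'Login-Show' }; // assumed shape
            return;
        }
        next();
    }
};

// Minimal router: runs steps left to right; a step that does not call
// next() ends the request, so everything after it is never reached.
function runRoute(steps, req) {
    var res = { statusCode: 200, redirectUrl: null, body: null };
    var i = 0;
    function next() {
        var step = steps[i++];
        if (step) { step(req, res, next); }
    }
    next();
    return res;
}

// Business function that must only be reachable through the check above.
function showAccount(req, res, next) {
    res.body = { account: req.currentCustomer.profile.email };
    next();
}

// Constructed sample requests: an anonymous visitor and a logged-in customer.
var anonymous = { currentCustomer: { profile: null } };
var customer  = { currentCustomer: { profile: { email: 'jane@example.com' } } };

function pageRoute(req) { return runRoute([userLoggedIn.validateLoggedIn, showAccount], req); }
function ajaxRoute(req) { return runRoute([userLoggedIn.validateLoggedInAjax, showAccount], req); }
```

Run pageRoute and ajaxRoute with both sample requests: only the logged-in customer ever reaches showAccount.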

If you use SiteGenesis in your cartridge path, you can use guards to wrap controller functions when they are exported. The functions specified in the guard module act as a request filter. You can specify multiple levels of access to controller functionality.

This example shows an edit profile controller that requires HTTPS and that the user is logged in.

var guard = require('~/cartridge/scripts/guard');
exports.EditProfile = guard.ensure(['get', 'https', 'loggedIn'], editProfile);