Skip to content

feat(checkout): CHECKOUT-9821 Add B2B Dev Tool#3252

Merged
bc-peng merged 1 commit into
masterfrom
B2B-DEV-TOOL
May 17, 2026
Merged

feat(checkout): CHECKOUT-9821 Add B2B Dev Tool#3252
bc-peng merged 1 commit into
masterfrom
B2B-DEV-TOOL

Conversation

@bc-peng

@bc-peng bc-peng commented May 15, 2026

Copy link
Copy Markdown
Contributor

What/Why?

Add a removable B2B dev tool to enable calling B2B API.

This tool will be removed as part of CHECKOUT-9979.

Rollout/Rollback

Revert.

Testing

CI.


Note

Medium Risk
Introduces a dev-only path that can override B2B API base URL and client ID at runtime via a URL param, which risks accidental use in non-dev environments and changes how B2B tokens are requested.

Overview
Adds a temporary b2b-dev-tools module that enables a dev-only “B2B Dev Mode” when the enableB2bDevMode URL param is present, hardcoding a B2B baseUrl and appClientId override (with unit tests).

Updates B2BTokenActionCreator.loadB2BToken to resolve b2bApiSettings.clientId/baseUrl through these helpers before calling getB2BToken, so token requests can be redirected to the dev B2B API without changing store config.

Reviewed by Cursor Bugbot for commit 4b73a9f. Bugbot is set up for automated code reviews on this repo. Configure here.

@bc-peng
bc-peng requested a review from a team as a code owner May 15, 2026 05:56

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 4b73a9f. Configure here.

return false;
} catch {
return false;
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dev mode lacks environment guard, activatable in production

High Severity

isB2bDevModeEnabled has no environment guard (e.g., process.env.NODE_ENV !== 'production'), so any end user in production can add ?enableB2bDevMode to the checkout URL. This causes the B2B token flow to use a hardcoded dev appClientId and redirect authentication requests to a different API base URL. The hardcoded credential B2B_DEV_MODE_APP_CLIENT_ID will also be embedded in the production JavaScript bundle.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 4b73a9f. Configure here.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Think it's fine.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah client id is meant to be public.

@bc-donfran bc-donfran left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks safe from a sec perspective

@bc-peng
bc-peng merged commit 4dd221e into master May 17, 2026
9 checks passed
@bc-peng
bc-peng deleted the B2B-DEV-TOOL branch May 17, 2026 23:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants