Update cart.py

cart.py

@@ -1,8 +1,18 @@
-from flask import Blueprint, render_template, request, session, jsonify  # Added jsonify import
+from flask import Blueprint, render_template, request, session, jsonify, redirect, url_for
 from salesforce import get_salesforce_connection
-sf = get_salesforce_connection()
+import re
 
+sf = get_salesforce_connection()
 cart_blueprint = Blueprint('cart', __name__)
+
+# Utility function to sanitize SOQL inputs
+def sanitize_input(value):
+    """Remove potentially dangerous characters for SOQL injection."""
+    if value:
+        # Remove quotes, semicolons, and other dangerous characters
+        value = re.sub(r'[;\'"\\]', '', value)
+    return value
+
 @cart_blueprint.route("/cart", methods=["GET"])
 def cart():
     email = session.get('user_email')
@@ -10,11 +20,13 @@ def cart():
         return redirect(url_for("login"))
 
     try:
+        # Sanitize email input
+        sanitized_email = sanitize_input(email)
         # Fetch cart items with Category and Section
         result = sf.query(f"""
             SELECT Name, Price__c, Quantity__c, Add_Ons__c, Add_Ons_Price__c, Image1__c, Instructions__c, Category__c, Section__c
             FROM Cart_Item__c
-            WHERE Customer_Email__c = '{email}'
+            WHERE Customer_Email__c = '{sanitized_email}'
         """)
         cart_items = result.get("records", [])
 
@@ -24,13 +36,13 @@ def cart():
         customer_result = sf.query(f"""
             SELECT Reward_Points__c 
             FROM Customer_Login__c
-            WHERE Email__c = '{email}'
+            WHERE Email__c = '{sanitized_email}'
         """)
         reward_points = customer_result['records'][0].get('Reward_Points__c', 0) if customer_result['records'] else 0
 
         # Fetch coupons for the user
         coupon_result = sf.query(f"""
-            SELECT Coupon_Code__c FROM Referral_Coupon__c WHERE Referral_Email__c = '{email}'
+            SELECT Coupon_Code__c FROM Referral_Coupon__c WHERE Referral_Email__c = '{sanitized_email}'
         """)
         if coupon_result["records"]:
             raw_coupons = coupon_result["records"][0].get("Coupon_Code__c", "")
@@ -43,10 +55,10 @@ def cart():
 
         # If there are items in the cart, fetch suggestions
         if cart_items:
-            # Get the category and section of the first item in the cart (You can choose which item you want to base suggestions on)
+            # Get the category and section of the first item in the cart
             first_item = cart_items[0]
-            item_category = first_item.get('Category__c', 'All')  # Default to 'All' if not found
-            item_section = first_item.get('Section__c', 'Biryanis')  # Default to 'Biryanis' if not found
+            item_category = first_item.get('Category__c', 'All')
+            item_section = first_item.get('Section__c', 'Biryanis')
 
             # Define section-to-complementary section mapping
             complementary_sections = {
@@ -58,7 +70,7 @@ def cart():
                 'Soft Drinks': ['Starters', 'Biryanis', 'Curries']
             }
 
-            # Get the complementary sections for the selected section
+            # Get the complementary sections
             suggested_sections = complementary_sections.get(item_section, [])
 
             # Fetch suggestions from the complementary sections
@@ -68,7 +80,7 @@ def cart():
                         query = f"""
                             SELECT Name, Price__c, Image1__c
                             FROM Menu_Item__c
-                            WHERE Section__c = '{suggested_section}' 
+                            WHERE Section__c = '{sanitize_input(suggested_section)}' 
                             AND (Veg_NonVeg__c = 'Veg' OR Veg_NonVeg__c = 'Non veg')
                             LIMIT 4
                         """
@@ -76,14 +88,14 @@ def cart():
                         query = f"""
                             SELECT Name, Price__c, Image1__c
                             FROM Menu_Item__c
-                            WHERE Section__c = '{suggested_section}' 
-                            AND Veg_NonVeg__c = '{item_category}'
+                            WHERE Section__c = '{sanitize_input(suggested_section)}' 
+                            AND Veg_NonVeg__c = '{sanitize_input(item_category)}'
                             LIMIT 4
                         """
                     suggestion_result = sf.query(query)
-                    suggestions.extend(suggestion_result.get("records", []))  # Add suggestions from each section
+                    suggestions.extend(suggestion_result.get("records", []))
 
-                # Limit the number of suggestions to 4
+                # Limit to 4 suggestions
                 if len(suggestions) > 4:
                     suggestions = suggestions[:4]
 
@@ -104,24 +116,65 @@ def cart():
         print(f"Error fetching cart items: {e}")
         return render_template("cart.html", cart_items=[], subtotal=0, reward_points=0, coupons=[], suggestions=[])
 
+@cart_blueprint.route("/fetch_menu_items", methods=["GET"])
+def fetch_menu_items():
+    try:
+        # Get query parameters for filtering (optional)
+        category = request.args.get('category', 'All')
+        section = request.args.get('section', '')
+
+        # Sanitize inputs
+        category = sanitize_input(category)
+        section = sanitize_input(section)
+
+        # Build SOQL query
+        query = """
+            SELECT Name, Price__c, Image1__c, Veg_NonVeg__c, Section__c
+            FROM Menu_Item__c
+            WHERE Active__c = true
+        """
+        if category != 'All':
+            query += f" AND Veg_NonVeg__c = '{category}'"
+        if section:
+            query += f" AND Section__c = '{section}'"
+        query += " LIMIT 20"
+
+        result = sf.query(query)
+        menu_items = result.get("records", [])
+
+        return jsonify({"success": True, "menu_items": menu_items})
+
+    except Exception as e:
+        print(f"Error fetching menu items: {e}")
+        return jsonify({"success": False, "error": str(e)}), 500
+
 @cart_blueprint.route("/add_suggestion_to_cart", methods=["POST"])
 def add_suggestion_to_cart():
     try:
         # Get data from the request
         data = request.get_json()
-        item_name = data.get('item_name').strip()
+        item_name = sanitize_input(data.get('item_name').strip())
         item_price = data.get('item_price')
         item_image = data.get('item_image')
-        item_id = data.get('item_id')
-        customer_email = data.get('customer_email')
+        customer_email = sanitize_input(data.get('customer_email'))
         addons = data.get('addons', [])
-        instructions = data.get('instructions', "")
+        instructions = sanitize_input(data.get('instructions', ""))
+
+        # Validate inputs
+        if not all([item_name, item_price, customer_email]):
+            return jsonify({"success": False, "error": "Missing required fields"}), 400
 
-        # Default values if addons and instructions are not provided
+        # Process add-ons
         addons_price = 0
-        addons_string = "None"
+        addons_string = ", ".join(addons) if addons else "None"
+
+        if addons:
+            # Assuming addons are in format "Name ($Price)"
+            addons_price = sum(
+                float(addon.split("($")[1][:-1]) for addon in addons if "($" in addon
+            )
 
-        # Check if the customer already has this item in their cart
+        # Check if item exists in cart
         query = f"""
             SELECT Id, Quantity__c, Add_Ons__c, Add_Ons_Price__c, Instructions__c 
             FROM Cart_Item__c
@@ -130,41 +183,37 @@ def add_suggestion_to_cart():
         result = sf.query(query)
         cart_items = result.get("records", [])
 
-        # If item already exists in the cart, update its quantity and other details
         if cart_items:
+            # Update existing item
             cart_item_id = cart_items[0]['Id']
             existing_quantity = cart_items[0]['Quantity__c']
             existing_addons = cart_items[0].get('Add_Ons__c', "None")
             existing_addons_price = cart_items[0].get('Add_Ons_Price__c', 0)
             existing_instructions = cart_items[0].get('Instructions__c', "")
 
-            # Combine existing and new addons
+            # Combine add-ons
             combined_addons = existing_addons if existing_addons != "None" else ""
             if addons:
-                combined_addons = f"{combined_addons}; {addons}".strip("; ")
+                combined_addons = f"{combined_addons}, {addons_string}".strip(", ")
 
+            # Combine instructions
             combined_instructions = existing_instructions
             if instructions:
                 combined_instructions = f"{combined_instructions} | {instructions}".strip(" | ")
 
-            combined_addons_list = combined_addons.split("; ")
-            combined_addons_price = sum(
-                float(addon.split("($")[1][:-1]) for addon in combined_addons_list if "($" in addon
-            )
+            combined_addons_price = existing_addons_price + addons_price
 
-            # Update the cart item
+            # Update cart item
             sf.Cart_Item__c.update(cart_item_id, {
                 "Quantity__c": existing_quantity + 1,
-                "Add_Ons__c": combined_addons,
+                "Add_Ons__c": combined_addons if combined_addons else "None",
                 "Add_Ons_Price__c": combined_addons_price,
                 "Instructions__c": combined_instructions,
                 "Price__c": (existing_quantity + 1) * float(item_price) + combined_addons_price
             })
         else:
-            # If item doesn't exist in cart, create a new cart item
+            # Create new cart item
             total_price = float(item_price) + addons_price
-
-            # Create a new cart item in Salesforce
             sf.Cart_Item__c.create({
                 "Name": item_name,
                 "Price__c": total_price,
@@ -181,24 +230,26 @@ def add_suggestion_to_cart():
 
     except Exception as e:
         print(f"Error adding item to cart: {str(e)}")
-        return jsonify({"success": False, "error": str(e)})
-@cart_blueprint.route('/remove/<item_name>', methods=['POST'])
+        return jsonify({"success": False, "error": str(e)}), 500
+
+@cart_blueprint.route("/remove/<item_name>", methods=["POST"])
 def remove_cart_item(item_name):
     try:
         customer_email = session.get('user_email')
         if not customer_email:
             return jsonify({'success': False, 'message': 'User email not found. Please log in again.'}), 400
         
+        sanitized_email = sanitize_input(customer_email)
+        sanitized_item_name = sanitize_input(item_name)
         query = f"""
             SELECT Id FROM Cart_Item__c 
-            WHERE Customer_Email__c = '{customer_email}' AND Name = '{item_name}'
+            WHERE Customer_Email__c = '{sanitized_email}' AND Name = '{sanitized_item_name}'
         """
         result = sf.query(query)
         
         if result['totalSize'] == 0:
             return jsonify({'success': False, 'message': 'Item not found in cart.'}), 400
         
-        # If item exists, delete it
         cart_item_id = result['records'][0]['Id']
         sf.Cart_Item__c.delete(cart_item_id)
         return jsonify({'success': True, 'message': f"'{item_name}' removed successfully!"}), 200
@@ -209,22 +260,19 @@ def remove_cart_item(item_name):
 @cart_blueprint.route("/update_quantity", methods=["POST"])
 def update_quantity():
     print("Handling update_quantity request...")
-    data = request.json  # Extract JSON data from the request
-    email = data.get('email')
-    item_name = data.get('item_name')
+    data = request.json
+    email = sanitize_input(data.get('email'))
+    item_name = sanitize_input(data.get('item_name'))
 
     try:
-        # Convert quantity to an integer
         quantity = int(data.get('quantity'))
     except (ValueError, TypeError):
         return jsonify({"success": False, "error": "Invalid quantity provided."}), 400
 
-    # Validate inputs
     if not email or not item_name or quantity is None:
         return jsonify({"success": False, "error": "Email, item name, and quantity are required."}), 400
 
     try:
-        # Query the cart item in Salesforce
         cart_items = sf.query(
             f"SELECT Id, Quantity__c, Price__c, Base_Price__c, Add_Ons_Price__c FROM Cart_Item__c "
             f"WHERE Customer_Email__c = '{email}' AND Name = '{item_name}'"
@@ -233,190 +281,197 @@ def update_quantity():
         if not cart_items:
             return jsonify({"success": False, "error": "Cart item not found."}), 404
 
-        # Retrieve the first matching record
         cart_item_id = cart_items[0]['Id']
         base_price = cart_items[0]['Base_Price__c']
         addons_price = cart_items[0].get('Add_Ons_Price__c', 0)
 
-        # Calculate the new item price
         new_item_price = (base_price * quantity) + addons_price
 
-        # Update the record in Salesforce
         sf.Cart_Item__c.update(cart_item_id, {
             "Quantity__c": quantity,
-            "Price__c": new_item_price,  # Update base price
+            "Price__c": new_item_price,
         })
 
-        # Recalculate the subtotal for all items in the cart
         cart_items = sf.query(f"""
             SELECT Price__c, Add_Ons_Price__c 
             FROM Cart_Item__c 
             WHERE Customer_Email__c = '{email}'
         """)['records']
-        new_subtotal = sum(item['Price__c'] for item in cart_items) 
+        new_subtotal = sum(item['Price__c'] for item in cart_items)
 
-        # Return updated item price and subtotal
         return jsonify({"success": True, "new_item_price": new_item_price, "subtotal": new_subtotal})
 
     except Exception as e:
         print(f"Error updating quantity: {str(e)}")
         return jsonify({"success": False, "error": str(e)}), 500
 
-
 @cart_blueprint.route("/checkout", methods=["POST"])
 def checkout():
     email = session.get('user_email')
-    user_id = session.get('user_name')
-    table_number = session.get('table_number')  # Retrieve table number
-
-    print(f"Session Email: {email}, User ID: {user_id}, Table Number: {table_number}")  # Debugging session data
-
-    if not email or not user_id:
-        print("User not logged in")
-        return jsonify({"success": False, "message": "User not logged in"})
+    if not email:
+        return jsonify({"success": False, "message": "User not logged in"}), 401
 
     try:
-        # Fetch the selected coupon (if any)
+        sanitized_email = sanitize_input(email)
+        # Fetch selected coupon
         data = request.json
         selected_coupon = data.get("selectedCoupon", "").strip() if data.get("selectedCoupon") else None
-        # Now selected_coupon will be None if it's not provided or empty, or a valid string otherwise
-        print(f"Selected Coupon: {selected_coupon}")  # Debugging selected coupon
 
-        # Fetch cart items for the current user
+        # Fetch cart items
         result = sf.query(f"""
             SELECT Id, Name, Price__c, Add_Ons_Price__c, Quantity__c, Add_Ons__c, Instructions__c, Image1__c
             FROM Cart_Item__c
-            WHERE Customer_Email__c = '{email}'
+            WHERE Customer_Email__c = '{sanitized_email}'
         """)
-        
-        # Log the cart items to see if they are fetched correctly
         cart_items = result.get("records", [])
-        print(f"Cart Items Retrieved: {cart_items}")  # Debugging log
-
         if not cart_items:
-            print("Cart is empty")
-            return jsonify({"success": False, "message": "Cart is empty"})
-
-        total_price = sum(item['Price__c'] for item in cart_items)
-        print(f"Total Price: {total_price}")  # Debugging total price calculation
+            return jsonify({"success": False, "message": "Cart is empty"}), 400
 
+        subtotal = sum(item['Price__c'] for item in cart_items)
         discount = 0
 
-        # Fetch the user's existing coupons
-        coupon_query = sf.query(f"""
-            SELECT Id, Coupon_Code__c FROM Referral_Coupon__c WHERE Referral_Email__c = '{email}'
+        # Apply coupon if selected
+        if selected_coupon:
+            discount = subtotal * 0.10  # 10% discount
+
+        total = subtotal - discount
+
+        # Prepare cart items for response
+        bill_items = [
+            {
+                "name": item['Name'],
+                "quantity": item['Quantity__c'],
+                "price": item['Price__c'],
+                "addons": item.get('Add_Ons__c', 'None'),
+                "instructions": item.get('Instructions__c', 'None'),
+                "image": item['Image1__c']
+            } for item in cart_items
+        ]
+
+        # Fetch menu items for "Anything else you want?"
+        menu_query = """
+            SELECT Name, Price__c, Image1__c, Veg_NonVeg__c, Section__c
+            FROM Menu_Item__c
+            WHERE Active__c = true
+            LIMIT 20
+        """
+        menu_result = sf.query(menu_query)
+        menu_items = menu_result.get("records", [])
+
+        return jsonify({
+            "success": True,
+            "cart": {
+                "items": bill_items,
+                "subtotal": subtotal,
+                "discount": discount,
+                "total": total,
+                "selected_coupon": selected_coupon
+            },
+            "menu_items": menu_items
+        })
+
+    except Exception as e:
+        print(f"Error during checkout: {str(e)}")
+        return jsonify({"success": False, "error": str(e)}), 500
+
+@cart_blueprint.route("/submit_order", methods=["POST"])
+def submit_order():
+    email = session.get('user_email')
+    user_id = session.get('user_name')
+    table_number = session.get('table_number')
+
+    if not email or not user_id:
+        return jsonify({"success": False, "message": "User not logged in"}), 401
+
+    try:
+        sanitized_email = sanitize_input(email)
+        data = request.json
+        cart = data.get("cart")
+        if not cart:
+            return jsonify({"success": False, "message": "Cart data is required"}), 400
+
+        # Fetch cart items to validate
+        result = sf.query(f"""
+            SELECT Id, Name, Price__c, Add_Ons_Price__c, Quantity__c, Add_Ons__c, Instructions__c, Image1__c
+            FROM Cart_Item__c
+            WHERE Customer_Email__c = '{sanitized_email}'
         """)
-        print(f"Coupon Query Results: {coupon_query}")  # Debugging coupon query results
+        cart_items = result.get("records", [])
+        if not cart_items:
+            return jsonify({"success": False, "message": "Cart is empty"}), 400
 
-        has_coupons = bool(coupon_query["records"])
-        print(f"Has Coupons: {has_coupons}")  # Debugging coupon presence check
+        subtotal = cart.get("subtotal")
+        discount = cart.get("discount", 0)
+        total = cart.get("total")
+        selected_coupon = cart.get("selected_coupon")
 
+        # Handle coupon redemption
         if selected_coupon:
-            # Apply 10% discount if a valid coupon is selected
-            discount = total_price * 0.10  # Example: 10% discount
-            print(f"Discount Applied: {discount}")  # Debugging discount calculation
-            
-            referral_coupon_id = coupon_query["records"][0]["Id"]
-            print(f"Referral Coupon ID: {referral_coupon_id}")  # Debugging referral coupon ID
-
-            existing_coupons = coupon_query["records"][0]["Coupon_Code__c"].split("\n")
-            print(f"Existing Coupons Before Removal: {existing_coupons}")  # Debugging existing coupons
-
-            # Remove the selected coupon from the list of existing coupons
-            updated_coupons = [coupon for coupon in existing_coupons if coupon.strip() != selected_coupon]
-            updated_coupons_str = "\n".join(updated_coupons).strip()
-
-            print(f"Updated Coupons After Removal: {updated_coupons}")  # Debugging updated coupons
-
-            # If no coupons remain, set the field to None (not empty string)
-            if not updated_coupons:
-                updated_coupons_str = None  # Set to None if no coupons are left
-                print("No Coupons Remaining. Setting to None")  # Debugging no coupons left
-
-            # Update the Referral_Coupon__c record
-            print(f"Updating Referral Coupon: {updated_coupons_str}")  # Debugging update to Salesforce
-            sf.Referral_Coupon__c.update(referral_coupon_id, {
-                "Coupon_Code__c": updated_coupons_str
-            })
-        else:
-            # If no coupon is selected, add reward points
-            reward_points_to_add = total_price * 0.10  # Example: 10% reward points
-            print(f"Reward Points to Add: {reward_points_to_add}")  # Debugging reward points
+            coupon_query = sf.query(f"""
+                SELECT Id, Coupon_Code__c FROM Referral_Coupon__c WHERE Referral_Email__c = '{sanitized_email}'
+            """)
+            if coupon_query["records"]:
+                referral_coupon_id = coupon_query["records"][0]["Id"]
+                existing_coupons = coupon_query["records"][0]["Coupon_Code__c"].split("\n")
+                updated_coupons = [coupon for coupon in existing_coupons if coupon.strip() != selected_coupon]
+                updated_coupons_str = "\n".join(updated_coupons).strip() or None
+                sf.Referral_Coupon__c.update(referral_coupon_id, {
+                    "Coupon_Code__c": updated_coupons_str
+                })
 
-            # Fetch current reward points
+        # Add reward points if no coupon
+        if not selected_coupon:
+            reward_points_to_add = subtotal * 0.10
             customer_record = sf.query(f"""
                 SELECT Id, Reward_Points__c FROM Customer_Login__c
-                WHERE Email__c = '{email}'
+                WHERE Email__c = '{sanitized_email}'
             """)
-            print(f"Customer Reward Points Query: {customer_record}")  # Debugging customer reward points query
-            
-            customer = customer_record.get("records", [])[0] if customer_record else None
-            if customer:
-                current_reward_points = customer.get("Reward_Points__c") or 0
-                print(f"Current Reward Points: {current_reward_points}")  # Debugging current reward points
+            if customer_record["records"]:
+                customer = customer_record["records"][0]
+                current_reward_points = customer.get("Reward_Points__c", 0)
                 new_reward_points = current_reward_points + reward_points_to_add
-                print(f"New Reward Points: {new_reward_points}")  # Debugging new reward points calculation
-
-                # Update reward points
                 sf.Customer_Login__c.update(customer["Id"], {
                     "Reward_Points__c": new_reward_points
                 })
 
-        # Final total bill calculation
-        total_bill = total_price - discount
-        print(f"Total Bill After Discount: {total_bill}")  # Debugging final total bill
-
-        # Store all order details (before deleting cart items)
+        # Prepare order details
         order_details = "\n".join(
             f"{item['Name']} x{item['Quantity__c']} | Add-Ons: {item.get('Add_Ons__c', 'None')} | "
             f"Instructions: {item.get('Instructions__c', 'None')} | "
             f"Price: ${item['Price__c']} | Image: {item['Image1__c']}"
             for item in cart_items
         )
-        print(f"Order Details: {order_details}")  # Debugging order details
 
-        # Fetch Customer ID from Customer_Login__c
+        # Fetch Customer ID
         customer_query = sf.query(f"""
             SELECT Id FROM Customer_Login__c
-            WHERE Email__c = '{email}'
+            WHERE Email__c = '{sanitized_email}'
         """)
-        
         customer_id = customer_query["records"][0]["Id"] if customer_query["records"] else None
-        print(f"Customer ID: {customer_id}")  # Debugging customer ID retrieval
-
         if not customer_id:
-            print("Customer record not found")
-            return jsonify({"success": False, "message": "Customer record not found in Salesforce"})
-        table_number = table_number if table_number != 'null' else None  # Ensure 'null' string is replaced with None
-        # Store order data
+            return jsonify({"success": False, "message": "Customer record not found"}), 404
+
+        table_number = table_number if table_number != 'null' else None
         order_data = {
             "Customer_Name__c": user_id,
             "Customer_Email__c": email,
-            "Total_Amount__c": total_price,
+            "Total_Amount__c": subtotal,
             "Discount__c": discount,
-            "Total_Bill__c": total_bill,
+            "Total_Bill__c": total,
             "Order_Status__c": "Pending",
             "Customer2__c": customer_id,
             "Order_Details__c": order_details,
-            "Table_Number__c": table_number  # Store table number
+            "Table_Number__c": table_number
         }
-        print(f"Order Data: {order_data}")  # Debugging order data
-
-        # Create the order in Salesforce
         order_response = sf.Order__c.create(order_data)
-        print(f"Order Response: {order_response}")  # Debugging order creation response
 
-        # Ensure the order was created successfully before deleting cart items
+        # Delete cart items
         if order_response:
-            # Only delete cart items after the order is created
             for item in cart_items:
-                print(f"Deleting Cart Item: {item['Id']}")  # Debugging cart item deletion
                 sf.Cart_Item__c.delete(item["Id"])
 
-        return jsonify({"success": True, "message": "Order placed successfully!", "discount": discount, "totalBill": total_bill})
+        return jsonify({"success": True, "message": "Order placed successfully!"})
 
     except Exception as e:
-        print(f"Error during checkout: {str(e)}")  # Debugging error message
-        return jsonify({"success": False, "error": str(e)})
-
-
+        print(f"Error during order submission: {str(e)}")
+        return jsonify({"success": False, "error": str(e)}), 500