Description
Affected plugin: wpackagist-plugin/cocart-jwt-authentication
Broken version: 2.5.0
Working version: 2.4.0
Stack: WooCommerce + CoCart + WP REST Cache (disabled during testing)
Hosting: AWS (us-east-1)
Reproducibility: Always
Problem description
After upgrading to 2.5.0 of the cocart-jwt-authentication plugin, guest (non-authenticated) users are no longer able to interact with the cart. Specifically, the following request fails:
GET /wp-json/cocart/v1/get-cart
Response:
HTTP/1.1 500 Internal Server Error
This occurs even with WP REST Cache fully disabled and no other caching layer interfering.
Rollback confirmation
Rolling back to version 2.4.0 immediately resolves the issue:
- Guest cart sessions (wp_cocart_session) work as expected
- Cart can be used without authentication
- GET /get-cart returns valid JSON
Additional curl test
curl -i https://yourdomain.com/wp-json/cocart/v1/get-cart
- On 2.5.0: returns 500 Internal Server Error
- On 2.4.0: returns expected cart object
Hypothesis
Version 2.5.0 may have altered how anonymous sessions are initialized in CoCart, or it may unintentionally enforce authentication headers (JWT) even when none are provided.
Request
Please investigate changes introduced in 2.5.0 related to session handling for non-authenticated users. If this is a bug, a patch release (e.g., 2.5.1) would be greatly appreciated. Otherwise, please document any new behavior or breaking changes introduced.
Temporary solution
Reverting to cocart-jwt-authentication version 2.4.0 fixes the issue and restores expected cart behavior for guest users.