From 42c38f7da867795ee5714ab891b173e7f3f1bb4d Mon Sep 17 00:00:00 2001
From: Parsa Nazer
Date: Fri, 22 May 2026 19:16:08 +0330
Subject: [PATCH] fix torob
---
 backend/product/torob_api.py | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/backend/product/torob_api.py b/backend/product/torob_api.py
index 3920cd5..28d2527 100644
--- a/backend/product/torob_api.py
+++ b/backend/product/torob_api.py
@@ -53,15 +53,16 @@ class TorobProductsRequestSerializer(serializers.Serializer):
 modes = [name for name in ("page_urls", "page_uniques", "page") if name in attrs]
 if len(modes) != 1:
- raise serializers.ValidationError(
- "invalid request body"
- )
+ raise serializers.ValidationError("invalid request body")
 if "page" in attrs and "sort" not in attrs:
- raise serializers.ValidationError({"sort": "sort parameter is not provided"})
+ raise serializers.ValidationError({"sort": ["sort parameter is not provided"]})
 if "page" not in attrs and "sort" in attrs:
- raise serializers.ValidationError({"sort": "sort parameter is invalid"})
+ raise serializers.ValidationError({"sort": ["sort parameter is invalid"]})
+
+ if ("page_urls" in attrs or "page_uniques" in attrs) and "sort" in attrs:
+ raise serializers.ValidationError("invalid request body")
 return attrs
@@ -226,7 +227,6 @@ def _serialize_variant(request, product: ProductModel, variant: ProductVariant)
 "date_added": _variant_date_added(product, variant),
 "date_updated": _variant_date_updated(product, variant),
 "seller_name": product.shop.shop_name if product.shop else None,
- "seller_city": _truncate_text(product.shop.city if product.shop else None, 200),
 }
 if old_price is not None and old_price > current_price:
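Review bot: The added `if ("page_urls" in attrs or "page_uniques" in attrs) and "sort" in attrs:` branch at the end of the `@@ -53,15 +53,16 @@` hunk cannot be reached. After the `len(modes) != 1` check exactly one mode key is present, so `page_urls` or `page_uniques` implies `page` is absent, and the preceding `"page" not in attrs and "sort" in attrs` check has already raised the `sort` field error. If the generic `"invalid request body"` response is the intended one for that case, move the new check above the two `sort` checks; otherwise drop it so the validator has a single rejection path per input. The enclosing method starts above the hunk, so this assumes `attrs` is not modified before these lines.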
@@ -253,11 +253,18 @@ def _validate_torob_token(request) -> None:
 key=TOROB_PUBLIC_KEY,
 algorithms=["EdDSA"],
 audience=_get_hostname_from_request(request),
+ options={"require": ["exp", "nbf", "aud"]},
 )
 logger.debug("Token validated successfully")
+ except jwt.MissingRequiredClaimError as exc:
+ logger.warning(f"Missing required JWT claim: {exc}")
+ raise
 except jwt.ExpiredSignatureError:
 logger.warning("Token has expired")
 raise
+ except jwt.ImmatureSignatureError:
+ logger.warning("Token is not yet valid")
+ raise
 except jwt.InvalidAudienceError:
 logger.warning(f"Audience mismatch for request from {request.get_host()}")
 raise
@@ -284,15 +291,6 @@ class TorobProductSyncView(APIView):
 permission_classes = []
 def post(self, request):
- # Validate Content-Type header
- content_type = request.META.get('CONTENT_TYPE', '').split(';')[0].strip()
- if content_type != 'application/json':
- logger.warning(f"Invalid Content-Type: {content_type}")
- return Response(
- {"error": "Content-Type must be application/json"},
- status=status.HTTP_400_BAD_REQUEST
- )
-
 try:
 _validate_torob_token(request)
 except TorobTokenError as exc:
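Review bot: Requiring `nbf` in the `options=` line of the `@@ -253,11 +253,18 @@` hunk makes the not-before check unconditional, and the visible arguments pass no `leeway`, so a token whose `nbf` equals its issue time can be rejected as immature when this server's clock runs slightly behind the issuer's. If that shows up as "Token is not yet valid" warnings, a small bounded tolerance such as `leeway=30,` next to `options=` would absorb it (the value is constructed here; choose one that matches the issuer's guidance). A short comment above `options=` would also help the next reader, e.g. `# PyJWT checks exp/nbf only when present; "require" rejects tokens that omit them`. The decode call and its `try` start above the hunk, so an argument passed on the lines not shown cannot be ruled out.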