Update cart empties shipping_method & payment_sessions

[BorisKamp]

Medusa 1.13.1.

Kosek on Discord suggested to put this up here. Here's the discord thread

When calling update cart {{strapi-auth-host}}/medusa/store/carts/cart_01H7B8CKY62W5TA3TCK83VKPS5 after you set shipping_methods and/or payment_sessions, they both get lost .

This is probably because of security or something? But now how am I supposed to add meta info to my cart such as order reference, message & other fields? I have agreement items on my payment step as well that I would like to save to the cart's context.

At the end, the info should be visible in the order on the frontend. The cart's context is the way to go right?

update 1
More info, when I already set a shipping_address, and I update the context, the shipping_address's country_code is set to null, this might be why the shipping_methods is emptied as well. Does this also explain payment_sessions resetting?

Can somebody reproduce this:

1. Set shipping_address
2. Update cart with {"context": "test"} in the body
3. The shipping_address.country_code is null

Maybe related: #2683

Update 2
I am using Strapi for authentication. so my calls go trough there. I send along a header from Strapi to Medusa and use that header to set the using in Medusa by using middleware in Medusa:

export function setCustomerMiddleware(req, res, next) {
  if (req.get('medusa-customer-id')) {
    req.user = {
      customer_id: req.get('medusa-customer-id')
    }
  }

  next()
}

This way I set the user on the medusa side.

When I do not use Strapi for the call, but medusa straight away, it does not occur, so it looks like it because of the middleware part?

However, I just found out that I don't even need to authorize to update a cart using {{medusa-host}}/store/carts/cart_01H7CPN30XGXAFXZ2PATHAXGZN? When I omit the Authorization and medusa-customer-id header, it still succeeds. Is that intended?