requests to /cart/remove are not protected by the order lock #71

@chuzhe-as-a-dev

I see that requests that modify the user cart are protected by a lock using CartStateFilter.
This filter acquires the lock before request handlers execute, and releases the lock afterward.

However, the lock is only applied to POST requests (see this and this); meanwhile, the request for removing items is sent and handled as a GET request (see this and this).

This is potentially a defect, as a cart can be modified while it is being checked out.

p.s. I know that as a demo site, this issue does not necessarily cause real problems. Still, I wonder if there are other mechanisms to mitigate consistency issues like this one.
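
The gap reported above, as an added sketch that is not the project's code: a lock gate keyed on the HTTP verb lets a GET to `/cart/remove` change the cart while a checkout holds the order lock, whereas a gate keyed on what the route does refuses it. The route table, the `409` response, the non-blocking acquire and all class and function names are assumptions made for this model; only `/cart/remove` and the POST-only behaviour come from the issue.

```python
import threading

# Hypothetical route table for this sketch: paths that change cart state.
MUTATING_PATHS = {"/cart/add", "/cart/remove", "/checkout/complete"}


def lock_on_post_only(method, path):
    """Policy described in the issue: only POST requests take the lock."""
    return method.upper() == "POST"


def lock_on_mutation(method, path):
    """Alternative policy: lock by what the route does, not by its verb."""
    return method.upper() == "POST" or path in MUTATING_PATHS


class CartSession:
    def __init__(self, items, requires_lock):
        self.items = list(items)
        self.requires_lock = requires_lock
        self.lock = threading.Lock()  # stands in for the per-order lock

    def handle(self, method, path, sku=None):
        """Filter plus handler in one step; returns an HTTP-like status."""
        locked = self.requires_lock(method, path)
        if locked and not self.lock.acquire(blocking=False):
            return 409  # order is busy: refuse instead of racing (assumed)
        try:
            if path == "/cart/remove" and sku in self.items:
                self.items.remove(sku)
            return 200
        finally:
            if locked:
                self.lock.release()


def remove_during_checkout(requires_lock):
    """A checkout holds the lock and has priced the cart; a GET remove arrives."""
    cart = CartSession(["sku-1", "sku-2"], requires_lock)  # constructed data
    cart.lock.acquire()            # checkout request in progress
    priced = list(cart.items)      # snapshot the checkout is charging for
    status = cart.handle("GET", "/cart/remove", "sku-2")
    cart.lock.release()
    return status, priced == cart.items  # (response, cart still consistent?)
```

Changing the remove endpoint to POST would close the same gap under the existing verb-based gate, since state-changing requests should not be served over GET in the first place.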
