various fixes for checkout

resources/js/pages/auth/LoginForm.tsx

@@ -32,7 +32,17 @@ type SharedPageProps = {
 
 type FieldErrors = Record<string, string>;
 
-const csrfToken = () => (document.querySelector('meta[name="csrf-token"]') as HTMLMetaElement | null)?.content ?? "";
+const metaCsrfToken = () =>
+  (document.querySelector('meta[name="csrf-token"]') as HTMLMetaElement | null)?.content ?? "";
+
+const xsrfCookieToken = () => {
+  if (typeof document === "undefined") {
+    return "";
+  }
+
+  const match = document.cookie.match(/(?:^|; )XSRF-TOKEN=([^;]*)/);
+  return match ? decodeURIComponent(match[1]) : "";
+};
 
 export default function LoginForm({ onSuccess, canResetPassword = true, locale, packageId }: LoginFormProps) {
   const page = usePage<SharedPageProps>();
@@ -91,12 +101,19 @@ export default function LoginForm({ onSuccess, canResetPassword = true, locale,
     setIsSubmitting(true);
 
     try {
+      const cookieToken = xsrfCookieToken();
+      const metaToken = metaCsrfToken();
+
       const response = await fetch(loginEndpoint, {
         method: "POST",
         headers: {
           "Content-Type": "application/json",
           Accept: "application/json",
-          "X-CSRF-TOKEN": csrfToken(),
+          ...(cookieToken
+            ? { "X-XSRF-TOKEN": cookieToken }
+            : metaToken
+              ? { "X-CSRF-TOKEN": metaToken }
+              : {}),
         },
         credentials: "same-origin",
         body: JSON.stringify({

resources/js/pages/auth/RegisterForm.tsx

@@ -45,18 +45,12 @@ const getCookieValue = (name: string): string | null => {
   return match ? decodeURIComponent(match[1]) : null;
 };
 
-const resolveCsrfToken = (): string => {
+const resolveMetaCsrfToken = (): string => {
   if (typeof document === 'undefined') {
     return '';
   }
 
-  const metaToken = (document.querySelector('meta[name="csrf-token"]') as HTMLMetaElement | null)?.content;
-
-  if (metaToken && metaToken.length > 0) {
-    return metaToken;
-  }
-
-  return getCookieValue('XSRF-TOKEN') ?? '';
+  return (document.querySelector('meta[name="csrf-token"]') as HTMLMetaElement | null)?.content ?? '';
 };
 
 export default function RegisterForm({ packageId, onSuccess, privacyHtml, locale, prefill, onClearGoogleProfile }: RegisterFormProps) {
@@ -180,12 +174,13 @@ export default function RegisterForm({ packageId, onSuccess, privacyHtml, locale
     setIsSubmitting(true);
     clearErrors();
 
-    const csrfToken = resolveCsrfToken();
+    const metaToken = resolveMetaCsrfToken();
+    const cookieToken = getCookieValue('XSRF-TOKEN');
     const body = {
       ...data,
       locale: resolvedLocale,
       package_id: data.package_id ?? packageId ?? null,
-      _token: csrfToken,
+      _token: metaToken || undefined,
     };
 
     try {
@@ -194,8 +189,11 @@ export default function RegisterForm({ packageId, onSuccess, privacyHtml, locale
         headers: {
           'Content-Type': 'application/json',
           Accept: 'application/json',
-          'X-CSRF-TOKEN': csrfToken,
-          'X-XSRF-TOKEN': csrfToken,
+          ...(cookieToken
+            ? { 'X-XSRF-TOKEN': cookieToken }
+            : metaToken
+              ? { 'X-CSRF-TOKEN': metaToken }
+              : {}),
         },
         credentials: 'same-origin',
         body: JSON.stringify(body),