various fixes for checkout

resources/js/pages/auth/RegisterForm.tsx

@@ -45,18 +45,12 @@ const getCookieValue = (name: string): string | null => {
   return match ? decodeURIComponent(match[1]) : null;
 };
 
-const resolveCsrfToken = (): string => {
+const resolveMetaCsrfToken = (): string => {
   if (typeof document === 'undefined') {
     return '';
   }
 
-  const metaToken = (document.querySelector('meta[name="csrf-token"]') as HTMLMetaElement | null)?.content;
-
-  if (metaToken && metaToken.length > 0) {
-    return metaToken;
-  }
-
-  return getCookieValue('XSRF-TOKEN') ?? '';
+  return (document.querySelector('meta[name="csrf-token"]') as HTMLMetaElement | null)?.content ?? '';
 };
 
 export default function RegisterForm({ packageId, onSuccess, privacyHtml, locale, prefill, onClearGoogleProfile }: RegisterFormProps) {
@@ -180,12 +174,13 @@ export default function RegisterForm({ packageId, onSuccess, privacyHtml, locale
     setIsSubmitting(true);
     clearErrors();
 
-    const csrfToken = resolveCsrfToken();
+    const metaToken = resolveMetaCsrfToken();
+    const cookieToken = getCookieValue('XSRF-TOKEN');
     const body = {
       ...data,
       locale: resolvedLocale,
       package_id: data.package_id ?? packageId ?? null,
-      _token: csrfToken,
+      _token: metaToken || undefined,
     };
 
     try {
@@ -194,8 +189,11 @@ export default function RegisterForm({ packageId, onSuccess, privacyHtml, locale
         headers: {
           'Content-Type': 'application/json',
           Accept: 'application/json',
-          'X-CSRF-TOKEN': csrfToken,
-          'X-XSRF-TOKEN': csrfToken,
+          ...(cookieToken
+            ? { 'X-XSRF-TOKEN': cookieToken }
+            : metaToken
+              ? { 'X-CSRF-TOKEN': metaToken }
+              : {}),
         },
         credentials: 'same-origin',
         body: JSON.stringify(body),