Guard checkout payment step behind login

2026-01-04 12:43:04 +01:00
parent 1afd49bd24
commit cbb010acca
5 changed files with 56 additions and 1 deletions
--- a/.beads/issues.jsonl
+++ b/.beads/issues.jsonl
@@ -22,6 +22,7 @@
 {"id":"fotospiel-app-5hk","title":"Fix staging coupon seed 500 for E2E","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-03T15:12:53.643644221+01:00","created_by":"soeren","updated_at":"2026-01-03T15:12:53.643644221+01:00"}
 {"id":"fotospiel-app-5iy","title":"Security review: confirm env/header defaults","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:03:20.808188183+01:00","created_by":"soeren","updated_at":"2026-01-01T16:03:26.388002115+01:00","closed_at":"2026-01-01T16:03:26.388002115+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-5s3","title":"Localized SEO: canonical/hreflang tags + localized navigation","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:02:03.909947355+01:00","created_by":"soeren","updated_at":"2026-01-01T16:02:09.550647107+01:00","closed_at":"2026-01-01T16:02:09.550647107+01:00","close_reason":"Completed in codebase (verified)"}
+{"id":"fotospiel-app-5zl","title":"Ensure checkout step 3 requires login for Paddle checkout","description":"Problem: Paddle checkout on step 3 fails when user is not logged in. Step 3 must enforce authentication before initializing Paddle checkout.\\n\\nSuggestions:\\n- Protect step 3 route/controller with auth middleware and redirect to login with intended return URL.\\n- Gate step 3 UI/CTA on auth state; show inline login prompt and disable Paddle until authenticated.\\n- Require auth in backend endpoint that creates Paddle transaction/session; return 401 and send user to login.\\n- Optionally preflight at end of step 2 to prompt login before advancing.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-04T12:31:43.215017311+01:00","created_by":"soeren","updated_at":"2026-01-04T12:42:45.088723058+01:00","closed_at":"2026-01-04T12:42:45.088723058+01:00","close_reason":"Closed"}
 {"id":"fotospiel-app-64l","title":"SEC-FE-01 CSP nonce/hashing rollout","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:54:47.607047443+01:00","created_by":"soeren","updated_at":"2026-01-01T15:55:56.477104351+01:00","closed_at":"2026-01-01T15:55:56.477104351+01:00","close_reason":"Completed in codebase (verified) - duplicate of fotospiel-app-zli"}
 {"id":"fotospiel-app-6dp","title":"Coupon ops enhancements (redemption service, preview endpoint, widget, export)","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:09:09.275919717+01:00","created_by":"soeren","updated_at":"2026-01-01T16:09:14.882264149+01:00","closed_at":"2026-01-01T16:09:14.882264149+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-6oj","title":"Security review: media pipeline code audit (AV/EXIF, signed URLs, storage separation)","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:05:31.390878341+01:00","created_by":"soeren","updated_at":"2026-01-01T16:05:31.390878341+01:00"}
--- a/.beads/last-touched
+++ b/.beads/last-touched
@@ -1 +1 @@
-fotospiel-app-99o
+fotospiel-app-5zl
--- a/resources/js/pages/marketing/checkout/CheckoutWizard.tsx
+++ b/resources/js/pages/marketing/checkout/CheckoutWizard.tsx
@@ -10,6 +10,7 @@ import { AuthStep } from "./steps/AuthStep";
 import { ConfirmationStep } from "./steps/ConfirmationStep";
 import { useAnalytics } from '@/hooks/useAnalytics';
 import { cn } from "@/lib/utils";
+import toast from 'react-hot-toast';

 const PaymentStep = lazy(() => import('./steps/PaymentStep').then((module) => ({ default: module.PaymentStep })));

@@ -80,6 +81,7 @@ const WizardBody: React.FC<{
    authUser,
    isAuthenticated,
    paymentCompleted,
+    goToStep,
  } = useCheckoutWizard();
  const progressRef = useRef<HTMLDivElement | null>(null);
  const hasMountedRef = useRef(false);
@@ -114,6 +116,13 @@ const WizardBody: React.FC<{
    });
  }, [currentStep, trackEvent]);

+  useEffect(() => {
+    if (currentStep === 'payment' && !isAuthenticated) {
+      toast.error(t('checkout.payment_step.auth_required'));
+      goToStep('auth');
+    }
+  }, [currentStep, goToStep, isAuthenticated, t]);
+
  useEffect(() => {
    if (typeof window === 'undefined' || !progressRef.current) {
      return;
--- a/resources/js/pages/marketing/checkout/tests/CheckoutWizard.guard.test.tsx
+++ b/resources/js/pages/marketing/checkout/tests/CheckoutWizard.guard.test.tsx
@@ -83,6 +83,21 @@ describe('CheckoutWizard auth step navigation guard', () => {
    nextButtons.forEach((button) => expect(button).not.toBeDisabled());
  });

+  it('redirects to the auth step when the user is not authenticated on the payment step', async () => {
+    render(
+      <CheckoutWizard
+        initialPackage={basePackage}
+        packageOptions={[basePackage]}
+        privacyHtml="<p>privacy</p>"
+        initialAuthUser={null}
+        initialStep="payment"
+      />,
+    );
+
+    await screen.findByTestId('auth-step');
+    expect(screen.queryByTestId('payment-step')).not.toBeInTheDocument();
+  });
+
  it('only renders the next button on the payment step after the payment is completed', async () => {
    const paidPackage = { ...basePackage, id: 2, price: 99 };

--- a/resources/js/pages/marketing/checkout/steps/PaymentStep.tsx
+++ b/resources/js/pages/marketing/checkout/steps/PaymentStep.tsx
@@ -191,6 +191,8 @@ export const PaymentStep: React.FC = () => {
    nextStep,
    paddleConfig,
    authUser,
+    isAuthenticated,
+    goToStep,
    setPaymentCompleted,
    checkoutSessionId,
    setCheckoutSessionId,
@@ -368,6 +370,13 @@ export const PaymentStep: React.FC = () => {
  }, [couponCode]);

  const handleFreeActivation = async () => {
+    if (!isAuthenticated || !authUser) {
+      const message = t('checkout.payment_step.auth_required');
+      toast.error(message);
+      goToStep('auth');
+      return;
+    }
+
    if (!selectedPackage) {
      return;
    }
@@ -420,6 +429,15 @@ export const PaymentStep: React.FC = () => {
      return;
    }

+    if (!isAuthenticated || !authUser) {
+      const message = t('checkout.payment_step.auth_required');
+      setStatus('error');
+      setMessage(message);
+      toast.error(message);
+      goToStep('auth');
+      return;
+    }
+
    if (!acceptedTerms) {
      setConsentError(t('checkout.legal.checkbox_terms_error'));
      return;
@@ -466,6 +484,18 @@ export const PaymentStep: React.FC = () => {
      });

      const rawBody = await response.text();
+      if (
+        response.status === 401 ||
+        response.status === 419 ||
+        (response.redirected && response.url.includes('/login'))
+      ) {
+        const message = t('checkout.payment_step.auth_required');
+        setStatus('error');
+        setMessage(message);
+        toast.error(message);
+        goToStep('auth');
+        return;
+      }
      if (typeof window !== 'undefined') {
         
        console.info('[Checkout] Hosted checkout response', { status: response.status, rawBody });