From 4940b61ee09be2f8054a8f63a6026de58567f0a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mats=20T=C3=B6rnberg?=
Date: Wed, 3 Dec 2025 18:14:04 +0100
Subject: [PATCH] update
---
 .gitea/workflows/build.yaml | 1 +
 cmd/checkout/pool-server.go | 25 ++++++++++++-------------
 cmd/checkout/utils.go | 37 +++++++++++++++++++++++++++----------
 3 files changed, 40 insertions(+), 23 deletions(-)
diff --git a/.gitea/workflows/build.yaml b/.gitea/workflows/build.yaml
index aba3342..5a25abd 100644
--- a/.gitea/workflows/build.yaml
+++ b/.gitea/workflows/build.yaml
@@ -25,6 +25,7 @@ jobs:
 run: |
 kubectl rollout restart deployment/cart-backoffice-x86 -n cart
 kubectl rollout restart deployment/cart-actor-x86 -n cart
+ kubectl rollout restart deployment/checkout-actor-x86 -n cart
 BuildAndDeployArm64:
 runs-on: arm64
diff --git a/cmd/checkout/pool-server.go b/cmd/checkout/pool-server.go
index 2edf443..13041de 100644
--- a/cmd/checkout/pool-server.go
+++ b/cmd/checkout/pool-server.go
@@ -4,7 +4,6 @@ import (
 "bytes"
 "context"
 "encoding/json"
- "fmt"
 "log"
 "net/http"
 "os"
@@ -227,7 +226,7 @@ func (s *CheckoutPoolServer) StartCheckoutHandler(w http.ResponseWriter, r *http
 }
 // Set checkout cookie
- w.Header().Set("Set-Cookie", fmt.Sprintf("checkout_id=%s; Path=/; HttpOnly; SameSite=Lax", checkoutId.String()))
+ setCheckoutCookie(w, result.Result.Id, r.TLS != nil)
 if err := s.WriteResult(w, result.Result); err != nil {
 logger.Error("failed to write result", "error", err)
@@ -365,7 +364,7 @@ func (s *CheckoutPoolServer) Serve(mux *http.ServeMux) {
 handlerFunc(w, r)
 }))
 }
- handleFunc("/payment/adyen/session", CheckoutIdHandler(s.AdyenSessionHandler))
+ handleFunc("/payment/adyen/session", CookieCheckoutIdHandler(s.AdyenSessionHandler))
 handleFunc("/payment/adyen/push", s.AdyenHookHandler)
 handleFunc("/payment/adyen/return", s.AdyenReturnHandler)
 //handleFunc("/payment/adyen/cancel", s.AdyenCancelHandler)
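Review bot: In StartCheckoutHandler, `setCheckoutCookie(w, result.Result.Id, r.TLS != nil)` ties the cookie's Secure attribute to `r.TLS`, which is nil whenever TLS is terminated by a proxy or ingress in front of this process. The workflow in this patch restarts Kubernetes deployments, so that setup seems likely (the visible lines do not confirm it), and the checkout cookie would then be issued without Secure. Driving the flag from deployment configuration instead of connection state would avoid this; at minimum add `// Secure follows r.TLS: false behind a TLS-terminating proxy, confirm for production` above the call. The cookie name also changes from `checkout_id` to `checkoutid`, so browsers holding the old cookie will be rejected by the new handler until a checkout is started again. The function body continues outside the hunk.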
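Review bot: The pattern `"/payment/adyen/session"` in Serve has no method, so it answers every verb, and the checkout id now arrives as an ambient `SameSite=Lax` cookie that browsers attach to cross-site top-level GET navigations. If AdyenSessionHandler creates or changes payment state (its body is not shown here), pin the verb, e.g. `handleFunc("POST /payment/adyen/session", CookieCheckoutIdHandler(s.AdyenSessionHandler))`, the way the `/api/checkout` routes in the following hunk already do. The `GET /payment/klarna/session` route in that hunk is worth the same check, since it is reachable by a cross-site navigation with the cookie attached.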
@@ -383,17 +382,17 @@ func (s *CheckoutPoolServer) Serve(mux *http.ServeMux) {
 orderHandler.DefineQueue()
 handleFunc("POST /api/checkout/start/{cartid}", s.StartCheckoutHandler)
- handleFunc("GET /api/checkout", CheckoutIdHandler(s.ProxyHandler(s.GetCheckoutHandler)))
- handleFunc("POST /api/checkout/delivery", CheckoutIdHandler(s.ProxyHandler(s.SetDeliveryHandler)))
- handleFunc("DELETE /api/checkout/delivery", CheckoutIdHandler(s.ProxyHandler(s.RemoveDeliveryHandler)))
- handleFunc("POST /api/checkout/pickup-point", CheckoutIdHandler(s.ProxyHandler(s.SetPickupPointHandler)))
- handleFunc("POST /api/checkout/initialize", CheckoutIdHandler(s.ProxyHandler(s.InitializeCheckoutHandler)))
- handleFunc("POST /api/checkout/inventory-reserved", CheckoutIdHandler(s.ProxyHandler(s.InventoryReservedHandler)))
- handleFunc("POST /api/checkout/order-created", CheckoutIdHandler(s.ProxyHandler(s.OrderCreatedHandler)))
- handleFunc("POST /api/checkout/confirmation-viewed", CheckoutIdHandler(s.ProxyHandler(s.ConfirmationViewedHandler)))
+ handleFunc("GET /api/checkout", CookieCheckoutIdHandler(s.ProxyHandler(s.GetCheckoutHandler)))
+ handleFunc("POST /api/checkout/delivery", CookieCheckoutIdHandler(s.ProxyHandler(s.SetDeliveryHandler)))
+ handleFunc("DELETE /api/checkout/delivery", CookieCheckoutIdHandler(s.ProxyHandler(s.RemoveDeliveryHandler)))
+ handleFunc("POST /api/checkout/pickup-point", CookieCheckoutIdHandler(s.ProxyHandler(s.SetPickupPointHandler)))
+ handleFunc("POST /api/checkout/initialize", CookieCheckoutIdHandler(s.ProxyHandler(s.InitializeCheckoutHandler)))
+ handleFunc("POST /api/checkout/inventory-reserved", CookieCheckoutIdHandler(s.ProxyHandler(s.InventoryReservedHandler)))
+ handleFunc("POST /api/checkout/order-created", CookieCheckoutIdHandler(s.ProxyHandler(s.OrderCreatedHandler)))
+ handleFunc("POST /api/checkout/confirmation-viewed", CookieCheckoutIdHandler(s.ProxyHandler(s.ConfirmationViewedHandler)))
- handleFunc("GET /payment/klarna/session", CheckoutIdHandler(s.ProxyHandler(s.KlarnaSessionHandler)))
- handleFunc("GET /payment/klarna/checkout", CheckoutIdHandler(s.ProxyHandler(s.KlarnaHtmlCheckoutHandler)))
+ handleFunc("GET /payment/klarna/session", CookieCheckoutIdHandler(s.ProxyHandler(s.KlarnaSessionHandler)))
+ handleFunc("GET /payment/klarna/checkout", CookieCheckoutIdHandler(s.ProxyHandler(s.KlarnaHtmlCheckoutHandler)))
 handleFunc("GET /payment/klarna/confirmation/{order_id}", s.KlarnaConfirmationHandler)
diff --git a/cmd/checkout/utils.go b/cmd/checkout/utils.go
index d74073a..9b2e398 100644
--- a/cmd/checkout/utils.go
+++ b/cmd/checkout/utils.go
@@ -5,6 +5,7 @@ import (
 "log"
 "net/http"
 "strings"
+ "time"
 "git.k6n.net/go-cart-actor/pkg/cart"
 "git.k6n.net/go-cart-actor/pkg/checkout"
@@ -64,29 +65,45 @@ func (a *CheckoutPoolServer) reserveInventory(ctx context.Context, grain *checko
 return nil
 }
-func CheckoutIdHandler(fn func(w http.ResponseWriter, r *http.Request, checkoutId checkout.CheckoutId) error) func(w http.ResponseWriter, r *http.Request) {
+const checkoutCookieName = "checkoutid"
+
+func setCheckoutCookie(w http.ResponseWriter, checkoutId checkout.CheckoutId, tls bool) {
+ http.SetCookie(w, &http.Cookie{
+ Name: checkoutCookieName,
+ Value: checkoutId.String(),
+ Secure: tls,
+ HttpOnly: true,
+ Path: "/",
+ Expires: time.Now().AddDate(0, 0, 14),
+ SameSite: http.SameSiteLaxMode,
+ })
+}
+
+func CookieCheckoutIdHandler(fn func(w http.ResponseWriter, r *http.Request, checkoutId checkout.CheckoutId) error) func(w http.ResponseWriter, r *http.Request) {
 return func(w http.ResponseWriter, r *http.Request) {
+
 var id checkout.CheckoutId
- raw := r.PathValue("id")
- if raw == "" {
- id = checkout.CheckoutId(cart.MustNewCartId())
- w.Header().Set("Set-Checkout-Id", id.String())
+ cookie, err := r.Cookie(checkoutCookieName)
+ if err != nil || cookie.Value == "" {
+ w.WriteHeader(http.StatusNotAcceptable)
+ return
 } else {
- if parsedId, ok := cart.ParseCartId(raw); !ok {
- w.WriteHeader(http.StatusBadRequest)
- w.Write([]byte("checkout id is invalid"))
+ parsed, ok := cart.ParseCartId(cookie.Value)
+ if !ok {
+ w.WriteHeader(http.StatusNotAcceptable)
 return
 } else {
- id = checkout.CheckoutId(parsedId)
+ id = parsed
 }
 }
- err := fn(w, r, id)
+ err = fn(w, r, id)
 if err != nil {
 log.Printf("Server error, not remote error: %v\n", err)
 w.WriteHeader(http.StatusInternalServerError)
 w.Write([]byte(err.Error()))
 }
+
 }
 }
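Review bot: Both rejection paths in CookieCheckoutIdHandler answer `http.StatusNotAcceptable`, the content-negotiation status, and send no body, so a client cannot tell a missing cookie from a malformed one; 401 for the missing cookie and 400 for an unparseable value would be conventional, and the removed code already used 400 with a message. The `else` branches after `return` can be dropped, and `id = parsed` loses the explicit `checkout.CheckoutId(...)` conversion the old code had, which compiles only if the two types are identical, so keeping the conversion is safer. In setCheckoutCookie the id acts as a bearer value for 14 days, so the function deserves a doc comment saying that `tls` must be true in production. The unchanged error path still writes `err.Error()` to the response, which may expose internal detail to the client. A flattened shape for the cookie parsing is sketched below.

```go
return func(w http.ResponseWriter, r *http.Request) {
	cookie, err := r.Cookie(checkoutCookieName)
	if err != nil || cookie.Value == "" {
		http.Error(w, "checkout cookie is missing", http.StatusUnauthorized)
		return
	}
	parsed, ok := cart.ParseCartId(cookie.Value)
	if !ok {
		http.Error(w, "checkout id is invalid", http.StatusBadRequest)
		return
	}
	id := checkout.CheckoutId(parsed)

	// … unchanged: call fn(w, r, id) and report a server error …
```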