add persistent email session for order lookup and reviews

Replaces the short-lived (1 hour) session-based order lookup with a persistent cookie-based email session lasting 30 days. This foundation enables customers to leave reviews and view orders without re-verifying their email each time. - Add EmailSession module for signed cookie management - Add EmailSession plug to load verified email into session - Set email session on order lookup verification - Set email session on checkout completion (via /checkout/complete) - Update orders and order detail pages to use email session - Add reviews system plan document Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-04-01 09:44:53 +01:00
parent 3b23a413ed
commit 34822254e3
13 changed files with 811 additions and 5 deletions
--- a/lib/berrypod_web/controllers/checkout_controller.ex
+++ b/lib/berrypod_web/controllers/checkout_controller.ex
@@ -71,7 +71,7 @@ defmodule BerrypodWeb.CheckoutController do
      %{
        mode: "payment",
        line_items: line_items,
-        success_url: R.url(R.checkout_success()) <> "?session_id={CHECKOUT_SESSION_ID}",
+        success_url: R.url("/checkout/complete") <> "?session_id={CHECKOUT_SESSION_ID}",
        cancel_url: R.url(R.cart()),
        metadata: %{"order_id" => order.id},
        shipping_address_collection: %{
--- a/lib/berrypod_web/controllers/checkout_success_controller.ex
+++ b/lib/berrypod_web/controllers/checkout_success_controller.ex
@@ -0,0 +1,32 @@
+defmodule BerrypodWeb.CheckoutSuccessController do
+  @moduledoc """
+  Handles the redirect back from Stripe checkout.
+
+  This controller intercepts the Stripe redirect to set the email session
+  cookie before forwarding to the checkout success LiveView. This allows
+  customers to later view their orders and leave reviews without needing
+  to re-verify their email.
+  """
+
+  use BerrypodWeb, :controller
+
+  alias Berrypod.{EmailSession, Orders}
+
+  def show(conn, %{"session_id" => session_id}) do
+    # Look up the order to get the customer email
+    order = Orders.get_order_by_stripe_session(session_id)
+
+    conn =
+      if order && order.customer_email do
+        EmailSession.put_session(conn, order.customer_email)
+      else
+        conn
+      end
+
+    redirect(conn, to: R.checkout_success() <> "?session_id=#{session_id}")
+  end
+
+  def show(conn, _params) do
+    redirect(conn, to: R.home())
+  end
+end
--- a/lib/berrypod_web/controllers/order_lookup_controller.ex
+++ b/lib/berrypod_web/controllers/order_lookup_controller.ex
@@ -1,6 +1,7 @@
 defmodule BerrypodWeb.OrderLookupController do
  use BerrypodWeb, :controller

+  alias Berrypod.EmailSession
  alias Berrypod.Orders
  alias Berrypod.Orders.OrderNotifier

@@ -44,7 +45,7 @@ defmodule BerrypodWeb.OrderLookupController do
    case Phoenix.Token.verify(BerrypodWeb.Endpoint, @salt, token, max_age: @max_age) do
      {:ok, email} ->
        conn
-        |> put_session(:order_lookup_email, email)
+        |> EmailSession.put_session(email)
        |> redirect(to: R.orders())

      {:error, :expired} ->