berrypod/lib/berrypod_web/controllers/order_lookup_controller.ex

defmodule BerrypodWeb.OrderLookupController do
  use BerrypodWeb, :controller

  alias Berrypod.EmailSession
  alias Berrypod.Orders
  alias Berrypod.Orders.OrderNotifier

  @salt "order_lookup"
  @max_age 3_600

  @doc """
  Looks up orders by email and sends a verification link (no-JS fallback).
  """
  def lookup(conn, %{"email" => email}) when is_binary(email) and email != "" do
    orders = Orders.list_orders_by_email(email)

    if orders == [] do
      conn
      |> put_flash(
        :error,
        "No orders found for that address. Make sure you use the same email you checked out with."
      )
      |> redirect(to: R.contact())
    else
      token = generate_token(email)
      link = BerrypodWeb.Endpoint.url() <> ~p"/orders/verify/#{token}"
      OrderNotifier.deliver_order_lookup(email, link)

      conn
      |> put_flash(
        :info,
        "We've sent a link to your email address. It'll expire after an hour."
      )
      |> redirect(to: R.contact())
    end
  end

  def lookup(conn, _params) do
    conn
    |> put_flash(:error, "Please enter your email address.")
    |> redirect(to: R.contact())
  end

  def verify(conn, %{"token" => token}) do
    case Phoenix.Token.verify(BerrypodWeb.Endpoint, @salt, token, max_age: @max_age) do
      {:ok, email} ->
        conn
        |> EmailSession.put_session(email)
        |> redirect(to: R.orders())

      {:error, :expired} ->
        conn
        |> put_flash(:error, "That link has expired. Please request a new one.")
        |> redirect(to: R.contact())

      {:error, _} ->
        conn
        |> put_flash(:error, "That link is invalid.")
        |> redirect(to: R.contact())
    end
  end

  @doc """
  Generates a signed, time-limited token for the given email address.
  """
  def generate_token(email) do
    Phoenix.Token.sign(BerrypodWeb.Endpoint, @salt, email)
  end
end