refactor: extract cart storage to dedicated API controller with dynamic frontend URLs

- Added dedicated CartsController for session-based cart storage
- Refactored routes to use POST /api/v1/carts/store
- Updated ticket selection JS to use dynamic data attributes for URLs
- Fixed CSRF protection in API and checkout payment increment
- Made checkout button URLs dynamic via data attributes
- Updated tests for new cart storage endpoint
- Removed obsolete store_cart from EventsController

app/controllers/api/v1/carts_controller.rb

@@ -0,0 +1,25 @@
+module Api
+  module V1
+    class CartsController < ApiController
+      # Skip API key authentication for store_cart action (used by frontend forms)
+      skip_before_action :authenticate_api_key, only: [ :store ]
+
+      def store
+        event_id = params[:event_id]
+        @event = Event.find(event_id)
+
+        cart_data = params[:cart] || {}
+        session[:pending_cart] = cart_data
+        session[:event_id] = @event.id
+
+        render json: { status: "success", message: "Cart stored successfully" }
+      rescue ActiveRecord::RecordNotFound
+        render json: { status: "error", message: "Event not found" }, status: :not_found
+      rescue => e
+        error_message = e.message.present? ? e.message : "Unknown error"
+        Rails.logger.error "Error storing cart: #{error_message}"
+        render json: { status: "error", message: "Failed to store cart" }, status: 500
+      end
+    end
+  end
+end

app/controllers/api/v1/orders_controller.rb

@@ -4,9 +4,6 @@
 module Api
   module V1
     class OrdersController < ApiController
-      # Skip API key authentication for store_cart action (used by frontend forms)
-      skip_before_action :authenticate_api_key, only: [ :store_cart ]
-
       before_action :set_order, only: [ :show, :checkout, :retry_payment, :increment_payment_attempt ]
       before_action :set_event, only: [ :new, :create ]
 

app/controllers/api_controller.rb

@@ -2,7 +2,7 @@
 # Provides authentication and common functionality for API controllers
 class ApiController < ApplicationController
   # Disable CSRF protection for API requests (token-based authentication instead)
-  protect_from_forgery with: :null_session
+  protect_from_forgery prepend: true
 
   # Authenticate all API requests using API key
   # Must be called before any API action

app/javascript/controllers/ticket_selection_controller.js

@@ -10,7 +10,7 @@ export default class extends Controller {
     "checkoutButton",
     "form",
   ];
-  static values = { eventSlug: String, eventId: String };
+  static values = { eventSlug: String, eventId: String, orderNewUrl: String, storeCartUrl: String };
 
   // Initialize the controller and update the cart summary
   connect() {
@@ -117,9 +117,9 @@ export default class extends Controller {
       // Store cart data in session
       await this.storeCartInSession(cartData);
 
-      // Redirect to event-scoped orders/new page
+  // Redirect to event-scoped orders/new page
-      const OrderNewUrl = `/orders/new/events/${this.eventSlugValue}.${this.eventIdValue}`;
+  const orderNewUrl = this.orderNewUrlValue;
-      window.location.href = OrderNewUrl;
+  window.location.href = orderNewUrl;
     } catch (error) {
       console.error("Error storing cart:", error);
       alert("Une erreur est survenue. Veuillez réessayer.");
@@ -145,7 +145,7 @@ export default class extends Controller {
 
   // Store cart data in session via AJAX
   async storeCartInSession(cartData) {
-    const storeCartUrl = `/api/v1/events/${this.eventIdValue}/store_cart`;
+    const storeCartUrl = this.storeCartUrlValue;
 
     const response = await fetch(storeCartUrl, {
       method: "POST",
@@ -155,7 +155,7 @@ export default class extends Controller {
           .querySelector('meta[name="csrf-token"]')
           .getAttribute("content"),
       },
-      body: JSON.stringify({ cart: cartData }),
+      body: JSON.stringify({ cart: cartData, event_id: this.eventIdValue }),
     });
 
     if (!response.ok) {

app/views/events/show.html.erb

@@ -135,8 +135,12 @@
               controller: "ticket-selection",
               ticket_selection_target: "form",
               ticket_selection_event_slug_value: @event.slug,
-              ticket_selection_event_id_value: @event.id
+    ticket_selection_event_id_value: @event.id,
-            } do |form| %>
+    ticket_selection_order_new_url_value: event_order_new_path(@event.slug, @event.id),
+    ticket_selection_store_cart_url_value: api_v1_store_cart_path,
+    ticket_selection_order_new_url_value: event_order_new_path(@event.slug, @event.id),
+    ticket_selection_store_cart_url_value: api_v1_store_cart_path
+  } do |form| %>
 
               <div class="bg-gradient-to-br from-purple-50 to-indigo-50 rounded-2xl border border-purple-100 p-6 shadow-sm">
                 <div class="flex justify-center sm:justify-start mb-6">

app/views/orders/checkout.html.erb

@@ -139,10 +139,13 @@
               </div>
             </div>
 
-            <button 
+  <button 
-              id="checkout-button" 
+    id="checkout-button" 
-              class="w-full btn btn-primary py-4 px-6 rounded-xl transition-all duration-200 transform hover:scale-105 active:scale-95 shadow-lg hover:shadow-xl"
+    data-order-id="<%= @order.id %>"
-            >
+    data-increment-url="/api/v1/orders/<%= @order.id %>/increment_payment_attempt"
+    data-session-id="<%= @checkout_session.id if @checkout_session.present? %>"
+    class="w-full btn btn-primary py-4 px-6 rounded-xl transition-all duration-200 transform hover:scale-105 active:scale-95 shadow-lg hover:shadow-xl"
+  >
               <div class="flex items-center justify-center">
                 <i data-lucide="credit-card" class="w-5 h-5 mr-2"></i>
                 Payer <%= @order.total_amount_euros %>€
@@ -199,13 +202,16 @@
 
                 try {
                   // Increment payment attempt counter
-                  console.log('Incrementing payment attempt for order:', '<%= @order.id %>');
+  const orderId = checkoutButton.dataset.orderId;
-                  const response = await fetch('/api/v1/orders/<%= @order.id %>/increment_payment_attempt', {
+  const incrementUrl = checkoutButton.dataset.incrementUrl;
-                    method: 'PATCH',
+  console.log('Incrementing payment attempt for order:', orderId);
-                    headers: {
+  const response = await fetch(incrementUrl, {
-                      'Content-Type': 'application/json'
+    method: 'PATCH',
-                    }
+    headers: {
-                  });
+      'Content-Type': 'application/json',
+      'X-CSRF-Token': document.querySelector('[name=csrf-token]').content
+    }
+  });
 
                   if (!response.ok) {
                     console.error('Payment attempt increment failed:', response.status, response.statusText);
@@ -226,10 +232,11 @@
                   `;
                   
                   // Redirect to Stripe
-                  console.log('Redirecting to Stripe with session ID:', '<%= @checkout_session&.id %>');
+  const sessionId = checkoutButton.dataset.sessionId;
-                  const stripeResult = await stripe.redirectToCheckout({
+  console.log('Redirecting to Stripe with session ID:', sessionId);
-                    sessionId: '<%= @checkout_session.id %>'
+  const stripeResult = await stripe.redirectToCheckout({
-                  });
+    sessionId: sessionId
+  });
 
                   if (stripeResult.error) {
                     throw new Error(stripeResult.error.message);

config/routes.rb

@@ -96,11 +96,8 @@ Rails.application.routes.draw do
   namespace :api do
     namespace :v1 do
       # RESTful routes for event management
-      resources :events, only: [ :index, :show, :create, :update, :destroy ] do
+      resources :events, only: [ :index, :show, :create, :update, :destroy ]
-        member do
+      post "carts/store", to: "carts#store", as: "store_cart"
-          post :store_cart
-        end
-      end
 
       # RESTful routes for order management
       resources :orders, only: [] do

test/controllers/api/v1/events_controller_test.rb

@@ -41,7 +41,7 @@ class Api::V1::EventsControllerTest < ActionDispatch::IntegrationTest
   end
 
   test "should store cart" do
-    post store_cart_api_v1_event_url(@event), params: { cart: { ticket_type_id: 1, quantity: 2 } }, as: :json
+    post api_v1_store_cart_path, params: { cart: { ticket_type_id: 1, quantity: 2 }, event_id: @event.id }, as: :json, headers: headers_api_key
     assert_response :success
     assert_equal @event.id, session[:event_id]
   end