Load order with guest token

This will be a more reliable way of loading the order. We pass in the
guest token and payment method id as additional params via
merchantReturnData so we can restore the session.

This should resolve issues where you could just complete any payment by
pasting in a url.

app/controllers/spree/adyen_redirect_controller.rb

@@ -1,5 +1,6 @@
 module Spree
   class AdyenRedirectController < StoreController
+    before_filter :restore_session
     before_filter :check_signature, only: :confirm
 
     skip_before_filter :verify_authenticity_token
@@ -10,17 +11,17 @@ def confirm
 
       unless source.authorised?
         flash.notice = Spree.t(:payment_processing_failed)
-        redirect_to checkout_state_path(current_order.state)
+        redirect_to checkout_state_path(@order.state)
         return
       end
 
       # payment is created in a 'checkout' state so that the payment method
       # can attempt to auth it. The payment of course is already auth'd and
       # adyen hpp's authorize implementation just returns a dummy response.
       payment =
-        current_order.payments.create!(
-          amount: current_order.total,
-          payment_method: payment_method,
+        @order.payments.create!(
+          amount: @order.total,
+          payment_method: @payment_method,
           source: source,
           response_code: params[:pspReference],
           state: "checkout",
@@ -34,47 +35,44 @@ def confirm
           # .order.update_totals after save the order is saved with its
           # previous values, causing payment_state and shipment_state to revert
           # to nil.
-          order: current_order
+          order: @order
         )
 
-      if current_order.complete
+      if @order.complete
         # We may have already recieved the authorization notification, so process
         # it now
         Spree::Adyen::NotificationProcessor.process_outstanding!(payment)
 
         flash.notice = Spree.t(:order_processed_successfully)
-        redirect_to order_path(current_order)
+        redirect_to order_path(@order)
       else
         #TODO void/cancel payment
-        redirect_to checkout_state_path(current_order.state)
+        redirect_to checkout_state_path(@order.state)
       end
     end
 
     private
 
     def check_signature
-      unless ::Adyen::Form.redirect_signature_check(params, payment_method.shared_secret)
+      unless ::Adyen::Form.redirect_signature_check(params, @payment_method.shared_secret)
         raise "Payment Method not found."
       end
     end
 
-    # TODO find a way to send the payment method id to Adyen servers and get
-    # it back here to make sure we find the right payment method
-    def payment_method
-      @payment_method ||= Gateway::AdyenHPP.last # find(params[:merchantReturnData])
-    end
+    # We pass the guest token and payment method id in, pipe seperated in the
+    # merchantReturnData parameter so that we can recover the session.
+    def restore_session
+      guest_token, payment_method_id =
+        params.fetch(:merchantReturnData).split("|")
 
-    def current_order
-      @__adyen_current_order ||=
-        Spree::Order.incomplete.find_by!(current_order_params)
-    end
+      cookies.permanent.signed[:guest_token] = guest_token
+
+      @payment_method = Spree::PaymentMethod.find(payment_method_id)
 
-    def current_order_params
-      { number: params[:merchantReference],
-        store_id: current_store.id,
-        user_id: try_spree_current_user.try(:id),
-        currency: current_currency
-      }
+      @order =
+        Spree::Order.
+        incomplete.
+        find_by!(guest_token: cookies.signed[:guest_token])
     end
 
     def source_params params

lib/spree/adyen/form.rb

@@ -96,9 +96,16 @@ def form_payment_method brand, order, payment_method, issuers
         end
 
         def params order, payment_method
+          merchant_return_data = [
+            order.guest_token,
+            payment_method.id
+          ].
+          join("|")
+
           Form.flat_payment_parameters default_params.
             merge(order_params order).
-            merge(payment_method_params payment_method)
+            merge(payment_method_params payment_method).
+            merge(merchant_return_data: merchant_return_data)
         end
 
         # TODO set this in the adyen config
@@ -111,14 +118,16 @@ def order_params order
           { currency_code: order.currency,
             merchant_reference: order.number.to_s,
             country_code: order.billing_address.country.iso,
-            payment_amount: (order.total * 100).to_int }
+            payment_amount: (order.total * 100).to_int
+          }
         end
 
         def payment_method_params payment_method
           { merchant_account: payment_method.merchant_account,
             skin_code: payment_method.skin_code,
             shared_secret: payment_method.shared_secret,
-            ship_before_date: payment_method.ship_before_date }
+            ship_before_date: payment_method.ship_before_date
+          }
         end
       end
     end

spec/controllers/spree/adyen_redirect_controller_spec.rb

@@ -16,11 +16,7 @@
   let(:gateway) { create :hpp_gateway }
 
   before do
-    allow(controller).to receive(:try_spree_current_user).
-      and_return order.user
     allow(controller).to receive(:check_signature)
-    allow(controller).to receive(:payment_method).
-      and_return gateway
   end
 
   describe "GET confirm" do
@@ -35,9 +31,11 @@
         paymentMethod: payment_method,
         authResult: auth_result,
         pspReference:  psp_reference,
-        merchantSig: "erewrwerewrewrwer"
+        merchantSig: "erewrwerewrewrwer",
+        merchantReturnData: merchantReturnData
       }
     end
+    let(:merchantReturnData) { [order.guest_token, gateway.id].join("|") }
 
     shared_examples "payments are pending" do
       it "has pending payments" do

spec/lib/spree/adyen/form_spec.rb

@@ -26,11 +26,17 @@
         skin_code: payment_method.skin_code,
         shared_secret: payment_method.shared_secret,
         country_code: order.billing_address.country.iso,
-        payment_amount: 3998 }
+        merchant_return_data: merchant_return_data,
+        payment_amount: 3998
+      }
 
        ::Adyen::Form.redirect_url(redirect_params)
     end
 
+    let(:merchant_return_data) do
+      [order.guest_token, payment_method.id].join("|")
+    end
+
     subject { described_class.directory_url order, payment_method  }
 
     it "has the same query options as Adyen gem's" do