From 7b717b8bfc69b8b9509d32976cc0c271f55343a8 Mon Sep 17 00:00:00 2001
From: Ben Halverson
Date: Wed, 10 Dec 2025 00:42:57 -0800
Subject: [PATCH 1/2] refactor checkout
---
 src/pages/Checkout.tsx | 5 ++---
 src/pages/Payment.tsx | 4 +++-
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/pages/Checkout.tsx b/src/pages/Checkout.tsx
index 3a36311..6826edc 100644
--- a/src/pages/Checkout.tsx
+++ b/src/pages/Checkout.tsx
@@ -230,17 +230,16 @@ export default function Checkout() {
 navigate(data.checkout_url);
 return;
 }
- // If backend returned a Stripe client secret, navigate to a route that can handle it
 const clientSecret = data.clientSecret ?? data.client_secret;
 if (clientSecret) {
- // Navigate to the payment page which loads Stripe Elements and completes confirmation
- navigate(`/payment?client_secret=${encodeURIComponent(clientSecret)}`);
+ navigate(`/payment`, { state: { clientSecret } });
 return;
 }
 // Fallback: optionally navigate if order id provided
 if (data.orderId) {
 navigate(`/order/${data.orderId}`);
 }
+ console.log('data', data);
 } catch (err: unknown) {
 setCartError(err instanceof Error ? err.message : "Payment intent failed");
 } finally {
diff --git a/src/pages/Payment.tsx b/src/pages/Payment.tsx
index 2bec04c..498ce7f 100644
--- a/src/pages/Payment.tsx
+++ b/src/pages/Payment.tsx
@@ -66,7 +66,9 @@ function PaymentForm() {
 export default function PaymentPage() {
 const loc = useLocation();
 const q = useMemo(() => new URLSearchParams(loc.search), [loc.search]);
- const clientSecret = q.get("client_secret");
+ // Prefer router state (in-memory) to avoid exposing secrets in the URL.
+ const state = (loc.state as { clientSecret?: string } | null) ?? null;
+ const clientSecret = state?.clientSecret ?? q.get("client_secret");
 if (!publishableKey) {
 return (
From f606fa1fd747e908a8189447725b327df7369de8 Mon Sep 17 00:00:00 2001
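Review bot: The new navigate call in the src/pages/Checkout.tsx hunk (patch 1/2) loses the explanation the two removed comments gave, and nothing on the Checkout side now says why the client secret travels in router state. I would add a comment above it such as `// Pass the Stripe client secret via router state so it never appears in the URL, browser history or Referer header`. The template literal has no interpolation, so a plain string reads better: `navigate("/payment", { state: { clientSecret } });`. The enclosing try block in Checkout starts and ends outside the hunk.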
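Review bot: In the src/pages/Payment.tsx hunk (patch 1/2), the fallback `?? q.get("client_secret")` keeps the query-string path alive, so any link that still carries `client_secret` leaves the Stripe secret in the address bar and browser history, which is what the added comment says the change avoids. If nothing else builds that URL, I would drop the fallback (and the `q` memo if it has no other use) so the line becomes `const clientSecret = state?.clientSecret ?? null;`. The `loc.state as { clientSecret?: string } | null` cast is unchecked, and since history state can hold any value a `typeof state?.clientSecret === "string"` guard would be safer than trusting the shape. The comment's "in-memory" is also likely inaccurate if the app uses a browser-history router, where location state is stored with the session history entry and survives a reload; "kept out of the URL" would describe it better. PaymentPage's body continues outside the hunk.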
From: Ben Halverson <7907232+benhalverson@users.noreply.github.com>
Date: Wed, 10 Dec 2025 00:48:53 -0800
Subject: [PATCH 2/2] Update src/pages/Checkout.tsx
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 src/pages/Checkout.tsx | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/pages/Checkout.tsx b/src/pages/Checkout.tsx
index 6826edc..50741f0 100644
--- a/src/pages/Checkout.tsx
+++ b/src/pages/Checkout.tsx
@@ -239,7 +239,6 @@ export default function Checkout() {
 if (data.orderId) {
 navigate(`/order/${data.orderId}`);
 }
- console.log('data', data);
 } catch (err: unknown) {
 setCartError(err instanceof Error ? err.message : "Payment intent failed");
 } finally {