From 2740dc5fd3b56607946a79fb15d3ea40d78944f0 Mon Sep 17 00:00:00 2001
From: Claude
Date: Fri, 10 Apr 2026 15:05:40 +0000
Subject: [PATCH] fix: Use OAuth state parameter instead of session for tier

Session was being lost between /stripe/auth and /auth/discord/callback. Now passes tier through Discord OAuth state parameter which survives the redirect.

Chronicler #75
---
 services/arbiter-3.0/src/routes/auth.js | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/services/arbiter-3.0/src/routes/auth.js b/services/arbiter-3.0/src/routes/auth.js
index 6a391d8..354b485 100644
--- a/services/arbiter-3.0/src/routes/auth.js
+++ b/services/arbiter-3.0/src/routes/auth.js
@@ -5,15 +5,25 @@ const router = express.Router();
 /**
 * Standard Discord OAuth - redirects to admin after login
 */
-router.get('/discord', passport.authenticate('discord'));
+router.get('/discord', (req, res, next) => {
+ // Check if there's a checkout tier to pass through
+ const tier = req.session.pendingCheckoutTier;
+
+ passport.authenticate('discord', {
+ state: tier ? `checkout:${tier}` : undefined
+ })(req, res, next);
+});
 
 router.get('/discord/callback', passport.authenticate('discord', {
 failureRedirect: '/'
 }), (req, res) => {
- // Check if this was a checkout flow (tier stored in session)
- if (req.session.pendingCheckoutTier) {
- const tierLevel = req.session.pendingCheckoutTier;
- delete req.session.pendingCheckoutTier; // Clean up
+ // Check for checkout flow via state parameter
+ const state = req.query.state;
+
+ if (state && state.startsWith('checkout:')) {
+ const tierLevel = state.replace('checkout:', '');
+ // Clear any session data
+ delete req.session.pendingCheckoutTier;
 
 // Redirect to checkout creation with Discord ID now available
 return res.redirect(`/stripe/checkout?tier=${tierLevel}`);
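Review bot: The callback now takes `tierLevel` from `req.query.state`, which is supplied by the browser rather than set server-side, and the unchanged redirect line interpolates it unencoded, so a crafted state value can add extra query parameters to `/stripe/checkout`, and a repeated `state` parameter arrives as an array and makes `state.startsWith` throw. Tighten the guard to `if (typeof state === 'string' && state.startsWith('checkout:'))`, wrap the value as `encodeURIComponent(tierLevel)` in the redirect, and check it against the set of known tiers before use (whether `/stripe/checkout` already validates it is not visible here). Separately, `state` is the OAuth anti-CSRF value, and `checkout:${tier}` (or `undefined` when no tier is pending) is predictable and is never compared with anything stored server-side in this hunk, so unless the strategy is configured elsewhere to verify state the login flow has no protection against a forged callback. Carrying the tier together with a random per-request nonce that is verified on return, or signing the state value, would keep the tier hand-off without giving that up. The callback handler's body continues past the end of the hunk.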