wip

app/api/montonio/verify-token/route.ts

@@ -38,6 +38,9 @@ export const POST = enhanceRouteHandler(
     const body = await request.json();
     const namespace = 'montonio.verify-token';
 
+    const activeCartId = request.cookies.get('_medusa_cart_id')?.value;
+    console.info('cart id', activeCartId);
+
     try {
       const { token } = BodySchema.parse(body);
 
@@ -58,6 +61,12 @@ export const POST = enhanceRouteHandler(
         algorithms: ['HS256'],
       }) as MontonioOrderToken;
 
+      const [, cartId] = decoded.merchantReferenceDisplay.split(':');
+      console.info('active cart id parsed', {cartId, activeCartId, decoded:decoded.merchantReferenceDisplay});
+      if (cartId !== activeCartId) {
+        throw new Error('Invalid cart id');
+      }
+
       logger.info(
         {
           name: namespace,