From 45c5cae232f6a9717590a9eae3474cee337cb3f4 Mon Sep 17 00:00:00 2001
From: Florian Dold <florian@dold.me>
Date: Sun, 8 Aug 2021 18:38:18 +0200
Subject: allow h_contract as auth once order is claimed

---
 merchant-spec/public-orders-get.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'merchant-spec')

diff --git a/merchant-spec/public-orders-get.ts b/merchant-spec/public-orders-get.ts
index 20b893a6..225cc253 100644
--- a/merchant-spec/public-orders-get.ts
+++ b/merchant-spec/public-orders-get.ts
@@ -65,7 +65,8 @@ function handlePublicOrdersGet(mos: MerchantOrderStore, req: Req): Resp {
   }
 
   if (!ord.paid) {
-    if (ord.requireClaimToken && ord.claimToken !== req.claimToken) {
+    const hcOk = ord.contractHash === req.contractHash;
+    if (!hcOk && ord.requireClaimToken && ord.claimToken !== req.claimToken) {
       // This can happen when the fulfillment URL page detects
       // the user has not paid under the current session.
       return {
@@ -109,8 +110,8 @@ function handlePublicOrdersGet(mos: MerchantOrderStore, req: Req): Resp {
           responseType: "StatusGotoResponse",
           response: {
             already_paid_order_id: alreadyPaidOrd.orderId,
-          }
-        }
+          },
+        };
       }
       return {
         httpStatus: "402 Payment Required",
-- 
cgit v1.2.3