account type is permanent and password registration is now working at checkout

src/controllers/checkout.rs

@@ -1,6 +1,7 @@
 //! Public checkout flow: the checkout form, placing an order, and the order
 //! confirmation page.
 
+use axum::extract::Query;
 use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite};
 use loco_rs::prelude::*;
 use sea_orm::{ColumnTrait, EntityTrait, QueryFilter, QueryOrder};
@@ -9,9 +10,13 @@ use serde_json::json;
 use time::Duration as TimeDuration;
 
 use crate::{
-    controllers::account::normalize_account_type,
     controllers::cart::{resolve_cart, CART_COOKIE},
-    models::{customer_profiles::{self, ProfileFields}, order_items, orders, shipping_methods},
+    mailers::auth::AuthMailer,
+    models::{
+        customer_profiles::{self, ProfileFields},
+        order_items, orders, shipping_methods,
+        users::{self, normalize_account_type},
+    },
     controllers::i18n::current_lang,
     shared::{guard, money::format_price, settings},
     views::checkout as view,
@@ -41,6 +46,8 @@ struct CheckoutForm {
     pickup_point_name: Option<String>,
     // Present (as "on") only when a logged-in customer ticks "save my address".
     save_profile: Option<String>,
+    // Present only when a guest ticks "create an account from this order".
+    create_account: Option<String>,
 }
 
 fn trimmed(value: &str) -> Option<String> {
@@ -119,9 +126,13 @@ async fn checkout_page(
             "packeta_api_key": settings::get(&ctx, "packeta_api_key").unwrap_or(""),
             "logged_in_admin": is_admin,
             "logged_in_customer": is_customer,
+            // A logged-in customer's account type is fixed; only guests pick it
+            // and may opt to create an account from the order.
+            "account_fixed": is_customer,
+            "can_create_account": user.is_none(),
             "prefill_email": user.as_ref().filter(|_| is_customer).map(|u| u.email.clone()),
             "prefill_name": user.as_ref().filter(|_| is_customer).map(|u| u.name.clone()),
-            "prefill_account_type": profile.as_ref().map_or("personal", |x| x.account_type.as_str()),
+            "prefill_account_type": user.as_ref().filter(|_| is_customer).map_or("personal", |u| u.account_type.as_str()),
             "prefill_company_name": p(|x| x.company_name.clone()),
             "prefill_company_id": p(|x| x.company_id.clone()),
             "prefill_tax_id": p(|x| x.tax_id.clone()),
@@ -169,9 +180,20 @@ async fn place_order(
     let zip = require(&form.zip, "zip")?;
     let country = require(&form.country, "country")?;
 
+    // The account type is fixed for a logged-in customer (taken from their
+    // account, never the form); a guest picks it on the form. Admins are treated
+    // as guests here.
+    let current_user = guard::current_user(&ctx, &jar).await;
+    let logged_in_customer = current_user
+        .as_ref()
+        .filter(|u| !guard::is_admin(&ctx, u));
+    let account_type = match logged_in_customer {
+        Some(u) => u.account_type.clone(),
+        None => normalize_account_type(form.account_type.as_deref()),
+    };
+
     // Company purchases must carry the invoicing identifiers (IČO + DIČ
     // required, IČ DPH optional). Personal orders carry none.
-    let account_type = normalize_account_type(form.account_type.as_deref());
     let (company_name, company_id, tax_id, vat_id) = if account_type == "company" {
         (
             Some(require(form.company_name.as_deref().unwrap_or(""), "company name")?),
@@ -207,29 +229,70 @@ async fn place_order(
         (None, None)
     };
 
-    // If a logged-in customer opted in, persist this address to their profile
-    // so the next checkout is prefilled. Phone is stored split (prefix + number)
-    // to match the profile/checkout fields. Best-effort: a failure here is logged
-    // but must not block the order.
-    if form.save_profile.is_some() {
-        if let Some(user) = guard::current_user(&ctx, &jar).await {
-            if !guard::is_admin(&ctx, &user) {
-                let fields = ProfileFields {
-                    account_type: account_type.clone(),
-                    company_name: company_name.clone(),
-                    company_id: company_id.clone(),
-                    tax_id: tax_id.clone(),
-                    vat_id: vat_id.clone(),
-                    phone_prefix: trimmed(&form.phone_prefix),
-                    phone: Some(number.clone()),
-                    address: Some(address.clone()),
-                    city: Some(city.clone()),
-                    zip: Some(zip.clone()),
-                    country: Some(country.clone()),
-                };
-                if let Err(err) = customer_profiles::Model::upsert(&ctx.db, user.id, fields).await {
-                    tracing::error!(error = %err, user_id = user.id, "failed to save checkout profile");
+    // The address/contact captured here, ready to seed a profile (for the
+    // logged-in "save my address" opt-in or a freshly created guest account).
+    let entered_profile = || ProfileFields {
+        company_name: company_name.clone(),
+        company_id: company_id.clone(),
+        tax_id: tax_id.clone(),
+        vat_id: vat_id.clone(),
+        phone_prefix: trimmed(&form.phone_prefix),
+        phone: Some(number.clone()),
+        address: Some(address.clone()),
+        city: Some(city.clone()),
+        zip: Some(zip.clone()),
+        country: Some(country.clone()),
+    };
+
+    // Resolve the account that will own this order. A logged-in customer always
+    // owns their orders. A guest may opt to create an account from the order;
+    // the new account's type matches what they bought as, its profile is seeded
+    // from the entered details, and a "set your password" link is emailed. If
+    // the email already belongs to an account we silently fall back to a guest
+    // order (no hijacking an existing account).
+    let mut order_user_id = logged_in_customer.map(|u| u.id);
+    let mut account_created = false;
+    if order_user_id.is_none() && form.create_account.is_some() {
+        match users::Model::create_guest_account(&ctx.db, &email, &customer_name, &account_type)
+            .await
+        {
+            Ok(new_user) => {
+                if let Err(err) =
+                    customer_profiles::Model::upsert(&ctx.db, new_user.id, entered_profile()).await
+                {
+                    tracing::error!(error = %err, user_id = new_user.id, "failed to seed guest profile");
                 }
+                let user_id = new_user.id;
+                match new_user.into_active_model().set_forgot_password_sent(&ctx.db).await {
+                    Ok(user) => {
+                        if let Err(err) = AuthMailer::send_set_password(&ctx, &user).await {
+                            tracing::error!(error = %err, "failed to send set-password email");
+                        }
+                        order_user_id = Some(user_id);
+                        account_created = true;
+                    }
+                    Err(err) => {
+                        tracing::error!(error = %err, "failed to issue set-password token");
+                        order_user_id = Some(user_id);
+                    }
+                }
+            }
+            Err(ModelError::EntityAlreadyExists {}) => {
+                tracing::info!(email = %email, "checkout account-create skipped: email already registered");
+            }
+            Err(err) => tracing::error!(error = %err, "failed to create checkout account"),
+        }
+    }
+
+    // If a logged-in customer opted in, persist this address to their profile so
+    // the next checkout is prefilled. Best-effort: a failure here is logged but
+    // must not block the order.
+    if form.save_profile.is_some() {
+        if let Some(user) = logged_in_customer {
+            if let Err(err) =
+                customer_profiles::Model::upsert(&ctx.db, user.id, entered_profile()).await
+            {
+                tracing::error!(error = %err, user_id = user.id, "failed to save checkout profile");
             }
         }
     }
@@ -241,6 +304,7 @@ async fn place_order(
             email,
             phone,
             customer_name: Some(customer_name),
+            user_id: order_user_id,
             account_type,
             company_name,
             company_id,
@@ -259,9 +323,14 @@ async fn place_order(
     )
     .await?;
 
+    let target = if account_created {
+        format!("/orders/{}?account_created=1", order.order_number)
+    } else {
+        format!("/orders/{}", order.order_number)
+    };
     format::render()
         .cookies(&[cleared_cart_cookie()])?
-        .redirect(&format!("/orders/{}", order.order_number))
+        .redirect(&target)
 }
 
 #[debug_handler]
@@ -269,6 +338,7 @@ async fn order_confirmation(
     jar: CookieJar,
     ViewEngine(v): ViewEngine<TeraView>,
     Path(order_number): Path<String>,
+    Query(params): Query<std::collections::HashMap<String, String>>,
     State(ctx): State<AppContext>,
 ) -> Result<Response> {
     let order = orders::Entity::find()
@@ -281,6 +351,7 @@ async fn order_confirmation(
         .all(&ctx.db)
         .await?;
     let (logged_in_admin, logged_in_customer) = guard::chrome(&ctx, &jar).await;
+    let account_created = params.contains_key("account_created");
 
     format::view(
         &v,
@@ -294,6 +365,7 @@ async fn order_confirmation(
             "items": view::items(&items),
             "logged_in_admin": logged_in_admin,
             "logged_in_customer": logged_in_customer,
+            "account_created": account_created,
             "lang": current_lang(&jar),
         }),
     )