From 073aa76a62874a9f830c946100c48b83fca7fa1c Mon Sep 17 00:00:00 2001
From: "g.prenaj" <gentianprenaj@gmail.com>
Date: Mon, 23 Feb 2026 15:24:15 +0100
Subject: [PATCH 1/2] test token issue

---
 src/Resources/config/services.xml             |  4 ++
 .../PaymentContextCookieSubscriber.php        | 60 +++++++++++++++++++
 .../PaymentContextRestoreSubscriber.php       |  2 +-
 3 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 src/Subscribers/PaymentContextCookieSubscriber.php

diff --git a/src/Resources/config/services.xml b/src/Resources/config/services.xml
index c7f271c4..eec0aef3 100644
--- a/src/Resources/config/services.xml
+++ b/src/Resources/config/services.xml
@@ -175,6 +175,10 @@
             <tag name="kernel.event_subscriber"/>
         </service>
 
+        <service id="Buckaroo\Shopware6\Subscribers\PaymentContextCookieSubscriber">
+            <tag name="kernel.event_subscriber"/>
+        </service>
+
         <service id="Buckaroo\Shopware6\Events\OrderStateChangeEvent">
             <argument type="service" id="Buckaroo\Shopware6\Service\TransactionService"/>
             <argument type="service" id="Buckaroo\Shopware6\Service\InvoiceService"/>
diff --git a/src/Subscribers/PaymentContextCookieSubscriber.php b/src/Subscribers/PaymentContextCookieSubscriber.php
new file mode 100644
index 00000000..314616dd
--- /dev/null
+++ b/src/Subscribers/PaymentContextCookieSubscriber.php
@@ -0,0 +1,60 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Buckaroo\Shopware6\Subscribers;
+
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\Cookie;
+use Symfony\Component\HttpKernel\Event\ResponseEvent;
+use Symfony\Component\HttpKernel\KernelEvents;
+
+/**
+ * Sets the sw-context-token cookie when we restored it from the URL (payment return).
+ * With SameSite=lax, the session cookie may not be sent on cross-site redirect from Buckaroo.
+ * By explicitly setting this cookie in the response, the next request (redirect to cart)
+ * will have it, allowing context restoration without cookie_samesite: null.
+ */
+class PaymentContextCookieSubscriber implements EventSubscriberInterface
+{
+    private const CONTEXT_TOKEN_LIFETIME_DAYS = 1;
+
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            KernelEvents::RESPONSE => ['onKernelResponse', -5],
+        ];
+    }
+
+    public function onKernelResponse(ResponseEvent $event): void
+    {
+        $request = $event->getRequest();
+        $contextToken = $request->attributes->get('sw-context-token');
+
+        if (!is_string($contextToken) || $contextToken === '') {
+            return;
+        }
+
+        // Only set cookie when we restored from URL (token was in query, not cookie)
+        $tokenFromUrl = $request->query->has('sw-context-token')
+            || $request->query->has('add_sw-context-token')
+            || $request->request->has('sw-context-token')
+            || $request->request->has('add_sw-context-token');
+        if (!$tokenFromUrl) {
+            return;
+        }
+
+        $response = $event->getResponse();
+        $expire = new \DateTimeImmutable('+' . self::CONTEXT_TOKEN_LIFETIME_DAYS . ' days');
+
+        $cookie = Cookie::create('sw-context-token')
+            ->withValue($contextToken)
+            ->withExpires($expire)
+            ->withPath('/')
+            ->withSecure($request->isSecure())
+            ->withHttpOnly(false)
+            ->withSameSite(Cookie::SAMESITE_LAX);
+
+        $response->headers->setCookie($cookie);
+    }
+}
diff --git a/src/Subscribers/PaymentContextRestoreSubscriber.php b/src/Subscribers/PaymentContextRestoreSubscriber.php
index ba8ede33..30977059 100644
--- a/src/Subscribers/PaymentContextRestoreSubscriber.php
+++ b/src/Subscribers/PaymentContextRestoreSubscriber.php
@@ -19,7 +19,7 @@ class PaymentContextRestoreSubscriber implements EventSubscriberInterface
     public static function getSubscribedEvents(): array
     {
         return [
-            KernelEvents::REQUEST => ['onKernelRequest', 50],
+            KernelEvents::REQUEST => ['onKernelRequest', 5],
         ];
     }
 

From ad0c78de29abe9f28508328b7306292382a9a2af Mon Sep 17 00:00:00 2001
From: "g.prenaj" <gentianprenaj@gmail.com>
Date: Mon, 23 Feb 2026 15:53:58 +0100
Subject: [PATCH 2/2] release 3.2.3

---
 CHANGELOG.md  | 10 +++++++++-
 composer.json |  2 +-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f9bc64c2..46bb3a83 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -402,4 +402,12 @@ Compatible from Shopware 6.5.0 up to 6.5.6.1
 
 # 3.2.2
 
-- Fix: OAuth token requests now use the correct storefront base URL including language prefix (e.g. /en) when using shop.com/en-style domains.
\ No newline at end of file
+- Fix: OAuth token requests now use the correct storefront base URL including language prefix (e.g. /en) when using shop.com/en-style domains.
+
+# 3.2.3
+
+- Fix: Session/token loss on payment cancel for multiple storefronts with different domains. Cancel URL now uses the order's sales channel domain (same approach as push URL).
+- Fix: SalesChannelContextServiceDecorator now uses context token from URL on payment return routes (buckaroo/cancel, checkout/finish, /payment/) to restore session when cookies are not sent.
+- Fix: PaymentContextRestoreSubscriber runs earlier (priority 5) to restore context before Shopware resolves the sales channel.
+- Fix: PaymentReturnContextSubscriber now appends context token to all storefront redirects (checkout, account), not just checkout/finish.
+- Added: PaymentContextCookieSubscriber to explicitly set sw-context-token cookie when restored from URL, enabling use of cookie_samesite: lax without requiring null.
\ No newline at end of file
diff --git a/composer.json b/composer.json
index 1235c0b9..c5f4b1db 100644
--- a/composer.json
+++ b/composer.json
@@ -2,7 +2,7 @@
     "name": "buckaroo/shopware6",
     "description": "Buckaroo payment provider plugin for Shopware 6",
     "type": "shopware-platform-plugin",
-    "version": "3.2.2",
+    "version": "3.2.3",
     "license": "proprietary",
     "minimum-stability": "stable",
     "require": {