From 549fd27a1a03d11184e56edd1e2513abb685b50c Mon Sep 17 00:00:00 2001
From: Ben Firth
Date: Fri, 19 Jan 2024 12:01:32 +1030
Subject: [PATCH] Prevent cookie props from overwriting existing query params.
---
 src/HTTP/Response/CreateCheckout.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/HTTP/Response/CreateCheckout.php b/src/HTTP/Response/CreateCheckout.php
index 596ed05..9e5ccd2 100644
--- a/src/HTTP/Response/CreateCheckout.php
+++ b/src/HTTP/Response/CreateCheckout.php
@@ -57,14 +57,18 @@ public function afterReceive()
 $cookieObj = json_decode($decodedCookie, false);
 $urlChanged = false;
- if (isset($cookieObj->deviceId) && preg_match('/^[0-9a-z-]*$/i', $cookieObj->deviceId)) {
+ $query_str = parse_url($bodyObj->redirectCheckoutUrl, PHP_URL_QUERY);
+ $query_arr = array();
+ parse_str($query_str, $query_arr);
+
+ if (isset($cookieObj->deviceId) && !array_key_exists('device_id', $query_arr) && preg_match('/^[0-9a-z-]*$/i', $cookieObj->deviceId)) {
 $bodyObj->redirectCheckoutUrl .= "&device_id={$cookieObj->deviceId}";
 $urlChanged = true;
 }
 if (isset($cookieObj->checkout) && is_object($cookieObj->checkout)) {
 foreach ($cookieObj->checkout as $prop => $val) {
- if (preg_match('/^[0-9a-z]+$/i', $prop) && preg_match('/^[0-9a-z-]*$/i', $val)) {
+ if (!array_key_exists($prop, $query_arr) && preg_match('/^[0-9a-z]+$/i', $prop) && preg_match('/^[0-9a-z-]*$/i', $val)) {
 $bodyObj->redirectCheckoutUrl .= "&{$prop}={$val}";
 $urlChanged = true;
 }
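Review bot: The `preg_match` guards on the cookie-derived `$prop`, `$val` and `deviceId` anchor with `$`, which in PCRE also matches just before a trailing newline, so a key ending in a newline passes the pattern, is not found by the new `array_key_exists($prop, $query_arr)` check, and is still appended to `redirectCheckoutUrl`. Anchoring with `\z` (or adding the `D` modifier) closes that gap, e.g. `preg_match('/^[0-9a-z]+\z/i', $prop) && preg_match('/^[0-9a-z-]*\z/i', $val)`, with the same change on the `deviceId` pattern. Separately, `parse_url(..., PHP_URL_QUERY)` returns `null` when the URL has no query string and `false` when it cannot be parsed, so `parse_str((string) $query_str, $query_arr);` avoids handing `parse_str` a non-string. The key comparison is case-sensitive while the patterns use `/i`; whether the checkout endpoint treats parameter names case-insensitively is not visible here and is worth confirming. The body of `afterReceive()` starts before and continues after this hunk.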