@blamejs/blamejs-shop 0.1.5 → 0.1.6

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.1.x
 
+- v0.1.6 (2026-05-25) — **Claim past guest orders when a shopper signs in.** A shopper who checked out as a guest and later signs in with a provider-verified email now finds those past orders attached to their account. Checkout records a hash of the buyer's email on the order; on Google sign-in, orders placed under that same email — and not yet owned by anyone — are claimed into the account. Linking happens only on an email the identity provider verified, never on an unverified one, so it can't be used to steal another shopper's order history. **Added:** *Guest-order reconciliation on sign-in* — Orders now carry a `customer_email_hash` (migration 0206), written at checkout from the buyer's email with the same key the customers table uses. On a verified Google sign-in, `order.linkGuestOrdersByEmailHash` claims every ownerless order under that email into the account — so prior guest purchases appear in /account and satisfy customer-scoped checks (e.g. verified-buyer reviews). Only ownerless orders are touched (an order already attached to a customer is never reassigned), and only a provider-verified email triggers a link.
+
 - v0.1.5 (2026-05-25) — **Tell operators how to turn each integration on.** Every third-party integration (Stripe card checkout, Apple/Google Pay, Sign in with Google) is off by default and only activates when you supply its credentials. This release documents exactly what to set for each — in the README, in a new .env.example, and in the admin console itself. A signed-in operator opens /admin/integrations to see, at a glance, which integrations are live and the precise environment variables (or one-time action) needed to enable the rest. Nothing is enabled without your keys. **Added:** *Admin integrations status page* — `/admin/integrations` lists each integration with a live Enabled / Not configured status and the exact variables or action to turn it on — Stripe keys, the payment-method-domain registration for wallets, the Google OAuth client + redirect URI. Read-only; secrets are never rendered. Linked from the admin landing. · *Operator setup docs* — A README "Optional integrations" section and a top-level `.env.example` enumerate every environment variable, what capability it unlocks, and the external setup (e.g. the Google OAuth redirect URI, the Stripe webhook path). Both note that Apple sign-in + PayPal are planned and that Shop Pay / "Sign in with Shop" isn't available to a self-hosted store.
 
 - v0.1.4 (2026-05-25) — **Sign in with Google.** Customers can sign in with Google alongside passkeys. The account login page gains a Continue with Google button; the OIDC authorization-code flow (PKCE, state, nonce, ID-token verification) runs through the framework's OAuth adapter, and the verified identity becomes a shop session. Accounts are keyed on the provider's stable subject, and an existing account is only ever linked on an email the provider has verified — an unverified email that collides with an existing account is refused rather than linked. A cart built before signing in is adopted into the account, so checkout attaches the order to the customer. **Added:** *Google sign-in* — Mounts `/account/login/google` + `/account/auth/google/callback` when the operator sets `GOOGLE_OAUTH_CLIENT_ID`, `GOOGLE_OAUTH_CLIENT_SECRET`, and `SHOP_ORIGIN`. The in-flight state (CSRF state + nonce + PKCE verifier) rides a sealed, /account-scoped, SameSite=Lax cookie; the callback verifies the state before exchanging the code. A forged or stale callback is dropped to the login page. On success the guest session cart is adopted into the account (`cart.setCustomer`), matching the passkey path. · *Federated identity model + safe account linking* — `customers.signInWithOIDC` resolves a verified sign-in to a customer: an existing `(provider, subject)` link, else — only on a provider-verified email — an existing account with that email, else a new account. It never links to an existing account on an unverified email (account-takeover defense). New `customer_oauth_identities` table (migration 0205) + `customers.byOAuthIdentity`.

package/README.md

@@ -93,6 +93,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 - `migrations-d1/0026_customer_addresses.sql` — per-customer address book (default shipping/billing flags)
 - `migrations-d1/0023_returns.sql` — return authorizations + lines (RMA lifecycle FSM)
 - `migrations-d1/0205_customer_oauth_identities.sql` — federated sign-in identities (provider + subject, verified-email gating)
+- `migrations-d1/0206_orders_email_hash.sql` — queryable buyer-email hash on orders (guest-order reconciliation key)
 - `migrations-d1/0043_collections.sql` — manual + smart product collections (members + rules + sort strategy)
 - `migrations-d1/0050_recently_viewed.sql` — per-customer / per-session product browse history (dedup + per-subject cap)
 

package/lib/checkout.js

@@ -96,6 +96,10 @@ function create(deps) {
   var payment       = deps.payment;
   var order         = deps.order;
   var subscriptions = deps.subscriptions || null;
+  // Optional — when wired, the buyer email is hashed (via the same
+  // customers.hashEmail keying the customers table) and stored on the
+  // order so a later verified-email sign-in can claim the guest order.
+  var customers     = deps.customers || null;
 
   // Compose a quote from a cart + ship-to + (optional) selected
   // shipping service. Pure read — no DB writes.
@@ -219,6 +223,9 @@ function create(deps) {
         grand_total_minor: quote.totals.grand_total_minor,
         payment_intent_id: pi.id,
         ship_to:           input.ship_to,
+        // Hash of the buyer email (same key as the customers table) so a
+        // later verified-email sign-in can claim this guest order.
+        customer_email_hash: customers ? customers.hashEmail(email) : null,
         lines:             quote.lines.map(function (l) {
           return {
             variant_id:        l.variant_id,

package/lib/order.js

@@ -174,13 +174,14 @@ function create(opts) {
       await query(
         "INSERT INTO orders (id, cart_id, customer_id, session_id, status, currency, " +
         "subtotal_minor, discount_minor, tax_minor, shipping_minor, grand_total_minor, " +
-        "payment_intent_id, ship_to_json, created_at, updated_at) " +
-        "VALUES (?1, ?2, ?3, ?4, 'pending', ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?13)",
+        "payment_intent_id, ship_to_json, customer_email_hash, created_at, updated_at) " +
+        "VALUES (?1, ?2, ?3, ?4, 'pending', ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14, ?14)",
         [
           id, input.cart_id, input.customer_id || null, input.session_id,
           input.currency, input.subtotal_minor, input.discount_minor,
           input.tax_minor, input.shipping_minor, input.grand_total_minor,
-          input.payment_intent_id || null, JSON.stringify(input.ship_to), ts,
+          input.payment_intent_id || null, JSON.stringify(input.ship_to),
+          input.customer_email_hash || null, ts,
         ],
       );
       for (var i = 0; i < input.lines.length; i += 1) {
@@ -369,6 +370,26 @@ function create(opts) {
       return await this.get(orderId);
     },
 
+    // Claim guest orders into a customer account by matching the
+    // recorded buyer-email hash. The CALLER must only pass a hash for an
+    // email the identity provider VERIFIED — this method does not (and
+    // cannot) re-verify; linking an unverified email would be account
+    // takeover. Only touches orders with no owner yet (customer_id IS
+    // NULL), so it never re-assigns another customer's order. Returns
+    // the count linked.
+    linkGuestOrdersByEmailHash: async function (customerId, emailHash) {
+      _uuid(customerId, "customer id");
+      if (typeof emailHash !== "string" || !emailHash.length) {
+        throw new TypeError("order.linkGuestOrdersByEmailHash: emailHash must be a non-empty string");
+      }
+      var r = await query(
+        "UPDATE orders SET customer_id = ?1, updated_at = ?2 " +
+        "WHERE customer_id IS NULL AND customer_email_hash = ?3",
+        [customerId, _now(), emailHash],
+      );
+      return Number(r.rowCount || 0);
+    },
+
     // Has this customer purchased this product? True iff an order
     // line for any variant of the product sits in an order owned by
     // the customer whose status is a real purchase — anything except

package/lib/storefront.js

@@ -3294,6 +3294,15 @@ function mount(router, deps) {
             if (anonCart) await deps.cart.setCustomer(anonCart.id, rv.customer.id);
           } catch (_e) { /* best-effort merge; sign-in itself succeeds */ }
         }
+        // Claim prior guest orders placed under this email — ONLY because
+        // the provider verified it (claims.email_verified). Links orders
+        // with no owner yet whose recorded email hash matches; best-effort.
+        if (claims.email_verified === true && claims.email && deps.order &&
+            typeof deps.order.linkGuestOrdersByEmailHash === "function") {
+          try {
+            await deps.order.linkGuestOrdersByEmailHash(rv.customer.id, deps.customers.hashEmail(claims.email));
+          } catch (_e) { /* best-effort reconciliation; sign-in succeeds regardless */ }
+        }
         _setAuthCookie(res, { customer_id: rv.customer.id, exp: Date.now() + _b().constants.TIME.days(14) });
         res.status(303); res.setHeader && res.setHeader("location", "/account");
         return res.end ? res.end() : res.send("");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.1.5",
+  "version": "0.1.6",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {