There seemingly shouldn't be any case where this controller actually receives a token param. There's only one place that creates URLs that direct to this controller (Stripe authorization emails), and they do not attach any kind of token to the URL.
If the user is not logged in here (or doesn't have an access_token in their session), they get asked to log in.
Note to future devs: see previous commit for additional context.
There are 4 or 5 different places in the app where we reference a :token and params[:token] for completely different purposes (they're not even vaguely the *same* token).
This is an attempt to clarify the places in the app where we use params[:token] in relation to *orders*, for allowing guest users (who are not logged in) to view details of an order they have placed (like after checkout completion), and differentiate it from the various other places where params[:token] can actually be used for something entirely different!
This construct was previously used in Spree to switch out the user class with a dummy class during certain tests. We don't use this any more, so it's just mess.
🔥
The code here runs from a callback which was originally designed to make sure the checkout page was set up correctly in the "normal" checkout workflow. It wasn't really designed to be run when the page is being loaded a second time due to the user being redirected back from Stripe (with SCA). The things it's doing here are necessary in the former case, but a really bad idea in the latter (potentially messing up the order's ship and bill addresses in certain cases like guest checkout).
A little micro-optimisation: `@order.checkout_allowed?` requires a database query, whereas `@order.completed?` does not. So in cases where the order is completed we can return early here before hitting the database.
This `session[:guest_token]` doesn't seem to ever be assigned anywhere in the codebase, and it doesn't seem to be read at any point either? There are various places where `current_order.token` is used and `session[:access_token]` is used, but not this.
As far as I can tell: it was part of an old version of Spree and related to the spree_auth_devise gem (which we no longer use).
Calling `when variant.id in enterprise_rules` raised an error when enterprise_rules was null.
Fixing this then revealed a missing require statement in a controller.