From 058f0a1d8a1d5c57f67efc7fb8232b9cb7a318d2 Mon Sep 17 00:00:00 2001
From: giles
Date: Sat, 21 Feb 2026 21:13:00 +0000
Subject: [PATCH] Add csrf_exempt to SumUp webhook endpoint

SumUp POSTs to /checkout/webhook/ externally with no session, causing CSRF rejection. Mark endpoint as exempt.
Co-Authored-By: Claude Opus 4.6
---
 bp/cart/global_routes.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/bp/cart/global_routes.py b/bp/cart/global_routes.py
index a05fe46..684f663 100644
--- a/bp/cart/global_routes.py
+++ b/bp/cart/global_routes.py
@@ -31,6 +31,7 @@ from .services.checkout import (
 get_order_with_details,
 )
 from shared.browser.app.payments.sumup import create_checkout as sumup_create_checkout
+from shared.browser.app.csrf import csrf_exempt
 def register(url_prefix: str) -> Blueprint:
@@ -205,6 +206,7 @@ def register(url_prefix: str) -> Blueprint:
 return redirect(hosted_url)
+ @csrf_exempt
 @bp.post("/checkout/webhook//")
 async def checkout_webhook(order_id: int):
 """Webhook endpoint for SumUp CHECKOUT_STATUS_CHANGED events."""
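Review bot: With `@csrf_exempt` on `checkout_webhook`, the route accepts session-less POSTs for any integer `order_id`, and nothing visible in this hunk establishes that a request really came from SumUp. The function body continues outside the hunk, so confirm that it treats the POST only as a notification and re-reads the checkout status from SumUp before changing order state; I would record that next to the decorator, e.g. `# CSRF-exempt: SumUp calls this without a session; never trust the body, re-fetch the checkout status before updating the order`. Separately, `@csrf_exempt` sits above `@bp.post(...)`, so it is applied after the route decorator has run. If the helper in `shared.browser.app.csrf` returns a wrapper instead of tagging the original function, the registered view may not carry the exemption; its implementation is not shown here, so check it or add a test that POSTs to the webhook without a token.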