Added
- Stripe payments (Checkout) across the whole flow: new orders, single-server, renewals, and upgrades — fully integrated with invoicing
- Multiple payment methods auto-shown by Stripe (Card, Google Pay, iDEAL, Bancontact…) based on customer country
- "Pay with Card" appears automatically when Stripe keys are set
Fixed
- CSRF token handling (double-submit cookie + no-store) — resolves random 403 errors
- Login sessions now persist correctly behind a proxy / Cloudflare
- Server provisioning 422 (split_limit) on newer Pterodactyl panels
- Pterodactyl user linking when a panel user already exists
- Free orders ($0 after wallet/discount) now activate correctly (cart + single)
- Client server deletion 403
- Removed leftover Cloudflare email-decode script
Setup
- Add STRIPE_SECRET_KEY, STRIPE_PUBLISHABLE_KEY, STRIPE_WEBHOOK_SECRET to .env, then run: npm install
- See SETUP.md for full Stripe setup steps
This update improves authentication reliability and fixes a few setup-related issues.
What's fixed
- Fixed login sessions not persisting behind a reverse proxy / Cloudflare. Sessions are now saved correctly after login, with proper trust-proxy handling and secure cookie auto-detection.
- Fixed the "Invalid or missing CSRF token" error across login, registration and all forms. The CSRF token endpoint is now cache-proof and uses a double-submit cookie so the token is always valid.
- Unified CSRF token handling across all front-end scripts so no page can send an empty token.
- Removed a leftover Cloudflare email-decode script that was accidentally baked into index.html and caused a console error.
Notes for setup
- Registration and Google/Discord login require a Pterodactyl Application API key with "Users: Read & Write" permission (Admin Area > Application API). A read-only key will cause registration to fail.
- If your mail server blocks port 465, use SMTP_PORT=587 in your .env.
This is a drop-in update.
Upgrade
1. Replace your files with this version.
2. npm install
3. pm2 restart tovhost
4. Make sure BASE_URL in .env matches your real HTTPS domain.
No database changes required.
This update resolves an authentication edge case and hardens the CSRF protection layer across the entire platform.
What's fixed
- Fixed the "Invalid or missing CSRF token" error that could appear on login, register, and other form submissions.
- The CSRF token endpoint is now fully cache-proof (no-store), preventing CDN/Cloudflare from ever serving a cached token to the wrong session — the root cause of intermittent token mismatches behind a reverse proxy.
- Added a readable per-session CSRF cookie (double-submit pattern) so every page and script always has a fresh, valid token, even when the page HTML is served from cache.
- CSRF validation now uses constant-time comparison for stronger security.
What's improved
- Unified CSRF token handling across all front-end modules (login, account, console, wallet, tickets, services, admin panels) — no page can send an empty token anymore.
- Added a resilient fallback so a temporary session-store hiccup no longer breaks form submissions.
- Login, registration, 2FA, Google/Discord OAuth, and all dashboard actions verified working end-to-end.
Security is fully preserved — invalid or missing tokens are still rejected (403). This is a drop-in update.
Upgrade
1. Replace your project files with this version.
2. Run: npm install
3. Restart: pm2 restart tovhost
4. Make sure BASE_URL in your .env matches your real HTTPS domain.
No database changes required.
