From 0c9c5a643937f2a59c3d69f645fa0bd43bd5310c Mon Sep 17 00:00:00 2001
From: Tobias Hagemann <tobias.hagemann@skymatic.de>
Date: Tue, 9 Jun 2026 23:25:13 +0200
Subject: [PATCH 1/2] Return Hub license via URL fragment and stash billing
 params to avoid long-token URL breakage

---
 assets/js/hubsubscription.js     | 49 +++++++++++++++++++++++++++++---
 layouts/hub-billing/single.html  |  4 +--
 layouts/hub-register/single.html |  4 +--
 3 files changed, 49 insertions(+), 8 deletions(-)

diff --git a/assets/js/hubsubscription.js b/assets/js/hubsubscription.js
index 2edc6d4cf..d839b460a 100644
--- a/assets/js/hubsubscription.js
+++ b/assets/js/hubsubscription.js
@@ -6,14 +6,15 @@ const GENERATE_PAY_LINK_URL = LEGACY_STORE_URL + '/hub/generate-pay-link';
 const MANAGE_SUBSCRIPTION_URL = LEGACY_STORE_URL + '/hub/manage-subscription';
 const UPDATE_PAYMENT_METHOD_URL = LEGACY_STORE_URL + '/hub/update-payment-method';
 const REFRESH_LICENSE_URL = API_BASE_URL + '/licenses/hub/refresh';
+const FRAGMENT_PARAMS_STORAGE_KEY = 'hubSubscriptionParams';
 
 class HubSubscription {
 
   constructor(form, subscriptionData, searchParams) {
     this._form = form;
     this._subscriptionData = subscriptionData;
-    let fragmentParams = new URLSearchParams(location.hash.substring(1));
-    this._subscriptionData.oldLicense = fragmentParams.get('oldLicense');
+    let restoredParams = this.resolveParams();
+    this._subscriptionData.oldLicense = restoredParams.oldLicense;
     if (this._subscriptionData.oldLicense) {
       try {
         let base64 = this._subscriptionData.oldLicense.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
@@ -24,9 +25,10 @@ class HubSubscription {
       }
     }
     this._subscriptionData.hubId = this._subscriptionData.hubId ?? searchParams.get('hub_id');
-    let returnUrl = fragmentParams.get('returnUrl') ?? searchParams.get('return_url');
+    let returnUrl = restoredParams.returnUrl ?? searchParams.get('return_url');
     if (returnUrl) {
       this._subscriptionData.returnUrl = returnUrl;
+      this._subscriptionData.returnUrlFromFragment = restoredParams.returnUrlFromFragment;
     }
     this._subscriptionData.session = searchParams.get('session');
     if (this._subscriptionData.hubId && this._subscriptionData.hubId.length > 0 && this._subscriptionData.returnUrl && this._subscriptionData.returnUrl.length > 0) {
@@ -46,6 +48,39 @@ class HubSubscription {
     });
   }
 
+  resolveParams() {
+    let fragmentParams = new URLSearchParams(location.hash.substring(1));
+    let oldLicense = fragmentParams.get('oldLicense');
+    let returnUrl = fragmentParams.get('returnUrl');
+    if (oldLicense || returnUrl) {
+      let params = { oldLicense: oldLicense, returnUrl: returnUrl, returnUrlFromFragment: returnUrl != null };
+      try {
+        sessionStorage.setItem(FRAGMENT_PARAMS_STORAGE_KEY, JSON.stringify(params));
+      } catch (e) {
+        console.error('Failed to persist hub billing parameters:', e);
+      }
+      // The oldLicense token is long enough that leaving it in the page URL breaks Paddle checkout, so we drop the fragment regardless of whether the stash succeeded.
+      history.replaceState(null, '', location.pathname + location.search);
+      return params;
+    }
+    let searchParams = new URLSearchParams(location.search);
+    let emptyParams = { oldLicense: null, returnUrl: null, returnUrlFromFragment: false };
+    try {
+      if (searchParams.has('hub_id') || searchParams.has('return_url')) {
+        // A fresh flow carries its own query params, so any stashed fragment from an earlier, abandoned flow is stale and must not override it.
+        sessionStorage.removeItem(FRAGMENT_PARAMS_STORAGE_KEY);
+        return emptyParams;
+      }
+      let stored = sessionStorage.getItem(FRAGMENT_PARAMS_STORAGE_KEY);
+      if (stored) {
+        return JSON.parse(stored);
+      }
+    } catch (e) {
+      console.error('Failed to restore hub billing parameters:', e);
+    }
+    return emptyParams;
+  }
+
   loadSubscription() {
     this.loadCustomBilling(() => {
       this.loadPrice(() => {
@@ -535,7 +570,13 @@ class HubSubscription {
   }
 
   transferTokenToHub() {
-    window.open(this._subscriptionData.returnUrl + '?token=' + this._subscriptionData.token, '_self');
+    try {
+      sessionStorage.removeItem(FRAGMENT_PARAMS_STORAGE_KEY);
+    } catch (e) {
+      console.error('Failed to clear hub billing parameters:', e);
+    }
+    let separator = this._subscriptionData.returnUrlFromFragment ? '#' : '?';
+    location.href = this._subscriptionData.returnUrl + separator + 'token=' + this._subscriptionData.token;
   }
 
 }
diff --git a/layouts/hub-billing/single.html b/layouts/hub-billing/single.html
index b237b57d8..fcc2a2be7 100644
--- a/layouts/hub-billing/single.html
+++ b/layouts/hub-billing/single.html
@@ -3,7 +3,7 @@
 {{ end }}
 {{ define "main" }}
   <div class="container pt-12 pb-24">
-    <form x-data="{subscriptionData: {state: 'MISSING_PARAMS', captcha: null, hubId: null, returnUrl: null, session: null, oldLicense: null, customBilling: null, billingInterval: 'yearly', savingsPercent: null, errorMessage: '', inProgress: false, restartModal: {open: false, nextPayment: null}, changeSeatsModal: {open: false, confirmation: false, immediatePayment: null}, token: null, details: null, quantity: 5, email: '', needsTokenRefresh: false, shouldTransferToHub: false}, acceptTerms: false, hubSubscription: null, captchaState: null}" x-init="hubSubscription = new HubSubscription($refs.form, subscriptionData, new URLSearchParams(location.search))" x-ref="form" @submit.prevent="hubSubscription.createSession(); $refs.captcha.reset()">
+    <form x-data="{subscriptionData: {state: 'MISSING_PARAMS', captcha: null, hubId: null, returnUrl: null, returnUrlFromFragment: false, session: null, oldLicense: null, customBilling: null, billingInterval: 'yearly', savingsPercent: null, errorMessage: '', inProgress: false, restartModal: {open: false, nextPayment: null}, changeSeatsModal: {open: false, confirmation: false, immediatePayment: null}, token: null, details: null, quantity: 5, email: '', needsTokenRefresh: false, shouldTransferToHub: false}, acceptTerms: false, hubSubscription: null, captchaState: null}" x-init="hubSubscription = new HubSubscription($refs.form, subscriptionData, new URLSearchParams(location.search))" x-ref="form" @submit.prevent="hubSubscription.createSession(); $refs.captcha.reset()">
       <template x-if="subscriptionData.state == 'MISSING_PARAMS'">
         <div class="text-center max-w-xl mx-auto">
           <h3 class="font-headline text-xl md:text-2xl leading-relaxed mb-4">
@@ -354,7 +354,7 @@ <h3 class="font-h3 mb-4 md:mb-0">
                       {{ i18n "hub_billing_checkout_community_cta" . }}
                     </p>
                   </div>
-                  <a :href="`{{ "hub/register" | relLangURL }}#oldLicense=${encodeURIComponent(subscriptionData.oldLicense)}&returnUrl=${encodeURIComponent(subscriptionData.returnUrl)}`" role="button" class="btn btn-primary w-full">
+                  <a :href="`{{ "hub/register" | relLangURL }}#oldLicense=${encodeURIComponent(subscriptionData.oldLicense)}&returnUrl=${encodeURIComponent(subscriptionData.returnUrl)}&returnUrlFromFragment=${subscriptionData.returnUrlFromFragment}`" role="button" class="btn btn-primary w-full">
                     <i class="fa-solid fa-user-plus"></i>
                     {{ i18n "hub_billing_checkout_community_action" . }}
                   </a>
diff --git a/layouts/hub-register/single.html b/layouts/hub-register/single.html
index b6b7ec40d..eec8aedcf 100644
--- a/layouts/hub-register/single.html
+++ b/layouts/hub-register/single.html
@@ -2,7 +2,7 @@
   {{ partial "altcha-css.html" . }}
 {{ end }}
 {{ define "main" }}
-  <section x-data="{steps: ['{{ i18n "hub_ce_registration_step_1_nav_title" }}', '{{ i18n "hub_ce_registration_step_2_confirmation_nav_title" }}', '{{ i18n "hub_ce_registration_step_3_license_nav_title" }}'], feedbackData: {currentStep: 0, success: false, inProgress: false, errorMessage: '', licenseText: null, emailSent: false, emailVerified: false}, submitData: {captcha: null, oldLicense: '', email: '', acceptNewsletter: false}, acceptTerms: false, hubCE: null, captchaState: null, returnUrl: null}" x-init="const params = new URLSearchParams(location.hash.substring(1)); returnUrl = params.get('returnUrl'); hubCE = new HubCE($refs.form, feedbackData, submitData, params)" class="container py-12">
+  <section x-data="{steps: ['{{ i18n "hub_ce_registration_step_1_nav_title" }}', '{{ i18n "hub_ce_registration_step_2_confirmation_nav_title" }}', '{{ i18n "hub_ce_registration_step_3_license_nav_title" }}'], feedbackData: {currentStep: 0, success: false, inProgress: false, errorMessage: '', licenseText: null, emailSent: false, emailVerified: false}, submitData: {captcha: null, oldLicense: '', email: '', acceptNewsletter: false}, acceptTerms: false, hubCE: null, captchaState: null, returnUrl: null, returnUrlFromFragment: false}" x-init="const params = new URLSearchParams(location.hash.substring(1)); returnUrl = params.get('returnUrl'); returnUrlFromFragment = params.get('returnUrlFromFragment') === 'true'; hubCE = new HubCE($refs.form, feedbackData, submitData, params)" class="container py-12">
     <header class="mb-6">
       <h1 class="font-h1 mb-8">{{ .Title }}</h1>
       <p class="lead">{{ i18n "hub_ce_registration_description" }}</p>
@@ -188,7 +188,7 @@ <h2 class="font-h2 mb-6">
                 <p class="font-p mb-4">{{ i18n "hub_ce_registration_step_3_success" }}</p>
                 <textarea class="block input-box w-full h-32 md:h-48 mb-8" x-text="feedbackData.licenseText" readonly></textarea>
                 <div class="mt-auto">
-                  <a :href="returnUrl + '?token=' + encodeURIComponent(feedbackData.licenseText)" class="btn btn-primary w-full md:w-64" data-umami-event="hub-ce-registration-return-to-hub">
+                  <a :href="returnUrl + (returnUrlFromFragment ? '#' : '?') + 'token=' + encodeURIComponent(feedbackData.licenseText)" class="btn btn-primary w-full md:w-64" data-umami-event="hub-ce-registration-return-to-hub">
                     <i class="fa-solid fa-chevron-right" aria-hidden="true"></i>
                     Todo: Return to Hub
                   </a>

From cd957f064d5e9194f033b03d6316feec19186a18 Mon Sep 17 00:00:00 2001
From: Tobias Hagemann <tobias.hagemann@skymatic.de>
Date: Wed, 10 Jun 2026 10:59:01 +0200
Subject: [PATCH 2/2] Split Hub billing param resolution into explicit helpers
 and build return URLs via URL API

---
 assets/js/hubce.js               | 13 +++++-
 assets/js/hubsubscription.js     | 74 ++++++++++++++++++++++----------
 layouts/hub-register/single.html | 12 +++---
 3 files changed, 70 insertions(+), 29 deletions(-)

diff --git a/assets/js/hubce.js b/assets/js/hubce.js
index f650a8260..37cf7ea68 100644
--- a/assets/js/hubce.js
+++ b/assets/js/hubce.js
@@ -13,6 +13,7 @@ class HubCE {
     this._searchParams = searchParams;
     this._submitData.oldLicense = searchParams.get('oldLicense');
     this._submitData.returnUrl = searchParams.get('returnUrl');
+    this._submitData.returnUrlFromFragment = searchParams.get('returnUrlFromFragment') === 'true';
 
     // continue after email verified:
     if (searchParams.get('verifiedEmail')) {
@@ -111,4 +112,14 @@ class HubCE {
     this._feedbackData.errorMessage = '';
   }
 
-}
\ No newline at end of file
+  returnToHubUrl() {
+    let url = new URL(this._submitData.returnUrl);
+    if (this._submitData.returnUrlFromFragment) {
+      url.hash = 'token=' + encodeURIComponent(this._feedbackData.licenseText);
+    } else {
+      url.searchParams.set('token', this._feedbackData.licenseText);
+    }
+    return url.href;
+  }
+
+}
diff --git a/assets/js/hubsubscription.js b/assets/js/hubsubscription.js
index d839b460a..506433b8f 100644
--- a/assets/js/hubsubscription.js
+++ b/assets/js/hubsubscription.js
@@ -7,6 +7,7 @@ const MANAGE_SUBSCRIPTION_URL = LEGACY_STORE_URL + '/hub/manage-subscription';
 const UPDATE_PAYMENT_METHOD_URL = LEGACY_STORE_URL + '/hub/update-payment-method';
 const REFRESH_LICENSE_URL = API_BASE_URL + '/licenses/hub/refresh';
 const FRAGMENT_PARAMS_STORAGE_KEY = 'hubSubscriptionParams';
+const EMPTY_PARAMS = { oldLicense: null, returnUrl: null, returnUrlFromFragment: false };
 
 class HubSubscription {
 
@@ -49,28 +50,54 @@ class HubSubscription {
   }
 
   resolveParams() {
+    let fragmentParams = this.parseFragmentParams();
+    if (fragmentParams) {
+      this.persistParams(fragmentParams);
+      return fragmentParams;
+    }
+    if (this.isFreshFlow()) {
+      // A fresh flow carries its own query params, so any stashed fragment from an earlier, abandoned flow is stale and must not override it.
+      this.clearPersistedParams();
+      return EMPTY_PARAMS;
+    }
+    return this.restorePersistedParams();
+  }
+
+  parseFragmentParams() {
     let fragmentParams = new URLSearchParams(location.hash.substring(1));
     let oldLicense = fragmentParams.get('oldLicense');
     let returnUrl = fragmentParams.get('returnUrl');
-    if (oldLicense || returnUrl) {
-      let params = { oldLicense: oldLicense, returnUrl: returnUrl, returnUrlFromFragment: returnUrl != null };
-      try {
-        sessionStorage.setItem(FRAGMENT_PARAMS_STORAGE_KEY, JSON.stringify(params));
-      } catch (e) {
-        console.error('Failed to persist hub billing parameters:', e);
-      }
-      // The oldLicense token is long enough that leaving it in the page URL breaks Paddle checkout, so we drop the fragment regardless of whether the stash succeeded.
-      history.replaceState(null, '', location.pathname + location.search);
-      return params;
+    if (!oldLicense && !returnUrl) {
+      return null;
     }
+    return { oldLicense: oldLicense, returnUrl: returnUrl, returnUrlFromFragment: returnUrl != null };
+  }
+
+  persistParams(params) {
+    try {
+      sessionStorage.setItem(FRAGMENT_PARAMS_STORAGE_KEY, JSON.stringify(params));
+    } catch (e) {
+      console.error('Failed to persist hub billing parameters:', e);
+    }
+    // The oldLicense token is long enough that leaving it in the page URL breaks Paddle checkout, so we drop the fragment regardless of whether the stash succeeded.
+    history.replaceState(null, '', location.pathname + location.search);
+  }
+
+  isFreshFlow() {
     let searchParams = new URLSearchParams(location.search);
-    let emptyParams = { oldLicense: null, returnUrl: null, returnUrlFromFragment: false };
+    return searchParams.has('hub_id') || searchParams.has('return_url');
+  }
+
+  clearPersistedParams() {
+    try {
+      sessionStorage.removeItem(FRAGMENT_PARAMS_STORAGE_KEY);
+    } catch (e) {
+      console.error('Failed to clear hub billing parameters:', e);
+    }
+  }
+
+  restorePersistedParams() {
     try {
-      if (searchParams.has('hub_id') || searchParams.has('return_url')) {
-        // A fresh flow carries its own query params, so any stashed fragment from an earlier, abandoned flow is stale and must not override it.
-        sessionStorage.removeItem(FRAGMENT_PARAMS_STORAGE_KEY);
-        return emptyParams;
-      }
       let stored = sessionStorage.getItem(FRAGMENT_PARAMS_STORAGE_KEY);
       if (stored) {
         return JSON.parse(stored);
@@ -78,7 +105,7 @@ class HubSubscription {
     } catch (e) {
       console.error('Failed to restore hub billing parameters:', e);
     }
-    return emptyParams;
+    return EMPTY_PARAMS;
   }
 
   loadSubscription() {
@@ -570,13 +597,14 @@ class HubSubscription {
   }
 
   transferTokenToHub() {
-    try {
-      sessionStorage.removeItem(FRAGMENT_PARAMS_STORAGE_KEY);
-    } catch (e) {
-      console.error('Failed to clear hub billing parameters:', e);
+    this.clearPersistedParams();
+    let url = new URL(this._subscriptionData.returnUrl);
+    if (this._subscriptionData.returnUrlFromFragment) {
+      url.hash = 'token=' + encodeURIComponent(this._subscriptionData.token);
+    } else {
+      url.searchParams.set('token', this._subscriptionData.token);
     }
-    let separator = this._subscriptionData.returnUrlFromFragment ? '#' : '?';
-    location.href = this._subscriptionData.returnUrl + separator + 'token=' + this._subscriptionData.token;
+    location.href = url.href;
   }
 
 }
diff --git a/layouts/hub-register/single.html b/layouts/hub-register/single.html
index eec8aedcf..ff354b425 100644
--- a/layouts/hub-register/single.html
+++ b/layouts/hub-register/single.html
@@ -2,7 +2,7 @@
   {{ partial "altcha-css.html" . }}
 {{ end }}
 {{ define "main" }}
-  <section x-data="{steps: ['{{ i18n "hub_ce_registration_step_1_nav_title" }}', '{{ i18n "hub_ce_registration_step_2_confirmation_nav_title" }}', '{{ i18n "hub_ce_registration_step_3_license_nav_title" }}'], feedbackData: {currentStep: 0, success: false, inProgress: false, errorMessage: '', licenseText: null, emailSent: false, emailVerified: false}, submitData: {captcha: null, oldLicense: '', email: '', acceptNewsletter: false}, acceptTerms: false, hubCE: null, captchaState: null, returnUrl: null, returnUrlFromFragment: false}" x-init="const params = new URLSearchParams(location.hash.substring(1)); returnUrl = params.get('returnUrl'); returnUrlFromFragment = params.get('returnUrlFromFragment') === 'true'; hubCE = new HubCE($refs.form, feedbackData, submitData, params)" class="container py-12">
+  <section x-data="{steps: ['{{ i18n "hub_ce_registration_step_1_nav_title" }}', '{{ i18n "hub_ce_registration_step_2_confirmation_nav_title" }}', '{{ i18n "hub_ce_registration_step_3_license_nav_title" }}'], feedbackData: {currentStep: 0, success: false, inProgress: false, errorMessage: '', licenseText: null, emailSent: false, emailVerified: false}, submitData: {captcha: null, oldLicense: '', email: '', acceptNewsletter: false}, acceptTerms: false, hubCE: null, captchaState: null, returnUrl: null}" x-init="const params = new URLSearchParams(location.hash.substring(1)); returnUrl = params.get('returnUrl'); hubCE = new HubCE($refs.form, feedbackData, submitData, params)" class="container py-12">
     <header class="mb-6">
       <h1 class="font-h1 mb-8">{{ .Title }}</h1>
       <p class="lead">{{ i18n "hub_ce_registration_description" }}</p>
@@ -188,10 +188,12 @@ <h2 class="font-h2 mb-6">
                 <p class="font-p mb-4">{{ i18n "hub_ce_registration_step_3_success" }}</p>
                 <textarea class="block input-box w-full h-32 md:h-48 mb-8" x-text="feedbackData.licenseText" readonly></textarea>
                 <div class="mt-auto">
-                  <a :href="returnUrl + (returnUrlFromFragment ? '#' : '?') + 'token=' + encodeURIComponent(feedbackData.licenseText)" class="btn btn-primary w-full md:w-64" data-umami-event="hub-ce-registration-return-to-hub">
-                    <i class="fa-solid fa-chevron-right" aria-hidden="true"></i>
-                    Todo: Return to Hub
-                  </a>
+                  <template x-if="returnUrl">
+                    <a :href="hubCE.returnToHubUrl()" class="btn btn-primary w-full md:w-64" data-umami-event="hub-ce-registration-return-to-hub">
+                      <i class="fa-solid fa-chevron-right" aria-hidden="true"></i>
+                      Todo: Return to Hub
+                    </a>
+                  </template>
                 </div>
               </div>
             </div>