refactor: extract cart storage to dedicated API controller with dynamic frontend URLs

- Added dedicated CartsController for session-based cart storage
- Refactored routes to use POST /api/v1/carts/store
- Updated ticket selection JS to use dynamic data attributes for URLs
- Fixed CSRF protection in API and checkout payment increment
- Made checkout button URLs dynamic via data attributes
- Updated tests for new cart storage endpoint
- Removed obsolete store_cart from EventsController

app/controllers/api/v1/carts_controller.rb

@@ -0,0 +1,25 @@
+module Api
+  module V1
+    class CartsController < ApiController
+      # Skip API key authentication for store_cart action (used by frontend forms)
+      skip_before_action :authenticate_api_key, only: [ :store ]
+
+      def store
+        event_id = params[:event_id]
+        @event = Event.find(event_id)
+
+        cart_data = params[:cart] || {}
+        session[:pending_cart] = cart_data
+        session[:event_id] = @event.id
+
+        render json: { status: "success", message: "Cart stored successfully" }
+      rescue ActiveRecord::RecordNotFound
+        render json: { status: "error", message: "Event not found" }, status: :not_found
+      rescue => e
+        error_message = e.message.present? ? e.message : "Unknown error"
+        Rails.logger.error "Error storing cart: #{error_message}"
+        render json: { status: "error", message: "Failed to store cart" }, status: 500
+      end
+    end
+  end
+end

app/controllers/api/v1/orders_controller.rb

@@ -4,9 +4,6 @@
 module Api
   module V1
     class OrdersController < ApiController
-      # Skip API key authentication for store_cart action (used by frontend forms)
-      skip_before_action :authenticate_api_key, only: [ :store_cart ]
-
       before_action :set_order, only: [ :show, :checkout, :retry_payment, :increment_payment_attempt ]
       before_action :set_event, only: [ :new, :create ]