Fix login and order

Frank Harris 2026-06-17 14:53:00 -05:00
parent dbecad8606
commit 484a36ce11
22 changed files with 399 additions and 520 deletions


@ -120,21 +120,20 @@ The scheduler does not call agents directly at runtime. It stores cron lines on
This makes `ogp_api.php` part of the internal scheduler runtime contract.
## Website Account, SSO, And Order Entry
## Website Account And Order Entry
| Endpoint | Auth | Purpose | Parameters | Returns |
|---|---|---|---|---|
| `Panel/modules/website/login.php` | Panel user credentials | create a website session against the shared Panel user table | username/password form | website session and redirect |
| `Panel/modules/website/logout.php` | website session | destroy website session | none | redirect to website home |
| `Panel/modules/website/sso.php?destination=panel` | website session | create a one-time token for Panel login | optional trusted return path | redirect to `Panel/sso.php` |
| `Panel/sso.php?token=...` | one-time SSO token | create normal Panel session | token | redirect to Panel page |
| `Panel/sso.php?destination=website` | Panel session | create a one-time token for website login | optional trusted return path | redirect to website SSO endpoint |
| `Panel/modules/website/sso.php?token=...` | one-time SSO token | create website session | token | redirect to website page |
| `Panel/modules/website/order.php` | website session for checkout continuation | validate catalog service and start order intent | `service_id` | order page or login redirect |
| `Panel/modules/website/sso.php` | none | compatibility redirect for old SSO links | safe `destination` / `return` values | direct website or Panel redirect |
| `Panel/sso.php` | none | compatibility redirect for old Panel-to-website SSO links | safe `destination` / `return` values | direct website or Panel redirect |
| `Panel/modules/website/order.php` | anonymous website session | validate catalog service and configure order intent | `service_id`, slots/location POST | order page or cart redirect |
| `Panel/modules/website/cart.php` | anonymous website session; website login required only for checkout | review cart and begin checkout intent | cart actions | cart page or login redirect |
SSO tokens are stored in `OGP_DB_PREFIXsso_tokens` as SHA-256 hashes, expire in 30-60 seconds, and are marked used after successful validation. Tokens never contain passwords, password hashes, permanent API keys, or PHP session IDs.
SSO is deferred in the current implementation because `gameservers.world` and `panel.iaregamer.com` cannot share one PHP session cookie. Users can use the same Panel-backed credentials on both sites, but website and Panel sessions are separate.
The old `Website/api/create_order.php`, `Website/api/capture_order.php`, `Website/api/log_error.php`, and `Website/webhook.php` compatibility files are not present in this repository checkout. Until an active payment runtime is connected, the website order page validates service intent and sends customers to support rather than claiming checkout is complete.
The old `Website/api/create_order.php`, `Website/api/capture_order.php`, `Website/api/log_error.php`, and `Website/webhook.php` compatibility files are not present in this repository checkout. Until an active payment runtime is connected, the website cart preserves validated order intent and displays a friendly checkout-unavailable message rather than claiming checkout is complete.
### Webhooks
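Review bot: the two new compatibility rows for `Panel/modules/website/sso.php` and `Panel/sso.php` list the auth as "none" and describe the input only as "safe `destination` / `return` values" without saying what makes a value safe; since these are unauthenticated endpoints that redirect on caller-supplied input, the table (or a sentence below it) should state the acceptance rule, for example "`destination` must be one of `panel`/`website` and `return` must be a relative path under the corresponding site root; anything else falls back to the site home", so readers can check that the redirect cannot be pointed at an external host. Two smaller gaps in the same hunk: the `order.php` row changes from "website session for checkout continuation" to "anonymous website session" and `cart.php` says login is required only for checkout, but nothing says what happens to `$_SESSION['website_cart']` when the anonymous session becomes an authenticated one at checkout (whether the cart is carried over and whether the session ID is regenerated on login), and the removed sentence about `OGP_DB_PREFIXsso_tokens` being SHA-256 hashed with a 30-60 second expiry is not replaced by any statement of whether that table is still created or used now that SSO is described as deferred.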
@ -149,7 +148,7 @@ The old `Website/api/create_order.php`, `Website/api/capture_order.php`, `Websit
| token auth | `Panel/ogp_api.php` |
| host allowlist | `api_authorized.hosts`, `api_authorized.fwd_hosts`, `settings/api_hosts.php` |
| role / ownership checks | inside `api_*` handlers in `ogp_api.php` |
| one-time SSO token hash storage | `OGP_DB_PREFIXsso_tokens` |
| website session cart | `$_SESSION['website_cart']` |
## Search Coverage Used For This Document
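Review bot: the replacement row "website session cart | `$_SESSION['website_cart']`" names where the cart lives but not which security check it represents, while every other row in this table maps a check to its location; suggest wording it as a check, e.g. "order intent re-validation | `$_SESSION['website_cart']`, re-checked against the catalog in `order.php`/`cart.php` at checkout", so it is clear that `service_id` and slots/location stored in the cart are treated as untrusted input that is validated again before any order is created rather than being accepted from the session as-is.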