OrderMerger not restarting the checkout flow

[cedum]

When performing a checkout as a guest user, then signing in at the confirm step, the guest payment source ownership isn't updated for the newly authenticated user, hence leaves the order in an inconsistent state: order in confirm state (associated to a user) having a payment with a payment source w/o an associated user.

Solidus Version: reproduced on v2.9.2 and master.

To Reproduce

• as a guest user, follow the checkout steps til confirm step;
• at "confirm" step log in (ensure the logged in user doesn't have an active cart);
• go back to /checkout/confirm and confirm the order;
• an exception should be raised: Validation failed: Payment source does not belong to the user associated with the order;
• and the order remains in an inconsistent state: state: 'completed', completed_at: nil (there're some other data inconsistencies I think, I didn't dig them all).

Expected behavior There might be two ways to solve this when merging:

1. restart the checkout flow ensuring there's no way to go back to confirm step and confirm the order;
2. assign all dependencies to the authenticated user, ensuring the merged order is always in a valid state after merge.

[kennyadsl]

Hey @cedum, restarting the checkout flow when the order is merged looks like a good trade-off IMO.