Enable product verification for in-app purchase receipts

RESOLVED FIXED

Status

P2
normal
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: kumar, Assigned: jkerim)

Tracking

x86
Mac OS X
Points:
---

Details

An in-app purchase receipt currently gets validated for having the right signature and for having an existing contribution object in the Marketplace db. A vendor also needs a way to verify that the receipt is for the right *product*. In other words, an attacker could pass a perfectly valid in-app receipt to the vendor but one for the wrong product. The vendor needs a way to prevent that.

For app purchases, the vendor does this by verifying the productURL. See https://github.com/mozilla/receiptverifier#options

We need to think of what data to put in the receipt to enable in-app product verification.
(Assignee)

Updated

4 years ago
Assignee: nobody → jkerim

Updated

4 years ago
Priority: -- → P2
(Assignee)

Comment 1

4 years ago
Merged in https://github.com/mozilla/zamboni/pull/2190
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.