Closed Bug 1429265 Opened 3 years ago Closed 2 years ago
Re-authenticate the user with the OS before sending the payment information to the merchant
* Windows and macOS only as Linux doesn't have platform support yet * It would be great to test from a Windows 7 account that doesn't have a Windows password set. * Testing with TouchID on MacOS would be good * Testing with Windows Hello face or other biometrics on Windows 10 would be good
46 bytes, text/x-phabricator-request
|Details | Review|
Since the full credit card number is encrypted, we need to ask the user for their master password (have it unlocked) in order to send the plaintext number to the merchant page in a PaymentResponse. The decrypted number should never go to the unprivileged dialog contents as it's not necessary and breaks the separation of privileges.
I implemented the basic behaviour showing the existing modal master password dialog in bug 1429195. See the TODO comment in that patch to handle when a user hits cancel in the dialog. For bug 1429205 the processing page should either not be shown or the dialog should go from processing back to the summary view if the master password dialog is cancelled.
See Also: → 1429205
Priority: P2 → P3
Whiteboard: [webpayments] → [webpayments-reserve]
Depends on: 1494478
Summary: If the user has a Master Password, request it before sending the payment information to the merchant → Re-authenticate the user with the OS before sending the payment information to the merchant
Assignee: nobody → timdream
Status: NEW → ASSIGNED
This patch restores the re-auth test pref previously comment out, and redirect the re-auth to nsIOSReauthenticator on Windows.
There is still some unknown timeout to find out. https://treeherder.mozilla.org/#/jobs?repo=try&revision=02af000c1026158bff1131ab242e627910ee1dcc
The change in OSKeystore.jsm where the front end is hook to nsIOSReauthenticator is ready for review. I have been spending time on reviving the re-auth test setup and make sure it passes on all platforms. It's rather unrelated, actually, since we don't call into nsIOSReauthenticator during tests anyway. Matt, let me know if you would like to review the patch given the status, or if you would like to wait. Thanks.
The patch should be ready for review. This should pass. https://treeherder.mozilla.org/#/jobs?repo=try&selectedJob=208563056&revision=baa96282ea6aa3edbeff586a4aed281591f18f7e
Attachment #9020176 - Attachment description: Bug 1429265 - Re-authenticate the user on Windows before decryption → Bug 1429265 - Re-authenticate the user on Windows and macOS before decryption
I reviewed the patch today.
Review comments addressed. https://treeherder.mozilla.org/#/jobs?repo=try&revision=71028967efce79b0df0647b6323573a346f95fe5
Pushed by firstname.lastname@example.org: https://hg.mozilla.org/integration/autoland/rev/2ed53dbf2b95 Re-authenticate the user on Windows and macOS before decryption r=MattN
User Story: (updated)
QA Contact: hani.yacoub
You need to log in before you can comment on or make changes to this bug.