Closed Bug 1429265 Opened 3 years ago Closed 2 years ago

Re-authenticate the user with the OS before sending the payment information to the merchant

Categories

(Firefox :: WebPayments UI, enhancement, P1)

enhancement

Tracking

()

RESOLVED FIXED
Firefox 65
Tracking Status
firefox63 --- disabled
firefox64 --- disabled
firefox65 --- fixed

People

(Reporter: MattN, Assigned: timdream)

References

(Depends on 3 open bugs)

Details

(Whiteboard: [webpayments-reserve])

User Story

* Windows and macOS only as Linux doesn't have platform support yet
* It would be great to test from a Windows 7 account that doesn't have a Windows password set.
* Testing with TouchID on MacOS would be good
* Testing with Windows Hello face or other biometrics on Windows 10 would be good

Attachments

(1 file)

Since the full credit card number is encrypted, we need to ask the user for their master password (have it unlocked) in order to send the plaintext number to the merchant page in a PaymentResponse. The decrypted number should never go to the unprivileged dialog contents as it's not necessary and breaks the separation of privileges.
Priority: P3 → P1
I implemented the basic behaviour showing the existing modal master password dialog in bug 1429195. See the TODO comment in that patch to handle when a user hits cancel in the dialog. For bug 1429205 the processing page should either not be shown or the dialog should go from processing back to the summary view if the master password dialog is cancelled.
See Also: → 1429205
Priority: P1 → P2
Whiteboard: [webpayments]
Product: Toolkit → Firefox
Priority: P2 → P3
Whiteboard: [webpayments] → [webpayments-reserve]
Depends on: 1486954
Depends on: 1494478
Summary: If the user has a Master Password, request it before sending the payment information to the merchant → Re-authenticate the user with the OS before sending the payment information to the merchant
Assignee: nobody → timdream
Status: NEW → ASSIGNED
Priority: P3 → P1
This patch restores the re-auth test pref previously comment out,
and redirect the re-auth to nsIOSReauthenticator on Windows.
The change in OSKeystore.jsm where the front end is hook to nsIOSReauthenticator is ready for review.

I have been spending time on reviving the re-auth test setup and make sure it passes on all platforms. It's rather unrelated, actually, since we don't call into nsIOSReauthenticator during tests anyway.

Matt, let me know if you would like to review the patch given the status, or if you would like to wait. Thanks.
Flags: needinfo?(MattN+bmo)
Attachment #9020176 - Attachment description: Bug 1429265 - Re-authenticate the user on Windows before decryption → Bug 1429265 - Re-authenticate the user on Windows and macOS before decryption
I reviewed the patch today.
Flags: needinfo?(MattN+bmo)
Pushed by tchien@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2ed53dbf2b95
Re-authenticate the user on Windows and macOS before decryption r=MattN
https://hg.mozilla.org/mozilla-central/rev/2ed53dbf2b95
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 65
User Story: (updated)
Flags: qe-verify+
QA Contact: hani.yacoub
Depends on: 1504268
Depends on: 1506602
Depends on: 1506609
Depends on: 1506637
Depends on: 1510470
Depends on: 1527743

Removing the "qe-verify+" flag since this feature is disabled.

Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.