Closed Bug 703093 Opened 11 years ago Closed 10 years ago

Allow apps to request key/secret to make in-app payments

Categories

(addons.mozilla.org Graveyard :: Developer Pages, defect, P1)

x86
macOS
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kumar, Assigned: kumar)

References

Details

If an app operator wants to make in-app payments they need a page on devhub where they can request an application key and secret.

They will keep the secret safe on the server and use it to encode JWT requests to the AMO market.  All requests will contain the application key so that AMO knows what secret to use when decoding JWTs.

More info: https://github.com/mozilla/apps-payment-server/blob/master/DESIGN.md

The secret needs to be very strong.  We will need to quickly revoke application keys if a secret gets compromised.
Blocks: 698116
Depends on: 703073
Priority: -- → P2
This page should be logging with prejudice. And maybe send an email to the developer.
We also need them to register their postback URL (bug 703083) and chargeback URL (bug 703084).
Priority: P2 → P1
Target Milestone: --- → 6.4.0
Assignee: nobody → kumar.mcmillan
Blocks: 710074
Target Milestone: 6.4.0 → 6.4.1
Brian Warner gave me the Python code for generating a strong key and he provided the best way with os.urandom() so that it is a truly random key.

andym, I didn't add any logging because I realized everything is time-stamped in the database. We are not [yet] regenerating keys so it's only DB inserts. If and when we regenerate keys we should log that.

To see the new page in devhub, turn on the in-app-payments switch.

Fixed in https://github.com/mozilla/zamboni/commit/218b379
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → addons.mozilla.org Graveyard
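
An added example (not code from this bug or from zamboni) of the flow discussed above: a key/secret pair generated with os.urandom(), an app-side JWT signed with the secret, and market-side verification that picks the secret by application key and refuses revoked keys. The function names, the in-memory store, the HS256 algorithm and carrying the application key in the `iss` claim are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, os

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def issue_credentials(store):
    """Hypothetical devhub step: new application key plus a 256-bit random secret."""
    app_key, secret = b64url(os.urandom(12)), b64url(os.urandom(32))
    store[app_key] = {"secret": secret, "revoked": False}
    return app_key, secret

def sign_request(app_key, secret, request):
    """App server side: sign the payment request; iss (assumed) carries the app key."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": app_key, "request": request}).encode())
    return f"{header}.{payload}.{b64url(mac(secret, header + '.' + payload))}"

def verify_request(store, token):
    """Market side: look up the secret by app key, verify, then trust the claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))  # untrusted until verified
        sig = b64url_decode(sig_b64)
        alg, app_key = header["alg"], claims["iss"]
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed token") from None
    if alg != "HS256":  # pin the algorithm; never honour "none"
        raise ValueError("unexpected algorithm")
    record = store.get(app_key) if isinstance(app_key, str) else None
    if record is None or record["revoked"]:  # revocation takes effect immediately
        raise ValueError("unknown or revoked application key")
    if not hmac.compare_digest(sig, mac(record["secret"], f"{header_b64}.{payload_b64}")):
        raise ValueError("bad signature")
    return claims

if __name__ == "__main__":
    store = {}  # constructed in-memory stand-in for the market's key table
    key, secret = issue_credentials(store)
    token = sign_request(key, secret, {"price": "0.99"})  # constructed sample request
    print(verify_request(store, token))
```

The `iss` value is read from the unverified payload only to select a secret; nothing else in the claims is used until the signature check passes.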