Currently verifyReceipt is implemented, but only for the native-shell: https://github.com/mozilla/openwebapps/blob/develop/addons/jetpack/data/native-install/XUL/content/window.js#L142
This code should be shared across all the other mozApps implementations, which are currently the add-on and HTML5 shim.
*** Bug 710289 has been marked as a duplicate of this bug. ***
Did this feature get implemented? What's the status on this?
(In reply to Jason Smith from comment #2)
> Did this feature get implemented? What's the status on this?
It's not implemented on m-c.
There's an open design question here: do we still want to implement verifyReceipt?
(In reply to Ian Bicking (:ianb) from comment #4)
> There's an open design question here: do we still want to implement
What benefits does our stakeholders using verifyReceipt get for it existing? What cost is lost for it not existing?
Clarification - Is verifyReceipt a convenience function to operate against marketplace's receipt validation service? Or it something else?
For the most part, verifyReceipt could be implemented as a JS file, a kind of helper that we provide, but don't need to specifically include as part of the mozApps API. That is, there's no special abilities we need, and no hard security advantage to providing it natively (though there might be some soft advantages).
I believe the actual verifyReceipt function was probably too complicated to be part of the mozApps API - it also included some options for various levels of app security. We'd want to distill a smaller API from it, and allow supporting libraries cover app policies.
Ian is right, there are no hard advantages to including it as part of the mozApps API (and is definitely not part of the spec). The original implementation in the add-on served two purposes:
- A vehicle to prototype apps that depended on receipt validation quickly
- Provide sample code to app developers who wanted to know what the "right" way to validate a receipt was
Most serious developers will want to do receipt verification themselves, but for some smaller scale apps the thinking was that verifyReceipt() would serve as a nice convenience function, when the app developer trusts the web run-time to a certain extent.
Is this bug still valid, given that Ian is actively working on https://github.com/mozilla/receiptverifier to be integrated into mozmarket.js per bug 755006 and bug 758733?
I believe the library supersedes this function.
Okay. Resolving as a won't fix then.