Closed Bug 738368 Opened 10 years ago Closed 10 years ago

Allow developers to revoke compromised in-app payment secret

Categories

(addons.mozilla.org Graveyard :: Developer Pages, defect, P2)

x86
macOS

Tracking

(Not tracked)

VERIFIED FIXED
2012-06-14

People

(Reporter: kumar, Assigned: kumar)

Attachments

(2 files)

If an app developer *knows* their in-app payment secret has been compromised, they need a way to disable the secret ASAP. This should be a feature on the developer hub management screen.

The management screen for key/secret was built in bug 703093.
Blocks: 698116
Is this documented somewhere?  https://wiki.mozilla.org/Apps/WebApplicationReceipt/GenerationService covers our keys, but I haven't seen anything about in-app purchases.  I'm curious about effects for the end user - will they migrate to a new key, or..?
In this case I think the app developer would just regenerate the key/secret and update their hopefully no longer compromised app. This feature would need to be documented on https://developer.mozilla.org/en/Apps/In-app_payments
Priority: -- → P3
Assignee: nobody → kumar.mcmillan
Target Milestone: --- → 6.5.2
Target Milestone: 6.5.2 → 6.5.3
I have added info on how to handle a compromised app secret to MDN here:
https://developer.mozilla.org/en/Apps/In-app_payments#section_5
Target Milestone: 6.5.3 → 6.5.4
Target Milestone: 2012-05-10 → 2012-05-17
Target Milestone: 2012-05-17 → 2012-05-24
Target Milestone: 2012-05-24 → 2012-05-31
Target Milestone: 2012-05-31 → 2012-06-07
Priority: P3 → P2
Fixed:
https://github.com/mozilla/zamboni/commit/e576444a5397490e8d9f9634d8f78adafdf8c674

Devs now get a button to reset their credentials on the Manage In-App Payments page, like this: https://marketplace-dev.allizom.org/en-US/developers/app/in-app-payment-tester-10/in-app-config

I've updated the MDN docs too: https://developer.mozilla.org/en/Apps/In-app_payments#Revoking_a_compromised_app_secret
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: 2012-06-07 → 2012-06-14
Verified at https://marketplace-dev.allizom.org/en-US/developers/app/in-app-payment-tester/in-app-config

Checked that in-app payments are unsuccessful if the Application secret is revoked.
Status: RESOLVED → VERIFIED
Attached image post-fix screenshot
Attached image post-fix screenshot
Product: addons.mozilla.org → addons.mozilla.org Graveyard