Closed Bug 745319 Opened 12 years ago Closed 6 years ago

mozApps API should handle receipt refresh

Categories

(Core Graveyard :: DOM: Apps, defect, P2)

x86
macOS
defect

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: mhanson, Unassigned)

Details

(Whiteboard: [blocked-on-input Bill Walker])

The currently-planned digital receipt model is documented here:
https://wiki.mozilla.org/Apps/WebApplicationReceipt/GenerationService

In that plan, receipts may expire.  If a receipt has expired, the user agent is the only entity that has the power to refresh it.

Therefore we need the ability for the user agent to initiate a refresh of a receipt.

I propose that getSelf() checks the expiry date of the receipt, and if it is less than X days in the future and the device is online, the mozApps runtime initiates a background GET request to a "refresh" URL embedded in the receipt.

The refresh request could fail at the network or authentication levels; the UA may need to reauthenticate the user to a marketplace to complete the refresh.  This will need some user experience work - at worst, a modal dialog that blocks the user's attempt to launch the app.

Note that receipt refresh could also be done by an individual marketplace from its own content - it could inspect the list of apps it has installed on the device and quietly refresh the receipts for any that it feels the need to change.  This wouldn't need any new mozApps work but would require the UA to visit the marketplace's content.
Blocks: 746465
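
Added example (not part of the original bug report and not mozApps code): a sketch of the check proposed in the opening comment, where getSelf() looks at the receipt's expiry and decides whether to start a background refresh, plus the split between network and authentication failures. The field names `exp`, `iss` and `refresh`, the outcome labels, and the same-origin restriction on the refresh URL are assumptions.

```javascript
// Added illustration, not mozApps code. Field names exp/iss/refresh are assumed.
const DAY = 24 * 60 * 60; // receipt times are taken to be seconds since epoch

// Constructed sample payload (not a real receipt).
const SAMPLE_RECEIPT = {
  iss: "https://marketplace.example",
  exp: 1700000000 + 2 * DAY,
  refresh: "https://marketplace.example/receipts/refresh/sample",
};

// Decide what the runtime does when getSelf() sees this receipt.
// thresholdDays is the "X days" of the proposal; online is device connectivity.
function planReceiptRefresh(receipt, nowSec, { thresholdDays, online }) {
  if (typeof receipt.exp !== "number") return { action: "none", reason: "no-expiry" };
  const remaining = receipt.exp - nowSec;
  if (remaining >= thresholdDays * DAY) return { action: "none", reason: "fresh" };
  const expired = remaining <= 0;
  if (!online) return { action: "defer", reason: "offline", expired };
  let url, issuer;
  try {
    url = new URL(receipt.refresh);
    issuer = new URL(receipt.iss);
  } catch (e) {
    return { action: "defer", reason: "bad-refresh-url", expired };
  }
  // Assumed hardening: the background GET goes only to an https URL on the
  // issuer's own origin, so receipt content cannot point it elsewhere.
  if (url.protocol !== "https:" || url.origin !== issuer.origin) {
    return { action: "defer", reason: "untrusted-refresh-url", expired };
  }
  return { action: "refresh", url: url.href, expired };
}

// Map the outcome of the GET onto the two failure levels named in the report.
// outcome.kind is one of "ok", "auth-required", "network-error" (assumed labels).
function handleRefreshOutcome(outcome) {
  switch (outcome.kind) {
    case "ok":
      return { action: "store", receipt: outcome.receipt };
    case "auth-required":
      return { action: "reauthenticate" }; // UA sends the user to the marketplace
    default:
      return { action: "retry-later" }; // network failure: keep the old receipt
  }
}
```
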
If a receipt is expiring and has correct crypto, do we still need to re-authenticate the user? We can trust the receipt that's provided. This would allow the receipt to be recreated quickly with no user interaction and could occur frequently.

In the case that we revoke a certificate and can no longer trust incoming receipts, we'll need to re-authenticate the client. This would be a very rare event.
Nominating for k9o - This involves receipts for web applications (e.g. paid applications)
blocking-kilimanjaro: --- → ?
blocking-kilimanjaro: ? → +
Blocks: k9o-webrt
No longer blocks: 746465
Component: DOM: Mozilla Extensions → DOM: Apps
blocking-basecamp: --- → ?
Whiteboard: [blocked-on-input]
Currently receipts generated by the marketplace expire; we are just ignoring them. Security were very keen on having this to limit the possible exposure in the case of malicious signing and it was kind of promised it would happen.
Whiteboard: [blocked-on-input]
This should block basecamp as not refreshing receipts will lead to the user being unable to use an app whose receipt has expired.
Sounds good - looks like there's general agreement this should block. Who could work on this?
blocking-basecamp: ? → +
Depends on: 757226
Anant, can you take this one?
What's the mitigation here? I assume we can for now issue receipts with no expiration until this is fixed, so I will make this P2. Please upgrade to P1 if you disagree.
Priority: -- → P2
Depends on: 781258
Renom if you think we can't ship a v1 without this.
blocking-basecamp: + → ---
Per IRC conversations with a few other folks, I think the best course of action if there is disagreement on whether this blocks or not is to do the following:

- Move the blocking-basecamp flag to ? for re-evaluation
- Indicate a rationale for why you disagree
blocking-basecamp: --- → ?
Whiteboard: [blocked-on-input Bill Walker]
(In reply to Andreas Gal :gal from comment #7)
> What's the mitigation here? I assume we can for now issue receipts with no
> expiration until this is fixed, so I will make this P2. Please upgrade to P1
> if you disagree.

That's right, for now we can issue receipts with very long expiration times.

The ability to refresh receipts remains part of our architecture for dealing with signing key compromise, as documented at:

https://wiki.mozilla.org/Apps/WebApplicationReceipt/GenerationService
Per talking with Bill, this is a firm requirement needed for payments.
Whiteboard: [blocked-on-input Bill Walker]
Still need more input on why this is needed for basecamp. Blocked on Bill Walker.
Whiteboard: [blocked-on-input Bill Walker]
Basecamp- kilimanjaro+ per Bill Walker.

We'll work around this in basecamp by using long-expiring receipts.
blocking-basecamp: ? → -
Product: Core → Core Graveyard
Core Graveyard / DOM: Apps is inactive. Closing all bugs in this component.
Status: NEW → RESOLVED
blocking-basecamp: - → ---
blocking-kilimanjaro: + → ---
Closed: 6 years ago
Resolution: --- → WONTFIX