Closed
Bug 777133
Opened 12 years ago
Closed 12 years ago
Create a solitude proxy
Categories
(Marketplace Graveyard :: Payments/Refunds, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: andy+bugzilla, Unassigned)
References
Details
We need to have a proxy between solitude and Paypal. So that solitude doesn't actually communicate with Paypal directly, it calls the proxy. The proxy then adds in the headers and passes the requests on to Paypal, returning them to solitude. The goal is that the paypal information is never in solitude, but only in this proxy. The proxy will need to do the header auth, which for some API's is the almost (but not quite) Paypal oAuth headers. For the get personal data API's this is a bit trickier which is why we are going for Python not some custom nginx module. It also gives us more freedom to cope with whatever BlueVia needs. Solitude will point at a server like: http://our.paypal.proxy.com/ And that server will point at https://paypal.com and do the HTTPS work. Other notes: - It would be nice if this was just an option in solitude to run with or without this, so dev's don't need it. - I don't think we need a seperate code base for this, we can just run solitude with different flags to be the proxy. - There are few different API calls: ones that need auth, ones that do OAuth and IPN calls all of which need different headers.
Reporter | ||
Updated•12 years ago
|
Priority: -- → P1
Comment 1•12 years ago
|
||
What protection does it afford us separating this information out from a server that will already be barricaded off pretty well? If we do this then I am all for doing it in the same code base and running with flags, this makes it much simpler to make it so it works without the proxy running for developers. I'd like to heard more about what sorts of attacks and such we are hoping to prevent with this setup before I stand behind doing it.
Reporter | ||
Comment 2•12 years ago
|
||
rforbes is the main man on this so I'll let him answer but I think the answer is... Its just yet another layer, if you get into solitude you still don't actually know the paypal username and password, that's on yet another locked down box. For what its worth, I plan on making solitude configurable for us developers so that it will work with or without the proxy, because it would a pain for us to develop with the proxy.
Reporter | ||
Comment 3•12 years ago
|
||
https://github.com/mozilla/solitude/commit/a0f9a5
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 4•12 years ago
|
||
basically, there isn't one machine that can be compromised that would allow access to both the database of user data AND the paypal auth info.
You need to log in
before you can comment on or make changes to this bug.
Description
•