Since the Bango cookie is tied to the device and a cookie allows repeat purchases, one simple security fix we can do is tell Bango "a new user has logged in" so that they can disregard and delete their cookie. This is important for the case of resetting a PIN, which requires users to re-authenticate (bug 822491).
What is the best way to do this? Maybe we can use a new billing config API option?
The other reason I can think of why this might not be a good idea is if somehow the users can use the back button to get to a pre-existing billing config ID after logging out?
We could expose a URL like http://mozbango/mozpayments/logout which you could make a GET to in the callback of your logout?
Yeah, the logout URL would cover this situation better. Let's do that. Thanks.
(In reply to Kumar McMillan [:kumar] from comment #3)
> Yeah, the logout URL would cover this situation better. Let's do that.
Now available at http://mozilla.test.bango.org/mozpayments/logout/
Awesome, thanks! I assume that a 200 HTTP response we get from this means it worked?
I will integrate this into the various webpay logout flows.
Here is a logout for the reset PIN flow https://github.com/mozilla/webpay/commit/b0e6085f676d601a1122a3ee2b4516d9b7007672
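The integration discussed in this thread, written out as an added example (not webpay's or Bango's own code): on logout or before a PIN-reset re-authentication, drop any billing state held in the local session first (so the back-button concern above cannot resume an old billing config), then GET the Bango logout URL and treat anything other than HTTP 200, including a network error, as a failure that is logged rather than ignored. The `http_get` callable, the session dictionary and its key names are hypothetical and exist only so the example runs offline; the URL is the test endpoint quoted in the thread.

```python
"""Invalidate Bango's device-bound billing cookie on logout / re-auth.

Added example, not code from webpay or Bango. The `http_get` callable,
the session dict and its keys are hypothetical illustrations.
"""
import logging
from typing import Callable, Tuple

log = logging.getLogger(__name__)

# Test endpoint quoted in the thread.
BANGO_LOGOUT_URL = "http://mozilla.test.bango.org/mozpayments/logout/"

# Hypothetical HTTP GET shape: (url, timeout) -> (status_code, body).
# Injected so the example runs offline; in production it would wrap
# urllib/requests with a real timeout.
HttpGet = Callable[[str, float], Tuple[int, bytes]]


def bango_logout(http_get: HttpGet, url: str = BANGO_LOGOUT_URL,
                 timeout: float = 5.0) -> bool:
    """Tell Bango the current user session has ended.

    Returns True only on HTTP 200 (the thread's assumption for success).
    A non-200 status or a network error returns False and is logged,
    never silently swallowed: a cookie that survives logout still
    allows repeat purchases on this device.
    """
    try:
        status, _body = http_get(url, timeout)
    except Exception as exc:  # timeouts, DNS/connection errors
        log.error("Bango logout failed: %s", exc)
        return False
    if status != 200:
        log.error("Bango logout returned HTTP %d", status)
        return False
    return True


def end_billing_session(session: dict, http_get: HttpGet) -> bool:
    """Hypothetical logout / pre-re-auth hook on the webpay side.

    Order matters: clear the locally stored billing config ID first so a
    browser 'back' to an earlier billing page cannot resume it, then ask
    Bango to forget its device cookie. Unrelated session keys are kept.
    """
    session.pop("bango_billing_config_id", None)  # hypothetical key
    return bango_logout(http_get)


def _stub_http_get(url: str, timeout: float) -> Tuple[int, bytes]:
    """Constructed stand-in for the real endpoint (offline demo only)."""
    return (200, b"")


if __name__ == "__main__":
    demo_session = {"bango_billing_config_id": "cfg-123", "user": "alice"}
    print("logout ok:", end_billing_session(demo_session, _stub_http_get))
    print("session after logout:", demo_session)
```

The callback is deliberately a plain boolean so the caller (the PIN-reset flow or the session-logout view) decides whether a failed Bango logout should block the user or just be reported; what it must not do is proceed as if the cookie were gone.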