Make all notification postbacks POST form data

RESOLVED FIXED in 2013-02-14

Status

Marketplace
Payments/Refunds
P2
normal
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: kumar, Assigned: kumar)

Tracking

2013-02-14
x86
Mac OS X
Points:
---

Details

(Whiteboard: p=)

Currently all postbacks receive JWT as raw post data. This is awkward to deal with in most web frameworks. Instead, let's POST regular form data like {jwt: theJWTData}. This will be easier to work with.
Blocks: 775802
Priority: -- → P2

Comment 1

5 years ago
How do developers trust that the POST came from us? Signed JWT allows some level of trust.

Oh, the JWT would still be signed. I just meant that in the postback you currently have to do this:

def postback(request):
    jwt = request.read()
    # check signature

I'm suggesting the following:

def postback(request):
    jwt = request.POST['jwt']
    # check signature

I was trying to implement the raw post approach in node.js and found it pretty difficult to do without hacks. I looked at ruby and a couple other langs and it's really not straightforward to parse a raw post body. Besides, what is the content type? application/jwt? We'd have to make one up or use octet stream. That's where it starts to get messy if we want to make this easy on developers.

Comment 3

5 years ago
Ah ok that's fine.  In solitude I did add application/jwt fwiw :)
Version: 1.0 → 1.2
Whiteboard: p=
pulls:
webpay: https://github.com/mozilla/webpay/pull/63
zamboni: https://github.com/mozilla/zamboni/pull/592

r?
Assignee: nobody → kumar.mcmillan
Target Milestone: --- → 2013-02-14
Fixed in webpay: https://github.com/mozilla/webpay/commit/ffaa2f259688b4a80d4a4528f29435ae3ac49d24
Fixed in zamboni: https://github.com/mozilla/zamboni/commit/2ccfc974d4cd88b26255590ceea4ac96b3387515
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
The parameter I decided on is 'notice'. So the code above looks like:

def postback(request):
    notice = request.POST['notice']
    # check signature