Closed
Bug 838066
Opened 11 years ago
Closed 11 years ago
Make all notification postbacks POST form data
Categories
(Marketplace Graveyard :: Payments/Refunds, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
2013-02-14
People
(Reporter: kumar, Assigned: kumar)
References
Details
(Whiteboard: p=)
Currently all postbacks receive JWT as raw post data. This is awkward to deal with in most web frameworks. Instead, let's POST regular form data like {jwt: theJWTData}. This will be easier to work.
Assignee | ||
Updated•11 years ago
|
Blocks: marketplace-payments
Priority: -- → P2
Comment 1•11 years ago
|
||
How do developers trust that the POST came from us? Signed JWT allows some level of trust.
Assignee | ||
Comment 2•11 years ago
|
||
oh, the jwt would still be signed. I just meant that in the postback you currently have to do this: def postback(request): jwt = request.read() # check signature I'm suggesting the following: def postback(request): jwt = request.POST['jwt'] # check signature I was trying to implement the raw post approach in node.js and found it pretty difficult to do without hacks. I looked at ruby and a couple other langs and it's really not straight forward to parse raw post body. Besides, what is the content type? application/jwt? We'd have to make one up or use octet stream. That's where it starts to get messy if we want to make this easy on developers.
Comment 3•11 years ago
|
||
Ah ok that's fine. In solitude I did add application/jwt fwiw :)
Updated•11 years ago
|
Version: 1.0 → 1.2
Updated•11 years ago
|
Whiteboard: p=
Assignee | ||
Comment 4•11 years ago
|
||
pulls: webpay: https://github.com/mozilla/webpay/pull/63 zamboni: https://github.com/mozilla/zamboni/pull/592 r?
Assignee: nobody → kumar.mcmillan
Target Milestone: --- → 2013-02-14
Assignee | ||
Comment 5•11 years ago
|
||
Fixed in webpay: https://github.com/mozilla/webpay/commit/ffaa2f259688b4a80d4a4528f29435ae3ac49d24 Fixed in zamboni: https://github.com/mozilla/zamboni/commit/2ccfc974d4cd88b26255590ceea4ac96b3387515
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 6•11 years ago
|
||
The parameter I decided on is 'notice'. So the code above looks like: def postback(request): notice = request.POST['notice'] # check signature
You need to log in
before you can comment on or make changes to this bug.
Description
•