Closed Bug 838066 Opened 7 years ago Closed 7 years ago

Make all notification postbacks POST form data

Categories

(Marketplace Graveyard :: Payments/Refunds, defect, P2)

x86
macOS
defect

Tracking

(Not tracked)

RESOLVED FIXED
2013-02-14

People

(Reporter: kumar, Assigned: kumar)

References

Details

(Whiteboard: p=)

Currently all postbacks receive JWT as raw post data. This is awkward to deal with in most web frameworks. Instead, let's POST regular form data like {jwt: theJWTData}. This will be easier to work with.
Priority: -- → P2
How do developers trust that the POST came from us? Signed JWT allows some level of trust.
Oh, the jwt would still be signed. I just meant that in the postback you currently have to do this:

def postback(request):
    jwt = request.read()
    # check signature

I'm suggesting the following:

def postback(request):
    jwt = request.POST['jwt']
    # check signature

I was trying to implement the raw post approach in node.js and found it pretty difficult to do without hacks. I looked at ruby and a couple of other langs and it's really not straightforward to parse a raw post body. Besides, what is the content type? application/jwt? We'd have to make one up or use octet stream. That's where it starts to get messy if we want to make this easy on developers.
Ah ok that's fine. In solitude I did add application/jwt fwiw :)
Version: 1.0 → 1.2
Whiteboard: p=
pulls:
webpay: https://github.com/mozilla/webpay/pull/63
zamboni: https://github.com/mozilla/zamboni/pull/592

r?
Assignee: nobody → kumar.mcmillan
Target Milestone: --- → 2013-02-14
The parameter I decided on is 'notice'. So the code above looks like:

def postback(request):
    notice = request.POST['notice']
    # check signature
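
A fuller version of the "check signature" step for the form-encoded postback, as an added example that is not code from this bug or from the webpay/zamboni pull requests. It assumes an HS256 JWT signed with a secret shared between the sender and the app; the secret, claims and helper names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

def b64url_decode(seg: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def sign_notice(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    # Sender side, only used here to construct sample input.
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_postback(raw_body: bytes, secret: bytes) -> dict:
    """Return the verified claims from a form-encoded postback, or raise ValueError."""
    form = parse_qs(raw_body.decode("ascii"), strict_parsing=True)
    notices = form.get("notice", [])
    if len(notices) != 1:  # missing or duplicated field
        raise ValueError("expected exactly one 'notice' field")
    head_b64, body_b64, sig_b64 = notices[0].split(".")
    header = json.loads(b64url_decode(head_b64))
    # Pin the algorithm; never let the token choose it (rejects "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected JWT algorithm")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison, done before the payload is parsed or trusted.
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        raise ValueError("bad JWT signature")
    return json.loads(b64url_decode(body_b64))

# Constructed sample values, not from the bug.
SECRET = b"constructed-app-secret"
CLAIMS = {"typ": "example/postback", "response": {"transactionID": "constructed-123"}}

def sample_body(token: str) -> bytes:
    return urlencode({"notice": token}).encode("ascii")

if __name__ == "__main__":
    print(verify_postback(sample_body(sign_notice(CLAIMS, SECRET)), SECRET))
```

A body that still carries the JWT as raw post data has no `notice=` field and fails at the form-parsing step with ValueError, so an endpoint built this way rejects the old format instead of silently accepting it.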