Bug 838066 - Make all notification postbacks POST form data
Status: RESOLVED FIXED
Product: Marketplace
Classification: Server Software
Component: Payments/Refunds
: 1.2
: x86 Mac OS X
P2 normal
: 2013-02-14
Assigned To: Kumar McMillan [:kumar] (needinfo all the things)
Blocks: marketplace-payments
Reported: 2013-02-04 20:43 PST by Kumar McMillan [:kumar] (needinfo all the things)
Modified: 2013-02-13 13:19 PST

Description Kumar McMillan [:kumar] (needinfo all the things) 2013-02-04 20:43:13 PST
Currently all postbacks receive JWT as raw post data. This is awkward to deal with in most web frameworks. Instead, let's POST regular form data like {jwt: theJWTData}. This will be easier to work with.
Comment 1 Andy McKay [:andym] 2013-02-05 09:22:22 PST
How do developers trust that the POST came from us? Signed JWT allows some level of trust.
Comment 2 Kumar McMillan [:kumar] (needinfo all the things) 2013-02-05 10:59:41 PST
Oh, the JWT would still be signed. I just meant that in the postback you currently have to do this:

def postback(request):
    jwt = request.read()
    # check signature

I'm suggesting the following:

def postback(request):
    jwt = request.POST['jwt']
    # check signature

I was trying to implement the raw post approach in Node.js and found it pretty difficult to do without hacks. I looked at Ruby and a couple other langs and it's really not straightforward to parse a raw post body. Besides, what is the content type? application/jwt? We'd have to make one up or use octet stream. That's where it starts to get messy if we want to make this easy on developers.
Comment 3 Andy McKay [:andym] 2013-02-05 11:20:43 PST
Ah ok that's fine.  In solitude I did add application/jwt fwiw :)
Comment 4 Kumar McMillan [:kumar] (needinfo all the things) 2013-02-11 09:59:28 PST
pulls:
webpay: https://github.com/mozilla/webpay/pull/63
zamboni: https://github.com/mozilla/zamboni/pull/592

r?
Comment 6 Kumar McMillan [:kumar] (needinfo all the things) 2013-02-13 13:19:52 PST
The parameter I decided on is 'notice'. So the code above looks like:

def postback(request):
    notice = request.POST['notice']
    # check signature
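
Added example, not part of the bug thread or of the webpay/zamboni code: one way a receiver could fill in the "check signature" step once the JWT arrives as the 'notice' form field. It assumes an HS256 JWT signed with a shared secret (the thread only says the JWT is signed); all function names, the secret and the sample claims are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(part):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign_notice(claims, secret):
    """Sender side; used here only to build the constructed sample."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"

def verify_postback(form_body, secret):
    """Return the claims from a form-encoded postback, or raise ValueError."""
    values = parse_qs(form_body, strict_parsing=True).get("notice", [])
    if len(values) != 1:  # a missing or repeated field is ambiguous: reject
        raise ValueError("expected exactly one 'notice' field")
    try:
        header_b64, body_b64, sig_b64 = values[0].split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed JWT") from exc
    # Pin the algorithm the receiver expects; never let the token choose
    # it (this is what rejects "alg": "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    signed = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time compare
        raise ValueError("bad signature")
    # Claims are parsed only after the signature has been verified.
    return json.loads(b64url_decode(body_b64))

# Constructed sample input: not a real secret or a real payment notice.
SECRET = b"constructed-app-secret"
SAMPLE_CLAIMS = {"typ": "constructed/postback", "request": {"id": "order-1"}}
SAMPLE_BODY = urlencode({"notice": sign_notice(SAMPLE_CLAIMS, SECRET)})
```

In a Django view like the one above, request.POST['notice'] already holds the decoded field, so only the part after the form parsing applies.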
