Closed Bug 858273 Opened 12 years ago Closed 11 years ago

Logging out of webpay should log the user out of marketplace

Categories

(Marketplace Graveyard :: Payments/Refunds, defect, P3)

Other
Gonk (Firefox OS)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: krupa.mozbugs, Unassigned)

References

Details

(Whiteboard: p=3)

steps to reproduce:
0. Tester is logged into marketplace (note the account you are logged in with)
2. Start the purchase of a paid app
3. Click on "Forgot PIN?" in the PIN screen
4. Click Continue in the reset confirmation screen
5. Identity-Sign in loads prompting the user to log in
6. Close the screen and return to marketplace
7. Navigate to Account Settings


expected behavior:
After step #4, user is logged out of webpay and marketplace. So, @ #7 user will see the sign in/sign up button.

observed behavior:
Signing out of webpay doesn't sign the user out of marketplace. After step #4, I can still add a review and change my profile settings but I'm prompted to log in if I trigger an app purchase.
Assignee: nobody → kumar.mcmillan
Priority: -- → P3
Target Milestone: --- → 2013-04-11
Whiteboard: p=3
Target Milestone: 2013-04-11 → ---
I don't know if this is possible with Persona. Since webpay and Marketplace are two different origins (correct me if I'm wrong), calling navigator.id.logout() will log you out of one or the other but not both. There'd need to be a way for webpay to tell Marketplace "you should log out now" so that the MP could reset its user token and tell Persona that it's logging out on the the other origin as well.
webpay and marketplace are on the same origin (well, they were when the app was hosted) but id.logout() still may not do what we want here. This needs some experimenting. We could make an API call to marketplace on webpay logout maybe.
(In reply to Kumar McMillan [:kumar] from comment #2)
> webpay and marketplace are on the same origin (well, they were when the app
> was hosted) but id.logout() still may not do what we want here. This needs
> some experimenting. We could make an API call to marketplace on webpay
> logout maybe.

Once the Marketplace is a true packaged app, it'll have the app:// scheme, so it's unlikely that they'd be on the same origin, right?

The other issue is that unless the Marketplace knows that you're logged out, we'll keep passing the user's email (that we got when they signed in) to navigator.id.watch(), which means that the user will not truly get logged out and Persona will probably automatically log the user back in. Unless Persona magically calls our onlogout method (I don't think they will, they don't keep an active connection to the server), we won't do that.
bug 879091 is related
Assignee: kumar.mcmillan → wraithan
Severity: normal → major
Version: 1.2 → 1.3
Assignee: wraithan → nobody
If I'm not mistaken, this should get fixed when we implement bug 912805, yeah?
(In reply to Matt Basta [:basta] from comment #5)
> If I'm not mistaken, this should get fixed when we implement bug 912805,
> yeah?

Nice, I didn't know about that. It just might.
Depends on: 912805
Version: 1.3 → 1.4
Realm support not happening in persona, still a valid issue.
No longer depends on: 912805
more importantly, if a user logs out of marketplace, we should ensure that the user is logged out of webpay as well.
It's not helpful (for my brain :)) to think about this in terms of who's logged in where. We need concrete user stories for scenarios we want to stop from happening. The story in comment #0 is weak because if they reset their PIN then they would re-login as the same marketplace user in the happy path. So based on this I say it's wontfix -- the current behavior is what I'd expect.
I agree with Kumar.

This also involves a technical issue: managing state between origins. Since Persona doesn't implement realms anymore, this isn't really possible for us to do on our own. The identity team needs to work on a solution for these types of requests before we can implement them on our end.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.