Closed Bug 901083 Opened 11 years ago Closed 11 years ago

A saved credit card information is available after an account logout (Seahorse)

Categories

(Marketplace Graveyard :: Payments/Refunds, defect, P1)

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: karina.filipe, Assigned: keir)

Attachments

(4 files)

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0 (Beta/Release)
Build ID: 20130618035212

Steps to reproduce:

1. Start Marketplace
2. Login with k39@intertek.com account
3. Search for a paid app
4. Purchase the app and set the credit card info to be remembered
5. Logout
6. Login with k32@intertek.com account
7. Search for a paid app
8. Click to purchase the app



Actual results:

The credit card information was stored after the logout


Expected results:

The credit card information should be set only for the particular account, and a logout should delete the information.
This should not be happening because we request a bango logout and because of user ID handling (bug 880007). However, I do not see an HTTP request in the log. Karina, can you attach a logcat from the device?
Assignee: nobody → kumar.mcmillan
Priority: -- → P1
Hi Kumar,

Unfortunately, the purchase feature didn't work yesterday or today.
When we see this working again, I'll take logs for you!
Flags: affects-seahorse+
Keir, while I'm waiting for a log to see if we had a problem calling the Bango logout URL, can you verify that this assumption is correct or not:

- user makes a payment in Seahorse on device
- user saves the credit card
- user logs out and logs in with a new account (this sends Bango a new MOZ_USER_ID)
- Mozilla requests http://bango/logout to clear cookies
- user makes a second payment on the same device
- Bango should not provide access to the stored credit card

Correct?
Attached file Logcat
(In reply to Kumar McMillan [:kumar] from comment #4)
> Correct?

Basically correct, although it should be 

- user logs out 
- Mozilla requests http://bango/logout to clear cookies
- user logs in with a new account (this sends Bango a new MOZ_USER_ID)
- user makes a payment on the same device with the new account
Karina, it looks like you don't have the console logging activated. Can you double check by going into settings -> device info -> more info -> developer and tick the box for Console Enabled? And capture a new logcat.
Blocks: 898605
Depends on: 895486
Version: 1.0 → 1.3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(karina.filipe)
Per comment #6, as long as Mozilla's pay flow does a Bango logout between two users then the card should be cleared. I verified that the logout is happening:

E/GeckoConsole(  109): Content JS LOG at https://marketplace-cdn.allizom.org/mozpay/media/js/pay-min.js?build=46ac41c-520d269d:4 in anonymous: do bango.logout()
E/GeckoConsole(  109): Content JS LOG at https://marketplace-cdn.allizom.org/mozpay/media/js/pay-min.js?build=46ac41c-520d269d:4 in anonymous: Logging out of Bango
E/GeckoConsole(  109): Content JS LOG at https://marketplace-cdn.allizom.org/mozpay/media/js/pay-min.js?build=46ac41c-520d269d:4 in anonymous: Bango logout responded: 200

Keir, this means Bango is either not clearing the cookie or something else is causing the old Bango ID to going on device. Can you investigate further?
Flags: needinfo?(karina.filipe)
Assignee: kumar.mcmillan → keir
Hold up on this. After further analysis I think this is a dupe of bug 888036, the tester here was testing too fast and thus her PIN was unlocked (the unlock window is 5 minutes). Switching users within the unlock window will not trigger a logout until bug 888036 is fixed. Before I dupe it, Krupa is going to confirm this by re-testing tomorrow.
Attached file Credicard_issue.zip
Used a reflashed sample; the credit card data was restored, but when the user was changed the same saved CC data was not erased and was displayed again.
This behavior does not occur all the time.
Hi Vinicius. You must wait at least 5 minutes after switching users when testing for this specific bug. Otherwise, you will encounter bug 888036 which is a separate issue (and is about to be fixed)
Vinicius, have you retested 5 minutes after switching users? Can you let us know before 5.30pm UK?
Flags: needinfo?(vinicius.varjao)
Hi Steve, I retested it after 5 minutes and the behavior did not occur; according to the separate issue described by Kumar, I think it is the core problem.
Flags: needinfo?(vinicius.varjao)
Thanks. This confirms my hypothesis. This bug is invalid -- you were running into bug 888036 (which is less severe)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME