[taler-docs] branch master updated: simplify public order spec and fix '
From: |
gnunet |
Subject: |
[taler-docs] branch master updated: simplify public order spec and fix 'already paid' logic |
Date: |
Thu, 12 Aug 2021 20:00:01 +0200 |
This is an automated email from the git hooks/post-receive script.
dold pushed a commit to branch master
in repository docs.
The following commit(s) were added to refs/heads/master by this push:
new 2953525 simplify public order spec and fix 'already paid' logic
2953525 is described below
commit 2953525355a1b8d7c667c535f48c1e0b628d3f61
Author: Florian Dold <florian@dold.me>
AuthorDate: Thu Aug 12 19:59:55 2021 +0200
simplify public order spec and fix 'already paid' logic
---
merchant-spec/public-orders-get.ts | 65 ++++++++++++++------------------------
1 file changed, 24 insertions(+), 41 deletions(-)
diff --git a/merchant-spec/public-orders-get.ts
b/merchant-spec/public-orders-get.ts
index ec7860b..84af854 100644
--- a/merchant-spec/public-orders-get.ts
+++ b/merchant-spec/public-orders-get.ts
@@ -50,56 +50,35 @@ function handlePublicOrdersGet(mos: MerchantOrderStore,
req: Req): Resp {
if (!ord) {
return respNotFound(req);
}
- if (!ord.claimed) {
- if (!!req.claimToken && !!req.contractHash && ord.publicReorderUrl) {
- return respGoto(req, ord.publicReorderUrl);
- }
- if (ord.requireClaimToken && ord.claimToken !== req.claimToken) {
- return respForbidden(req);
- }
- return respUnpaid(req, ord);
- }
- if (!ord.paid) {
- const hcOk = ord.contractHash === req.contractHash;
- const ctOk = ord.claimToken === req.claimToken;
- if (req.contractHash && !hcOk) {
- // Contract terms hash given but wrong
- return respForbidden(req);
- }
- if (req.claimToken && !ctOk) {
- // Claim token given but wrong
+ const authMissing = !!req.contractHash && !!req.claimToken;
+ const authOk =
+ ord.contractHash === req.contractHash ||
+ (ord.requireClaimToken && ord.claimToken === req.claimToken) ||
+ !ord.requireClaimToken;
+
+ if (authMissing) {
+ // Client is trying to get the order status of a claimed,
+ // unpaid order. However, the client is not showing authentication.
+ //
+ // This can happen when the fulfillment URL includes the order ID,
+ // and the storefront redirects the user to the backend QR code
+ // page, because the order is not paid under the current session.
+ // This happens on bookmarking / link sharing.
+ if (!ord.publicReorderUrl) {
return respForbidden(req);
}
- if (ord.requireClaimToken && !req.claimToken && !hcOk) {
- // Client is trying to get the order status of a claimed,
- // unpaid order. However, the client is not showing authentication.
- //
- // This can happen when the fulfillment URL includes the order ID,
- // and the storefront redirects the user to the backend QR code
- // page, because the order is not paid under the current session.
- // This happens on bookmarking / link sharing.
- if (!ord.publicReorderUrl) {
- return respForbidden(req);
- }
- return respGoto(req, ord.publicReorderUrl);
- }
- return respUnpaid(req, ord);
+ return respGoto(req, ord.publicReorderUrl);
}
- // Here, we know that the order is paid for.
- // But we still need the ord.claimToken, because
+ // Even if an order is paid for,
+ // we still need the ord.claimToken, because
// the QR code page will poll until it gets a
// fulfillment URL, but we decided that the
// fulfillment URL should only be returned
// when the client is authenticated.
// (Otherwise, guessing the order ID might leak the
// fulfillment URL).
-
- const authOk =
- ord.contractHash === req.contractHash ||
- (ord.requireClaimToken && ord.claimToken === req.claimToken);
-
if (!authOk) {
return respForbidden(req);
}
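Review bot: `authMissing` on the new line `const authMissing = !!req.contractHash && !!req.claimToken;` is true only when both credentials are present, which is the opposite of what the name and the comment right below it ("the client is not showing authentication") describe; unless that inversion is intentional, it should read `const authMissing = !req.contractHash && !req.claimToken;`. As written, a caller that sends no credentials skips the reorder-URL redirect and falls through to the `authOk` test, while a caller presenting both is redirected instead of being checked. The new `!ord.requireClaimToken` disjunct in `authOk` also lets the check pass with no credential at all whenever claim tokens are optional, which the retained comment about guessing the order ID leaking the fulfillment URL suggests is worth confirming as intended. The signature of handlePublicOrdersGet and the lookup that sets `ord` lie before this hunk.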
@@ -115,9 +94,13 @@ function handlePublicOrdersGet(mos: MerchantOrderStore,
req: Req): Resp {
return respAlreadyPaid(req, alreadyPaidOrd);
}
}
- return respUnpaid(req, ord);
}
- return respPaid(req, ord);
+
+ if (ord.paid) {
+ return respPaid(req, ord);
+ }
+
+ return respUnpaid(req, ord);
}
function respNotFound(req: Req): Resp {
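Review bot: The trailing `if (ord.paid) { return respPaid(req, ord); }` / `return respUnpaid(req, ord);` pair is now reached only after the already-paid lookup above it, whose opening condition is outside this hunk, so it cannot be seen here whether that lookup is now also performed for orders that are already paid. If that is intended, a short comment before the `if (ord.paid)` line such as `// The already-paid check above applies to paid and unpaid orders alike; only the final response depends on ord.paid.` would make the new control flow explicit. handlePublicOrdersGet starts before this hunk.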
--