View Issue Details

IDProjectCategoryView StatusLast Update
0006468Talermerchant backend API (HTTP specification)public2021-08-24 16:23
ReporterChristian Grothoff Assigned ToFlorian Dold  
Status closedResolutionfixed 
Platformi7OSDebian GNU/LinuxOS Versionsqueeze
Product Versiongit (master) 
Target Version0.8Fixed in Version0.8 
Summary0006468: Use 410 Gone if token is provided for claimed order in public GET /orders/{order_id} page
DescriptionRight now, we give a 403 Forbidden. However, we don't actually know if the token is invalid, as we may have forgotten it (once the order was paid). This may result in a very confusing error for users that may have bookmarked the page with the token in the URL. Hence, we should change the logic to detect that a token was provided for a claimed order and return 410 Gone instead of 403. Additionally, we _eventually_ should provide a nice HTML reply (if requested content-type is HTML), and there detail what went wrong (order already claimed), instead of always returning JSON.
TagsNo tags attached.


Florian Dold

2020-08-11 21:36

manager   ~0016589

The description of this is outdated, as the suggested approach doesn't work with NoJS, and also breaks when reloading the page at inopportune times.

We should first agree on a clearer specification for what /orders/{order_id} does, depending on the state of the order and and authentication given.

Christian Grothoff

2020-08-16 17:43

manager   ~0016640

I fixed the flow for WooCommerce today, and updated the spec.

We cannot return 302 with the fulfillment URL if the client requests JSON due to CORS issues. So I am now:
- returning 302 to fulfillment if the order is paid and we are arriving with a claim token and HTML is requested
- return 202 with a JSON body giving the fulfillment URL if the order is paid, we are arriving with a claim token, and HTML is NOT requested.

Christian Grothoff

2020-08-16 17:44

manager   ~0016642

Florian, please confirm this works for you.

Florian Dold

2020-08-18 16:42

manager   ~0016657

Christian: The spec and implementation works for me like this.

The integration test is also finally passing now.

Issue History

Date Modified Username Field Change
2020-08-09 14:20 Christian Grothoff New Issue
2020-08-09 14:20 Christian Grothoff Status new => assigned
2020-08-09 14:20 Christian Grothoff Assigned To => jonathanbuchanan
2020-08-11 20:48 Florian Dold Assigned To jonathanbuchanan => Florian Dold
2020-08-11 21:36 Florian Dold Note Added: 0016589
2020-08-16 17:43 Christian Grothoff Note Added: 0016640
2020-08-16 17:44 Christian Grothoff Status assigned => feedback
2020-08-16 17:44 Christian Grothoff Note Added: 0016642
2020-08-18 16:42 Florian Dold Status feedback => resolved
2020-08-18 16:42 Florian Dold Resolution open => fixed
2020-08-18 16:42 Florian Dold Note Added: 0016657
2020-10-03 14:09 Christian Grothoff Fixed in Version => 0.8
2021-08-24 16:23 Christian Grothoff Status resolved => closed