View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006468 | Taler | specification | public | 2020-08-09 14:20 | 2021-08-24 16:23 |
Field | Value |
---|---|
Reporter | Christian Grothoff |
Assigned To | Florian Dold |
Priority | normal |
Severity | feature |
Reproducibility | N/A |
Status | closed |
Resolution | fixed |
Platform | i7 |
OS | Debian GNU/Linux |
OS Version | squeeze |
Product Version | git (master) |
Target Version | 0.8 |
Fixed in Version | 0.8 |
Summary | 0006468: Use 410 Gone if token is provided for claimed order in public GET /orders/{order_id} page |
Tags | No tags attached. |

Description

Right now, we give a 403 Forbidden. However, we don't actually know if the token is invalid, as we may have forgotten it (once the order was paid). This may result in a very confusing error for users who may have bookmarked the page with the token in the URL. Hence, we should change the logic to detect that a token was provided for a claimed order and return 410 Gone instead of 403. Additionally, we _eventually_ should provide a nice HTML reply (if the requested content-type is HTML), and there detail what went wrong (order already claimed), instead of always returning JSON.
Note 0016589 (Florian Dold, 2020-08-11 21:36)

The description of this is outdated, as the suggested approach doesn't work with NoJS, and also breaks when reloading the page at inopportune times. We should first agree on a clearer specification for what /orders/{order_id} does, depending on the state of the order and the authentication given.

Note 0016640 (Christian Grothoff, 2020-08-16 17:43)

I fixed the flow for WooCommerce today, and updated the spec. We cannot return 302 with the fulfillment URL if the client requests JSON due to CORS issues. So I am now:

- returning 302 to fulfillment if the order is paid and we are arriving with a claim token and HTML is requested
- returning 202 with a JSON body giving the fulfillment URL if the order is paid, we are arriving with a claim token, and HTML is NOT requested.

Note 0016642 (Christian Grothoff, 2020-08-16 17:44)

Florian, please confirm this works for you.

Note 0016657 (Florian Dold, 2020-08-18 16:42)

Christian: The spec and implementation work for me like this. The integration test is also finally passing now.
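The response selection agreed in the notes above, as an added illustration (this is constructed example code, not the GNU Taler merchant backend's implementation). Only the two paid-order-with-claim-token branches follow the notes; the 404 for unknown orders, the 403 for a missing or mismatched token on an unpaid order, and the 200 JSON status body are assumptions made for the example, as is the `Order` record and the simple `Accept`-header check:

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Order:
    """Constructed order record; not the merchant backend's data model."""
    order_id: str
    paid: bool
    fulfillment_url: str
    # Claim token the backend still remembers; None once it has been
    # forgotten (the ticket notes the token may be forgotten after payment).
    claim_token: Optional[str] = None


def wants_html(accept: Optional[str]) -> bool:
    """Treat the request as a browser navigation only if text/html is listed
    explicitly; a bare */* (curl, fetch defaults) counts as a JSON client."""
    return "text/html" in (accept or "").lower()


def handle_order_get(order: Optional[Order], token: Optional[str], accept: Optional[str]):
    """Return (status, headers, body) for a public GET /orders/{order_id}."""
    if order is None:
        return 404, {}, {"hint": "unknown order"}  # assumption: 404 for unknown ids

    if order.paid and token is not None:
        # Paid order reached with a claim token (possibly one we no longer
        # remember, e.g. a bookmarked URL): the token is not checked here.
        if wants_html(accept):
            # Browser: redirect straight to the fulfillment page.
            return 302, {"Location": order.fulfillment_url}, None
        # JSON client: a 302 to the cross-origin fulfillment URL would be
        # followed by fetch() and then fail on CORS, so hand the URL back
        # in the body and let the client navigate itself.
        return (202, {"Content-Type": "application/json"},
                {"fulfillment_url": order.fulfillment_url})

    # Unpaid order (assumption): a matching claim token is required before
    # any order details are disclosed. Constant-time comparison so that the
    # token check does not leak how many leading bytes matched.
    if (token is None or order.claim_token is None
            or not hmac.compare_digest(order.claim_token.encode(), token.encode())):
        return 403, {}, {"hint": "claim token missing or does not match"}
    return (200, {"Content-Type": "application/json"},
            {"order_id": order.order_id, "paid": False})


if __name__ == "__main__":
    # Constructed sample orders and requests.
    paid = Order("2020-001", paid=True, fulfillment_url="https://shop.example/thanks")
    unpaid = Order("2020-002", paid=False, fulfillment_url="https://shop.example/thanks",
                   claim_token="constructed-claim-token")
    print(handle_order_get(paid, "any-token", "text/html,application/xhtml+xml"))
    print(handle_order_get(paid, "any-token", "application/json"))
    print(handle_order_get(unpaid, "wrong-token", "application/json"))
    print(handle_order_get(unpaid, "constructed-claim-token", "application/json"))
```

The split on `Accept` is what makes the flow work for both a browser arriving via a bookmarked URL and a script polling the order with `fetch()`: the browser gets the redirect it can follow, while the JSON client gets the fulfillment URL as data rather than a cross-origin redirect it cannot complete.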
Date Modified | Username | Field | Change |
---|---|---|---|
2020-08-09 14:20 | Christian Grothoff | New Issue | |
2020-08-09 14:20 | Christian Grothoff | Status | new => assigned |
2020-08-09 14:20 | Christian Grothoff | Assigned To | => jonathanbuchanan |
2020-08-11 20:48 | Florian Dold | Assigned To | jonathanbuchanan => Florian Dold |
2020-08-11 21:36 | Florian Dold | Note Added: 0016589 | |
2020-08-16 17:43 | Christian Grothoff | Note Added: 0016640 | |
2020-08-16 17:44 | Christian Grothoff | Status | assigned => feedback |
2020-08-16 17:44 | Christian Grothoff | Note Added: 0016642 | |
2020-08-18 16:42 | Florian Dold | Status | feedback => resolved |
2020-08-18 16:42 | Florian Dold | Resolution | open => fixed |
2020-08-18 16:42 | Florian Dold | Note Added: 0016657 | |
2020-10-03 14:09 | Christian Grothoff | Fixed in Version | => 0.8 |
2021-08-24 16:23 | Christian Grothoff | Status | resolved => closed |
2024-01-12 14:02 | Christian Grothoff | Category | merchant backend API (HTTP specification) => specification |