
[GNUnet-SVN] [taler-merchant-frontend-examples] branch master updated (3


From: gnunet
Subject: [GNUnet-SVN] [taler-merchant-frontend-examples] branch master updated (3c196d9 -> b7b5532)
Date: Mon, 27 Mar 2017 22:47:00 +0200

This is an automated email from the git hooks/post-receive script.

marcello pushed a change to branch master
in repository merchant-frontend-examples.

    from 3c196d9  Security checks in python example. The frontend must generate 
and save in the state the order_id, because it needs at /pay time to check if 
it matches the one mentioned in the deposit permission.
     new 7830e8b  python example shows order id on fulfillment page
     new b7b5532  php example shows order id in fulfillment page

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 php/fulfillment.php       |  2 +-
 php/generate-order.php    |  2 +-
 php/pay.php               | 25 ++++++++++---------------
 python/example/example.py | 19 +++++++++----------
 4 files changed, 21 insertions(+), 27 deletions(-)

diff --git a/php/fulfillment.php b/php/fulfillment.php
index 3c0ecef..ce4174d 100644
--- a/php/fulfillment.php
+++ b/php/fulfillment.php
@@ -7,7 +7,7 @@
 
   if(pull($_SESSION, 'paid', false)){
     echo sprintf("<p>Thanks for your donation!</p>
-                  <br><p>The order ID is: %s; use it to
+                  <br><p>The order ID is: <b>%s</b>; use it to
                   <a href=\"backoffice.html\">track</a> your money,
                   or make <a href=\"/\">another donation!</a></p>",
                   $_SESSION['order_id']);
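Review bot: `$_SESSION['order_id']` is interpolated into the HTML via sprintf without escaping, and within this same push the value kept in the session stops being this frontend's own locally generated id and becomes whatever `proposal_data->order_id` the backend's `/pay` reply carried (see pay.php), so the page should not assume it is HTML-safe. Escape at the output point: `htmlspecialchars($_SESSION['order_id'], ENT_QUOTES, 'UTF-8'));` in place of the bare `$_SESSION['order_id']);` argument. The `if(pull($_SESSION, 'paid', false))` block this sprintf sits in continues outside the hunk.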
diff --git a/php/generate-order.php b/php/generate-order.php
index 4d57998..017780f 100644
--- a/php/generate-order.php
+++ b/php/generate-order.php
@@ -5,7 +5,7 @@
   include 'backend.php';
   include 'error.php';
 
-  $order_id = rand(1,90000); // simplified, do not do this!
+  $order_id = "tutorial-" . dechex(rand(0,99999999)) . date("-H_i_s");
   session_start();
   $_SESSION["order_id"] = $order_id;
   // this variable is the JSON of a contract proposal,
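Review bot: The new `$order_id` line drops the `// simplified, do not do this!` caveat but still draws on `rand()`, which is not a cryptographically secure generator; if an order id is ever expected to be unguessable (the fulfillment page now displays it, and the previous commit used it as the /pay cross-check), `random_int(0, 99999999)` on PHP 7 is the drop-in replacement. Separately, a bounded hex value plus `date("-H_i_s")` can repeat for two orders generated in the same second, and nothing in this hunk checks uniqueness. A comment worth keeping on the line is `// demo id: neither unique nor unguessable; real shops need a proper generator`.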
diff --git a/php/pay.php b/php/pay.php
index 25b2d6a..921cc70 100644
--- a/php/pay.php
+++ b/php/pay.php
@@ -1,34 +1,29 @@
 <?php
   // This file is in the public domain.
 
-  include 'backend.php';
-  include 'error.php';
+  include "backend.php";
+  include "error.php";
 
   session_start();
-  if(!isset($_SESSION['paid'])){
+  if(!isset($_SESSION["paid"])){
     echo "<p>No session active. Aborting.</p>";
     return;
   }
   // Get coins.
-  $body = json_decode(file_get_contents('php://input'));
-
-  if ($_SESSION["order_id"] != $body->order_id){
-    echo build_error($response,
-                     "Mismatch between the product ordered and the one 
attempted to be paid",
-                     406);
-    return;
-  }
+  $body = json_decode(file_get_contents("php://input"));
 
   $response = post_to_backend("/pay", $body);
-  http_response_code($response['status_code']);
+  $proposal_data = json_decode($response["body"])->proposal_data;
+  $_SESSION["order_id"] = $proposal_data->order_id;
+  http_response_code($response["status_code"]);
 
-  if (200 != $response['status_code']){
+  if (200 != $response["status_code"]){
     echo build_error($response,
                      "Could not send payment to backend",
-                     $response['status_code']);
+                     $response["status_code"]);
     return;
   }
   // Payment went through!
-  $_SESSION['paid'] = true;
+  $_SESSION["paid"] = true;
   return;
 ?>
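Review bot: `$proposal_data = json_decode($response["body"])->proposal_data;` and `$_SESSION["order_id"] = $proposal_data->order_id;` run before the `if (200 != $response["status_code"])` guard, so a non-200 backend reply — whose body need not be JSON of that shape — still overwrites the session's order id (with null, after a property-on-non-object warning) even though the payment failed. Move those two lines below the guard, next to `$_SESSION["paid"] = true;`, so the session only records an order id for a payment the backend accepted; that also keeps the write order consistent with the Python example, where the lookup happens after the status check. With the local order-id comparison removed, the backend reply is now the only source for the id, which deserves a one-line comment at the assignment, e.g. `// order_id is taken from the backend's verified /pay reply, not from the client's request body`.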
diff --git a/python/example/example.py b/python/example/example.py
index e151e42..2090e94 100644
--- a/python/example/example.py
+++ b/python/example/example.py
@@ -7,6 +7,7 @@ import os
 import logging
 import json
 from random import randint
+from datetime import datetime
 
 
 app = flask.Flask(__name__)
@@ -16,7 +17,7 @@ logger = logging.getLogger(__name__)
 CURRENCY = "PUDOS"
 BACKEND_URL = "http://backend.test.taler.net/";
 
-def make_url(page, query_params=dict()):
+def make_url(page, *query_params):
     """
     Return a URL to a page in the current Flask application with the given
     query parameters (sequence of key/value pairs).
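Review bot: The docstring under the new `def make_url(page, *query_params):` signature still says "query parameters (sequence of key/value pairs)", which described the old dict default rather than the new varargs convention where each pair is its own positional argument, as the caller `make_url("/fulfillment", ("order_id", ORDER_ID))` later in this diff shows. Suggest `query parameters, each passed as a separate (key, value) tuple positional argument.` The function body lies outside the hunk, so whether a dict argument is still tolerated could not be checked here.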
@@ -48,9 +49,9 @@ def donate():
 def generate_proposal():
     DONATION = amount.string_to_amount("0.1:%s" % CURRENCY) 
     MAX_FEE = amount.string_to_amount("0.05:%s" % CURRENCY) 
-    ORDER_ID = str(randint(0, 999999))
+    ORDER_ID = "tutorial-%X-%s" % (randint(0, 0xFFFFFFFF), 
datetime.today().strftime("%H_%M_%S"))
     order = dict(
-        order_id = ORDER_ID,
+        order_id=ORDER_ID,
         nonce=flask.request.args.get("nonce"),
         amount=DONATION,
         max_fee=MAX_FEE,
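Review bot: `ORDER_ID` is built from `randint(0, 0xFFFFFFFF)`, Python's non-cryptographic PRNG, plus a `datetime.today()` local-time stamp; that makes the id neither unique nor hard to guess, so if it is ever used to look an order up outside an active session (the fulfillment page now shows it) it should come from a CSPRNG: `from random import SystemRandom` in the import block and `SystemRandom().randint(0, 0xFFFFFFFF)` here is a two-line change. `datetime.utcnow()` would also keep the timestamp component independent of the server's local zone. The `ORDER_ID = ...` statement appears split across two lines by the mailer and reads as a single line in the source.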
@@ -62,7 +63,7 @@ def generate_proposal():
                 price=DONATION,
             ),
         ],
-        fulfillment_url=make_url("/fulfillment", 
query_params=dict(order_id=ORDER_ID)),
+        fulfillment_url=make_url("/fulfillment", ("order_id", ORDER_ID)),
         pay_url=make_url("/pay"),
         merchant=dict(
             instance="tutorial",
@@ -79,7 +80,6 @@ def generate_proposal():
         logger.error("failed to POST to '%s'", url)
         return r.text, r.status_code
     proposal_resp = r.json()
-    flask.session["order_id"] = ORDER_ID
     return flask.jsonify(**proposal_resp)
 
 
@@ -87,7 +87,7 @@ def generate_proposal():
 def fulfillment():
     paid = flask.session.get("paid", False)
     if paid:
-        return "Thank you!"
+        return "Thank you! Your order id is: <b>%s</b>." % 
flask.session["order_id"]
 
     response = flask.Response(status=402)
     response.headers["X-Taler-Contract-Url"] = make_url("/generate-contract")
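Review bot: The new return value `%`-formats `flask.session["order_id"]` into HTML without escaping; after this push the id is no longer generated locally but copied from the backend's `/pay` reply in `pay()`, so it should be escaped at output: `return "Thank you! Your order id is: <b>%s</b>." % flask.escape(flask.session["order_id"])`. Also, `flask.session["order_id"]` raises KeyError whenever `paid` is set but no id was stored (which `pay()` below can leave behind); `flask.session.get("order_id", "")` degrades more gracefully. The statement is wrapped by the mailer and is one line in the source.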
@@ -103,14 +103,13 @@ def pay():
     if deposit_permission is None:
         e = flask.jsonify(error="no json in body")
         return e, 400
-    if (flask.session["order_id"] != deposit_permission["order_id"]):
-      e = flask.jsonify(error="Attempting to pay a product different \
-      from the ordered one (%s != %s)" % (flask.session["order_id"], 
deposit_permission["order_id"]))
-      return e, 406
+
     r = requests.post(urljoin(BACKEND_URL, 'pay'), json=deposit_permission)
     if 200 != r.status_code:
         return r.text, r.status_code
+    proposal_data = r.json()["proposal_data"]
 
     flask.session["paid"] = True
+    flask.session["order_id"] = proposal_data["order_id"]
 
     return flask.Response(status=200)
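Review bot: `flask.session["paid"] = True` is written before `flask.session["order_id"] = proposal_data["order_id"]`, so if the backend's 200 reply lacks `order_id` the KeyError leaves the session flagged paid with no order id, and `fulfillment()` then fails on `flask.session["order_id"]`. Record the id first, and validate the reply before touching the session, mirroring the `no json in body` error return above rather than surfacing an unhandled 500; `r.json()["proposal_data"]` has the same failure mode on a malformed 200 body. The `pay()` function starts outside the hunk.
```python
    # … unchanged: status-code check on r …
    proposal_data = r.json().get("proposal_data") or {}
    if "order_id" not in proposal_data:
        e = flask.jsonify(error="backend reply lacks proposal_data.order_id")
        return e, 502
    # Store the order id before flagging the session as paid, so a failed
    # lookup can never leave "paid" set without an id for fulfillment().
    flask.session["order_id"] = proposal_data["order_id"]
    flask.session["paid"] = True
```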

-- 
To stop receiving notification emails like this one, please contact
address@hidden


