On Fri, Apr 27, 2012 at 12:45 PM, Jim Straus <
jst...@mozilla.com> wrote:
> Hello Ian -
> Just clarifying some points and a point.
>
> On Apr 25, 2012, at 1:49 PM, Ian Bicking wrote:
>
> For the case of updating a receipt with a new/fresh receipt, I imagine the
> flow going like this:
>
> 1. User arrives at site, mozApps.getSelf is called, app sends receipt(s)
> back via XHR
>
>
> Do we want to provide a Gecko service to handle the receipts? See below.
>
We attach receipts to the application object at install time. These
receipts are also stored at the Marketplace, and in the Apps-in-the-Cloud
server. To actually get the receipts you do:
navigator.mozApps.getSelf().onsuccess = function () {
if (! this.result) {
// the app isn't installed
return;
}
var receipts = this.result.receipts;
// then send the receipts via XHR or something
};
> 2. On the backend, the app makes a call to marketplace (via a verification
> URL embedded in the receipt) to validate the receipt
>
>
> I assume this is the server backend or is the device app validating the
> receipt as well?
>
To actually ensure the receipt is valid the application's backend server
does need to validate the receipt. If an application developer isn't as
concerned with fraud they could also rely only on client-side checking
(you'd need something like an addon or greasemonkey script to reliably
defeat client-side checking – not terribly hard, but not something
mainstream customers would be likely to do).
> 3. The marketplace sees the receipt has expired or for some reason can be
> refreshed without any user intervention, and gives a response to the
> application with the new receipt that should replace the old one
>
>
> How does the marketplace give a response to the application on the device?
>
Each receipt contains a URL that can be used to verify the receipt. You
can potentially verify the receipt cryptographically without asking the
marketplace, and you could tell that the receipt was expired though you
need the marketplace to actually reissue the receipt. Some cases like a
chargeback can only be detected by asking the marketplace.
>
> 4. The app's server responds to the XHR with the new receipt that should
> replace the old on
>
> 5. This invokes client-side Javascript that calls
> app.replaceReceipt(oldReceipt, newReceipt)
>
>
> This should probably not happen in the app, but in the Gecko App service.
>
I'm not exactly sure what you mean by Gecko App service. There's the
mozApps API, but I think you might mean something more?
> -----
> I presume that receipt verification is normally only done at the app
> provider's site?
>
Yes
> In thinking about it, should the receipt verification (from the app's
> perspective) be something that Gecko should provide as a service?
> mozApps.sendReceipt(url). The Gecko code could validate that the URL is
> associated with the app developer's domain. Or are there use cases where
> an app may want to send the receipt to arbitrary servers?
>
I'm sure there could be operational reasons to send it to arbitrary
servers, and potentially receipt verification could be a centralized server
service. For instance, I can imagine a static-HTML game hosting service
that might handle this verification centrally. Something that just
occurred to me, would be if the user agent could connect to the
Marketplace, have its receipts verified, and the Marketplace would respond
with some signed value with an expiration that was sooner than the receipt
as a whole. Then the user agent could send that with its requests as a
kind of authentication token, and the app server could stick to purely
cryptographic checks.
Also, we can definitely provide a library that handles some of this receipt
flow. I don't think it needs to be part of the DOM/Gecko API. But one of
the problems with packaging up server calls in an API is that developers
can be quite opinionated about what their servers receive, and how some of
that flow works. We had an experimental verifyReceipt flow that tried to
handle this, with a bunch of different sorts of hooks. We could revive it.
> For security reasons we may not want the update transaction going through
> the app provider's site nor through the app itself. If we provide a reject
> with a specific type of "Update Receipt" to the server and that gets sent
> to the Gecko code, then the Gecko code kicks off a transaction with the
> market place. Once the transaction is complete, the sending of the
> receipts to the original server can be re-started. There may be a delay in
> this case, but hopefully receipt refreshes don't occur very often.
>
For this case I guess my intuition is that Gecko is less secure than the
other components, so I'm not sure I see the advantage of going through the
user agent with everything. There might be situations I'm not thinking
about, but I am not sure how to respond without something more concrete.
Well, I can see some danger to XSS holes in the application allowing an
attacker to get other people's receipts, or simply to do vandalism by
deleting receipts.