[taler-docs] branch master updated: move order-ID into cookie

[gnunet]

This is an automated email from the git hooks/post-receive script.

grothoff pushed a commit to branch master
in repository docs.

The following commit(s) were added to refs/heads/master by this push:
     new cc67333  move order-ID into cookie
cc67333 is described below

commit cc673337e08b66d1adac3ae9bc4e5893e73ab835
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Sun Aug 9 13:15:10 2020 +0200

    move order-ID into cookie
---
 design-documents/007-payment.rst | 27 +++++++++------------------
 1 file changed, 9 insertions(+), 18 deletions(-)

diff --git a/design-documents/007-payment.rst b/design-documents/007-payment.rst
index 1de6f6f..a4091cb 100644
--- a/design-documents/007-payment.rst
+++ b/design-documents/007-payment.rst
@@ -36,23 +36,22 @@ Storefront
 
 When *resource-URL* is requested, the storefront runs the following steps:
 
-1. Extract the the *order-ID* (or null) and *resource name* from the 
*resource-URL*.
-2. Extract the *session-ID* (or null) from the request's validated cookie (for 
example, by using signed cookies).
-3. If *session-ID* and *order-ID* is non-null and the storefront's
+1. Extract the *resource name* from the *resource-URL*.
+2. Extract the *order-ID* and *session-ID* (or null) from the request's 
validated cookie (for example, by using signed cookies).
+3. If *session-ID* and *order-ID* are valid and the storefront's
    *session-payment-cache* contains the tuple (*order-ID*, *resource-name*, 
*session-ID*),
    return to the client the resource associated with *resource name*.  
**Terminate.**
-4. If the *session-ID* is null, assign a fresh session ID and set it in a 
cookie to be sent with the response.
-5. If *order-ID* is null, create a new order for *resource-name* by doing a 
``POST /private/orders`` to
-   the merchant backend.  Store the new order ID as *order-ID*.
-6. Check the status of the payment for *order-ID* under *session-ID* by doing 
a ``GET /private/orders/{order-ID}?session_id={session-ID}``.
+4. If *session-ID* and *order-ID* are invalid, assign a fresh session ID and 
create a new order for *resource name* by doing a ``POST /private/orders`` to
+   the merchant backend.  Set both in the cookie to be sent with the response.
+5. Check the status of the payment for *order-ID* under *session-ID* by doing 
a ``GET /private/orders/{order-ID}?session_id={session-ID}``.
    This results in the *order-status*, *refund-amount* and the 
*client-order-status-URL*.
-7. If the *order-status* is paid and *refund-amount* is non-zero,
+6. If the *order-status* is paid and *refund-amount* is non-zero,
    return to the client a page with an explanation that the payment has been 
refunded.
    If the client has not (fully) obtained the granted refunds yet, show a link 
to the public order page
    of the backend to allow the client to obtain the refund.  **Terminate.**
-8. If the *order-status* is paid, store the tuple (*order-ID*, 
*resource-name*, *session-ID*) in *session-payment-cache*
+7. If the *order-status* is paid, store the tuple (*order-ID*, 
*resource-name*, *session-ID*) in *session-payment-cache*
    and return to the client the resource associated with *resource name*.  
**Terminate.**
-9. Otherwise, the *order-status* is unpaid.  Redirect the client to 
*client-order-status-URL*. **Terminate.**
+8. Otherwise, the *order-status* is unpaid.  Redirect the client to 
*client-order-status-URL*. **Terminate.**
 
 .. note::
 
@@ -183,14 +182,6 @@ Covered Scenarios
 Problematic Scenarios
 ---------------------
 
-Link sharing
-^^^^^^^^^^^^
-
-Right now, sharing the /orders/{order-ID} link with the session ID will
-allow someone who did not purchase the order to still get a 'paid' response
-from the backend. (Will fulfillment then work? => Check!)
-
-
 Bookmarks of Lost Purchases / Social Sharing of Fulfillment URLs
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.