Apps/WebApplicationReceipt: Difference between revisions

m
(Created page with "A ''Web Application Receipt'' is a portable, verifiable proof of purchase token. Receipts are created by payment services providers, distributed to clients, and verified by vend...")
 
Line 93: Line 93:
* <tt>status</tt>: A string, containing one of the values "ok", "pending", "refunded", or "invalid".
* <tt>status</tt>: A string, containing one of the values "ok", "pending", "refunded", or "invalid".


This verification is not required, but is provided to support real-time queries.  Receipt issuers SHOULD require application authentication on this call, to prevent enumeration attack.  Receipt issuers are encouraged to use a sparse, non-guessible receipt sequence ID if they do not authenticate verification calls.
This verification is not required, but is provided to support real-time queries.  Receipt issuers SHOULD require application authentication on this call, to prevent enumeration attack.  Receipt issuers are encouraged to use a sparse, non-guessible receipt sequence ID if they do not authenticate verification calls. (TODO: If it's just a status field, does enumeration really matter?  Perhaps none of this language is required.)


== References ==
== References ==
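Review bot: The TODO appended to the verification paragraph leaves an open design question inside normative text, right after the SHOULD it casts doubt on. The status field listed just above distinguishes "ok", "pending", "refunded" and "invalid", so a caller walking guessable receipt sequence IDs without authenticating could still tell receipts apart by state. Until that is judged harmless, the authentication and sparse-ID guidance should stay; suggest settling the question on the discussion page and dropping the parenthetical. While this sentence is being edited, "non-guessible" should read "non-guessable" and "enumeration attack" should be "enumeration attacks".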