From 0919fe8b52588bd8f3adb83817158abc9434ac5b Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Fri, 31 Dec 2021 18:26:49 +0100 Subject: document and shorten default payment timeout (fixes #7073) --- doc/sphinx/rest.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/sphinx/rest.rst b/doc/sphinx/rest.rst index 9127354..605fc9f 100644 --- a/doc/sphinx/rest.rst +++ b/doc/sphinx/rest.rst @@ -216,7 +216,7 @@ In the following, UUID is always defined and used according to `RFC 4122`_. :query timeout_ms=NUMBER: *Optional.* If specified, the Anastasis server will wait up to ``timeout_ms`` milliseconds for completion of the payment before sending the HTTP response. A client must never rely on this behavior, as the - backend may return a response immediately. + backend may return a response immediately. If a ``timeout_ms`` is not given, the Anastasis server may apply a default timeout (usually 30s) when talking to the merchant backend. *If-None-Match*: This header MUST be present and set to the SHA512 hash (Etag) of the body by the client. The client SHOULD also set the ``Expect: 100-Continue`` header and wait for ``100 continue`` @@ -227,7 +227,7 @@ In the following, UUID is always defined and used according to `RFC 4122`_. *Anastasis-Policy-Signature*: The client must provide Base-32 encoded EdDSA signature over hash of body with ``$ACCOUNT_PRIV``, affirming desire to upload an encrypted recovery document. - *Payment-Identifier*: Base-32 encoded 32-byte payment identifier that was included in a previous payment (see ``402`` status code). Used to allow the server to check that the client paid for the upload (to protect the server against DoS attacks) and that the client knows a real secret of financial value (as the **kdf_id** might be known to an attacker). If this header is missing in the client's request (or the associated payment has exceeded the upload limit), the server must return a ``402`` response. When making payments, the server must include a fresh, randomly-generated payment-identifier in the payment request. + *Payment-Identifier*: Base-32 encoded 32-byte payment identifier that was included in a previous payment (see ``402`` status code). Used to allow the server to check that the client paid for the upload (to protect the server against DoS attacks) and that the client knows a real secret of financial value (as the **kdf_id** might be known to an attacker). If this header is missing in the client's request (or the associated payment has exceeded the upload limit), the server must return a ``402`` response. When making payments, the server must include a fresh, randomly-generated payment-identifier in the payment request. If a payment identifier is given, the Anastasis backend may block for the payment to be confirmed by Taler as specified by the ``timeout_ms`` argument. **Response**: -- cgit v1.2.3