path: root/design-documents/007-payment.rst
diff options
authorFlorian Dold <>2020-08-10 20:41:34 +0530
committerFlorian Dold <>2020-08-10 20:41:34 +0530
commit8a3b86d72cfd274d78a0bef7776774bef74852c7 (patch)
tree1b2f62e43cc3585d1e525c752c26ac9743d76603 /design-documents/007-payment.rst
parent25def8ac73c2ae3b2420d5f9bbd05f32871c96ad (diff)
make paywall payment flow NoJS compatible
Diffstat (limited to 'design-documents/007-payment.rst')
1 files changed, 9 insertions, 3 deletions
diff --git a/design-documents/007-payment.rst b/design-documents/007-payment.rst
index dd01b60..83cf01e 100644
--- a/design-documents/007-payment.rst
+++ b/design-documents/007-payment.rst
@@ -19,6 +19,7 @@ Requirements
* A simple API should be offered to shops
* Sharing of links or re-visiting of bookmarks should result in well-defined
behavior instead of random, ugly error messages.
+* The payment flow must degrade gracefully when JavaScript is disabled.
Proposed Solution
@@ -143,13 +144,18 @@ The merchant backend runs the following steps to generate the HTML page for
4. If *order-ID* identifies an *claimed* and *unpaid* order, run these steps:
- 1. If the order is *claimed* and the *contract-hash* request parameter does not
+ 1. If the *claim-token* request parameter is given and the *contract-hash* requesst parameter is
+ not given, redirect to the fulfillment URL of the order. (**Note**: We do not check
+ the claim token, as the merchant might have already deleted it when the order is paid,
+ and the fulfillment URL is not considered to be secret/private.)
+ 2. If the *contract-hash* request parameter does not
match the contract hash of the order, return a 403 Forbidden response. **Terminate**.
- 2. If there is a non-null *already-paid-order-ID* for *session-ID* stored under the current order,
+ 3. If there is a non-null *already-paid-order-ID* for *session-ID* stored under the current order,
redirect to the *fulfillment-URL* of *already-paid-order-ID*. **Terminate**.
- 3. Prompt the URI
+ 4. Prompt the URI