From 2953525355a1b8d7c667c535f48c1e0b628d3f61 Mon Sep 17 00:00:00 2001 From: Florian Dold Date: Thu, 12 Aug 2021 19:59:55 +0200 Subject: simplify public order spec and fix 'already paid' logic --- merchant-spec/public-orders-get.ts | 65 ++++++++++++++------------------------ 1 file changed, 24 insertions(+), 41 deletions(-) diff --git a/merchant-spec/public-orders-get.ts b/merchant-spec/public-orders-get.ts index ec7860b0..84af8543 100644 --- a/merchant-spec/public-orders-get.ts +++ b/merchant-spec/public-orders-get.ts @@ -50,56 +50,35 @@ function handlePublicOrdersGet(mos: MerchantOrderStore, req: Req): Resp { if (!ord) { return respNotFound(req); } - if (!ord.claimed) { - if (!!req.claimToken && !!req.contractHash && ord.publicReorderUrl) { - return respGoto(req, ord.publicReorderUrl); - } - if (ord.requireClaimToken && ord.claimToken !== req.claimToken) { - return respForbidden(req); - } - return respUnpaid(req, ord); - } - if (!ord.paid) { - const hcOk = ord.contractHash === req.contractHash; - const ctOk = ord.claimToken === req.claimToken; - if (req.contractHash && !hcOk) { - // Contract terms hash given but wrong - return respForbidden(req); - } - if (req.claimToken && !ctOk) { - // Claim token given but wrong + const authMissing = !!req.contractHash && !!req.claimToken; + const authOk = + ord.contractHash === req.contractHash || + (ord.requireClaimToken && ord.claimToken === req.claimToken) || + !ord.requireClaimToken; + + if (authMissing) { + // Client is trying to get the order status of a claimed, + // unpaid order. However, the client is not showing authentication. + // + // This can happen when the fulfillment URL includes the order ID, + // and the storefront redirects the user to the backend QR code + // page, because the order is not paid under the current session. + // This happens on bookmarking / link sharing. + if (!ord.publicReorderUrl) { return respForbidden(req); } - if (ord.requireClaimToken && !req.claimToken && !hcOk) { - // Client is trying to get the order status of a claimed, - // unpaid order. However, the client is not showing authentication. - // - // This can happen when the fulfillment URL includes the order ID, - // and the storefront redirects the user to the backend QR code - // page, because the order is not paid under the current session. - // This happens on bookmarking / link sharing. - if (!ord.publicReorderUrl) { - return respForbidden(req); - } - return respGoto(req, ord.publicReorderUrl); - } - return respUnpaid(req, ord); + return respGoto(req, ord.publicReorderUrl); } - // Here, we know that the order is paid for. - // But we still need the ord.claimToken, because + // Even if an order is paid for, + // we still need the ord.claimToken, because // the QR code page will poll until it gets a // fulfillment URL, but we decided that the // fulfillment URL should only be returned // when the client is authenticated. // (Otherwise, guessing the order ID might leak the // fulfillment URL). - - const authOk = - ord.contractHash === req.contractHash || - (ord.requireClaimToken && ord.claimToken === req.claimToken); - if (!authOk) { return respForbidden(req); } @@ -115,9 +94,13 @@ function handlePublicOrdersGet(mos: MerchantOrderStore, req: Req): Resp { return respAlreadyPaid(req, alreadyPaidOrd); } } - return respUnpaid(req, ord); } - return respPaid(req, ord); + + if (ord.paid) { + return respPaid(req, ord); + } + + return respUnpaid(req, ord); } function respNotFound(req: Req): Resp { -- cgit v1.2.3