diff options
| author | Christian Grothoff <christian@grothoff.org> | 2020-10-13 12:32:09 +0200 |
|---|---|---|
| committer | Christian Grothoff <christian@grothoff.org> | 2020-10-13 12:32:17 +0200 |
| commit | 60092876f45ad3b0657adab1e07eb3364c5b4709 (patch) | |
| tree | 4b62349d90859ce73f72b379eb331f09f37737e9 /src | |
| parent | d1642d0fd0937d87a56914263361dc5985da0247 (diff) | |
| download | merchant-60092876f45ad3b0657adab1e07eb3364c5b4709.tar.gz merchant-60092876f45ad3b0657adab1e07eb3364c5b4709.tar.bz2 merchant-60092876f45ad3b0657adab1e07eb3364c5b4709.zip | |
generate refund URI with http/https status based on the merchant_base_url instead of trusting the client to use the same protocol for the request (which can be wrong if the browser decides to prefer https over http)
Diffstat (limited to 'src')
| -rw-r--r-- | src/backend/taler-merchant-httpd_get-orders-ID.c | 91 | ||||
| -rw-r--r-- | src/backend/taler-merchant-httpd_private-post-orders-ID-refund.c | 21 | ||||
| -rw-r--r-- | src/backenddb/plugin_merchantdb_postgres.c | 2 |
3 files changed, 63 insertions, 51 deletions
diff --git a/src/backend/taler-merchant-httpd_get-orders-ID.c b/src/backend/taler-merchant-httpd_get-orders-ID.c index a6f0c3b2..42e56200 100644 --- a/src/backend/taler-merchant-httpd_get-orders-ID.c +++ b/src/backend/taler-merchant-httpd_get-orders-ID.c @@ -21,6 +21,7 @@ */ #include "platform.h" #include <jansson.h> +#include <gnunet/gnunet_uri_lib.h> #include <taler/taler_signatures.h> #include <taler/taler_json_lib.h> #include <taler/taler_exchange_service.h> @@ -204,68 +205,55 @@ suspend_god (struct GetOrderData *god) /** * Create a taler://refund/ URI for the given @a con and @a order_id - * and @a instance_id. + * and @a instance_id. * - * @param con HTTP connection + * @param merchant_base_url URL to take host and path from; + * we cannot take it from the MHD connection as a browser + * may have changed 'http' to 'https' and we MUST be consistent + * with what the merchant's frontend used initially * @param order_id the order id - * @param instance_id instance, may be "default" * @return corresponding taler://refund/ URI, or NULL on missing "host" */ static char * -make_taler_refund_uri (struct MHD_Connection *con, - const char *order_id, - const char *instance_id) +make_taler_refund_uri (const char *merchant_base_url, + const char *order_id) { - const char *host; - const char *forwarded_host; - const char *uri_path; struct GNUNET_Buffer buf = { 0 }; + char *url; + struct GNUNET_Uri uri; - host = MHD_lookup_connection_value (con, - MHD_HEADER_KIND, - "Host"); - forwarded_host = MHD_lookup_connection_value (con, - MHD_HEADER_KIND, - "X-Forwarded-Host"); - - uri_path = MHD_lookup_connection_value (con, - MHD_HEADER_KIND, - "X-Forwarded-Prefix"); - if (NULL != forwarded_host) - host = forwarded_host; - if (NULL == host) + url = GNUNET_strdup (merchant_base_url); + if (-1 == GNUNET_uri_parse (&uri, + url)) { GNUNET_break (0); + GNUNET_free (url); return NULL; } - - GNUNET_assert (NULL != instance_id); GNUNET_assert (NULL != order_id); GNUNET_buffer_write_str (&buf, "taler"); - if (GNUNET_NO == TALER_mhd_is_https (con)) + if (0 == strcasecmp ("http", + uri.scheme)) GNUNET_buffer_write_str (&buf, "+http"); GNUNET_buffer_write_str (&buf, "://refund/"); GNUNET_buffer_write_str (&buf, - host); - if (NULL != uri_path) + uri.host); + if (0 != uri.port) + GNUNET_buffer_write_fstr (&buf, + ":%u", + (unsigned int) uri.port); + if (NULL != uri.path) GNUNET_buffer_write_path (&buf, - uri_path); - if (0 != strcmp ("default", - instance_id)) - { - GNUNET_buffer_write_path (&buf, - "instances"); - GNUNET_buffer_write_path (&buf, - instance_id); - } + uri.path); GNUNET_buffer_write_path (&buf, order_id); GNUNET_buffer_write_path (&buf, ""); // Trailing slash + GNUNET_free (url); return GNUNET_buffer_reap_str (&buf); } @@ -507,7 +495,7 @@ send_pay_request (struct GetOrderData *god, * with another order_id. */ GNUNET_log (GNUNET_ERROR_TYPE_INFO, - "Sending payment request in /poll-payment\n"); + "Sending payment request\n"); taler_pay_uri = TMH_make_taler_pay_uri (god->sc.con, god->order_id, god->session_id, @@ -529,6 +517,9 @@ send_pay_request (struct GetOrderData *god, struct MHD_Response *reply; MHD_RESULT ret; + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Redirecting to already paid order %s\n", + already_paid_order_id); reply = MHD_create_response_from_buffer (0, NULL, MHD_RESPMEM_PERSISTENT); @@ -675,6 +666,7 @@ TMH_get_orders_ID (const struct TMH_RequestHandler *rh, bool contract_match = false; bool token_match = false; bool contract_available = false; + const char *merchant_base_url; if (NULL == god) { @@ -902,6 +894,17 @@ TMH_get_orders_ID (const struct TMH_RequestHandler *rh, &god->claim_token)); } /* end unclaimed order logic */ + merchant_base_url = json_string_value (json_object_get (god->contract_terms, + "merchant_base_url")); + if (NULL == merchant_base_url) + { + GNUNET_break (0); + return TALER_MHD_reply_with_error (connection, + MHD_HTTP_INTERNAL_SERVER_ERROR, + TALER_EC_GET_ORDERS_CONTRACT_CONTENT_INVALID, + order_id); + } + if (NULL == god->fulfillment_url) god->fulfillment_url = json_string_value (json_object_get ( god->contract_terms, @@ -947,6 +950,9 @@ TMH_get_orders_ID (const struct TMH_RequestHandler *rh, struct MHD_Response *reply; MHD_RESULT ret; + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Contract claimed, redirecting to fulfillment page for order %s\n", + order_id); reply = MHD_create_response_from_buffer (0, NULL, MHD_RESPMEM_PERSISTENT); @@ -977,6 +983,9 @@ TMH_get_orders_ID (const struct TMH_RequestHandler *rh, { /* Order is unclaimed, no need to check for payments or even refunds, simply always generate payment request */ + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Order unclaimed, sending pay request for order %s\n", + order_id); return send_pay_request (god, NULL); } @@ -1052,6 +1061,9 @@ TMH_get_orders_ID (const struct TMH_RequestHandler *rh, &god->h_contract_terms)); if (! paid) { + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Order claimed but unpaid, sending pay request for order %s\n", + order_id); return send_pay_request (god, NULL); } @@ -1115,9 +1127,8 @@ TMH_get_orders_ID (const struct TMH_RequestHandler *rh, char *uri; GNUNET_assert (NULL != god->contract_terms); - uri = make_taler_refund_uri (god->sc.con, - order_id, - hc->instance->settings.id); + uri = make_taler_refund_uri (merchant_base_url, + order_id); if (NULL == uri) { GNUNET_break (0); diff --git a/src/backend/taler-merchant-httpd_private-post-orders-ID-refund.c b/src/backend/taler-merchant-httpd_private-post-orders-ID-refund.c index 06845bb8..59b82752 100644 --- a/src/backend/taler-merchant-httpd_private-post-orders-ID-refund.c +++ b/src/backend/taler-merchant-httpd_private-post-orders-ID-refund.c @@ -121,7 +121,7 @@ TMH_private_post_orders_ID_refund (const struct TMH_RequestHandler *rh, uint64_t order_serial; struct GNUNET_TIME_Absolute refund_deadline; struct GNUNET_TIME_Absolute timestamp; - + qs = TMH_db->lookup_contract_terms (TMH_db->cls, hc->instance->settings.id, hc->infix, @@ -130,11 +130,11 @@ TMH_private_post_orders_ID_refund (const struct TMH_RequestHandler *rh, if (GNUNET_DB_STATUS_SUCCESS_ONE_RESULT == qs) { struct GNUNET_JSON_Specification spec[] = { - TALER_JSON_spec_absolute_time ("refund_deadline", - &refund_deadline), - TALER_JSON_spec_absolute_time ("timestamp", - ×tamp), - GNUNET_JSON_spec_end () + TALER_JSON_spec_absolute_time ("refund_deadline", + &refund_deadline), + TALER_JSON_spec_absolute_time ("timestamp", + ×tamp), + GNUNET_JSON_spec_end () }; if (GNUNET_YES != @@ -163,7 +163,8 @@ TMH_private_post_orders_ID_refund (const struct TMH_RequestHandler *rh, #endif NULL); } - if (0 == GNUNET_TIME_absolute_get_remaining (refund_deadline).rel_value_us) + if (0 == GNUNET_TIME_absolute_get_remaining ( + refund_deadline).rel_value_us) { /* it is too late for refunds */ /* NOTE: We MAY still be lucky that the exchange did not yet @@ -178,7 +179,7 @@ TMH_private_post_orders_ID_refund (const struct TMH_RequestHandler *rh, hc->infix); } } - + { enum GNUNET_GenericReturnValue res; @@ -251,9 +252,9 @@ TMH_private_post_orders_ID_refund (const struct TMH_RequestHandler *rh, NULL); case TALER_MERCHANTDB_RS_NO_SUCH_ORDER: { - /* We know the order exists from the + /* We know the order exists from the "lookup_contract_terms" at the beginning; - so if we get 'no such order' here, it + so if we get 'no such order' here, it must be read as "no PAID order" */ return TALER_MHD_reply_with_error (connection, MHD_HTTP_CONFLICT, diff --git a/src/backenddb/plugin_merchantdb_postgres.c b/src/backenddb/plugin_merchantdb_postgres.c index 2d63ad06..2c5b9e93 100644 --- a/src/backenddb/plugin_merchantdb_postgres.c +++ b/src/backenddb/plugin_merchantdb_postgres.c @@ -7506,7 +7506,7 @@ postgres_connect (void *cls, " (SELECT order_serial" " FROM merchant_contract_terms" " WHERE order_id=$2" - " AND paid=true" + " AND paid=TRUE" " AND merchant_serial=" " (SELECT merchant_serial" " FROM merchant_instances" |