commit 8a3b86d72cfd274d78a0bef7776774bef74852c7
parent 25def8ac73c2ae3b2420d5f9bbd05f32871c96ad
Author: Florian Dold <florian.dold@gmail.com>
Date: Mon, 10 Aug 2020 20:41:34 +0530
make paywall payment flow NoJS compatible
Diffstat:
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/design-documents/007-payment.rst b/design-documents/007-payment.rst
@@ -19,6 +19,7 @@ Requirements
* A simple API should be offered to shops
* Sharing of links or re-visiting of bookmarks should result in well-defined
behavior instead of random, ugly error messages.
+* The payment flow must degrade gracefully when JavaScript is disabled.
Proposed Solution
=================
@@ -143,13 +144,18 @@ The merchant backend runs the following steps to generate the HTML page for
4. If *order-ID* identifies an *claimed* and *unpaid* order, run these steps:
- 1. If the order is *claimed* and the *contract-hash* request parameter does not
+ 1. If the *claim-token* request parameter is given and the *contract-hash* requesst parameter is
+ not given, redirect to the fulfillment URL of the order. (**Note**: We do not check
+ the claim token, as the merchant might have already deleted it when the order is paid,
+ and the fulfillment URL is not considered to be secret/private.)
+
+ 2. If the *contract-hash* request parameter does not
match the contract hash of the order, return a 403 Forbidden response. **Terminate**.
- 2. If there is a non-null *already-paid-order-ID* for *session-ID* stored under the current order,
+ 3. If there is a non-null *already-paid-order-ID* for *session-ID* stored under the current order,
redirect to the *fulfillment-URL* of *already-paid-order-ID*. **Terminate**.
- 3. Prompt the URI
+ 4. Prompt the URI
::
