taler-docs

Documentation for GNU Taler components, APIs and protocols

commit ad8ea421101daa78f2a97045c3644926c23c0b49
parent 8775ed722072c70cd0e89f2ddc85937f9ab4dc62
Author: Sebastian <sebasjm@gmail.com>
Date:   Sat,  2 Aug 2025 18:31:14 +0200

more questions in self prov

Diffstat:
M design-documents/067-merchant-self-provisioning.rst | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/design-documents/067-merchant-self-provisioning.rst b/design-documents/067-merchant-self-provisioning.rst @@ -33,6 +33,7 @@ Implementation tasks: * Merchant backend + * New configuration option ALLOW_SIGNUP: boolean in ``[merchant]`` section with default to ``false`` * New public endpoint for self-provisioned instance creation * New (private) endpoints for 2FA channel confirmation * New public endpoints for password reset @@ -150,6 +151,8 @@ Explicitly out of scope *for now* are: * 2FA for login * 2FA for particular operations (e.g. changing bank account) +But we may want to restrict the phone number area code so we should handle the case that some particular phone can't be use for signup. + Integration Tests ================= @@ -157,7 +160,8 @@ These are scenarios that we consider basic and we should have an integration tes - A merchant doing an account's registration should get an email/phone notification with the comfirmation code. The merchant account should be in created state and only after using the confirmation code the account can be activated. - A merchant with an activated account can call "forgot password". Merchant should get a notification with the confirmation code that can be used to call the endpoint to change the password. A new login the with new password needs to be tested. - - An user that is that makes an amount of request about the threshold should get 429 to "sign up" or "forgot password" endpoints. + - An user that makes an amount of request above the threshold should get 429 for "sign up" or "forgot password" endpoints. + - A merchant that doesn't have an activated account may be able to set and change all the configuration. But backend won't take any action with it (for example, it won't check KYC status). It may be also possible to delete the instance. Related Efforts 
@@ -172,5 +176,4 @@ Discussion / Q&A * Can the merchant delete their own instance? Or is it some support request via e-mail? * How does the instance user known the admin/support contact? Is there some page for that in the side-bar? Or is this external to the feature? -* What happens while the 2FA channels aren't confirmed yet? - +* What happens while the 2FA channels aren't confirmed yet? What happens if ONE of the channels is not confirmed?
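Review bot: In the first hunk (@@ -33,6 +33,7 @@), the new ALLOW_SIGNUP item does not say what the "New public endpoint for self-provisioned instance creation" returns when the option is ``false``, or whether the public password reset endpoints listed below it are gated by the same option. Since the default is off, please state the disabled behaviour next to the option so the endpoint and the option are specified together. Wording nit: "with default to ``false``" reads better as "defaulting to ``false``".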
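Review bot: In the second hunk (@@ -150,6 +151,8 @@), the added sentence sits directly under the "Explicitly out of scope *for now*" list and opens with "But", so it is unclear whether area-code restriction is a requirement of this design or another out-of-scope item. If it is in scope, it belongs under the implementation tasks with the missing details: where the allowed area codes are configured and what the signup endpoint returns for a rejected number. If it is only an idea, move it to "Discussion / Q&A". Typo: "can't be use" should be "can't be used".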
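Review bot: In the third hunk (@@ -157,7 +160,8 @@), the new scenario is listed under integration tests but is phrased with "may be able to" and "It may be also possible to delete the instance", which gives a test no definite expected result. Please state what a non-activated instance can and cannot do (configuration changes accepted or rejected, deletion allowed or not) so it can be asserted, and consider naming more than the one KYC example for "won't take any action", since these instances are created through a public endpoint before any channel is confirmed. Nits in the same hunk: "An user" should be "A user", "an amount of request" should be "a number of requests", and the context lines still carry "comfirmation" and "A new login the with new password".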
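Review bot: In the last hunk (@@ -172,5 +176,4 @@), the added question "What happens if ONE of the channels is not confirmed?" conflicts with text the previous hunk treats as settled: the registration test speaks of an "email/phone notification" and a single "confirmation code", and the new scenario describes "a merchant that doesn't have an activated account" without saying whether one confirmed channel is enough to activate. Please cross-reference the two places or mark the integration scenarios as provisional until this question is answered, so the tests are not written against an undefined activation rule.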