
Implement password check on subscription cancellation #1088

Open
lmorchard opened this issue May 13, 2019 · 3 comments

@lmorchard
Member

commented May 13, 2019

The rough subscription management page merged in PR #961 did not include a password check when cancelling subscription. That will need to be implemented.

https://mozilla.invisionapp.com/share/K2RBDY3VU9X#/screens/361039175


@lmorchard

Member Author

commented May 14, 2019

Something to think about here: How to implement the actual password check as an API. Would it be secure enough to have an API that checks a password if the API is restricted to the same scope as other subscription management APIs? (i.e. it couldn't be used as a public password scan)

@shane-tomlinson or @bbangert might have some input here?

@shane-tomlinson

Member

commented May 15, 2019

It just dawned upon me that asking for the user's password on a subscription service page negates the entire reason we put the subscriptions service on its own domain - isolating the payment provider from finding out the user's password, sessionToken or Sync key material. A payment provider that goes malicious could slurp up the user's password, which could in turn be used to impersonate the user.

Can we take an alternative approach to asking for the password, perhaps using the delete repository flow from GitHub as an example? Instead of asking for the user's password, GitHub asks for the name of the repository being deleted.

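As an added illustration of the alternative proposed in the comment above (example code, not the project's own), the handler below authorizes the cancellation with a scoped session token and confirms intent by comparing the typed product name, so the password never reaches the payment-facing domain. The session store, subscription records and the `subscriptions:manage` scope name are constructed assumptions.

```python
import hmac
import unicodedata

# Constructed sample data standing in for the subscriptions service's records.
SUBSCRIPTIONS = {
    "sub_123": {"uid": "user-a", "product_name": "Example Premium Plan"},
}
SESSIONS = {
    "tok_a": {"uid": "user-a", "scopes": {"profile", "subscriptions:manage"}},
    "tok_readonly": {"uid": "user-a", "scopes": {"profile"}},
}


def _normalize(s: str) -> str:
    # Fold case and Unicode form so a visually identical entry is accepted.
    return unicodedata.normalize("NFKC", s).strip().casefold()


def cancel_subscription(session_token: str, subscription_id: str,
                        typed_confirmation: str) -> dict:
    """Cancel a subscription after a typed-name confirmation.

    Authorization comes from a scoped session token; the "are you sure"
    step compares the typed product name, never a credential.
    """
    session = SESSIONS.get(session_token)
    if session is None or "subscriptions:manage" not in session["scopes"]:
        return {"ok": False, "error": "unauthorized"}

    sub = SUBSCRIPTIONS.get(subscription_id)
    if sub is None or sub["uid"] != session["uid"]:
        # Same error for missing and foreign ids so existence is not leaked.
        return {"ok": False, "error": "not_found"}

    expected = _normalize(sub["product_name"]).encode()
    given = _normalize(typed_confirmation).encode()
    # Constant-time compare avoids leaking how much of the name matched.
    if not hmac.compare_digest(expected, given):
        return {"ok": False, "error": "confirmation_mismatch"}

    return {"ok": True, "cancelled": subscription_id}
```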

@lmorchard

Member Author

commented May 15, 2019

Adding the needs:product label, since this looks like we should consider tweaking things product-wise here.

Also made a comment on the wireframe slide linking to this issue.
