Closed
Bug 1429265
Opened 7 years ago
Closed 6 years ago
Re-authenticate the user with the OS before sending the payment information to the merchant
Categories
(Firefox :: WebPayments UI, enhancement, P1)
RESOLVED
FIXED
Firefox 65
People
(Reporter: MattN, Assigned: timdream)
References
(Depends on 2 open bugs)
Details
(Whiteboard: [webpayments-reserve])
User Story
* Windows and macOS only as Linux doesn't have platform support yet
* It would be great to test from a Windows 7 account that doesn't have a Windows password set.
* Testing with TouchID on macOS would be good
* Testing with Windows Hello face or other biometrics on Windows 10 would be good
Attachments
(1 file)
(deleted), text/x-phabricator-request
Since the full credit card number is encrypted, we need to ask the user for their master password (have it unlocked) in order to send the plaintext number to the merchant page in a PaymentResponse. The decrypted number should never go to the unprivileged dialog contents as it's not necessary and breaks the separation of privileges.
Reporter
Updated•7 years ago
Priority: P3 → P1
Reporter
Comment 1•7 years ago
I implemented the basic behaviour showing the existing modal master password dialog in bug 1429195. See the TODO comment in that patch to handle when a user hits cancel in the dialog. For bug 1429205 the processing page should either not be shown or the dialog should go from processing back to the summary view if the master password dialog is cancelled.
Updated•7 years ago
Priority: P1 → P2
Whiteboard: [webpayments]
Updated•7 years ago
Product: Toolkit → Firefox
Updated•7 years ago
Priority: P2 → P3
Whiteboard: [webpayments] → [webpayments-reserve]
Reporter
Updated•6 years ago
Depends on: 1494478
Summary: If the user has a Master Password, request it before sending the payment information to the merchant → Re-authenticate the user with the OS before sending the payment information to the merchant
Assignee
Updated•6 years ago
Assignee: nobody → timdream
Status: NEW → ASSIGNED
Updated•6 years ago
Priority: P3 → P1
Assignee
Comment 2•6 years ago
This patch restores the re-auth test pref previously commented out,
and redirects the re-auth to nsIOSReauthenticator on Windows.
Assignee
Comment 3•6 years ago
Comment hidden (obsolete)
Comment hidden (obsolete)
Assignee
Comment 6•6 years ago
Assignee
Comment 7•6 years ago
There is still some unknown timeout to find out.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=02af000c1026158bff1131ab242e627910ee1dcc
Assignee
Comment 8•6 years ago
The change in OSKeystore.jsm where the front end is hooked to nsIOSReauthenticator is ready for review.
I have been spending time on reviving the re-auth test setup and making sure it passes on all platforms. It's rather unrelated, actually, since we don't call into nsIOSReauthenticator during tests anyway.
Matt, let me know if you would like to review the patch given the status, or if you would like to wait. Thanks.
Flags: needinfo?(MattN+bmo)
Assignee
Comment 9•6 years ago
The patch should be ready for review. This should pass.
https://treeherder.mozilla.org/#/jobs?repo=try&selectedJob=208563056&revision=baa96282ea6aa3edbeff586a4aed281591f18f7e
Updated•6 years ago
Attachment #9020176
Attachment description: Bug 1429265 - Re-authenticate the user on Windows before decryption → Bug 1429265 - Re-authenticate the user on Windows and macOS before decryption
Reporter
Updated•6 years ago
status-firefox63: --- → disabled
status-firefox64: --- → disabled
Assignee
Comment 11•6 years ago
Review comments addressed.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=71028967efce79b0df0647b6323573a346f95fe5
Comment 12•6 years ago
Pushed by tchien@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2ed53dbf2b95
Re-authenticate the user on Windows and macOS before decryption r=MattN
Comment 13•6 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox65: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 65
Reporter
Updated•6 years ago
User Story: (updated)
Flags: qe-verify+
QA Contact: hani.yacoub
Comment 14•6 years ago
Removing the "qe-verify+" flag since this feature is disabled.
Flags: qe-verify+