
Amazon donor details missing when they donate after session timeout
Closed, Resolved. Public. 1 Estimated Story Point.

Description

For example, see this payment: https://sellercentral.amazon.com/hz/me/pmd/payment-details?orderReferenceId=P01-7912778-6884317

There was an initial (declined) auth, then a successful auth 6 hours later. The initial auth has the correct Seller Reference ID (our ct_id), but the later one has an Amazon-generated reference, as happens when we don't set any reference ID. The session has timed out on our side, so we don't remember the ct_id any more.

It would probably work to post back all of the hidden fields with the API call.

Event Timeline

Ejegg raised the priority of this task from to Needs Triage.
Ejegg updated the task description. (Show Details)
Ejegg added a subscriber: Ejegg.
Ejegg set Security to None.
Ejegg edited a custom field.

Ah dang, we're not checking session tokens at all in the Amazon gateway. Needs a slightly different fix.
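To make the two points above concrete (the Seller Reference ID being lost once the session expires, and the Amazon gateway not checking a session token at all), here is an added Python sketch of a handler that does both. It is an example written for this page, not the DonationInterface PHP code or the linked Gerrit changes. The session TTL, the server key, the `ct_id`/`amount` field set, the HMAC-signed hidden fields and the sample values are all assumptions for illustration; the project may preserve data after expiry differently.

```python
import hashlib
import hmac
import secrets

# Assumed values for this example (not the project's configuration).
SESSION_TTL = 3600                   # seconds a session stays valid
SERVER_KEY = b"example-only-key"     # server-side secret, never sent to the browser
SIGNED_FIELDS = ("ct_id", "amount")  # hidden fields whose integrity we protect


class SessionStore:
    """Minimal server-side session store with idle expiry."""

    def __init__(self):
        self.sessions = {}

    def create(self, now, ct_id, amount):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {
            "ct_id": ct_id,
            "amount": amount,
            "csrf": secrets.token_hex(16),  # per-session CSRF token
            "touched": now,
        }
        return sid

    def get(self, sid, now):
        session = self.sessions.get(sid)
        if session is None or now - session["touched"] > SESSION_TTL:
            self.sessions.pop(sid, None)  # expired: the server forgets ct_id, as in the bug
            return None
        session["touched"] = now
        return session


def sign_fields(fields):
    """HMAC over the hidden fields so the client can carry them back without altering them."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def render_hidden_fields(session):
    """What the donation form embeds; all of it comes back in the POST."""
    data = {k: session[k] for k in SIGNED_FIELDS}
    return {**data, "sig": sign_fields(data), "csrf_token": session["csrf"]}


def handle_donation_request(store, sid, posted, now):
    """Decide which Seller Reference ID to attach to the Amazon API call.

    Live session: the posted CSRF token must match the one in the session.
    Expired session: fall back to the posted hidden fields, but only if their
    server-side signature verifies; then start a fresh session for them.
    """
    session = store.get(sid, now)
    if session is not None:
        if not hmac.compare_digest(posted.get("csrf_token", ""), session["csrf"]):
            return {"status": "rejected", "reason": "csrf token mismatch"}
        return {"status": "ok", "seller_reference_id": session["ct_id"], "session_id": sid}

    data = {k: posted.get(k, "") for k in SIGNED_FIELDS}
    if not hmac.compare_digest(posted.get("sig", ""), sign_fields(data)):
        return {"status": "rejected", "reason": "session expired and posted data unsigned or tampered"}
    new_sid = store.create(now, data["ct_id"], data["amount"])
    return {"status": "ok", "seller_reference_id": data["ct_id"], "session_id": new_sid}


def scenario():
    """Constructed replay of the ticket: a first request, then a retry six hours later."""
    store = SessionStore()
    ct_id = "12345678.1"  # constructed contribution tracking id, not a real one
    sid = store.create(now=0, ct_id=ct_id, amount="25.00")
    fields = render_hidden_fields(store.get(sid, 0))

    first = handle_donation_request(store, sid, dict(fields), now=10)
    forged = handle_donation_request(store, sid, {**fields, "csrf_token": "x"}, now=20)
    retry = handle_donation_request(store, sid, dict(fields), now=6 * 3600)
    tampered = handle_donation_request(store, sid, {**fields, "ct_id": "99999999.1"}, now=6 * 3600)
    return {"first": first, "forged": forged, "retry": retry, "tampered": tampered}


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

Running `scenario()` shows the two behaviours the ticket wants: the retry after the session has expired still carries the original `ct_id` to the API call instead of letting Amazon generate a reference, while a request with a wrong CSRF token on a live session, or with an altered `ct_id` after expiry, is rejected rather than silently accepted.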

Change 252109 had a related patch set uploaded (by Ejegg):
Add IDs to more inputs, remove duplicate

https://gerrit.wikimedia.org/r/252109

Change 252110 had a related patch set uploaded (by Ejegg):
Make Amazon use standard handleDonationRequest

https://gerrit.wikimedia.org/r/252110

Change 252111 had a related patch set uploaded (by Ejegg):
Amazon: check CSRF token, preserve data after expiry

https://gerrit.wikimedia.org/r/252111

Change 252109 merged by jenkins-bot:
Add IDs to more inputs, remove duplicate

https://gerrit.wikimedia.org/r/252109

Change 252110 merged by jenkins-bot:
Make Amazon use standard handleDonationRequest

https://gerrit.wikimedia.org/r/252110

Change 252111 merged by jenkins-bot:
Amazon: check CSRF token, preserve data after expiry

https://gerrit.wikimedia.org/r/252111

atgo added subscribers: MBeat33, atgo.

This is probably a hard one to test & replicate. Closing for now - @MBeat33 if you see another instance, please reopen or make new task.