Closed plopcas closed 4 years ago
The wallets you mentioned (and the Coil extension) should soon support "receipt"s
See here for details: https://github.com/interledger/rfcs/issues/568 https://github.com/WICG/webmonetization/pull/51
Essentially you stick an intermediary between the wallet's SPSP endpoint, adding headers to the SPSP request with a connection specific nonce and shared secret. So rather than embedding your payment pointer in a page, you embed a pointer to the proxy.
The monetizationprogress events will soon have a "receipt" field added which a client application can submit to the server. The receipt includes an HMAC over the fields using the shared secret. If you can trust the wallet you can easily do server side validation by recomputing the receipt HMAC.
If you don't mind messing around a bit, building an extension from source, there's a demo of receipts here: https://github.com/coilhq/web-monetization-projects/tree/master/packages/web-monetization-demo
If you have any questions, feel free to open an issue at that repository
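The server-side receipt check described in the reply above, as an added example that is not part of the thread or of the Coil or Interledger code. The 58-byte base64 receipt layout (version, nonce, stream id, running total, HMAC-SHA256), the function names and the per-connection ledger are all assumptions, not taken from this page.

```javascript
// Added example. Assumed receipt layout (not stated on this page):
// version(1) | nonce(16) | streamId(1) | totalReceived(8, big-endian) | HMAC-SHA256(32)
const crypto = require('crypto');

const RECEIPT_LEN = 58;
const BODY_LEN = 26; // bytes covered by the HMAC

// Returns the parsed fields if the receipt is authentic for this connection, else null.
function verifyReceipt(receiptB64, secret, expectedNonce) {
  if (typeof receiptB64 !== 'string' || expectedNonce.length !== 16) return null;
  const buf = Buffer.from(receiptB64, 'base64');
  if (buf.length !== RECEIPT_LEN || buf[0] !== 1) return null; // wrong size or version
  const body = buf.subarray(0, BODY_LEN);
  const mac = buf.subarray(BODY_LEN);
  const expected = crypto.createHmac('sha256', secret).update(body).digest();
  // Constant-time compare so the check does not leak how many MAC bytes matched.
  if (!crypto.timingSafeEqual(mac, expected)) return null;
  // A valid MAC only proves who issued it; also bind it to this connection's nonce.
  if (!crypto.timingSafeEqual(body.subarray(1, 17), expectedNonce)) return null;
  return { streamId: body[17], totalReceived: body.readBigUInt64BE(18) };
}

// Hypothetical ledger: credits only the increase, so a replayed or stale
// receipt adds nothing (assumes totalReceived is a running total per stream).
function creditReceipt(ledger, receiptB64, secret, nonce) {
  const r = verifyReceipt(receiptB64, secret, nonce);
  if (!r) return 0n;
  const key = `${nonce.toString('hex')}:${r.streamId}`;
  const seen = ledger.get(key) ?? 0n;
  if (r.totalReceived <= seen) return 0n;
  ledger.set(key, r.totalReceived);
  return r.totalReceived - seen;
}

// Constructed sample input: stands in for what the receipt issuer would produce.
function makeSampleReceipt(secret, nonce, streamId, total) {
  const body = Buffer.alloc(BODY_LEN);
  body[0] = 1;
  nonce.copy(body, 1);
  body[17] = streamId;
  body.writeBigUInt64BE(total, 18);
  const mac = crypto.createHmac('sha256', secret).update(body).digest();
  return Buffer.concat([body, mac]).toString('base64');
}
```

The client would post the receipt string from each monetizationprogress event to an endpoint that calls `creditReceipt` with the nonce and secret the proxy generated for that connection.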
Very useful, thanks.
Hi, in this part of the documentation there is a reference to a server side validation, particularly the methods isValidSession and isValidPayment. https://github.com/interledger/webmonetization.org/blob/master/docs/explainer.md#handle-payments
I suppose those two methods are just calling the back-end service passing all the parameters via AJAX or similar. But I can't find anywhere an example of how to do that validation in the back-end with the paymentPointer and requestId. What am I supposed to call, my wallet? Would that be a call to the Uphold / GateHub / StrongHold APIs?