mozilla / payments-service

This is a web service to support the Mozilla Payments web UI.

Prevent duplicate buyer email addresses from recurring donations #151

Open kumar303 opened 9 years ago

kumar303 commented 9 years ago

As of https://github.com/mozilla/payments-service/pull/150 we will accept recurring donations with only an email, no authentication. This implementation will not prevent someone from re-using an email that might already be attached to a Firefox Account buyer. This is because the email field on the buyer model is encrypted so we can't do a lookup on email. What do we do? Maybe it's ok? This bug is to figure out the best way to fix it.

Supports https://github.com/mozilla/payments/issues/117

andymckay commented 9 years ago

Would look for @amuntner input here. The obvious solutions are to unencrypt the email or to consistently hash the email. The original reason for encrypting the email was simple: when the solitude database gets compromised, you would still have to decrypt the email to find out who purchased what.

The email stored in the payments database is the user's FxA identity email, not the user's personal email address (except in the case of the marketplace). So the attacker would still need to figure out how to get that from FxA. I'm not sure how easy that is to do.

amuntner commented 9 years ago

Taking a look at FxA and thinking about this, thanks for the heads up.

kumar303 commented 9 years ago

Idea we talked about in IRC: add a new column which is an HMAC hash of the email to use for lookups.
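
The following is an added illustration of the HMAC lookup-column idea described in this thread; it is not code from payments-service and does not touch the real buyer model. It assumes a server-side index key that is stored separately from the key used to encrypt the email column, a normalisation step so that trivially different spellings of one address map to the same index value, and an in-memory `BuyerTable` standing in for the database (the encrypted email column itself is omitted). The names `INDEX_KEY`, `normalize_email`, `email_index`, `BuyerTable` and `DuplicateBuyer` are all assumptions for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumption: a dedicated 256-bit key for the lookup index, kept separate from the
# column-encryption key. Generated here so the demo runs offline; in a real deployment
# it would come from settings / a secret store and be rotated with a re-index.
INDEX_KEY = os.urandom(32)


class DuplicateBuyer(Exception):
    """Raised when an email already belongs to a buyer record."""


def normalize_email(email: str) -> str:
    """Canonicalise an address before indexing.

    Design choice: lower-case the whole address. The local part is technically
    case-sensitive, but for duplicate detection treating 'Alice@' and 'alice@'
    as one buyer is the behaviour this issue wants.
    """
    e = unicodedata.normalize("NFKC", email).strip()
    local, sep, domain = e.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    return f"{local}@{domain}".lower()


def email_index(email: str, key: bytes = INDEX_KEY) -> str:
    """Keyed HMAC-SHA256 of the normalised email, hex encoded.

    Unlike a plain SHA-256, the value cannot be brute-forced from a dumped
    database alone: without the key an attacker cannot test candidate addresses.
    The same (email, key) pair always yields the same value, which is what makes
    the column usable for lookups and for a UNIQUE constraint.
    """
    msg = normalize_email(email).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class BuyerTable:
    """In-memory stand-in for the buyer model.

    Each row keeps the index value plus a buyer uuid and the donation source;
    the encrypted email column of the real model is left out of the example.
    """

    def __init__(self) -> None:
        self._rows: dict[str, dict] = {}

    def create(self, email: str, source: str) -> dict:
        idx = email_index(email)
        # Equivalent to a UNIQUE constraint on the index column in the database.
        if idx in self._rows:
            raise DuplicateBuyer(f"a buyer already exists for this email ({source})")
        row = {"buyer_uuid": os.urandom(16).hex(), "email_index": idx, "source": source}
        self._rows[idx] = row
        return row

    def find_by_email(self, email: str):
        """Look up a buyer without ever decrypting stored emails."""
        return self._rows.get(email_index(email))


def demo() -> bool:
    """Return True when a recurring-donation signup is refused for an existing FxA buyer."""
    table = BuyerTable()
    table.create("Alice@Example.com", source="fxa")
    try:
        table.create("  alice@example.com ", source="recurring-donation")
    except DuplicateBuyer:
        return table.find_by_email("ALICE@EXAMPLE.COM")["source"] == "fxa"
    return False


if __name__ == "__main__":
    print("duplicate refused:", demo())
```

Two points a reviewer would raise on this design: the index key must not be the same key (or derivable from the key) that encrypts the email column, otherwise compromising one compromises both; and because the index is deterministic, rotating the key means recomputing the column for every row, so the rotation path should be planned before the column ships.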

amuntner commented 9 years ago

Had typed a response but not posted it, sorry.

Agree that this is a good solution.

The extra engineering that it would take to segregate which requests for which part of the site are using credentials that have/do not have access to the email address isn't worth the presumably low chance and the known low impact of email address exposure, in this context.