[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Taler] WebEx wallet can't POST on Django site

From: Christian Grothoff
Subject: Re: [Taler] WebEx wallet can't POST on Django site
Date: Thu, 4 Feb 2016 16:36:00 +0100
User-agent: Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Thunderbird/38.5.1

Hi Marcello,

If you recall, we had discussed that we needed to add a way for the bank
to ask for a PIN code to authenticate the transaction.  So the
first frontend page allows the user to specify the amount. Then we go to
the background page to allow the user to select the mint (and show the
mint's terms and conditions and check for currency/auditor
compatibility, etc.).  Then, instead of having that background page do
the post, we should go BACK to a frontend-page from the mint, this time
to allow the mint to ask for a PIN to authenticate the given amount
going to the now selected mint.

Then, from the PIN/transaction-authentication page the POST should go to
the bank frontend/Django.

Given this, all we really need is a mechanism for the first frontend
page to pass the URI of the PIN page to the backend. The PIN page would
then be fetched via GET and passed (via URI arguments?) the necessary
transaction details, just like we do with the deposit process.

I hope this helps!


On 02/04/2016 04:17 PM, Marcello Stanisci wrote:
> Hi Folks,
> The WX wallet shows the following problem when trying to withdraw
> coins from the experimental Django bank's website.
> As it should be clear, the first step to withdraw coins is to trigger
> the script, on the bank's web server, that fakes out the wire transfer
> to the mint.
> That should be done by POSTing data from the client to a script which is
> managed by Django.
> Normally, that POST is simply performed by a form residing in the bank's
> homepage; the WX wallet instead uses that form just to fetch data and not
> to actually POST from it. The actual POST (in the WX case) is made by an
> internal-to-the-wallet page called 'background' page, and the CSRF
> prevention makes Django return a '403 Forbidden'.
> How to deal with that?
> PS: the payment already suffered from something similar
> Marcello

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]