longclawshop/longclaw

Add data Protection for checkout success

linuxluigi opened this issue · 7 comments

  • longclaw version: 0.2.1
  • Django version: 1.11.13
  • Python version: 3.6

Description

After a successful checkout you just need the order id to display the complete order, so when you need an extra uuid & the order id, it should protect the user / order data. This is important for the GDPR.

I made a commit with the idea
https://github.com/linuxluigi/longclaw/commit/3c5de878b74ca11cd5d67afd484c397087f5c3d3

So when a user completes a checkout the URL is r'checkout/success/(?P<pk>[0-9]+)/(?P<uuid>[0-9a-f-]+)/$' -> /checkout/success/8/bb8baaf9-73ad-4883-90ec-5df9affaab41/ and only when the order id & the uuid match will the order details be shown

Why do it that way instead of using Django/DRF permissions? The endpoint could be protected using for example IsAdminUser and some sort of IsOwner implementation.

Right now there are no user accounts for the customers, so it will get difficult to define permissions.

The beauty of a unique order link would be that the customer could always check the order status & easily serve an invoice on the link.
Also we could send the link in an email, so that the customer could open the link every time & on every device.

How does having a UUID offer more protection other than just being longer/not easily guessable when compared to the standard ID?
Would it be enough to make the PK of Order a UUID instead of the normal auto-incrementing ID?

id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)

Thus meaning we have to make far fewer changes and the order link is a little simpler:

checkout/success/bb8baaf9-73ad-4883-90ec-5df9affaab41

@SamuelM333
I think the problem here is that the order details page (in longclaw it is termed the 'checkout success' page, but perhaps order details makes more sense here) that @linuxluigi is referring to is the public page a customer sees after making a successful checkout. There is nothing preventing the customer from coming back to that page (or any other customer, if they have the order ID, which right now, is easy to guess).
Another solution (or complementary solution) is to also add the ability for the site admin to make the checkout success/order details page visible only for X amount of time after the order is made, or to be only visited once.

@JamesRamm if we just change the PK from auto-incrementing ID to UUID we will lose the continuous order number, but this number is very important for an invoice. So I think we would need both, for security & accounting.

Continuous order number isn't always desirable. I.e. you're exposing information that could potentially be considered confidential... for example order volume. Ideally it would be configurable to prevent this type of information from being leaked. A uuid primary key would be better imo and a setting to prevent the sequential order number from ever being shown. Or a way to override the way it is generated.

I plan to make the order ID (visible to a customer) a UUID, which is what the checkout URL's will be based on.
I'll preserve an auto-incrementing order number but only visible in the admin.
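The two URL shapes discussed in this thread (the pk-plus-uuid link from the opening comment and the uuid-only link from the later comments) can be demonstrated without Django. The block below is an added example, not longclaw's code and not from any commenter: it keeps a sequential order number for invoicing alongside an unguessable uuid token, resolves both URL patterns, and refuses to show an order unless the token matches. The in-memory OrderStore, the field names and the helper functions are all hypothetical.

```python
import re
import secrets
import uuid
from dataclasses import dataclass, field

# Pattern from the issue: sequential pk and uuid token must both appear in the link.
PK_AND_TOKEN_RE = re.compile(r"^/checkout/success/(?P<pk>[0-9]+)/(?P<uuid>[0-9a-f-]+)/$")
# Simpler pattern proposed later in the thread: the uuid alone identifies the order.
TOKEN_ONLY_RE = re.compile(r"^/checkout/success/(?P<uuid>[0-9a-f-]+)/?$")


@dataclass
class Order:
    number: int                                   # sequential, for invoices / admin only
    email: str
    access_token: uuid.UUID = field(default_factory=uuid.uuid4)  # public, unguessable


class OrderStore:
    """Hypothetical in-memory stand-in for the Order model's database table."""

    def __init__(self):
        self._by_number = {}
        self._by_token = {}
        self._next_number = 1

    def create(self, email):
        order = Order(number=self._next_number, email=email)
        self._next_number += 1
        self._by_number[order.number] = order
        self._by_token[order.access_token] = order
        return order

    @staticmethod
    def _parse_token(raw):
        # uuid.UUID rejects anything that is not 32 hex digits (hyphens optional),
        # so malformed tokens never reach the comparison below.
        try:
            return uuid.UUID(raw)
        except ValueError:
            return None

    def lookup_pk_and_token(self, pk, raw_token):
        """Only return the order when the sequential id AND the token agree."""
        order = self._by_number.get(pk)
        token = self._parse_token(raw_token)
        if order is None or token is None:
            return None
        if not secrets.compare_digest(token.bytes, order.access_token.bytes):
            return None
        return order

    def lookup_token(self, raw_token):
        """Token-only lookup: the uuid is the customer-visible order id."""
        token = self._parse_token(raw_token)
        if token is None:
            return None
        return self._by_token.get(token)


def resolve_success_path(store, path):
    """Route a success-page path to an order, or None if it must not be shown."""
    m = PK_AND_TOKEN_RE.match(path)
    if m:
        return store.lookup_pk_and_token(int(m.group("pk")), m.group("uuid"))
    m = TOKEN_ONLY_RE.match(path)
    if m:
        return store.lookup_token(m.group("uuid"))
    return None


def pk_and_token_path(order):
    return f"/checkout/success/{order.number}/{order.access_token}/"


def token_only_path(order):
    return f"/checkout/success/{order.access_token}/"


if __name__ == "__main__":
    store = OrderStore()
    first = store.create("first@example.invalid")   # constructed sample data
    second = store.create("second@example.invalid")
    print(pk_and_token_path(first), "->", resolve_success_path(store, pk_and_token_path(first)))
    # Swapping in another order's token (or guessing the sequential id) yields nothing.
    print(resolve_success_path(store, f"/checkout/success/{second.number}/{first.access_token}/"))
```

The token comparison uses secrets.compare_digest so that the lookup takes the same time whether the token differs in its first or last byte; with a database-backed model the equivalent is to query on both columns in one filter rather than fetch by pk and compare in Python.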