
Does the API support timeout? #67

Closed
ianbjacobs opened this issue May 10, 2021 · 6 comments

Comments

@ianbjacobs
Collaborator

Raised in discussion with @Goosth:

  • The transaction confirmation dialog opens
  • The user does not authenticate or cancel within some time frame.

What happens? Are there timeout parameters?

@stephenmcgruer
Collaborator

stephenmcgruer commented May 10, 2021

Given SPC is in some ways a special form of WebAuthn, I would be inclined to follow their lead: a timeout parameter that is a hint rather than an absolute (https://www.w3.org/TR/webauthn-2/#dictionary-assertion-options). I must admit I don't know offhand their reasoning for having a timeout, so we should perhaps check that, but generally they're sensible folks that have thought about this much more than I have :D

@SensibleWood

Timeouts make sense to me regardless of what has gone before - in many payment scenarios there will be a fixed amount of time to complete a given operation such as confirmation for obvious reasons.

Moreover, in most WebAuthn scenarios the timeout will kick in, so I'm wondering if it will be difficult to unpick that behaviour given we are overlaying WebAuthn with Payment Request.

@ianbjacobs
Collaborator Author

@Goosth,

Do you have a particular scenario in mind?

Some questions:

  • It seems to me that an SPC transaction confirmation dialog timeout would be distinct from a FIDO timeout.

  • I suspect that there may be some regulatory requirements involving timeouts. For example, I see this [1]:

    'Article 4(3)(d) of the Commission Delegated Regulation (EU) 2018/389 states that where Payment Service Providers (PSPs) apply strong customer authentication in accordance with Article 97(1) of Directive (EU) 2015/2366 “the maximum time without activity by the payer after being authenticated for accessing its payment account online shall not exceed 5 minutes”.'

I don't know whether SPC needs to be the locus of the timeout, but maybe it could be. And it sounds like being able to set a parameter to conform with regulation would be useful. I wonder whether signing the parameter value would also be useful. Thus, there could be cryptographic evidence that an SPC assertion was generated within a specified time frame.

  • Lastly, I don't know whether a session timeout would suffice to address the use case. In this case it would be worth mentioning in a future security and privacy considerations section.

[1] https://www.eba.europa.eu/single-rule-book-qa/-/qna/view/publicId/2018_4065

@rsolomakhin
Collaborator

PaymentRequest object has an abort() method that can be triggered from a window.setTimeout() call. Would that satisfy the requirements of the API users?
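The timer-driven abort() approach described in the comment above, as an added example that is not part of the original thread or of the SPC/Payment Request specs. `showWithTimeout`, `fakeRequest` and `demo` are hypothetical names; the fake request stands in for a real PaymentRequest, which only exists in a browser, and the `abort()`/`show()` semantics assumed are those of the Payment Request API.

```javascript
// Added example (not from the SPC or Payment Request specs): abort the
// confirmation dialog if the user neither authenticates nor cancels within
// `ms` ms, i.e. abort() driven by a timer as suggested in the comment above.
// `request` is anything with show()/abort(); in a page, a real PaymentRequest.
async function showWithTimeout(request, ms) {
  let timer;
  const expired = new Promise((_, reject) => {
    timer = setTimeout(() => {
      // Settle our side first so the caller sees a clear timeout error, then
      // close the dialog; abort() rejects if the request is no longer showing
      // (show() already settled), which is harmless here.
      reject(new Error(`payment confirmation timed out after ${ms} ms`));
      request.abort().catch(() => {});
    }, ms);
  });
  try {
    return await Promise.race([request.show(), expired]); // first to settle wins
  } finally {
    clearTimeout(timer); // never leave a timer running after a fast response
  }
}
// Constructed stand-in for PaymentRequest so the wrapper can run offline:
// `respondAfter` is how long the simulated user takes (null = never responds).
function fakeRequest(respondAfter) {
  const calls = [];
  return {
    calls,
    show() {
      calls.push('show');
      return new Promise((resolve) => {
        if (respondAfter !== null) setTimeout(() => resolve({ details: 'ok' }), respondAfter);
      });
    },
    abort() {
      calls.push('abort');
      return Promise.resolve();
    },
  };
}
// Exercise both cases: a user who responds quickly and one who never does.
async function demo() {
  const fast = fakeRequest(5);
  const fastResult = await showWithTimeout(fast, 100);
  const slow = fakeRequest(null);
  let slowError = null;
  try { await showWithTimeout(slow, 20); } catch (e) { slowError = e.message; }
  return { fastResult, fastCalls: fast.calls, slowError, slowCalls: slow.calls };
}
```

Note that this only bounds the dialog; the WebAuthn `timeout` hint mentioned earlier in the thread is a separate value passed to the authenticator, so the two can disagree unless the caller keeps them aligned.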

@ianbjacobs
Collaborator Author

@rsolomakhin,

Short answer: I don't know.

It might well suffice when SPC is used within PR API.

But see also potential uses of SPC outside of PR API: #65
