Web Monetization Community

loading...

Trying out receipt verifier service.

Xander Jake de los Santos
digital artist
・1 min read

The tutorial is really helpful! As I finished it, I realized that the event listener is firing so often and hitting my backend at least every second.

Is this the accepted standard? It doesn't feel right. My expectation is that I will check if one transaction is good, then I would assume all other transactions can also be trusted. Is this a bad strategy?

If you have more knowledge on this. Please do comment. Thanks!

Discussion (5)

Collapse
wilsonianb profile image
Brandon Wilson • Edited

My expectation is that I will check if one transaction is good, then I would assume all other transactions can also be trusted.

That wouldn't be safe since a user could do a single valid micropayment and then send you spoofed subsequent receipts with larger amounts.

Because receipt amounts represent the total amount paid, you don't have to verify every receipt from every monetizationprogress event. You could do something like: every five seconds, send the latest receipt to your backend to verify (in which case you may want to have the frontend decode the receipts to make sure it's tracking the latest one with the largest amount).

Collapse
yawnxyz profile image
Jan Zheng

Does a receipt's unique identifier show the entire history of transactions?

If it does, maybe one could ping the receipt with a timeout after a payment has stopped after a certain amount of time (e.g. after monetization is finished) before checking the receipt?

Otherwise you'd just be getting receipts with the wrong amount if you're not polling fast enough, or if you have many users you'll just overwhelm the server with polling...

Collapse
wilsonianb profile image
Brandon Wilson

Does a receipt's unique identifier show the entire history of transactions?

A receipt includes the total amount received
github.com/interledger/rfcs/blob/m...

maybe one could ping the receipt with a timeout after a payment has stopped after a certain amount of time (e.g. after monetization is finished) before checking the receipt?

Assuming the receipts were submitted in order, you can check the final receipt after monetization has finished.

Collapse
gfam profile image
gFam

We'll be looking to implement the receipt verifier in a couple of months... so we'd be interested to hear other people's experience in this too.

Collapse
cyberdees profile image
Desigan CHINNIAH

^^ One for @wilsonianb here...