My expectation is that I will check if one transaction is good, then I would assume all other transactions can also be trusted.
That wouldn't be safe since a user could do a single valid micropayment and then send you spoofed subsequent receipts with larger amounts.
Because receipt amounts represent the total amount paid, you don't have to verify every receipt from every monetizationprogress event. You could do something like: every five seconds, send the latest receipt to your backend to verify (in which case you may want to have the frontend decode the receipts to make sure it's tracking the latest one with the largest amount).
UX designer + full-stack engineer. Co-founder of Phage Directory, a platform and community for using viruses called "phages" to neutralize bacteria and reprogram microbiomes.
Does a receipt's unique identifier show the entire history of transactions?
If it does, maybe one could ping the receipt with a timeout after a payment has stopped after a certain amount of time (e.g. after monetization is finished) before checking the receipt?
Otherwise you'd just be getting receipts with the wrong amount if you're not polling fast enough, or if you have many users you'll just overwhelm the server with polling...
maybe one could ping the receipt with a timeout after a payment has stopped after a certain amount of time (e.g. after monetization is finished) before checking the receipt?
Assuming the receipts were submitted in order, you can check the final receipt after monetization has finished.
For further actions, you may consider blocking this person and/or reporting abuse
That wouldn't be safe since a user could do a single valid micropayment and then send you spoofed subsequent receipts with larger amounts.
Because receipt amounts represent the total amount paid, you don't have to verify every receipt from every
monetizationprogressevent. You could do something like: every five seconds, send the latest receipt to your backend to verify (in which case you may want to have the frontend decode the receipts to make sure it's tracking the latest one with the largest amount).Does a receipt's unique identifier show the entire history of transactions?
If it does, maybe one could ping the receipt with a timeout after a payment has stopped after a certain amount of time (e.g. after monetization is finished) before checking the receipt?
Otherwise you'd just be getting receipts with the wrong amount if you're not polling fast enough, or if you have many users you'll just overwhelm the server with polling...
A receipt includes the total amount received
github.com/interledger/rfcs/blob/m...
Assuming the receipts were submitted in order, you can check the final receipt after monetization has finished.