The tutorial is really helpful! As I finished it, I realized that the event listener is firing so often and hitting my backend at least every second.
Is this the accepted standard? It doesn't feel right. My expectation is that I will check if one transaction is good, then I would assume all other transactions can also be trusted. Is this a bad strategy?
If you have more knowledge on this, please do comment. Thanks!
Top comments (5)
That wouldn't be safe since a user could do a single valid micropayment and then send you spoofed subsequent receipts with larger amounts.
Because receipt amounts represent the total amount paid, you don't have to verify every receipt from every monetizationprogress event. You could do something like: every five seconds, send the latest receipt to your backend to verify (in which case you may want to have the frontend decode the receipts to make sure it's tracking the latest one with the largest amount).
Does a receipt's unique identifier show the entire history of transactions?
If it does, maybe one could ping the receipt with a timeout after a payment has stopped after a certain amount of time (e.g. after monetization is finished) before checking the receipt?
Otherwise you'd just be getting receipts with the wrong amount if you're not polling fast enough, or if you have many users you'll just overwhelm the server with polling...
A receipt includes the total amount received
github.com/interledger/rfcs/blob/m...
Assuming the receipts were submitted in order, you can check the final receipt after monetization has finished.
We'll be looking to implement the receipt verifier in a couple of months... so we'd be interested to hear other people's experience in this too.
^^ One for @wilsonianb here...
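The approach suggested in the comments above (decode receipts in the frontend, keep the one with the largest total, and send it for verification every five seconds) could look like the sketch below. It is an added example, not code from the tutorial or from any commenter. The 58-byte field layout is an assumption based on the Interledger STREAM receipts RFC linked in the thread, and `ReceiptTracker`, `startReporting` and `verifyUrl` are hypothetical names.

```javascript
// Assumed layout (STREAM receipts RFC): version(1) | nonce(16) | streamId(1)
// | totalReceived(8, big-endian) | HMAC(32) = 58 bytes, base64-encoded.
const RECEIPT_LENGTH = 58;

function decodeReceipt(base64) {
  const raw = atob(base64);
  if (raw.length !== RECEIPT_LENGTH) throw new Error('unexpected receipt length');
  const bytes = Uint8Array.from(raw, (c) => c.charCodeAt(0));
  // nonce + streamId identify the stream whose running total this receipt reports
  const streamKey = Array.from(bytes.subarray(1, 18),
    (b) => b.toString(16).padStart(2, '0')).join('');
  const totalReceived = new DataView(bytes.buffer).getBigUint64(18);
  return { streamKey, totalReceived };
}

// Keeps only the highest-total receipt per stream. The browser cannot check the
// HMAC, so this only selects what to send; trust comes from backend verification.
class ReceiptTracker {
  constructor() { this.best = new Map(); this.dirty = new Set(); }

  offer(base64) {
    let decoded;
    try { decoded = decodeReceipt(base64); } catch { return false; }
    const prev = this.best.get(decoded.streamKey);
    if (prev && prev.totalReceived >= decoded.totalReceived) return false;
    this.best.set(decoded.streamKey, { totalReceived: decoded.totalReceived, receipt: base64 });
    this.dirty.add(decoded.streamKey);
    return true;
  }

  // Receipts that changed since the last call; empty when nothing new arrived.
  take() {
    const out = [...this.dirty].map((key) => this.best.get(key).receipt);
    this.dirty.clear();
    return out;
  }
}

// Browser wiring: one request per stream per interval instead of one per event.
function startReporting(tracker, verifyUrl, intervalMs = 5000) {
  document.monetization.addEventListener('monetizationprogress', (event) => {
    if (event.detail.receipt) tracker.offer(event.detail.receipt);
  });
  return setInterval(() => {
    for (const receipt of tracker.take()) {
      fetch(verifyUrl, { method: 'POST', body: receipt });
    }
  }, intervalMs);
}
```

Because each receipt carries a running total, the backend should credit only the increase over the last total it verified for that stream, not the full amount of every receipt it accepts.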