send abbreviated URL for payments, not using session ID

server-ca/chocolate.py

@@ -422,7 +422,8 @@ class session(object):
         chall.name = "payment"
         chall.succeeded = False
         # In payment, we send address of form to complete this payment
-        chall.data.append(str("%s/%s" % (payment_uri, self.id)))
+        abbreviation = sessions.hget(self.id, "shorturl")
+        chall.data.append(str("%s/%s" % (payment_uri, abbreviation)))
 
     def POST(self):
         web.header("Content-type", "application/x-protobuf+chocolate")

server-ca/payment.py

@@ -8,12 +8,41 @@
 import web, redis
 
 urls = (
+     '/([a-f0-9]{10})', 'shortform',
      '/([a-f0-9]{64})', 'form',
      '/submit=([a-f0-9]{64})', 'payment'
 )
 
 r = redis.Redis()
 
+class shortform(object):
+      def GET(self, what):
+          web.header("Content-type", "text/html")
+          expanded = r.get("shorturl-%s" % what)
+          if not expanded:
+              return "<html><h1>Unknown session ID</h1></html>"
+          return """
+          <html>
+          <h1>Payment required</h1>
+          Due to certificate authority policy, issuing this certificate requires a payment.
+          <p>
+          <hr width="70%%" />
+          <p>
+          A payment of <b>17.00 simoleons</b> is due now.
+          <p>
+          In order to process this payment, please pretend to enter a 16-digit credit-card
+          number below, and then click the Submit Payment button.
+          <p>
+          <form action="/payment.py/submit=%s" method="GET">
+          <i>Credit Card Type</i> <select name=""><option>Vista</option><option>MisterCard</option><option>Discovery</option></select> <br />
+          <i>Credit Card Number</i> <input type="text" name="" style="font-family:monospace" autocomplete="off" /><br />
+          <input type="submit" value="Submit Payment">
+          </form>
+          This payment will appear on your
+          credit card statement as TRUSTIFIABLE CERTIFICATE SERVICES.
+          </html>
+          """ % expanded
+
 class form(object):
       def GET(self, what):
           web.header("Content-type", "text/html")

server-ca/testchallenge-daemon.py

@@ -92,12 +92,23 @@ def testchallenge(session):
         # also have implicitly guaranteed this).
         if policy.payment_required(session):
             if debug: print "\t** All challenges satisfied; request %s NEEDS PAYMENT" % short(session)
+            # Try to get a unique abbreviated ID (10 hex digits)
+            for i in xrange(20):
+                abbreviation = random()[:10]
+                if r.hget("shorturl-%s" % abbreviation) is None:
+                    break
+            else:
+                # Mysteriously unable to get a unique abbreviated session ID!
+                r.hset(session, "live", "False")
+                return
+            r.set("shorturl-%s" % abbreviation, session)
+            r.expire("shorturl-%s" % abbreviation, 3600)
+            r.hset(session, "shorturl", abbreviation)
             r.hset(session, "state", "payment")
             # According to current practice, there is no pending-payment
             # queue because sessions can get out of payment state
             # instantaneously as soon as the payment system sends a "payments"
-            # pubsub message to
-            # the payments daemon.
+            # pubsub message to the payments daemon.
         else:
             if debug: print "\t** All challenges satisfied; request %s GRANTED" % short(session)
             r.hset(session, "state", "issue")