Does the API support timeout?

[ianbjacobs]

Raised in discussion with @Goosth:

• The transaction confirmation dialog opens
• The user does not authenticate or cancel within some time frame.

What happens? Are there timeout parameters?

[stephenmcgruer]

Given SPC is in some ways a special form of WebAuthn, I would be inclined to follow their lead: a timeout parameter that is a hint rather than an absolute (https://www.w3.org/TR/webauthn-2/#dictionary-assertion-options). I must admit I don't know offhand their reasoning for having a timeout, so we should perhaps check that, but generally they're sensible folks that have thought about this much more than I have :D

[SensibleWood]

Timeouts make sense to me regardless of what has gone before - in many payment scenarios there will be a fixed amount of time to complete a given operation such as confirmation for obvious reasons.

Moreover in most Webauthn scenarios the timeout will kick in so I'm wondering if it will be difficult to unpick that behaviour given we are overlaying Webauthn with Payment Request.

[ianbjacobs]

@Goosth,

Do you have a particular scenario in mind?

Some questions:

• It seems to me that an SPC transaction confirmation dialog timeout would be distinct from a FIDO timeout.

• I suspect that there may be some regulatory requirements involving timeouts. For example, I see this [1]:

  'Article 4(3)(d) of the Commission Delegated Regulation (EU) 2018/389 states that where Payment Service Providers (PSPs) apply strong customer authentication in accordance with Article 97(1) of Directive (EU) 2015/2366 “the maximum time without activity by the payer after being authenticated for accessing its payment account online shall not exceed 5 minutes”. '

I don't know whether SPC needs to be the locus of the timeout, but maybe it could be. And it sounds like being able to set a parameter to confirm with regulation would be useful. I wonder whether signing the parameter value would also be useful. Thus, there could be cryptographic evidence that an SPC assertion was generated within a specified time frame.

• Lastly, I don't know whether session time out would suffice to address the use case. In this case it would be worth mentioning in a future security and privacy consideration section.

[1] https://www.eba.europa.eu/single-rule-book-qa/-/qna/view/publicId/2018_4065

[rsolomakhin]

PaymentRequest object has an abort() method that can be triggered from a window.setTimeout() call. Would that satisfy the requirements of the API users?

[ianbjacobs]

@rsolomakhin,

Short answer: I don't know.

It might well suffice when SPC is used within PR API.

But see also potential uses of SPC outside of PR API:
#65

[ianbjacobs]

Closing this because the API supports timeout:
https://w3c.github.io/secure-payment-confirmation/#dom-securepaymentconfirmationrequest-timeout