laterpay / laterpay-client-python Goto Github PK

On Python 3, when singing a request containing a byte string (b'foo') the value is casted into a string, resulting in "b'foo'", instead of properly decoding the string to 'foo'.

laterpay.signing.time_independent_HMAC_compare() treats hashes 12ab3 and 12AB3 as different. Let's not do that.

As of python-requests 2.11 headers that are neither string not bytes are not accepted anymore. See kennethreitz/requests#3477

We have American English every where. Let's stick to that.

The muid parameter is currently primarily used as AMP_READER_ID. We should thus add a validator to utils.py that checks for '^[a-zA-Z0-9_-]{1,80}$'

Through an email conversation I was pointed at the following incongruity between our published docs and the Python client implementation:

This URL is valid

https://web.sandbox.laterpaytest.net/dialog/add?article_id=jmc_laterpay_demo_article_01&cp=rwSqG6pcYFjcp5wMKFjMxe&pricing=EUR5&purchasedatetime=1409912245&title=Ein+Artikel+%C3%BCber+Heiz%C3%B6lr%C3%BCcksto%C3%9Fabd%C3%A4mpfung&ts=1409912245&url=http%3A%2F%2Flocalhost%3A3000%2Fmodule%2Fdemo%2F&vat=DE19&hmac=2840f1d2d51c72a5d43d358fa449f98bb9aca45d8d7d450a3ea50684

However, it contains "+" for spaces in the article title. Our documentation specifically says we don't do that. This happens because of sign_and_encode calling compat.urlencode. Presumably it should call urllib.quote on these values.

As we use the signing module internally to check signatures as well, we have to measure the impact first before we make a decision on how to proceed. Our existing clients which create verifiable signatures might implement the same bug in their client implementations right now.

(+CC @doismellburning because we discussed this just now on IRC and @haraball because iirc he's the initial author of the above)

Deprecate the lptoken instance attribute on the LaterPayClient as all methods needing lptoken should explicitly accept it as a method argument.

We raise a couple of deprecation warnings for a long time now. We should actually clean up the code base and get rid of those function.

Sometimes it's desirable to use requests.Session() over requests.get().

Only one of lptoken and muid is allowed to the API's /access calls. Not both.

All methods of the LaterPay Python client should have proper inline documentation.