HIB coupons go to the wrong account when logged into different accounts with USC and SCA

Bug #1084987 reported by Selene ToyKeeper
This bug affects 1 person
Affects: Software Center Agent
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Over the past couple HIB releases, I've had several reports that
customers could not redeem their HIB coupons, or that USC still
required them to buy the titles after redeeming the coupon. Not
just the usual 'button says "buy" instead of "install"' issue,
but genuinely requiring payment.

I think I've determined the causes of these issues.

First, SCA requires that the user has an address on their SSO
account which matches the address they use at the Humble Bundle
site. When this isn't the case, they can't redeem the coupons
until they add that address to their SSO account.

Second, when the user has more than one account, SCA attaches the
subscription to the account with the HIB address even if it's not
the account they're logged in to in Software Center.

The former can be fixed by redeeming for whatever account the
user is logged in to, regardless of whether the address matches.
This does, however, make it theoretically possible to steal the
coupon by sniffing the URL out of their email and using it first.

The multiple-account issue may be trickier though, since we have
no way to guarantee that they're using the same account in both
Software Center and their web browser.

This is somewhat related to Software Center's lack of a "log out"
button (recently fixed for 13.04), and its lack of indication
about which account is being used.

So, ideas? Do both of these cases have a common solution?

tags: added: u1-support
removed: u1
Changed in software-center-agent:
status: New → Confirmed
Matthew Paul Thomas (mpt) wrote :

The design I did for the "Sign Out" function would also show the ID of your account. <https://wiki.ubuntu.com/SoftwareCenter#store-account>

Selene ToyKeeper (toykeeper) wrote :

If I understand correctly, the coupons get redeemed directly in SCA before USC is executed... and the account the user is logged into in USC is irrelevant to which account SCA redeems the coupons for.

Julien Funk (jaboing)
tags: added: u1-by-support
tags: removed: u1-support
Selene ToyKeeper (toykeeper) wrote :

The current code does not behave this way any more. It now redeems coupons for whichever account the user is logged into in SCA, regardless of whether the email addresses match.

This approach seems less likely to fail in the general case, but still runs into issues if the user has multiple accounts and uses a different account for USC than they are logged into in their browser when trying to redeem coupons. This happened to one of our vendors, who uploaded apps to dev.u.c via his work account then tried to install a Humble Bundle using his personal account, and found that the subscriptions went to the wrong account.

Is there any way we could check what account the user is using for USC, and use that for the coupon instead? Or, possibly allow users to override the owner of a coupon after the fact if they were logged in to the wrong account on the first click? Or any other ideas? My first idea seems like it'd be a pretty big and complicated code change, and the second idea seems risky for abuse, so I'd like other suggestions.

I'd at least like to give the support team a way to re-assign coupons and subscriptions, so we can clean up the rare instances of this issue.

summary: - HIB coupons redeem only for the user's HIB address
+ HIB coupons go to the wrong account when logged into different accounts
+ with USC and SCA
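
The two ideas raised in the last comment (checking the Software Center account at redemption time, and a support-side reassignment for clean-up) can be modelled as below. This is an added example, not part of the bug thread and not Software Center Agent code; every class, function and account name is hypothetical, and it assumes the desktop client can report its account to the server.

```python
from dataclasses import dataclass, field
from typing import Optional

class RedemptionError(Exception):
    """Redemption or reassignment refused."""

class AccountMismatch(RedemptionError):
    """Browser session and Software Center use different accounts."""

@dataclass
class Coupon:
    code: str
    owner: Optional[str] = None                 # account holding the subscription
    audit: list = field(default_factory=list)   # (actor, action, detail) tuples

def redeem(coupon, sca_account, usc_account=None):
    """Attach the coupon to the account logged in to the web session.

    usc_account is the account the desktop client reports (hypothetical
    input). None models the behaviour described in the thread, where the
    server cannot see it.
    """
    if coupon.owner is not None:
        raise RedemptionError("coupon already redeemed")   # single use
    if usc_account is not None and usc_account != sca_account:
        # Refuse rather than guess, so the UI can ask which account to use.
        raise AccountMismatch(f"web={sca_account} client={usc_account}")
    coupon.owner = sca_account
    coupon.audit.append((sca_account, "redeem", coupon.code))
    return coupon.owner

def support_reassign(coupon, staff_id, new_owner, ticket):
    """Support-only move of a redeemed coupon; every move is logged."""
    if coupon.owner is None:
        raise RedemptionError("coupon has not been redeemed")
    if not ticket:
        raise RedemptionError("ticket reference required")
    if new_owner == coupon.owner:
        raise RedemptionError("already owned by that account")
    old, coupon.owner = coupon.owner, new_owner
    coupon.audit.append((staff_id, "reassign", f"{old} -> {new_owner} [{ticket}]"))
    return old
```

Keeping reassignment behind a staff identity and a ticket reference, rather than letting users change the owner themselves, addresses the abuse concern raised in the comment while leaving a record of each move.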
This report contains Public information  
Everyone can see this information.