One of the things you have to do constantly when working on a product over the long haul is update your outdated legacy assumptions. One of those assumptions in the early days of Spreedly was that there wasn’t anything terribly sensitive shown on the subscribe page, so it didn’t have to be authenticated to a particular subscriber. Even if we pre-filled it with data, the most anyone would see is someone else’s name. Also, was a miscreant really going to pony up their credit card in order to buy someone else a subscription? <sarcasm>That would just be so mean!</sarcasm>

But when we originally made that decision it was before we collected a subscriber’s email (a long time ago!). There is a privacy concern with emails leaking if someone figures out another user’s Spreedly customer id. Also, what about when we do start to pre-fill credit card data, i.e. allow someone to upgrade/downgrade without re-entering their details? Since we plan on adding that ability soon, we knew we had to tighten up the subscribe page’s security.

At the same time, we didn’t want to complicate getting started with Spreedly, and we didn’t want to break everyone currently using it. The subscribe url as it is today is still a great solution so long as no data is pre-filled. So here’s what we came up with:

First of all, regular old subscribe urls still work; they just no longer pre-fill any existing subscriber data. The numeric customer id in the url is an identifier, not an authenticator, so on its own it no longer unlocks anything. This url:

https://spreedly.com/terralien-test/subscribers/44763/subscribe/41/fred

will always show an unfilled subscribe page.

But if you include the subscriber's token (the secret we issue per subscriber, which is not guessable from the customer id) like so:

https://spreedly.com/terralien-test/subscribers/44763/f76e19a456351a01dbcca9168999a4077dfc680b/subscribe/41/fred

the name and email fields will get pre-filled.
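To make the decision rule concrete, here is an added example in plain Ruby of the server-side check the two url shapes imply. It is not Spreedly's code; the subscriber record, the name and email, and the assumption that the token is a random 40-hex-character per-subscriber secret are all constructed for the example. It also assumes (the post does not say) that a missing, unknown or wrong token simply renders the unfilled page rather than an error, so a probing client learns nothing from the response.

```ruby
require "securerandom"

# Constructed sample store (not real data): customer id => subscriber record.
# The id is the public, guessable part of the url; the token is the secret.
SUBSCRIBERS = {
  44763 => {
    name:  "Fred Flintstone",
    email: "fred@example.com",
    token: "f76e19a456351a01dbcca9168999a4077dfc680b",
  },
}.freeze

# Matches both url shapes from the post:
#   /<site>/subscribers/<id>/subscribe/<plan>[/<screen_name>]
#   /<site>/subscribers/<id>/<40-hex-token>/subscribe/<plan>[/<screen_name>]
SUBSCRIBE_PATH = %r{
  \A/(?<site>[^/]+)/subscribers/(?<id>\d+)
  (?:/(?<token>\h{40}))?
  /subscribe/(?<plan>\d+)(?:/(?<screen_name>[^/]+))?\z
}x

def parse_subscribe_path(path)
  m = SUBSCRIBE_PATH.match(path)
  return nil unless m
  {
    site: m[:site], id: m[:id].to_i, token: m[:token],
    plan: m[:plan].to_i, screen_name: m[:screen_name],
  }
end

# Assumed token scheme: 20 random bytes, hex encoded (40 characters), one per
# subscriber. Anything with ~160 bits of entropy from a CSPRNG would do.
def new_subscriber_token
  SecureRandom.hex(20)
end

# Constant-time string comparison so response timing does not leak how many
# leading characters of a guessed token were right.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns nil for a path that is not a subscribe url, {} for the unfilled
# page, and the fields to pre-fill only when the token authenticates the id.
def prefill_for(path, store = SUBSCRIBERS)
  req = parse_subscribe_path(path)
  return nil if req.nil?
  record = store[req[:id]]
  # No token, unknown customer id, or a token that does not match: render the
  # same unfilled page in every case, so nothing about the subscriber leaks.
  return {} unless record && secure_equal?(req[:token], record[:token])
  { name: record[:name], email: record[:email] }
end

if __FILE__ == $PROGRAM_NAME
  p prefill_for("/terralien-test/subscribers/44763/subscribe/41/fred")
  p prefill_for("/terralien-test/subscribers/44763/" \
                "f76e19a456351a01dbcca9168999a4077dfc680b/subscribe/41/fred")
end
```

The point of the split is that the customer id can stay in the url (and in examples, docs and support emails) without consequence, because only the token grants access to the subscriber's data. Two caveats once card data starts pre-filling: a token in a url ends up in browser history, proxy and server logs and Referer headers, so the tokened url has to be treated as a secret, and the token should be rotatable per subscriber so a leaked one can be revoked.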

This is only the beginning – our goal with this is to allow upgrades/downgrades without re-entering credit card data that is already on file, so expect that to be coming down the pike soon.

We think this is a big win from a lot of angles, but we’d love to hear your feedback – any concerns or questions?
