Add waiting time after reward point redemption

[janno42]

After reward points have been redeemed, the next redemption should not be able for a short amount of time to prevent users from accidentally redeeming the selected number of points twice by sending a double post request.

When a redemption is attempted within 30 seconds of the last one, the redemption should not be performed. Instead, an error should be shown that the user should wait a moment before redeeming more points.

[richardebeling]

Edit: This comment is irrelevant: The issue is about client-side error of accidentally submitting multiple redemption requests without actually intending to, not about clients redeeming more points than they have available.

Have we actually observed double-redemption?

We have code in place that should prevent that from happening in rewards/tools.py:save_redemptions. I cannot confidently claim that this code is correct in all situations, but after quickly going through the docs again, I think it does the right thing.

IMO, an unsychronized timeout wouldn't solve the issue: For two parallel requests, how could one request know that the other one is also concurrently accessing the timeout? I'm certain this can only be solved by using proper synchronization -- and then we don't need the timeout.

[janno42]

Yes, we have observed them, that's why the issue was opened :)
The code we already have is fine for situations where the browser sends two posts almost at the same time for whatever reason. The problem which occurred here is that requests were sent about 10 seconds from each other (probably by clicking the button twice with a pause in between due to slow internet connection or any other reason). The two requests were correctly handled by the server, redeeming points unintentionally twice in a short period of time. Because it is very unlikely that this happens by intention, we should prevent two redemptions in a short amount of time between each other.

[richardebeling]

Ah, I see, so we want to gracefully handle an accidental repetition of partial redemptions by the user. Sorry, I misread the issue text.

I'm still not a fan of the timeout, since its amount is arbitrary. 30s would block me if I realize I forgot to set a higher count, but it wouldn't help if I have a tab open that shows an outdated redemption page, and thus think that I didn't redeem yet or something didn't work in my past attempt to redeem.

How about we add some more identifying information to the POST request, e.g. the reward points that the client thinks are redeemable, or the count of past redemptions by the user? This way, the server could check whether the request was issued from an up-to-date client, and deny processing it if it was outdated.