Some applications (like QuizWitz) add query parameters to the remote order URLs, attaching a card alias, an order name, etc. to the order. This data should be signed.
- Split the order token into a public part that defines the URL of the order form and a secret that should not be visible to the end user. Separate the two with a dash (-).
- When additional information such as card or name is provided in the URL, add a signature using the shared secret. Validate the secret both on load of the form and on the order itself. Verification should obviously happen on the server.
- Write documentation for event organisers on how the signature must be calculated.
- Add ample tests and documentation in the .ai folder and in the README.
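
One possible shape for the scheme in the list above, as an added sketch and not the project's own code. Assumptions: HMAC-SHA256 with hex output, the parameter names `card`, `name` and `signature`, the canonical string layout, the `/order/<public>` URL form, and the hypothetical `lookup_secret` callback standing in for the server's token store.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

SIGNED_PARAMS = ("card", "name")  # assumed names for card alias and order name

def split_token(order_token):
    """Split '<public>-<secret>' on the first dash (public part has no dash)."""
    public, sep, secret = order_token.partition("-")
    if not (public and sep and secret):
        raise ValueError("order token must look like <public>-<secret>")
    return public, secret

def _canonical(public, params):
    # Bind the signature to one order form and to a fixed parameter order.
    pairs = [(k, params[k]) for k in sorted(SIGNED_PARAMS) if k in params]
    return (public + "\n" + urlencode(pairs)).encode("utf-8")

def sign(order_token, params):
    """What the event organiser computes before handing out the URL."""
    public, secret = split_token(order_token)
    mac = hmac.new(secret.encode("utf-8"), _canonical(public, params), hashlib.sha256)
    return mac.hexdigest()

def build_url(base, order_token, params):
    public, _ = split_token(order_token)  # only the public part enters the URL
    query = dict(params, signature=sign(order_token, params))
    return f"{base}/{public}?{urlencode(query)}"

def verify(url, lookup_secret):
    """Server side: call on form load and again when the order is placed."""
    parts = urlsplit(url)
    public = parts.path.rsplit("/", 1)[-1]
    query = parse_qsl(parts.query, keep_blank_values=True)
    params = dict(query)
    if len(params) != len(query):
        return False  # duplicated parameter: ambiguous, reject
    supplied = params.pop("signature", "")
    if not any(k in params for k in SIGNED_PARAMS):
        return True  # no extra data in the URL, nothing to verify
    secret = lookup_secret(public)
    if secret is None:
        return False
    expected = sign(f"{public}-{secret}", params)
    # Constant-time comparison on bytes, so odd input cannot raise TypeError.
    return hmac.compare_digest(expected.encode(), supplied.encode("utf-8"))
```
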