-
Notifications
You must be signed in to change notification settings - Fork 0
/
api.txt
489 lines (369 loc) · 15 KB
/
api.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
h1. API 10
h1. Admin API:
Calling convention for private API calls (sales.backtoshops.com)
Use corresponding server public key
Encrypt a random 256 bit AES key with it (RSA PKS1)
Encrypt the encrypted key with brand private key
Encrypt payload with the original AES key
Send the double encrypted AES key and encrypted payload
All calls return XML
Public keys available at the following URLs:
http://sales.backtoshops.com/apikey.pem
http://users.backtoshops.com/apikey.pem
The merchant has a private key, and the matching public key is stored on sales.backtoshops.com
Used for:
- adding items to the inventory
- removing items from the inventory
- accessing orders
- marking orders as delivered
- ...
Inventory
Scan the barcodes using a batch barcode scanner
Get the CSV
Upload the CSV using the backoffice
POS
iPhone/Android App
QRCode/Barcode reader
Call the online API to get order details
Mark the order as delivered/canceled/returned
h1. Public sales.backtoshops.com API:
The results of the public API should be cached by Django, and invalidated if a sale changes, stocks
The results of the calls are also cached in reddis or tokyo tyrant on the users.backtoshops.com side
h2. /webservice/1.0/pub/sales/list
h3. Parameters
* shop: id of a shop
* type: id of a product type
* category: id of a product category
* brand: id of a brand
h3. Returns
the list of current sales:
<pre>
<sales version="1.0">
<sale id="_id_sale">
<category id="_id_product_category">
<name>_name_product_category</name>
</category>
<type id="_id_product_type
<name>_name_product_type</name>
</type>
<name>_name_product</name>
<desc>_desc_product</desc>
<available from="_valid_from_sale" to="_valid_to_sale" />
<img url="_default_img_product" />
<seller id="_brand_sale">
<name>_name_seller</name>
<logo url="_logo_seller" />
</seller>
<price>_normal_price_product</price>
<discount type="ratio/fixed" amount="_amount_discount" price="_price_after_discount" />
<variant id="_id_brand_attribute"> <!-- list of brand attributes -->
<name>_brand_attribute_name</name>
<thumb url="_brand_attribute_texture" />
<img url="_brand_attribute_product_picture" />
<premium type="ratio/fixed" amount="_amount_discount" price="_price_after_discount" />
<variant>
</sale>
</sales>
</pre>
h2. /webservice/1.0/pub/shops/list : return the list of all the shops (all/by brand/by city)
h3. Parameters
* seller: id of a brand
* city: city name
h3. Returns
the list of current all the shops filtered by the parameters:
<pre>
<shops version="1.0">
<shop id="_id_shop">
<name>_name_shop</name>
<catcher>_catcher_shop</catcher>
<desc>_desc_shop</desc>
<img url="_url_logo_shop" />
<seller id="_brand_shop">
<name>_name_seller</name>
<logo url="_logo_seller" />
</seller>
<addr>_street_shop</addr>
<zip>_zipcode_shop</zip>
<city>_city_shop</city>
<country>_country_shop</country>
<code>_upc_shop</code>
<location lat="_latitude_shop" long="_longitude_shop" />
</shop>
</shops>
</pre>
* country: ISO 2 letters country code
h2. /webservice/1.0/pub/types/list
h3. Parameters
* seller: id of a brand
par exemple une marque peut ne vendre que des chaussures, dans ce cas on ne veut pas avoir le reste
h3. Returns
the list of product types:
<pre>
<types version="1.0">
<type id="_id_product_type">
<name>_name_product_type</name>
<attribute name="_name_attribute_for_this_type" /><!-- list of common attributes for this product type -->
</type>
<category id="_id_product_category">
<name>_name_product_category</name>
</category>
</types>
</pre>
h2. /webservice/1.0/pub/brand/list
h3. Parameters
* type: product type id
* category: product category id
h3. Returns
the list of all the brands: (Brands or Product Brands?)
<pre>
<brands version="1.0">
<brand id="_id_brand">
<name>_brand_name</name>
<logo url="_url_logo_brand" />
<category id="_id_product_category"> <!-- list -->
<name>_name_product_category</name>
</category>
<type id="_id_product_category">
<name>_name_product_category</name>
<variant id="_id_brand_attribute"> <!-- list of brand attributes -->
<name>_brand_attribute_name</name>
<thumb url="_brand_attribute_texture" />
<img url="_brand_attribute_product_picture" />
<premium type="ratio/fixed" amount="_amount_discount" price="_price_after_discount" />
<variant>
</type>
</brand>
</brands>
</pre>
h2. /webservice/1.0/pub/brand/info : get brand details, special attributes for each type of item
h3. Parameters
URL must look list that: /webservice/1.0/pub/brand/info/ *pk*
with pk the id of the brand
h3. Returns
<pre>
<brand version="1.0" id="_id_brand">
<name>_brand_name</name>
<logo url="_url_logo_brand" />
<category id="_id_product_category"> <!-- list -->
<name>_name_product_category</name>
</category>
<type id="_id_product_type">
<name>_name_product_type">
<variant id="_id_brand_attribute"> <!-- list of brand attributes -->
<name>_brand_attribute_name</name>
<thumb url="_brand_attribute_texture" />
<img url="_brand_attribute_product_picture" />
<premium type="ratio/fixed" amount="_amount_discount" price="_price_after_discount" />
<variant>
</type>
<shop id="_id_shop"> <!-- list of shops -->
<name>_name_shop</name>
<desc>_desc_shop</desc>
<logo url="_url_logo_shop" />
<addr>_street_shop</addr>
<zip>_zipcode_shop</zip>
<city>_city_shop</city>
<country>_country_shop</country>
<location lat="_latitude_shop" long="_longitude_shop" />
<code>_upc_shop</code>
</shop>
</brand>
</pre>
h2. /webservice/1.0/pub/sales/info : return details about an item (pictures/description/remaining stocks)
h3. Parameters
URL must look list that: /webservice/1.0/pub/sales/info/ *pk*
with pk the id of the sale
h3. Returns
the sale:
<pre>
<sale version="1.0" id="_id_sale">
<category id="_id_product_category">
<name>_name_product_category</name>
</category>
<type id="_id_product_type">
<name>_name_product_type</name>
</type>
<name>_name_product</name>
<desc>_desc_product</desc>
<available from="_valid_from_sale" to="_valid_to_sale" />
<img url="_picture_product_url" /> <!-- list of pictures -->
<seller id="_brand_sale">
<name>_name_seller</name>
<logo url="_logo_seller" />
</seller>
<price>_normal_price_product</price>
<discount type="ratio/fixed" amount="_amount_discount" price="_price_after_discount" />
<variant id="_id_brand_attribute"> <!-- list of brand attributes -->
<name>_brand_attribute_name</name>
<thumb url="_brand_attribute_texture" />
<img url="_brand_attribute_product_picture" />
<premium type="ratio/fixed" amount="_amount_discount" price="_price_after_discount" />
<variant>
<attribute id="_id_attribute" name="_name_attribute_for_this_product_category" /> <!-- list -->
<product variant="_id_brand_attribute" attribute="_id_common_attribute">
<code upc="_ucp_code_for_product" />
<stock shop="_id_shop" available="_rest_stock" /> <!-- list of stocks by shop -->
</product>
<shop id="_id_shop"> <!-- list of shops for this sale -->
<name>_name_shop</name>
<logo url="_logo_shop" />
<location lat="_latitude_shop" long="_longitude_shop" />
</shop>
</sale>
</pre>
h2. /webservice/1.0/pub/shops/info
h3. Parameters
URL must look list that: /webservice/1.0/pub/shops/info/ *pk*
with pk the id of the shop
h3. Returns
the shop details
<pre>
<shop version="1.0" id="_id_shop">
<name>_name_shop</name>
<catcher>_catcher_shop</catcher>
<desc>_desc_shop</desc>
<img url="_url_logo_shop" />
<seller id="_brand_shop">
<name>_name_seller</name>
<logo url="_logo_seller" />
</seller>
<addr>_street_shop</addr>
<zip>_zipcode_shop</zip>
<city>_city_shop</city>
<country>_country_shop</country>
<location lat="_latitude_shop" long="_longitude_shop" />
<code>_upc_shop</code>
<hours>_opening_hours_blob_json</hours>
</shop>
</pre>
h2. /webservice/1.0/pub/types/info : return the user preference attributes and their possible values (mainly for sizes)
h3. Parameters
URL must look list that: /webservice/1.0/pub/types/info/ *pk*
with pk the id of the product type
h3. Returns
the list of common attributes for this product type:
<pre>
<type version="1.0" id="_id_product_category">
<name>_name_product_category</name>
<attribute pk="_id_attribute"> <!-- list of common attributes -->
<name>_name_attribute_for_this_category"</name>
</attribute>
</type>
</pre>
h2. /webservice/1.0/vicinity/shops : return all the shops in a radius of X around the given coordinates (all/with sales/by brand) (Name - Adress - Hours - array of sales)
h3. Parameters
*TODO*
h3. Returns
*TODO*
h2. /webservice/1.0/vicinity/sales : return all the sales in a radius of X around the given coordinates (all/by brand/by name) (details, shops opened selling the thing)
h3. Parameters
*TODO*
h3. Returns
*TODO*
h1. Private sales.backtoshops.com API:
Called by the brand, the POS application...
- /webservice/1.0/private/stock/inc : increment the number of item in stock - does not cause cache invalidation unless the item was sold out (the it invalidates getsales and saleinfo)
- /webservice/1.0/private/stock/dec : decrement - invalidates the cache for saleinfo, and getsales only if the item becomes sold out
- /webservice/1.0/private/stock/ret : increment the number of items in stock and mark it as a returned item (same rules than inc for cache invalidations)
h1. Public users.backtoshops.com API:
The basket (cart) is implemented purely on the Front-End side. It is only mandatory to keep the list of item IDs and quantity of each item, but clients may want to cache the price to be able to present a total amount estimation to the user.
This means adding items to the cart, or viewing items, does not interact at all with the login system.
Only confirming an Order, or accessing the user profile requires logging in.
The system works as follow:
- the Front-End maintains its own session or persistent state to remember the basket content.
- When logging in, the user browser or client directly connects to users.backtoshops.com over https and sends a username and password
Account creation
Protected with an optional CAPTCHA
Call: /webservice/1.0/pub/account
POST request, parameters:
action=create
email=<email address>
password=<password>
captcha=<captcha text>
The call should only be made over SSL.
Does not require prior authentication (obviously) and no CSRF check.
The system generate a large cryptographically secure random number (256 bits minimum), to be used as salt.
This salt is added to the account.
Recursive iterated hash function:
H0(salt,password) = WHIRLPOOL(salt + password)
Hx(salt,password) = WHIRLPOOL(Hx-1(salt, password) + password)
The system records an iterated hash of the password: WHIRLPOOL(Hn), with n a random number between 2 and 256 (n is recorded in the account). This iterated hash is designed as authenticator z.
So, in database:
email: identifier
salt: a cryptographically secure 256+ bits random number
N: number of iterations used to compute the authenticator z
z: iterated hash of the password
res:
SUCCESS
FAILURE
err:
ERR_EMAIL
ERR_PASSW
ERR_SQLDB
- /webservice/1.0/pub/connect
The call should only be made over SSL.
Does not require prior authentication (obviously) and no CSRF check.
POST request, parameters:
id=<email address>
pw=<password of the user>
Login:
The user presents a user name, password and implicitly their IP address and HTTP headers to users.backtoshops.com
users.backtoshops.com calculates c = Hn(salt, password) with n the number of iterations recorded in the account. If WHIRLPOOL(c) = z (the authenticator in database), access is granted.
* A fingerprint of the terminal is recorded in database:
- time of access
- IP address
- hash of relevant HTTP headers
* A random CSRF token is recorded in database
* A cookie is issued to the client:
expiry=timestamp
csrf=CSRF token
auth=c
digest=MAC(k)(expiry + csrf + auth)
The digest is an HMAC computed using a MAC key k stored on the server, preferably as a file. The MAC key should be periodically renewed (every 24h?).
res:
SUCCESS
FAILURE
err:
ERR_LOGIN
Subsequent access:
The user submit the cookie with their request.
users.backtoshops.com checks the MAC, extracts c, compare WHIRLPOOL(c) to the authenticator z.
If they match, users.backtoshops.com check if the IP or the hash of the HTTP headers is still the same. If anything changed, the session is destroyed and the user will need to relogin.
If it is a POST request, verify the CSRF token.
Renew the CSRF token each time.
This scheme should provide decent protection against:
- spoofing (browser fingerprinting)
- replay attack (csrf token)
- cookie data tempering (hmac)
Account modification
Call: /webservice/1.0/pub/account
POST request, parameters:
action=modify
password=<password>
profile=<json array>
The call should only be made over SSL. It requires the authentication cookie.
Additionnally, the password will be verified.
The JSON object is simply a collection of key/value matching the keys retrieved with /pub/profile.
Account profile display/retrieval
Call: /webservice/1.0/pub/profile
GET request, parameters:
NONE
The call should only be made over SSL. It requires the authentication cookie.
Return a Profile JSON object containing a list of fields, their type, their current value and possible values. For example:
"email": { "type": "text", "value": "[email protected]", "accept": {} },
"gender": { "type": "select", "value": "F", "accept": { {"Male": "M"}, { "Female": "F" } }
This object can be used to construct a form and display/edit the profile data.
h1. Private users.backtoshops.com API:
Called by the merchant POS application
- webservice/1.0/private/order/detail : get all the details relative to an order
- webservice/1.0/private/order/cancel : cancel the order and cause the stocks to be updated, by calling the private API of sales.backtoshops.com in the background
- webservice/1.0/private/order/filled : the order has been completed
h1. "Protected" users.backtoshops.com API calling convention:
- Only used from sales.backtoshops.com to users.backtoshops.com
- Generate a 256 bits AES key
- Encrypt the parameters with it
- Encrypt the AES key with the server private key
- Send with this format:
[base64 encoded encrypted AES key]:[base 64 encoded encrypted blob]
h1. "Protected" users.backtoshops.com API:
- /webservice/protected/invalidate (name of the call for which the cache should be invalidated - drop it from reddis)