Fix withdrawal API securitydev/antoine/fix_withdrawal

2 files changed, 58 insertions, 53 deletions

diff --git a/core/api-bank-integration.rst b/core/api-bank-integration.rst
index ef2f7e02..9d8e1b91 100644
--- a/core/api-bank-integration.rst
+++ b/core/api-bank-integration.rst
@@ -74,9 +74,11 @@ for the withdrawal operation (the ``WITHDRAWAL_ID``) to interact with the withdr
 
   :query long_poll_ms:
     *Optional.*  If specified, the bank will wait up to ``long_poll_ms``
-    milliseconds for completion of the transfer before sending the HTTP
+    milliseconds for operationt state to be different from ``old_state`` before sending the HTTP
     response.  A client must never rely on this behavior, as the bank may
     return a response immediately.
+  :query old_state:
+    *Optional.* Default to "pending".
 
   **Response:**
 
@@ -91,17 +93,12 @@ for the withdrawal operation (the ``WITHDRAWAL_ID``) to interact with the withdr
   .. ts:def:: BankWithdrawalOperationStatus
 
     export class BankWithdrawalOperationStatus {
-      // Indicates whether the withdrawal was aborted.
-      aborted: boolean;
-
-      // Has the wallet selected parameters for the withdrawal operation
-      // (exchange and reserve public key) and successfully sent it
-      // to the bank?
-      selection_done: boolean;
-
-      // The transfer has been confirmed and registered by the bank.
-      // Does not guarantee that the funds have arrived at the exchange already.
-      transfer_done: boolean;
+      // Current status of the operation
+      // pending: the operation is pending parameters selection (exchange and reserve public key)
+      // selected: the operations has been selected and is pending confirmation
+      // aborted: the operation has been aborted
+      // confirmed: the transfer has been confirmed and registered by the bank
+      status: "pending" | "selected" | "aborted" | "confirmed";
 
       // Amount that will be withdrawn with this operation
       // (raw amount without fee considerations).
@@ -121,6 +118,29 @@ for the withdrawal operation (the ``WITHDRAWAL_ID``) to interact with the withdr
 
       // Wire transfer types supported by the bank.
       wire_types: string[];
+
+      // Reserve public key selected by the exchange,
+      // only non-null if ``status`` is ``selected`` or ``confirmed``.
+      selected_reserve_pub?: string;
+
+      // Exchange account selected by the wallet
+      // only non-null if ``status`` is ``selected`` or ``confirmed``.
+      selected_exchange_account?: string;
+
+      // Deprecated field use ``status`` instead
+      // Indicates whether the withdrawal was aborted.
+      aborted: boolean;
+
+      // Deprecated field use ``status`` instead
+      // Has the wallet selected parameters for the withdrawal operation
+      // (exchange and reserve public key) and successfully sent it
+      // to the bank?
+      selection_done: boolean;
+
+      // Deprecated field use ``status`` instead
+      // The transfer has been confirmed and registered by the bank.
+      // Does not guarantee that the funds have arrived at the exchange already.
+      transfer_done: boolean;
     }
 
 .. http:post:: /withdrawal-operation/$WITHDRAWAL_ID
@@ -156,14 +176,22 @@ for the withdrawal operation (the ``WITHDRAWAL_ID``) to interact with the withdr
   .. ts:def:: BankWithdrawalOperationPostResponse
 
     interface BankWithdrawalOperationPostResponse {
-      // The transfer has been confirmed and registered by the bank.
-      // Does not guarantee that the funds have arrived at the exchange already.
-      transfer_done: boolean;
+      // Current status of the operation
+      // pending: the operation is pending parameters selection (exchange and reserve public key)
+      // selected: the operations has been selected and is pending confirmation
+      // aborted: the operation has been aborted
+      // confirmed: the transfer has been confirmed and registered by the bank
+      status: "selected" | "aborted" | "confirmed";
 
       // URL that the user needs to navigate to in order to
       // complete some final confirmation (e.g. 2FA).
       //
-      // Only applicable when ``transfer_done`` is ``false``.
+      // Only applicable when ``status`` is ``selected``.
       // It may contain withdrawal operation id
       confirm_transfer_url?: string;
+
+      // Deprecated field use ``status`` instead
+      // The transfer has been confirmed and registered by the bank.
+      // Does not guarantee that the funds have arrived at the exchange already.
+      transfer_done: boolean;
     }
diff --git a/core/api-corebank.rst b/core/api-corebank.rst
index 1a0bae01..fd11bea9 100644
--- a/core/api-corebank.rst
+++ b/core/api-corebank.rst
@@ -589,20 +589,17 @@ Taler Withdrawals
   .. ts:def:: BankAccountCreateWithdrawalResponse
 
     interface BankAccountCreateWithdrawalResponse {
-      // ID of the withdrawal, can be used to view/modify the withdrawal operation.
-      // This ID will be globally unique and grant control over the operation to
-      // abort or confirm it.
+      // ID identifying the operation being created
       withdrawal_id: string;
 
-      // URI that can be passed to the wallet to initiate the withdrawal.
+      // URI that can be passed to the wallet to initiate the withdrawal
       taler_withdraw_uri: string;
     }
 
-.. http:post:: /withdrawals/$WITHDRAWAL_ID/abort
+.. http:post:: /accounts/$USERNAME/withdrawals/$WITHDRAWAL_ID/abort
 
   Aborts ``WITHDRAWAL_ID`` operation.  Has no effect on an already aborted
-  operation.  Does not require further authentication as knowledge
-  of the withdrawal ID serves as an authenticator.
+  operation.
 
   **Response:**
 
@@ -613,12 +610,11 @@ Taler Withdrawals
   :http:statuscode:`409 Conflict`: 
     The withdrawal operation has been confirmed previously and can't be aborted.
 
-.. http:post:: /withdrawals/$WITHDRAWAL_ID/confirm
+.. http:post:: /accounts/$USERNAME/withdrawals/$WITHDRAWAL_ID/confirm
 
   Confirms ``WITHDRAWAL_ID`` operation.  Has no effect on an already confirmed
   withdrawal operation.  This call is responsible for wiring the funds to the
-  exchange.  Does not require further authentication as knowledge of the
-  withdrawal ID serves as an authenticator.
+  exchange.
 
   **Response:**
 
@@ -633,43 +629,24 @@ Taler Withdrawals
 
 .. http:get:: /withdrawals/$WITHDRAWAL_ID
 
-  Query the status of a withdrawal operation. Does not require further
-  authentication as knowledge of the withdrawal ID serves as an authenticator.
+  Retrieve public information about ``WITHDRAWAL_ID`` withdrawal operation.  
+  Does not require further authentication as knowledge of ``WITHDRAWAL_ID``
+  serves as an authenticator.
 
   **Response:**
 
   :http:statuscode:`200 Ok`:
-    The bank responds with an `BankAccountGetWithdrawalResponse` object.
+    The bank responds with an `WithdrawalPublicInfo` object.
   :http:statuscode:`404 Not found`:
     The operation was not found.
 
   **Details:**
 
-  .. ts:def:: BankAccountGetWithdrawalResponse
-
-    interface BankAccountGetWithdrawalResponse {
-      // Amount that will be withdrawn with this withdrawal operation.
-      amount: Amount;
-
-      // Was the withdrawal aborted?
-      aborted: boolean;
+  .. ts:def:: WithdrawalPublicInfo
 
-      // Has the withdrawal been confirmed by the bank?
-      // The wire transfer for a withdrawal is only executed once
-      // both ``confirmation_done`` is ``true`` and ``selection_done`` is ``true``.
-      confirmation_done: boolean;
-
-      // Did the wallet select reserve details?
-      selection_done: boolean;
-
-      // Reserve public key selected by the exchange,
-      // only non-null if ``selection_done`` is ``true``.
-      selected_reserve_pub: string | null;
-
-      // Exchange account selected by the wallet, or by the bank
-      // (with the default exchange) in case the wallet did not provide one
-      // through the Integration API.
-      selected_exchange_account: string | null;
+    interface WithdrawalPublicInfo {
+      // Account username
+      username: string;
     }
 
 Cashouts