diff options
author | Antoine A <> | 2023-11-13 16:44:00 +0000 |
---|---|---|
committer | Antoine A <> | 2023-11-13 16:44:00 +0000 |
commit | 46c9b73e9e6e976ce7ddbe8d16bf0fa8f8270707 (patch) | |
tree | 732e8dfea501be83452da162abf94575f94f73df | |
parent | 97709e5251bc8c65d90142224e1f5a628415c128 (diff) | |
download | docs-fix_withdrawal.tar.gz docs-fix_withdrawal.tar.bz2 docs-fix_withdrawal.zip |
Fix withdrawal API securityfix_withdrawal
-rw-r--r-- | core/api-bank-integration.rst | 28 | ||||
-rw-r--r-- | core/api-corebank.rst | 47 |
2 files changed, 32 insertions, 43 deletions
diff --git a/core/api-bank-integration.rst b/core/api-bank-integration.rst index 4a9650dc..ae4c7c0e 100644 --- a/core/api-bank-integration.rst +++ b/core/api-bank-integration.rst @@ -64,11 +64,11 @@ Withdrawing Withdrawals with a Taler-integrated bank are based on withdrawal operations. Some user interaction (on the bank's website or a Taler-enabled ATM) creates a withdrawal operation record in the bank's database. The wallet can use a unique identifier -for the withdrawal operation (the ``wopid``) to interact with the withdrawal operation. +for the withdrawal operation (the ``OP_UUID``) to interact with the withdrawal operation. -.. http:get:: ${BANK_API_BASE_URL}/withdrawal-operation/${wopid} +.. http:get:: ${BANK_API_BASE_URL}/withdrawal-operation/${OP_UUID} - Query information about a withdrawal operation, identified by the ``wopid``. + Query information about a withdrawal operation, identified by the ``OP_UUID``. **Request:** @@ -91,17 +91,15 @@ for the withdrawal operation (the ``wopid``) to interact with the withdrawal ope .. ts:def:: BankWithdrawalOperationStatus export class BankWithdrawalOperationStatus { - // Indicates whether the withdrawal was aborted. - aborted: boolean; + // Account username + username: string; - // Has the wallet selected parameters for the withdrawal operation - // (exchange and reserve public key) and successfully sent it - // to the bank? - selection_done: boolean; - - // The transfer has been confirmed and registered by the bank. - // Does not guarantee that the funds have arrived at the exchange already. - transfer_done: boolean; + // Current status of the operation + // pending: the operation is pending parameters selection (exchange and reserve public key) + // selected: the operations has been selected and is pending confirmation + // aborted: the operation has been aborted + // confirmed: the transfer has been confirmed and registered by the bank + status: "pending" | "selected" | "aborted" | "confirmed"; // Amount that will be withdrawn with this operation // (raw amount without fee considerations). @@ -123,7 +121,7 @@ for the withdrawal operation (the ``wopid``) to interact with the withdrawal ope wire_types: string[]; } -.. http:post:: ${BANK_API_BASE_URL}/withdrawal-operation/${wopid} +.. http:post:: ${BANK_API_BASE_URL}/withdrawal-operation/${OP_UUID} **Request:** @@ -144,7 +142,7 @@ for the withdrawal operation (the ``wopid``) to interact with the withdrawal ope The bank has accepted the withdrawal operation parameters chosen by the wallet. The response is a `BankWithdrawalOperationPostResponse`. :http:statuscode:`404 Not found`: - The bank does not know about a withdrawal operation with the specified ``wopid``. + The bank does not know about a withdrawal operation with the specified ``OP_UUID``. :http:statuscode:`409 Conflict`: * ``TALER_EC_BANK_WITHDRAWAL_OPERATION_RESERVE_SELECTION_CONFLICT`` : The wallet selected a different exchange or reserve public key under the same withdrawal ID. diff --git a/core/api-corebank.rst b/core/api-corebank.rst index 07b43237..2f645227 100644 --- a/core/api-corebank.rst +++ b/core/api-corebank.rst @@ -595,20 +595,17 @@ Taler Withdrawals .. ts:def:: BankAccountCreateWithdrawalResponse interface BankAccountCreateWithdrawalResponse { - // ID of the withdrawal, can be used to view/modify the withdrawal operation. - // This ID will be globally unique and grant control over the operation to - // abort or confirm it. - withdrawal_id: string; + // ID identifying the operation being created + withdrawal_id: number; // URI that can be passed to the wallet to initiate the withdrawal. taler_withdraw_uri: string; } -.. http:post:: ${BANK_API_BASE_URL}/withdrawals/${withdrawal_id}/abort +.. http:post:: ${BANK_API_BASE_URL}/withdrawals/${OP_ID}/abort - Aborts ``withdrawal_id`` operation. Has no effect on an already aborted - operation. Does not require further authentication as knowledge - of the withdrawal ID serves as an authenticator. + Aborts ``OP_ID`` withdrawal operation. Has no effect on an already aborted + operation. **Response:** @@ -619,12 +616,11 @@ Taler Withdrawals :http:statuscode:`409 Conflict`: The withdrawal operation has been confirmed previously and can't be aborted. -.. http:post:: ${BANK_API_BASE_URL}/withdrawals/${withdrawal_id}/confirm +.. http:post:: ${BANK_API_BASE_URL}/withdrawals/${OP_ID}/confirm - Confirms ``withdrawal_id`` operation. Has no effect on an already confirmed + Confirms ``OP_ID`` withdrawal operation. Has no effect on an already confirmed withdrawal operation. This call is responsible for wiring the funds to the - exchange. Does not require further authentication as knowledge of the - withdrawal ID serves as an authenticator. + exchange. **Response:** @@ -637,10 +633,9 @@ Taler Withdrawals * ``TALER_EC_BANK_CONFIRM_INCOMPLETE`` : the withdraw operation cannot be confirmed because no exchange and reserve public key selection happened before. * ``TALER_EC_BANK_UNALLOWED_DEBIT`` : the account does not have sufficient funds. -.. http:get:: ${BANK_API_BASE_URL}/withdrawals/${withdrawal_id} +.. http:get:: ${BANK_API_BASE_URL}/withdrawals/${OP_ID} - Query the status of a withdrawal operation. Does not require further - authentication as knowledge of the withdrawal ID serves as an authenticator. + Query the status of a withdrawal operation. **Response:** @@ -657,25 +652,21 @@ Taler Withdrawals // Amount that will be withdrawn with this withdrawal operation. amount: Amount; - // Was the withdrawal aborted? - aborted: boolean; - - // Has the withdrawal been confirmed by the bank? - // The wire transfer for a withdrawal is only executed once - // both ``confirmation_done`` is ``true`` and ``selection_done`` is ``true``. - confirmation_done: boolean; - - // Did the wallet select reserve details? - selection_done: boolean; + // Current status of the operation + // pending: the operation is pending parameters selection (exchange and reserve public key) + // selected: the operations has been selected and is pending confirmation + // aborted: the operation has been aborted + // confirmed: the transfer has been confirmed and registered by the bank + status: "pending" | "selected" | "aborted" | "confirmed"; // Reserve public key selected by the exchange, - // only non-null if ``selection_done`` is ``true``. - selected_reserve_pub: string | null; + // only non-null if ``status`` is ``selected`` or ``confirmed``. + selected_reserve_pub?: string ; // Exchange account selected by the wallet, or by the bank // (with the default exchange) in case the wallet did not provide one // through the Integration API. - selected_exchange_account: string | null; + selected_exchange_account?: string; } Cashouts |