diff options
| -rw-r--r-- | core/api-bank-merchant.rst | 122 | ||||
| -rw-r--r-- | core/api-common.rst | 454 | ||||
| -rw-r--r-- | core/api-exchange.rst | 1603 | ||||
| -rw-r--r-- | core/api-merchant.rst | 55 | ||||
| -rw-r--r-- | core/api-wire.rst | 41 | ||||
| -rw-r--r-- | core/index.rst | 5 | ||||
| -rw-r--r-- | design-documents/013-peer-to-peer-payments.rst | 521 | ||||
| -rw-r--r-- | design-documents/018-contract-json.rst | 36 | ||||
| -rw-r--r-- | frags/installing-debian.rst | 8 | ||||
| -rw-r--r-- | frags/installing-ubuntu.rst | 14 | ||||
| -rw-r--r-- | manpages/taler-exchange-offline.1.rst | 31 | ||||
| -rw-r--r-- | manpages/taler-fakebank-run.1.rst | 62 | ||||
| -rw-r--r-- | taler-auditor-manual.rst | 37 | ||||
| -rw-r--r-- | taler-exchange-manual.rst | 6 | ||||
| -rw-r--r-- | taler-merchant-manual.rst | 13 |
15 files changed, 2781 insertions, 227 deletions
diff --git a/core/api-bank-merchant.rst b/core/api-bank-merchant.rst new file mode 100644 index 00000000..790d3f74 --- /dev/null +++ b/core/api-bank-merchant.rst @@ -0,0 +1,122 @@ +.. + This file is part of GNU TALER. + Copyright (C) 2021 Taler Systems SA + + TALER is free software; you can redistribute it and/or modify it under the + terms of the GNU General Public License as published by the Free Software + Foundation; either version 2.1, or (at your option) any later version. + + TALER is distributed in the hope that it will be useful, but WITHOUT ANY + WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR + A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License along with + TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/> + +============================ +Taler Bank Merchant HTTP API +============================ + +This section describes an API offered by the Taler wire gateway. The API is +used by the merchant to query for incoming transactions. + +This API is TO BE implemented by the Taler Demo Bank, as well as by +LibEuFin (work in progress). + + +-------------- +Authentication +-------------- + +The bank library authenticates requests to the bank merchant API using +`HTTP basic auth <https://tools.ietf.org/html/rfc7617>`_. + +-------------------------------- +Querying the transaction history +-------------------------------- + + +.. http:get:: ${BASE_URL}/history + + Return a list of transactions made from an exchange to the merchant. + + Incoming transactions must contain a valid wire transfer identifier and + exchange base URL. If a bank transaction does not conform to the right + syntax, the wire gateway must not report it to the merchant via this + endpoint. + + The bank account of the merchant is determined via the base URL and/or the + user name in the ``Authorization`` header. In fact, the transaction history + might come from a "virtual" account, where multiple real bank accounts are + merged into one history. + + Transactions are identified by an opaque numeric identifier, referred to here + as *row ID*. The semantics of the row ID (including its sorting order) are + determined by the bank server and completely opaque to the client. + + The list of returned transactions is determined by a row ID *starting point* + and a signed non-zero integer *delta*: + + * If *delta* is positive, return a list of up to *delta* transactions (all matching + the filter criteria) strictly **after** the starting point. The transactions are sorted + in **ascending** order of the row ID. + * If *delta* is negative, return a list of up to *-delta* transactions (all matching + the filter criteria) strictly **before** the starting point. The transactions are sorted + in **descending** order of the row ID. + + If *starting point* is not explicitly given, it defaults to: + + * A value that is **smaller** than all other row IDs if *delta* is **positive**. + * A value that is **larger** than all other row IDs if *delta* is **negative**. + + **Request** + + :query start: *Optional.* + Row identifier to explicitly set the *starting point* of the query. + :query delta: + The *delta* value that determines the range of the query. + :query long_poll_ms: *Optional.* If this parameter is specified and the + result of the query would be empty, the bank will wait up to ``long_poll_ms`` + milliseconds for new transactions that match the query to arrive and only + then send the HTTP response. A client must never rely on this behavior, as + the bank may return a response immediately or after waiting only a fraction + of ``long_poll_ms``. + + **Response** + + :http:statuscode:`200 OK`: JSON object of type `MerchantIncomingHistory`. + :http:statuscode:`400 Bad request`: Request malformed. The bank replies with an `ErrorDetail` object. + :http:statuscode:`401 Unauthorized`: Authentication failed, likely the credentials are wrong. + :http:statuscode:`404 Not found`: The endpoint is wrong or the user name is unknown. The bank replies with an `ErrorDetail` object. + + .. ts:def:: MerchantIncomingHistory + + interface MerchantIncomingHistory { + + // Array of incoming transactions. + incoming_transactions : MerchantIncomingBankTransaction[]; + + } + + .. ts:def:: MerchantIncomingBankTransaction + + interface MerchantIncomingBankTransaction { + + // Opaque identifier of the returned record. + row_id: SafeUint64; + + // Date of the transaction. + date: Timestamp; + + // Amount transferred. + amount: Amount; + + // Payto URI to identify the sender of funds. + debit_account: string; + + // Base URL of the exchange where the transfer originated form. + exchange_url: string; + + // The wire transfer identifier. + wtid: WireTransferIdentifierRawP; + } diff --git a/core/api-common.rst b/core/api-common.rst index 19f6bf55..9c23b905 100644 --- a/core/api-common.rst +++ b/core/api-common.rst @@ -64,6 +64,8 @@ handle the error as if an internal error (500) had been returned. changed, the client MUST follow the link to the new location. If possible, the client SHOULD remember the new URL for the reserve for future requests. + :http:statuscode:`400 Bad request`: + One of the arguments to the request is missing or malformed. :http:statuscode:`500 Internal server error`: This always indicates some serious internal operational error of the exchange, such as a program bug, database problems, etc., and must not be used for @@ -75,10 +77,7 @@ handle the error as if an internal error (500) had been returned. although the auditor API for this is not yet specified. However, as internal server errors are always reported to the exchange operator, a good operator should naturally be able to address them in a timely fashion, especially - within 24h. When generating an internal server error, the exchange responds with - a JSON object containing the following fields: FIXME: What are the fields? - :http:statuscode:`400 Bad request`: - One of the arguments to the request is missing or malformed. + within 24h. Unless specified otherwise, all error status codes (4xx and 5xx) have a message body with an `ErrorDetail` JSON object. @@ -500,6 +499,13 @@ uses 512-bit hash codes (64 bytes). uint8_t hash[64]; // usually SHA-512 }; +.. _TALER_EcdhEphemeralPublicKeyP: +.. sourcecode:: c + + struct TALER_EcdhEphemeralPublicKeyP { + uint8_t ecdh_pub[32]; + }; + .. _reserve-pub: .. sourcecode:: c @@ -584,6 +590,13 @@ uses 512-bit hash codes (64 bytes). uint32_t value[4]; }; +.. _WadId: +.. sourcecode:: c + + struct TALER_WadId wad_id { + uint32_t value[6]; + }; + .. _eddsa-coin-pub: .. sourcecode:: c @@ -706,11 +719,6 @@ within the struct TALER_MerchantPublicKeyP merchant; }; -.. _TALER_RefreshCommitmentP: -.. sourcecode:: c - - // FIXME: put definition here - .. _TALER_RefreshMeltCoinAffirmationPS: .. sourcecode:: c @@ -753,6 +761,9 @@ within the struct TALER_ExchangePublicKeyP signkey_pub; }; +.. _TALER_ExchangeKeySetPS: +.. sourcecode:: c + struct TALER_ExchangeKeySetPS { /** * purpose.purpose = TALER_SIGNATURE_EXCHANGE_KEY_SET @@ -793,7 +804,6 @@ within the struct GNUNET_HashCode h_wire_details; }; - .. _TALER_MasterWireFeePS: .. sourcecode:: c @@ -814,7 +824,7 @@ within the struct TALER_DepositTrackPS { /** - * purpose.purpose = TALER_SIGNATURE_MASTER_SEPA_DETAILS || TALER_SIGNATURE_MASTER_TEST_DETAILS + * purpose.purpose = TALER_SIGNATURE_MERCHANT_TRACK_TRANSACTION */ struct GNUNET_CRYPTO_EccSignaturePurpose purpose; struct GNUNET_HashCode h_contract_terms; @@ -834,7 +844,6 @@ within the struct TALER_AmountNBO deposit_fee; }; - .. _TALER_WireDepositDataPS: .. _TALER_SIGNATURE_EXCHANGE_CONFIRM_WIRE_DEPOSIT: .. sourcecode:: c @@ -917,12 +926,31 @@ within the .. _TALER_SIGNATURE_EXCHANGE_CONFIRM_REFUND: .. sourcecode:: c - // FIXME: put definition here + struct TALER_RefundConfirmationPS { + /** + * purpose.purpose = TALER_SIGNATURE_EXCHANGE_CONFIRM_REFUND. + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct GNUNET_HashCode h_contract_terms; + struct TALER_CoinSpendPublicKeyP coin_pub; + struct TALER_MerchantPublicKeyP merchant; + uint64_t rtransaction_id; + struct TALER_AmountNBO refund_amount; + }; .. _TALER_SIGNATURE_MERCHANT_TRACK_TRANSACTION: .. sourcecode:: c - // FIXME: put definition here + struct TALER_DepositTrackPS { + /** + * purpose.purpose = TALER_SIGNATURE_MERCHANT_TRACK_TRANSACTION. + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct GNUNET_HashCode h_contract_terms; + struct GNUNET_HashCode h_wire; + struct TALER_MerchantPublicKeyP merchant; + struct TALER_CoinSpendPublicKeyP coin_pub; + }; .. _TALER_RefundRequestPS: .. sourcecode:: c @@ -940,6 +968,9 @@ within the struct TALER_AmountNBO refund_fee; }; +.. _TALER_MerchantRefundConfirmationPS: +.. sourcecode:: c + struct TALER_MerchantRefundConfirmationPS { /** * purpose.purpose = TALER_SIGNATURE_MERCHANT_REFUND_OK @@ -969,7 +1000,6 @@ within the .. sourcecode:: c struct TALER_RecoupRefreshConfirmationPS { - /** * purpose.purpose = TALER_SIGNATURE_EXCHANGE_CONFIRM_RECOUP_REFRESH */ @@ -985,7 +1015,7 @@ within the struct TALER_RecoupConfirmationPS { /** - * purpose.purpose = TALER_SIGNATURE_EXCHANGE_CONFIRM_RECOUP + * purpose.purpose = TALER_SIGNATURE_EXCHANGE_CONFIRM_RECOUP */ struct GNUNET_CRYPTO_EccSignaturePurpose purpose; struct GNUNET_TIME_AbsoluteNBO timestamp; @@ -995,6 +1025,33 @@ within the }; +.. _TALER_DenominationUnknownAffirmationPS: +.. sourcecode:: c + + struct TALER_DenominationUnknownAffirmationPS { + /** + * purpose.purpose = TALER_SIGNATURE_EXCHANGE_AFFIRM_DENOM_UNKNOWN + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct GNUNET_TIME_AbsoluteNBO timestamp; + struct GNUNET_HashCode h_denom_pub; + }; + + +.. _TALER_DenominationExpiredAffirmationPS: +.. sourcecode:: c + + struct TALER_DenominationExpiredAffirmationPS { + /** + * purpose.purpose = TALER_SIGNATURE_EXCHANGE_GENERIC_DENOMINATIN_EXPIRED + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct GNUNET_TIME_AbsoluteNBO timestamp; + char operation[8]; + struct GNUNET_HashCode h_denom_pub; + }; + + .. _TALER_ReserveCloseConfirmationPS: .. sourcecode:: c @@ -1022,3 +1079,368 @@ within the struct TALER_TransferPublicKeyP transfer_pub; struct GNUNET_HashCode coin_envelope_hash; }; + + + + +.. _TALER_ReserveStatusRequestSignaturePS: +.. sourcecode:: c + + struct TALER_ReserveStatusRequestSignaturePS { + /** + * purpose.purpose = TALER_SIGNATURE_RESERVE_STATUS_REQUEST + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct GNUNET_TIME_AbsoluteNBO request_timestamp; + }; + + +.. _TALER_ReserveHistoryRequestSignaturePS: +.. sourcecode:: c + + struct TALER_ReserveHistoryRequestSignaturePS { + /** + * purpose.purpose = TALER_SIGNATURE_RESERVE_HISTORY_REQUEST + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct TALER_AmountNBO history_fee; + struct GNUNET_TIME_AbsoluteNBO request_timestamp; + }; + + +.. _TALER_PurseStatusRequestSignaturePS: +.. sourcecode:: c + + struct TALER_PurseStatusRequestSignaturePS { + /** + * purpose.purpose = TALER_SIGNATURE_PURSE_STATUS_REQUEST + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + }; + + +.. _TALER_PurseStatusResponseSignaturePS: +.. sourcecode:: c + + struct TALER_PurseStatusResponseSignaturePS { + /** + * purpose.purpose = TALER_SIGNATURE_PURSE_STATUS_RESPONSE + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct TALER_AmountNBO total_purse_amount; + struct TALER_AmountNBO total_deposit_amount; + struct TALER_AmountNBO max_deposit_fees; + struct GNUNET_TIME_AbsoluteNBO purse_expiration; + struct GNUNET_TIME_AbsoluteNBO status_timestamp; + struct GNUNET_HashCode h_contract_terms; + }; + + +.. _TALER_ReserveCloseRequestSignaturePS: +.. sourcecode:: c + + struct TALER_ReserveCloseRequestSignaturePS { + /** + * purpose.purpose = TALER_SIGNATURE_RESERVE_CLOSE + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + }; + +.. _TALER_RefreshCommitmentP: +.. sourcecode:: c + + struct TALER_RefreshCommitmentP { + struct GNUNET_HashCode session_hash; + }; + + +.. _TALER_PurseRequestSignaturePS: +.. sourcecode:: c + + struct TALER_PurseRequestSignaturePS { + /** + * purpose.purpose = TALER_SIGNATURE_PURSE_REQUEST + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct GNUNET_TIME_AbsoluteNBO purse_expiration; + struct TALER_AmountNBO merge_value_after_fees; + struct GNUNET_HashCode h_contract_terms; + }; + + +.. _TALER_PurseDepositSignaturePS: +.. sourcecode:: c + + struct TALER_PurseDepositSignaturePS { + /** + * purpose.purpose = TALER_SIGNATURE_PURSE_DEPOSIT + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct TALER_AmountNBO coin_contribution; + struct GNUNET_TIME_AbsoluteNBO purse_expiration; + struct TALER_PursePublicKey purse_pub; + struct GNUNET_HashCode h_contract_terms; + }; + + +.. _TALER_PurseDepositConfirmedSignaturePS: +.. sourcecode:: c + + struct TALER_PurseDepositConfirmedSignaturePS { + /** + * purpose.purpose = TALER_SIGNATURE_PURSE_DEPOSIT_CONFIRMED + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct TALER_AmountNBO total_purse_amount; + struct TALER_AmountNBO total_deposit_fees; + struct TALER_PursePublicKey purse_pub; + struct GNUNET_TIME_AbsoluteNBO purse_expiration; + struct GNUNET_HashCode h_contract_terms; + }; + +.. _TALER_PurseMergeSignaturePS: +.. sourcecode:: c + + struct TALER_PurseMergeSignaturePS { + /** + * purpose.purpose = TALER_SIGNATURE_PURSE_MERGE + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct TALER_ReservePublicKey reserve_pub; + struct GNUNET_TIME_AbsoluteNBO merge_timestamp; + struct GNUNET_TIME_AbsoluteNBO purse_expiration; + struct TALER_AmountNBO merge_value_after_fees; + struct GNUNET_HashCode h_contract_terms; + struct GNUNET_HashCode h_wire; + }; + + +.. _TALER_AccountMergeSignaturePS: +.. sourcecode:: c + + struct TALER_AccountMergeSignaturePS { + /** + * purpose.purpose = TALER_SIGNATURE_ACCOUNT_MERGE + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct TALER_PursePublicKey purse_pub; + struct GNUNET_TIME_AbsoluteNBO merge_timestamp; + struct GNUNET_TIME_AbsoluteNBO purse_expiration; + struct TALER_AmountNBO merge_value_after_fees; + struct GNUNET_HashCode h_contract_terms; + struct GNUNET_HashCode h_wire; + }; + + +.. _TALER_PurseMergeSuccessSignaturePS: +.. sourcecode:: c + + struct TALER_PurseMergeSuccessSignaturePS { + /** + * purpose.purpose = TALER_SIGNATURE_PURSE_MERGE_SUCCESS + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct TALER_ReservePublicKey reserve_pub; + struct TALER_PursePublicKey purse_pub; + struct TALER_AmountNBO merge_amount_after_fees; + struct GNUNET_TIME_AbsoluteNBO contract_time; + struct GNUNET_HashCode h_contract_terms; + struct GNUNET_HashCode h_wire; + }; + + +.. _TALER_AccountSetupRequestSignaturePS: +.. sourcecode:: c + + struct TALER_AccountSetupRequestSignaturePS { + /** + * purpose.purpose = TALER_SIGNATURE_ACCOUNT_SETUP_REQUEST + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct GNUNET_TIME_AbsoluteNBO kyc_timestamp; + struct TALER_AmountNBO kyc_fee; + struct GNUNET_HashCode h_wire; + }; + + +.. _TALER_AccountSetupSuccessSignaturePS: +.. sourcecode:: c + + struct TALER_AccountSetupRequestSignaturePS { + /** + * purpose.purpose = TALER_SIGNATURE_ACCOUNT_SETUP_SUCCESS + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct TALER_ReservePublicKey reserve_pub; + struct GNUNET_TIME_AbsoluteNBO now; + }; + + +.. _TALER_WadDataSignaturePS: +.. sourcecode:: c + + struct TALER_WadDataSignaturePS { + /** + * purpose.purpose = TALER_SIGNATURE_WAD_DATA + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct GNUNET_TIME_AbsoluteNBO wad_execution_time; + struct TALER_AmountNBO total_amount; + struct GNUNET_HashCode h_items; + struct TALER_WadId wad_id; + }; + +.. _TALER_WadPartnerSignaturePS: +.. sourcecode:: c + + struct TALER_WadPartnerSignaturePS { + /** + * purpose.purpose = TALER_SIGNATURE_MASTER_PARTNER_DETAILS + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct GNUNET_HashCode h_partner_base_url; + struct TALER_MasterPublicKeyP master_public_key; + struct GNUNET_TIME_AbsoluteNBO start_date; + struct GNUNET_TIME_AbsoluteNBO end_date; + struct TALER_AmountNBO wad_fee; + struct GNUNET_TIME_RelativeNBO wad_frequency; + }; + + +.. _TALER_P2PFeesPS: +.. sourcecode:: c + + struct TALER_P2PFeesPS { + /** + * purpose.purpose = TALER_SIGNATURE_P2P_FEES + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct GNUNET_TIME_AbsoluteNBO start_date; + struct GNUNET_TIME_AbsoluteNBO end_date; + struct TALER_AmountNBO kyc_fee; + struct TALER_AmountNBO purse_fee; + struct TALER_AmountNBO account_history_fee; + struct TALER_AmountNBO account_annual_fee; + struct GNUNET_TIME_RelativeNBO account_kyc_timeout; + struct GNUNET_TIME_RelativeNBO purse_timeout; + uint32_t purse_account_limit; + }; + + +.. _TALER_SIGNATURE_EXCHANGE_CONFIRM_PURSE_REFUND: +.. sourcecode:: c + + struct TALER_CoinPurseRefundConfirmationPS { + /** + * purpose.purpose = TALER_SIGNATURE_EXCHANGE_CONFIRM_PURSE_REFUND. + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct TALER_PursePublicKey purse_pub; + struct TALER_CoinSpendPublicKeyP coin_pub; + struct TALER_MerchantPublicKeyP merchant; + struct TALER_AmountNBO remaining_amount; + struct TALER_AmountNBO purse_fee_share; + struct TALER_AmountNBO refund_fee; + }; + + +.. _TALER_DenominationKeyAnnouncementPS: +.. sourcecode:: c + + struct TALER_DenominationKeyAnnouncementPS { + /** + * purpose.purpose = TALER_SIGNATURE_SM_DENOMINATION_KEY + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct GNUNET_HashCode h_denom_pub; + struct GNUNET_HashCode h_section_name; + struct GNUNET_TIME_AbsoluteNBO anchor_time; + struct GNUNET_TIME_RelativeNBO duration_withdraw; + }; + + +.. _TALER_SigningKeyAnnouncementPS: +.. sourcecode:: c + + struct TALER_SigningKeyAnnouncementPS { + /** + * purpose.purpose = TALER_SIGNATURE_SM_SIGNING_KEY . + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct TALER_ExchangePublicKeyP exchange_pub; + struct GNUNET_TIME_AbsoluteNBO anchor_time; + struct GNUNET_TIME_RelativeNBO duration; + }; + +.. _TALER_MasterDenominationKeyRevocationPS: +.. sourcecode:: c + + struct TALER_MasterDenominationKeyRevocationPS { + /** + * purpose.purpose = TALER_SIGNATURE_MASTER_DENOMINATION_KEY_REVOKED. + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct GNUNET_HashCode h_denom_pub; + }; + + +.. _TALER_MasterSigningKeyRevocationPS: +.. sourcecode:: c + + struct TALER_MasterSigningKeyRevocationPS { + /** + * purpose.purpose = TALER_SIGNATURE_MASTER_SIGNING_KEY_REVOKED. + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct TALER_ExchangePublicKeyP exchange_pub; + }; + + +.. _TALER_MasterAddAuditorPS: +.. sourcecode:: c + + struct TALER_MasterAddAuditorPS { + /** + * purpose.purpose = TALER_SIGNATURE_MASTER_ADD_AUDITOR + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct GNUNET_TIME_AbsoluteNBO start_date; + struct TALER_AuditorPublicKeyP auditor_pub; + struct GNUNET_HashCode h_auditor_url; + }; + +.. _TALER_MasterDelAuditorPS: +.. sourcecode:: c + + struct TALER_MasterDelAuditorPS { + /** + * purpose.purpose = TALER_SIGNATURE_MASTER_DEL_AUDITOR + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct GNUNET_TIME_AbsoluteNBO end_date; + struct TALER_AuditorPublicKeyP auditor_pub; + }; + +.. _TALER_MasterAddWirePS: +.. sourcecode:: c + + struct TALER_MasterAddWirePS { + /** + * purpose.purpose = TALER_SIGNATURE_MASTER_ADD_WIRE. + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct GNUNET_TIME_AbsoluteNBO start_date; + struct GNUNET_HashCode h_wire GNUNET_PACKED; + }; + +.. _TALER_MasterDelWirePS: +.. sourcecode:: c + + struct TALER_MasterDelWirePS { + /** + * purpose.purpose = TALER_SIGNATURE_MASTER_DEL_WIRE. + */ + struct GNUNET_CRYPTO_EccSignaturePurpose purpose; + struct GNUNET_TIME_AbsoluteNBO end_date; + struct GNUNET_HashCode h_wire GNUNET_PACKED; + }; diff --git a/core/api-exchange.rst b/core/api-exchange.rst index 1e9db1d9..ce482837 100644 --- a/core/api-exchange.rst +++ b/core/api-exchange.rst @@ -127,8 +127,8 @@ possibly by using HTTPS. // in ``denoms`` and ``signkeys``. master_public_key: EddsaPublicKey; - // Relative duration until inactive reserves are closed; not signed, expressed as - // a string in relative time in microseconds, i.e. "/Delay(1000)/" for 1 second. + // Relative duration until inactive reserves are closed; + // not signed (!), can change without notice. reserve_closing_delay: RelativeTime; // Denominations offered by this exchange. @@ -137,6 +137,11 @@ possibly by using HTTPS. // Denominations for which the exchange currently offers/requests recoup. recoup: Recoup[]; + // Fees relevant for wallet-to-wallet (or peer-to-peer) payments. + // If no fees are provided for a given time range, then the + // exchange simply does not support purses/p2p-payments at that time. + p2p_fees: P2PFees[]; + // The date when the denomination keys were last updated. list_issue_date: Timestamp; @@ -155,6 +160,7 @@ possibly by using HTTPS. // is sabotaging end-user anonymity by giving disjoint denomination keys to // different users. If an exchange were to do this, this signature allows the // clients to demonstrate to the public that the exchange is dishonest. + // Signature of `TALER_ExchangeKeySetPS` eddsa_sig: EddsaSignature; // Public EdDSA key of the exchange that was used to generate the signature. @@ -164,6 +170,66 @@ possibly by using HTTPS. eddsa_pub: EddsaPublicKey; } + .. ts:def:: P2PFees + + interface P2PFees { + + // What date (inclusive) does these fees go into effect? + start_date: Timestamp; + + // What date (exclusive) does this fees stop going into effect? + end_date: Timestamp; + + // KYC fee, charged when a user wants to create an account. + // The first year of the account_annual_fee after the KYC is + // always included. + kyc_fee: Amount; + + // Account history fee, charged when a user wants to + // obtain the full account history, and not just the + // recent transactions in an account. + account_history_fee: Amount; + + // Annual fee charged for having an open account at the + // exchange. Charged to the account. If the account + // balance is insufficient to cover this fee, the account + // is automatically deleted/closed. (Note that the exchange + // will keep the account history around for longer for + // regulatory reasons.) + account_annual_fee: Amount; + + // How long will the exchange preserve the account history? + // After an account was deleted/closed, the exchange will + // retain the account history for legal reasons until this time. + legal_history_retention: RelativeTime; + + // How long does the exchange promise to keep funds + // an account for which the KYC has never happened + // after a purse was merged into an account? Basically, + // after this time funds in an account without KYC are + // forfeit. + account_kyc_timeout: RelativeTime; + + // Purse fee, charged only if a purse is abandoned + // and was not covered by the account limit. + purse_fee: Amount; + + // Non-negative number of concurrent purses that any + // account holder is allowed to create without having + // to pay the purse_fee. + purse_account_limit: Integer; + + // How long does an exchange keep a purse around after a purse + // has expired (or been successfully merged)? A 'GET' request + // for a purse will succeed until the purse expiration time + // plus this value. + purse_timeout: RelativeTime; + + // Signature of `TALER_P2PFeesPS`. + master_sig: EddsaSignature; + + } + .. ts:def:: Denom interface Denom { @@ -241,6 +307,7 @@ possibly by using HTTPS. stamp_end: Timestamp; // Signature over ``key`` and ``stamp_expire`` by the exchange master key. + // Signature of `TALER_ExchangeSigningKeyValidityPS`. // Must have purpose ``TALER_SIGNATURE_MASTER_SIGNING_KEY_VALIDITY``. master_sig: EddsaSignature; } @@ -317,6 +384,10 @@ possibly by using HTTPS. // Object mapping names of wire methods (i.e. "sepa" or "x-taler-bank") // to wire fees. fees: { method : AggregateTransferFee }; + + // List of exchanges that this exchange is partnering + // with to enable wallet-to-wallet transfers. + wads: ExchangePartner[]; } The specification for the account object is: @@ -327,7 +398,8 @@ possibly by using HTTPS. // ``payto://`` URI identifying the account and wire method payto_uri: string; - // Signature using the exchange's offline key + // Signature using the exchange's offline key over + // a `TALER_MasterWireDetailsPS` // with purpose ``TALER_SIGNATURE_MASTER_WIRE_DETAILS``. master_sig: EddsaSignature; } @@ -361,6 +433,35 @@ possibly by using HTTPS. sig: EddsaSignature; } + .. ts:def:: ExchangePartner + + interface ExchangePartner { + // Base URL of the partner exchange. + partner_base_url: string; + + // Public master key of the partner exchange. + partner_master_pub: EddsaPublicKey; + + // Wallet-to-wallet transfer wad fee charged. + wad_fee: Amount; + + // Exchange-to-exchange wad (wire) transfer frequency. + wad_frequency: RelativeTime; + + // When did this partnership begin (under these conditions)? + start_date: Timestamp; + + // How long is this partnership expected to last? + end_date: Timestamp; + + // Signature using the exchange's offline key over + // `TALER_WadPartnerSignaturePS` + // with purpose ``TALER_SIGNATURE_MASTER_PARTNER_DETAILS``. + master_sig: EddsaSignature; + } + + + ---------------------------------------------- Management operations authorized by master key @@ -443,7 +544,10 @@ Management operations authorized by master key // Fee charged by the exchange for refunding a coin of this denomination. fee_refund: Amount; - // Signature over this denomination by the denomination security module. + // Signature by the denomination security module + // over `TALER_DenominationKeyAnnouncementPS` + // for this denomination with purpose + // ``TALER_SIGNATURE_SM_DENOMINATION_KEY``. denom_secmod_sig: EddsaSignature; } @@ -465,7 +569,9 @@ Management operations authorized by master key // henceforth no longer be considered valid in legal disputes. stamp_end: Timestamp; - // Signature over this signing key by the signkey security module. + // Signature over `TALER_SigningKeyAnnouncementPS` + // for this signing key by the signkey security + // module using purpose ``TALER_SIGNATURE_SM_SIGNING_KEY``. signkey_secmod_sig: EddsaSignature; } @@ -508,7 +614,8 @@ Management operations authorized by master key // Hash of the public (RSA) key of the denomination. h_denom_pub: HashCode; - // Signature of `TALER_DenominationKeyValidityPS`. + // Signature over `TALER_DenominationKeyValidityPS`. + // Must have purpose ``TALER_SIGNATURE_MASTER_DENOMINATION_KEY_VALIDITY`` master_sig: EddsaSignature; } @@ -519,7 +626,8 @@ Management operations authorized by master key // The actual exchange's EdDSA signing public key. key: EddsaPublicKey; - // Signature by the exchange master key. + // Signature by the exchange master key over + // `TALER_ExchangeSigningKeyValidityPS`. // Must have purpose ``TALER_SIGNATURE_MASTER_SIGNING_KEY_VALIDITY``. master_sig: EddsaSignature; @@ -547,7 +655,8 @@ Management operations authorized by master key interface DenomRevocationSignature { - // Signature by the exchange master key. + // Signature by the exchange master key over a + // `TALER_MasterDenominationKeyRevocationPS`. // Must have purpose ``TALER_SIGNATURE_MASTER_DENOMINATION_KEY_REVOKED``. master_sig: EddsaSignature; @@ -574,7 +683,8 @@ Management operations authorized by master key interface SignkeyRevocationSignature { - // Signature by the exchange master key. + // Signature by the exchange master key over a + // `TALER_MasterSigningKeyRevocationPS`. // Must have purpose ``TALER_SIGNATURE_MASTER_SIGN_KEY_REVOKED``. master_sig: EddsaSignature; @@ -613,8 +723,9 @@ Management operations authorized by master key // The auditor's EdDSA signing public key. auditor_pub: EddsaPublicKey; - // Signature by the exchange master key. - // Must have purpose ``TALER_SIGNATURE_MASTER_AUDITOR_ADD``. + // Signature by the exchange master ke yover a + // `TALER_MasterAddAuditorPS`. + // Must have purpose ``TALER_SIGNATURE_MASTER_ADD_AUDITOR``. master_sig: EddsaSignature; // When does the auditor become active? @@ -657,7 +768,8 @@ Management operations authorized by master key interface AuditorTeardownMessage { - // Signature by the exchange master key. + // Signature by the exchange master key over a + // `TALER_MasterDelAuditorPS`. // Must have purpose ``TALER_SIGNATURE_MASTER_AUDITOR_DEL``. master_sig: EddsaSignature; @@ -747,10 +859,12 @@ Management operations authorized by master key payto_uri: string; // Signature using the exchange's offline key + // over a `TALER_MasterWireDetailsPS` // with purpose ``TALER_SIGNATURE_MASTER_WIRE_DETAILS``. master_sig_wire: EddsaSignature; - // Signature using the exchange's offline key + // Signature using the exchange's offline key over a + // `TALER_MasterAddWirePS` // with purpose ``TALER_SIGNATURE_MASTER_WIRE_ADD``. master_sig_add: EddsaSignature; @@ -797,7 +911,8 @@ Management operations authorized by master key // ``payto://`` URL identifying the account and wire method payto_uri: string; - // Signature using the exchange's offline key + // Signature using the exchange's offline key over a + // `TALER_MasterDelWirePS`. // with purpose ``TALER_SIGNATURE_MASTER_WIRE_DEL``. master_sig_del: EddsaSignature; @@ -811,6 +926,44 @@ Management operations authorized by master key } +.. http:post:: /management/p2pfees + + Provides fee configuration for purses. + + **Request:** + + The request must be a `P2PFees` message. + + **Response** + + :http:statuscode:`204 No content`: + The configuration update has been processed successfully. The body is empty. + :http:statuscode:`403 Forbidden`: + The signature is invalid. + :http:statuscode:`409 Conflict`: + The exchange has previously received a conflicting configuration message or the currency does not match. + + +.. http:post:: /management/partners + + Enables a partner exchange for wad transfers. + + **Request:** + + The request must be an `ExchangePartner` message. + + **Response** + + :http:statuscode:`204 No content`: + The partner has been added successfully. + :http:statuscode:`403 Forbidden`: + The signature is invalid. + :http:statuscode:`409 Conflict`: + The exchange has previously received a conflicting configuration message or the currency does not match. + + + + --------------- Auditor actions --------------- @@ -840,6 +993,7 @@ This part of the API is for the use by auditors interacting with the exchange. The auditor signature is invalid. :http:statuscode:`404 Not found`: The denomination key for which the auditor is providing a signature is unknown. + The response will be a `DenominationUnkownMessage`. :http:statuscode:`410 Gone`: This auditor is no longer supported by the exchange. :http:statuscode:`412 Precondition failed`: @@ -847,12 +1001,37 @@ This part of the API is for the use by auditors interacting with the exchange. **Details:** + .. ts:def:: DenominationUnknownMessage + + interface DenominationUnknownMessage { + + // Taler error code. + code: number; + + // Signature by the exchange over a + // `TALER_DenominationUnknownAffirmationPS`. + // Must have purpose ``TALER_SIGNATURE_EXCHANGE_AFFIRM_DENOM_UNKNOWN``. + exchange_sig: EddsaSignature; + + // Public key of the exchange used to create + // the 'exchange_sig. + exchange_pub: EddsaPublicKey; + + // Hash of the denomination public key that is unknown. + h_denom_pub: HashCode; + + // When was the signature created. + timestamp: Timestamp; + + } + .. ts:def:: AuditorSignatureAddMessage interface AuditorSignatureAddMessage { - // Signature by the auditor. - // Must have purpose ``TALER_SIGNATURE_AUDITOR_XXX``. + // Signature by the auditor over a + // `TALER_ExchangeKeyValidityPS`. + // Must have purpose ``TALER_SIGNATURE_AUDITOR_EXCHANGE_KEYS``. auditor_sig: EddsaSignature; } @@ -879,37 +1058,66 @@ exchange. advertise those terms of service. -.. http:get:: /reserves/$RESERVE_PUB +.. http:post:: /reserves/$RESERVE_PUB/status - Request information about a reserve. - - .. note:: - The client currently does not have to demonstrate knowledge of the private - key of the reserve to make this request, which makes the reserve's public - key privileged information known only to the client, their bank, and the - exchange. In the future, we might wish to revisit this decision to improve - security, such as by having the client EdDSA-sign an ECDHE key to be used - to derive a symmetric key to encrypt the response. This would be useful if - for example HTTPS were not used for communication with the exchange. + Request information about a reserve or an account. **Request:** + :query history=BOOLEAN: *Optional.* If specified, the exchange + will return the recent account history. + This is still free of charge. + :query full_history=BOOLEAN: *Optional.* If 'true' is specified, + the exchange will return the full account history. This + may incur a fee that will be charged to the account. + + The request body must be a `ReserveStatusRequest` object. + **Response:** :http:statuscode:`200 OK`: The exchange responds with a `ReserveStatus` object; the reserve was known to the exchange. + :http:statuscode:`401 Unauthorized`: + The *Account-Request-Signature* is invalid. + This response comes with a standard `ErrorDetail` response. + :http:statuscode:`403 Forbidden`: + The provided timestamp is not close to the current time. :http:statuscode:`404 Not found`: The reserve key does not belong to a reserve known to the exchange. **Details:** + .. ts:def:: ReserveStatusRequest + + interface ReserveStatusRequest { + // Signature of purpose + // ``TALER_SIGNATURE_RESERVE_STATUS_REQUEST`` over + // a `TALER_ReserveStatusRequestSignaturePS`. + reserve_sig: EddsaSignature; + + // Time when the client made the request. + // Timestamp must be reasonably close to the time of + // the exchange, otherwise the exchange may reject + // the request. + request_timestamp: Timestamp; + } + .. ts:def:: ReserveStatus interface ReserveStatus { // Balance left in the reserve. balance: Amount; + // True if the owner of the account currently satisfies + // the required KYC checks. + kyc_passed: boolean; + + // True if the reserve history includes a merge of a purse + // and thus the owner must pass KYC checks before withdrawing. + kyc_required: boolean; + // Transaction history for this reserve. + // May be partial (!). history: TransactionHistoryItem[]; } @@ -918,12 +1126,99 @@ exchange. .. ts:def:: TransactionHistoryItem // Union discriminated by the "type" field. - type ReserveTransaction = + type TransactionHistoryItem = + | AccountMergeTransaction + | AccountSetupTransaction + | ReserveHistoryTransaction | ReserveWithdrawTransaction | ReserveCreditTransaction | ReserveClosingTransaction | ReserveRecoupTransaction; + .. ts:def:: ReserveHistoryTransaction + + interface ReserveHistoryTransaction { + type: "HISTORY"; + + // Fee agreed to by the reserve owner. + history_fee: Amount; + + // Time when the request was made. + request_timestamp: Timestamp; + + // Signature created with the reserve's private key. + // Must be of purpose ``TALER_SIGNATURE_RESERVE_HISTORY_REQUEST`` over + // a `TALER_ReserveHistoryRequestSignaturePS`. + reserve_sig: EddsaSignature; + + } + + .. ts:def:: AccountSetupTransaction + + interface AccountSetupTransaction { + type: "SETUP"; + + // KYC fee agreed to by the reserve owner. + kyc_fee: Amount; + + // Time when the KYC was triggered. + kyc_timestamp: Timestamp; + + // Hash of the wire details of the account. + // Note that this hash is unsalted and potentially + // private (as it could be inverted), hence access + // to this endpoint must be authorized using the + // private key of the reserve. + h_wire: HashCode; + + // Signature created with the reserve's private key. + // Must be of purpose ``TALER_SIGNATURE_ACCOUNT_SETUP_REQUEST`` over + // a `TALER_AccountSetupRequestSignaturePS`. + reserve_sig: EddsaSignature; + + } + + .. ts:def:: AccountMergeTransaction + + interface AccountMergeTransaction { + type: "MERGE"; + + // Actual amount merged (what was left after fees). + amount: Amount; + + // Minimum amount merged (amount signed by the + // reserve and purse signatures). + minimum_amount: Amount; + + // Purse that was merged. + purse_pub: EddsaPublicKey; + + // Time of the merge. + merge_timestamp: Timestamp; + + // Expiration time of the purse. + purse_expiration: Timestamp; + + // Hash of the contract. + h_contract: HashCode; + + // Hash of the wire details of the reserve. + h_wire: HashCode; + + // Signature created with the reserve's private key. + // Must be of purpose ``TALER_SIGNATURE_ACCOUNT_MERGE`` over + // a `TALER_AccountMergeSignaturePS`. + reserve_sig: EddsaSignature; + + // Signature created with the purse's private key. + // Must be of purpose ``TALER_SIGNATURE_PURSE_MERGE`` + // over a `TALER_PurseMergeSignaturePS`. + purse_sig: EddsaSignature; + + // Deposit fees that were charged to the purse. + deposit_fees: Amount; + } + .. ts:def:: ReserveWithdrawTransaction interface ReserveWithdrawTransaction { @@ -938,8 +1233,9 @@ exchange. // Hash of the blinded coin to be signed. h_coin_envelope: HashCode; - // Signature of ``TALER_WithdrawRequestPS`` created with the reserve's - // private key. + // Signature over a `TALER_WithdrawRequestPS` + // with purpose ``TALER_SIGNATURE_WALLET_RESERVE_WITHDRAW`` + // created with the reserve's private key. reserve_sig: EddsaSignature; // Fee that is charged for withdraw. @@ -985,11 +1281,11 @@ exchange. receiver_account_details: string; // This is a signature over a - // struct ``TALER_ReserveCloseConfirmationPS`` with purpose + // struct `TALER_ReserveCloseConfirmationPS` with purpose // ``TALER_SIGNATURE_EXCHANGE_RESERVE_CLOSED``. exchange_sig: EddsaSignature; - // Public key used to create ``exchange_sig``. + // Public key used to create 'exchange_sig'. exchange_pub: EddsaPublicKey; // Time when the reserve was closed. @@ -1006,11 +1302,11 @@ exchange. amount: Amount; // This is a signature over - // a struct ``TALER_PaybackConfirmationPS`` with purpose - // ``TALER_SIGNATURE_EXCHANGE_CONFIRM_PAYBACK``. + // a struct `TALER_RecoupConfirmationPS` with purpose + // ``TALER_SIGNATURE_EXCHANGE_CONFIRM_RECOUP``. exchange_sig: EddsaSignature; - // Public key used to create ``exchange_sig``. + // Public key used to create 'exchange_sig'. exchange_pub: EddsaPublicKey; // Time when the funds were paid back into the reserve. @@ -1020,6 +1316,49 @@ exchange. coin_pub: CoinPublicKey; } + +.. http:post:: /reserves/$RESERVE_PUB/history + + Request information about the full history of + a reserve or an account. + + **Request:** + + The request body must be a `ReserveHistoryRequest` object. + + **Response:** + + :http:statuscode:`200 OK`: + The exchange responds with a `ReserveStatus` object; the reserve was known to the exchange. + :http:statuscode:`401 Unauthorized`: + The *Account-Request-Signature* is invalid. + This response comes with a standard `ErrorDetail` response. + :http:statuscode:`403 Forbidden`: + The provided timestamp is not close to the current time. + :http:statuscode:`404 Not found`: + The reserve key does not belong to a reserve known to the exchange. + :http:statuscode:`412 Precondition failed`: + The balance in the reserve is insufficient to pay for the history request. + This response comes with a standard `ErrorDetail` response. + + **Details:** + + .. ts:def:: ReserveHistoryRequest + + interface ReserveHistoryRequest { + // Signature of type + // ``TALER_SIGNATURE_RESERVE_HISTORY_REQUEST`` + // over a `TALER_ReserveHistoryRequestSignaturePS`. + reserve_sig: EddsaSignature; + + // Time when the client made the request. + // Timestamp must be reasonably close to the time of + // the exchange, otherwise the exchange may reject + // the request. + request_timestamp: Timestamp; + } + + .. http:post:: /reserves/$RESERVE_PUB/withdraw Withdraw a coin of the specified denomination. Note that the client should @@ -1037,13 +1376,23 @@ exchange. will again yield the same response, so if the network goes down during the transaction or before the client can commit the coin signature to disk, the coin is not lost. + :http:statuscode:`202 Accepted`: + This reserve has received funds from a purse and must + be upgraded to an account (with KYC) before the withdraw can + complete. Note that this response does NOT affirm that the + withdraw will ultimately complete with the requested amount. + The user should be redirected to the provided location to perform + the required KYC checks to open the account before withdrawing. + Afterwards, the request should be repeated. + The response will be an `AccountKycRedirect` object. :http:statuscode:`403 Forbidden`: The signature is invalid. :http:statuscode:`404 Not found`: The denomination key or the reserve are not known to the exchange. If the denomination key is unknown, this suggests a bug in the wallet as the - wallet should have used current denomination keys from ``/keys``. If the - reserve is unknown, the wallet should not report a hard error yet, but + wallet should have used current denomination keys from ``/keys``. + In this case, the response will be a `DenominationUnkownMessage`. + If the reserve is unknown, the wallet should not report a hard error yet, but instead simply wait for up to a day, as the wire transaction might simply not yet have completed and might be known to the exchange in the near future. In this case, the wallet should repeat the exact same request later again @@ -1052,12 +1401,45 @@ exchange. The balance of the reserve is not sufficient to withdraw a coin of the indicated denomination. The response is `WithdrawError` object. :http:statuscode:`410 Gone`: - The requested denomination key is no longer valid. It either expired or was revoked. - :http:statuscode:`412 Precondition failed`: - The requested denomination key is not yet valid. It is too early to withdraw. + The requested denomination key is not yet or no longer valid. + It either before the validity start, past the expiration or was revoked. The response is a + `DenominationExpiredMessage`. Clients must evaluate + the error code provided to understand which of the + cases this is and handle it accordingly. **Details:** + .. ts:def:: DenominationExpiredMessage + + interface DenominationExpiredMessage { + + // Taler error code. Note that beyond + // expiration this message format is also + // used if the key is not yet valid, or + // has been revoked. + code: number; + + // Signature by the exchange over a + // `TALER_DenominationExpiredAffirmationPS`. + // Must have purpose ``TALER_SIGNATURE_EXCHANGE_AFFIRM_DENOM_EXPIRED``. + exchange_sig: EddsaSignature; + + // Public key of the exchange used to create + // the 'exchange_sig. + exchange_pub: EddsaPublicKey; + + // Hash of the denomination public key that is unknown. + h_denom_pub: HashCode; + + // When was the signature created. + timestamp: Timestamp; + + // What kind of operation was requested that now + // failed? + oper: String; + } + + .. ts:def:: WithdrawRequest interface WithdrawRequest { @@ -1070,16 +1452,16 @@ exchange. coin_ev: CoinEnvelope; // Signature of `TALER_WithdrawRequestPS` created with - // the `reserves's private key <reserve-priv>`. + // the `reserves's private key <reserve-priv>` + // using purpose ``TALER_SIGNATURE_WALLET_RESERVE_WITHDRAW``. reserve_sig: EddsaSignature; } - .. ts:def:: WithdrawResponse interface WithdrawResponse { - // The blinded RSA signature over the ``coin_ev``, affirms the coin's + // The blinded RSA signature over the 'coin_ev', affirms the coin's // validity after unblinding. ev_sig: BlindedRsaSignature; @@ -1102,6 +1484,64 @@ exchange. history: TransactionHistoryItem[] } +.. _delete-reserve: + +.. http:DELETE:: /reserves/$RESERVE_PUB + + Forcefully closes a reserve. + The request header must contain an *Account-Request-Signature*. + + **Request:** + + *Account-Request-Signature*: The client must provide Base-32 encoded EdDSA signature made with ``$ACCOUNT_PRIV``, affirming its authorization to delete the account. The purpose used MUST be ``TALER_SIGNATURE_RESERVE_CLOSE``. + + :query force=BOOLEAN: *Optional.* If set to 'true' specified, the exchange + will delete the account even if there is a balance remaining. + + **Response:** + + :http:statuscode:`200 OK`: + The operation succeeded, the exchange provides details + about the account deletion. + The response will include a `ReserveClosedResponse` object. + :http:statuscode:`401 Unauthorized`: + The *Account-Request-Signature* is invalid. + This response comes with a standard `ErrorDetail` response. + :http:statuscode:`404 Not found`: + The account is unknown to the exchange. + :http:statuscode:`409 Conflict`: + The account is still has digital cash in it, the associated + wire method is ``void`` and the *force* option was not provided. + This response comes with a standard `ErrorDetail` response. + + **Details:** + + .. ts:def:: ReserveClosedResponse + + interface ReserveClosedResponse { + + // Final balance of the account. + closing_amount: Amount; + + // Current time of the exchange, used as part of + // what the exchange signs over. + close_time: Timestamp; + + // Hash of the wire account into which the remaining + // balance will be transferred. Note: may be the + // hash over ``payto://void/`, in which case the + // balance is forfeit to the profit of the exchange. + h_wire: HashCode; + + // This is a signature over a + // struct ``TALER_AccountDeleteConfirmationPS`` with purpose + // ``TALER_SIGNATURE_EXCHANGE_RESERVE_CLOSED``. + exchange_sig: EddsaSignature; + + } + + + .. _deposit-par: ------- @@ -1115,7 +1555,6 @@ credited an amount specified in the deposit permission, possibly a fraction of the total coin's value, minus the deposit fee as specified by the coin's denomination. - .. _deposit: .. http:POST:: /coins/$COIN_PUB/deposit @@ -1128,10 +1567,9 @@ denomination. exchange. The exchange MUST return a 307 or 308 redirection to the correct base URL if this is the case. - The request should contain a JSON object with the - following fields: + **Request:** - **Request:** The request body must be a `DepositRequest` object. + The request body must be a `DepositRequest` object. **Response:** @@ -1141,8 +1579,10 @@ denomination. :http:statuscode:`401 Unauthorized`: One of the signatures is invalid. :http:statuscode:`404 Not found`: - Either the denomination key is not recognized (expired or invalid) or - the wire type is not recognized. + Either the denomination key is not recognized (expired or invalid), + or the wire type is not recognized. + If the denomination key is unknown, the response will be + a `DenominationUnkownMessage`. :http:statuscode:`409 Conflict`: The deposit operation has either failed because the coin has insufficient residual value, or because the same public key of the coin has been @@ -1152,6 +1592,12 @@ denomination. The fields of the response are the same in both cases. The request should not be repeated again with this coin. In this case, the response is a `DepositDoubleSpendError`. + :http:statuscode:`410 Gone`: + The requested denomination key is not yet or no longer valid. + It either before the validity start, past the expiration or was revoked. The response is a + `DenominationExpiredMessage`. Clients must evaluate + the error code provided to understand which of the + cases this is and handle it accordingly. **Details:** @@ -1199,7 +1645,7 @@ denomination. // exchange, possibly zero if refunds are not allowed. refund_deadline: Timestamp; - // Signature of `TALER_DepositRequestPS`, made by the customer with the + // Signature over `TALER_DepositRequestPS`, made by the customer with the // `coin's private key <coin-priv>`. coin_sig: EddsaSignature; } @@ -1251,101 +1697,296 @@ denomination. .. ts:def:: CoinSpendHistoryItem - interface CoinSpendHistoryItem { - // Either "DEPOSIT", "MELT", "REFUND", "RECOUP", - // "OLD-COIN-RECOUP" or "RECOUP-REFRESH". - type: string; + // Union discriminated by the "type" field. + type CoinSpendHistoryItem = + | CoinDepositTransaction + | CoinMeltTransaction + | CoinRefundTransaction + | CoinRecoupTransaction + | CoinOldCoinRecoupTransaction + | CoinRecoupRefreshTransaction + | CoinPurseDepositTransaction + | CoinPurseRefundTransaction; + + + .. ts:def:: CoinDepositTransaction + + interface CoinDepositTransaction { + type: "DEPOSIT"; // The total amount of the coin's value absorbed (or restored in the // case of a refund) by this transaction. - // Note that for deposit and melt this means the amount given includes - // the transaction fee, while for refunds the amount given excludes - // the transaction fee. The current coin value can thus be computed by - // subtracting deposit and melt amounts and adding refund amounts from - // the coin's denomination value. + // The amount given includes + // the deposit fee. The current coin value can thus be computed by + // subtracting this amount. amount: Amount; - // Deposit fee in case of type "DEPOSIT". + // Deposit fee. deposit_fee: Amount; - // Public key of the merchant, for "DEPOSIT" operations. - merchant_pub?: EddsaPublicKey; + // Public key of the merchant. + merchant_pub: EddsaPublicKey; // Date when the operation was made. - // Only for "DEPOSIT", "RECOUP", "OLD-COIN-RECOUP" and - // "RECOUP-REFRESH" operations. - timestamp?: Timestamp; + timestamp: Timestamp; // Date until which the merchant can issue a refund to the customer via the - // exchange, possibly zero if refunds are not allowed. Only for "DEPOSIT" operations. - refund_deadline?: Timestamp; + // exchange, possibly zero if refunds are not allowed. + refund_deadline: Timestamp; - // Signature by the coin, only present if ``type`` is "DEPOSIT", "MELT", "RECOUP", - // or "RECOUP-REFRESH". - coin_sig?: EddsaSignature; + // Signature over `TALER_DepositRequestPS`, made by the customer with the + // `coin's private key <coin-priv>`. + coin_sig: EddsaSignature; - // Deposit fee in case of type "MELT". - melt_fee: Amount; + // Hash of the bank account from where we received the funds. + h_wire: HashCode; + + // Hash of the public denomination key used to sign the coin. + // Needed because 'coin_sig' signs over this, and + // that is important to fix the coin's denomination. + h_denom_pub: HashCode; + + // Hash over the proposal data of the contract that + // is being paid. + h_contract_terms: HashCode; + + } + + .. ts:def:: CoinMeltTransaction - // Commitment from the melt operation, only for "MELT". - rc?: TALER_RefreshCommitmentP; + interface CoinMeltTransaction { + type: "MELT"; - // Hash of the bank account from where we received the funds, - // only present if ``type`` is "DEPOSIT". - h_wire?: HashCode; + // The total amount of the coin's value absorbed by this transaction. + // Note that for melt this means the amount given includes + // the melt fee. The current coin value can thus be computed by + // subtracting the amounts. + amount: Amount; + + // Signature by the coin over a + // `TALER_RefreshMeltCoinAffirmationPS` of + // purpose ``TALER_SIGNATURE_WALLET_COIN_MELT``. + coin_sig: EddsaSignature; + + // Melt fee. + melt_fee: Amount; + + // Commitment from the melt operation. + rc: TALER_RefreshCommitmentP; // Hash of the public denomination key used to sign the coin. - // only present if ``type`` is "DEPOSIT", "RECOUP", - // "RECOUP-REFRESH", or "MELT". - h_denom_pub?: HashCode; + // Needed because 'coin_sig' signs over this, and + // that is important to fix the coin's denomination. + h_denom_pub: HashCode; - // Deposit fee in case of type "REFUND". - refund_fee?: Amount; + } - // Hash over the proposal data of the contract that - // is being paid (if type is "DEPOSIT") or refunded (if - // ``type`` is "REFUND"); otherwise absent. - h_contract_terms?: HashCode; + .. ts:def:: CoinRefundTransaction + + interface CoinRefundTransaction { + type: "REFUND"; + + // The total amount of the coin's value restored + // by this transaction. + // The amount given excludes the transaction fee. + // The current coin value can thus be computed by + // adding the amounts to the coin's denomination value. + amount: Amount; - // Refund transaction ID. Only present if ``type`` is - // "REFUND". - rtransaction_id?: Integer; + // Refund fee. + refund_fee: Amount; - // Coin blinding key. Only present if ``type`` is - // "RECOUP" or "RECOUP-REFRESH". - coin_blind?: DenominationBlindingKeyP; + // Hash over the proposal data of the contract that + // is being refunded. + h_contract_terms: HashCode; - // Reserve receiving the recoup. Only present if ``type`` is - // "RECOUP". - reserve_pub?: EddsaPublicKey; + // Refund transaction ID. + rtransaction_id: Integer; - // `EdDSA Signature <eddsa-sig>` authorizing the REFUND. Made with + // `EdDSA Signature <eddsa-sig>` authorizing the REFUND over a + // `TALER_MerchantRefundConfirmationPS` with + // purpose ``TALER_SIGNATURE_MERCHANT_REFUND_OK``. Made with // the `public key of the merchant <merchant-pub>`. - // Only present if ``type`` is "REFUND". - merchant_sig?: EddsaSignature; + merchant_sig: EddsaSignature; + + } + + .. ts:def:: CoinRecoupTransaction + + interface CoinRecoupTransaction { + type: "RECOUP"; + + // The total amount of the coin's value absorbed + // by this transaction. + // The current coin value can thus be computed by + // subtracting the amount from + // the coin's denomination value. + amount: Amount; + + // Date when the operation was made. + timestamp: Timestamp; + + // Signature by the coin over a + // `TALER_RecoupRequestPS` with purpose + // ``TALER_SIGNATURE_WALLET_COIN_RECOUP``. + coin_sig: EddsaSignature; + + // Hash of the public denomination key used to sign the coin. + // Needed because 'coin_sig' signs over this, and + // that is important to fix the coin's denomination. + h_denom_pub: HashCode; - // Public key of the reserve that will receive the funds, for "RECOUP" operations. - reserve_pub?: EddsaPublicKey; + // Coin blinding key. + coin_blind: DenominationBlindingKeyP; - // Signature by the exchange, only present if ``type`` is "RECOUP", - // "OLD-COIN-RECOUP" or "RECOUP-REFRESH". Signature is - // of type TALER_SIGNATURE_EXCHANGE_CONFIRM_RECOUP for "RECOUP", - // and of type TALER_SIGNATURE_EXCHANGE_CONFIRM_RECOUP_REFRESH otherwise. - exchange_sig?: EddsaSignature; + // Reserve receiving the recoup. + reserve_pub: EddsaPublicKey; - // Public key used to sign ``exchange_sig``, - // only present if ``exchange_sig`` present. - exchange_pub?: EddsaPublicKey; + // Signature by the exchange over a + // `TALER_RecoupConfirmationPS`, must be + // of purpose ``TALER_SIGNATURE_EXCHANGE_CONFIRM_RECOUP``. + exchange_sig: EddsaSignature; + + // Public key of the private key used to create 'exchange_sig'. + exchange_pub: EddsaPublicKey; + + } + + .. ts:def:: CoinOldCoinRecoupTransaction + + interface CoinOldCoinRecoupTransaction { + type: "OLD-COIN-RECOUP"; + + // The total amount of the coin's value restored + // by this transaction. + // The current coin value can thus be computed by + // adding the amount to the coin's denomination value. + amount: Amount; + + // Date when the operation was made. + timestamp: Timestamp; - // Blinding factor of the revoked new coin, - // only present if ``type`` is "REFRESH_RECOUP". + // Signature by the exchange over a + // `TALER_RecoupRefreshConfirmationPS` + // of purpose ``TALER_SIGNATURE_EXCHANGE_CONFIRM_RECOUP_REFRESH``. + exchange_sig: EddsaSignature; + + // Public key of the private key used to create 'exchange_sig'. + exchange_pub: EddsaPublicKey; + + } + + .. ts:def:: CoinRecoupRefreshTransaction + + interface CoinRecoupRefreshTransaction { + type: "RECOUP-REFRESH"; + + // The total amount of the coin's value absorbed + // by this transaction. + // The current coin value can thus be computed by + // subtracting this amounts from + // the coin's denomination value. + amount: Amount; + + // Date when the operation was made. + timestamp: Timestamp; + + // Signature by the coin over a `TALER_RecoupRequestPS` + // with purpose ``TALER_SIGNATURE_WALLET_COIN_RECOUP``. + coin_sig: EddsaSignature; + + // Hash of the public denomination key used to sign the coin. + // Needed because 'coin_sig' signs over this, and + // that is important to fix the coin's denomination. + h_denom_pub: HashCode; + + // Coin blinding key. + coin_blind: DenominationBlindingKeyP; + + // Signature by the exchange over a + // `TALER_RecoupRefreshConfirmationPS` + // of purpose ``TALER_SIGNATURE_EXCHANGE_CONFIRM_RECOUP_REFRESH``. + exchange_sig: EddsaSignature; + + // Public key used to sign 'exchange_sig'. + exchange_pub: EddsaPublicKey; + + // Blinding factor of the revoked new coin. new_coin_blinding_secret: RsaBlindingKeySecret; - // Blinded public key of the revoked new coin, - // only present if ``type`` is "REFRESH_RECOUP". + // Blinded public key of the revoked new coin. new_coin_ev: RsaBlindingKeySecret; } + .. ts:def:: CoinPurseDepositTransaction + + interface CoinPurseDepositTransaction { + type: "PURSE_DEPOSIT"; + + // The total amount of the coin's value absorbed + // by this transaction. + // Note that this means the amount given includes + // the deposit fee. The current coin value can thus be computed by + // subtracting the amount from + // the coin's denomination value. + amount: Amount; + + // Deposit fee. + deposit_fee: Amount; + + // Public key of the purse. + purse_pub: EddsaPublicKey; + + // Date when the purse was set to expire. + purse_expiration: Timestamp; + + // Signature by the coin over a + // `TALER_PurseDepositSignaturePS` of + // purpose ``TALER_SIGNATURE_PURSE_DEPOSIT``. + coin_sig: EddsaSignature; + + // Hash of the public denomination key used to sign the coin. + // Needed because 'coin_sig' signs over this, and + // that is important to fix the coin's denomination. + h_denom_pub: HashCode; + + } + + .. ts:def:: CoinPurseRefundTransaction + + interface CoinPurseRefundTransaction { + type: "PURSE_REFUND"; + + // The total amount of the coin's value restored + // by this transaction. + // The amount given excludes the refund fee. + // The current coin value can thus be computed by + // adding the amount to the coin's denomination value. + amount: Amount; + + // Refund fee (of the coin's denomination). The deposit + // fee will be waived. + refund_fee: Amount; + + // Share of the purse fee charged to this coin. + // The sum of all purse fee shares will match the + // total purse fee. + purse_fee_share: Amount; + + // Public key of the purse that expired. + purse_pub: EddsaPublicKey; + + // Signature by the exchange over a + // `TALER_CoinPurseRefundConfirmationPS` + // of purpose ``TALER_SIGNATURE_EXCHANGE_CONFIRM_PURSE_REFUND``. + exchange_sig: EddsaSignature; + + // Public key used to sign 'exchange_sig'. + exchange_pub: EddsaPublicKey; + + } + + ---------- Refreshing ---------- @@ -1382,6 +2023,8 @@ the API during normal operation. :http:statuscode:`404 Not found`: The exchange does not recognize the denomination key as belonging to the exchange, or it has expired. + If the denomination key is unknown, the response will be + a `DenominationUnkownMessage`. :http:statuscode:`409 Conflict`: The operation is not allowed as the coin has insufficient residual value, or because the same public key of the coin has been @@ -1389,6 +2032,12 @@ the API during normal operation. can be decided by looking at the error code (``TALER_EC_EXCHANGE_MELT_INSUFFICIENT_FUNDS`` or ``TALER_EC_EXCHANGE_GENERIC_COIN_CONFLICTING_DENOMINATION_KEY``). The response is `MeltForbiddenResponse` in both cases. + :http:statuscode:`410 Gone`: + The requested denomination key is not yet or no longer valid. + It either before the validity start, past the expiration or was revoked. The response is a + `DenominationExpiredMessage`. Clients must evaluate + the error code provided to understand which of the + cases this is and handle it accordingly. **Details:** @@ -1515,6 +2164,12 @@ the API during normal operation. rather verbose, as it includes most of the original /refresh/melt request, but of course expected to be primarily used for diagnostics. The response body is a `RevealConflictResponse`. + :http:statuscode:`410 Gone`: + The requested denomination key (for the fresh coins) is not yet or no longer valid. + It either before the validity start, past the expiration or was revoked. The response is a + `DenominationExpiredMessage`. Clients must evaluate + the error code provided to understand which of the + cases this is and handle it accordingly. **Details:** @@ -1659,16 +2314,24 @@ in using this API. :http:statuscode:`401 Unauthorized`: The coin's signature is invalid. :http:statuscode:`404 Not found`: - The denomination key is not in the set of denomination - keys where emergency pay back is enabled, or the blinded + The denomination key is unknown, or the blinded coin is not known to have been withdrawn. + If the denomination key is unknown, the response will be + a `DenominationUnkownMessage`. :http:statuscode:`409 Conflict`: The operation is not allowed as the coin has insufficient residual value, or because the same public key of the coin has been previously used with a different denomination. Which case it is can be decided by looking at the error code - (``TALER_EC_EXCHANGE_RECOUP_COIN_BALANCE_ZERO`` or ``TALER_EC_EXCHANGE_GENERIC_COIN_CONFLICTING_DENOMINATION_KEY``). + (``TALER_EC_EXCHANGE_RECOUP_COIN_BALANCE_ZERO`` or + ``TALER_EC_EXCHANGE_GENERIC_COIN_CONFLICTING_DENOMINATION_KEY``). The response is a `DepositDoubleSpendError`. + :http:statuscode:`410 Gone`: + The requested denomination key is not yet or no longer valid. + It either before the validity start, past the expiration or was not yet revoked. The response is a + `DenominationExpiredMessage`. Clients must evaluate + the error code provided to understand which of the + cases this is and handle it accordingly. **Details:** @@ -1707,6 +2370,7 @@ in using this API. interface RecoupWithdrawalConfirmation { // Tag to distinguish the `RecoupConfirmation` response type. refreshed: false; + // Public key of the reserve that will receive the recoup. reserve_pub: EddsaPublicKey; } @@ -1716,6 +2380,7 @@ in using this API. interface RecoupRefreshConfirmation { // Tag to distinguish the `RecoupConfirmation` response type. refreshed: true; + // Public key of the old coin that will receive the recoup. old_coin_pub: EddsaPublicKey; } @@ -1790,7 +2455,8 @@ typically also view the balance.) deposits: TrackTransferDetail[]; // Signature from the exchange made with purpose - // `TALER_SIGNATURE_EXCHANGE_CONFIRM_WIRE_DEPOSIT`. + // ``TALER_SIGNATURE_EXCHANGE_CONFIRM_WIRE_DEPOSIT`` + // over a `TALER_WireDepositDataPS`. exchange_sig: EddsaSignature; // Public EdDSA key of the exchange that was used to generate the signature. @@ -1826,7 +2492,7 @@ typically also view the balance.) **Request:** - :query merchant_sig: EdDSA signature of the merchant made with purpose ``TALER_SIGNATURE_MERCHANT_TRACK_TRANSACTION``, affirming that it is really the merchant who requires obtaining the wire transfer identifier. + :query merchant_sig: EdDSA signature of the merchant made with purpose ``TALER_SIGNATURE_MERCHANT_TRACK_TRANSACTION`` over a `TALER_DepositTrackPS`, affirming that it is really the merchant who requires obtaining the wire transfer identifier. **Response:** @@ -1839,7 +2505,7 @@ typically also view the balance.) merchant should come back later and ask again. The response body is a `TrackTransactionAcceptedResponse`. :http:statuscode:`401 Unauthorized`: - The signature is invalid. + A signature is invalid. :http:statuscode:`404 Not found`: The deposit operation is unknown to the exchange. @@ -1860,7 +2526,8 @@ typically also view the balance.) // Total amount transferred. total_amount: Amount; - // Binary-only Signature_ for purpose `TALER_SIGNATURE_EXCHANGE_CONFIRM_WIRE` + // Binary-only Signature_ with purpose ``TALER_SIGNATURE_EXCHANGE_CONFIRM_WIRE`` + // over a `TALER_ConfirmWirePS` // whereby the exchange affirms the successful wire transfer. exchange_sig: EddsaSignature; @@ -1932,7 +2599,10 @@ Refunds // EdDSA public key of the merchant. merchant_pub: EddsaPublicKey; - // EdDSA signature of the merchant affirming the refund. + // EdDSA signature of the merchant over a + // `TALER_RefundRequestPS` with purpose + // ``TALER_SIGNATURE_MERCHANT_REFUND`` + // affirming the refund. merchant_sig: EddsaPublicKey; } @@ -1942,7 +2612,9 @@ Refunds interface RefundSuccess { // The EdDSA :ref:`signature` (binary-only) with purpose - // `TALER_SIGNATURE_EXCHANGE_CONFIRM_REFUND` using a current signing key of the + // ``TALER_SIGNATURE_EXCHANGE_CONFIRM_REFUND`` over + // a `TALER_RecoupRefreshConfirmationPS` + // using a current signing key of the // exchange affirming the successful refund. exchange_sig: EddsaSignature; @@ -1971,3 +2643,692 @@ Refunds // the relevant subset of the transactions. history: CoinSpendHistoryItem[]; } + + +.. _exchange_w2w: + +-------------------------- +Wallet-to-wallet transfers +-------------------------- + +.. http:GET:: /purses/$PURSE_PUB + + Obtain information about a purse. The request header must + contain a *Purse-Request-Signature*. Endpoint used by + the party that did not create the purse. + + **Request:** + + *Purse-Request-Signature*: The client must provide Base-32 encoded EdDSA signature made with ``$PURSE_PRIV``, affirming its authorization to download the purse status. The purpose used MUST be ``TALER_SIGNATURE_PURSE_STATUS_REQUEST``. + + :query merge_timeout_ms=NUMBER: *Optional.* If specified, + the exchange + will wait up to ``timeout_ms`` milliseconds for completion + of a merge operation before sending the HTTP response. + :query deposit_timeout_ms=NUMBER: *Optional.* If specified, + the exchange + will wait up to ``timeout_ms`` milliseconds for completion + of a deposit operation before sending the HTTP response. + :query contract=BOOLEAN: *Optional.* If 'false' is specified, + the exchange will not return the encrypted contract, saving + bandwidth for clients that already know it. + + **Response:** + + :http:statuscode:`200 OK`: + The operation succeeded, the exchange provides details + about the purse. + The response will include a `PurseStatus` object. + :http:statuscode:`401 Unauthorized`: + The *Purse-Request-Signature* is invalid. + This response comes with a standard `ErrorDetail` response. + :http:statuscode:`404 Not found`: + The purse is unknown to the exchange. + + **Details:** + + .. ts:def:: PurseStatus + + interface PurseStatus { + + // Total amount deposited into the purse so far. + // If 'total_deposit_amount' minus 'deposit_fees' + // exceeds 'merge_value_after_fees', and a + // 'merge_request' exists for the purse, then the + // purse will (have been) merged with the account. + total_deposit_amount: Amount; + + // Indicative time by which the purse expires + // if it has not been merged into an account. At this + // point, all of the deposits made will be auto-refunded. + purse_expiration: Timestamp; + + // Desired total amount to be merged into the reserve. + // (excludes fees). + merge_value_after_fees: Amount; + + // Indicative time at which the exchange is answering the + // status request. Used as part of 'exchange_sig'. + status_timestamp: Timestamp; + + // Deposit fees charged so far to all deposited coins. + deposit_fees: Amount; + + // SHA-512 hash of the contact of the purse. + h_contract_terms: HashCode; + + // EdDSA signature of the exchange over a + // `TALER_PurseStatusResponseSignaturePS` + // with purpose ``TALER_SIGNATURE_PURSE_STATUS_RESPONSE`` + // affirming the purse status. + exchange_sig: EddsaSignature; + + // EdDSA public key exchange used for 'exchange_sig'. + exchange_pub: EddsaPublicKey; + + // AES-GCM Encrypted contract terms using encryption + // key derived from DH of 'contract_pub' and the 'purse_pub'. + // Optional, may be omitted if not desired by the client. + e_contract_terms?: string; + + // If a merge request was received, information about the + // merge request. Omitted if the purse has not yet received + // a merge request. + merge_request?: MergeRequest; + + } + + +.. http:POST:: /purses/$PURSE_PUB/deposit + + Deposit money into a purse. Endpoint used by the buyer. + + **Request:** + + The request body must be a `PurseRequest` object. + + **Response:** + + :http:statuscode:`200 OK`: + The operation succeeded, the exchange confirms that all + coins were deposited into the purse. + The response will include a `PurseDepositSuccess` object. + :http:statuscode:`202 Accepted`: + The payment was accepted, but insufficient to reach the + specified purse balance. If an encrypted contract was + provided, it will have been stored in the database. + The client should make further + purse deposits before the expiration deadline. + The response will include a `PurseDepositAccepted` object. + :http:statuscode:`401 Unauthorized`: + A coin signature is invalid. The response will + include a `PurseDepositSignatureErrorDetail` + :http:statuscode:`403 Forbidden`: + The server is denying the operation as a purse with a + different contract or total amount already exists. + This response comes with a standard `PurseConflict` response. + :http:statuscode:`404 Not found`: + FIXME: when exactly does this happen? + :http:statuscode:`409 Conflict`: + The deposit operation has either failed because a coin has insufficient + residual value, or because the same public key of the coin has been + previously used with a different denomination. Which case it is + can be decided by looking at the error code + (``TALER_EC_EXCHANGE_DEPOSIT_INSUFFICIENT_FUNDS`` or + ``TALER_EC_EXCHANGE_GENERIC_COIN_CONFLICTING_DENOMINATION_KEY``). + The fields of the response are the same in both cases. + The request should not be repeated again with this coin. + In this case, the response is a `PurseDepositDoubleSpendError`. + If the value of all successful coins is below the purse fee, + the exchange may not setup the purse at all. The encrypted + contract will not have been associated with the purse if this + status code is returned. However, all coins that were not + double-spent will have been deposited into the purse. + :http:statuscode:`425 Too Early`: + This response type is used if the given purse expiration time + is too far in the future (at least from the perspective + of the exchange). Thus, retrying at a later time may + succeed. The client should look at the ``Date:`` header of the response to see if a minor time difference is to blame and possibly adjust the request accordingly. + + + **Details:** + + .. ts:def:: PurseRequest + + interface PurseRequest { + + // EdDSA signature of the purse over a + // `TALER_PurseRequestSignaturePS` + // of purpose ``TALER_SIGNATURE_PURSE_REQUEST`` + // confirming the key + // invariants associated with the purse. + // (amount, h_contract_terms, expiration). + purse_sig: EddsaSignature; + + // Total amount to be paid into the purse. + // Clients may make several requests, i.e. if a + // first request failed with a double-spending error. + // The exchange will confirm the creation of the + // purse once the amount given here is reached. + merge_value_after_fees: Amount; + + // SHA-512 hash of the contact of the purse. + h_contract_terms: HashCode; + + // Client-side timestamp of when the payment was made. + payment_timestamp: Timestamp; + + // Indicative time by which the purse should expire + // if it has not been merged into an account. At this + // point, all of the deposits made will be auto-refunded. + purse_expiration: Timestamp; + + // Optional encrypted contract, in case the buyer is + // proposing the contract and thus establishing the + // purse with the payment. + contract?: EncryptedContract; + + // Array of coins being deposited into the purse. + // Maximum length is 128. + deposits: PurseDeposit[]; + } + + .. ts:def:: EncryptedContract + + interface EncryptedContract { + + // ECDH contract_public key used to encrypt the contract. + // Optional as the contract terms may already be known + // to the exchange or the other wallet from a different + // interaction. + contract_pub: TALER_EcdhEphemeralPublicKeyP; + + // AES-GCM Encrypted contract terms using encryption + // key derived from DH of ``contract_pub`` and the ``purse_pub``. + // Optional as the contract terms may already be known + // to the exchange or the other wallet from a different + // interaction. + e_contract_terms: string; + } + + .. ts:def:: PurseDeposit + + interface PurseDeposit { + + // Public key of the coin being deposited into the purse. + coin_pub: EddsaPublicKey; + + // Amount to be deposited, can be a fraction of the + // coin's total value. + contribution: Amount; + + // Hash of denomination RSA key with which the coin is signed. + denom_pub_hash: HashCode; + + // Exchange's unblinded RSA signature of the coin. + ub_sig: RsaSignature; + + // Signature over `TALER_PurseDepositSignaturePS` + // of purpose ``TALER_SIGNATURE_PURSE_DEPOSIT`` + // made by the customer with the + // `coin's private key <coin-priv>`. + coin_sig: EddsaSignature; + + } + + .. ts:def:: PurseDepositSuccess + + interface PurseDepositSuccess { + + // Total amount paid into the purse. + total_purse_amount: Amount; + + // Total deposit fees charged. + total_deposit_fees: Amount; + + // EdDSA signature of the exchange affirming the payment, + // of purpose ``TALER_SIGNATURE_PURSE_DEPOSIT_CONFIRMED`` + // over a `TALER_PurseDepositConfirmedSignaturePS`. + // Signs over the above and the purse public key and + // the hash of the contract terms. + exchange_sig: EddsaSignature; + + // public key used to create the signature. + exchange_pub: EddsaPublicKey; + + } + + .. ts:def:: PurseDepositAccepted + + interface PurseDepositAccepted { + + // Total amount paid so far into the purse, in this + // and previous requests. + total_amount_deposited: Amount; + + // Total amount contributed by the current request. + total_amount_contributed: Amount; + + } + + .. ts:def:: PurseConflict + + // Union discriminated by the "type" field. + type PurseConflict = + | PurseMergeConflict + | PurseRequestConflict; + + .. ts:def:: PurseMergeConflict + + interface PurseMergeConflict { + type: "MERGE"; + + // SHA-512 hash of the contact of the purse. + h_contract_terms: HashCode; + + // Hash of the wire details of the reserve. + h_wire: HashCode; + + // Reserve merging the purse. + reserve_pub: EddsaPublicKey; + + // Indicative time by which the purse should expire + // if it has not been merged into an account. At this + // point, all of the deposits made should be + // auto-refunded. + purse_expiration: Timestamp; + + // When was the merge request generated. + merge_timestamp: Timestamp; + + // Total amount to be merged into the reserve. + // (excludes fees). + merge_value_after_fees: Amount; + + // EdDSA signature of the purse over + // `TALER_PurseMergeSignaturePS` of + // purpose ``TALER_SIGNATURE_PURSE_MERGE`` + // confirming that the + // above details hold for this purse. + purse_sig: EddsaSignature; + } + + .. ts:def:: PurseRequestConflict + + interface PurseRequestConflict { + type: "REQUEST"; + + // SHA-512 hash of the contact of the purse. + h_contract_terms: HashCode; + + // Indicative time by which the purse should expire + // if it has not been merged into an account. At this + // point, all of the deposits made should be + // auto-refunded. + purse_expiration: Timestamp; + + // Total amount to be paid into the purse as per + // the previous request. + total_purse_amount: Amount; + + // EdDSA signature of the purse over + // `TALER_PurseRequestSignaturePS` of + // purpose ``TALER_SIGNATURE_PURSE_REQUEST`` + // confirming that the + // above details hold for this purse. + purse_sig: EddsaSignature; + + } + + .. ts:def:: PurseDepositDoubleSpendError + + interface DepositDoubleSpendError { + // Taler error code. + code: number; + + // Human-readable description of the error, i.e. "insufficient funds". + hint?: string; + + // Total amount contributed by the current request. + // Note that some coins may have been successfully + // deposited into the purse, so the total amount + // from these coins is listed here. + total_amount_contributed: Amount; + + // Public keys of coins that could not be deposited + // into the purse, mapped to the coin's histories. + coin_map: EddsaPublicKey -> CoinSpendHistoryItem[]; + } + + + .. ts:def:: PurseDepositSignatureErrorDetail + + interface PurseDepositSignatureErrorDetail { + // Taler error code, summarizing the problem. + // Note that for problems about specific + // coins, the 'coin_error_map' should be consulted. + // The 'coin_error_map' will be empty if the + // 'purse_sig' was invalid. In this case, + // the coins will not even have been checked by + // the exchange. + code: number; + + // Human-readable description of the error, i.e. "invalid siganture". + hint?: string; + + // Total amount contributed by the current request. + // Note that some coins may have been successfully + // deposited into the purse, so the total amount + // from these coins is listed here. + total_amount_contributed: Amount; + + // Public keys of coins that could not be deposited + // into the purse, mapped to the coin's histories. + coin_error_map: EddsaPublicKey -> ErrorDetail[]; + } + + +.. http:POST:: /purses/$PURSE_PUB/merge + + Merge purse with account, adding the value of the purse into + the account. Endpoint to be used by the seller. + + **Request:** + + The request body must be a `MergeRequest` object. + + :query timeout_ms=NUMBER: *Optional.* If specified, the exchange will + wait up to ``timeout_ms`` milliseconds to receive payment before + reporting on the completion of merge operation. Basically + forstalls returning a 202 response for up to timeout milliseconds + to possibly return a 200 response instead. + + **Response:** + + :http:statuscode:`200 OK`: + The operation succeeded, the exchange confirms that the + funds were merged into the account. + The response will include a `MergeSuccess` object. + :http:statuscode:`202 Accepted`: + The operation succeeded, the exchange confirms that the + merge request is valid. Alas, the purse was still not + funded and thus the actual merge is delayed. + The response will include a `MergeAccepted` object. + :http:statuscode:`401 Unauthorized`: + Account signature is invalid. + This response comes with a standard `ErrorDetail` response. + :http:statuscode:`404 Not found`: + The refund operation failed as we could not find the purse. + This response comes with a standard `ErrorDetail` response. + :http:statuscode:`410 Gone`: + The purse has already expired and thus can no longer be merged. + This response comes with a standard `ErrorDetail` response. + :http:statuscode:`429 Too Many Requests`: + This account is not at this exchange, has not yet passed the + KYC checks, or it has exceeded the number of open purses. + The client must include payment to create another purse or + wait until existing purses have expired. + + **Details:** + + .. ts:def:: MergeRequest + + interface MergeRequest { + + // payto://-URI of the account the purse is to be merged into. + // Must be of the form: 'payto://taler/$EXCHANGE_URL/$RESERVE_PUB'. + payto_uri: string; + + // EdDSA signature of the account/reserve affirming the merge + // over a `TALER_AccountMergeSignaturePS`. + // Must be of purpose ``TALER_SIGNATURE_ACCOUNT_MERGE`` + reserve_sig: EddsaSignature; + + // EdDSA signature of the purse private key affirming the merge + // over a `TALER_PurseMergeSignaturePS`. + // Must be of purpose ``TALER_SIGNATURE_PURSE_MERGE``. + purse_sig: EddsaSignature; + + // Minimum amount that must be credited to the reserve, that is + // the total value of the purse minus the deposit fees. + // If the deposit fees are lower, the contribution to the + // reserve can be higher! + merge_value_after_fees: Amount; + + // SHA-512 hash of the contact of the purse. + h_contract_terms: HashCode; + + // Client-side timestamp of when the merge request was made. + merge_timestamp: Timestamp; + + // Indicative time by which the purse should expire + // if it has not been paid. + purse_expiration: Timestamp; + + // Optional encrypted contract, in case the seller is + // proposing the contract and thus establishing the + // purse with the payment. + contract?: EncryptedContract; + + } + + .. ts:def:: MergeSuccess + + interface MergeSuccess { + + // Amount merged (excluding deposit fees). + merge_amount: Amount; + + // SHA-512 hash of the contact of the purse. + h_contract_terms: HashCode; + + // Time at which the merge came into effect. + // Maximum of the "payment_timestamp" and the + // "merge_timestamp". + contract_time: Timestamp; + + // EdDSA signature of the exchange affirming the merge of + // purpose ``TALER_SIGNATURE_PURSE_MERGE_SUCCESS`` + // over `TALER_PurseMergeSuccessSignaturePS`. + // Signs over the above and the account public key. + exchange_sig: EddsaSignature; + + // public key used to create the signature. + exchange_pub: EddsaPublicKey; + + } + + .. ts:def:: MergeAccepted + + interface MergeAccepted { + + // The number of remaining purses that can still be opened + // under the given account. + remaining_purses: Integer; + + } + + +.. http:POST:: /reserves/$RESERVE_PUB/kyc + + Upgrade a reserve to an *account*. The reserve must + (from wire transfers or merges of purses) already have a + sufficient balance to cover the KYC fee. The signature + affirms that the KYC fee can and should be charged to the reserve. + The request always updates the payto URI associated with + the reserve, even if the KYC process fails or is not completed. + + **Request:** The request body must be a `AccountSetupRequest` object. + + :query timeout_ms=NUMBER: *Optional.* If specified, the exchange will + wait up to ``timeout_ms`` milliseconds for the KYC gateway to + confirm completion of the KYC process. + + **Response:** + + :http:statuscode:`200 Ok`: + The operation succeeded, the exchange confirms that the account + can now be used. + The response will be an `AccountKycStatus` object. + :http:statuscode:`202 Accepted`: + The user should be redirected to the provided location to perform + the required KYC checks to open the account. Afterwards, the + request should be repeated. + The response will be an `AccountKycRedirect` object. + :http:statuscode:`504 Gateway Timeout`: + The exchange did not receive a confirmation from the KYC service + within the specified time period. Used when long-polling for the + result. + + **Details:** + + .. ts:def:: AccountSetupRequest + + interface AccountSetupRequest { + + // Time of the request to perform the KYC. Determines + // the KYC fee charged by the exchange. Must be + // reasonably close to the current time of the exchange. + kyc_timestamp: Timestamp; + + // Bank account to be associated with the account. + // Can be 'payto://void/' to not associate the + // account with any bank account. In this case, + // closing the account will result in the balance + // being forfeit. If the provided wire method is + // not supported by the exchange *and* not 'void', + // this is a ``Bad Request`` (HTTP status 400). + payto_uri: string; + + // EdDSA signature of the reserve affirming the request + // to create the account, must be of purpose + // ``TALER_SIGNATURE_ACCOUNT_SETUP_REQUEST`` + // and over `TALER_AccountSetupRequestSignaturePS`. + reserve_sig: EddsaPublicKey; + + } + + .. ts:def:: AccountKycStatus + + interface AccountKycStatus { + + // Current time of the exchange, used as part of + // what the exchange signs over. + now: Timestamp; + + // EdDSA signature of the exchange affirming the account + // is KYC'ed, must be of purpose + // ``TALER_SIGNATURE_ACCOUNT_SETUP_SUCCESS`` + // and over `TALER_AccountSetupRequestSignaturePS`. + exchange_sig: EddsaSignature; + + // public key used to create the signature. + exchange_pub: EddsaPublicKey; + } + + .. ts:def:: AccountKycRedirect + + interface AccountKycRedirect { + + // URL that the user should open in a browser to + // proceed with the KYC process. + kyc_url: string; + + } + + + + + +.. _exchange_wads: + + +Wads +^^^^ + +These endpoints are used to manage exchange-to-exchange payments in support of +wallet-to-wallet payments. Only another exchange should access this endpoint. + + +.. http:GET:: /wads/$WAD_ID + + Obtain information about a wad. + + **Request:** + + **Response:** + + :http:statuscode:`200 OK`: + The operation succeeded, the exchange provides details + about the wad. + The response will include a `WadDetails` object. + :http:statuscode:`404 Not found`: + The wad is unknown to the exchange. + + **Details:** + + .. ts:def:: WadDetails + + interface WadDetails { + + // Total transfer amount claimed by the exchange. + total: Amount; + + // Indicative time by which the wad was given to the + // bank to execute the wire transfer. + wad_execution_time: Timestamp; + + // Transfers aggregated in the wad. + items: WadItem[]; + + // EdDSA signature of the exchange affirming the wad + // data is correct, must be over `TALER_WadDataSignaturePS` + // and of purpose ``TALER_SIGNATURE_WAD_DATA``. + exchange_sig: EddsaSignature; + + // public key used to create the signature. + exchange_pub: EddsaPublicKey; + } + + Objects in the wad item list have the following format: + + .. ts:def:: WadItem + + interface WadItem { + + // Amount in the purse. + amount: Amount; + + // payto://-URI of the account the purse is to be merged into. + // Must be of the form: 'payto://taler/EXCHANGE_URL/RESERVE_PUB'. + payto_uri: string; + + // Purse public key. + purse_pub: EddsaPublicKey; + + // Hash of the contract. + h_contract: HashCode; + + // Indicative time by which the purse should expire + // if it has not been paid. + purse_expiration: Timestamp; + + // Client-side timestamp of when the merge request was made. + merge_timestamp: Timestamp; + + // Signature created with the reserve's private key. + // Must be of purpose ``TALER_SIGNATURE_ACCOUNT_MERGE`` + // and over `TALER_AccountMergeSignaturePS`. + reserve_sig: EddsaSignature; + + // Signature created with the purse's private key. + // Must be of purpose ``TALER_SIGNATURE_PURSE_MERGE`` + // and over `TALER_PurseMergeSignaturePS`. + purse_sig: EddsaSignature; + + // Deposit fees that were charged to the purse. + deposit_fees: Amount; + + // Wad fees that was charged to the purse. + wad_fees: Amount; + } diff --git a/core/api-merchant.rst b/core/api-merchant.rst index 5a55e2d2..d8e3c910 100644 --- a/core/api-merchant.rst +++ b/core/api-merchant.rst @@ -1546,12 +1546,21 @@ Creating orders The backend has successfully created the proposal. The response is a :ts:type:`PostOrderResponse`. :http:statuscode:`404 Not found`: - The order given used products from the inventory, but those were not found - in the inventory. Or the merchant instance is unknown (including possibly the instance being not configured for new orders). Details in the - error code. NOTE: no good way to find out which product is not in the - inventory, we MAY want to specify that in the reply. + Possible reasons are: + + (1) The order given used products from the inventory, but those were + not found in the inventory. + (2) The merchant instance is unknown (including possibly the instance + being not configured for new orders). + (3) The wire method specified is not supported by the backend. + + Details in the error code. + NOTE: currently the client has no good way to find out which product + is not in the inventory, we MAY want to specify that in the reply. :http:statuscode:`409 Conflict`: - A different proposal already exists under the specified order ID. + A different proposal already exists under the specified order ID, + or the requested currency is not supported by this backend. Details in + the error code. :http:statuscode:`410 Gone`: The order given used products from the inventory that are out of stock. The response is a :ts:type:`OutOfStockResponse`. @@ -1622,7 +1631,7 @@ Creating orders fulfillment_url?: string; } - The following `ProductSpecification` can be provided if the parts of the + The following `MinimalInventoryProduct` can be provided if the parts of the order are inventory-based, that is if the `PostOrderRequest` uses ``inventory_products``. For such products, which must be in the backend's inventory, the backend can automatically fill in the amount and other details about @@ -1968,6 +1977,9 @@ the contract!) to minimize risks from information leakage. :http:statuscode:`200 OK`: The merchant deleted the specified fields from the contract of order $ORDER_ID. + :http:statuscode:`204 No content`: + The merchant had already deleted the specified fields + from the contract of order $ORDER_ID. :http:statuscode:`400 Bad request`: The request is malformed or one of the paths is invalid. :http:statuscode:`404 Not found`: @@ -2103,10 +2115,11 @@ Informing the backend about incoming wire transfers resolve it. So in that respect, 202 is the right status code as more work remains to be done for a final resolution.) :http:statuscode:`404 Not found`: - The instance is unknown to the exchange. + The instance or account are unknown to the exchange. :http:statuscode:`409 Conflict`: The wire transfer identifier is already known to us, but for a different amount, - wire method or exchange. + wire method or exchange, or the amount reported by the exchange differs from + the amount reported by the merchant. :http:statuscode:`502 Bad gateway`: The exchange returned an error when we asked it about the ``GET /transfer`` status for this wire transfer. Details of the exchange error are returned. @@ -2352,7 +2365,7 @@ Querying known wire transfers exchange_url: string; // Serial number identifying the transfer in the merchant backend. - // Used for filgering via ``offset``. + // Used for filtering via ``offset``. transfer_serial_id: number; // Time of the execution of the wire transfer by the exchange, according to the exchange @@ -2371,6 +2384,30 @@ Querying known wire transfers } +Deleting wire transfer +---------------------- + +Deleting a wire transfer can be useful in case of a data entry +mistake. In particular, if the exchange base URL was entered +badly, deleting the old entry and adding a correct one is a +good idea. Note that deleting wire transfers is no longer possible +once we got a reply from the exchange. + +.. http:delete:: [/instances/$INSTANCE]/private/transfers/$TID + + Here, the TID ist the 'transfer_serial_id' of the transfer + to delete. + + **Response:** + + :http:statuscode:`204 No content`: + The transfer was deleted. + :http:statuscode:`404 Not found`: + The transfer was already unknown. + :http:statuscode:`409 Conflict`: + The transfer cannot be deleted anymore. + + -------------------- Backend: Giving tips -------------------- diff --git a/core/api-wire.rst b/core/api-wire.rst index fbf27469..654d72f3 100644 --- a/core/api-wire.rst +++ b/core/api-wire.rst @@ -175,7 +175,15 @@ Querying the transaction history .. ts:def:: IncomingBankTransaction - interface IncomingBankTransaction { + // Union discriminated by the "type" field. + type IncomingBankTransaction = + | IncomingReserveTransaction + | IncomingWadTransaction; + + .. ts:def:: IncomingReserveTransaction + + interface IncomingReserveTransaction { + type: "RESERVE"; // Opaque identifier of the returned record. row_id: SafeUint64; @@ -195,6 +203,35 @@ Querying the transaction history // The reserve public key extracted from the transaction details. reserve_pub: EddsaPublicKey; + + } + + .. ts:def:: IncomingWadTransaction + + interface IncomingWadTransaction { + type: "WAD"; + + // Opaque identifier of the returned record. + row_id: SafeUint64; + + // Date of the transaction. + date: Timestamp; + + // Amount transferred. + amount: Amount; + + // Payto URI to identify the receiver of funds. + // This must be one of the exchange's bank accounts. + credit_account: string; + + // Payto URI to identify the sender of funds. + debit_account: string; + + // Base URL of the exchange that originated the wad. + origin_exchange_url: string; + + // The reserve public key extracted from the transaction details. + wad_id: WadId; } @@ -308,6 +345,8 @@ exposed by bank gateways in production. Authentication failed, likely the credentials are wrong. :http:statuscode:`404 Not found`: The endpoint is wrong or the user name is unknown. The bank replies with an `ErrorDetail` object. + :http:statuscode:`409 Conflict`: + The 'reserve_pub' argument was used previously in another transfer, and the specification mandates that reserve public keys must not be reused. .. ts:def:: AddIncomingRequest diff --git a/core/index.rst b/core/index.rst index 95037d48..7ead2193 100644 --- a/core/index.rst +++ b/core/index.rst @@ -32,12 +32,13 @@ interfaces between the core components of Taler. api-common api-error api-exchange - api-wire api-merchant api-auditor + api-sync + api-wire + api-bank-merchant api-bank-integration api-bank-access wireformats - api-sync taler-uri errors diff --git a/design-documents/013-peer-to-peer-payments.rst b/design-documents/013-peer-to-peer-payments.rst index 914d87fe..68c75643 100644 --- a/design-documents/013-peer-to-peer-payments.rst +++ b/design-documents/013-peer-to-peer-payments.rst @@ -19,28 +19,25 @@ This will be used for payments via e-mail and other messaging apps, as well as possibly for transfers via NFC/QR code between mobile phones. Invoice Flow User Experience ----------------------------------- +---------------------------- .. graphviz:: digraph invoice { - settings [ - label = "Invoice flow"; - ]; ranksep="0.5" { rank = same; "inbox"; "begin"; } { rank = same; "sending"; "receiving2"; } { rank = same; "receiving"; "paying"; } { rank = same; "mid"; "midbox"; } { rank = same; "body"; "amount"; } - begin [label="Seller Inbox",shape=box]; + begin [label="Payer Inbox",shape=box]; body [label="compose\nE-mail message"]; amount [label="specify\ninvoice details"]; receiving [label="receiving...",shape=diamond]; sending [label="transmitting...",shape=diamond]; - mid [label="Seller Inbox",shape=box]; + mid [label="Payee Inbox",shape=box]; notified [label="Notification:\npayment received"]; - end [label="Seller Inbox",shape=box]; + end [label="Payee Inbox",shape=box]; begin -> body [label="(1) new"]; body -> amount [label="(2) attach invoice"]; amount -> body [label="(3) Ok"]; @@ -49,14 +46,14 @@ Invoice Flow User Experience mid -> receiving [style=dashed]; receiving -> notified [style=dashed]; notified -> end [label="(9) Acknowledge"]; - inbox [label="Buyer Inbox",shape=box]; + inbox [label="Payer Inbox",shape=box]; receiving2 [label="receiving...",shape=diamond]; - midbox [label="Buyer Inbox",shape=box]; + midbox [label="Payer Inbox",shape=box]; open [label="message with\nattached invoice"]; confirm [label="review invoice"]; paying [label="paying...", shape=diamond]; paid [label="message with\npaid invoice"]; - finbox [label="Buyer Inbox",shape=box]; + finbox [label="Payer Inbox",shape=box]; inbox -> receiving2 [style=dashed]; receiving2 -> sending [label="Internet\n(pEp)",style=dashed,dir=back]; receiving2 -> midbox [style=dashed]; @@ -69,15 +66,12 @@ Invoice Flow User Experience } Donation Flow User Experience -------------------------------------- +----------------------------- .. graphviz:: digraph donation { ranksep="0.5" - settings [ - label = "Donation flow"; - ]; { rank = same; "inbox"; "begin"; } { rank = same; "sending"; "receiving2"; } { rank = same; "body"; "amount"; } @@ -278,29 +272,44 @@ Contract metadata for W2W payments can be exchanged in three ways: Account creation ---------------- -1. The payee generates an account key, which also yields a - ``payto://taler/$EXCHANGE_BASE_URL/$ACCOUNT_PUB`` +An account is simply a reserve that has been subjected to +KYC. A reserve that has seen a purse merged into it must +be upgraded to an account before further withdraw (or close) +operations are allowed. The usual closure deadline for a +reserve is extended to the KYC deadline. + +1. The payee generates a reserve key, which also yields a + ``payto://taler/$EXCHANGE_BASE_URL/$RESERVE_PUB`` target address (for which the payee knows the corresponding - account private key). -2. When withdrawing from an account, the exchange first checks if the - customer has satisfied the KYC requirements. If not, the customer - is redirected to a Web page where they can perform the necessary - KYC operation. + reserve private key). +2. When withdrawing from a reserve that has experienced + merge operations and thus must be an account, the exchange + first checks if the customer has satisfied the KYC requirements. + If not, the customer is redirected to a Web page where they + can perform the necessary KYC operation. 3. For this, the exchange wire gateway is extended with a request to - check the KYC status of a customer based on an ``ACCOUNT_PUB``. - Possible replies are ``in-progress`` and ``succeeded``. An ``in-progress`` - status should be accompanied with + check the KYC status of a customer based on an ``RESERVE_PUB``. + Possible replies are ``in-progress`` and ``succeeded``. + An ``in-progress`` status should be accompanied with information how the customer may complete the KYC check. -4. A new exchange endpoint ``/account/$ACCOUNT_PUB/kyc`` - allows wallets to request a KYC for an - ``$ACCOUNT_PUB``. Such a request may include the requirement to pay - a **KYC fee**. The KYC fee may be charged to that account (if it exists), - or could be waved if the account was established via a wire transfer - from a partner bank. -5. If the account owner fails to perform the KYC check, the funds - in an account remain inaccessible. After a configurable duration, +4. A new exchange endpoint ``/reserves/$RESERVE_PUB/kyc`` + allows wallets to request a KYC for a + ``$RESERVE_PUB``. Such a request may include the requirement to pay + a **KYC fee**. + The KYC fee may be charged to the reserve (a sufficient + balance can be provided by the wallet by creating a purse + and merging the purse with the reserve, if needed), + or could be waved if the reserve was established via a wire transfer + from a partner bank where KYC is free. For this, the Wire + gateway API is extended with a flag that informs the exchange + that the incoming wire transfer implies a free KYC check. +5. If the account owner fails to perform the KYC check, all funds + in an reserve remain inaccessible. After a configurable duration, the funds may be considered forfeit and become the property of - the exchange where the account is located. + the exchange where the reserve is located. +6. The exchange may charge an annual **account fee**, and can + close accounts where the account balance is insufficient to + cover the account fee. Withdrawing from accounts @@ -328,21 +337,27 @@ Withdrawing from accounts Account deletion ---------------- -1. The account owner can delete an account by signing a deletion message - with the account private key. -2. This basically resets the KYC data at the exchange, preventing further use of - the account. This is helpful in case a user is concerned about having - accidentally disclosed the account private key to a third party. -3. If funds remain in the account, an error message is generated instead. The - user can pass an extra override parameter to delete accounts even if - they still contain funds. +1. A reserve owner can delete a reserve by signing a deletion message + with the reserve private key. +2. This basically resets the KYC data at the exchange, preventing + further use of the account. This is helpful in case a user is + concerned about having + accidentally disclosed the reserve private key to a third party. +3. If funds remain in the reserve, the exchange will close the + reserve and wire the funds to the associated bank account. + If no bank account is associated with the reserve, + an error message is generated instead. The + user can pass an extra override parameter to delete reserves + even if they still contain funds. 4. A related endpoint should exist for the exchange operator, possibly - using messages signed with the exchange offline key. This could be - useful in case customers die or are otherwise in need for manual - intervention that requires an account to be deleted. In this case, + using messages signed with a new exchange management key. + This could be useful in case customers die or are otherwise + in need for manual intervention that requires an account to + be deleted. In this case, remaining funds in the account should be wired to a bank account - designated in the message with the offline signature. The audit - report should contain a special note for all of these account deletions. + designated in the message with the management signature. The audit + report should contain a special note for all of these types of + account deletions. @@ -597,6 +612,409 @@ Additional considerations Taler's "one-hop withdrawal loohole". +Exchange database schema changes +-------------------------------- + +We need to exchange the existing reserves table to include bits for KYC-needed +and KYC-passed. Also, we need to store the payto://-URI of the bank account. + +Finally, we may need to keep some link to the KYC data, even though the +exchange technically does not need it, but likely there might be regulatory +reasons to have that association for legal inquiries. (However, it would +also be possible to keep that link only in the external KYC service's +database.) + +.. sourcecode:: sql + + -- Everything in one big transaction + BEGIN; + -- Check patch versioning is in place. + SELECT _v.register_patch('exchange-TBD', NULL, NULL); + -- + CREATE TABLE IF NOT EXISTS partners + (partner_serial_id BIGSERIAL UNIQUE + ,partner_master_pub BYTEA NOT NULL CHECK(LENGTH(reserve_pub)=32) + ,start_date INT8 NOT NULL + ,end_date INT8 NOT NULL + ,wad_frequency INT8 NOT NULL + ,wad_fee_val INT8 NOT NULL + ,wad_fee_frac INT4 NOT NULL + ,master_sig BYTEA NOT NULL CHECK (LENGTH(master_sig)=64)) + ,partner_base_url TEXT NOT NULL + ); + COMMENT ON TABLE partners + IS 'exchanges we do wad transfers to'; + COMMENT ON COLUMN partners.partner_master_pub + IS 'offline master public key of the partner'; + COMMENT ON COLUMN partners.start_date + IS 'starting date of the partnership'; + COMMENT ON COLUMN partners.end_date + IS 'end date of the partnership'; + COMMENT ON COLUMN partners.wad_frequency + IS 'how often do we promise to do wad transfers'; + COMMENT ON COLUMN partners.wad_fee_val + IS 'how high is the fee for a wallet to be added to a wad to this partner'; + COMMENT ON COLUMN partners.partner_base_url + IS 'base URL of the REST API for this partner'; + COMMENT ON COLUMN partners.master_sig + IS 'signature of our master public key affirming the partnership, of purpose TALER_SIGNATURE_MASTER_PARTNER_DETAILS'; + -- + ALTER TABLE reserves + ADD COLUMN kyc_needed BOOLEAN NOT NULL DEFAULT (false) + ADD COLUMN kyc_passed BOOLEAN NOT NULL DEFAULT (false) + ADD COLUMN payto_uri TEXT DEFAULT (NULL) + ADD COLUMN kyc_link TEXT DEFAULT (NULL); + COMMENT ON COLUMN reserves.kyc_needed + IS 'set to true once a reserve was merged with a purse'; + COMMENT ON COLUMN reserves.kyc_passed + IS 'set to true once the user performed the KYC check'; + COMMENT ON COLUMN reserves.payto_uri + IS 'bank account details to use in case reserve is closed'; + COMMENT ON COLUMN reserves.kyc_link + IS 'optional link to KYC data'; + -- + CREATE TABLE IF NOT EXISTS kyc_requests + (kyc_request_serial_id BIGSERIAL UNIQUE + ,reserve_uuid INT8 NOT NULL REFERENCES reserves (reserve_uuid) ON DELETE CASCADE + ,kyc_date INT8 NOT NULL + ,kyc_retry INT8 NOT NULL + ,kyc_fee_val INT8 NOT NULL + ,kyc_fee_frac INT4 NOT NULL + ,reserve_sig BYTEA NOT NULL CHECK (LENGTH(reserve_sig)=64)) + ,kyc_id TEXT NOT NULL + ,PRIMARY KEY (reserve_uuid, kyc_date) + ); + COMMENT ON TABLE kyc_requests + IS 'KYC processes initiated by the owner of a reserve'; + COMMENT ON COLUMN kyc_requests.reserve_uuid + IS 'Reserve for which the KYC request was triggered.'; + COMMENT ON COLUMN kyc_requests.reserve_sig + IS 'Signature affirming the KYC request'; + COMMENT ON COLUMN kyc_requests.kyc_fee_val + IS 'Amount paid by the reserve for the KYC process.'; + COMMENT ON COLUMN kyc_requests.kyc_date + IS 'When was the KYC process originally initiated.'; + COMMENT ON COLUMN kyc_requests.kyc_retry + IS 'Timestamp when we should next query the KYC backend for the KYC status. The maximum possible numeric value indicates that we do not need to ever check the status of this KYC process again.'; + COMMENT ON COLUMN kyc_requests.kyc_id + IS 'ID of the KYC process, used to compute the URL returned to the client as well as for the exchange to check if the KYC has completed. Format depends on the KYC process of the bank.'; + -- + CREATE TABLE IF NOT EXISTS mergers + (merge_request_serial_id BIGSERIAL UNIQUE + ,reserve_uuid BYTEA NOT NULL REFERENCES reserves (reserve_uuid) ON DELETE CASCADE + ,partner_serial_id INT8 REFERENCES partners(partner_serial_id) ON DELETE CASCADE, + ,reserve_url TEXT NOT NULL, + ,reserve_pub BYTEA NOT NULL CHECK (LENGTH(reserve_pub)=32), + ,purse_pub BYTEA NOT NULL CHECK (LENGTH(purse_pub)=32), + ,reserve_sig BYTEA NOT NULL CHECK (LENGTH(reserve_sig)=64)) + ,purse_sig BYTEA NOT NULL CHECK (LENGTH(purse_sig)=64)) + ,merge_timestamp INT8 NOT NULL + ,purse_expiration INT8 NOT NULL + ,h_contract_terms BYTEA NOT NULL CHECK (LENGTH(h_contract_terms)=64)) + ,purse_val INT8 NOT NULL + ,purse_frac INT4 NOT NULL + ,PRIMARY KEY (purse_pub) + ); + COMMENT ON TABLE mergers + IS 'Merge requests where a purse- and account-owner requested merging the purse into the account'; + COMMENT ON COLUMN mergers.reserve_uuid + IS 'identifies the reserve'; + COMMENT ON COLUMN mergers.partner_serial_id + IS 'identifies the partner exchange, NULL in case the target reserve lives at this exchange'; + COMMENT ON COLUMN mergers.reserve_url + IS 'payto://-URL of the reserve, identifies the exchange and the reserve'; + COMMENT ON COLUMN mergers.reserve_pub + IS 'public key of the target reserve'; + COMMENT ON COLUMN mergers.purse_pub + IS 'public key of the purse'; + COMMENT ON COLUMN mergers.reserve_sig + IS 'signature by the reserve private key affirming the merge'; + COMMENT ON COLUMN mergers.purse_sig + IS 'signature by the purse private key affirming the merge'; + COMMENT ON COLUMN mergers.merge_timestamp + IS 'when was the merge message signed'; + COMMENT ON COLUMN mergers.purse_expiration + IS 'when is the purse set to expire'; + COMMENT ON COLUMN mergers.h_contract_terms + IS 'hash of the contract terms both sides are to agree upon'; + COMMENT ON COLUMN mergers.purse_val + IS 'amount to be transferred from the purse to the reserve (excludes deposit fees)'; + CREATE INDEX IF NOT EXISTS mergers_reserve_uuid + ON mergers (reserve_uuid); + COMMENT ON INDEX mergers_reserve_uuid + IS 'needed in reserve history computation'; + -- + CREATE TABLE IF NOT EXISTS contracts + (contract_serial_id BIGSERIAL UNIQUE + ,purse_pub BYTEA NOT NULL CHECK (LENGTH(purse_pub)=32), + ,pub_ckey BYTEA NOT NULL CHECK (LENGTH(pub_ckey)=32)), + ,e_contract BYTEA NOT NULL, + ,PRIMARY KEY (purse_pub) + ); + COMMENT ON TABLE contracts + IS 'encrypted contracts associated with purses'; + COMMENT ON COLUMN contracts.purse_pub + IS 'public key of the purse that the contract is associated with'; + COMMENT ON COLUMN contracts.pub_ckey + IS 'Public ECDH key used to encrypt the contract, to be used with the purse private key for decryption'; + COMMENT ON COLUMN contracts.e_contract + IS 'AES-GCM encrypted contract terms (contains gzip compressed JSON after decryption)'; + -- + CREATE TABLE IF NOT EXISTS history_requests + (reserve_uuid INT8 NOT NULL REFERENCES reserves(reserve_uuid) ON DELETE CASCADE, + ,request_timestamp INT8 NOT NULL + ,reserve_sig BYTEA NOT NULL CHECK (LENGTH(reserve_sig)=64)) + ,history_fee_val INT8 NOT NULL + ,history_fee_frac INT4 NOT NULL + ,PRIMARY KEY (reserve_uuid,request_timestamp) + ); + COMMENT ON TABLE history_requests + IS 'Paid history requests issued by a client against a reserve'; + COMMENT ON COLUMN history_requests.request_timestamp + IS 'When was the history request made'; + COMMENT ON COLUMN history_requests.reserve_sig + IS 'Signature approving payment for the history request'; + COMMENT ON COLUMN history_requests.history_fee_val + IS 'History fee approved by the signature'; + -- + CREATE TABLE IF NOT EXISTS close_requests + (reserve_uuid INT8 NOT NULL REFERENCES reserves(reserve_uuid) ON DELETE CASCADE, + ,close_timestamp INT8 NOT NULL + ,reserve_sig BYTEA NOT NULL CHECK (LENGTH(reserve_sig)=64)) + ,close_val INT8 NOT NULL + ,close_frac INT4 NOT NULL + ,PRIMARY KEY (reserve_uuid,close_timestamp) + ); + COMMENT ON TABLE close_requests + IS 'Explicit requests by a reserve owner to close a reserve immediately'; + COMMENT ON COLUMN close_requests.close_timestamp + IS 'When the request was created by the client'; + COMMENT ON COLUMN close_requests.reserve_sig + IS 'Signature affirming that the reserve is to be closed'; + COMMENT ON COLUMN close_requests.close_val + IS 'Balance of the reserve at the time of closing, to be wired to the associated bank account (minus the closing fee)'; + + -- + CREATE TABLE IF NOT EXISTS purse_requests + (purse_deposit_serial_id BIGSERIAL UNIQUE + ,purse_pub BYTEA NOT NULL CHECK (LENGTH(purse_pub)=32), + ,purse_expiration INT8 NOT NULL + ,h_contract_terms BYTEA NOT NULL CHECK (LENGTH(h_contract_terms)=64) + ,amount_with_fee_val INT8 NOT NULL + ,amount_with_fee_frac INT4 NOT NULL + ,purse_sig BYTEA NOT NULL CHECK(LENGTH(purse_sig)=64) + ,PRIMARY KEY (purse_pub,coin_pub) + ); + COMMENT ON TABLE purse_requests + IS 'Requests establishing purses, associating them with a contract but without a target reserve'; + COMMENT ON COLUMN purse_requests.purse_pub + IS 'Public key of the purse'; + COMMENT ON COLUMN purse_requests.purse_expiration + IS 'When the purse is set to expire'; + COMMENT ON COLUMN purse_requests.h_contract_terms + IS 'Hash of the contract the parties are to agree to'; + COMMENT ON COLUMN purse_requests.amount_with_fee_val + IS 'Total amount expected to be in the purse'; + COMMENT ON COLUMN purse_requests.purse_sig + IS 'Signature of the purse affirming the purse parameters, of type TALER_SIGNATURE_PURSE_REQUEST'; + -- + CREATE TABLE IF NOT EXISTS purse_deposits + (purse_deposit_serial_id BIGSERIAL UNIQUE + ,purse_pub BYTEA NOT NULL CHECK (LENGTH(purse_pub)=32), + ,purse_expiration INT8 NOT NULL + ,coin_pub BYTEA NOT NULL REFERENCES known_coins (coin_pub) ON DELETE CASCADE + ,amount_with_fee_val INT8 NOT NULL + ,amount_with_fee_frac INT4 NOT NULL + ,coin_sig BYTEA NOT NULL CHECK(LENGTH(coin_sig)=64) + ,PRIMARY KEY (purse_pub,coin_pub) + ); + COMMENT ON TABLE purse_deposits + IS 'Requests depositing coins into a purse'; + COMMENT ON COLUMN purse_deposits.purse_pub + IS 'Public key of the purse'; + COMMENT ON COLUMN purse_deposits.purse_expiration + IS 'When the purse is set to expire'; + COMMENT ON COLUMN purse_deposits.coin_pub + IS 'Public key of the coin being deposited'; + COMMENT ON COLUMN purse_deposits.amount_with_fee_val + IS 'Total amount being deposited'; + COMMENT ON COLUMN purse_deposits.coin_sig + IS 'Signature of the coin affirming the deposit into the purse, of type TALER_SIGNATURE_PURSE_DEPOSIT'; + -- + CREATE TABLE IF NOT EXISTS wads_out + (wad_out_serial_id BIGSERIAL UNIQUE + ,wad_id BYTEA PRIMARY KEY CHECK (LENGTH(wad_id)=24) + ,partner_serial_id INT8 NOT NULL REFERENCES partners(partner_serial_id) ON DELETE CASCADE, + ,amount_val INT8 NOT NULL + ,amount_frac INT4 NOT NULL + ,execution_time INT8 NOT NULL + ,UNIQUE (exchange_url, execution_time) + ); + COMMENT ON TABLE wads_out + IS 'Wire transfers made to another exchange to transfer purse funds'; + COMMENT ON COLUMN wads_out.wad_id + IS 'Unique identifier of the wad, part of the wire transfer subject'; + COMMENT ON COLUMN wads_out.partner_serial_id + IS 'target exchange of the wad'; + COMMENT ON COLUMN wads_out.amount_val + IS 'Amount that was wired'; + COMMENT ON COLUMN wads_out.execution_time + IS 'Time when the wire transfer was scheduled'; + -- + CREATE TABLE IF NOT EXISTS wad_out_entries + (wad_out_entry_serial_id BIGSERIAL UNIQUE + ,wad_out_serial_id INT8 REFERENCES wads_out (wad_out_serial_id) ON DELETE CASCADE + ,reserve_pub BYTEA NOT NULL CHECK(LENGTH(reserve_pub)=32) + ,purse_pub BYTEA PRIMARY KEY CHECK(LENGTH(purse_pub)=32) + ,h_contract BYTEA NOT NULL CHECK(LENGTH(h_contract)=64) + ,purse_expiration INT8 NOT NULL + ,merge_timestamp INT8 NOT NULL + ,amount_with_fee_val INT8 NOT NULL + ,amount_with_fee_frac INT4 NOT NULL + ,wad_fee_val INT8 NOT NULL + ,wad_fee_frac INT4 NOT NULL + ,deposit_fees_val INT8 NOT NULL + ,deposit_fees_frac INT4 NOT NULL + ,reserve_sig BYTEA NOT NULL CHECK (LENGTH(reserve_sig)=64)) + ,purse_sig BYTEA NOT NULL CHECK (LENGTH(purse_sig)=64)) + ); + CREATE INDEX IF NOT EXISTS wad_out_entries_index_by_wad + ON wad_out_entries (wad_out_serial_id); + COMMENT ON TABLE wad_out_entries + IS 'Purses combined into a wad'; + COMMENT ON COLUMN wad_out_entries.wad_out_serial_id + IS 'Wad the purse was part of'; + COMMENT ON COLUMN wad_out_entries.reserve_pub + IS 'Target reserve for the purse'; + COMMENT ON COLUMN wad_out_entries.purse_pub + IS 'Public key of the purse'; + COMMENT ON COLUMN wad_out_entries.h_contract + IS 'Hash of the contract associated with the purse'; + COMMENT ON COLUMN wad_out_entries.purse_expiration + IS 'Time when the purse expires'; + COMMENT ON COLUMN wad_out_entries.merge_timestamp + IS 'Time when the merge was approved'; + COMMENT ON COLUMN wad_out_entries.amount_with_fee_val + IS 'Total amount in the purse'; + COMMENT ON COLUMN wad_out_entries.wad_fee_val + IS 'Wat fee charged to the purse'; + COMMENT ON COLUMN wad_out_entries.deposit_fees_val + IS 'Total deposit fees charged to the purse'; + COMMENT ON COLUMN wad_out_entries.reserve_sig + IS 'Signature by the receiving reserve, of purpose TALER_SIGNATURE_ACCOUNT_MERGE'; + COMMENT ON COLUMN wad_out_entries.purse_sig + IS 'Signature by the purse of purpose TALER_SIGNATURE_PURSE_MERGE'; + -- + CREATE TABLE IF NOT EXISTS wads_in + (wad_in_serial_id BIGSERIAL UNIQUE + ,wad_id BYTEA PRIMARY KEY CHECK (LENGTH(wad_id)=24) + ,origin_exchange_url TEXT NOT NULL + ,amount_val INT8 NOT NULL + ,amount_frac INT4 NOT NULL + ,arrival_time INT8 NOT NULL + ,UNIQUE (wad_id, origin_exchange_url) + ); + COMMENT ON TABLE wads_in_entries + IS 'Incoming exchange-to-exchange wad wire transfers'; + COMMENT ON COLUMN wads_in.wad_id + IS 'Unique identifier of the wad, part of the wire transfer subject'; + COMMENT ON COLUMN wads_in.origin_exchange_url + IS 'Base URL of the originating URL, also part of the wire transfer subject'; + COMMENT ON COLUMN wads_in.amount_val + IS 'Actual amount that was received by our exchange'; + COMMENT ON COLUMN wads_in.arrival_time + IS 'Time when the wad was received'; + -- + CREATE TABLE IF NOT EXISTS wad_in_entries + (wad_in_entry_serial_id BIGSERIAL UNIQUE + ,wad_in_serial_id INT8 REFERENCES wads_in (wad_serial_id) ON DELETE CASCADE + ,reserve_pub BYTEA NOT NULL CHECK(LENGTH(reserve_pub)=32) + ,purse_pub BYTEA PRIMARY KEY CHECK(LENGTH(purse_pub)=32) + ,h_contract BYTEA NOT NULL CHECK(LENGTH(h_contract)=64) + ,purse_expiration INT8 NOT NULL + ,merge_timestamp INT8 NOT NULL + ,amount_with_fee_val INT8 NOT NULL + ,amount_with_fee_frac INT4 NOT NULL + ,wad_fee_val INT8 NOT NULL + ,wad_fee_frac INT4 NOT NULL + ,deposit_fees_val INT8 NOT NULL + ,deposit_fees_frac INT4 NOT NULL + ,reserve_sig BYTEA NOT NULL CHECK (LENGTH(reserve_sig)=64)) + ,purse_sig BYTEA NOT NULL CHECK (LENGTH(purse_sig)=64)) + ); + COMMENT ON TABLE wad_in_entries + IS 'list of purses aggregated in a wad according to the sending exchange'; + COMMENT ON COLUMN wad_in_entries.wad_in_serial_id + IS 'wad for which the given purse was included in the aggregation'; + COMMENT ON COLUMN wad_in_entries.reserve_pub + IS 'target account of the purse (must be at the local exchange)'; + COMMENT ON COLUMN wad_in_entries.purse_pub + IS 'public key of the purse that was merged'; + COMMENT ON COLUMN wad_in_entries.h_contract + IS 'hash of the contract terms of the purse'; + COMMENT ON COLUMN wad_in_entries.purse_expiration + IS 'Time when the purse was set to expire'; + COMMENT ON COLUMN wad_in_entries.merge_timestamp + IS 'Time when the merge was approved'; + COMMENT ON COLUMN wad_in_entries.amount_with_fee_val + IS 'Total amount in the purse'; + COMMENT ON COLUMN wad_in_entries.wad_fee_val + IS 'Total wad fees paid by the purse'; + COMMENT ON COLUMN wad_in_entries.deposit_fees_val + IS 'Total deposit fees paid when depositing coins into the purse'; + COMMENT ON COLUMN wad_in_entries.reserve_sig + IS 'Signature by the receiving reserve, of purpose TALER_SIGNATURE_ACCOUNT_MERGE'; + COMMENT ON COLUMN wad_in_entries.purse_sig + IS 'Signature by the purse of purpose TALER_SIGNATURE_PURSE_MERGE'; + CREATE INDEX IF NOT EXISTS wad_in_entries_wad_in_serial + ON wad_in_entries (wad_in_serial_id); + CREATE INDEX IF NOT EXISTS wad_in_entries_reserve_pub + ON wad_in_entries (reserve_pub); + COMMENT ON INDEX wad_in_entries_wad_in_serial + IS 'needed to lookup all transfers associated with a wad'; + COMMENT ON INDEX wad_in_entries_reserve_pub + IS 'needed to compute reserve history'; + -- + CREATE TABLE IF NOT EXISTS p2pfees + (p2pfees_serial_id BIGSERIAL UNIQUE + ,start_date INT8 NOT NULL + ,end_date INT8 NOT NULL + ,kyc_timeout INT8 NOT NULL + ,purse_timeout INT8 NOT NULL + ,history_retention INT8 NOT NULL + ,purse_account_limit INT NOT NULL + ,kyc_fee_val INT8 NOT NULL + ,kyc_fee_frac INT4 NOT NULL + ,history_fee_val INT8 NOT NULL + ,history_fee_frac INT4 NOT NULL + ,account_fee_val INT8 NOT NULL + ,account_fee_frac INT4 NOT NULL + ,purse_fee_val INT8 NOT NULL + ,purse_fee_frac INT4 NOT NULL + ,master_sig BYTEA NOT NULL CHECK (LENGTH(master_sig)=64)) + ); + -- + CREATE TABLE IF NOT EXISTS partner_accounts + (payto_uri VARCHAR PRIMARY KEY + ,partner_serial_id INT8 REFERENCES partners(partner_serial_id) ON DELETE CASCADE, + ,partner_master_sig BYTEA CHECK (LENGTH(partner_master_sig)=64) + ,last_seen INT8 NOT NULL + ); + CREATE INDEX IF NOT EXISTS partner_accounts_index_by_partner_and_time + ON partner_accounts (partner_serial_id,last_seen); + COMMENT ON TABLE partner_accounts + IS 'Table with bank accounts of the partner exchange. Entries never expire as we need to remember the signature for the auditor.'; + COMMENT ON COLUMN wire_accounts.payto_uri + IS 'payto URI (RFC 8905) with the bank account of the partner exchange.'; + COMMENT ON COLUMN wire_accounts.partner_master_sig + IS 'Signature of purpose TALER_SIGNATURE_MASTER_WIRE_DETAILS by the partner master public key'; + COMMENT ON COLUMN wire_accounts.last_seen + IS 'Last time we saw this account as being active at the partner exchange. Used to select the most recent entry, and to detect when we should check again.'; + -- Complete transaction + COMMIT; + + + Alternatives ============ @@ -698,8 +1116,17 @@ Q / A * Q: What determines when a wad transfer can happen between two exchanges? - * Exchanges should explicitly state which other exchanges they are willing + * Exchanges explicitly state which other exchanges they are willing to do wad transfers with (and how often, at what cost). This may involve abstract policies like sharing an auditor, using the same currency and the same (banking) protocol, or other constraints (like a specific list of exchanges). + +* Q: What happens if the owner of a reserve never drains it? + + * Reserves are eventually closed. If the reserve is associated + with a bank account, the remaining funds are sent to that bank + account. If the reserve was created via a merge, and the owner + failed to associate a bank account with it (say because the + KYC step never happened), then the reserve balance is forfeit + to the exchange upon expiration. diff --git a/design-documents/018-contract-json.rst b/design-documents/018-contract-json.rst index 4208febc..2162d6ed 100644 --- a/design-documents/018-contract-json.rst +++ b/design-documents/018-contract-json.rst @@ -102,7 +102,7 @@ member of the parent object. }, } - => + => { ...props, @@ -146,6 +146,40 @@ resulting bytes are terminated with a single 0-byte and then hashed with SHA512. +Test vector +----------- + +The follwing input contains top-level and nested forgettable +fields, as well as booleans, integers, strings and objects +as well as non-forgettable fields. It is thus suitable as +a minimal interoperability test: + +.. code-block:: json + + { + "k1": 1, + "_forgettable": { + "k1": "SALT" + }, + "k2": { + "n1": true, + "_forgettable": { + "n1": "salt" + } + }, + "k3": { + "n1": "string" + } + } + +Hashing the above contract results in the following Crockford base32 encoded +hash +``287VXK8T6PXKD05W8Y94QJNEFCMRXBC9S7KNKTWGH2G2J2D7RYKPSHNH1HG9NT1K2HRHGC67W6QM6GEC4BSN1DPNEBCS0AVDT2DBP5G''. + +Note that typically the salt values must be chosen at random, only for this test we use static salt values. + + + Discussion / Q&A ================ diff --git a/frags/installing-debian.rst b/frags/installing-debian.rst index 2c36e98a..bd6f8796 100644 --- a/frags/installing-debian.rst +++ b/frags/installing-debian.rst @@ -23,15 +23,11 @@ set your ``/etc/apt/preferences`` as follows: Pin: release l=Debian-Security Pin-Priority: 1000 -A typical ``/etc/apt/sources.list`` file for this setup +A typical ``/etc/apt/sources.list.d/taler.list`` file for this setup would look like this: .. code-block:: - deb http://ftp.ch.debian.org/debian/ buster main - deb http://security.debian.org/debian-security buster/updates main - deb http://ftp.ch.debian.org/debian/ testing main - deb http://ftp.ch.debian.org/debian/ unstable main deb https://deb.taler.net/apt/debian sid main The last line is crucial, as it adds the GNU Taler packages. @@ -41,7 +37,7 @@ into your keyring and update the package lists: .. code-block:: console - # wget -O - https://taler.net/static/taler-systems.gpg.key | apt-key add - + # wget -O - https://taler.net/taler-systems.gpg.key | apt-key add - # apt update .. note:: diff --git a/frags/installing-ubuntu.rst b/frags/installing-ubuntu.rst index a72579da..12831043 100644 --- a/frags/installing-ubuntu.rst +++ b/frags/installing-ubuntu.rst @@ -2,21 +2,11 @@ To install the GNU Taler Ubuntu packages, first ensure that you have the right Ubuntu distribution. At this time, the packages are built for Ubuntu 20.04 LTS (Focal Fossa). -A typical ``/etc/apt/sources.list`` file for this setup +A typical ``/etc/apt/sources.list.d/taler.list`` file for this setup would look like this: .. code-block:: - deb http://ch.archive.ubuntu.com/ubuntu/ focal main restricted - deb http://ch.archive.ubuntu.com/ubuntu/ focal-updates main restricted - deb http://ch.archive.ubuntu.com/ubuntu/ focal-security main restricted - deb http://ch.archive.ubuntu.com/ubuntu/ focal universe restricted - deb http://ch.archive.ubuntu.com/ubuntu/ focal-updates universe restricted - deb http://ch.archive.ubuntu.com/ubuntu/ focal-security universe restricted - deb http://ch.archive.ubuntu.com/ubuntu/ focal multiverse restricted - deb http://ch.archive.ubuntu.com/ubuntu/ focal-updates multiverse restricted - deb http://ch.archive.ubuntu.com/ubuntu/ focal-security multiverse restricted - deb https://deb.taler.net/apt/ubuntu/ focal-fossa main The last line is crucial, as it adds the GNU Taler packages. @@ -26,7 +16,7 @@ into your keyring and update the package lists: .. code-block:: console - # wget -O - https://taler.net/static/taler-systems.gpg.key | apt-sign add - + # wget -O - https://taler.net/taler-systems.gpg.key | apt-key add - # apt update .. note:: diff --git a/manpages/taler-exchange-offline.1.rst b/manpages/taler-exchange-offline.1.rst index 6d800f5b..027316b6 100644 --- a/manpages/taler-exchange-offline.1.rst +++ b/manpages/taler-exchange-offline.1.rst @@ -270,6 +270,37 @@ It outputs the signature affirming the wire fees, in a format suitable for the ``upload`` subcommand. +enable-partner +-------------- + +This subcommand informs an exchange about the wad fee and frequency to apply +to a partner exchange. The arguments provided must include: + + (1) Partner exchange base URL. + (2) Partner exchange master public key. + (3) Calendar year for which the fee applies, 'now' for the current year. + (4) Wad frequency, in minutes (for example, '30'). + (5) Wad fee (for example, 'KUDOS:0.1'). + + +p2p-fees +-------- + +This subcommand configures fees related to wallet-to-wallet payments. If this configuration is not provided, wallet-to-wallet payments will be disabled by the exchange. + +The arguments provided must include: + + (1) Calendar year for which the fee applies, 'now' for the current year. + (2) KYC timeout. How long does the exchange keep a reserve open that is waiting for the KYC. + (3) KYC fee. How much will the exchange charge for performing KYC. + (4) Purse timeout. How long does the exchange keep information about a purse around after it expired or was successfully merged? + (5) Purse fee. How much will the exchange charge for an abandoned purse. Also the minimum amount that can be in a purse that is not associated with an account. + (6) Number of free purses per account. + (7) Annual fee charged to an open account. + (8) How long will the exchange preserve an account history. + (9) History fee charged when inquiring about non-recent account history. + + upload ------ diff --git a/manpages/taler-fakebank-run.1.rst b/manpages/taler-fakebank-run.1.rst new file mode 100644 index 00000000..240c7142 --- /dev/null +++ b/manpages/taler-fakebank-run.1.rst @@ -0,0 +1,62 @@ +taler-fakebank-run(1) +##################### + +.. only:: html + + Name + ==== + + **taler-fakebank-run** - run Taler "in memory" bank (with RESTful API) + +Synopsis +======== + +**taler-fakebank-run** +[**-c** *FILENAME* | **––config=**\ \ *FILENAME*] +[**-h** | **––help**] +[**-L** *LOGLEVEL* | **––loglevel=**\ \ *LOGLEVEL*] +[**-l** *FILENAME* | **––logfile=**\ \ *FILENAME*] +[**-n** *N* | **––num-threads=**\ \ *N*] +[**-v** | **––version**] + +Description +=========== + +**taler-fakebank-run** is a command-line tool to run a Taler "bank" API (HTTP REST service). The program is useful to provide the bank functionality for benchmarking or testing when LibEuFin is unavailable or otherwise unsuitable. + +Its options are as follows: + +**-C** \| **––connection-close** + Force each HTTP connection to be closed after each request (useful in + combination with **-f** to avoid having to wait for nc to time out). + +**-c** *FILENAME* \| **––config=**\ \ *FILENAME* + Use the configuration and other resources for the merchant to operate + from FILENAME. + +**-h** \| **––help** + Print short help on options. + +**-L** *LOGLEVEL* \| **––loglevel=**\ \ *LOGLEVEL* + Specifies the log level to use. Accepted values are: ``DEBUG``, ``INFO``, + ``WARNING``, ``ERROR``. + +**-l** *FILENAME* \| **––logfile=**\ \ *FILENAME* + Send logging output to *FILENAME*. + +**-n** *N* \| **––num-threads=**\ \ *N* + Use *N* threads in the thread pool. + +**-v** \| **––version** + Print version information. + +See Also +======== + +taler-exchange-httpd(1), taler.conf(5). + +Bugs +==== + +Report bugs by using https://bugs.taler.net or by sending electronic +mail to <taler@gnu.org>. diff --git a/taler-auditor-manual.rst b/taler-auditor-manual.rst index 3fe835c9..c6d73c0e 100644 --- a/taler-auditor-manual.rst +++ b/taler-auditor-manual.rst @@ -209,13 +209,31 @@ To install the Taler auditor, you can now simply run: .. code-block:: console - # apt install taler-auditor + # apt install -t sid taler-auditor For the auditor, you must manually configure access to the exchange database, the HTTP reverse proxy (typically with TLS certificates) and offline signing. Sample configuration files for the HTTP reverse proxy can be found in -``/etc/taler-exchange/``. +``/etc/taler-auditor/``. + + +Installing the GNU Taler binary packages on Ubuntu +-------------------------------------------------- + +.. include:: frags/installing-ubuntu.rst + +To install the Taler exchange, you can now simply run: + +.. code-block:: console + + # apt install -t focal-fossa taler-auditor + +For the auditor, you must manually configure access to the exchange database, +the HTTP reverse proxy (typically with TLS certificates) and offline signing. + +Sample configuration files for the HTTP reverse proxy can be found in +``/etc/taler-auditor/``. Configuration @@ -232,6 +250,19 @@ This section discusses configuration options related to the auditor. .. include:: frags/using-taler-config.rst +.. _SetupBaseUrl: + +Initial configuration +--------------------- + +You need to tell the Taler auditor configuration where the +REST API of the auditor will be available to the public: + +.. code-block:: console + + # taler-config -s auditor -o BASE_URL -V https://auditor.example.com/ + + .. _AuditorKeys: Keys @@ -294,7 +325,7 @@ choosing the backend, it is mandatory to supply the connection string - via an environment variable: ``TALER_AUDITORDB_POSTGRES_CONFIG``. -- via configuration option ``CONFIG``, under section ``[auditordb-BACKEND]``. +- via configuration option ``CONFIG``, under section ``[auditordb-$BACKEND]``. For example, the demo exchange is configured as follows: .. code-block:: ini diff --git a/taler-exchange-manual.rst b/taler-exchange-manual.rst index a143d498..c28ddaa2 100644 --- a/taler-exchange-manual.rst +++ b/taler-exchange-manual.rst @@ -319,7 +319,7 @@ To install the Taler exchange, you can now simply run: .. code-block:: console - # apt install taler-exchange + # apt install -t sid taler-exchange Note that the package does not perform any configuration work except for setting up the various users and the systemd service scripts. You still must @@ -340,7 +340,7 @@ To install the Taler exchange, you can now simply run: .. code-block:: console - # apt install taler-exchange + # apt install -t focal-fossa taler-exchange Note that the package does not perform any configuration work except for setting up the various users and the systemd service scripts. You still must @@ -442,7 +442,7 @@ choosing the backend, it is mandatory to supply the connection string - via an environment variable: ``TALER_EXCHANGEDB_POSTGRES_CONFIG``. -- via configuration option ``CONFIG``, under section ``[exchangedb-BACKEND]``. +- via configuration option ``CONFIG``, under section ``[exchangedb-$BACKEND]``. For example, the demo exchange is configured as follows: .. code-block:: ini diff --git a/taler-merchant-manual.rst b/taler-merchant-manual.rst index 6782c7ef..f8e2eb30 100644 --- a/taler-merchant-manual.rst +++ b/taler-merchant-manual.rst @@ -778,16 +778,17 @@ If everything worked as expected, the command .. code-block:: console - $ curl http://localhost:8888/ + $ curl http://localhost:8888/config -should return the message +should return some basic configuration status data about the service. -.. code-block:: none +Please note that your backend is right now likely globally reachable. You can either: - Hello, I'm a merchant's Taler backend. This HTTP server is not for humans. + * Use the ``--auth=$TOKEN`` command-line option to set an access token to be provided in an ``Authorize: Bearer $TOKEN`` HTTP header. Note that this can be used at anytime to override access control, but remains only in effect until a first instance is created or an existing instance authentication setting is modified. + * Set the ``TALER_MERCHANT_TOKEN`` environment variable to ``$TOKEN`` for the same effect. This method has the advantage of ``$TOKEN`` not being visible as a command-line interface to other local users on the same machine. + * Set up an instance with an authentication token before some unauthorized person has a chance to access the backend. As the backend is useless without any instance and the chances of remote attackers during the initial configuration is low, this is probably sufficient for most use-cases. Still, keep the first two scenarios in mind in case you ever forget your access token! -Please note that your backend is right now likely globally reachable. -Production systems should be configured to bind to a UNIX domain socket +Production systems should additionally be configured to bind to a UNIX domain socket and use TLS for improved network privacy, see :ref:`Secure setup <Secure-setup>`. |