ShopSite Forums

[abbaroo]

I'm working on a website that uses shopsite to sell their products. We also have our own database of registered customers, which uses php and mySQL.
We have an admin area so that we can manage customer accounts, etc. We would like to have a way for these admin people to view customer orders without having to login to shopsite, as we don't want to give them full access to this area. Do you have any examples of php scripts that can retrieve this order data?

[Jim]

There are 2 ways you could handle this.
You could use the Order API (Merchandising > Order API) method to capture the order just as it is being placed. The information from the order is passed in Name-Value pairs to script that you create. You can do just about anything with the data at that point, update a remote database, send email, etc.
See http://shopsite.com/help/11.1/en-US/sc/pro/order.api.html for help on using Order API

The second method would be to use the automated xml download functionality. You create an application that requests the data from the database and it is downloaded in an XML format. See the help at http://shopsite.com/help/11.1/en-US/sc/pro/orders.download.format.xml-auto.html .

[abbaroo]

I was thinking of using the second method, as I don't really need to capture the order as it happens. We just need to view orders at any given time.
I looked at the sample code in the example and it looks like C code, but I would like to do this as a php script from the web. I've been looking over the php socket functions, which I assume would work. Where do I get the client ID & authorization codes?

Thank you for the help.

[Jim]

What version of ShopSite will you be interfacing with? The help link I sent was for version 11. In that version you get the client ID & authorization codes under Utilities > Applications. You "Add" an application and the required field will be generated. I believe those are new fields for ShopSite 11.

If you have a previous version of ShopSite the specs are different, so you would need to look at the help for that version.
Here is a link to the ShopSite 10.2 help.
http://shopsite.com/help/10.2/en-US/sc/pro/orders.download.format.xml-auto.html
I don't think there are any special values required for this method other than the merchant key if that feature is enabled.

[abbaroo]

It's ShopSite® Pro 11 r1.2. I added an application and got the key values. Thank you very much.
Now to program it and see how that all goes.

[abbaroo]

Now that I'm getting more into this. I have more questions.

I do the first part, sending authorization request to the socket. Am I supposed to get a response? I checked and there was none.

For the next part, requesting the download data, there's this part
token = MTMwMjA5NjAyOHxkZWJiaWV8MnxCYWlsZXl8MjU2fA==
Is that a unique token value? If so, where do I get this from?

Then there's this one:
signature for download request (request URL and query string, signed with secret key, then base64 encoded) = LXIUwI9RSLqzd19GpOJnbO0hTQg=

How is that created?

[Jim]

Have you reviewed the code found in http://www.shopsite.com/help/11.0/en-US/sc/pro/oauth_sample.zip That may give you the information you are looking for.

[abbaroo]

I've looked at it a little bit, but I guess I need to figure it out a bit more.

[abbaroo]

Now I decided to try that sample program to figure this out. I open up the folder in Windows, and double click on oauth_sample.exe, but I get the error message - The parameter is incorrect. Which parameter? Maybe I'm supposed to run this at the command line. OK, so maybe I can figure it out by looking at the source code. I look for the normal main(argc, argv) in typical C programs, but there is none. So that makes it a little hard to see what I should enter as parameters, and to follow the overall flow of this program.

OK, fine. Now I decide to look at download.c, since I do want to download order information. In the Download() function it's using curl(), which is fine too, but the example at http://shopsite.com/help/11.1/en-US/sc/pro/index.htm?page=/help/11.1/en-US/sc/pro/orders.download.format.xml-auto.html
uses sockets. I don't see any socket code in the oauth_sample.zip files, so should I use curl? or use sockets?

As you can see, it's a bit frustrating. It would be nice if the sample code was a bit more documented to follow the sequence needed to do this.

[abbaroo]

I'm giving this a shot with curl. I got it to make the connection, but now I'm getting this error:

{ "error" : "invalid_client", "error_description" : "client authentication failed" }

I figure maybe I'm doing something wrong setting up the string to do the authorization, so I use the example code with secret key, etc. and I get this string:
grant_type=authorization_code&code=MTQxMDZ8ZGViYmllfDJ8&client_credentials=QjlEMzI5OUI6ODAwMjZiYzc=&signature=YWRmYzM0OTM2ZDY1ZjU4NzU3OTc0YWY2ZTM0NTMwZmI3NjlhZjQwZQ==

As you can see the signature value is a different value from what the example shows. In the C program there's a line that says:

Code: Select all

/* Decrypt the secret key */
  decrypt(encrypted_secret_key, &secret_key);  /* use your own encryption/decryption */


Maybe that's what I'm missing, so what would be the corresponding code to do this in a php script?

Here is my code to do this:

Code: Select all

$host_url = "https://slate.secure-host.com";
$port = 443;   // https port
$auth_nonce = "80026bc7";
$auth_link = "/cgi-wellnesscenter/sb/authorize.cgi";

$client_id = "B9D3299B";
$secret_key = "CCAB-DFB5-C73A-5228";
$auth_code = "MTQxMDZ8ZGViYmllfDJ8";

$client_nonce = sprintf("%s:%s", $client_id, $auth_nonce);
$client_cred = base64_encode($client_nonce);

$sig_hash = hash_hmac('sha1', $client_cred, $secret_key);
$signature = base64_encode($sig_hash);

$auth_message = "grant_type=authorization_code&code=" . $auth_code;
$auth_message .= "&client_credentials=" . $client_cred;
$auth_message .= "&signature=" . $signature;

/* Initialize curl */
$ch = curl_init();

/* Make request to the authorization server */
$auth_url = $host_url . $auth_link;
curl_setopt($ch, CURLOPT_URL, $auth_url);
curl_setopt($ch, CURLOPT_PORT, $port);

/* POST is required, no other method is accepted */
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $auth_message);

$curl_rc = curl_exec($ch);
echo "curl_rc: $curl_rc <br>\n\n";

if ($curl_rc === false) {
   echo "Curl error : " . curl_error($ch);
}

echo $auth_message;


[loren_d_c]

Instead of:
$sig_hash = hash_hmac('sha1', $client_cred, $secret_key);

Try:
$sig_hash = hash_hmac('sha1', $client_cred, $secret_key, true);

With the 'true' parameter, the function will result in the actual binary data. So it won't look very good if you try to print the $sig_hash value to a file or to your terminal, but once you have base64_encode'd it, it should look better

-Loren

[abbaroo]

That fixed it. Thank you so much, Loren.

Now that I'm authorized, I'll see about actually getting the data.

[loren_d_c]

Note that one thing I have found is that the authorization data is not currently valid JSON, so the PHP json_decode function will not work with it, you will have to parse the authorization string for the tokens yourself using string functions (such as strstr and strtok), like the example .c files do.

-Loren

[loren_d_c]

Oh, and regarding the /* use your own encryption/decryption */ comments in the example .c files, this is only if your app uses a config file with the connection info in an encrypted format or something. If you haven't encrypted these values, then you don't have to worry about decrypting them, you can use the plain values straight from the Utilities -> Applications -> Edit menu.

-Loren

[abbaroo]

Ah yes, I did notice that the JSON that was returned was missing some commas, and json_decode() was returning null, so I was able to deal with that.
I got an access token from all that, and then tried to go to what I want to do, download some order information.
I put together the following code to do this, but I get

Error: access_denied, client and server signatures do not match

Code: Select all

$download_nonce = "503bb763";
$access_token = $auth_vals["access_token"];
$order_url = $auth_vals["download_url"];

$order_message = "clientApp=1&dbname=orders&version=11.0";
$order_message .= "&token=" . $access_token;
$order_message .= "&timestamp=" . time();
$order_message .= "&nonce=" . $download_nonce;
$order_message .= "&pay=no_cvv";

$order_string = $order_url . "?" . $order_message;
$order_hash = hash_hmac('sha1', $order_string, $secret_key, true);
$download_sig = base64_encode($order_hash);

$order_message .= "&signature=" . $download_sig;


I'm not positive about what to put for the version number. Apparently we have version 11 r1.2. So would should I put in the field there?

Then there's the part about creating the signature. I'm obviously doing something wrong. The help page says

signature for download request (request URL and query string, signed with secret key, then base64 encoded)

I'm combining the request URL and query string with a "?" in between, but I'm not sure what else it needs.