@maximzabuti
Last active November 30, 2017 14:56
wix wework oauth and billing onboarding

Pre Registration:

To set up this flow, WeWork will provide Wix with a redirect URL, and in return we will give them an app id and an app secret.

Step 1:

The WeWork client will open a new tab to:
https://users.wix.com/signin/oauth?loginDialogContext=signup&appId=[appId]&state=[csrfToken]&scope=Billing.Manage&redirectUri=[redirectUri]&color=wework&defaultEmail=[email]

appId = the app id we provided
defaultEmail = email to be pre-filled in our login page
redirectUri = one of the pre-registered redirect URLs
csrfToken = a CSRF token that WeWork needs to generate and store (probably inside a session) so they can compare it with the returned 'state' parameter, to protect against cross-site request forgery

After we authenticate the user, we will redirect to the pre-registered redirect URI with the query parameters code=[authorizationCode]&state=[csrfToken]

csrfToken = the value WeWork provided in the request (explained above); WeWork must check it matches the stored one before using the code
authorizationCode = authorization code that will be valid for 1 minute
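The WeWork side of Step 1, as an added example that is not part of the gist: it generates the state token, stores it in the session, builds the sign-in URL, and refuses the callback unless the returned state matches (single use, constant-time compare). The redirect URI, app id and the dict-like session are assumptions.

```python
# Added example (not from the gist): WeWork-side handling of Step 1.
# Assumes a dict-like server session and a pre-registered redirect URI.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

SIGNIN_URL = "https://users.wix.com/signin/oauth"


def build_signin_url(app_id, redirect_uri, email, session):
    """Generate a fresh state token, store it in the session, build the URL."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    session["oauth_state"] = state
    params = {
        "loginDialogContext": "signup",
        "appId": app_id,
        "state": state,
        "scope": "Billing.Manage",
        "redirectUri": redirect_uri,
        "color": "wework",
        "defaultEmail": email,
    }
    return f"{SIGNIN_URL}?{urlencode(params)}"


def handle_callback(callback_url, session):
    """Validate the returned state before accepting the authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    # Pop, so a state value can never be replayed for a second callback.
    expected_state = session.pop("oauth_state", None)
    if not expected_state or not hmac.compare_digest(
        expected_state.encode("utf-8"), returned_state.encode("utf-8")
    ):
        raise ValueError("state mismatch: possible cross-site request forgery, abort")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    # The code is valid for 1 minute, so exchange it immediately (Step 2).
    return code
```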

Step 2:

WeWork will send a POST request to:

https://www.wix.com/oauth/refreshTokens

BODY =>
{
    "appId":"[appId]",
    "appSecret":"[appSecret]",
    "authorizationCode":"[authorizationCode]"
}

appId = the app id we provided
appSecret = the app secret we provided
authorizationCode = the authorization code we provided in step 1

We will return a JSON containing access token and refresh token:

{
  "accessToken":"[accessToken]",
  "refreshToken":"[refreshToken]"
}

Refresh Access Token:

Send a POST request to:

https://www.wix.com/oauth/accessTokens

BODY =>
{
    "appId":"[appId]",
    "appSecret":"[appSecret]",
    "refreshToken":"[refreshToken]"
}

appId = the app id we provided
appSecret = the app secret we provided
refreshToken = the refresh token we provided in step 2

We will return a JSON containing access token and expiration:

{
  "accessToken":"[accessToken]",
  "expiration":"[expiration]"
}

Step 3:

Register Credit Card API

API to register a default credit card for a Wix user.

  • URL

    https://billing-onboarding.wix.com/api/v1/defaultBillingAccount

  • Method:

    POST

  • Header

    X-Wix-OnBoarding-AccessToken=[string] - the user's JWT accessToken from the signup step
    X-Wix-OnBoarding-Signature=[string] - HMAC-SHA256 of the request body, uppercase hex (see the sign() function in Notes)

  • Data Params

    Request JSON payload

    Structure:

    {
      "partnerId": [string],
      "creditCard": {
          "number": [string],
          "network": [string],
          "expiration": {
              "year": [integer],
              "month": [integer]
          }
      },
      "firstName": [string],
      "lastName": [string],
      "phone": [string],
      "countryCode": [string],
      "address": [string],
      "city": [string],
      "zip": [string],
      "stateCode": [string],
      "company": [string]
    }

    ** email will be deduced from the email the user provided at signup

    Required:

    partnerId=[string] - the id of the partner => wework
    creditCard=[CreditCard] - credit card object
    creditCard.number=[string] - full credit card number; must pass Luhn validation
    creditCard.network=[string] - credit card type => visa, amex, masterCard (full list in external links)
    creditCard.expiration=[YearMonth] - credit card expiration object
    creditCard.expiration.month=[integer] - credit card expiration month, 1-based numbering (1 for January)
    creditCard.expiration.year=[integer] - credit card expiration year

    firstName=[string] - user first name
    lastName=[string] - user last name
    phone=[string] - user phone number; must pass regex validation (^[+]{0,1})([ \.-]|[0-9]){7,25}
    countryCode=[string] - ISO 3166-1 alpha-2 country code (e.g. US). This field affects VAT calculation
    address=[string] - user billing address
    city=[string] - user billing city
    zip=[string] - user billing postal code

    Optional:

    stateCode=[string] - user billing state code according to ISO 3166-2:US
    company=[string] - name of the company

    Example:

    HEADER => 
    "X-Wix-OnBoarding-AccessToken": "eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJzdmxhZGFAZ21haWwuY29tIiwic2NvcGVzIjpbIlJPTEVfQURNSU4iLCJST0xFX1BSRU1JVU1fTUVNQkVSIl0sImlzcyI6Imh0dHA6Ly9zdmxhZGEuY29tIiwiaWF0IjoxNDcyMDMzMzA4LCJleHAiOjE0NzIwMzQyMDh9.41rxtplFRw55ffqcw1Fhy2pnxggssdWUU8CDOherC0Kw4sgt3-rw_mPSWSgQgsR0NLndFcMPh7LSQt5mkYqROQ",
    "X-Wix-OnBoarding-Signature": "4B108B7E406F9475E1B53552A66835C479396FF8C862001C2530ACC1402B8A55"
    BODY =>
    {
        "partnerId": "WeWork",
        "creditCard": {
            "number": "4111111111111111",
            "network": "visa",
            "expiration": {
                    "year": 2018,
                    "month": 1
            }
        },
        "firstName": "John",
        "lastName": "Doe",
        "countryCode": "US",
        "stateCode": "US-NY",
        "address": "1 road",
        "city": "New York",
        "zip": "12345",
        "phone": "8682827123",
        "company": "Tesla"
    }
  • Success Response:

    • Code: 200
      Content: { "success": true, "billingAccountId": "xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx" }
  • Error Response Examples:

    • Code: 401 UNAUTHORIZED
      Description: User Authentication / Authorization failed
      Content: { "success": false, "errorDescription": "Invalid access token" }

    • Code: 400 BAD REQUEST
      Description: User Authentication / Authorization failed
      Content: { "success": false, "errorDescription": "Missing parameter: 'ccNumber'" }

    • Code: 400 BAD REQUEST
      Description: Invalid Card Number
      Content: { "success": false, "errorDescription": "Invalid Card Number" }

    • Code: 400 BAD REQUEST
      Description: Phone Number Too Short
      Content: { "success": false, "errorDescription": "Phone Number Too Short" }

  • Sample Call:

      $ curl https://billing-onboarding.wix.com/api/v1/defaultBillingAccount -X POST \
      -H "Content-Type: application/json" \
      -H "X-Wix-OnBoarding-Signature: 4B108B7E406F9475E1B53552A66835C479396FF8C862001C2530ACC1402B8A55" \
      -H "X-Wix-OnBoarding-AccessToken: eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJzdmxhZGFAZ21haWwuY29tIiwic2NvcGVzIjpbIlJPTEVfQURNSU4iLCJST0xFX1BSRU1JVU1fTUVNQkVSIl0sImlzcyI6Imh0dHA6Ly9zdmxhZGEuY29tIiwiaWF0IjoxNDcyMDMzMzA4LCJleHAiOjE0NzIwMzQyMDh9.41rxtplFRw55ffqcw1Fhy2pnxggssdWUU8CDOherC0Kw4sgt3-rw_mPSWSgQgsR0NLndFcMPh7LSQt5mkYqROQ" \
      -d '{"partnerId": "WeWork", "ccNumber": "4111111111111111","creditCardNetwork": "visa","ccExpirationMonth": "1","ccExpirationYear": "2018","countryCode": "US","firstName": "John","lastName": "Doe","address1": "1 road","city": "New York","zip": "12345","phone1": "8682827123","stateCode": "US-NY","company": "Tesla"}'

Update Credit Card API

API to update the default credit card of a Wix user. The Create and Update APIs share the same specification; they are differentiated only by HTTP method.


  • Notes:

    • Test / live URLs will be provided accordingly as soon as they are ready
    • The X-Wix-OnBoarding-AccessToken is the accessToken that was received during the OAuth process
    • The X-Wix-OnBoarding-Signature is the result of calling the sign() function below on the request body (the secret will be provided upon request)

    import javax.crypto.Mac
    import javax.crypto.spec.SecretKeySpec

    // HMAC-SHA256 over the UTF-8 bytes of message, rendered as uppercase hex
    def sign(secret: String, message: String): String = {
      val mac = Mac.getInstance("HmacSHA256")
      mac.init(new SecretKeySpec(secret.getBytes("UTF-8"), "HmacSHA256"))
      mac.doFinal(message.getBytes("UTF-8")).map("%02X" format _).mkString
    }

    sign("xxxxx", "yyy") => "4B108B7E406F9475E1B53552A66835C479396FF8C862001C2530ACC1402B8A55"
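A Python equivalent of the sign() function above together with the check the receiving side runs, added here as an example and not code from the gist. It signs the exact serialized body bytes that go on the wire (re-serializing the JSON would change the digest) and compares in constant time; the secret and access token are constructed placeholders.

```python
# Added example (not the gist's own code): Python equivalent of the Scala
# sign() plus the receiver-side check. SHARED_SECRET is a placeholder; the
# real secret is provided by Wix on request.
import hashlib
import hmac
import json

SHARED_SECRET = "xxxxx"  # constructed placeholder, not a real secret


def sign(secret, message):
    """HMAC-SHA256 over the UTF-8 bytes of message, uppercase hex like the Scala sign()."""
    mac = hmac.new(secret.encode("utf-8"), message.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest().upper()


def signed_request(secret, access_token, payload):
    """Serialize once and sign exactly the bytes that will be sent as the body."""
    body = json.dumps(payload, separators=(",", ":"))
    headers = {
        "Content-Type": "application/json",
        "X-Wix-OnBoarding-AccessToken": access_token,
        "X-Wix-OnBoarding-Signature": sign(secret, body),
    }
    return headers, body


def verify_signature(secret, raw_body, signature_header):
    """Receiver side: recompute over the raw body as received, constant-time compare."""
    expected = sign(secret, raw_body)
    return hmac.compare_digest(
        expected.encode("utf-8"), signature_header.upper().encode("utf-8")
    )
```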