Worker Expenses API #933

@srkirkland

Description

Need some API endpoints that our iPhone app can use.

Auth:
Going to generate our own API keys, which will be generated on a new /linkapp page. Hashes will be stored on the Permission obj or in a new table, so each permission can have its own key which is scoped to that permission.

Fields needed for API key

  • Hash (binary)
  • Salt (binary)
  • Lookup (binary)

So basically the user will ask for a new key for a given permission. If an existing key exists, it is revoked/overwritten. A new key is generated by:

  1. Generate a random key, say by just creating a random 32B string:

```csharp
Span<byte> secret = stackalloc byte[32]; // 32 random bytes, never persisted
RandomNumberGenerator.Fill(secret);
var apiKey = Base64UrlEncode(secret); // our secret, shown once to the user
```

  That secret will never be stored in the webapp, but we'll show it to the user and send it to the iOS app to be stored.

  2. Create a random salt and use it to create a hash with Rfc2898DeriveBytes.Pbkdf2(....), and we store the salt & hash.
  3. In order to look up the key, we should also create a lookup like:

```csharp
byte[] lookupHmac;
using (var h = new HMACSHA256(_lookupHmacKey)) // _lookupHmacKey: random server-side secret
    lookupHmac = h.ComputeHash(secret.ToArray());
```

  where secret is that secret binary and our key is just some random server secret.

  4. The phone app user sends their secret along in a header, and we validate by generating the lookup, finding the associated record, and then verifying their secret is valid according to our hash (by basically hashing their secret and checking it matches our hash).

All /api/[team]/*

  • /projects (active projects)
  • GET /rates (rates for team) - will be one query including all types of rates. basically same as existing endpoint info
  • POST /expenses - similar structure to https://harvest-test.azurewebsites.net/api/caes/Expense/Create/91 except needs to include GUID and hopefully who submitted can be derived from the JWT or something.

For /expenses

  • allow expense to post w/o checking rate table - just record sent values
  • [maybe] on approval page, get all rates by rateId and check that price == current price for that rate, check that totals match up. if not, flag the line somehow.
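
The key lifecycle sketched in the Auth section above (random secret, salted PBKDF2 hash, HMAC lookup, header verification), as an added end-to-end example that is not code from this issue or the project. It assumes .NET 6+, `WebEncoders` from Microsoft.AspNetCore.WebUtilities, an illustrative iteration count, and a caller-supplied `findByLookup` delegate standing in for the database query.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.WebUtilities; // WebEncoders (assumption: ASP.NET Core app)

// Constructed record: what the server persists per permission. The raw secret is never stored.
public sealed record ApiKeyRecord(byte[] Lookup, byte[] Salt, byte[] Hash);

public static class ApiKeys
{
    // Server-side HMAC key for the lookup column; in production load it from configuration (assumption).
    private static readonly byte[] LookupHmacKey = RandomNumberGenerator.GetBytes(32);
    private const int Pbkdf2Iterations = 100_000; // illustrative value, not from the issue
    private const int HashLength = 32;

    // Step 1: mint a fresh 32-byte secret; return the user-facing key and the record to store.
    public static (string ApiKey, ApiKeyRecord Record) Create()
    {
        byte[] secret = RandomNumberGenerator.GetBytes(32);
        string apiKey = WebEncoders.Base64UrlEncode(secret); // shown once, sent to the iOS app
        return (apiKey, BuildRecord(secret));
    }

    // Steps 2 and 3: salted PBKDF2 hash for verification, deterministic HMAC for indexed lookup.
    private static ApiKeyRecord BuildRecord(byte[] secret)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(secret, salt, Pbkdf2Iterations, HashAlgorithmName.SHA256, HashLength);
        byte[] lookup = HMACSHA256.HashData(LookupHmacKey, secret); // same secret -> same lookup
        return new ApiKeyRecord(lookup, salt, hash);
    }

    // Step 4: the app sends the key in a header; recompute the lookup, fetch the record, verify the hash.
    public static bool Verify(string presentedKey, Func<byte[], ApiKeyRecord?> findByLookup)
    {
        byte[] secret;
        try { secret = WebEncoders.Base64UrlDecode(presentedKey); }
        catch (FormatException) { return false; } // malformed header value

        byte[] lookup = HMACSHA256.HashData(LookupHmacKey, secret);
        ApiKeyRecord? record = findByLookup(lookup);
        if (record is null) return false; // unknown or revoked key

        byte[] candidate = Rfc2898DeriveBytes.Pbkdf2(secret, record.Salt, Pbkdf2Iterations, HashAlgorithmName.SHA256, HashLength);
        // Constant-time comparison so a mismatch does not leak where the bytes differ.
        return CryptographicOperations.FixedTimeEquals(candidate, record.Hash);
    }
}
```

Because the lookup is a keyed HMAC rather than the raw secret, the stored column cannot be turned back into a usable key, while the salted hash makes the final check independent of the lookup column.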
