# SoftPOS App

OAuth 2.0-protected API for the MyPinPad SoftPOS integration.

## Overview

This application exposes endpoints through which MyPinPad submits transaction processing requests. Callers authenticate with OAuth 2.0 (client credentials grant) and receive both an access token and a refresh token.

## Architecture

- **OAuth 2.0 Server**: Client credentials grant + refresh token flow
- **Transaction Processing**: Endpoint to receive and process MyPinPad transactions
- **Token Management**: JWT-based access and refresh tokens
- **Client Management**: CLI tools for managing OAuth clients

## API Endpoints

### OAuth Token Endpoint
```
POST /api/soft-pos/oauth/token
Content-Type: application/x-www-form-urlencoded

# Client Credentials Grant
grant_type=client_credentials&client_id=xxx&client_secret=xxx&scope=transaction:write

# Refresh Token Grant
grant_type=refresh_token&refresh_token=xxx&client_id=xxx&client_secret=xxx
```

### Transaction Processing Endpoint
```
POST /api/soft-pos/transactions
Authorization: Bearer {access_token}
Content-Type: application/json

{
  "transactionType": "purchase",
  "instanceRequest": { ... }
}
```

## Setup

1. Enable the app:
```bash
export INCLUDE_SOFT_POS=true
```

2. Set the JWT signing secret (a random value of at least 32 characters; every token is signed with it, so generate it with a CSPRNG, keep it out of source control, and rotate it if it leaks):
```bash
export SOFT_POS_JWT_SECRET="your-secret-key-min-32-characters-long"
```

3. Run migrations:
```bash
mix ecto.migrate
```

4. Create an OAuth client. The CLI prints the client ID and client secret; the secret is stored only as an Argon2 hash and cannot be displayed again, so record it now:
```bash
mix soft_pos.gen.client "MyPinPad" "transaction:write"
```

## Configuration for MyPinPad

Provide the following to MyPinPad:

- **Transaction Endpoint URL**: `https://your-domain.com/api/soft-pos/transactions`
- **Access Token URL**: `https://your-domain.com/api/soft-pos/oauth/token`
- **Client ID**: (generated from CLI)
- **Client Secret**: (generated from CLI)
- **Scope**: `transaction:write`
- **Grant Type**: `client_credentials`
- **Client Authentication**: `client_secret_post` (credentials in body)
- **Header Prefix**: `Bearer`

## Security

- Access and refresh tokens are JWTs signed with `SOFT_POS_JWT_SECRET`; anyone holding that secret can mint valid tokens, so treat it as a credential
- Client secrets are stored as Argon2 hashes, never in plaintext
- Tokens can be revoked
- HTTPS is required in production: client secrets and bearer tokens travel in request bodies and headers and are protected only by TLS
- Refresh token rotation is supported: each use of the refresh grant returns a new refresh token in place of the one presented
- Note that RFC 6749 §4.4.3 says a refresh token SHOULD NOT be issued for the client credentials grant; a confidential client such as MyPinPad can always re-authenticate with its secret, so the refresh flow is a convenience rather than a security necessity, and rotation limits the damage a leaked refresh token can do
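The following is an added example, not code from the SoftPOS app (which is Elixir): a self-contained Python model of the two endpoints described under API Endpoints together with the revocation and refresh token rotation listed above. Everything beyond what the README states is an assumption: HS256 JWTs, 15-minute access and 30-day refresh lifetimes, a `typ` claim that stops a refresh token being used as a bearer token, rotation that makes each refresh token single-use, a replayed refresh token revoking its whole family, and stdlib scrypt standing in for Argon2 so no extra package is needed.

```python
import base64, hashlib, hmac, json, os, secrets, time

# Symmetric signing key; the real app reads SOFT_POS_JWT_SECRET (at least 32 chars).
JWT_SECRET = os.environ.get("SOFT_POS_JWT_SECRET") or secrets.token_urlsafe(48)
ACCESS_TTL, REFRESH_TTL = 15 * 60, 30 * 24 * 3600      # assumed lifetimes, not from the README

def b64url(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def unb64url(txt): return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))

def jwt_sign(claims):
    parts = [b64url(json.dumps(x, separators=(",", ":")).encode())
             for x in ({"alg": "HS256", "typ": "JWT"}, claims)]
    sig = hmac.new(JWT_SECRET.encode(), ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url(sig)])

def jwt_verify(token, now):
    """Return the claims, or None if the token is malformed, not HS256, forged or expired."""
    try:
        head, body, sig = token.split(".")
        if json.loads(unb64url(head)).get("alg") != "HS256":   # pin the alg; never honour alg=none
            return None
        mac = hmac.new(JWT_SECRET.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, unb64url(sig)):         # constant-time compare
            return None
        claims = json.loads(unb64url(body))
    except (ValueError, TypeError, AttributeError):
        return None
    return claims if claims.get("exp", 0) > now else None

# --- client registry: the kind of record `mix soft_pos.gen.client` would persist ----------
def hash_secret(secret, salt=None):
    # The app uses Argon2; stdlib scrypt is a stand-in for this example only (assumption).
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1)

CLIENTS = {}

def register_client(name, scopes):
    cid, secret = f"client_{secrets.token_hex(8)}", secrets.token_urlsafe(32)
    CLIENTS[cid] = {"name": name, "scopes": set(scopes), "secret": hash_secret(secret)}
    return cid, secret        # plaintext secret is returned once, as a CLI would print it

def client_authenticated(cid, secret):
    rec = CLIENTS.get(cid)
    if rec is None:
        return False
    salt, digest = rec["secret"]
    return hmac.compare_digest(digest, hash_secret(secret, salt)[1])

# --- refresh-token state: every jti belongs to a family; a replayed jti burns the family ---
REFRESH = {}                 # jti -> [family, already_used]
REVOKED_FAMILIES = set()

def issue_pair(cid, scope, family, now):
    jti = secrets.token_hex(16)
    REFRESH[jti] = [family, False]
    return {"token_type": "Bearer", "expires_in": ACCESS_TTL, "scope": scope,
            "access_token": jwt_sign({"sub": cid, "scope": scope, "typ": "access",
                                      "exp": now + ACCESS_TTL}),
            "refresh_token": jwt_sign({"sub": cid, "scope": scope, "typ": "refresh", "jti": jti,
                                       "fam": family, "exp": now + REFRESH_TTL})}

def token_endpoint(form, now=None):
    """POST /api/soft-pos/oauth/token with client_secret_post. Returns (status, json_body)."""
    now = now or int(time.time())
    if not client_authenticated(form.get("client_id", ""), form.get("client_secret", "")):
        return 401, {"error": "invalid_client"}
    cid, grant = form["client_id"], form.get("grant_type")
    if grant == "client_credentials":
        scope = form.get("scope", "")
        if not set(scope.split()) <= CLIENTS[cid]["scopes"]:
            return 400, {"error": "invalid_scope"}
        return 200, issue_pair(cid, scope, secrets.token_hex(8), now)
    if grant == "refresh_token":
        claims = jwt_verify(form.get("refresh_token", ""), now)
        if not claims or claims.get("typ") != "refresh" or claims.get("sub") != cid:
            return 400, {"error": "invalid_grant"}
        state = REFRESH.get(claims.get("jti"))
        if state is None or state[0] in REVOKED_FAMILIES or state[1]:
            if state:                            # replay of a rotated token: revoke the whole family
                REVOKED_FAMILIES.add(state[0])
            return 400, {"error": "invalid_grant"}
        state[1] = True                          # rotation: the presented refresh token is now spent
        return 200, issue_pair(cid, claims["scope"], state[0], now)
    return 400, {"error": "unsupported_grant_type"}

def transactions_endpoint(headers, body, now=None):
    """POST /api/soft-pos/transactions: needs a bearer *access* token carrying transaction:write."""
    auth = headers.get("Authorization", "")
    claims = jwt_verify(auth[7:], now or int(time.time())) if auth.startswith("Bearer ") else None
    if not claims or claims.get("typ") != "access":
        return 401, {"error": "invalid_token"}
    if "transaction:write" not in claims.get("scope", "").split():
        return 403, {"error": "insufficient_scope"}
    return 202, {"accepted": body.get("transactionType"), "client": claims["sub"]}
```

The checks worth copying into a real implementation are the ones that are easy to forget: pin the JWT `alg` rather than trusting the header, compare MACs in constant time, reject a refresh token presented as a bearer token (the `typ` claim), verify that the refresh token belongs to the client that authenticated, and treat a replayed refresh token as a compromise signal rather than a harmless retry.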
