
A PHP application for apps.com: features and pitfalls


Preface for those who have never heard of QB or apps.com
I originally published this post back in 2015, but quickly moved it back to drafts because of low scores. I don't know; maybe I was young and stated the point badly, maybe the topic is not in much demand, or something like that. It would have stayed in drafts if not for an email I received today. A developer I don't know was looking for information on QuickBooks, apparently found only my post, and wrote to ask me for details. From this I concluded that the topic might be of interest, and although what is described below happened almost two years ago, I don't think much has changed since then. So, a few small edits, and the post goes up again. Let them spit on it :)

A warning up front: the apps.com site is very strange. For no apparent reason it periodically stops loading entirely, or serves only half of its styles and images. Honestly, I was a little shocked by this behaviour: such a domain, a respectable company, and such a joke. So if you have never heard of apps.com, go to see what it is and find something broken there, that does not mean I am describing some kind of garbage (as commenters assumed last time). Something simply went wrong on apps.com :) Here, just in case, is an example of how it normally looks.



One fine (or not so fine) day, a new task landed on me: "Vlad, congratulations, you're going to build the QuickBooks application." "QuickBooks? What the ..." I thought, but I could not refuse; a task is a task. "Well, I'll google what QuickBooks is, then what a QuickBooks application is, then read an article about all of it on Habr, then find the SDK, and it's in the bag," I thought, and opened Google. How wrong I was ...



First: Habr knows nothing about any of this. No, there are three and a half articles that mention QuickBooks (hereafter simply QB), but I found nothing useful in them. This surprised me straight away: how can something so well known be met with silence on Habr? Strange.

Second, I had to spend some time understanding what a QuickBooks Application is and what one does with it. Maybe I am just slow, but I did not immediately grasp that the "application" is simply a website, a web service. When I heard the word "application" I immediately imagined something else: some kind of hosting from QB, some tricky, tricky API. It turned out to be simpler. Oh, this fashion of calling everything on the web an "application".

Third: the official PHP SDK for QuickBooks Online. Or rather, there is one, but it is so incomplete, poorly documented and unfinished that I could not use it. It was completely missing the part of the API I needed. Maybe it has been finished by now, but I very much doubt it. At the time of writing, it remains pitiful.

In general, this post is for those who also need to build an application for QB in PHP. It will help you quickly grasp the main points and the pitfalls I stepped on. In places there will be obvious things from the documentation, but I chose to spell them out again.

Wait ... what QuickBooks, what apps.com are you talking about?



Everything in order. QuickBooks is an American online bookkeeping service. A serious service, not the work of two students. And although almost nobody here knows it, on the other side of the ocean it is a very well-known product. I even remember someone's post on Habr about emigrating to the United States and the intricacies of bookkeeping; that person wrote that with QB he managed to keep his books himself, almost without thinking about it.

Apps.com is, roughly speaking, a directory of sites with QB integration. Something like the App Store or Play Market, only more specialized. I still wonder how they got hold of such a domain.

So, what is a QuickBooks Application, and what does one do with it?



As I said above, a QuickBooks Application is in essence a website. It can be a separate site (as in my case) or part of one. In short, it is a tight integration of the site with QB that lets users log in through it, receive some data and perform operations. And if everything is done according to Intuit's feng shui (Intuit is the company that owns QB), you will be allowed to host your application on Apps.com.

PHP issues



As I already wrote above, there is a problem with PHP. In fact, you cannot use the official PHP SDK for QuickBooks Online (hereafter QBO). Maybe it is enough for someone's needs, but it is so incomplete and poorly documented that I doubt its usefulness.

UPD. 2017: they seem to have polished this whole thing up a bit, but the PHP SDK still appears to be incomplete. Check it against your specific needs.

So, about PHP. Things would have been really bad if not for the guys from ConsoliByte (do not take this as advertising). Judging by their website they offer QB-related services, or perhaps they are just consultants, I don't really know, but the fact is that they created the open-source QBOv3 PHP SDK. Moreover, a link to it appears in the QuickBooks documentation itself as "3rd-party contributed". So despite the fact that the code of this SDK is not a model of beauty, we use it (link). There is also a ready-made mini-example into which you only need to drop your API keys.

[image: my ugly screenshot]


The essence of the application



The essence of the application is this: the user connects to your application (put simply, grants it access to their data) and then works with it. Simple!

To connect, you use a proprietary button from QB. The interesting part is that you may use ONLY it. The user can connect to you directly from apps.com, through the QBO interface, or from inside the application through this button. You may not change its appearance, size or label; you use it exactly as QB provides it (available in two colours and four sizes). You have no right to initiate the connection of your application in any other way, only through the "Connect to QuickBooks" button, which the documentation calls the "C2QB Widget". That is the first thing.

Second, as it turned out later, this button cannot be used to authenticate users in your application. Our application had no authentication system of its own: it was not separate from the main site and its other users. So initially I did it this way: connect the user, and if they are new, write them to the database, done. That was enough for my needs. As it turned out later, this is not allowed. For authentication you must use only the "Sign in with QuickBooks" widget, and the C2QB button must sit inside the application, and only that way. It was unpleasant to discover this at the very end.

Connect to QuickBooks works through OAuth (all hidden under the hood of the SDK, quite convenient); Sign in works via OpenID. I used the LightOpenID library, again open source.

When I was working with the example from the SDK I did not dig into the config and skipped past the the_tenant parameter. I did not see it in the documentation or the readme, so I did not attach much importance to it. Maybe it is a generally accepted name, but I had not seen it before. As it turned out later, this is the identifier of the user who made the connection to our application. Each user must have their own. I had a funny story with this: I had a static tenant in the config file, and I submitted the application for review. I opened the site and found myself logged in as some QuickBooks user. "Huh," I thought, and forgot about it. Then I began to notice that I was constantly already logged in as someone. I logged out, asked a colleague to log in from his computer, refreshed the page, and I was logged in! Oh, for heaven's sake ...

Review for publication on apps.com



To be allowed onto apps.com, your application must pass three kinds of review: marketing, security and functional. It goes like this: you submit your application, and after a while three emails (one per review) start arriving about what is wrong with you.

The marketing review looks at your application description, screenshots, the availability of support, and so on. Roughly speaking, they check that you present it nicely.

The security audit is conducted by an external company, cigital.com, hired by Intuit. They do an audit and then send you a report stating what is bad where, how they classify it and how to fix it. An excellent report, on the whole. Testing seems to be done by some kind of scripts that check for every possible vulnerability. Our application had an open form, for feedback. Apparently their scanner attacks every form it finds, because we received about one and a half thousand emails from that form, differing only in the payload text. Four fields in the form, and a blind brute force of roughly 300+ payload variants per field. Honestly, I still do not understand what they checked with this: the submitted text is not displayed anywhere in the application, so how would they know whether anything worked? By the way, I read something on the forums about them also doing code review, but that was probably earlier, because nobody asked us for any code. The pitfalls we stepped on:

1) Server: Apache/2.4.7 (Ubuntu) and X-Powered-By: PHP/5.5.9-1ubuntu4.12: these are the headers our server returned. This is classed as a vulnerability of the type "Extra information given by the server", albeit with minimal priority.
2) Cookies not sent over HTTPS. This is another story. For some reason they audited not the production app but our staging. Naturally nobody buys an SSL certificate for staging, so there was no HTTPS there, which earned us five or six entries. Honestly, it did not cause any problems: we just wrote that it was staging and that everything would be fine on production, and they took our word for it.
3) Cookie tampering. the_tenant (which I wrote about above) is stored in a cookie, and if you changed it, the application accepted the new value. In fact it posed no danger, and they themselves wrote that this is the lowest priority, but still.
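Since the three findings above are generic web findings rather than anything specific to QB, here is an added example that shows each of them next to its fix. This is illustrative code written for this post, not code from the original application or from the QBOv3 PHP SDK. The names qb_tenant, tenantForSession and $connectedUsers are assumptions standing in for the cookie, lookup and connected-users table an application like this would have; the cookie-parameter array form needs PHP 7.3 or later (the PHP 5.5 box described above would have to set each ini option separately). Whether or not the tenant cookie was exploitable in this particular application, a tenant identifier the browser can rewrite has the shape of an authorization bug, so the hardened variant derives the tenant from the server-side session and, where a cookie hint is unavoidable, signs it.

```php
<?php
// Added example, not code from the original post or from the QBOv3 PHP SDK.
// It contrasts the three review findings:
//  1) server-version disclosure in response headers,
//  2) session cookie sent without the Secure flag,
//  3) a tenant identifier that the client can rewrite in a cookie.
// qb_tenant, tenantForSession and $connectedUsers are illustrative assumptions,
// not identifiers from the SDK or from the author's application.
declare(strict_types=1);

// --- 1) Header disclosure -----------------------------------------------------
// expose_php is a PHP_INI_SYSTEM setting, so it can only be switched off in
// php.ini (expose_php = Off); header_remove() below is the runtime fallback if
// the header is still being emitted. The Apache side is "ServerTokens Prod".
function hardenResponseHeaders(): void
{
    header_remove('X-Powered-By');
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: DENY');
}

// --- 2) Cookie flags --------------------------------------------------------
// Before (what a staging box without TLS typically ends up with):
//   session_start();   // PHPSESSID over http, no Secure, no HttpOnly, no SameSite
// After: the session cookie is only sent over https, is invisible to scripts,
// and is not attached to cross-site requests. Requires PHP 7.3+ for the array form.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// --- 3) Tenant identifier -----------------------------------------------------
// Vulnerable pattern: trust whatever tenant the browser sends. Anyone who edits
// the cookie value now acts on behalf of a different QB company.
function tenantFromCookieVulnerable(array $cookies): ?string
{
    return isset($cookies['qb_tenant']) ? (string) $cookies['qb_tenant'] : null;
}

// Hardened pattern: the tenant is looked up on the server from the authenticated
// identity (what the OpenID "Sign in" step stored in the session), never from a
// client-writable value. $connectedUsers stands in for the table the application
// fills when a user completes Connect to QuickBooks.
function tenantForSession(array $session, array $connectedUsers): ?string
{
    if (!isset($session['user_id'])) {
        return null;                       // not signed in: no tenant at all
    }
    return $connectedUsers[(string) $session['user_id']] ?? null;
}

// If a tenant hint really must travel in a cookie (e.g. to pick a company before
// the session exists), sign it so that tampering is detected instead of accepted.
function signTenant(string $tenant, string $key): string
{
    return $tenant . '.' . hash_hmac('sha256', $tenant, $key);
}

function verifySignedTenant(string $cookie, string $key): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$tenant, $mac] = $parts;
    $expected = hash_hmac('sha256', $tenant, $key);
    return hash_equals($expected, $mac) ? $tenant : null;   // constant-time compare
}

// --- Demonstration with constructed data ------------------------------------------
// hardenResponseHeaders() and startHardenedSession() belong at the request entry
// point of a web SAPI; the tenant functions can be exercised from the CLI.
$connectedUsers = ['user-42' => 'realm-1234567890'];   // constructed sample row
$key = 'server-side-secret-from-config';               // constructed; keep it out of VCS

// An attacker rewrites the cookie to another company's realm:
$tampered = ['qb_tenant' => 'realm-0000000001'];
var_dump(tenantFromCookieVulnerable($tampered));       // the tampered value is accepted as-is
var_dump(tenantForSession(['user_id' => 'user-42'], $connectedUsers)); // the user's own realm
var_dump(tenantForSession([], $connectedUsers));       // unauthenticated: no tenant

$signed = signTenant('realm-1234567890', $key);
var_dump(verifySignedTenant($signed, $key));           // genuine cookie verifies
var_dump(verifySignedTenant('realm-0000000001.' . str_repeat('0', 64), $key)); // forged MAC is rejected
```

Run it with `php example.php` to see the vulnerable lookup accept the rewritten realm while the session-bound lookup and the HMAC check do not. The signed-cookie variant only protects integrity, not confidentiality or replay, so the session-bound lookup remains the primary control; the signature is a fallback for the one case where a hint has to live client-side.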

Functional review. People check (manually) and click through everything your application can do. If something goes wrong (the layout breaks, an error appears, something does not work at all, etc.) they tell you so-and-so. Sometimes they even attach videos of how they reproduce it. And one more thing: check the word QuickBooks! The rules say no abbreviations are allowed, and QuickBooks must be written as QuickBooks, nothing else. I had "Quickbooks" (lowercase "b") in several places; this was immediately flagged as a problem. So watch out for it.

UPD. 2017: as it turned out, this review happens every year, not only on publication. Fairly logical.

Summary



A little over a month later I had fixed everything that was found, and we passed the review successfully. Now our application is hosted on apps.com. Unfortunately I cannot show it, because of the NDA. What is interesting: after publication you can do anything in the code without a re-review. To change the description you need one, but you can change the functionality as much as you like. The next review comes only a year after publication.

I hope my post is useful to someone and saves them a few hours of their life. If something is wrong, write in the comments; it is quite possible I described something incorrectly.

Source: https://habr.com/ru/post/273485/

