User Stories
High level diagrams
Manufacturing process
| Drawio | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Entone has a certificate authority (CA).
At the time of manufacture an RSA keypair signed by this CA will be added to the box.
User provisioning
| Drawio | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
The user purchases a STB.
The retail partner provisions a user account by calling the user management API (documentation)
The retail partner links the STB to the user (documentation)
The retail partner only needs to inform Amino of the STB mac addressserial number
| Info |
|---|
You can see details of how to manage the user account here on this page. |
User login
| Drawio | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Note:
The Entone API will include the STB public key as one of the claims of the signed JWT token.
Detailed flow
Details of logging in with JWT
Sequence overview
- STB client Client calls the Entone API to get a signed JWT token
- STB client calls the Move STB Authentication endpoint with the token and the public key
Move API verifies the supplied public key by checking against a stored (trusted) version of the Entone public key
- Move API verifies the JWT with the public key
- Move API matches the supplied STB serial number to the user
- Move API logs in the userJWT used for logging in
- Client sends login JWT token to Middleware
- Middleware responds with two tokens that can be used to authenticate future requests
This is diagrammed in the section "user login" above.
Entone API
The View team will add a new function to the API with the following signature:
String ENTONE.stb.createJWT(algorithm, claim) Where claim is a object containing the payload of the JWT, algorithm is the mechanism to sign the signature.
The returned string is a JWT which is based64 encoded string.
Parameters to pass to Entone API
The algorithm must be one of the values supported as the "alg" parameter in the JWT spec (here). The only algorithm supported is RSA with sha-256 and so the algorithm parameter value should always be "RS256".
The client MUST use this format for the claim object:
| Code Block | ||
|---|---|---|
| ||
$claim = [
"iss" => "EntoneAPI",
"iat" => time(),
"exp" => time() + TEN_MINUTES,
"aud" => "www.aminocom.com",
"sn" => "Serial number 25-1234567",
"cdsn" => "Client Device-allocated Serial Number 48318382081",
'certificate' => "String containing the STB public key"
'batchCACertificate' => "String containing the STB batch CA certificate",
]; |
It will receive a JWT from EntoneAPI and must then call the MoveAPI endpoint as below.
Example of generating a JWT
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
let passwordlessLoginHandle = null;
export const passwordlessLogin = async () => {
if (!ENTONE) {
return Promise.reject();
}
// Combine concurrent login requests
if (passwordlessLoginHandle) {
return passwordlessLoginHandle;
}
const now = sdk.time.get();
const claim = {
iss: "EntoneAPI",
iat: now,
exp: now + 60 * 10,
aud: "www.aminocom.com",
sn: ENTONE.stb.getFullSerialNumber(),
cdsn: ENTONE.system.getIrdetoCDSN() || "",
certificate: ENTONE.stb.getPublicKey(),
batchCACertificate: ENTONE.stb.getBatchCACertificate()
};
const token = ENTONE.stb.createJWT(ENTONE.stb.ALG_RS256, claim);
passwordlessLoginHandle = sdk.user.stbLogin(token);
try {
const user = await passwordlessLoginHandle;
setUserCallback && setUserCallback(user);
passwordlessLoginHandle = null;
} catch (error) {
passwordlessLoginHandle = null;
throw error;
}
};
window.passwordlessLogin = passwordlessLogin; |
What is the STB serial number?
Amino STBs with Irdeto Chipset contain several identifiers, two of them are:
- SN - basic serial number (printed on the STB) (73-2345532)
- CDSN - secure SN, which is stored on the device. STB UI gets it via Entone JS API, sends it to Amino backend. Entitlements with Irdeto are based on this identifier (6454386863). This is device id.
The basic STB serial number is composed of two parts: the hw model prefix and the ESN. e.g. 87(hw model)-6593553 (ESN). and the mac address is derived from the ESN of the STB.
MoveAPI
Endpoint
| Method type | URL | Authorization | Parameters |
|---|---|---|---|
| POST | https://domain.tld/api/stb/auth | Service-Token | The JWT must be passed as POST body parameter named "Token" |
Validation rules
The MoveAPI must validate the JWT as follows:
- Decode the JWT
- Retrieve the supplied public key from the "certificate" claim
- Retrieve the suppled CA certificate from the "batchCACertificate" claim
- If it is omitted then read the CA certificate for batch 0133 from disk
- Verify that:
- The issuer is EntoneAPI
- The audience is www.aminocom.com
- The token has not expired
- The token was issued in the past, or otherwise within a tolerable window to allow for server time drift
- JWT was signed with the key you obtained in step 2
- Verify that the CA certificate is signed by the Entone CA certificate
- Obtain the "sn" claim
- Find the user associated with the STB serial code indicated in the "sn" claim
It is important that the JWT is signed with the supplied key AND that the key was generated from the Entone root CA
| Info |
|---|
If the CDSN is stored in the STBDevice table then the API needs to compare the "cdsn" claim |
Response
The Move Middleware will respond with two JWT tokens that can be used for authentication in future requests.
| 200 | { | JWT token both jwt and refresh_token are encrypted using a pass phrase and HS256 encryption. Pass phrase is configurable by config file and will be shared separately. JWT Sample Data { |
| 401 | none | - |
Refreshing the access token
The JWT is valid for an hour, configurable at deployment time. The client should use the refresh token to obtain a new access token when access token is expired or about to expire.
This can be done by calling
POST https://domain.tld/api/stb/auth/refresh_token?refresh_token=123abc...
The refresh token should be supplied as a query string parameter.
The API will respond with a new access token and refresh token
Logout STB
API to handle logout request of STB
Request
| Method | URL | Authorization |
|---|---|---|
POST | https://booxcustomer.fidomain/api/stb/logout | STB (Using JWT), Service (Using service_token) |
POST Body
Please note that M is for Mandatory and O is for Optional.
| Body Fields | M/O | Description | Values | ||
|---|---|---|---|---|---|
service_token | M | Token generated for a service. For example DNA has own service_token. This token is generated from Backend and provided to application developers.
| String of Alpha numeric values. Mostly MD5 or SHA1 string. e.g. 8f9cf3f5789e16124f38936954a98668 |
Headers
Please note that M is for Mandatory and O is for Optional.
| Header | M/O | Description |
|---|---|---|
Authorization: Bearer | M | JWT json web token provided by backend after STB authenticated successfully |
Response
| HTTP Code | Response |
|---|---|
| 200 | none |
| 401 | none |
Link STB to a User
After user bought a STB this API need to be called. This API link or grant ownership of a STB to a user.
Request
| Method | URL | Authorization |
|---|---|---|
POST | https://boox.fi/api/management/stb/link_user | IP, Service (Digest Authentication) |
POST Data Parameters
Please note that M is for Mandatory and O is for Optional.
| Parameters | M/O | Description | Values | ||
|---|---|---|---|---|---|
| service | M | Service to which the user belongs. | String of service username. Shared separately. | ||
serial_no | M | Serial Number of STB. If device does not exists with provided serial no then it will be added. | Alpha numeric string. | ||
| M | Email address (being used as an user identifier in AminoTV) of user who is provisioned for using the STB | Valid email address. e.g. john.doe@example.com | |||
public_keys | MO | 8 Public keys which will be used to authenticate the STB.
Maximum 8 keys. | key0_base64;key1_base64;...........;key7_base64 (no limit on max length). where each public key is base-64 encoded,semicolon(;) is used between keys as separator. | ||
| chipset_id | O | STB device chipset number/ID. | chipset_id is a random list of characters (max 32 characters). | ||
| mac | O | Ethernet interface MAC address. | mac is a random list of characters (max 18 characters). |
Response
| HTTP Code | Response |
|---|---|
| 200 | { |
| 400 | |
| 401 | none |
Error Codes
| Error Code | Description |
|---|---|
| 1414 | Email does not exist |
| 1426 | Parameter is required |
| 1427 | Invalid length of chipset_id |
| 1428 | Invalid length of mac |
| 1433 | STB exists and linked |
| 1434 | Record already exists for value |
| 1435 | STB is already assigned |
| 1436 | Invalid email address format |
Unlink STB from User
This API remove ownership of a STB from an user. Use cases: when user sells his/her device, when a device got stolen.
Request
| Method | URL | Authorization |
|---|---|---|
POST | https://booxcustomer.fidomain/api/management/stb/unlink_user | IP, Service (Digest Authentication) |
POST Data Parameters
Please note that M is for Mandatory and O is for Optional.
| Parameters | M/O | Description | Values |
|---|---|---|---|
| service | M | Service to which the user belongs. | String of service username. Shared separately. |
serial_no | M | Serial Number of STB | Alpha numeric string. e.g. 615507895162 |
| M | Email address of user who is provisioned for using the STB | Valid email address. e.g. john.doe@example.com |
Response
| HTTP Code | Response |
|---|---|
| 200 | none |
| 400 | |
| 401 | none |
Error Codes
| Error Code | Description |
|---|---|
| 1414 | Email does not exist |
| 1426 | Parameter is required |
| 1432 | serial_no does not exists |
| 1418 | Invalid STB link |
| 1436 | Invalid email address format |
Add New User Account
| Info |
|---|
| Existing API link: https://dna.booxmedia.com:10086/docs/d5/d8b/user_management.html#add_account |
This API is used to add a new user account. Following rules apply:
- Email address or customer-id should not belong to any customer that is not in DELETED state; otherwise API will return an error.
- If the user with that email exists in DELETED state and his grace period is not expired, his previous registration state is restored.
- A new user is created in UNREGISTERED state.
Design Points (to be considered for future):
- The main problem with making the two pin params as mandatory is that this feature is very specific to DNA requirements, while other frontends don't expect them. Therefore, we need a way so that both parties remain happy by giving a better design
- For that we should make it configurable whether the two params are mandatory. So for DNA we will configure them as mandatory, so that if they are not provided by Visio when creating a new user API will return an error to provide the mandatory input param. While for others e.g. Delta we will configure them as optional so that if they don't provide the params, API will successfully create a user and set the pins in DB as NULL (empty). Also until DNA is not ready for the params to be mandatory we can keep it configured as optional for them
- It is easy to implement from effort point of view and much flexible and reliable
Request
https://boox.fi/api/management/userQuery Strings
Please note that M is for Mandatory and O for Optional.
| Parameter | M/O | Description | Values | |||||
|---|---|---|---|---|---|---|---|---|
| service | M | Service to which the user belongs. | String of service username. Shared separately. | |||||
| M | Emailaddress | of the user.Email address of the user | ||||||
| cid | M | Customer Identifier. | Numeric ID generated from Visio | |||||
| auth_pin | M | Authentication PIN code.
At the DNA TV Rel 2.9 publish time, the provisioning party (Visio) | Number with the length of 4. e.g. 8798 | |||||
| purchase_pin | M | Purchase PIN code.
At the DNA TV Rel 2.9 publish time, the provisioning party (Visio) | Number with the length of 4. e.g. 8798 | |||||
| dob | O | User Date of birth in YYYY-MM-DDformat | .SUSPEND or ACTIVATE keywords are allowed only. |
Error Codes
Edit Existing User Account
| Info |
|---|
| Existing API link: https://dna.booxmedia.com:10086/docs/d5/d8b/user_management.html#edit_account |
This API is used to suspend or activate a user account. It can also be used to change the email or customer-id of an existing account. Following rules apply:
- A user in DELETED state is not updated.
- "email" and "cid" parameters should not belong to any existing user, even if the user in in DELETED state
- If a user is suspended, his state is changed to DISABLED
- If a DISABLED user is activated and grace period has not expired, then previous registration state is restored, otherwise his state is changed to UNREGISTERED
- In other cases, if a user is activated, his state changed to REGISTERED.
Request
https://boox.fi/api/management/user/<email>Querystrings
Please note that M is for Mandatory and O for Optional.
Authentication PIN code.
| Info | ||
|---|---|---|
| ||
This is new field. |
Number with the length of 4.
e.g. 8798
Purchase PIN code.
| Info | ||
|---|---|---|
| ||
This is new field. |
e.g. 8798
Error Codes
| Error Code | Description |
|---|---|
| 1407 | action value is invalid |
| 100 | User not found in the system |
| 1404 | email is invalid |
| 1406 | cid is invlid