Open2b version 7.8

Publish on the Store

Publishing your apps on the Store lets you quickly reach new customers who can discover, install, and use your apps. To start publishing, you must first join the Open2b Partnership program, after which you can propose to Open2b the apps you want to publish.

For an app to be published on the Store, it must meet stricter security and reliability requirements than external apps:

If the app stores information about the store on the server or must authenticate the store before it can be used, then it must:

At publication time you must specify the permissions the app requires, for example whether it can use the APIs and which methods it can call. The requested permissions must be the minimum required for the app to work correctly.

If your app offers many different features that are unrelated to each other, consider whether it is better to build multiple apps, each dedicated to a specific function, so customers can choose which one to install.

Before proceeding with building an app to publish on the Store, it is best to contact us so we can give you more precise guidance to avoid issues that might delay publication on the Store.

Updates

Since it runs on your servers, you can update the app at any time to fix bugs or improve functionality and appearance. Some changes, however, require an installation update on each store, specifically:

When there are updates, the customer can decide whether and when to apply them. Therefore, in case of updates you must be ready to support different versions of your app installed across different customers, i.e., versions with different name, code, address, icon, or permissions. You must allow customers an adequate period of time before an update becomes necessary to keep using the app.

Installation and removal from a store

If the app published on the Store consists only of HTML and JavaScript pages, it does not need to manage installation and removal because the Store will handle it. The same applies to an app that has a server-side component but neither uses it to store information about the store nor needs to authenticate the store.

The installation of an app published on the Store is initiated by a store administrator. At installation time, the app will receive an HTTP POST to its installation endpoint with the data needed to complete installation. The app verifies that the installation request is authentic, saves the information needed to access the store, and responds with status 200 OK. Any other response will cause the installation to be canceled.

The installation request

The content sent via POST is in application/x-www-form-urlencoded format and includes a single parameter called auth that looks like this:

XoNxV5ITJVOztj8rReXC19ECnXQ9yElfWP0dE1Wwu8Q.eyJzaG9wIjoiMTIzNDU2Nzg5MCJ9

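The auth parameter consists of two strings separated by a dot, both Base64url encoded. The string to the right of the dot is a JSON object. The string to the left is the HMAC-SHA256 of the right-hand string, computed with the app's secret key over the string as transmitted, that is, while it is still Base64url encoded.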

An app first verifies that the string on the left is actually the signature of the one on the right and then decodes the latter to obtain the JSON object. The following PHP code shows how to verify and decode the request:

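// Returns the decoded request, or null if the signature does not match,
// the payload is malformed, or the request has expired.
function parse_auth_request($key, $sign, $data) {
  $decoded_key  = base64_decode(strtr($key, '-_', '+/'));
  $decoded_sign = base64_decode(strtr($sign, '-_', '+/'));
  // The HMAC is computed over the still-encoded $data string.
  $expected = hash_hmac('sha256', $data, $decoded_key, true);
  // hash_equals compares in constant time, unlike !==.
  if ( !is_string($decoded_sign) || !hash_equals($expected, $decoded_sign) ) {
      return null;
  }
  $request = json_decode(base64_decode(strtr($data, '-_', '+/')), true);
  // Reject payloads that are not a JSON object or carry no expiration.
  if ( !is_array($request) || !isset($request['expires']) || $request['expires'] < time() ) {
      return null;
  }
  return $request;
}

// Treat a missing, non-string, or dot-less auth parameter as not authentic.
$auth = isset($_POST['auth']) && is_string($_POST['auth']) ? $_POST['auth'] : '';
$parts = explode('.', $auth, 2);
$request = count($parts) === 2 ? parse_auth_request($app_secret, $parts[0], $parts[1]) : null;
$is_authentic = $request !== null;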

Note that after verifying the signature and decoding the JSON object, the request is checked for expiration by reading the expires field.

Installation

For an installation, the complete decoded JSON object is the following:

{
  "operation" : "Install",
  "shop" : "TN81S9AUB1", // store identifier
  "siteURL" : "https://www.store.com/", // site URL
  "api" : {
    "baseURL" : "https://myshop.open2b.com/api/", // API base URL
    "maxVersion" : 3, // maximum available API version
    "minVersion" : 1 // minimum available API version
  },
  "key" : "EZMRp7tfDT7JisRlGREU3R00do4nq0BSLHRKToTppOZRiTc75a", // API key
  "version" : "1.0", // app version
  "expires" : 1335939007 // request expiration time in Unix format
}

Update

For an update, the complete decoded JSON object is the following:

{
  "operation" : "Update",
  "shop" : "TN81S9AUB1", // store identifier
  "siteURL" : "https://www.store.com/", // site URL
  "api" : {
    "baseURL" : "https://myshop.open2b.com/api/", // API base URL
    "maxVersion" : 3, // maximum available API version
    "minVersion" : 1 // minimum available API version
  },
  "version" : "1.1", // app version
  "expires" : 1335939007 // request expiration time in Unix format
}

Removal

For a removal, the complete decoded JSON object is the following:

{
  "operation" : "Remove",
  "shop" : "TN81S9AUB1", // store identifier
  "expires" : 1335939007 // request expiration time in Unix format
}
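
The three requests above handled by one endpoint, as an added Python example that is not Open2b's code: it verifies the auth parameter as the PHP above does, then applies Install, Update or Remove to a per-shop record. The `shops` dictionary, the 403 and 400 status codes, the rejection of an Update for an unknown shop and the `sign_sample` helper are assumptions of this example; the page only requires 200 OK on success.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s):  # the auth parameter omits Base64 padding; restore it
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mac_of(data, app_secret):  # HMAC over the still-encoded right-hand string
    return hmac.new(b64url_decode(app_secret), data.encode(), hashlib.sha256).digest()

def parse_auth(auth, app_secret, now=None):
    """Return the decoded request, or None if forged, malformed or expired."""
    try:
        sign, data = auth.split(".", 1)
        if not hmac.compare_digest(mac_of(data, app_secret), b64url_decode(sign)):
            return None  # constant-time comparison failed
        request = json.loads(b64url_decode(data))
        if request["expires"] < (time.time() if now is None else now):
            return None
        return request
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

def handle(auth, app_secret, shops, now=None):
    """Apply a verified request to `shops`; return the HTTP status to send."""
    req = parse_auth(auth, app_secret, now)
    if req is None:
        return 403  # assumption: the page only says a non-200 reply cancels
    try:
        op, shop = req["operation"], req["shop"]
        if op == "Install":
            shops[shop] = {"key": req["key"], "version": req["version"],
                           "baseURL": req["api"]["baseURL"]}
        elif op == "Update" and shop in shops:
            # Stores update at different times, so the version is kept per shop.
            shops[shop].update(version=req["version"], baseURL=req["api"]["baseURL"])
        elif op == "Remove":
            shops.pop(shop, None)  # drops the stored API key with the record
        else:
            return 400
    except (KeyError, TypeError):
        return 400
    return 200

def sign_sample(payload, app_secret):  # builds constructed test input only
    data = b64url_encode(json.dumps(payload).encode())
    return b64url_encode(mac_of(data, app_secret)) + "." + data
```

Nothing is written to `shops` until the signature and expiration checks pass, and a request with missing fields leaves the existing record unchanged.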