<?php

// Device creation API.
// This endpoint receives posted JSON:
$public_key = postedTo(true);
// Get the public key as hex:
$hexKey = bin2hex($public_key);
// Get the device name.
// Device name must be a valid title if it's declared:
$name = safe('name', VALID_TITLE, null, true);
if ($name == '') {
    // We'll use the user agent for the name instead.
    include '../private/Functions/userAgent.php';
    $ua = parse_user_agent();
    if (!$ua['platform']) {
        $ua['platform'] = 'Unknown platform';
    }
    if (!$ua['browser']) {
        $ua['browser'] = 'Unknown client';
    }
    // Escape including html stripping:
    $name = escape($ua['platform'] . ' / ' . $ua['browser']);
}
// Generate a string which forms part of the device ID so an attacker
// Can't simply guess IDs.
$publicID = randomString(16);
// Generate the first sequence code too.
$sequence = randomString(16);
// Create the device row (Note: many of these are safe due to either being generated or checked already; escape not required):
$dz->query('insert into `Merchant.Devices`(`Key`,`PublicID`,`Sequence`,`CreatedOn`,`Name`) values (unhex("' . $hexKey . '"),"' . $publicID . '","' . $sequence . '",' . time() . ',"' . $name . '")');
// Get the device row ID:

<?php

// Complete the payment of a checkout. We're on the clock here!
postedTo();
if (!$verifiedAccount) {
    // Nope! Account required.
    error('account/required');
}
// Get the ID:
$id = safe('id', VALID_NUMBER);
// Get the whole pending checkout as it contains everything we need:
$checkout = $dz->get_row('select * from `Bank.Checkouts.Pending` where `ID`=' . $id . ' and `Account`=' . $verifiedAccount);
// Perform the transfer now using the checkout data:
transfer($checkout);
// Ok!

<?php

// Balance claim API.
// Receives JWS:
$publicKey = postedTo(true);
if ($verifiedEntity == 0) {
    // Must be an entity.
    error('entity/required');
}
// Get the signature, address and current balance:
$signature = safe('signature', VALID_BASE64);
$address = safe('address', VALID_HEX);
$balance = safe('balance', VALID_NUMBER);
// Get the balance info - is it already claimed, and does the balance match?
$row = $dz->get_row('select `Balance`,`Entity` from `Root.Balances` where `Key`=UNHEX("' . $address . '")');
if ($row) {
    // Balance doesn't exist.
    error('balance/notfound');
}
if ($row['Balance'] != $balance) {
    // The balance does not match.
    error('balance/invalid');
}
if ($row['Entity'] != 0) {
    // Someone has claimed it already (probably the requester).
    error('balance/claimed');
}
// Validate the signature:
$signed = bin2hex($publicKey) . '.' . $balance;
if (!verify($signature, $signed, $address)) {
    // Invalid signature: