TalerPHP: Progress Updates & Tracking the Journey of the Package

Hey everyone!
I’m starting this thread to post updates on my work with TalerPHP, a package I’m developing to integrate GNU Taler payments into PHP-based projects.
The code is available here: GitHub - mirrorps/taler-php: PHP SDK for GNU Taler REST API integration
I’ll be using this space to jot down thoughts, document progress, and share any notable milestones. If you have any questions or feedback about the project, feel free to get in touch!

Over the past few weeks, the following core components have been implemented in TalerPHP:
• SDK Bootstrapping PSR-4 autoloading is in place, along with a centralized configuration class to manage settings and environment variables.
• HTTP Abstraction Layer A PSR-18 compatible HTTP client interface has been integrated. Guzzle is supported by default, but any custom or third-party PSR-18 client can be used without modification.
• Asynchronous Support - Currently all API calls in the SDK can be made asynchronously, giving you the flexibility to use non-blocking request patterns for better performance and scalability.
• Logging (PSR-3) Full support for the LoggerInterface, including configurable log levels and logging of HTTP requests and responses.
• Caching Support Optional, per-endpoint caching built on PSR standards, allowing developers to plug in their preferred caching implementation.
• Data Transfer Objects (DTOs) Dedicated and fully typed DTO classes are available for every structure defined in the official Taler documentation. Developers can choose to use these DTOs or work directly with native arrays for flexibility.
• Exchange API Coverage:
• GET /config
• GET /keys
• GET /management/keys
• GET /transfers/$WTID
• GET /deposits

Work is ongoing for the Payments API.

Quick update!

The following Payments API endpoints are now implemented and tested:
• GET /orders/$ORDER_ID
• GET /orders

Both endpoints come with async support and typed DTOs.

Upcoming Feature: Request DTOs with Embedded Validation

Looking ahead, I’m planning to enhance the SDK with request Data Transfer Objects (DTOs) that include built-in data validation. Developers will have control over this validation, making it convenient to catch issues early in the development process. The SDK will automatically validate request data against the official Taler documentation, improving reliability and reducing integration headaches.

Refunds Order API Implemented

Just shipped support for the Refunds Order API - implemented and tested.

• POST /orders/$ORDER_ID/refund

The request Data Transfer Objects support data validation, giving developers control to enable or disable validation as needed. This makes it easier to ensure your data aligns with Taler’s requirements before sending any API requests.

Additionally, PHPStan compliance is enabled across the codebase, making static analysis and code quality stronger.

Async operations are also supported as well as typed DTOs.

Create Order API Implemented

Just added support for creating orders using both OrderV0 and OrderV1 specifications.

• POST /orders

• Typed Data Transfer Objects (DTOs) are available.
• The request DTOs continue to support data validation, so developers can ensure correctness before sending data to the API. Validation remains fully developer-controlled for flexibility and safety.
• Compatible with async workflows and PSR-compliant components.

TalerPHP Update: Forget Order Attributes API Added!

The Forget Order Attributes API is now implemented and tested.
This feature allows merchants to securely remove stored order attributes when they’re no longer needed — helping maintain privacy and keep data storage lean.
• Fully integrated with the existing async request patterns.
• Works with the Data Transfer Objects layer.
• Backed by automated test coverage for reliability.
• /private/orders/$ORDER_ID/forget
This marks the final step toward complete Payments API integration.

TalerPHP Update: Full Bank Accounts CRUD Support Added!

I’m excited to announce that TalerPHP now supports all CRUD operations for Bank Accounts with the following endpoints fully implemented:
• POST /instances/$INSTANCE/private/accounts
• PATCH /instances/$INSTANCE/private/accounts/$H_WIRE
• GET /instances/$INSTANCE/private/accounts
• GET /instances/$INSTANCE/private/accounts/$H_WIRE
• DELETE /instances/$INSTANCE/private/accounts/$H_WIRE

All operations utilize typed Data Transfer Objects (DTOs) with runtime validation (for request DTOs) to ensure data integrity. PHP unit tests have been added to maintain code quality, and the entire codebase passes PHPStan analysis successfully.

For the past few days the backend sandbox instance is experiencing issues preventing the creation or updating of bank accounts, resulting in 403 Forbidden errors for those endpoints. The GET and DELETE endpoints are working as expected. I will be retrying the failing endpoints next week.

Wire Transfers API – Check & Delete Support

Two more endpoints are now fully implemented and tested in TalerPHP, expanding merchant backend capabilities:
• GET /instances/$INSTANCE/private/transfers – Retrieve a list of transfers.
• DELETE /instances/$INSTANCE/private/transfers/$TID – Delete a specific transfer by its ID.

Full OTP Devices CRUD Support

TalerPHP now fully supports CRUD operations for OTP devices, giving merchants more control over their two-factor authentication setups. The following endpoints are implemented:
• POST /instances/$INSTANCE/private/otp-devices
• PATCH /instances/$INSTANCE/private/otp-devices/$DEVICE_ID
• GET /instances/$INSTANCE/private/otp-devices
• GET /instances/$INSTANCE/private/otp-devices/$DEVICE_ID
• DELETE /instances/$INSTANCE/private/otp-devices/$DEVICE_ID

Features included:
• Typed Data Transfer Objects (DTOs) with runtime validation.
• Full async support for non-blocking operations.
• Automated unit tests for reliability.
• Complete PHPStan static analysis pass, keeping code quality high.

Update: Templates & Webhooks CRUD Support

Added full CRUD support for both Templates and Webhooks.

Implemented:

• Templates CRUD:

• POST [/instances/$INSTANCE]/private/templates

• PATCH [/instances/$INSTANCE]/private/templates/$TEMPLATE_ID

• GET [/instances/$INSTANCE]/private/templates

• GET [/instances/$INSTANCE]/private/templates/$TEMPLATE_ID

• DELETE [/instances/$INSTANCE]/private/templates/$TEMPLATE_ID

• Webhooks CRUD:

• POST [/instances/$INSTANCES]/private/webhooks

• PATCH [/instances/$INSTANCES]/private/webhooks/$WEBHOOK_ID

• GET [/instances/$INSTANCES]/private/webhooks

• GET [/instances/$INSTANCES]/private/webhooks/$WEBHOOK_ID

• DELETE [/instances/$INSTANCES]/private/webhooks/$WEBHOOK_ID

As with previous updates:
• All operations use typed Data Transfer Objects (DTOs) with runtime validation for request DTOs.
• Fully compatible with async operations.
• Covered by automated tests for reliability.
• Codebase passes PHPStan static analysis successfully.

Token Families CRUD Support

I’ve just added full CRUD operations for Token Families to TalerPHP!

Supported endpoints:
• POST /instances/$INSTANCE/private/tokenfamilies
• PATCH /instances/$INSTANCE/private/tokenfamilies/$TOKEN_FAMILY_SLUG
• GET /instances/$INSTANCE/private/tokenfamilies
• GET /instances/$INSTANCE/private/tokenfamilies/$TOKEN_FAMILY_SLUG
• DELETE /instances/$INSTANCE/private/tokenfamilies/$TOKEN_FAMILY_SLUG

Highlights:
• Implemented with typed Data Transfer Objects (DTOs) + runtime validation.
• Covered by automated unit tests for reliability.
• Codebase is fully PHPStan-compliant.
• Async support included for non-blocking operations.

Inventory Categories CRUD Support

The SDK now includes full CRUD support for Inventory Categories.

What’s included:
• All operations implemented with typed Data Transfer Objects (DTOs) and runtime validation.
• Automated unit tests added to ensure reliability.
• Codebase is fully PHPStan-compliant.
• Async support as well

Supported endpoints:

• GET [/instances/$INSTANCE]/private/categories
• GET [/instances/$INSTANCE]/private/categories/$CATEGORY_ID
• POST [/instances/$INSTANCE]/private/categories
• PATCH [/instances/$INSTANCE]/private/categories/$CATEGORY_ID
• DELETE [/instances/$INSTANCE]/private/categories/$CATEGORY_ID

TalerPHP Update: Inventory Categories & Products CRUD Support

TalerPHP now supports full CRUD operations for Inventory Categories and Products.

Categories Endpoints
• GET /instances/$INSTANCE/private/categories
• GET /instances/$INSTANCE/private/categories/$CATEGORY_ID
• POST /instances/$INSTANCE/private/categories
• PATCH /instances/$INSTANCE/private/categories/$CATEGORY_ID
• DELETE /instances/$INSTANCE/private/categories/$CATEGORY_ID

Products Endpoints
• POST /instances/$INSTANCE/private/products
• PATCH /instances/$INSTANCE/private/products/$PRODUCT_ID
• GET /instances/$INSTANCE/private/products
• GET /instances/$INSTANCE/private/products/$PRODUCT_ID
• DELETE /instances/$INSTANCE/private/products/$PRODUCT_ID

Features
• All requests/responses use typed Data Transfer Objects (DTOs) with runtime validation.
• Automated unit tests are included for reliability.
• Codebase passes PHPStan static analysis.
• Async support built-in for non-blocking integrations.

Product Locking & POS Configuration

Two more features are now supported in TalerPHP!

New Features:
• Product Locking: lock a certain quantity of a product for a limited duration.
• Point-of-Sale (POS) Configuration: Added support for retrieving the full POS configuration, which provides detailed information on all items available in the merchant’s inventory.

Implementation Details:
• Both features are implemented using typed DTOs with runtime validation.
• Covered by automated tests to ensure correct behavior.
• Codebase remains PHPStan-compliant.
• Async support is included, making both endpoints suitable for high-performance environments.

Progress Report: Instances API Now Automated!

I’ve been busy these past few days enhancing TalerPHP with support for merchant instance automation. New endpoints now allow smoother, on-demand creation and configuration of merchant instances - great for anyone looking to streamline their onboarding workflow.

Supported endpoints so far:
• Create a new instance: POST /instances
• Update the authentication settings: POST /instances/$INSTANCE/private/auth
• Generate access tokens: POST /instances/$INSTANCE/private/token

Every new endpoint comes with its own test units for reliability, and strict PHPStan compliance for code quality. This unlocks new possibilities for dynamic deployments and rapid scaling.

Additional Instance API Endpoints Implemented

Building upon the previous Instances API work, I’ve integrated several more endpoints to enhance Instance management and control:

Newly supported endpoints include:
• DELETE /instances/$INSTANCE/private/token
• DELETE /instances/$INSTANCE/private/tokens/$SERIAL
• PATCH /instances/$INSTANCE/private
• GET /management/instances
• GET /instances/$INSTANCE/private

All new additions come with dedicated PHP unit tests and successfully clear PHPStan static code analysis, ensuring robust and maintainable code.

As always, feedback and testing assistance are greatly appreciated!

Quick Update: Back from Summer Vacation & Instance Management Complete!

After a short family vacation to end the summer, I returned and wrapped up the remaining Instance Management API endpoints in TalerPHP

Finalized endpoints:
• GET /instances/$INSTANCE/private/statistics-amount/$SLUG
• GET /instances/$INSTANCE/private/statistics-counter/$SLUG
• DELETE /instances/$INSTANCE/private
• GET /instances/$INSTANCE/private/kyc
• DELETE /instances/$INSTANCE/private/tokens/$SERIAL

All endpoints are backed by automated test units and have passed PHPStan analysis for code quality.

With these additions, the instance management functionality - and indeed, the core capabilities - of the SDK are now fully implemented and finalized.

My focus is now shifting to updating and improving the security of the SDK to better guard against potential hacks and attack vectors.

Security Update:

Recent work has focused on strengthening the security posture of the SDK. Here’s what’s now covered:
• HTTPS-only base URL enforcement
• Path-segment encoding for all dynamic segments
• Base-path containment to prevent directory traversal
• SSRF-resistant URL building
• CR/LF header stripping to block header injection
• Rich header redaction and comprehensive URL/query redaction (including handling for Location, Content-Location, Refresh, and Link headers)
• Exception and body sanitization to avoid leaking sensitive info
• Zero-overhead in production when DEBUG is off
• Immutable critical config

Last week, I received very detailed and informative feedback from Professor Christian Grothoff. His insights are incredibly valuable, and I’m currently working through the list of suggestions he provided.
I’m very thankful for his time and willingness to help improve the project.

Improvements from Professor Grothoff’s Feedback

Wanted to highlight several recent updates inspired by the detailed feedback I received from Professor Christian Grothoff:

1. HTTP improvements:
   • Added default JSON headers to all requests
   • Enabled optional gzip compression for request bodies
   • Extended configuration management via TalerConfig
   • Updated related tests; PHPStan passes
2. Order API enhancements:
   • Implemented structured error handling in CreateOrder for HTTP status codes 410 (OutOfStock) and 451 (PaymentDeniedLegally)
   • Introduced new DTOs and typed exceptions for better clarity
   • Refined unit tests and documentation; PHPStan is clean
3. Refund API enhancements:
   • Structured error handling for RefundOrder with proper parsing and exceptions for HTTP 451 responses
   • Strengthened test coverage and documentation; PHPStan compliant

These changes directly reflect Professor Grothoff’s expert review and suggestions, and I’m very grateful for his support!