Tokenized: HotelRSV Parameters Encrypted with JWT

HotelRSV allows encrypted data to be passed using JSON Web Tokens (JWT), the industry-standard method defined in RFC 7519 for securely representing claims between two parties.

This is an optional, advanced option for organizations that need to pass encrypted parameters (claims) to the booking engine, such as user credentials in a Single Sign-On (SSO) context.

Your webmaster and Novohit Support Staff must agree on the data (claims) to be communicated in the JSON object. This is done case by case via a ticket on help.novohit.com; the general implementation process is explained below.

Implementation Scheme


General Perspective

The JWT exchange scheme requires the following components:
2.- A server-side scheme (implemented and controlled by your organization or your webmaster) where Web Token encoding is performed in JSON format. In particular, these subcomponents will be required:
- The payload data (claims) to be communicated to the HotelRSV booking engine, which are agreed by ticket at help.novohit.com. As an example:
    {
      "iss": "com-organizacion-acme",
      "aud": "app.hotelrsv.com",
      "iat": 1628793662,
      "exp": 1628793962,
      "jti": "cbc0d1ee1b337e803bfb2fb6ce759a81",
      "username": "johndoe",
      "id_hotel": "100"
    }
- The private key and its corresponding public key, used to encrypt the JSON in JWT format. For this, see the Server section below. You send us the public key via ticket, and we install it on our server to validate the encrypted data in the JWT.
- The server application that you will make to generate the JWT.
- The application or JavaScript code that adds the data-hotelrsv-tokenized attribute to the DOM, or the tokenized parameter to the URL. As an example, below is a booking button whose data-hotelrsv-tokenized attribute is dynamically generated:
    <a href="#" id="theRsvButton" data-hotelrsv-show-other-rooms="1" class="rsv-app-launcher rsv-mobile-launcher" data-hotelrsv-tokenized="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c">Book</a>

Private Key and Public Key


Generate the Key Pair

A key pair must be generated with the RSA algorithm and a minimum of 2048 bits. It can also be 4096 bits; the bigger the key, the bigger the token signature, but 2048 is enough.
Notes
A web service such as https://travistidwell.com/jsencrypt/demo/ can be used to generate the private/public key pair. Note that it is your responsibility to safeguard the private key at all times.

If you have shell access on Linux

Navigate to the directory where the keys will be stored:
    # cd /path/to/keystorage
Generate the private key:
    # openssl genrsa -out myorganization-jwt-private.pem 2048
Generate the public key:
    # openssl rsa -pubout -in myorganization-jwt-private.pem -out myorganization-jwt-public.pem

Private Key

Notes
You must safeguard the private key at all times! It is your responsibility!
Notes
Novohit will never ask for the private key.

Public Key

You must share only the public key with Novohit, via a help.novohit.com ticket.

Server-Side Application to Generate JWT


How JWT generation is implemented is up to your web developer. For example, if you use WordPress, you can develop a PHP script that receives dynamic AJAX calls and generates the token.

Example of a PHP application

    <?php
    require_once __DIR__ . '/vendor/autoload.php';

    use Firebase\JWT\JWT;

    //-- when keys are loaded from file
    $passphrase = '';
    $privateKeyFile = __DIR__ . '/jwt-private.pem';
    $privateKey = openssl_pkey_get_private(
        file_get_contents($privateKeyFile),
        $passphrase
    );
    //-- stop if the private key could not be read or parsed
    if ($privateKey === false) {
        http_response_code(500);
        exit;
    }
    //-- the public key is not used for signing; it is the file shared with Novohit
    $publicKeyFile = __DIR__ . '/jwt-public.pem';
    $publicKey = file_get_contents($publicKeyFile);

    $iat = time();
    $interval = 5;  //-- minutes
    $jti = bin2hex(random_bytes(16));  //-- unique token ID

    //-- claims agreed with Novohit by ticket
    $data = array(
        'iss' => 'com-organizacion-acme',
        'aud' => 'app.hotelrsv.com',
        'iat' => $iat,
        'exp' => $iat + $interval * 60,
        'jti' => $jti,
        'hotelrsv_id_h' => 100,
        'username' => 'johndoe',
        'other_fields' => 'foo bar'
    );

    //-- build the JWT with the private key (RS256) and return it as JSON
    $token = JWT::encode($data, $privateKey, 'RS256');
    $aToken = array('token' => $token);
    header('Content-Type: application/json');
    echo json_encode($aToken);
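
One way to self-check the token your endpoint emits before sending the public key by ticket, as an added example that is not Novohit's verifier or code from this article. RS256 signs the payload rather than hiding it, so the block first reads the claims without any key, then applies the checks a verifier would typically make. The function names, the throwaway key pair and the checks themselves are assumptions; the 12-minute limit and the sample claims come from this page.

```javascript
// Added illustration, not Novohit's verifier. Uses only Node's built-in crypto.
const crypto = require('node:crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Stand-in for the PHP endpoint: header.payload signed with RSASSA-PKCS1-v1_5 + SHA-256.
function signRs256(claims, privateKey) {
  const input = `${enc({ typ: 'JWT', alg: 'RS256' })}.${enc(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

// Anyone holding the token can read the claims; no key is involved.
function readClaimsWithoutKey(token) {
  return dec(token.split('.')[1]);
}

// Hypothetical verifier-side checks; returns { ok, reason?, claims? }.
function checkToken(token, publicKey, now, aud = 'app.hotelrsv.com', maxLifetime = 12 * 60) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = dec(parts[0]);
    claims = dec(parts[1]);
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm; never let the token's header pick the verification method.
  if (!header || header.alg !== 'RS256') return { ok: false, reason: 'unexpected alg' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], 'base64url');
  if (!crypto.verify('RSA-SHA256', signed, publicKey, sig)) return { ok: false, reason: 'bad signature' };
  if (!claims || claims.aud !== aud) return { ok: false, reason: 'wrong audience' };
  if (!Number.isInteger(claims.iat) || !Number.isInteger(claims.exp)) return { ok: false, reason: 'missing iat/exp' };
  if (claims.exp <= now) return { ok: false, reason: 'expired' };
  if (claims.exp - claims.iat > maxLifetime) return { ok: false, reason: 'lifetime too long' };
  return { ok: true, claims };
}

// Constructed demo: throwaway key pair and the sample claims from this article.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sample = { iss: 'com-organizacion-acme', aud: 'app.hotelrsv.com', iat: 1628793662,
  exp: 1628793962, jti: 'cbc0d1ee1b337e803bfb2fb6ce759a81', username: 'johndoe', id_hotel: '100' };
const token = signRs256(sample, privateKey);
console.log(readClaimsWithoutKey(token).username);            // claims are readable as-is
console.log(checkToken(token, publicKey, 1628793700));        // accepted inside the 5-minute window
console.log(checkToken(token, publicKey, 1628794000).reason); // rejected after exp
```

The placeholder value in the booking button example earlier on this page is an HS256 demo token, so `checkToken` returns `unexpected alg` for it. Because the claims are readable by anyone who sees the attribute or URL, put only identifiers in them, never passwords.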

JavaScript to Request the JWT and Inject it into the DOM


You can add the token dynamically to any booking button by adding the data-hotelrsv-tokenized attribute to the HTML element.
Since the token is valid for a maximum of 12 minutes, it is recommended to generate it dynamically for each call to a booking button.
For this, we provide a JavaScript hook called nvhHookBeforeRsvAppLauncher that lets you execute JavaScript before the booking engine is triggered. That is where you define the call to your server application that generates the JWT.
Notes
Be sure to make the call after hotelrsv.min.js has been installed.
Below is a jQuery and AJAX based example that adds the data-hotelrsv-tokenized attribute to a button with the ID theRsvButton:
    <!-- ... -->
    <script>
    // Runs before the booking engine is launched
    function nvhHookBeforeRsvAppLauncher() {
        jQuery.ajax({
            type: 'POST',
            url: 'https://api.yourserver.com/jwt/buildToken.php',
            success: function(data) {
                console.log(data.token);  // debugging output
                // Attach the fresh token to the booking button
                jQuery("#theRsvButton").attr("data-hotelrsv-tokenized", data.token);
            }
        });
    }
    </script>
    <!-- ... -->
    <body>
    <!-- ... -->
    <a href="#" id="theRsvButton" class="rsv-app-launcher rsv-mobile-launcher">Book</a>



Notes
Make sure that the server that handles the calls to build tokens (in the example, https://api.yourserver.com/jwt/buildToken.php) meets CORS requirements.
This way, when the end user clicks the button with id="theRsvButton" and class="rsv-app-launcher" (see Booking Buttons - Action Calls), the nvhHookBeforeRsvAppLauncher function is executed first. When the JWT is received from the server, the data-hotelrsv-tokenized attribute is added to the booking button and the booking engine is launched. hotelrsv.min.js automatically passes the value of the data-hotelrsv-tokenized attribute to the application.

