# [CAT-2453](https://sourceability.atlassian.net/browse/CAT-2543): Test Ecomm's new order API endpoints.
## Setup
The first step was to get an API token for authorization. To do this, you need to navigate to a specific user (here is [my test user](https://staging-xyla.sourcengine.com/sourceability/ecomm/pyz-company/21/spy-customer/1128/show)) and click 'Access Tokens'.
There are two ways to test the API, through the [documentation](https://staging-william.sourcengine.com/api/doc/public) or through Postman. I had to do everything through Postman since the documentation API test tool is broken (See section 'Authorization Problems' below).
## Headers
The headers I set explicitly in Postman are the 'Authorization' header with content 'Bearer-Sourcengine {my-api-key}' and the 'Accept' header with content 'application/json;version=1.0'. Also, if you don't send the 'Host' header Cloudflare gives a 400 Bad Request error. I let Postman set this header for me.
## Authorization Problems
First, I tried just pasting my API key into the authorization of the api doc interface. This appeared to work and the token said 'Authorized'. The documentation, however, says to first add 'Bearer-Sourcengine {my-api-key}'. I tried that and also got the result 'Authorized'. This was confusing for me as I had problems later and was not sure if that was the source or not.
In Postman, the result was clearer. When I did not add the prefix, I received a 401 Unauthorized error. When I did add the prefix, I received a 500 error from one endpoint. Not good, but at least the results were different.
I spoke with the Ecommerce team and it seems like the API doc interface falsely assigns the header as 'Authentication', not 'Authorization'. Until that is fixed the API doc interface will not work.
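The header handling described in the two sections above, as an added Python example that is not part of the original report or of the Sourcengine project: `build_request` sets the three headers Postman needed (the `Authorization` value with the `Bearer-Sourcengine` prefix, the versioned `Accept` value, and an explicit `Host`, since the report notes Cloudflare answers 400 without it), and `lint_auth_headers` flags the two mistakes the report ran into, a token sent without the prefix and a token sent under the name `Authentication` instead of `Authorization`. The token value and URL used in the `__main__` block are constructed sample data.

```python
"""Added example (not from the original report or the Sourcengine project):
builds a request with the three headers the report says Postman needed and
lints a header set for the authorization mistakes the report describes."""
import urllib.request
from urllib.parse import urlsplit
from typing import Dict, List

TOKEN_PREFIX = "Bearer-Sourcengine"            # prefix the API docs require
ACCEPT_VALUE = "application/json;version=1.0"  # versioned media type from the report


def build_request(api_key: str, url: str) -> urllib.request.Request:
    """Return a urllib Request carrying Authorization, Accept and Host.

    api_key is the bare token from the user's 'Access Tokens' page; the
    prefix is added here because a bare token was answered with 401.
    Host is set explicitly because Cloudflare answered 400 without it.
    """
    if not api_key or api_key.startswith(TOKEN_PREFIX):
        raise ValueError("pass the bare token; the prefix is added here")
    req = urllib.request.Request(url)
    req.add_header("Authorization", f"{TOKEN_PREFIX} {api_key}")
    req.add_header("Accept", ACCEPT_VALUE)
    req.add_header("Host", urlsplit(url).netloc)
    return req


def lint_auth_headers(headers: Dict[str, str]) -> List[str]:
    """Flag the authorization mistakes from the report as short codes.

    wrong-header-name     - token sent as 'Authentication' (the API doc UI bug)
    missing-authorization - no Authorization header at all
    missing-prefix        - token sent without 'Bearer-Sourcengine '
    """
    problems: List[str] = []
    # header names are case-insensitive on the wire, so compare lower-cased
    lower = {k.lower(): v for k, v in headers.items()}
    if "authorization" not in lower:
        problems.append("wrong-header-name" if "authentication" in lower
                        else "missing-authorization")
        return problems
    if not lower["authorization"].startswith(TOKEN_PREFIX + " "):
        problems.append("missing-prefix")
    return problems


if __name__ == "__main__":
    # constructed sample values; a real run would use a token issued on staging
    req = build_request("SAMPLE-TOKEN",
                        "https://staging-william.sourcengine.com/customer-me")
    print(dict(req.header_items()))
    print(lint_auth_headers({"Authentication": "Bearer-Sourcengine SAMPLE-TOKEN"}))
```

Running `lint_auth_headers` over the headers a tool actually emits (Postman's console shows them) is a quick way to tell whether an unexpected 401 comes from the header name, the missing prefix, or the token itself.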
## /company/{company}/account
This endpoint allows you to get all accounts under a given company. I was unsure from just reading the documentation what the input string for this should be, a company name, ID, or something else.
First, I tried using the company name. This returned a 500 error. If it is bad input it should return a 404. I was later informed that I should use the company ID in the {company} field and that this value can be found using the /customer-me endpoint. This should be updated in the documentation.
There was a link in the response that led to a 405 Method Not Allowed error: https://staging-william.sourcengine.com/company/21/account/146/address/.
## /company/{company}/account/{account}
This endpoint allows you to get a specific account under a company ID. Everything here worked fine for me, but I would recommend specifying that a company ID and account ID must be used, not the names.
The 'self' link in the response from https://staging-william.sourcengine.com/company/21/account/31/ gave back https://staging-william.sourcengine.com/account-by-platform-id/47, which does give the same result, but is not what I expect there.
## /company/{company}/account/{account}/courier/
This endpoint allows you to query the available couriers for an account. It has an optional parameter, 'active' which can only be set to 1 or 0. I figured that out through experimentation. That should be documented.
It also felt a bit strange to me that the parameter 'active' controlled a field named 'is_default'. I'm not sure why the parameter name is not the same as the field name in this case. Does 'active' mean the same thing as 'is_default'?
## /company/{company}
This endpoint allows you to get information about a specific company. Everything here worked fine for me, but I would recommend specifying that a company ID and account ID must be used, not the names.
This link in the response led to a 403 Forbidden: https://staging-william.sourcengine.com/company/21/role.
## /customer-me
This endpoint gives information about the customer, identified by the API key being used. I was told that this is a good endpoint to start with since it does not require any inputs and returns back information, like company ID, which can be used for further queries. If that is what should be recommended to new users, then it should be mentioned at the top of the API documentation.
This link in the response resulted in a 405 Method Not Allowed error: https://staging-william.sourcengine.com/customer/1128/address-assignment.
The 'associated customers' link resulted in a 403 Forbidden (maybe that is intended).
## /order/ (GET)
This endpoint is for searching through orders using a set of filters.
The customer key should be filled in, otherwise you will be trying to access orders from other customers and receive a 403 error. I think that this field should be marked as required in the documentation.
The transaction_limit_decision link in the response results in a 405 Method Not Allowed.
I got some strange results when checking the parameter 'awaiting_approval_by': no filter if set to 0, no results if set to 1, filtered results if set to 2-4, no results if set to 5-infinity. Setting this to null results in a 500 error.
Setting 'identifier' to null results in a 500 error.
For the parameter 'state_name', I tried 'paid' and 'unpaid', 0 results. Tried integers, just returned back all results. Not sure what should be there.
Nothing I tried for the parameter 'has_scheduled_delivery' filter made a difference: true, false, 0, 1, yes, no.
Putting a string in the 'account' parameter leads to a 500 internal server error.
It did not seem to matter what I put in the 'states' parameter: I tried ['paid'], [''], ['unpaid'], ['delivered'], ['asdf'], 0 and it made no difference.
The documentation says that the parameter 'sort' is required. I was able to send successful requests without it. I also cannot figure out what the proper input for this parameter is.
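The filter checks in this section, as an added Python harness that is not part of the original report: each (parameter, value) probe is sent with the customer key set, and the outcome is sorted into 5xx answers (a malformed filter value should be rejected with a 4xx, so a 500 means the value reached code that never validated it), filters that left the result count unchanged, and filters that actually changed it. The transport is a callable so the harness runs offline; `fake_transport` is a constructed stand-in whose rules mirror the observations above, and the customer ID and result counts in it are sample values.

```python
"""Added example (not from the original report): replays the GET /order/
filter values the report tried and classifies what the API did with them.
fake_transport is a constructed stand-in for the staging API."""
from typing import Callable, Dict, List, Tuple

# a transport takes the query parameters and returns (status, result_count)
Transport = Callable[[Dict[str, str]], Tuple[int, int]]

CUSTOMER_ID = "1128"   # the report's test customer
BASELINE_COUNT = 12    # orders the fake returns when no filter applies (constructed)

# (parameter, value) probes taken from the report's observations
PROBES: List[Tuple[str, str]] = [
    ("awaiting_approval_by", "null"),
    ("awaiting_approval_by", "2"),
    ("identifier", "null"),
    ("account", "not-a-number"),
    ("has_scheduled_delivery", "true"),
    ("states", "['paid']"),
    ("state_name", "paid"),
]


def fake_transport(params: Dict[str, str]) -> Tuple[int, int]:
    """Constructed stand-in mirroring the behaviour the report describes."""
    if "customer" not in params:
        return 403, 0                      # other customers' orders are forbidden
    if params.get("awaiting_approval_by") == "null" or params.get("identifier") == "null":
        return 500, 0                      # null is passed through unvalidated
    if "account" in params and not params["account"].isdigit():
        return 500, 0                      # a string where an ID is expected
    if params.get("awaiting_approval_by") == "2":
        return 200, 3                      # one of the values that did filter
    if params.get("state_name") == "paid":
        return 200, 0                      # 'paid' returned nothing
    return 200, BASELINE_COUNT             # has_scheduled_delivery, states: no effect


def customer_required(transport: Transport) -> bool:
    """True when omitting the customer key is refused with 403."""
    status, _ = transport({})
    return status == 403


def run_probes(transport: Transport,
               probes: List[Tuple[str, str]] = PROBES) -> Dict[str, List[Tuple[str, str, int]]]:
    """Sort each probe into 'server_error', 'no_effect' or 'filtered'."""
    report: Dict[str, List[Tuple[str, str, int]]] = {
        "server_error": [], "no_effect": [], "filtered": []}
    _, baseline = transport({"customer": CUSTOMER_ID})
    for param, value in probes:
        status, count = transport({"customer": CUSTOMER_ID, param: value})
        if status >= 500:
            report["server_error"].append((param, value, status))
        elif count == baseline:
            report["no_effect"].append((param, value, status))
        else:
            report["filtered"].append((param, value, status))
    return report


if __name__ == "__main__":
    print("customer key required:", customer_required(fake_transport))
    for kind, rows in run_probes(fake_transport).items():
        print(kind, rows)
```

To run it against staging, replace `fake_transport` with a callable that sends the query with the headers from the Headers section and returns the status code and the number of orders in the body; the `server_error` list is then the set of inputs to raise with the Ecommerce team, and `no_effect` the filters whose documentation needs a valid example value.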
## /order/ (POST)
This endpoint allows you to make orders using a JSON form.
Is it OK that I can create the same purchase order number twice?
Putting anything in "items" as null results in a 500 internal server error.
The format for 'payment_method' in the documentation for the body is wrong. It says that 'payment_method' should be a list, but it should be a string.
## /order/{order}/
This endpoint provides information about a specific order ID.
https://staging-william.sourcengine.com/order/null causes a 500 internal server error.
The link in the response https://staging-william.sourcengine.com/order/{order}/transaction-limit-decision gives a 405 Method Not Allowed.
Another link, https://staging-william.sourcengine.com/order-item/ is given in the response, but gives a 403 Forbidden.
## Other Questions
Is it possible to cancel an order through the API? I saw that you can send the same requests twice to /order/ and get two different orders, even if you put the same purchase order number. It would be quite easy to make duplicate orders.
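The POST /order/ findings (null items giving a 500, 'payment_method' being a string rather than a list) and the duplicate purchase order question above, as an added Python example that is not the project's code: an in-memory model of the intake checks that would close those gaps. Null or empty `items` is rejected with 400 instead of reaching a 500, `payment_method` must be a string, and a second order with the same `purchase_order_number` for the same customer is refused with 409 carrying the existing order's ID, so a replayed request cannot create a duplicate. The status codes, the per-customer uniqueness rule and the sample order body are this example's assumptions.

```python
"""Added example (not from the Sourcengine project): an in-memory model of
input validation and purchase-order uniqueness for POST /order/. Status
codes and the per-customer uniqueness rule are assumptions."""
from typing import Any, Dict, Tuple

Response = Tuple[int, Dict[str, Any]]


class OrderIntake:
    def __init__(self) -> None:
        # (customer id, purchase order number) -> order id
        self._by_po: Dict[Tuple[str, str], int] = {}
        self._orders: Dict[int, Dict[str, Any]] = {}
        self._next_id = 1

    def submit(self, customer_id: str, body: Dict[str, Any]) -> Response:
        """Validate the body and create an order, or explain why not."""
        items = body.get("items")
        # null, empty or containing null entries: reject before any processing
        if not isinstance(items, list) or not items or any(i is None for i in items):
            return 400, {"error": "items must be a non-empty list without null entries"}
        # the docs list payment_method as a list; the API expects a string
        if not isinstance(body.get("payment_method"), str):
            return 400, {"error": "payment_method must be a string"}
        po = body.get("purchase_order_number")
        if po is not None:
            if not isinstance(po, str) or not po:
                return 400, {"error": "purchase_order_number must be a non-empty string"}
            key = (customer_id, po)
            if key in self._by_po:
                # same customer, same PO number: point at the order that exists
                return 409, {"error": "purchase_order_number already used",
                             "order": self._by_po[key]}
        order_id = self._next_id
        self._next_id += 1
        if po is not None:
            self._by_po[(customer_id, po)] = order_id
        self._orders[order_id] = {"customer": customer_id, **body}
        return 201, {"order": order_id}

    def get(self, order_id: int) -> Response:
        order = self._orders.get(order_id)
        return (200, order) if order else (404, {"error": "no such order"})


if __name__ == "__main__":
    intake = OrderIntake()
    sample = {"items": [{"sku": "SAMPLE-SKU", "quantity": 2}],  # constructed
              "payment_method": "invoice",
              "purchase_order_number": "PO-100"}
    print(intake.submit("1128", sample))   # (201, {'order': 1})
    print(intake.submit("1128", sample))   # (409, ... 'order': 1)
```

Returning 409 with the existing order ID keeps the first submission authoritative; an alternative is to treat the repeat as an idempotent replay and answer 200 with the same order, which is equally safe against duplicates as long as the second request never creates a new record.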