Appearance
ETA Windows Service – Architecture & Flow Diagrams
This document covers the component architecture and sequence diagrams for the ETA (Egyptian Tax Authority) Windows Service integration with the ERP system.
Overview
The ETA integration uses a locally-installed Windows Service on the user's device to handle invoice encryption before submission to ETA.
HMAC Security Model:
- HMAC-SHA256 is used exclusively on the MFE ↔ Windows Service channel
- The HMAC secret is generated once at installer creation time — stored in the backend DB and embedded in the installer
- The MFE never holds or computes the HMAC secret — it asks the backend to generate the signature on its behalf
- The backend returns
{ xHmacSignature, xTimestamp }which the MFE passes as headers to the Windows Service - The Windows Service signs its response; the MFE does not verify it — it forwards the response header directly to the backend
- The backend recomputes and validates the HMAC using its stored secret before dispatching to ETA via a Hangfire background job
Key Components:
- ERP Frontend (MFE) – Micro Frontend served to the browser
- ERP Backend – API server, manages device configs, validates payloads, and dispatches ETA jobs
- Hangfire – Background job service; executes the actual ETA API call asynchronously
- Windows Service – Runs locally on the user's device; encrypts invoices using the embedded key material
- ETA Service – External Egyptian Tax Authority API
1. System Component Diagram
2. Device Registration & Installer Setup Flow
The user registers their device in the ERP. The backend generates the HMAC secret at this point — it is stored in the DB and embedded in the installer. It is never sent again after this.
3. Invoice Upload to ETA – Full Flow
HMAC is used only on the MFE ↔ Windows Service channel. The backend validates the Windows Service HMAC signature before dispatching a Hangfire background job to submit to ETA.
Key points:
- The MFE never touches the HMAC secret — it calls the backend to generate the request signature; the backend computes and returns
{ xHmacSignature, xTimestamp } - The MFE uses those backend-provided values as headers on the Windows Service call
- The Windows Service responds with an HMAC signature in the response header and the encrypted invoice in the body
- The MFE does not verify the HMAC — it simply forwards the Windows Service HMAC response header as a request header to the backend
- The backend recomputes and validates using its stored secret