Skip to content

ETA Windows Service – Architecture & Flow Diagrams

This document covers the component architecture and sequence diagrams for the ETA (Egyptian Tax Authority) Windows Service integration with the ERP system.


Overview

The ETA integration uses a locally-installed Windows Service on the user's device to handle invoice encryption before submission to ETA.

HMAC Security Model:

  • HMAC-SHA256 is used exclusively on the MFE ↔ Windows Service channel
  • The HMAC secret is generated once at installer creation time — stored in the backend DB and embedded in the installer
  • The MFE never holds or computes the HMAC secret — it asks the backend to generate the signature on its behalf
  • The backend returns { xHmacSignature, xTimestamp } which the MFE passes as headers to the Windows Service
  • The Windows Service signs its response; the MFE does not verify it — it forwards the response header directly to the backend
  • The backend recomputes and validates the HMAC using its stored secret before dispatching to ETA via a Hangfire background job

Key Components:

  • ERP Frontend (MFE) – Micro Frontend served to the browser
  • ERP Backend – API server, manages device configs, validates payloads, and dispatches ETA jobs
  • Hangfire – Background job service; executes the actual ETA API call asynchronously
  • Windows Service – Runs locally on the user's device; encrypts invoices using the embedded key material
  • ETA Service – External Egyptian Tax Authority API

1. System Component Diagram


2. Device Registration & Installer Setup Flow

The user registers their device in the ERP. The backend generates the HMAC secret at this point — it is stored in the DB and embedded in the installer. It is never sent again after this.


3. Invoice Upload to ETA – Full Flow

HMAC is used only on the MFE ↔ Windows Service channel. The backend validates the Windows Service HMAC signature before dispatching a Hangfire background job to submit to ETA.

Key points:

  • The MFE never touches the HMAC secret — it calls the backend to generate the request signature; the backend computes and returns { xHmacSignature, xTimestamp }
  • The MFE uses those backend-provided values as headers on the Windows Service call
  • The Windows Service responds with an HMAC signature in the response header and the encrypted invoice in the body
  • The MFE does not verify the HMAC — it simply forwards the Windows Service HMAC response header as a request header to the backend
  • The backend recomputes and validates using its stored secret

4. HMAC Security Model


5. Windows Service – Internal State & Lifecycle


6. Hangfire Job Lifecycle


7. End-to-End Setup Overview

Internal Documentation — Microtec