In order to be compliant with the french legal requirements, the POS system needs to guarantee the integrity of its data.
I have checked the work in progress by the Dolibarr community and they are doing the following to tackle this issue:
- Creation of new module called modBlockedLog to generate a real time archive of all actions regarding sales invoices and payments.
- Forced activation of this module if the country is France
- Control and log if the country is changed afterwards
- Creation of a CSV file from the modBlockedLog to be able to export an archive of this file
- Creation of a dedicated page to be able to consult this log at any time.
For ERPNext I would therefore propose to start with adding two or three new fields in a Sales Invoice Doctype (maybe Payment Entry also ?):
-
A line print: SHA256 (or more secure) of [list of all document fields + auto timestamp]
-
Chaining Hash: SHA256 (or more secure) of [line print + chaining hash of the preceding line]
-
Possibly: checksum version to be able to modify the algorithm, add or remove document fields in the future and still be able to verify the checksum.
If the country is France (or any other country with the same requirements): force a POST Request of the Chaining Hash to a log before any payment is registered in POS.
We would loose the offline capability of the POS unless another solution is found, but it will ensure that data coming from a POS are not corrupted.
My main concern is that with the current implementation, people can clear their LocalStorage and erase submitted sales invoices.
We can then have a dedicated administration page to verify that the checksum is identical in the log and in the invoice and potentially inform the Administrator that an invoice is missing.
I have found the following links to generate SHA256 hash:
https://github.com/emn178/js-sha256
https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
I am starting to implement it but would love to have some feedback on this matter since it is not trivial.
I guess it will also be of interest for people outside of France since it is a more and more current legal requirement.
Thank you.
In order to be compliant with the french legal requirements, the POS system needs to guarantee the integrity of its data.
I have checked the work in progress by the Dolibarr community and they are doing the following to tackle this issue:
For ERPNext I would therefore propose to start with adding two or three new fields in a Sales Invoice Doctype (maybe Payment Entry also ?):
A line print: SHA256 (or more secure) of [list of all document fields + auto timestamp]
Chaining Hash: SHA256 (or more secure) of [line print + chaining hash of the preceding line]
Possibly: checksum version to be able to modify the algorithm, add or remove document fields in the future and still be able to verify the checksum.
If the country is France (or any other country with the same requirements): force a POST Request of the Chaining Hash to a log before any payment is registered in POS.
We would loose the offline capability of the POS unless another solution is found, but it will ensure that data coming from a POS are not corrupted.
My main concern is that with the current implementation, people can clear their LocalStorage and erase submitted sales invoices.
We can then have a dedicated administration page to verify that the checksum is identical in the log and in the invoice and potentially inform the Administrator that an invoice is missing.
I have found the following links to generate SHA256 hash:
https://github.com/emn178/js-sha256
https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
I am starting to implement it but would love to have some feedback on this matter since it is not trivial.
I guess it will also be of interest for people outside of France since it is a more and more current legal requirement.
Thank you.