tradestation-api 0.1.0

Complete TradeStation REST API v3 wrapper for Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295

//! OAuth2 Authorization Code flow with token refresh for TradeStation API.
//!
//! TradeStation uses OAuth2 with:
//! - Authorization endpoint: `https://signin.tradestation.com/authorize`
//! - Token endpoint: `https://signin.tradestation.com/oauth/token`
//! - Access token lifetime: 20 minutes
//! - Refresh token lifetime: ~30 days
//!
//! # Flow
//!
//! 1. Build an authorization URL with [`Credentials::authorization_url`].
//! 2. User visits the URL and grants access.
//! 3. Exchange the callback code via [`exchange_code`].
//! 4. The [`Token`] auto-refreshes through [`Client::access_token`](crate::Client::access_token).

use chrono::{DateTime, Duration, Utc};
use serde::{Deserialize, Serialize};

use crate::Error;

const AUTH_URL: &str = "https://signin.tradestation.com/authorize";
const TOKEN_URL: &str = "https://signin.tradestation.com/oauth/token";

/// OAuth2 client credentials for the TradeStation API.
///
/// Obtain a `client_id` and `client_secret` from the
/// [TradeStation Developer Portal](https://developer.tradestation.com/).
///
/// # Example
///
/// ```
/// use tradestation_api::Credentials;
///
/// let creds = Credentials::new("my_client_id", "my_secret")
///     .with_redirect_uri("http://localhost:8080/callback");
/// ```
#[derive(Debug, Clone)]
pub struct Credentials {
    /// Application client ID.
    pub client_id: String,
    /// Application client secret.
    pub client_secret: String,
    /// OAuth2 redirect URI. Defaults to `http://localhost:3000/callback`.
    pub redirect_uri: String,
}

impl Credentials {
    /// Create new credentials with the default redirect URI.
    pub fn new(client_id: impl Into<String>, client_secret: impl Into<String>) -> Self {
        Self {
            client_id: client_id.into(),
            client_secret: client_secret.into(),
            redirect_uri: "http://localhost:3000/callback".to_string(),
        }
    }

    /// Override the redirect URI (builder pattern).
    pub fn with_redirect_uri(mut self, uri: impl Into<String>) -> Self {
        self.redirect_uri = uri.into();
        self
    }

    /// Build the authorization URL for the user to visit.
    ///
    /// The returned URL should be opened in a browser. After the user grants
    /// access, TradeStation redirects to `redirect_uri` with a `code` parameter.
    pub fn authorization_url(&self, scopes: &[Scope]) -> String {
        let scope_str: String = scopes
            .iter()
            .map(|s| s.as_str())
            .collect::<Vec<_>>()
            .join(" ");
        format!(
            "{}?response_type=code&client_id={}&redirect_uri={}&audience=https://api.tradestation.com&scope={}",
            AUTH_URL,
            urlencoding::encode(&self.client_id),
            urlencoding::encode(&self.redirect_uri),
            urlencoding::encode(&scope_str),
        )
    }
}

/// OAuth2 scopes controlling API access levels.
///
/// Use [`Scope::defaults`] for the most common combination.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Scope {
    /// Access to market data endpoints.
    MarketData,
    /// Read-only access to brokerage accounts.
    ReadAccount,
    /// Permission to place and manage orders.
    Trade,
    /// Access to option spread endpoints.
    OptionSpreads,
    /// Access to the Matrix order entry.
    Matrix,
    /// OpenID Connect profile scope.
    OpenId,
    /// Enables refresh tokens for offline access.
    OfflineAccess,
}

impl Scope {
    /// Return the OAuth2 scope string value.
    pub fn as_str(&self) -> &'static str {
        match self {
            Scope::MarketData => "MarketData",
            Scope::ReadAccount => "ReadAccount",
            Scope::Trade => "Trade",
            Scope::OptionSpreads => "OptionSpreads",
            Scope::Matrix => "Matrix",
            Scope::OpenId => "openid",
            Scope::OfflineAccess => "offline_access",
        }
    }

    /// Default scopes for full API access: MarketData, ReadAccount, Trade,
    /// OptionSpreads, Matrix, OpenId, OfflineAccess.
    pub fn defaults() -> Vec<Scope> {
        vec![
            Scope::MarketData,
            Scope::ReadAccount,
            Scope::Trade,
            Scope::OptionSpreads,
            Scope::Matrix,
            Scope::OpenId,
            Scope::OfflineAccess,
        ]
    }
}

/// OAuth2 token with expiration tracking.
///
/// Access tokens expire after ~20 minutes. The client automatically refreshes
/// them using the refresh token when available.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Token {
    /// The bearer access token.
    pub access_token: String,
    /// Refresh token for obtaining new access tokens.
    pub refresh_token: Option<String>,
    /// Token type (typically "Bearer").
    pub token_type: String,
    /// When the access token expires.
    pub expires_at: DateTime<Utc>,
    /// When the refresh token expires (~30 days from issue).
    pub refresh_expires_at: Option<DateTime<Utc>>,
}

impl Token {
    /// Check if the access token is expired (with 2-minute safety buffer).
    pub fn is_expired(&self) -> bool {
        Utc::now() + Duration::minutes(2) >= self.expires_at
    }

    /// Check if the refresh token is expired.
    pub fn refresh_expired(&self) -> bool {
        self.refresh_expires_at
            .is_some_and(|expires| Utc::now() >= expires)
    }

    /// Whether this token can be refreshed (has a refresh token that is not expired).
    pub fn can_refresh(&self) -> bool {
        self.refresh_token.is_some() && !self.refresh_expired()
    }
}

/// Token response from TradeStation OAuth2 endpoint.
#[derive(Debug, Deserialize)]
struct TokenResponse {
    access_token: String,
    refresh_token: Option<String>,
    token_type: String,
    expires_in: i64,
}

/// Exchange an authorization code for an access/refresh token pair.
///
/// This is step 3 of the OAuth2 flow. The `code` comes from the redirect URI
/// query parameter after the user authorizes the application.
///
/// # Errors
///
/// Returns [`Error::Auth`] if the token exchange fails.
pub async fn exchange_code(
    http: &reqwest::Client,
    credentials: &Credentials,
    code: &str,
) -> Result<Token, Error> {
    let resp = http
        .post(TOKEN_URL)
        .form(&[
            ("grant_type", "authorization_code"),
            ("code", code),
            ("client_id", &credentials.client_id),
            ("client_secret", &credentials.client_secret),
            ("redirect_uri", &credentials.redirect_uri),
        ])
        .send()
        .await?;

    if !resp.status().is_success() {
        let status = resp.status().as_u16();
        let body = resp.text().await.unwrap_or_default();
        return Err(Error::Auth(format!(
            "Token exchange failed ({status}): {body}"
        )));
    }

    let token_resp: TokenResponse = resp.json().await?;
    let now = Utc::now();

    Ok(Token {
        access_token: token_resp.access_token,
        refresh_token: token_resp.refresh_token,
        token_type: token_resp.token_type,
        expires_at: now + Duration::seconds(token_resp.expires_in),
        refresh_expires_at: Some(now + Duration::days(30)),
    })
}

/// Revoke a refresh token, invalidating it for future use.
///
/// # Errors
///
/// Returns [`Error::Auth`] if the revocation request fails.
pub async fn revoke_token(
    http: &reqwest::Client,
    credentials: &Credentials,
    token: &str,
) -> Result<(), Error> {
    let resp = http
        .post(TOKEN_URL)
        .header("Content-Type", "application/x-www-form-urlencoded")
        .form(&[
            ("token", token),
            ("token_type_hint", "refresh_token"),
            ("client_id", &credentials.client_id),
            ("client_secret", &credentials.client_secret),
        ])
        .send()
        .await?;

    if !resp.status().is_success() {
        let status = resp.status().as_u16();
        let body = resp.text().await.unwrap_or_default();
        return Err(Error::Auth(format!(
            "Token revocation failed ({status}): {body}"
        )));
    }

    Ok(())
}

/// Refresh an expired access token using the refresh token.
///
/// # Errors
///
/// Returns [`Error::Auth`] if the refresh request fails.
pub async fn refresh_token(
    http: &reqwest::Client,
    credentials: &Credentials,
    refresh_tok: &str,
) -> Result<Token, Error> {
    let resp = http
        .post(TOKEN_URL)
        .form(&[
            ("grant_type", "refresh_token"),
            ("refresh_token", refresh_tok),
            ("client_id", &credentials.client_id),
            ("client_secret", &credentials.client_secret),
        ])
        .send()
        .await?;

    if !resp.status().is_success() {
        let status = resp.status().as_u16();
        let body = resp.text().await.unwrap_or_default();
        return Err(Error::Auth(format!(
            "Token refresh failed ({status}): {body}"
        )));
    }

    let token_resp: TokenResponse = resp.json().await?;
    let now = Utc::now();

    Ok(Token {
        access_token: token_resp.access_token,
        refresh_token: token_resp.refresh_token,
        token_type: token_resp.token_type,
        expires_at: now + Duration::seconds(token_resp.expires_in),
        refresh_expires_at: Some(now + Duration::days(30)),
    })
}