Updates to SC2 Pay - Enhanced Security & Integration with Vessel!

in #steemdev, 7 years ago

Hi everyone, it's been over a month since I released my SC2 Pay project (you can read the intro post here if you're interested) and I'm really sorry it's taken me so long to put out another update!

Switched to using a browser popup window for security

In the comments of the first post a number of users quickly pointed out that my implementation presents a security issue because it's not possible to see the address bar for the SteemConnect iFrame to validate it's actually coming from steemconnect.com and not a phishing site.

They were absolutely right, and as a result I have now changed the plug-in to use a browser popup window, in which the address bar is visible, instead of a modal popup within the same browser window. It is now easy to look at the address bar and verify that the URL really is steemconnect.com.

Another big benefit of this change, aside from the increased security, is that the plug-in is now no longer dependent on jQuery or Bootstrap libraries! I am always in support of reducing dependencies so that's a big win in my opinion.

Added support for payments using Vessel!

Anyone who follows @jesta's awesome work might remember that a few months back he added support for the steem:// URI scheme into Vessel (the Steem desktop wallet software). You can read more about that here.

There are many reasons why using a desktop wallet software is more secure than copy/pasting keys into a web page, and I know some people prefer that option, so I thought it would be good to add support for it to this project so anyone using this plugin can offer both options to their users. Of course, I might have to change the name from SC2 Pay to something more generic, but I'll get to that when I get to it!

[Animated GIF: purchase_vessel.gif]

As you can see from the animated gif above, it's super smooth and just as easy as using SteemConnect, in addition to being more secure. The only drawback, from the development perspective, is that when using Vessel there is no way for the web page to know if the user cancelled the payment.

When using SteemConnect, the plug-in checks whether the popup window has been closed; that tells it the user has cancelled the payment, so it can stop checking whether the payment went through and/or show some type of "payment cancelled" message to the user. When using Vessel, if the payment isn't made, the code just keeps checking for 2 minutes and then stops.
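The two front-end behaviours described above, the popup-with-visible-address-bar flow with its "window closed" cancel signal and the Vessel flow with only a 2-minute timeout, are shown together in the following added example. It is not the SC2 Pay plug-in's own code; the SteemConnect origin, the popup window features and the `checkPaid` callback are assumptions, and the polling logic is written as a tick-driven state machine so it can be exercised outside a browser.

```javascript
// Added example, not the SC2 Pay plug-in's own code. The SteemConnect origin
// and the popup window features are assumptions; adjust them to your setup.
const STEEMCONNECT_ORIGIN = "https://steemconnect.com";
const DEFAULT_TIMEOUT_MS = 2 * 60 * 1000; // the post's 2-minute give-up window

// Refuse to open anything whose origin is not SteemConnect, so a mis-set
// config value cannot silently point the payment popup at another host.
// This compares the parsed URL origin, not a substring, so a lookalike such
// as "steemconnect.com.example" or a plain-http URL does not pass.
function assertSteemConnectUrl(url) {
  const parsed = new URL(url);
  if (parsed.origin !== STEEMCONNECT_ORIGIN) {
    throw new Error(`Refusing to open non-SteemConnect URL: ${parsed.origin}`);
  }
  return parsed.href;
}

// Tick-driven poll state machine, kept free of timers so it can be tested
// without a browser. isCancelled() reports whether the popup was closed
// (always false for Vessel, which gives the page no cancel signal), and
// checkPaid() is the caller's own transfer lookup.
function createPaymentPoll({ startedAt, timeoutMs = DEFAULT_TIMEOUT_MS, isCancelled, checkPaid }) {
  let state = "pending";
  return {
    get state() { return state; },
    tick(nowMs) {
      if (state !== "pending") return state;      // terminal states are sticky
      if (checkPaid()) state = "paid";            // a payment beats a closed window
      else if (isCancelled()) state = "cancelled";
      else if (nowMs - startedAt >= timeoutMs) state = "timeout";
      return state;
    },
  };
}

// Drive a poll with setInterval; resolves with the terminal state.
function runPoll(poll, intervalMs) {
  return new Promise((resolve) => {
    const timer = setInterval(() => {
      const s = poll.tick(Date.now());
      if (s !== "pending") { clearInterval(timer); resolve(s); }
    }, intervalMs);
  });
}

// SteemConnect flow: a real popup window (address bar visible) whose
// `closed` flag doubles as the cancel signal.
function startSteemConnectPayment(signUrl, checkPaid, intervalMs = 2000) {
  const href = assertSteemConnectUrl(signUrl);
  const popup = window.open(href, "sc2pay", "width=500,height=650,location=yes");
  if (!popup) throw new Error("Popup blocked by the browser");
  return runPoll(createPaymentPoll({
    startedAt: Date.now(), isCancelled: () => popup.closed, checkPaid,
  }), intervalMs);
}

// Vessel flow: the steem:// link hands off to the desktop wallet and there is
// nothing to watch, so the poll can only end in "paid" or "timeout".
function startVesselPayment(checkPaid, intervalMs = 2000) {
  return runPoll(createPaymentPoll({
    startedAt: Date.now(), isCancelled: () => false, checkPaid,
  }), intervalMs);
}
```

`checkPaid` is whatever lookup the page uses to see the transfer; a "paid" result from it is still only a hint to the front end, and the decision to deliver belongs to the server-side check described in the next section.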

Verify all transactions on the back-end

As I mentioned in the last post - you should NEVER trust a front-end callback as a completed purchase. You can pass the information from the front-end callback to your own server-side code to independently validate that the transaction actually took place before delivering any products. It's not included in the scope of this project, but I'm always available if you need any help with that!
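What that server-side validation looks like, as an added example that is not part of this project: the callback payload only tells the server which order (memo), recipient and amount to look for, and the decision to deliver is made from the recipient's on-chain transfer history. The entry shape assumed below is that of Steem's `get_account_history` result, and fetching it, together with the last irreversible block number, from a node is left to the caller; the irreversibility check goes slightly beyond the post's text, since a transfer in a block that can still be reverted is not yet a completed purchase.

```javascript
// Added example, not the SC2 Pay project's code. The history entries are
// assumed to have the shape returned by Steem's get_account_history call:
// [index, { block, trx_id, op: ["transfer", { from, to, amount, memo }] }].
// Fetching them (and last_irreversible_block_num) from a node is left to the
// caller; this file only shows the decision logic.

// Parse "3.000 SBD" into integer thousandths plus symbol so amounts are
// compared exactly rather than as floating point.
function parseAmount(amount) {
  const m = /^(\d+)\.(\d{3}) (STEEM|SBD)$/.exec(amount);
  if (!m) throw new Error(`Unexpected amount format: ${amount}`);
  return { units: Number(m[1]) * 1000 + Number(m[2]), symbol: m[3] };
}

// Scan the recipient's history for a transfer matching every field of the
// expected payment. The memo carries the shop's order id, which is what ties
// an on-chain transfer to one purchase; recipient, symbol and amount must
// match too (overpayment is accepted, underpayment is not).
function findMatchingTransfer(history, expected, lastIrreversibleBlock) {
  const want = parseAmount(expected.amount);
  for (const [, entry] of history) {
    const [type, data] = entry.op;
    if (type !== "transfer") continue;
    if (data.to !== expected.to || data.memo !== expected.memo) continue;
    if (expected.from && data.from !== expected.from) continue;
    const got = parseAmount(data.amount);
    if (got.symbol !== want.symbol || got.units < want.units) continue;
    return {
      trxId: entry.trx_id,
      from: data.from,
      block: entry.block,
      irreversible: entry.block <= lastIrreversibleBlock,
    };
  }
  return null;
}

// The front-end callback only tells the server which order to look for; the
// deliver/don't-deliver decision rests on chain data alone. `deliveredTrx` is
// the shop's own record of transfers already redeemed, so one transfer cannot
// unlock the same order twice.
function verifyPayment(history, claimed, lastIrreversibleBlock, deliveredTrx = new Set(), requireIrreversible = true) {
  const match = findMatchingTransfer(history, claimed, lastIrreversibleBlock);
  if (!match) return { ok: false, reason: "no matching transfer on chain" };
  if (deliveredTrx.has(match.trxId)) return { ok: false, reason: "transfer already redeemed", match };
  if (requireIrreversible && !match.irreversible) return { ok: false, reason: "transfer not yet irreversible", match };
  return { ok: true, match };
}

// Constructed sample history (not real chain data) for trying the functions.
const SAMPLE_HISTORY = [
  [10, { block: 20000100, trx_id: "tx-a", op: ["transfer", { from: "alice", to: "shop", amount: "3.000 SBD", memo: "order-1001" }] }],
  [11, { block: 20000150, trx_id: "tx-b", op: ["transfer", { from: "bob", to: "shop", amount: "1.000 SBD", memo: "order-1002" }] }],
  [12, { block: 20000160, trx_id: "tx-c", op: ["vote", { voter: "carol", author: "shop", permlink: "update", weight: 10000 }] }],
];

// Example decision for the callback payload { to: "shop", amount: "3.000 SBD", memo: "order-1001" }
// with last irreversible block 20000120: ok is true and match.trxId is "tx-a".
```

The memo is the only field the buyer controls that links a transfer to an order, so order ids should be unguessable (or at least unique per purchase) and the comparison should be exact; the `deliveredTrx` set is what stops a single transfer from being presented twice.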

Please send me your feedback!

As I mentioned, I received some great feedback on my initial post about this, which has led to the changes made here...but I'm sure there are more things I could do better, so please let me know in the comments or feel free to submit an issue or pull request to the GitHub repo!

Overall my hope is that this add-on can help more third party sites and services accept STEEM and SBD payments in as seamless and user-friendly a way as users are used to with other traditional payment methods.

Last, but not least, here is the link to the project on GitHub and relevant commits:


Looks really cool with the popup and Vessel integration :) Well done on the update! You could even make things lighter and easier to integrate if you get rid of sc2.min.js and steem.min.js, you don't need the encryption libraries embedded in steem.js and sc2.min.js is only used for these lines: https://github.com/steemit/steemconnect-sdk/blob/2d91c5cd025b17d236c95b9a36f898d56fcfe1af/src/sc2.js#L206-L211
Also does it check for irreversible block?

It doesn't check for irreversible block - that's a great idea so I'll have to look into that. Also good points on further reducing the dependencies, will also add that to the list! Thanks for the feedback and support as well as all the great work you do on SteemConnect and Busy!

I recently found out about Vessel and am going to have to look into using it. The world of code and apps is still pretty foreign to me. However, it seems Vessel can make life a little easier.

Thank you,
Spencer Coffman

I have a question:

You should NEVER trust a front-end callback as a completed purchase.

That means if I want to integrate with a service, I have to call "checkSteemTransfer" in backend again. Is that duplicated? Why don't I just keep calling an api in which I check the transfer? Usually when we use a payment service, like stripe, they provide both "callback" and "webhook" api. I hope we can change to that.

Yes, this is only a front-end SDK right now, it is not a full end-to-end payment service and requires additional validation on the server-side.

You got a 23.65% upvote from @postpromoter courtesy of @postpromoter!

Want to promote your posts too? Check out the Steem Bot Tracker website for more info. If you would like to support the development of @postpromoter and the bot tracker please vote for @yabapmatt for witness!

I am very interested in projects that allow people to use Steem in more ways. SC2 seems like it could be huge for the platform. I will be following closely!

Great post...
Thanks for sharing...

A successful project with more features and more safety, I wish it wins everyone's trust, I wish you more success for your project.
Thanks for sharing, good luck my dear friend @yabapmatt
All the best for you.

These are some amazing updates. Steembottracker is making a difference in all of our Steemit experiences. Thank you!

Hi @yabapmatt
Sorry for writing this here.

I want to ask you, what if a voting bot doesn't upvote post after taking money?

I use steembottracker.com, I sent 3SBD to @appreciator 1 hour ago for my dmania post.
But I couldn't get an upvote although the voting round is over. They finished voting but they didn't vote my post. My post was listed in the voting round. But not voted... They also didn't vote 3 other posts except mine... And you know there is not any contact method...

They are taking money. Then making a mistake or so... That's all.
We can't even contact them... Commented on their blog posts but no reply... Also 1 SBD has gone for @sneaky-ninja yesterday. Of course they did not refund back too.

It's unfair.

[Image: waiting votes.png]