Bitcoin Forum
Author Topic: Website integration for bitcoin  (Read 10302 times)
martin (OP), Full Member
July 15, 2010, 01:09:23 AM  #1

I've been working on a project inspired by a suggestion (and the offer of a bounty) over from another thread. I thought I should stop derailing that thread and start my own project thread.

Basically, the idea of the project is an easy way for websites to integrate bitcoin payment. How it works is the user runs a website on their local machine, which is only accessible to them, then when the shop wants a user to pay some money, they simply send them to this local site, which handles sending the money and then redirects back to the shop site to finish the transaction.

So at the moment, I have a test of this running on my PC, visiting this URL:

http://127.0.0.1:8080/BitcoinSalepoint/LandingPage?continue=http://www.google.co.uk&paymentname=testaddress&address=1DoMXge6kToHZN8m4B2my43anCPbD4rJgE&amount=0.25

will simply send 0.25BC to my laptop from my PC, and then redirect me to google.

My todo list:
-> Add some stylesheets for prettiness
-> Add a confirm/deny button
-> Add a way to communicate to the shop if the transaction succeeded or failed (mostly done)
-> Look into packaging the program up into a simple executable which you can run instead of bitcoin, and it will run in the background and kill itself when the bitcoin process dies.

Suggestions (and donations) very welcome.
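The landing-page flow above sends coins as soon as the URL is opened, and the to-do list already calls for a confirm/deny button. The following is an added example, not martin's code or any code from this thread, of how that local "salepoint" can be structured so that the GET request only validates and records a pending payment, and nothing is sent until a separate confirmation carrying a one-time token arrives. The wallet is an in-memory stub (FakeWallet) so the file runs offline; PaymentGateway, Pending and the sample address (the genesis-block address, used only because its Base58Check checksum is known to be valid) are assumptions of the example.

```python
# Added example, not from the thread: GET prepares a payment, a separate
# confirmation with a one-time token actually sends it.  FakeWallet stands in
# for the client's JSON-RPC so this runs offline.
import hashlib
import secrets
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlparse

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SATOSHI = Decimal("0.00000001")


def is_valid_address(addr: str) -> bool:
    """Base58Check: 25 bytes whose last 4 equal sha256(sha256(first 21))[:4]."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    leading = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    payload = b"\x00" * leading + body
    if len(payload) != 25:
        return False
    check = hashlib.sha256(hashlib.sha256(payload[:21]).digest()).digest()[:4]
    return check == payload[21:]


class FakeWallet:
    """Stand-in for the client's RPC: records what would have been sent."""

    def __init__(self, balance: str):
        self.balance = Decimal(balance)
        self.sent = []  # list of (address, amount)

    def sendtoaddress(self, addr: str, amount: Decimal) -> str:
        if amount > self.balance:
            raise ValueError("insufficient funds")
        self.balance -= amount
        self.sent.append((addr, amount))
        return secrets.token_hex(32)  # constructed txid, not a real one


@dataclass
class Pending:
    address: str
    amount: Decimal
    continue_url: str
    name: str


class PaymentGateway:
    """Hypothetical local handler: landing() never sends, confirm() does."""

    def __init__(self, wallet):
        self.wallet = wallet
        self.pending = {}  # one-time token -> Pending

    def landing(self, query: str):
        """Validate the GET parameters and park the request behind a token."""
        q = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
        address = q.get("address", "")
        if not is_valid_address(address):
            raise ValueError("bad address")
        try:
            amount = Decimal(q.get("amount", ""))
        except InvalidOperation:
            raise ValueError("bad amount")
        # finite, positive, and representable in whole satoshis
        if not amount.is_finite() or amount <= 0 or amount != amount.quantize(SATOSHI):
            raise ValueError("bad amount")
        cont = q.get("continue", "")
        if urlparse(cont).scheme not in ("http", "https"):
            raise ValueError("bad continue url")
        token = secrets.token_urlsafe(32)  # unguessable, shown only on the confirm page
        self.pending[token] = Pending(address, amount, cont, q.get("paymentname", ""))
        return token, self.pending[token]

    def _redirect(self, p: Pending, status: str) -> str:
        sep = "&" if urlparse(p.continue_url).query else "?"
        return f"{p.continue_url}{sep}status={status}"

    def confirm(self, token: str) -> str:
        """Send only for a token we issued; the token is consumed (no replay)."""
        p = self.pending.pop(token, None)
        if p is None:
            raise PermissionError("unknown or already used token")
        txid = self.wallet.sendtoaddress(p.address, p.amount)
        return self._redirect(p, "paid") + f"&txid={txid}"

    def deny(self, token: str) -> str:
        p = self.pending.pop(token, None)
        if p is None:
            raise PermissionError("unknown or already used token")
        return self._redirect(p, "cancelled")
```

Because the token is generated locally and only ever rendered on the confirmation page, a third-party site can send the browser to the landing URL but cannot complete the payment on its own; the user must click through, which is the confirm/deny step from the to-do list.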
theymos, Administrator
July 15, 2010, 02:18:12 AM  #2

Don't use 8080. Freenet Message System uses that port by default (on localhost), and I expect that there are a lot of FMS users here. It's also a registered port. I suggest using a port that isn't listed here.

martin (OP), Full Member
July 15, 2010, 02:39:41 AM  #3

Good point! I hadn't thought about that, as 8080 is just the default test port. I'll see about changing to port 18011 tomorrow.
Bitcoiner, Member
July 15, 2010, 06:02:42 PM  #4

Hey Martin,

"Look into packaging the program up into a simple executable which you can run instead of bitcoin, and it will run in the background and kill itself when the bitcoin process dies."

My only concern with this is that we need to open the JSON API, which is insecure. So easy for a trojan to wipe out a user's wallet.

If this feature were embedded directly within Bitcoin, there would be no need to open the JSON API, and security measures could be taken (such as a captcha to be entered before a pay could be fired, or a password).

I am not, however, a security expert. What do you think?

Bitcoiner, Member
July 15, 2010, 06:03:52 PM  #5

And alternatively, the JSON API itself can be password secured; would there be a man in the middle attack possible, though?

Lots of security issues to address, but great stuff. I can't wait to see this in action!

lachesis, Full Member
July 15, 2010, 06:52:13 PM  #6

The JSON-API definitely needs some sort of security features. On Linux, you can use iptables to restrict the users who can access it, but that's hardly secure. If I want to access it from my website backend, then whatever user runs my httpd needs to be able to access it, and that's the user most likely to be compromised on my server!

Of course, a password wouldn't help that scenario too much, since the password would just be another variable in django's settings.py for an attacker to read, but still, it beats a blank!

martin (OP), Full Member
July 15, 2010, 07:42:43 PM  #7

This is definitely a temporary solution; ideally this functionality would be built into the client itself.

A temporary solution could be to use a password which the user has to enter: the website connects to the bitcoin client (via https), the user enters a password to prove their identity, and only then will everything work. However, that requires https support from the client. Either way, the client needs some work to make anything like this properly secure.

Of course, for now, bitcoin probably isn't popular enough to be targeted by a trojan.
Anonymous, Guest
July 16, 2010, 03:21:59 AM  #8

Quote
This is definitely a temporary solution; ideally this functionality would be built into the client itself.

A temporary solution could be to use a password which the user has to enter: the website connects to the bitcoin client (via https), the user enters a password to prove their identity, and only then will everything work. However, that requires https support from the client. Either way, the client needs some work to make anything like this properly secure.

Of course, for now, bitcoin probably isn't popular enough to be targeted by a trojan.

Thanks for this martin. If it works as easily as copying and pasting code from PayPal onto my site, you will have an Amazon gift card coming your way.
Anonymous, Guest
July 16, 2010, 03:24:58 AM  #9
Last edit: July 16, 2010, 03:39:36 AM by noagendamarket

Quote
This is definitely a temporary solution; ideally this functionality would be built into the client itself.

A temporary solution could be to use a password which the user has to enter: the website connects to the bitcoin client (via https), the user enters a password to prove their identity, and only then will everything work. However, that requires https support from the client. Either way, the client needs some work to make anything like this properly secure.

Of course, for now, bitcoin probably isn't popular enough to be targeted by a trojan.

Security through obscurity?


3 things I can think of:
- Allow sellers to specify the value of their goods and services easily.
- Have a message section for the buyers when making payment to allow for such things as contact details and postage etc.
- Ping bitmarket for the latest exchange prices to allow automatic conversion between currencies.
martin (OP), Full Member
July 16, 2010, 01:09:20 PM  #10
Last edit: July 16, 2010, 01:24:08 PM by martin

I'm not certain how paypal is integrated into your site, but it should be fairly easy - simply direct the user to the payment address, then wait for them to come back to your site and when they do check that you've received payment off them.

The current problem I'm facing is that there is no way to identify who a transaction came from (and, in fact, there is no way to even get a list of transactions in JSON at the moment). This makes it very difficult to confirm that a person actually sent the payment, which is of course completely unacceptable for a commerce application. If I can't find a solution to this I'll have to make some requests to satoshi and wait until he updates the client with some new features.

Quote
Security through obscurity?

It's terrible, I know, but the only other option is to request changes to the client and wait until they get implemented.

Edit: Anyone out there any good at doing stylesheets? I can make them, but I'm not great at it.
BitLex, Hero Member
July 16, 2010, 01:42:59 PM  #11

Quote
The current problem I'm facing is that there is no way to identify who a transaction came from (and, in fact, there is no way to even get a list of transactions in JSON at the moment). This makes it very difficult to confirm that a person actually sent the payment, which is of course completely unacceptable for a commerce application. If I can't find a solution to this I'll have to make some requests to satoshi and wait until he updates the client with some new features.
You could still create a new address for any transaction; if only one person knows that address, it's pretty obvious where the bitcoins came from.

True that you can't get a list of all transactions from JSON yet, but you can get received credits by addresses, or labels. No need to know about generated coins on a payment system, or about sending, when your system is only supposed to accept payments.
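BitLex's suggestion is the standard pattern: one fresh address per invoice, so "who paid" follows from "which address received". The block below is an added example written for this thread, not BitLex's or martin's code. It uses the Bitcoin JSON-RPC method names getnewaddress and getreceivedbyaddress (the latter takes a minimum-confirmation count), but the RPC object here is an in-memory stub so it runs offline; Invoice, InvoiceBook and the constructed address strings are assumptions of the example.

```python
# Added example, not from the thread: per-invoice addresses and a status check
# that reads receipts per address instead of needing a transaction list.
import itertools
from dataclasses import dataclass
from decimal import Decimal


class StubRpc:
    """Offline stand-in for bitcoind's getnewaddress / getreceivedbyaddress."""

    def __init__(self):
        self._counter = itertools.count(1)
        self._received = {}  # address -> list of [amount, confirmations]

    def getnewaddress(self, label: str = "") -> str:
        # Constructed placeholder string, not a real address.
        addr = f"1Constructed{next(self._counter):03d}"
        self._received[addr] = []
        return addr

    def getreceivedbyaddress(self, addr: str, minconf: int = 1) -> Decimal:
        # Real bitcoind sums only receipts with at least minconf confirmations.
        return sum((a for a, c in self._received.get(addr, []) if c >= minconf),
                   Decimal(0))

    # test hooks standing in for the network delivering and confirming a payment
    def fake_payment(self, addr: str, amount: str, confirmations: int = 0):
        self._received[addr].append([Decimal(amount), confirmations])

    def mature(self, addr: str, confirmations: int = 6):
        for entry in self._received[addr]:
            entry[1] = confirmations


@dataclass
class Invoice:
    invoice_id: str
    address: str
    amount: Decimal
    status: str = "unpaid"


class InvoiceBook:
    """Hypothetical shop-side ledger: one address per invoice, polled for receipts."""

    def __init__(self, rpc, minconf: int = 1):
        self.rpc = rpc
        self.minconf = minconf
        self.invoices = {}

    def create(self, invoice_id: str, amount: str) -> Invoice:
        # The label ties the address back to the invoice inside the wallet too.
        address = self.rpc.getnewaddress(label=invoice_id)
        inv = Invoice(invoice_id, address, Decimal(amount))
        self.invoices[invoice_id] = inv
        return inv

    def check(self, invoice_id: str) -> str:
        """Return 'paid', 'pending', 'underpaid' or 'unpaid' for the invoice."""
        inv = self.invoices[invoice_id]
        confirmed = self.rpc.getreceivedbyaddress(inv.address, self.minconf)
        seen = self.rpc.getreceivedbyaddress(inv.address, 0)
        if confirmed >= inv.amount:
            inv.status = "paid"
        elif seen >= inv.amount:
            inv.status = "pending"    # visible but below the confirmation threshold
        elif seen > 0:
            inv.status = "underpaid"
        else:
            inv.status = "unpaid"
        return inv.status
```

The shop only needs to know which address it handed out and how much arrived there; it never has to inspect generated coins or outgoing payments, which is exactly the point made above. The minconf threshold is what separates "the payment is visible" from "the payment is settled enough to ship".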

Quantumplation, Sr. Member
July 16, 2010, 02:02:55 PM  #12

It's a good temporary solution, and the only drawback I can see is that it requires a different/separate install, as opposed to just being something server-side.  Granted, I can't come up with an alternative either, but it IS a bit of barrier-to-entry for some people.

martin (OP), Full Member
July 16, 2010, 02:09:09 PM  #13

Quote
The current problem I'm facing is that there is no way to identify who a transaction came from (and, in fact, there is no way to even get a list of transactions in JSON at the moment). This makes it very difficult to confirm that a person actually sent the payment, which is of course completely unacceptable for a commerce application. If I can't find a solution to this I'll have to make some requests to satoshi and wait until he updates the client with some new features.
You could still create a new address for any transaction; if only one person knows that address, it's pretty obvious where the bitcoins came from.

Absolutely, I realised a while after posting that you can simply have a unique address per transaction.

Quote
It's a good temporary solution, and the only drawback I can see is that it requires a different/separate install, as opposed to just being something server-side. Granted, I can't come up with an alternative either, but it IS a bit of a barrier to entry for some people.

It is, I hope that ultimately this is just a proof of concept, and once it's shown to work it can be integrated into the client (using the same port and URLs).
Quantumplation, Sr. Member
July 16, 2010, 02:14:24 PM  #14

Quote
It is, I hope that ultimately this is just a proof of concept, and once it's shown to work it can be integrated into the client (using the same port and URLs).

*nods*  It's a good initiative, and ANY development in the interest of bitcoins right now is good development.

satoshi, Founder, Sr. Member
July 16, 2010, 06:23:04 PM  #15

I've been trying to encourage someone to write and release some sample Python code showing the recommended way to do the typical accounting stuff, but to no avail.  It would be nice if you didn't have to re-invent the wheel like you're doing here.  Search on getnewaddress and you should find a thread where I gave a small fragment of sample pseudocode.
martin (OP), Full Member
July 16, 2010, 09:15:10 PM  #16

Thanks Satoshi, I found those threads. However, those threads seem to be addressing the server side as far as I can see. I'm trying to address the client side of the problem by presenting a webpage to the user with a simple confirm or cancel button like paypal, that way the user doesn't have to switch to the bitcoin client to send payment.

Is there any chance of adding some extra security to the JSON API? A simple password is all that's needed for now I should think (and possibly a check to make sure that the API can be connected to from the localhost)?
Insti, Sr. Member
July 16, 2010, 10:05:52 PM  #17

Quote
Thanks Satoshi, I found those threads. However, those threads seem to be addressing the server side as far as I can see. I'm trying to address the client side of the problem by presenting a webpage to the user with a simple confirm or cancel button like paypal, that way the user doesn't have to switch to the bitcoin client to send payment.

You sound like you want to be integrating with the https://www.mybitcoin.com/ guys.
martin (OP), Full Member
July 16, 2010, 11:49:47 PM  #18

Nope, because mybitcoin requires that you trust the website, which partly defeats the point of bitcoin in the first place - every node is a bank, I'm trying to build a convenient interface for you to use your coins directly from a web interface.
gazoakley, Newbie
July 18, 2010, 10:04:04 AM  #19

Isn't the actual sending better handled by the BitCoin interface itself? There's been some talk on here about a URI schema for BitCoin (similar to the idea used by apps like Spotify/iTunes) that allows a link to launch the BitCoin interface pre-filled with address/amount information. It could be web based, but that opens up all kinds of attack vectors that need to be secured. Possible to do, but personally I'd feel better seeing the BitCoin UI pop up asking for confirmation, knowing that some XSS attack isn't going to steal my coins.
martin (OP), Full Member
July 18, 2010, 08:11:19 PM  #20

Well, what I'm proposing is basically an HTML bitcoin interface. Eventually it should be built into the bitcoin client, and there would be no difference at all between using the bitcoin interface and the web interface, except that you don't need to leave the browser.