BitcoinTalk

Website integration for bitcoin

#1
From:
martin
Subject:
Website integration for bitcoin
Date:
I've been working on a project inspired by a suggestion (and the offer of a bounty ;) ) in another thread. I thought I should stop derailing that thread and start my own project thread.

Basically, the idea of the project is an easy way for websites to integrate bitcoin payment. How it works is the user runs a website on their local machine, which is only accessible to them, then when the shop wants a user to pay some money, they simply send them to this local site, which handles sending the money and then redirects back to the shop site to finish the transaction.

So at the moment, I have a test of this running on my PC, visiting this URL:

http://127.0.0.1:8080/BitcoinSalepoint/LandingPage?continue=http://www.google.co.uk&paymentname=testaddress&address=1DoMXge6kToHZN8m4B2my43anCPbD4rJgE&amount=0.25

will simply send 0.25BC to my laptop from my PC, and then redirect me to google.

My todo list:
-> Add some stylesheets for prettiness
-> Add a confirm/deny button
-> Add a way to communicate to the shop if the transaction succeeded or failed (mostly done)
-> Look into packaging the program up into a simple executable which you can run instead of bitcoin, and it will run in the background and kill itself when the bitcoin process dies.

Suggestions (and donations) very welcome :)
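The landing-page URL above takes the address, the amount and the shop's return URL straight from the query string, so the local salepoint should validate all three before it touches the wallet. The following is an added example, not martin's code: it checks the address with Base58Check (version byte 0x00 is assumed for the "1..." addresses of the period), the amount as a positive decimal with at most eight places and not above the 21 million cap, and `continue` as an absolute http(s) URL. Parameter names follow the URL in the post; the port 18011, the shop hostname and the dummy 20-byte hash in `main()` are placeholders constructed for the example.

```python
"""Validate the query parameters of a local salepoint landing URL.

Added example (not the thread's code). Assumptions: parameter names follow
the URL in the post; a payment address is Base58Check with version byte
0x00; amounts have at most 8 decimal places and never exceed 21,000,000;
the shop's return URL must be an absolute http(s) URL. The address used in
main() is built from a dummy 20-byte hash, not a real one.
"""
import hashlib
from decimal import Decimal, InvalidOperation
from typing import Optional
from urllib.parse import parse_qs, urlparse

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(data: bytes) -> bytes:
    """First 4 bytes of double SHA-256, as Base58Check uses."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def base58check_encode(version: bytes, payload: bytes) -> str:
    raw = version + payload
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    # Each leading zero byte is represented by a leading '1'.
    leading = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading + digits


def base58check_decode(text: str) -> Optional[bytes]:
    """Return version+payload, or None if a character or the checksum is bad."""
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading = len(text) - len(text.lstrip("1"))
    raw = b"\x00" * leading + body
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        return None
    return raw[:-4]


def is_valid_p2pkh_address(address: str) -> bool:
    data = base58check_decode(address)
    return data is not None and len(data) == 21 and data[0] == 0x00


def parse_landing_request(url: str) -> dict:
    """Return {'address', 'amount', 'continue'} or raise ValueError."""
    params = parse_qs(urlparse(url).query)

    def single(name: str) -> str:
        values = params.get(name, [])
        if len(values) != 1:  # missing or duplicated parameters are rejected
            raise ValueError(f"expected exactly one {name!r} parameter")
        return values[0]

    address = single("address")
    if not is_valid_p2pkh_address(address):
        raise ValueError("address failed Base58Check validation")
    try:
        amount = Decimal(single("amount"))
    except InvalidOperation:
        raise ValueError("amount is not a decimal number") from None
    if not amount.is_finite() or amount <= 0 or amount > 21_000_000:
        raise ValueError("amount must be positive and below the 21M cap")
    if amount.as_tuple().exponent < -8:
        raise ValueError("amount has more than 8 decimal places")
    target = urlparse(single("continue"))
    if target.scheme not in ("http", "https") or not target.netloc:
        raise ValueError("continue must be an absolute http(s) URL")
    return {"address": address, "amount": amount, "continue": target.geturl()}


def landing_request_error(url: str) -> Optional[str]:
    """None when the request is acceptable, otherwise the reason it was refused."""
    try:
        parse_landing_request(url)
    except ValueError as exc:
        return str(exc)
    return None


def main() -> None:
    dummy_hash = bytes(range(20))  # constructed stand-in for a HASH160
    address = base58check_encode(b"\x00", dummy_hash)
    base = "http://127.0.0.1:18011/BitcoinSalepoint/LandingPage?"
    good = base + f"continue=http://shop.example/return&address={address}&amount=0.25"
    for url in (good, good.replace("amount=0.25", "amount=-1"),
                good.replace("http://shop.example/return", "javascript:alert(1)")):
        print(landing_request_error(url) or "ok")


if __name__ == "__main__":
    main()
```

The `continue` check matters because the local page redirects the browser wherever that parameter points; with a confirm button in front of the payment, a bad `continue` is an open redirect rather than a theft, but it should still be refused.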
#2
From:
theymos
Subject:
Re: Website integration for bitcoin
Date:
Don't use 8080. Freenet Message System uses that port by default (on localhost), and I expect that there are a lot of FMS users here. It's also a registered port. I suggest using a port that isn't listed here.
#3
From:
martin
Subject:
Re: Website integration for bitcoin
Date:
Good point! I hadn't thought about that as 8080 is just the default test port. I'll see about changing to port 18011 tomorrow :)
#4
From:
Bitcoiner
Subject:
Re: Website integration for bitcoin
Date:
Hey Martin,

"Look into packaging the program up into a simple executable which you can run instead of bitcoin, and it will run in the background and kill itself when the bitcoin process dies."

My only concern with this is that we need to open the JSON API, which is insecure. So easy for a trojan to wipe out a user's wallet.

If this feature were embedded directly within Bitcoin, there would be no need to open the JSON API, and security measures could be taken (such as a captcha to be entered before a pay could be fired, or a password).

I am not, however, a security expert. What do you think?
#5
From:
Bitcoiner
Subject:
Re: Website integration for bitcoin
Date:
And alternatively, the JSON API itself can be password secured; would there be a man in the middle attack possible, though?

Lots of security issues to address, but great stuff. I can't wait to see this in action!
#6
From:
lachesis
Subject:
Re: Website integration for bitcoin
Date:
The JSON-API definitely needs some sort of security features. On Linux, you can use iptables to restrict the users who can access it, but that's hardly secure. If I want to access it from my website backend, then whatever user runs my httpd needs to be able to access it, and that's the user most likely to be compromised on my server!

Of course, a password wouldn't help that scenario too much, since the password would just be another variable in django's settings.py for an attacker to read, but still, it beats a blank!
#7
From:
martin
Subject:
Re: Website integration for bitcoin
Date:
This is definitely a temporary solution, ideally this functionality would be built into the client itself.

A temporary solution could be to use a password which the user has to enter, that way the website connects to the bitcoin client (via https), the user enters a password to prove their identity and only then everything will work. However, that requires https support from the client - either way the client needs some work to make anything like this properly secure.

Of course, for now, bitcoin probably isn't popular enough to be targeted by a trojan.
#8
From:
Anonymous
Subject:
Re: Website integration for bitcoin
Date:
Quote
This is definitely a temporary solution, ideally this functionality would be built into the client itself.

A temporary solution could be to use a password which the user has to enter, that way the website connects to the bitcoin client (via https), the user enters a password to prove their identity and only then everything will work. However, that requires https support from the client - either way the client needs some work to make anything like this properly secure.

Of course, for now, bitcoin probably isn't popular enough to be targeted by a trojan.

Thanks for this martin. If it works as easily as copying and pasting code from PayPal onto my site you will have an Amazon gift card coming your way :D
#9
From:
Anonymous
Subject:
Re: Website integration for bitcoin
Date:
Quote
This is definitely a temporary solution, ideally this functionality would be built into the client itself.

A temporary solution could be to use a password which the user has to enter, that way the website connects to the bitcoin client (via https), the user enters a password to prove their identity and only then everything will work. However, that requires https support from the client - either way the client needs some work to make anything like this properly secure.

Of course, for now, bitcoin probably isn't popular enough to be targeted by a trojan.

Security through obscurity?

Three things I can think of:
- Allow sellers to specify the value of their goods and services easily.
- Have a message section for the buyers when making payment to allow for such things as contact details and postage etc.
- Ping bitmarket for the latest exchange prices to allow automatic conversion between currencies.
#10
From:
martin
Subject:
Re: Website integration for bitcoin
Date:
I'm not certain how paypal is integrated into your site, but it should be fairly easy - simply direct the user to the payment address, then wait for them to come back to your site and when they do check that you've received payment off them.

The current problem I'm facing is that there is no way to identify who a transaction came from (and, in fact, there is no way to even get a list of transactions in json at the moment), this makes it very difficult to confirm that a person actually sent the payment - which is of course completely unacceptable for a commerce application. If I can't find a solution to this I'll have to make some requests to satoshi and wait until he updates the client with some new features.

Quote
Security through obscurity?

It's terrible, I know, but the only other option is to request changes to the client and wait until they get implemented.

Edit: Anyone out there any good at doing stylesheets? I can make them, but I'm not great at it
#11
From:
BitLex
Subject:
Re: Website integration for bitcoin
Date:
Quote
The current problem I'm facing is that there is no way to identify who a transaction came from (and, in fact, there is no way to even get a list of transactions in json at the moment), this makes it very difficult to confirm that a person actually sent the payment - which is of course completely unacceptable for a commerce application. If I can't find a solution to this I'll have to make some requests to satoshi and wait until he updates the client with some new features.
You could still create a new address for any transaction;
if only one person knows that address, it's pretty obvious where the bitcoins came from.

True that you can't get a list of all transactions from JSON yet, but you can get received credits by address, or by label;
no need to know about generated coins on a payment system, or about sending, when your system is only supposed to accept payments.
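One fresh address per order, as BitLex suggests, is what makes a payment attributable using only the calls the JSON-RPC already exposes. The following is an added example, not code from the thread or from the bitcoin client: it issues an address per order with `getnewaddress`, records it against the shop's own order id, and decides "paid" by asking the client for `getreceivedbyaddress` at a chosen `minconf`, rather than trusting the redirect back from the local page. The small `BitcoinRPC` class assumes the client accepts JSON-RPC over HTTP with Basic auth for an rpcuser/rpcpassword pair (the password-on-the-API approach discussed above; as lachesis notes, that password still has to live somewhere the web backend can read) and is not exercised offline; `FakeRPC`, its placeholder addresses and every deposit in `main()` are constructed test data.

```python
"""Per-order receiving addresses and payment confirmation via JSON-RPC.

Added example, not code from the thread. Assumptions: the client offers
``getnewaddress`` and ``getreceivedbyaddress(address, minconf)`` as the
early bitcoin JSON-RPC did, and takes HTTP Basic auth for the rpcuser /
rpcpassword pair. Everything in FakeRPC is constructed test data, so the
module runs with no bitcoin process; order ids and amounts are made up.
"""
import base64
import json
import urllib.request
from decimal import Decimal
from typing import Dict, List, Tuple


class BitcoinRPC:
    """Minimal JSON-RPC 1.0 client over HTTP Basic auth (not used offline)."""

    def __init__(self, url: str, user: str, password: str) -> None:
        self.url = url
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}

    def call(self, method: str, *params):
        body = json.dumps({"jsonrpc": "1.0", "id": "shop", "method": method,
                           "params": list(params)}).encode()
        req = urllib.request.Request(self.url, data=body, headers=self.headers)
        with urllib.request.urlopen(req) as resp:
            reply = json.load(resp, parse_float=Decimal)  # keep amounts exact
        if reply.get("error"):
            raise RuntimeError(reply["error"])
        return reply["result"]

    def getnewaddress(self, label: str = "") -> str:
        return self.call("getnewaddress", label)

    def getreceivedbyaddress(self, address: str, minconf: int = 1) -> Decimal:
        return Decimal(str(self.call("getreceivedbyaddress", address, minconf)))


class FakeRPC:
    """Offline stand-in exposing the same two methods; deposits are constructed."""

    def __init__(self) -> None:
        self._next = 0
        self._received: Dict[str, List[Tuple[Decimal, int]]] = {}

    def getnewaddress(self, label: str = "") -> str:
        self._next += 1
        return f"1fake{self._next:04d}"  # placeholder, not a real address

    def deposit(self, address: str, amount: str, confirmations: int) -> None:
        self._received.setdefault(address, []).append((Decimal(amount), confirmations))

    def mine_block(self) -> None:
        """Pretend a block was found: every deposit gains one confirmation."""
        for address, entries in self._received.items():
            self._received[address] = [(a, c + 1) for a, c in entries]

    def getreceivedbyaddress(self, address: str, minconf: int = 1) -> Decimal:
        return sum((a for a, c in self._received.get(address, []) if c >= minconf),
                   Decimal(0))


class PaymentTracker:
    """Issue one fresh address per order and confirm by asking the client."""

    def __init__(self, rpc, minconf: int = 1) -> None:
        self.rpc = rpc
        self.minconf = minconf
        self.orders: Dict[str, dict] = {}

    def create_order(self, order_id: str, amount: str) -> str:
        if order_id in self.orders:
            raise ValueError("duplicate order id")
        address = self.rpc.getnewaddress(f"order:{order_id}")
        self.orders[order_id] = {"address": address, "amount": Decimal(amount),
                                 "paid": False}
        return address

    def check_order(self, order_id: str) -> Tuple[bool, Decimal]:
        """Re-query the wallet; the redirect from the local page proves nothing."""
        order = self.orders[order_id]
        received = self.rpc.getreceivedbyaddress(order["address"], self.minconf)
        order["paid"] = received >= order["amount"]
        return order["paid"], received


def main() -> None:
    rpc = FakeRPC()
    shop = PaymentTracker(rpc, minconf=1)
    address = shop.create_order("order-17", "0.25")
    print("pay to", address, "->", shop.check_order("order-17"))
    rpc.deposit(address, "0.25", confirmations=0)   # seen, unconfirmed
    print("unconfirmed ->", shop.check_order("order-17"))
    rpc.mine_block()
    print("one confirmation ->", shop.check_order("order-17"))


if __name__ == "__main__":
    main()
```

With a real client the shop would construct `BitcoinRPC("http://127.0.0.1:8332/", user, password)` and pass it in place of `FakeRPC`; `minconf` is the shop's call on how much reorg risk it accepts for the goods being sold.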
#12
From:
Quantumplation
Subject:
Re: Website integration for bitcoin
Date:
It's a good temporary solution, and the only drawback I can see is that it requires a different/separate install, as opposed to just being something server-side.  Granted, I can't come up with an alternative either, but it IS a bit of barrier-to-entry for some people.
#13
From:
martin
Subject:
Re: Website integration for bitcoin
Date:
Quote
The current problem I'm facing is that there is no way to identify who a transaction came from (and, in fact, there is no way to even get a list of transactions in json at the moment), this makes it very difficult to confirm that a person actually sent the payment - which is of course completely unacceptable for a commerce application. If I can't find a solution to this I'll have to make some requests to satoshi and wait until he updates the client with some new features.
you could still create a new address for any transaction,
if only one person knows that address, it's pretty obvious where bitcoins came from.

Absolutely, I realised a while after posting that you can simply have a unique address per transaction.

Quote
It's a good temporary solution, and the only drawback I can see is that it requires a different/separate install, as opposed to just being something server-side. Granted, I can't come up with an alternative either, but it IS a bit of a barrier-to-entry for some people.

It is, I hope that ultimately this is just a proof of concept, and once it's shown to work it can be integrated into the client (using the same port and URLs).
#14
From:
Quantumplation
Subject:
Re: Website integration for bitcoin
Date:
Quote
It is, I hope that ultimately this is just a proof of concept, and once it's shown to work it can be integrated into the client (using the same port and URLs).

*nods*  It's a good initiative, and ANY development in the interest of bitcoins right now is good development.
#15
From:
satoshi
Subject:
Re: Website integration for bitcoin
Date:
I've been trying to encourage someone to write and release some sample Python code showing the recommended way to do the typical accounting stuff, but to no avail.  It would be nice if you didn't have to re-invent the wheel like you're doing here.  Search on getnewaddress and you should find a thread where I gave a small fragment of sample pseudocode.