Pages:
Author

Topic: Bitoption.org API Discussion (Read 6582 times)

jr. member
Activity: 56
Merit: 1
June 22, 2011, 08:33:10 AM
#25
This is a very polite way to say "why the fuck is everything broken right now??" by the way.

LOL, not quite what I was going for. Just something to help my coding through the future changes.
newbie
Activity: 56
Merit: 0
June 21, 2011, 11:30:13 PM
#24
TOTALLY. Let me think about how to implement.

This is a very polite way to say "why the fuck is everything broken right now??" by the way.

jr. member
Activity: 56
Merit: 1
June 21, 2011, 06:32:07 AM
#23
Could we get a version number for the API and a way to retrieve it?
newbie
Activity: 56
Merit: 0
June 19, 2011, 03:41:14 PM
#22
You can and should always ask about security! No worries. Keep the questions coming.
jr. member
Activity: 56
Merit: 1
June 19, 2011, 03:32:54 PM
#21
Security sounds good. I actually realized I had no real reason to question it, but better safe than sorry. Odd that the mt gox hack stuff is going down right after I asked about your site. I guess I should have been asking about theirs.
newbie
Activity: 56
Merit: 0
June 19, 2011, 02:41:40 PM
#20
I have some low buy offers in; I'm curious how they'll deal with those. Sounds like we will have a 'go back in time' moment.

Here's how password security on bitoption works:

1) We take your password via an SSL-only POST request.  (This used to be a GET request before we turned on the anti-CSRF functionality. POST is marginally more secure; some logs will log the entire URL, so there was a chance of leakage that way, but it would only be at the endpoints of the request.) As it is, this is now encrypted end to end.

2) We have a sitewide secret salt that is used in all hashes

3) We have a per-account 'nonce' that is used to salt the password.

4) We store only the sha-256 hash of the password,secret,and nonce.

As far as I know, the combination of 3 and 4 is industry best practices for one factor authentication; it means that a rainbow attack is computationally difficult, in that each rainbow table is only effective for one account.

Happy to take further suggestions.
jr. member
Activity: 56
Merit: 1
June 19, 2011, 12:53:23 PM
#19
Someone just made a fortune buying 10,000 bitcoins at $0.01 a piece and it wasn't me!!!
jr. member
Activity: 56
Merit: 1
June 19, 2011, 09:39:13 AM
#18
Looking at the API, I was a little concerned by the fact that we are sending passwords in plaintext, and not a hash. I know we are using https, but I do hope that the passwords are not being stored in plaintext? A salted hash is best security practice for storing passwords. A random salt for each user, perhaps generated from their username is best, so that a brute force attack can't be used against everyone at once..
newbie
Activity: 56
Merit: 0
June 18, 2011, 05:00:58 AM
#17
Major update for API Developers:

We have moved to using posts for many API requests. I'll update here when I've had a break. Read our main thread for information about CSRF vulnerability cuddlefish pointed out to us today.
newbie
Activity: 56
Merit: 0
June 16, 2011, 09:33:47 AM
#16


I think you may at times want to send a bunch of bulk updates, like "I've got bids and asks in on these dates at these strikes, for this strike and date, update / reset all my bids and asks." This bears a little more consideration, I think. Let's start with the first two and see what needs we have.
jr. member
Activity: 56
Merit: 1
June 16, 2011, 05:06:47 AM
#15
Sounds good. Yeah, I thought that the stop loss system would lead to a whole bunch of problem. I suppose one can assume their bot will handle it.

I'm not sure I followed where you are going with updateAllStrikeBids. Is the idea to push all of your bids up or down a little. I admit that might be useful, depending on the final implementation of the bot.

And updateAllDateStrikeAsks, is there a reason that has a "date" in the name while the other doesn't? I'm still not completely familiar with the API so I might be missing the obvious.

PS you should have my email, I signed up with mine.
newbie
Activity: 56
Merit: 0
June 16, 2011, 02:56:18 AM
#14
I also propose:

updateAllStrikeBids:
  strike
  underlying
  type
  date
  bidask=optional
  num=optional
  expireTime=optional

updateAllDateStrikeAsks:
  strike
  underlying
  type
  date
  bidask=optional
  num=optional
  expireTime=optional


I would anticipate even a vaguely sophisticated bot is going to tier out its bids/asks, so this second set might or might not be useful, but I want to make sure to support a sort of 'everything in this line should change' function.
newbie
Activity: 56
Merit: 0
June 16, 2011, 02:00:08 AM
#13
OK, So let's agree on some functionality here.

There's no point in changing the strike of a bid, plus we may tie margin logic to different strike prices, so

updateBid:
  token
  bidId
  bidask(optional)
  expiredate(optional)
  cancelifbtcusdgt(optional)

updateAsk:
  token
  askId
  bidask(optional)
  expiredate(optional)
  cancelifbtcusdgt(optional)

 
Expire dates are relatively easy. Stop Loss prices have a whole bunch of problems, including (but not limited to):

. Possible manipulation some day when the options market grows
. Thin markets in down trading times
. Mt Gox websockets / order book functionality is not perfect and might miss something
. Significant database load; we're essentially queuing an update / delete on every websocket notice. This may be non-scalable.


There's also the question of what you actually do with the them once expired; I'd say they should stick around and get annotated 'canceled when blah happened.'  A good 25% of support questions are currently "what happened to my XXX?" Of those, 20% have been the market so far, the rest are people just being confused, bad interface, or memories.

The more I think about it, the more I think the bid bot should be responsible for keeping track of Gox, or Tradehill, or wherever. I'll shoot you some python websockets code that you can include in the bot for just such a purpose; I think I have your e-mail right?
jr. member
Activity: 56
Merit: 1
June 16, 2011, 12:52:53 AM
#12
There are two thing I would really like to see in the API.

First, I'd like the ability to change the bid/ask price on an open contract. It just seems cleaner than canceling and replacing, and it shouldn't be too hard to implement. This would be nice on the website too.

Second, and this one is harder, I'd like to be able to place an expiration on my open contracts. A time expiration would make me feel a lot more confidant and safer, especially if I were running a bot. If I get disconnected somehow, I know my open contracts will expire in an hour or two or whatever I set. Along with this should go a "renew" option which would let me change the expiration time.

Along the line of an expiration time, it would be nice to perhaps have an expiration price. If mt gox trades above, or below, a certain price the open contract gets canceled. This could by default be set (for asks at least) to anything that would instantly be in the money, since I'm pretty sure that no one ever wants to write a contract that is immediately in the money. This would require getting constant data from mt gox, but perhaps it could be implemented.
newbie
Activity: 56
Merit: 0
June 11, 2011, 01:53:31 PM
#11
Update, I believe it is working now. A second typo, sorry.
newbie
Activity: 56
Merit: 0
June 11, 2011, 01:48:32 PM
#10
Hit me up on email / google talk, we'll get it sorted.
newbie
Activity: 30
Merit: 0
June 11, 2011, 11:26:32 AM
#9
Not yet.
newbie
Activity: 56
Merit: 0
June 10, 2011, 11:33:39 PM
#8
That's because I'm an idiot. It's fixed, or should be.
newbie
Activity: 30
Merit: 0
June 10, 2011, 09:38:31 PM
#7
still seeing 500 response on attempt to exercise contractId 19
newbie
Activity: 56
Merit: 0
June 10, 2011, 01:45:20 PM
#6
Correct usage for canceling open options:



cancelOpenBid?token=&bidId=
cancelOpenAsk?token=&askId=

I incorrectly had something else here earlier.
Pages:
Jump to: