Topic: Ecommerce bitcoin integration and verification (Read 1495 times)

Bitcoind (the daemon for bitcoin) doesn't support watching wallets however you can create one as a workaround.

On secure computer:
1) create a new wallet, expand the keypool for a reasonably large number based on your expected volume for example 1000 keys and encrypt it.  This is the spending wallet.
2) Make a backup of the spending wallet and store in a secure place along with a backup of passphrase.
3) Make a COPY of the spending wallet.  On the copy change the passphrase to a random long (like 80+ charecters) passphrase.  You should NOT record this passphrase anywhere for any reason.  Mashing the keyboard should be sufficient entropy.  This is the watching wallet.

You now have two wallets:
spending wallet
never put on public webserver
secure backup
known strong passphrase

watching wallet
put on public webserver
has an unknown and impossible to brute force passphrase

Technically the private keys are still on the server but the wallets is always locked, nobody (not even you) knows how to unlock it so if an attacker steals the "watching wallet" the coins are unspendable.

You can now use RPC calls on the watching wallet to get next address from keypool, check on incoming transactions, etc.  Eventually the keypool will be exhausted.  Since the watching wallet can not unlock it can't refresh the keypool.  You will get an error trying to get the next address once keypool is exhausted.  At this point you simply need to repeat step 2 above.  Your spending wallet will have refreshed the keypool overtime.  You can make a new copy, randomly encrypt it, and transfer the copy to the webserver.

I came up with a really easy way to accept bitcoins on a website without installing anything, but it relies on blockexplorer.com: https://bitcointalksearch.org/topic/m.77187

Also copied to here:
https://en.bitcoin.it/wiki/Lazy_API

It's a really easy (lazy) way to get started accepting bitcoins on a website without installing a bunch of stuff.

Have you tried http://BitMerch.com?

OK cool.
give me a day or two as i don't know Linux very well at all (nor how to build the code), so ill go an read a bit and try installing VM ware (as i have been using Oracle VirtualBox, but it is very slow and I've just been told its crap too... )

Ta
Ford

Sure, no problem - it's like an hour task.
But first see if gocoin suits you (i.e if you can build and run it at your machine) - then, if you still like it, just let me know and I will add it for you.
You can also play with the source code yourself - it's a new language, but pretty intuitive, especially if you come from C.
In fact if you build your stuff into the actual node, you can probably optimize the app pretty much (i.e. you don't need to pull for data then, but have your code called immediately when a balance changes).

By default it only binds to localhost, but yes - there is an IP access control already, if you'd want to connect from a different host.

Normally you get a list of all unspent outputs that belong to a given bitcoin address.
Each record contains txid+vout, block number and the BTC value (amount).
Note that after you spend some transaction, it will disappear from the list.
It's more like this one: http://blockchain.info/unspent?active=1MM5zVVBGxZ5F2hNoLvcerLdzfQAKFVFgY

No problem.

It is a shame this "watch only" wallet is not yet available, as i think by far the biggest potential of bitcoin is for online transactions.
The window of interest may only be small though, and if not capitalised on while the interest is there, the window and interest may close.

Having dealt with various card merchants over the years, i can honestly say most are right "pain in the arse", play god, decide who can and can not be in business, charge high fees and even higher to the smaller companies that can not afford to pay it (ensuring the bigger companies can always out price them), move the goal posts / change the terms and conditions, hold onto funds for unreasonable amount of time, ask for high security deposits, hold unnecessary retention (to gain interest! that is not passed to the merchant), refund customers without consulting the merchant first or offering chance to defend allegations, and many more dam annoying practices....

Card companies also promote themselves as offering "guarantees against fraud and theft", yet it is not the card company that pays for this, as any refunds are immediately deducted direct from the merchant along with a large claw-back fee, whether it is the fault of the merchant or not (so I guarantee against fraud and theft, not the banks!)

But, there is always PayPal  who are worse than all other card companies put together! ....

As you can tell i'm no fan of "visa like companies"  , which is one of the reasons i am so interested in bitcoins  .

I feel there are many smaller websites out there that would happily accept bitcoin, but when the price of integration comes in at 1000's this will put them off the idea. However if it were only 100's many more would have it as standard...

Rant over

"The "Monkey" may well have got it right with Bitcoin!"
Ford

Yes, this is a known lack.

For now the best way is to do as was already suggested - generate a wallet with lots and lots of keys locally, encrypt it, and put it on the server. This is the closest you can get to a "watching wallet" at the moment. You will have to manually refill the wallet from time to time.

Once BIP32 wallets are implemented in bitcoind, the need to refill will go away.

What we'd really like is a kind of proper merchant solution that connects to any arbitrary Bitcoin node and then provides a merchant oriented JSON-RPC API. The current bitcoind API isn't that great in some ways. It could be based on bitcoinj if you did it carefully. Then servers that can afford to run their own bitcoind can and they get full security, others can get SPV security if they run on a really tight budget.

This is a problem with the way bitcoin works.  You want a "watching only" wallet format.

Unfortunately, bitcoin doesn't offer that option at the moment.  You have to give the private keys to "enable" that address to be scanned for.

It is not so much "any address" it is however addresses that are not in its own wallet.

I am new to bitcoin integration though, so if my ideas of how it works are wrong please do correct me!

(Basically i want 2 wallets; 1 online to allow checking if a payment was made; And 1 offline to store and have the funds sent too.
My logic "thinks" this is the best way to do things, as then if the server is hacked, it would still not be possible to transfer out my shiny bitcoins)

Thanks
Ford

The problem is that it scans a block, but doesn't record all addresses, since that is a massive database.

Basically, it watches for any addresses in its wallet when a new block arrives, but ignores any others.

Why do you want to be able to check any address?  If you tell the client in advance what ones you are interested in, then that is probably the best way.

If you would be as good to add a facility that would allow easy checking of any address that would be great!
JSON or XML would be Perfect! (which ever you prefer as you clearly know more than I)
(if it were to use a URL based query, would this need locking down so that it would only accept queries from specific IP's or internal IP's, etc).

To be perfectly honest, much of what you say kind of goes over my head, as i am relevantly new to "bitcoin integration" and i think am struggling enough with the basics of what i need to do, and have yet to tackle other features or possibilities....
(the one second to check on anything sounds perfect and fast though....)

At present i am using the BlockChain API and this URL to return all the details (and more) of what i need
eg: "http://blockchain.info/address/1MM5zVVBGxZ5F2hNoLvcerLdzfQAKFVFgY?format=json"

I think the basic details i need are
- payments/transactions received
- date/time received -block height
- amount received
(although i only expect to receive a single transaction to each address, i suppose i would also need to know a "transaction received count" and details of each transaction. Just in case anyone accidentally pays to a previously issued address)

I am also using this to get the current block height to work out the confirmed amount
"http://blockchain.info/latestblock"

Basically i (and i think all other eCommerce web developers) need to get similar details in order to establish if payment has been made.

In all honesty Bitcoind would have been perfect for the job, apart from it will only check addresses that are within its own wallet.
However, as i can never 100% trust my own security, my intent is NOT to store (or have sent to) any funds in the "online client". i intended to have the funds sent to an offline wallet (to which i will eventually integrate with offline/local code to reconcile payments).

I am hoping to be able to pre-load my database with 10,000+ payment addresses, although i have not yet got to this point so am unsure if it is doable yet....

Fell free to ask me any questions and i will do my best to answer

Ford

ATM there is no API that you could use from php app. I haven't developed any, because I had no need.
If you think about something like JSON-RPC, to get list of unspent outputs (balance) for a given set of addresses, I can add it for you.
Since there is already a framework for WebUI, I believe the easiest solution would be to add a new page handler that would return you an XML or JSON file for a URL based query.

Anyway, when you get to a point where you have a client running, check the "unspent" command to see how quickly it can work with a random address. It takes about a second on my PC to go through all the unspent outputs and output the balance.
Though, if you could define an address pool (I call it a wallet) - it takes a second first, but then the balances are cached and updated as new blocks appear, in which case you get the values almost immediately when you need them. For this you can try "wallet " and "balance" commands.

Thank you, that make sense now (i had wrongly assumed they were using some sort of client...)

your GoCoin client sounds interesting (although i wont pretend to know what "Go" is...).
I think anything that make verifying transactions simpler and without the need for 3rd parties is a good step forwards for bitcoin (no offence meant to the nice people at blockchain though for providing their API FOC).
I have had a quick look at your GoCoin, but will look in more detail over the next few days.
Will i find it "simpleish" to communicate with it using php? or is this not possible yet?

(would be very nice if some open source could compile and maintain a database like blockchain do  but afraid it is beyond me  )

Ford

not a client per se, but I believe they have their own block parser and additional databases to trace all this info.

my gocoin client supports checking balance of any address, but it isn't anyhow compatible with bitcoind.
and even then, it takes like at least a second to browse through all the unspent outputs (assuming that you have them all in memory already).

will blockchain have had to develop their own client then in order to get details on any address?
(i don't suppose they have posted the code for this anywhere?)

Unfortunately i class myself as a "simple web developer" as i only know php/sql (well also html/css, but i dont think this will help  )
I have tied to look at recoding the C++ client, but i think this may be a little ambitious of me!!

what language are you developing in?

Because of its architecture.

Thanks for your reply (and others).

But i think using "other's" services defies the point of a decentralised systems (as then we are not our own bank, the 3rd party is) and then this offers no advantages over using the Visa system.
I wonder why the bitcoind client is not allowed to check on the balances of any address as this would cure the problem perfectly, after all the system is meant to be open and transparent and not a closed system...
(please dont think i am being argumentative, as i'm not intending to be, it is just opinions and observations)

Thanks again for your reply (and good luck this coinprize, sounds good from your name  )

Ford

If you don't choose other's service,
then you will take lots of time to develop your own.
If you insist to do so,
you might need a team.

If you are worried about the safety of the site or wallet,
you can just test and improve the server before launching it.