Hello,
I have two main API add-ons to ask for, because I'm facing a few limitations in my mobile app:
- Forged block statistics for a given account:
I've been told I have to crawl blocks to know who has computed each one, and sum the coins for each account number (I may be wrong...). If it sounds possible, an API call giving forging stats for an NXT account would be relevant.
- Tokens to replace the passphrase in API calls:
To send money, one has to send his own passphrase over HTTP. This is truly not secure, because communications can be listened to, and modified 'reliable' nodes can store passphrases using an API proxy, for example... I'd rather have a solution to use the API without any passphrase. To do so, one may imagine the following services:
getAppToken(application_name, application_secretkey): returns a token (token_app), used to identify the application provider. This token can be given publicly to the users who want to give the app access to their accounts.
allowApp(token_app, account_passphrase, array of allowed functions): returns a token (token_account_app), which certifies that the account owner allows the app to access a list of API calls (send money, send message, ...).
The token_account_app is sent by the user to the app owner, who can use it to sign secured API calls with his own application_secretkey. The called node has to verify the match between application_secretkey, token_account_app, and the allowed API services. The application_secretkey certifies that the call comes from the application owner. (This is close to the app_ID + app_secretkey used in the Google, FB and Twitter APIs, for example.)
Doing so, the user no longer has to send his passphrase to send money, for example. He can also call disallowApp(token_app, account_passphrase), which returns the same token_account_app, but removes all allowed functions. Doing so, the application can no longer call any API functions. The allowed functions list could be stored in the blockchain, or even locally on the application's dedicated node (i.e. the user allows a specified node to do API calls).
I've tried to keep it simple, and this is certainly not perfect. This is a very first proposal, in order to discuss it with the NXT teams. Maybe we could also use aliases to identify applications, or even hack the message process to validate transactions... Whatever solution is used, I do think it is relevant not to send the user's passphrase in the API calls made from external services.
Feedback welcome. Thanks,
Olivier
PS: another subject... Wouldn't it be possible to imagine an API call made to check that an NXT node's code has not been modified (in order to hack accounts, for example)? I know... this function could be modified by the node owner to return the correct checksum... so this should be done externally, by an external peer. For example, the API service returns the server's local main files, calling an external peer hashing service (the hashing algorithm being secret, and peer dependent). If it matches, one can say the node uses unmodified files. To hack this, one would have to modify the hashing algorithm on all peers, which sounds quite difficult. The tested node could also send fake files, but maybe there is a solution to hash the running code (and not local files)?... Don't know... this is just a thought.
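
The getAppToken / allowApp / disallowApp flow proposed in the post above, as an added sketch that is not part of the original post and is not NXT code. Assumptions not in the post: HMAC-SHA256 for tokens and signatures, a per-node secret key, a JSON encoding of the signed fields, a nonce per call to reject replays, and a SHA-256 of the passphrase as a stand-in account id.

```python
import hashlib
import hmac
import json
import secrets


def sign_call(app_secretkey, token_account_app, function, params, nonce):
    """App side: HMAC over the grant token, function, parameters and a nonce."""
    msg = json.dumps([token_account_app, function, params, nonce], sort_keys=True)
    return hmac.new(app_secretkey.encode(), msg.encode(), hashlib.sha256).hexdigest()


class Node:
    """Node-side state for the proposed services (hypothetical, constructed)."""
    def __init__(self):
        self.node_key = secrets.token_bytes(32)  # assumption: per-node secret
        self.apps = {}    # token_app -> application_secretkey
        self.grants = {}  # token_account_app -> (token_app, allowed functions)
        self.seen = set()  # (token_account_app, nonce) pairs already accepted

    def _mac(self, text):
        return hmac.new(self.node_key, text.encode(), hashlib.sha256).hexdigest()

    def get_app_token(self, application_name, application_secretkey):
        token_app = self._mac("app|" + application_name)[:16]
        self.apps.setdefault(token_app, application_secretkey)  # first registration wins
        return token_app

    def allow_app(self, token_app, account_passphrase, allowed_functions):
        if token_app not in self.apps:
            raise ValueError("unknown token_app")
        # Stand-in account id; the passphrase is used once here and never stored.
        account = hashlib.sha256(account_passphrase.encode()).hexdigest()
        token = self._mac("grant|" + token_app + "|" + account)
        self.grants[token] = (token_app, set(allowed_functions))
        return token

    def disallow_app(self, token_app, account_passphrase):
        return self.allow_app(token_app, account_passphrase, [])  # same token, no rights

    def verify_call(self, token_account_app, function, params, nonce, signature):
        token_app, allowed = self.grants.get(token_account_app, (None, ()))
        if function not in allowed or (token_account_app, nonce) in self.seen:
            return False  # unknown/revoked grant, function not allowed, or replay
        expected = sign_call(self.apps[token_app], token_account_app, function, params, nonce)
        if not hmac.compare_digest(expected, signature):
            return False  # wrong application_secretkey or tampered parameters
        self.seen.add((token_account_app, nonce))
        return True
```

In this sketch allowApp and disallowApp still take the passphrase, so those two calls have to go to a node the account owner trusts; only the application's later calls are passphrase-free.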