Topic: [NXT] API 2 Brainstorming (Read 5023 times)
Account statistics; number of messages / aliases / assets owned, number of transactions done, number of forged blocks, forged block fees, creation date of account, etc..
Ability to get all assets owned by an account. CFB already mentioned including a call for this.
yeah this one is important!
heyhey, I made some experiments - my raspi needs TWO SECONDS to answer a query - while the testnet has a replytime of ~150ms
My concern is the following: when you have to resolve a chain of queries, like when going from block ->transactions -> transaction detail -- 2 seconds per query does become a factor - you get to resolve 10 or 20 queries, get stuck for 20 to 40 seconds ?!?!?! Think about fast messaging ?!
Ability to get transactions where sender = x and recipient = Y. Especially useful for Arbitrary messaging instead of having to loop through potentially thousands of transactions.
Ability to get all assets owned by an account. CFB already mentioned including a call for this.
Ability to get transactions where sender = x and recipient = Y. Especially useful for Arbitrary messaging instead of having to loop through potentially thousands of transactions.
Ability to set timestampend so that it returns transactions BEFORE the timestamp. Good for pagination.
As well as a way to set a limit.
As well as a way to set a limit.
I'd rather have a solution to use api without any passphrase.
The best way to do this is to have the client do all of the signing and transmit transaction data to the server. No secret phrases would ever leave the client.
Can't wait either... 
- forged blocks statistics for a given account :
I've been said I have to crawl blocks to know who has computed each, and sum the coins for each account number (I may be wrong...). If it sounds possible, a api call giving forging stats for a nxt account would be relevant
Try getAccountBlockIds in current API.
Hello,
I have two main api addons to ask, because I'm faced with a few limitations in my mobile app :
- forged blocks statistics for a given account :
I've been said I have to crawl blocks to know who has computed each, and sum the coins for each account number (I may be wrong...). If it sounds possible, a api call giving forging stats for a nxt account would be relevant
- tokens to replace the passphrase into api calls :
To send money, one has to send his own passphrase through http. This is truly not secured, because communications can be listened, and modified 'reliable' nodes can store passphrases using a api proxy for example... I'd rather have a solution to use api without any passphrase. To do so, one may imagine the following services :
getAppToken(application_name, application_secretkey) : returns a token (token_app), used to identify application provider. this token can be given publicly to the users who want to give the app access to their accounts
allowApp(token_app,account_passphrase, array of allowed functions) : returns a token (token_account_app), which certifies that the account owner allows the app to access to a list of api calls (send money, send message, ...)
The token_account_app is sent by the user to the app owner, who can use it to sign secured API calls, with his own application_secretkey. The called node has to verify the matching between application_secretkey, token_account_app, and allowed api services. The application_secretkey allows to certify it is called from the application owner. (this is close to app_ID+app_secretkey used into google,fb,twitter apis for example).
Doing so, the user does not have anymore to send his passphrase to send money, for example. He can also call a disallowApp(token_app,account_passphrase), which returns the same token_account_app, but remove all allowed functions. Doing so, the application can not call anymore any API functions. The allowed functions list could be stored into the blockchain, or even locally on the application dedicated node (ie the user allows a specified node to do API calls).
I've tried to keep it simple, and this is certainly not perfect. This is a very first proposal, in order to talk about with nxt teams. Maybe we could also use aliases to identify applications, or even hack the messages process to validate transactions... Whatever solution is used, I do think it is relevant not to send user's passphrase into the api calls made from external services.
Feedbacks welcome. Thanks,
Olivier
PS : another subject... Wouldn't it be possible to imagine an API call made to check a nxt node code has not been modified (in order to hack accounts for example) ? I know... this function could be modified by the node owner, to return the good checksum... so, this should be made externally, by a external peer. For example, the API service returns the server local main files, calling an external peer hashing service (hashing algorithm being secret, and peer dependent). If it matches, one can say the node uses not modified files. To hack this, one should have to modify hashing algorithm on all peers, which sounds quite difficult. The tested node could also send fake files, but maybe there is a solution to hash running code (and not local files) ?... don't know... this is just a thought.
I have two main api addons to ask, because I'm faced with a few limitations in my mobile app :
- forged blocks statistics for a given account :
I've been said I have to crawl blocks to know who has computed each, and sum the coins for each account number (I may be wrong...). If it sounds possible, a api call giving forging stats for a nxt account would be relevant
- tokens to replace the passphrase into api calls :
To send money, one has to send his own passphrase through http. This is truly not secured, because communications can be listened, and modified 'reliable' nodes can store passphrases using a api proxy for example... I'd rather have a solution to use api without any passphrase. To do so, one may imagine the following services :
getAppToken(application_name, application_secretkey) : returns a token (token_app), used to identify application provider. this token can be given publicly to the users who want to give the app access to their accounts
allowApp(token_app,account_passphrase, array of allowed functions) : returns a token (token_account_app), which certifies that the account owner allows the app to access to a list of api calls (send money, send message, ...)
The token_account_app is sent by the user to the app owner, who can use it to sign secured API calls, with his own application_secretkey. The called node has to verify the matching between application_secretkey, token_account_app, and allowed api services. The application_secretkey allows to certify it is called from the application owner. (this is close to app_ID+app_secretkey used into google,fb,twitter apis for example).
Doing so, the user does not have anymore to send his passphrase to send money, for example. He can also call a disallowApp(token_app,account_passphrase), which returns the same token_account_app, but remove all allowed functions. Doing so, the application can not call anymore any API functions. The allowed functions list could be stored into the blockchain, or even locally on the application dedicated node (ie the user allows a specified node to do API calls).
I've tried to keep it simple, and this is certainly not perfect. This is a very first proposal, in order to talk about with nxt teams. Maybe we could also use aliases to identify applications, or even hack the messages process to validate transactions... Whatever solution is used, I do think it is relevant not to send user's passphrase into the api calls made from external services.
Feedbacks welcome. Thanks,
Olivier
PS : another subject... Wouldn't it be possible to imagine an API call made to check a nxt node code has not been modified (in order to hack accounts for example) ? I know... this function could be modified by the node owner, to return the good checksum... so, this should be made externally, by a external peer. For example, the API service returns the server local main files, calling an external peer hashing service (hashing algorithm being secret, and peer dependent). If it matches, one can say the node uses not modified files. To hack this, one should have to modify hashing algorithm on all peers, which sounds quite difficult. The tested node could also send fake files, but maybe there is a solution to hash running code (and not local files) ?... don't know... this is just a thought.
add server date to getState as well as lastBlockDate.
Enable jsonp so that javascript can call peer via bot access like so: (to get around same origin policy)
?...&callback=myCallback
Can also implement CORS: http://enable-cors.org/server.html
?...&callback=myCallback
Can also implement CORS: http://enable-cors.org/server.html
An API call to get the AM size limit (currently 1000) would be helpful (in order to chop up data and send it in max. size chunks efficient).
API call to get peers that have public bot access enabled.
Is it possible to have an api that searches for incoming account transactions with a specific description? (payment with attached description)
This would be good to verify payments.. Sort of like the system with bank transfers can have a message attached to it.
This would be good to verify payments.. Sort of like the system with bank transfers can have a message attached to it.
For High-level:
getAllAccounts() - possibly with filtering parameters and sort/limit
I'm not sure what the Account object provides currently, but these would be useful:
getBalance()
getTotalTransferAmounts() - returns total amount of NXT transferred. filter by in/out
getTransactions() - filter by activity type (in/out/alias creation/etc.)
getTimeFirstActivity() - filter by activity type (in/out/alias creation/etc.)
getTimeLastActivity() - filter by activity type (in/out/alias creation/etc.)
getBlocksGenerated() - correct term?
getFeeEarned() - correct term?
getAliases()
getAllAccounts() - possibly with filtering parameters and sort/limit
I'm not sure what the Account object provides currently, but these would be useful:
getBalance()
getTotalTransferAmounts() - returns total amount of NXT transferred. filter by in/out
getTransactions() - filter by activity type (in/out/alias creation/etc.)
getTimeFirstActivity() - filter by activity type (in/out/alias creation/etc.)
getTimeLastActivity() - filter by activity type (in/out/alias creation/etc.)
getBlocksGenerated() - correct term?
getFeeEarned() - correct term?
getAliases()
I put generateBlock and a placeholder for a call to determine when an account could try to generate a block.
C-f-B?
C-f-B?
Shouldn't we leave block forging for clients? Coz it's the same as signing transactions, u have to use ur secret key.
Yes, that's the purpose of generateBlock, but we also need an API for determining when a client can generate blocks like the response that is used to update the timer in the current client. Basically, an API that encapsulates the TF logic to suggest when a client can attempt to generate a block.
I put generateBlock and a placeholder for a call to determine when an account could try to generate a block.
C-f-B?
C-f-B?
Shouldn't we leave block forging for clients? Coz it's the same as signing transactions, u have to use ur secret key.
Api call to see number of peers that accepted a transaction. This allows us to set a good value for pushTreshold.
This would be new functionality since right now Peer.sendToAllPeers (called by broadcastTransaction) doesn't keep any responses.
Jump to: