[ANN] Bitshares SMF login plugin

[gamey]

onepassword is a password manager and I suppose the '1 password' refers to the master password. 

Read bytemaster's blog entry on reasons you might wish to use a blockchain based authentication.

[jsidhu]

Why need a plugin ? Can you create an app like 1Password ?

https://agilebits.com/onepassword

One app and login all sites without plugin.

Why not login thru facebook then? Is onepassword decentralized?

[BitAsset]

Why need a plugin ? Can you create an app like 1Password ?

https://agilebits.com/onepassword

One app and login all sites without plugin.

[bytemaster]

It's a bug.  Nathan is on it.

[70231f697a2b3c2b]

• Went to http://bitsharesnation.org/.
• Clicked on "Login with BitShares":
  
  • BitShares app open and unlocked:  clicking the login button switched focus to the BitShares app, but nothing else happened.
  • BitShares app open and locked:  clicking the login button switched focus to the BitShares app, but nothing else happened.
  • BitShares app not open:  clicking the login button caused the BitShares app to launch.  I entered my password to unlock my wallet, but nothing else happened.

Browser:  Firefox 34.0
OS:  Mac OS 10.10.1
BTS:  0.4.27.2

[gamey]

I think having a email specified should be optional.

I agree but the problem is that the register function inside SMF insists on there being an email via not empty() (ie evaluates to false) AND it fits the regex.  So optional means I have to create a never valid email address for the field.

That then leads to 2 problems.  1 it is ugly and confusing and 2 if the user wishes to change it, SMF forces someone to know their password. (which they won't with bitshares login)

My other option which I hadn't considered earlier is making a magic value to register with then manually updating the account to blank out the password.

[bytemaster]

I think having a email specified should be optional.   

[gamey]

So the wallet/client on the server generates the first URL which is then redirected to a local wallet via the protocol handler.  Is this part of the handshake reusable?  Or will the wallet_handshake_finish (or whatever it is called) not allow reuse ?  Since there are no transactions involved I assume they can be reused.

The reason I ask is because caching of the pages could mess up authentication.  If the first portion of the handshake can be reused this can't be an issue.

Otherwise it seems to work.  I know of 2 minor issues on the admin panel .. I need to investigate one and not sure the other is worth fixing.. neither effect the user experience.  I also need to find out how to properly escape the input functions into SMF and it'll be done AFAIK.

There are some ugly things.  Like the user registration function provided by SMF forces a reasonable email address.  It can not be blank.  Either I patch SMF code (??) or I unset the email address later after registration is called.. OR I have some dummy value left in there.  That is a bit strange when you go see some ridiculous email address in the profile.  Maybe it is best to just turn off asking for email address, but I think a lot of the forum's functionality is useful like having email notifications when you receive PMs etc. ... thoughts?

[gamey]

@BM, if i login from bts, can i connect to the account that i had register in the forum.
or just a fresh account?

This is on my list of things to test tonight.  The code is there but it hasn't been tested.  The code is from the original plugin and not written by me so I won't make any comments on it until I test it and examine it.  I see little reason to not fix it if broken.  This goes quite a bit beyond a simple login plugin though but I'll gladly do it as I see the need.

[gamey]

So I had to delete all the accounts that signed up with the original ANN posting because those accounts were basically broken and in a state that wouldn't be readily fixable.

What issues are left to be resolved?

I'm going through and testing things.  There isn't a list of issues outside of the things I fix as I come across them.  I just removed the Bitshares profile entry that was left from the previous plugin.  I need to test synching of existing accounts. I am reading through the SMF php code and found that certain inputs need to be escaped.  I need to investigate that.  I found a redirect to an invalid URL sitting in the code.  I also want to look over the logic for the cookies.  It is close to being done but it still needs testing in a methodical manner of some sort.  etc.. My goal is to get most of this done tonight and get everything crossed off.

The accounts you are asking about though is just from legacy code .. shrug.. it was like a testnet but I can't reset the whole thing.  Easier to delete the earlier accounts.

[cgafeng]

@BM, if i login from bts, can i connect to the account that i had register in the forum.
or just a fresh account?

[bytemaster]

So I had to delete all the accounts that signed up with the original ANN posting because those accounts were basically broken and in a state that wouldn't be readily fixable.

What issues are left to be resolved?

[gamey]

So I had to delete all the accounts that signed up with the original ANN posting because those accounts were basically broken and in a state that wouldn't be readily fixable.

[gamey]

Perhaps the site name also needs a robohash?

Well I registered bitsharesnation so it will give you that name when you "ok" the login from inside your wallet.  Unfortunately I had problems importing the json I exported.  I became frustrated with it though and went back to the "testingtoday".

It would be nice to have a robohash of the site you are logging into inside the wallet's acknowledgement dialog box/window, but it is likely that making a dialog display a bitmap requires some level of hoop jumping for the devs.  Actually I suppose that is html so perhaps not so hard.

[gamey]

I attempted to login to this today as I was preparing a blog article on the topic.   After I was redirected to your site it failed to log me in.

I noticed a few bugs with URL handling on our side of the fence.  I would really like to get the kinks worked out so we can all switch to BitShares login and start getting some extra benefits out of our BitShares accounts.

I will look in this.  It was working well for me with only 1 known bug in the log display screen which shows an invalid URL for profiles.

2 possible problems or something has went down on the server.

1) If you patched the URL variable handling so they are passed through it will break the login as I rely on the code behaving as it does.

2) If you were trying to login in with an account you created when I first made this thread then the behavior isn't defined.  I released the site initially just for fun etc.  It was a prototype where I did the first bit of coding to get it to work.  Things have changed since then so I wouldn't expect the accounts made during that time to work, but they might. 


You can also claim accounts and synch them up but I have to test the functionality.  It appears that if you create an account without bitshares then try to login with an account, it will attempt to synch your accounts if you provide a password.  I plan on working on this today (tonight), running testcases etc and verifying some cookie behavior.  I also need to allow a person to enter an empty blank email.

[jsidhu]

From https://news.ycombinator.com/item?id=8788676 on BitShares Login

This sounds amazing and useful to me, but even if it all works perfectly, I do have one serious concern: if you forget the passphrase to your private key, your online identity is owned by nobody. That is a very scary prospect!

Is there a (obvious) solution here?

Wild / unspecified idea: What about somewhat making your finger print your private key?

Pretty cool idea but better to hAsh the fingerprint with an answer to a known security question.. that way even if your print was stolen they would need your priv key plus finger print plus answer to the secret question

[santaclause102]

From https://news.ycombinator.com/item?id=8788676 on BitShares Login

This sounds amazing and useful to me, but even if it all works perfectly, I do have one serious concern: if you forget the passphrase to your private key, your online identity is owned by nobody. That is a very scary prospect!

Is there a (obvious) solution here?

Wild / unspecified idea: What about somewhat making your finger print your private key?

[fluxer555]

Perhaps the site name also needs a robohash?

[erasmospunk]

 

Some feedback: What if an attacker registers a similar looking username on the blockchain for a mitm attack? For example when logging in to bitsharestalk.org the name that appears in the wallet is "bitsharestaIk" or "Bitsharestalk" instead of the original "bitsharestalk".

edit: clarification

[alt]

how to install bts handler plugin for firefox?

来自我的 HUAWEI P7-L00 上的 Tapatalk

http://wiki.bitshares.org/index.php/Developer/Build#System-wide_Installation_.28optional.29

it's part of the .desktop file

Code: [Select]

MimeType=x-scheme-handler/bts;


I have try just now, I need to run this command to work.

Code: [Select]

gvfs-mime --set x-scheme-handler/bts BitShares.desktop
run this to check if the bts handler register success

Code: [Select]

$ xdg-mime query default x-scheme-handler/bts
BitShares.desktop


[jsidhu]

http://bytemaster.github.io/article/2014/12/22/BitShares-Login/

bitshares url= Bitshares URI scheme

[bytemaster]

http://bytemaster.github.io/article/2014/12/22/BitShares-Login/

[alt]

I attempted to login to this today as I was preparing a blog article on the topic.   After I was redirected to your site it failed to log me in.

I noticed a few bugs with URL handling on our side of the fence.  I would really like to get the kinks worked out so we can all switch to BitShares login and start getting some extra benefits out of our BitShares accounts.

this is a big thing

[bytemaster]

I attempted to login to this today as I was preparing a blog article on the topic.   After I was redirected to your site it failed to log me in.

I noticed a few bugs with URL handling on our side of the fence.  I would really like to get the kinks worked out so we can all switch to BitShares login and start getting some extra benefits out of our BitShares accounts.

[gamey]

I'd like to test this out.  http://bitsharesnation.org/ does not load for me:

Code: [Select]

[497][~] curl -IL 'http://bitsharesnation.org/'
curl: (7) Failed to connect to bitsharesnation.org port 80: Connection refused
PM me if you need any details to help troubleshoot the connection issue.

Once that's resolved, let me know if there's anything specific that you'd like me to test, and I'll be all over it.

3 gigs is not enough memory for the VPS apparently.  It ran out of memory at some point and apache died.  Hrmmm.  I guess I can just buy another gig for the instance and restart it.

All the spamming bots help load test it for me.

[alt]

how to install bts handler plugin for firefox?

来自我的 HUAWEI P7-L00 上的 Tapatalk

http://wiki.bitshares.org/index.php/Developer/Build#System-wide_Installation_.28optional.29

it's part of the .desktop file

Code: [Select]

MimeType=x-scheme-handler/bts;


thank you,
I'll try this,
that's really exciting  feature

[70231f697a2b3c2b]

I'd like to test this out.  http://bitsharesnation.org/ does not load for me:

Code: [Select]

[497][~] curl -IL 'http://bitsharesnation.org/'
curl: (7) Failed to connect to bitsharesnation.org port 80: Connection refused
PM me if you need any details to help troubleshoot the connection issue.

Once that's resolved, let me know if there's anything specific that you'd like me to test, and I'll be all over it.

[sudo]

cool

[gamey]

This is back up and the plugin is fairly robust now.  www.bitsharesnation.org

Originally I was going to make users put in an email address but SMF has some internal rules to validate an email address so it can't be left blank.  This causes a security problem though because if that email is 'leaked' then an attacker can simply sign-up with that email if it is available and then take the account over.  I'm going to have to fix this I suppose and allow blank emails.  Hopefully it is a permission somewhere.

You can register with a bitshares registered account or a local account.  The membergroup reflects this now.  Otherwise not sure if anything changed except the sign-up flow.

[gamey]

Great Work!

just want to double confirm that, wouldn't this method access your private key, right?
Cuz in GUI wallet you have to unlock to do everything, not just transaction.

Also, I think it would be great if this login method can use bitshares_client, not just qt-wallet.

The wallet has to be unlocked so in that way it accesses the private key. I would have to review the crypto but I assume it utilizes the private key directly, but i am not 100% sure.

It would be hard to get it to work with bitshares-client, as you would need to protocol handler installer to set it up for you.  It might very well be the it does work with the cli if that is done.  I'm not sure what use-case you have in mind, but I'm just working on the php side.

[cn-members]

Great Work!

just want to double confirm that, wouldn't this method access your private key, right?
Cuz in GUI wallet you have to unlock to do everything, not just transaction.

Also, I think it would be great if this login method can use bitshares_client, not just qt-wallet.

[gamey]

I am not sure what you could do.  Most of the user interaction is done on web side and the actual interaction with bitshares wallet is minimal.

Here is a list of commnads.  You could make the wallet go to the transaction of the payment in your shopping cart.  Either that or lock the wallet?

I'm trying to see if there is any functionality to put in the bts login plugin that makes a lot of sense.

Perhaps if a user is a delegate and then putting the 'vote for me' link in their profile but that sort of stuff requires a lot more effort.  However if you couple it with the membergroups on registration you have a system where delegates could have their own membergroup and likely work off that.. So 3 tiers = unreg/reg/delegates.  For delegates we could pull out special fields etc.

anyway.. thinking outloud but if anyone has any ideas on functionality tell me now why i am still actively working on this project because ramp-up time/learning curve is what always kicks you in the balls.  It is more likely I will do it now then later if someone has a good idea that isn't difficult.

• Go to profile
  xts:profile-name
  
• Add new contact with name
  xts:name:XTSaccountkey
  
• Request Payment
  xts:name/transfer/[amount/amount/][memo/memo text/][from/sender name/][asset/asset name] (registered accounts)
  xts:name:XTSaccountkey/transfer/[amount/amount/][memo/memo text/][from/sender name/][asset/asset name] (unregistered accounts) (Not Yet Implemented)
  The ordering of the amount, memo, from and asset fields is unimportant.
  
• Vote for delegate
  xts:delegate-name/{approve|disapprove}
  
• Go to block
  xts:Block/num/block-number
  xts:Block/block-id
  
• Go to transaction
  xts:Trx/transaction-id
  Note that transaction-id above may be a prefix, as long as at least 8 characters are present
  
• Login to website
  xts:Login/server-one-time-public-key/signature-of-one-time-public-key-with-account-key/www.server.com:port/path/to/login.php
  For more information on the BitShares XT Login protocol, see here.
  

[jsidhu]

So I'm trying to think how I can use this stuff... am I able to redirect users based on an encoded URL inside the BTS URI scheme? Would be cool to redirect users to a completed screen after an action is complete...

[gamey]

sweet it works...

How is it ensuring security for authentication? Something like OAuth?

It is a modified oauth (google/gplus) plugin which has been used for years + recent updates so I assume it is secure.  My general approach is to just duplicate the functionality it uses.  Oauth is very similar to BTS login protocol.  google bitshares xts login protocol.  I would like to make a drop-in replacement for google's oauth library.

I need to go test the security myself, AFAIK it might ok invalid requests.  Not sure about your specific question.

I'm just trying to get feedback at the moment.

[jsidhu]

sweet it works...

How is it ensuring security for authentication? Something like OAuth?

[gamey]

Pardon my ignorance.... what is this site supposed to do?  Or what was the goal?

It was an old site which is being used as test site for the plugin.  It was never used for anything previously and has no purpose past testing the SMF plugin and having the plugin integrated onto bitsharestalk.org.  Thats why I don't clean up the spammers. 

edit - You don't actually see anything until you utilize bitshares login which opens up a private forum where a few people have posted.

[bitmarket]

Pardon my ignorance.... what is this site supposed to do?  Or what was the goal?

[gamey]

Down for me for about 2h already, as well.

 I just fixed it.  Missing semicolon on a  nonchalant change I made. <shamed> 

[zerosum]

Down for me for about 2h already, as well.

[gamey]

Excited to check it out but site seems down

http://bitsharesnation.org/

It works for me except on my phone.  It must be a network hiccup.  I assume it'll fix itself for you.  Perhaps this VPS provider isn't that great for a delegate. hahaha

edit - it is back up.  Was actually a php error on a minor change.  I didn't see the problem since my accounts were logged in and not executing login code.  Ooops. 

[roadscape]

Excited to check it out but site seems down

http://bitsharesnation.org/

[gamey]

Think every spam bot on the net is hitting it lol

Yea, it is amusing.  I've whitelisted IPs to help me with debugging and those bots come back within minutes of the whitelist code being disabled.  If the forum had some real potential I'd fix it, but I hate captchas and the challenge question doesn't work. 

However if you want any bootleg shoes, purses, or headphones I suspect there are many many leads..... There is a forum that is only readable once you create an account with BTS login.

[gamey]

how does automode work? You can skip the password somehow in the wallet? I can probably use this for my shopping carts which use the URI scheme..

Btw the uri is well known and is handled by the os and browser.. it is setup when you run the installer.. so maybe osx installer needs tweaking.

automode?  The plugin I modified has an automatic login feature.  I haven't tried it.

Then there is a registration mode - automatic/manual.  We are in automatic mode as it does 0 prompting for extra info.

edit - the modes I am talking about are all affecting the php side and not the wallet.

[islandking]

Think every spam bot on the net is hitting it lol

Yeah probably xrumer bots.

[Riverhead]

Think every spam bot on the net is hitting it lol

[islandking]

You have a huge spam problem on the general discussion.

[bytemaster]

Great work.

[jsidhu]

ok delete sparkle client... but login doesn't work for me on OSX Mavericks!

It opens client but nothing more ... any ideas!?

Either the installer or the client itself will register the "bts" protocol handler (not sure).  So when you see a "bts://*" type url, that will be redirected to the client/wallet.  This appears to be a bit fragile.  I've had various luck with it working appropriately.  Someone said it didn't work for Firefox, I had it not work for Chrome.  I assume we'll have a better idea about this stuff as people post bug reports.

If anyone cares, it works like this.
1) Website generates unique button
2) user clicks on button -> wallet loads / unlocks wallet / chooses account.  Click ok.
3) Wallet then reopens webpage at login url and the handshake is completed.

You can use an unregistered account.  So it doesn't have to be done with a funded wallet.

In your case perhaps reinstalling BitShares client would overwrite bts settings with correct ones.  It is either that, or you need to learn how to change these settings inside OSX and have bts protocol handled by the Bitshares executable.

mhh ok .. but Delegate links and BTS account links out of forum are working well…

edit: sry my mistake ... also delegate and account linkg doesn't work currently so guess you'Re right

are you running the client already?

[jsidhu]

how does automode work? You can skip the password somehow in the wallet? I can probably use this for my shopping carts which use the URI scheme..

Btw the uri is well known and is handled by the os and browser.. it is setup when you run the installer.. so maybe osx installer needs tweaking.

[xeroc]

how to install bts handler plugin for firefox?

来自我的 HUAWEI P7-L00 上的 Tapatalk

http://wiki.bitshares.org/index.php/Developer/Build#System-wide_Installation_.28optional.29

it's part of the .desktop file

Code: [Select]

MimeType=x-scheme-handler/bts;


[alt]

how to install bts handler plugin for firefox?

来自我的 HUAWEI P7-L00 上的 Tapatalk

[xeroc]

Coool thing .. will give it a try once i installed those bts links here

[cass]

ok delete sparkle client... but login doesn't work for me on OSX Mavericks!

It opens client but nothing more ... any ideas!?

Either the installer or the client itself will register the "bts" protocol handler (not sure).  So when you see a "bts://*" type url, that will be redirected to the client/wallet.  This appears to be a bit fragile.  I've had various luck with it working appropriately.  Someone said it didn't work for Firefox, I had it not work for Chrome.  I assume we'll have a better idea about this stuff as people post bug reports.

If anyone cares, it works like this.
1) Website generates unique button
2) user clicks on button -> wallet loads / unlocks wallet / chooses account.  Click ok.
3) Wallet then reopens webpage at login url and the handshake is completed.

You can use an unregistered account.  So it doesn't have to be done with a funded wallet.

In your case perhaps reinstalling BitShares client would overwrite bts settings with correct ones.  It is either that, or you need to learn how to change these settings inside OSX and have bts protocol handled by the Bitshares executable.

mhh ok .. but Delegate links and BTS account links out of forum are working well…

edit: sry my mistake ... also delegate and account linkg doesn't work currently so guess you'Re right

[gamey]

Will we be able to eventually login with a QR code?  I guess that is too much to ask for right now but this is headed in the right direction.

I suppose the button could be a QR code that if scanned was the initial URL.  Then it would be up to the wallet to handle the crypto aspect of it and pass it back off.  It seems possible, but not sure if a qr-code use is appropriate in such a situation.

[luckybit]

Will we be able to eventually login with a QR code?  I guess that is too much to ask for right now but this is headed in the right direction.

[gamey]

ok delete sparkle client... but login doesn't work for me on OSX Mavericks!

It opens client but nothing more ... any ideas!?

Either the installer or the client itself will register the "bts" protocol handler (not sure).  So when you see a "bts://*" type url, that will be redirected to the client/wallet.  This appears to be a bit fragile.  I've had various luck with it working appropriately.  Someone said it didn't work for Firefox, I had it not work for Chrome.  I assume we'll have a better idea about this stuff as people post bug reports.

If anyone cares, it works like this.
1) Website generates unique button
2) user clicks on button -> wallet loads / unlocks wallet / chooses account.  Click ok.
3) Wallet then reopens webpage at login url and the handshake is completed.

You can use an unregistered account.  So it doesn't have to be done with a funded wallet.

In your case perhaps reinstalling BitShares client would overwrite bts settings with correct ones.  It is either that, or you need to learn how to change these settings inside OSX and have bts protocol handled by the Bitshares executable.

[gamey]

Ok I have this working but not that thoroughly tested.  I know of a couple issues.  I still need to clean it up and then put a v0.1 on github.

The login is in automode, so it just skips asking for email/password.  However I can turn that option on. I am not sure which is preferred. I think I prefer it creating real emails and passwords so people can access their account without a functional wallet.  At least with an email address they can have their account reset if they value it.

The other features are that it autodownloads the robohash and has an option to put anyone using bitshares login into a distinct membergroup.

Currently that membergroup gives permission to a forum that the regular logins can't access.  Make a post !

I may put a autologin feature by redirecting to a bts protocol but that seems questionable.

The test site is bitsharesnation.org.  We have 20k users and growing.  Quite a userbase. 

edit -
I need a new button.  The Bitshares button at the top is a login button if you have a wallet.

Please report any issues you have or suggestions as to something that might be useful.

I tested it out and it works great. I think we don't need passwords at all anymore and that is huge progress which Bitshares can market as a feature.

I think maybe micropayments for access to certain VIP threads would be the next feature to implement. This way you can have micropayments work as access control. In other cases reputation can work as access control.

I have seen some preliminary work on embedding fields into profiles via JSON.  I'm not sure if the website field is utilizing that but that is all easy to pull out and place in fields, but the fields have to be made.  Currently we can populate the website url on the forum.

Ideally it would be nice to have something that stated users were verified/registered.  As it currently is, people can fake names.  You can login without bts login button and use any account then just create the robohash for it.  So there is an implied security here that doesn't really exists.

Perhaps the best solution is 2 membergroups.  Those with bitshares logins and those with verified logins.  So if they are part of the verified login membership group, then they would be labeled as such.  Verified = registered accounts.

For the login, creating a password that is random but giving an option for an actual email address would be the best.  It can be easy to want to use your SMF account and not have a full wallet installed etc. 

[cass]

i'll prepare a button no problem

[cass]

ok delete sparkle client... but login doesn't work for me on OSX Mavericks!

It opens client but nothing more ... any ideas!?

[luckybit]

Ok I have this working but not that thoroughly tested.  I know of a couple issues.  I still need to clean it up and then put a v0.1 on github.

The login is in automode, so it just skips asking for email/password.  However I can turn that option on. I am not sure which is preferred. I think I prefer it creating real emails and passwords so people can access their account without a functional wallet.  At least with an email address they can have their account reset if they value it.

The other features are that it autodownloads the robohash and has an option to put anyone using bitshares login into a distinct membergroup.

Currently that membergroup gives permission to a forum that the regular logins can't access.  Make a post !

I may put a autologin feature by redirecting to a bts protocol but that seems questionable.

The test site is bitsharesnation.org.  We have 20k users and growing.  Quite a userbase. 

edit -
I need a new button.  The Bitshares button at the top is a login button if you have a wallet.

Please report any issues you have or suggestions as to something that might be useful.

I tested it out and it works great. I think we don't need passwords at all anymore and that is huge progress which Bitshares can market as a feature.

I think maybe micropayments for access to certain VIP threads would be the next feature to implement. This way you can have micropayments work as access control. In other cases reputation can work as access control.

[cass]

Great ! But if clikng Button, it opens Sparkle client
Guess URLs have to get changed on sparkle side…

[gamey]

Luckybit is the first poster using the Bitshares Login plugin!   

[gamey]

Ok I have this working but not that thoroughly tested.  I know of a couple issues.  I still need to clean it up and then put a v0.1 on github.

The login is in automode, so it just skips asking for email/password.  However I can turn that option on. I am not sure which is preferred. I think I prefer it creating real emails and passwords so people can access their account without a functional wallet.  At least with an email address they can have their account reset if they value it.

The other features are that it autodownloads the robohash and has an option to put anyone using bitshares login into a distinct membergroup.

Currently that membergroup gives permission to a forum that the regular logins can't access.  Make a post !

I may put a autologin feature by redirecting to a bts protocol but that seems questionable.

The test site is bitsharesnation.org.  We have 20k users and growing.  Quite a userbase. 

edit -
I need a new button.  The Bitshares button at the top is a login button if you have a wallet.

Please report any issues you have or suggestions as to something that might be useful.