Introducing Steem-Browsifier (Full Access to the Steem API from the BROWSER)

in #steemit8 years ago (edited)

Value Proposition:  Never allow your keys off your machine

We were working on a toy example for @Ned's Bounty System when we realized -- there was no way to access the most important Steem functions (including commenting, voting, paying/transferring money or escrow) from the browser!

There was no way to avoid transmitting your password or keys!

We contacted several of the other developers working on Steem-related projects but some expected users to trust transmission to their server while others were insisting on developing proprietary single-purpose plug-ins.  No one had a verifiable multi-purpose solution that didn't transmit your critical information across the internet.

Thus Steem-Browserify was born!

https://www.npmjs.com/package/steem-browserify
https://github.com/D161T4L-W15D0M/steem-browserify

@Fabien has created the excellent steem.js project (https://github.com/adcpm/steem) and released a subset for the browser (https://www.npmjs.com/package/steem) but didn't include any of the functions that required the cryptographic functions (i.e. your keys).  We asked him about including the rest of the functions but, while he eventually has plans to include them, they are not a priority and he had absolutely no interest in our offer to do it for his project.  Therefore, we forked the project.

Starting with [email protected] (because the newest version fails with errors), we

  1. merged steem and steemauth
  2. merged steem.api and steem.broadcast to create on uniform steem api
  3. replaced crypto with crypto-browserify
  4. cleaned up a number of browser-specific errors
  5. repackaged it all nicely as [email protected]

It has the standard open source MIT license -- and we ask/hope that steemit.com will consider auditing and hosting it.

Developer contributions (pull requests) are more than welcome.

One of the first improvements we intend to make is to prune unneeded code paths in an effort to make steem.min.js smaller.

With Steem-Browserify, it's trivial to create systems like SafePay.

Stay tuned as our next post will show how to use it to add a simple bounty to a post using A Totally Different Approach to Ned’s Bounty System.

Sort:  

This seems cool. Can you please explain a little bit more about how it works? How can I try it out or see what it does?

Sure! Basically "all" if does is allow you to perform any Steem operation without requiring a website or some other external party to do it for you (generally a real security no-no). An example of it in action is the very simple SafePay system (follow the link above to see all the details on and links for that) -- composed of two files necessary. One is a very simple HTML file. The other is the result of building the github project.

This looks neat. What Steem node is this connecting to to broadcast transactions?

Offline signing tools have been a niche feature that certain users have wanted or needed but has so far been unfilled. Can this be adapted to do offline signing as well?

Currently wss://steemit.com/wspa but it could easily be made configurable.

I'm not sure that I understand your question about offline signing. Since it basically signs off-line before transmitting only the transaction that was signed -- yes, it could easily be adapted to sign anything . . . .

Like you can sign Bitcoin transactions using a computer that isn't connected to the net, then take that transaction and broadcast it from a node that is online. Kind of a secure, air-gapped solution. The demand isn't super high, but it's one of those features that is good to have to have airtight paranoid security.

Maybe I'm ignorant and that kind of thing isn't possible with Steem, as I'm not familiar with the technical details of transactions, and they might need up-to-date block information.

That is precisely what this does. It signs the transaction in the browser and then transmits the signed transaction to the node. It would be trivial to change it to write out the signed transaction for transfer to another machine while it's own machine is disconnected.

Actually, it's easy/interesting enough that I'll add it to the next release. Thanks!

Note that minifying javascript code in security-related browser extensions is highly discouraged, as the only reason to minify is to save transfer bandwidth and browser extensions are downloaded once and then locally cached.

It also has the unfortunate side effect of making the extension-as-installed very difficult to audit/review for security vulnerabilities, errors, bugs, or backdoors.

Hi @digital-wisdom,

Nice tool !

I'm looking for an API that allows me to create content (POSTs). I have been reading the documentation and it seems that we can only retrieve information or just create a comments or up-vote.

I wonder if you could point me to some API that allows creating POST in steemit.com.

Thanks,

@realskilled