Author Topic: [Client Plugins] Specification / Developers Guide  (Read 9369 times)

Tosch110 (Ex-Staff Member)

Is it possible to use third-party plugins in a plugin/js/3rdparty folder?

Not really getting this idea actually.

sry, brainfart :D

xchrix


Is it possible to generate a token as a plugin?
I am thinking about doing some AJAX calls to a web service, and this service needs a token to identify the NXT account.

Tosch110 (Ex-Staff Member)

Is it possible to generate a token as a plugin?
I am thinking about doing some AJAX calls to a web service, and this service needs a token to identify the NXT account.

Yes, you can use all the NRS functions and make your own requests. I have not been using this plugin integration yet, but this is how I understand it.

Check out nrs.server.js and nrs.util.js which will be really helpful for you ;)

xchrix


I know I am able to make a request to the NXT API and call the generateToken function
http://wiki.nxtcrypto.org/wiki/Nxt_API#Generate_Token
but that means I have to provide the passphrase. I don't think plugins should have access to the passphrase!


Is it possible to generate a token as a plugin?
I am thinking about doing some AJAX calls to a web service, and this service needs a token to identify the NXT account.

Yes, you can use all the NRS functions and make your own requests. I have not been using this plugin integration yet, but this is how I understand it.

Check out nrs.server.js and nrs.util.js which will be really helpful for you ;)

valarmg


I know I am able to make a request to the NXT API and call the generateToken function
http://wiki.nxtcrypto.org/wiki/Nxt_API#Generate_Token
but that means I have to provide the passphrase. I don't think plugins should have access to the passphrase!

But they do! There's no sandboxing. Downloaded plugins have to be trusted.
NXT-CSED-4PK5-AR4V-6UB5V

NxtSwe


I know I am able to make a request to the NXT API and call the generateToken function
http://wiki.nxtcrypto.org/wiki/Nxt_API#Generate_Token
but that means I have to provide the passphrase. I don't think plugins should have access to the passphrase!

But they do! There's no sandboxing. Downloaded plugins have to be trusted.

:o
I hope this point is extremely clear in the UI when installing/downloading the plugin!

Edit:
No offense, I love the whole concept of plugins!
I would just hate to see it fail because of angry users who get robbed because they did not know the capabilities of what a plugin can/can't do.
Check out the NxtLib, the .NET Framework API for the Nxt platform.

jones


Is it possible to generate a token as a plugin?
I am thinking about doing some AJAX calls to a web service, and this service needs a token to identify the NXT account.

Yes, you can use all the NRS functions and make your own requests. I have not been using this plugin integration yet, but this is how I understand it.

Check out nrs.server.js and nrs.util.js which will be really helpful for you ;)

https://github.com/jonesnxt/tokenjs

been meaning to integrate this with NRS for a couple weeks, seems I need to get this done :)
-- Jones NXT-RJU8-JSNR-H9J4-2KWKY

xchrix


tokenjs is really nice! This should be included by default.

No sandboxing? That could be a real show stopper for plugins. Personally I won't install plugins which are trying to grab my passphrase or, for example, have AJAX requests. Is it possible to scan the plugin code for "passphrase" or "ajax" before installing one, and if something like this is found, the user gets a warning prior to the install?

shin


So, is the gate opened wide for malicious hackers to place their code in?

They used to have to have an external place for their malicious software: injected nxt clients, infectious web pages, etc.
Now there is this plugins area right on our lawn!

Are these plugins going to be audited before published? I hope so!

Is it better to wait for two-phase auth?
« Last Edit: February 24, 2015, 07:41:44 am by shin »
Wallet: NXT-ELEB-XT6G-L475-HXRFX • 18354136531262130569 • Twitter: Shin NXT

cc001


Would it be possible to define per plugin whether it is sandboxed with restricted access or not?
Some kind of permission system like in Android would be nice. A plugin that needs access to the passphrase has to request that permission (maybe with a password?).
If a plugin does not ask for that permission, there will be no way that it could get access to the passphrase.

This would allow a lot of simple plugins with very low permissions. Those plugins don't need some fancy verification or hash or whatever; everybody could write and publish them, and the user can be sure that even if there is some hidden code/functionality in it, there is no way that it could gain access to the account. Only sophisticated plugins that need access to the passphrase must be managed somehow with some verification, so the user can be sure that the plugin will do what it is supposed to do.
cc001 Personal - NXT-8RXS-2SSK-RNF2-HSNL8
NxtReporting.com - The Nxt Asset Exchange Portfolio Manager with Profitability Tracking - Donations are greatly appreciated on NXT-5W4G-GAR6-JHJP-H8ZTW

shin


cc001, that is a great idea! To notify users upon/prior to installation (or even stated on the plugin's overview) what it has access to.

Practically, I am not so sure how this can be realised. Scanning for some method calls is useless as javascript code can be obfuscated and yet still executable.

The only thing I can think of is to reforge the current NXT API, anything that requires passphrase or spits it out, to have an extra parameter that takes the identity of the method caller. If the id does not match with the native NRS, then it must be an external caller. If that makes sense.
« Last Edit: February 24, 2015, 08:07:26 am by shin »
Wallet: NXT-ELEB-XT6G-L475-HXRFX • 18354136531262130569 • Twitter: Shin NXT
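The permission model cc001 proposes above, and the point shin makes that scanning plugin source for method names cannot work, both come down to the same design: instead of checking what a plugin calls, the host only ever hands the plugin the capabilities its manifest declared. The sketch below is an added example, not NRS code or any Nxt project's; `PERMISSIONS`, `buildPluginApi`, the manifests and the host object are all constructed for illustration.

```javascript
// Capabilities grouped by the permission that unlocks them (constructed; not NRS).
// Functions that touch the passphrase live only under "secret:passphrase".
const PERMISSIONS = {
  "read:public": (host) => ({
    getAccountId: () => host.accountId,
    getBalanceNQT: () => host.balanceNQT,
  }),
  "network:ajax": (host) => ({
    fetchJson: (url) => host.fetch(url),
  }),
  "secret:passphrase": (host) => ({
    // The plugin never sees the passphrase itself, only the token derived from it.
    generateToken: (message) => host.generateToken(message, host.passphrase),
  }),
};

// Build the API object a plugin receives. Undeclared or unapproved permissions
// contribute nothing, so there is no call for a plugin to obfuscate around:
// the function is simply absent from the object it was given.
function buildPluginApi(manifest, host, userApproved) {
  const api = {};
  const granted = [];
  const denied = [];
  for (const perm of manifest.permissions || []) {
    const factory = PERMISSIONS[perm];
    if (!factory) { denied.push(perm); continue; } // unknown permission name
    // "secret:*" permissions additionally need explicit approval at install time.
    if (perm.startsWith("secret:") && !userApproved.has(perm)) { denied.push(perm); continue; }
    Object.assign(api, factory(host));
    granted.push(perm);
  }
  return { api: Object.freeze(api), granted, denied };
}

// Constructed host state. The passphrase must stay inside host-owned scope
// (not a global, not the DOM) for the gate to mean anything.
const host = {
  accountId: "NXT-XXXX-XXXX-XXXX-XXXXX", // placeholder, not a real account
  balanceNQT: 12345,
  passphrase: "correct horse battery staple", // constructed sample only
  fetch: (url) => Promise.resolve({ url }),
  generateToken: (message, passphrase) => `token(${message.length},${passphrase.length})`,
};

// Two constructed manifests: a read-only ticker and a token-generating plugin.
const tickerManifest = { name: "ticker", permissions: ["read:public", "network:ajax"] };
const tokenManifest = { name: "tokenjs", permissions: ["read:public", "secret:passphrase"] };

const ticker = buildPluginApi(tickerManifest, host, new Set());
const tokenApi = buildPluginApi(tokenManifest, host, new Set(["secret:passphrase"]));
```

As HolgerD77 notes later in the thread, this only holds if the plugin runs where it cannot reach the host's globals or the transaction modals directly; the manifest gate limits the API surface, not the page.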

rudeboi (Nxt Organization Member)

There will not be any sandboxing in 1.5, not because it's not wanted but because of the technical difficulty of implementing it and the current API.

However hopefully in future versions the community can think of a viable sandboxing method. For 1.5 only run plugins that have been independently code reviewed or are from a trusted dev.

HolgerD77 (Core Dev)

No sandboxing? That could be a real show stopper for plugins. Personally I won't install plugins which are trying to grab my passphrase or, for example, have AJAX requests. Is it possible to scan the plugin code for "passphrase" or "ajax" before installing one, and if something like this is found, the user gets a warning prior to the install?

This is just not possible; there are so many ways to hook into something to manipulate things, e.g. change the recipient address of an existing transaction modal on sending, change variable fees and use transparent forging to have stuff channelled, the list goes on and on.

And the client JS API just isn't as well defined that you could channel all requests in a managed way. But if you guys come up with mechanisms to improve security, this would be really great.

Atm I don't see this as a large scale feature (having hundreds of plugins you can choose from). I would already be calling this a success if we have a handful of plugins coming from trusted members of the Nxt community - the Crowdfunding plugin from Tosch, a MGW/SuperNET plugin, maybe 2-3 others - which can enhance the client functionality in a meaningful way.
NXT-AQ9F-JC4F-NCM2-4JSXZ

HolgerD77 (Core Dev)

:o
I hope this point is extremely clear in the UI when installing/downloading the plugin!

Edit:
No offense, I love the whole concept of plugins!
I would just hate to see it fail because of angry users who get robbed because they did not know the capabilities of what a plugin can/can't do.

This is pointed out very prominently on all entry points to plugin installation/usage, being the login page (displayed when a plugin is detected, determined as valid and active, and would be loaded into the client after login) and the installation folder in the form of a separate "SECURITY_WARNING.md" readme file.
NXT-AQ9F-JC4F-NCM2-4JSXZ

HolgerD77 (Core Dev)

Are these plugins going to be audited before published? I hope so!

One way I could imagine this is that some trusted/technically capable member of the Nxt community will run a curated plugin store/repository, and it becomes good habit/standard behaviour to just use the plugins from this trusted repo.
NXT-AQ9F-JC4F-NCM2-4JSXZ

TwinWinNerD (CEO BitPanda.com)

Coinimal is looking for a Freelancer that codes the Coinimal Plugin for the upcoming Plugin NXT System. PM.

_mr_e


This scares the shit out of me. All it would take is for one popular trusted plugin to manage to go rogue and get through verification and nxt could effectively be destroyed. Many accounts permanently hacked with a simple ajax request and then the hacker is in control of massive amounts of forging power. It would be game over.

valarmg


This scares the shit out of me. All it would take is for one popular trusted plugin to manage to go rogue and get through verification and nxt could effectively be destroyed. Many accounts permanently hacked with a simple ajax request and then the hacker is in control of massive amounts of forging power. It would be game over.

Wouldn't be that simple (has to be a rogue app where the malware doesn't get noticed for a long time while everyone updates). Someone managing to get something malicious into the latest Nxt or superNET release would have a similar terrible outcome.

There should be multiple people checking every plugin release before anyone installs them, never mind everyone. There's no room for complacency regarding plugins becoming trusted. The more paranoid people are about double checking, the better.
NXT-CSED-4PK5-AR4V-6UB5V

Tosch110 (Ex-Staff Member)

Yep, in my opinion the best way to solve this is having multiple eyes checking and verifying plugins. Though, this may not be possible for all plugins as they can be offered anyway but maybe we can have some kind of committee or so which handles plugins and their verification (like an app store)

HolgerD77 (Core Dev)

Yep, in my opinion the best way to solve this is having multiple eyes checking and verifying plugins. Though, this may not be possible for all plugins as they can be offered anyway but maybe we can have some kind of committee or so which handles plugins and their verification (like an app store)

Don't know if we need a committee-like structure for everything; maybe this will also organize itself by demand on the free market! :-)
NXT-AQ9F-JC4F-NCM2-4JSXZ