mobius-client 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 01c4b81fee09290fed2e1935eabea312c6a18624
+  data.tar.gz: 6e74efa3ed49a49c1e999729f116a764146f01ab
+SHA512:
+  metadata.gz: cc4271c42a49e56503aae69b79d160e771031431d29d8680c4504a899540a4f28317d7d6dc5a8ef1680c80764c30559987b93069e71b936fc314761da47519a9
+  data.tar.gz: ba78a18c7728a53f9df79c689d393638c7dd2460eae24f71f41659e20f5fd03317126d0e2ed4243e3c8163b647aaedb2f70a2166943e7bc4ee9019635711e21d

data/.gitignore

@@ -0,0 +1,24 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/Gemfile.lock
+/coverage
+
+# rspec failure tracking
+.rspec_status
+
+# Ignore other unneeded files.
+*.swp
+*~
+.project
+.DS_Store
+/.idea
+.env
+.env.*
+/spec/examples.txt
+dev-wallet.html

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,84 @@
+---
+require: rubocop-rspec
+
+AllCops:
+  Include:
+    - ./Gemfile
+    - ./config.ru
+  Exclude:
+    - db/**/*
+    - config/**/*
+    - script/**/*
+    - bin/*
+    - vendor/**/*
+    - lib/tasks/**/*
+    - tmp/**/*
+  TargetRubyVersion: 2.3
+
+Documentation:
+  Enabled: false
+
+Lint/AmbiguousBlockAssociation:
+  Enabled: false # this is a whole damned mess
+
+Metrics/LineLength:
+  Max: 120
+
+Naming/FileName:
+  Exclude:
+    - "*.*"
+
+RSpec/FilePath:
+  Enabled: false
+
+RSpec/InstanceVariable:
+  Enabled: false
+
+RSpec/VerifiedDoubles:
+  Enabled: false
+
+Style/Alias:
+  Enabled: false
+
+Style/AndOr:
+  Enabled: false
+
+Style/AsciiComments:
+  Enabled: false
+
+Style/BlockComments:
+  Enabled: false
+
+Style/ClassAndModuleChildren:
+  EnforcedStyle: compact
+
+Style/DoubleNegation:
+  Enabled: false
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
+Style/Lambda:
+  Enabled: false
+
+Style/NumericLiterals:
+  Enabled: false
+
+Style/PercentLiteralDelimiters:
+  Enabled: false
+
+Style/RescueModifier:
+  Enabled: false
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+
+Style/SingleLineBlockParams:
+  Enabled: false
+
+Style/ClassAndModuleChildren:
+  Enabled: false
+
+Metrics/BlockLength:
+  Exclude:
+    - "spec/**/*.*"

data/.travis.yml

@@ -0,0 +1,22 @@
+env:
+  global:
+    - CC_TEST_REPORTER_ID=b73e557e34c0841f1f534b98bb01a3346cdad5eb9913416dca9ec1350af6ac09
+
+language: ruby
+rvm:
+  - 2.3
+  - 2.4
+  - 2.5
+cache: bundler
+before_install:
+  - gem update --system && gem install bundler
+before_script:
+  - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
+  - chmod +x ./cc-test-reporter
+  - ./cc-test-reporter before-build
+after_script:
+  - ./cc-test-reporter after-build --exit-code $TRAVIS_TEST_RESULT
+script:
+  - bundle exec rake
+  - bundle exec bundle-audit update && bundle exec bundle-audit check  
+  - bundle exec rubocop

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at gzigzigzeo@gmail.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in mobius-client.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 Viktor Sokolov
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,259 @@
+[![Build Status](https://travis-ci.org/mobius-network/mobius-client-ruby.svg?branch=master)](https://travis-ci.org/mobius-network/mobius-client-ruby)
+[![Maintainability](https://api.codeclimate.com/v1/badges/a99a88d28ad37a79dbf6/maintainability)](https://codeclimate.com/github/codeclimate/codeclimate/maintainability)
+
+# Mobius DApp Store Ruby SDK
+
+The Mobius DApp Store Ruby SDK makes it easy to integrate Mobius DApp Store MOBI payments into any Ruby application.
+
+A big advantage of the Mobius DApp Store over centralized competitors such as the Apple App Store or Google Play Store is significantly lower fees - currently 0% compared to 30% - for in-app purchases.
+
+## DApp Store Overview
+
+The Mobius DApp Store will be an open-source, non-custodial "wallet" interface for easily sending crypto payments to apps. You can think of the DApp Store like https://stellarterm.com/ or https://www.myetherwallet.com/ but instead of a wallet interface it is an App Store interface.
+
+The DApp Store is non-custodial meaning Mobius never holds the secret key of either the user or developer.
+
+An overview of the DApp Store architecture is:
+
+- Every application holds the private key for the account where it receives MOBI.
+- An application specific unique account where a user deposits MOBI for use with the application is generated for each app based on the user's seed phrase.
+- When a user opens an app through the DApp Store:
+  1) Adds the application's public key as a signer so the application can access the MOBI and
+  2) Signs a challenge transaction from the app with its secret key to authenticate that this user owns the account. This prevents a different person from pretending they own the account and spending the MOBI (more below under Authentication).
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'mobius-client'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself with:
+
+    $ gem install mobius-client
+
+### Setting up the developer's application account
+
+Run:
+
+    $ mobius-cli create dapp-account
+
+Creates a new Stellar account with 1,000 test-net MOBI.
+
+You can also obtain free test network MOBI from https://mobius.network/friendbot
+
+### Setting up test user accounts
+
+1. Create empty Stellar account without a MOBI trustline.
+    ```
+      $ mobius-cli create account
+    ```
+2. Create stellar account with 1,000 test-net MOBI
+    ```
+      $ mobius-cli create dapp-account
+    ```
+3. Create stellar account with 1,000 test-net MOBI and the specified application public key added as a signer
+    ```
+      $ mobius-cli create dapp-account -a <Your application public key>
+    ```
+
+### Account Creation Wizard
+
+Below command will create and setup the 4 account types above for testing and generate a simple HTML test interface that simulates the DApp Store authentication functionality (obtaining a challenge request from an app, signing it, and then openining the specified app passing in a JWT encoded token the application will use to verify this request is from the user that owns the specified MOBI account).
+
+```
+  $ mobius-cli create dev-wallet
+```
+
+## Authentication
+
+### Explanation
+
+When a user opens an app through the DApp Store it tells the app what Mobius account it should use for payment.
+
+The application needs to ensure that the user actually owns the secret key to the Mobius account and that this isn't a replay attack from a user who captured a previous request and is replyaing it.
+
+This authentication is accomplished through the following process:
+
+* When the user opens an app in the DApp Store it requests a challenge from the application.
+* The challenge is a payment transaction of 1 XLM from and to the application account. It is never sent to the network - it is just used for authentication.
+* The application generates the challenge transaction on request, signs it with itss own private key, and sends it to user.
+* User receives the challenge transaction, verifies it is signed by the application's secret key by checking it the application's published public key that it receives through the DApp Store, and then signs the transaction which its own private key and sends it back to application along with its public key.
+* Application checks that challenge transaction is now signed by itself and the public key that was passed in. Time bounds are also checked to make sure this isn't a replay attack. If everything passes the server replies with a token the application can pass in to "login" with the specified public key and use it for payment (it would have previously given the app access to the public key by adding the app's public key as a signer).
+
+Note: the challenge transaction also has time bounds to restrict the time window when it can be used.
+
+See demo at:
+
+    $ git clone git@github.com/mobius-network/mobius-client-ruby.git
+    $ cd mobius-client-ruby && bundle
+    $ cd examples/auth && bundle && ruby auth.rb
+
+### Sample Server Implementation
+
+```
+class AuthController < ApplicationController
+  skip_before_action :verify_authenticity_token, :only => [:authenticate]
+
+  # GET /auth
+  # Generates and returns challenge transaction XDR signed by application to user
+  def challenge
+    render plain: Mobius::Client::Auth::Challenge.call(
+      Rails.application.secrets.app[:secret_key], # SA2VTRSZPZ5FIC.....I4QD7LBWUUIK
+      12.hours                                    # Session duration
+    )
+  end
+
+  # POST /auth
+  # Validates challenge transaction. It must be:
+  #   - Signed by application and requesting user.
+  #   - Not older than 10 seconds from now (see Mobius::Client.strict_interval`)
+  def authenticate
+    token = Mobius::Client::Auth::Token.new(
+      Rails.application.secrets.app[:secret_key], # SA2VTRSZPZ5FIC.....I4QD7LBWUUIK
+      params[:xdr],                               # Challenge transaction
+      params[:public_key]                         # User's public key
+    )
+
+    # Important! Otherwise, token will be considered valid.
+    token.validate!
+
+    # Converts issued token into JWT and sends it to user.
+    #
+    # Note: this is not the requirement. Instead of JWT, application might save token.hash along
+    # with time frame and public key to local database and validate over it.
+    render plain: Mobius::Client::Auth::Jwt.new(
+      Rails.application.secrets.app[:jwt_secret]
+    ).encode(token)
+  rescue Mobius::Client::Error::Unauthorized
+    # Signatures are invalid
+    render plain: "Access denied!"
+  rescue Mobius::Client::Error::TokenExpired
+    # Current time is outside session time bounds
+    render plain: "Session expired!"
+  rescue Mobius::Client::Error::TokenTooOld
+    # Challenge transaction was issued more than 10 seconds ago
+    render plain: "Challenge tx expired!"
+  end
+end
+```
+
+## Payment
+
+### Explanation
+
+After the user completes the authentication process they have a token T. They now pass it to the application to "login" which tells the application which Mobius account to withdraw MOBI from (the user public key) when a payment is needed. For a web application the token is generally passed in via a `token` request parameter. Upon opening the website/loading the application it checks that the token is valid (within time bounds etc) and the account in the token has added the app as a signer so it can withraw MOBI from it.
+
+
+See demo at:
+
+    $ git clone git@github.com/mobius-network/mobius-client-ruby.git
+    $ cd mobius-client-ruby && bundle
+    $ cd examples/app && bundle && ruby app.rb
+
+### Sample Server Implementation
+
+```
+class AppController < ApplicationController
+  skip_before_action :verify_authenticity_token, :only => [:pay]
+
+  ROUND_PRICE = 5
+
+  # GET /
+  # User opens the application passing in the token variable.
+  def index
+    # User has opened application page without a token
+    return render plain: "Visit https://store.mobius.network to register in the DApp Store" unless app
+
+    # User has not granted access to his MOBI account so we can't use it for payments
+    return render plain: "Visit https://store.mobius.network and open our app" unless app.authorized?
+
+    # token is valid - should render the application or redirect to the main application page etc
+  end
+
+  # GET /balance
+  def balance
+    render plain: app.balance
+  end
+
+  # POST /pay
+  def pay
+    app.pay(ROUND_PRICE)
+    render plain: app.balance
+  rescue Mobius::Client::Error::InsufficientFunds
+    render :gone
+  end
+
+  private
+
+  def token_s
+    session[:token] = params[:token] || session[:token]
+  end
+
+  def token
+    @token ||= Mobius::Client::Auth::Jwt.new(Rails.application.secrets.app[:jwt_secret]).decode!(token_s)
+  rescue Mobius::Client::Error
+    nil # We treat all invalid tokens as missing
+  end
+
+  def app
+    @app ||= token && Mobius::Client::App.new(
+      Rails.application.secrets.app[:secret_key], # SA2VTRSZPZ5FIC.....I4QD7LBWUUIK
+      token.public_key                            # Current user
+    )
+  end
+end
+```
+
+## Sample Application
+
+[Flappy Bird](https://github.com/mobius-network/flappy-bird-dapp) has been reimplemented using this new arhictecture and the above simple server code!
+
+## CLI Test Implementation
+
+  Normally, as mentioned the Mobius DApp Store will request a challenge, validate and sign it, pass it back to the application to obtain an access token, and then open the application and pass in the token.
+
+  For development purposes you can use the simple HTML test interface generated via `mobius-cli create dev-wallet` as mentioned above in the "Account Creation Wizard" section or you can use the these CLI commands.
+
+```
+  # Fetch token from working application
+  # mobius-cli auth fetch <URL> <User secret> <App public>
+  $ mobius-cli auth fetch -j secret \
+    http://localhost:4567/auth SA2VTRSZPZ5FIC.....I4QD7LBWUUIK GCWYXW7RXJ5.....SV4AK32ECXFJ
+
+  # Generate token locally using the provided app secret
+  # mobius-cli auth token <User secret> <App secret>
+  $ mobius-cli auth token -j secret \
+    SA2VTRSZPZ5FIC.....I4QD7LBWUUIK SGZKDAKASDSD.....I4QD7LBWUUIK
+```
+
+  Use `-j` if you want to return JWT token, otherwise transaction hash will be returned.
+
+  Check `lib/mobius/cli/auth.rb` for details.
+
+## Documentation
+
+[[RDoc.info](http://www.rubydoc.info/github/mobius-network/mobius-client-ruby/master)]
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/mobius-network/mobius-client-ruby. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the Mobius::Client project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/mobius-client/blob/master/CODE_OF_CONDUCT.md).