straight-server 0.2.3 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3d3e00cdba620b59557e0f28a51cdc3a82a7b953
-  data.tar.gz: 53372b11a9ddd0045bba84f4b42e9c2706ec9668
+  metadata.gz: 8c948e3fe9fa5c45507abf1d99c8d79d208a8c38
+  data.tar.gz: 6bb99e03b2ab6d086cab4dd9afec47de95a85a34
 SHA512:
-  metadata.gz: 0ca180d944906bd732574b91794012e0661e09de8d47900906ccd06e9269746aaf2a39be3ceffd02ccb2e9e4f9a89e4b9d824ceee2293a9b4c69f9ffc8473f44
-  data.tar.gz: 656718bdf4cc21510fa657efd33265545e7d4cc9a0b47f27e263dfd888e5d55c6216056f897b2af2555e414622731ffaa30313824b67d31b21b9556a54ee2bd6
+  metadata.gz: 6eeaaf80ea4161fa7857739fbb25939e4bd7d159a389acff8880a0b208daaa46a5f90fdbca3752d7e563cc896bc1eb9d5ffb54e169918b5dfad426898b38eaab
+  data.tar.gz: 6cf3c16258ffd4b3b762ce8b2ebe287cb6a6c0e5e959dcae12a8c9d32d40de3d9b5f5a3dccbbb80d9ee3c9c4a4c62c54ff83c514e3a1dd9cb0302e9071649db8

data/.travis.yml

@@ -1,8 +1,8 @@
 gemfile: Gemfile.travis
 language: ruby
 rvm:
-  - 2.1.0
+  - 2.2.1
 services:
   - redis-server
 notifications:
-  slack: straight-payments:ovM1xPrG9BmKTHGkM0k42gkP
+  slack: mycelium-gear:ovM1xPrG9BmKTHGkM0k42gkP

data/Gemfile

@@ -1,21 +1,26 @@
-source "http://rubygems.org"
+source 'https://rubygems.org' do
+  gem 'straight', '1.0.0' #, path: '../straight-engine'
+  gem 'satoshi-unit', '>= 0.1.8'
+  gem 'goliath'
+  gem 'faye-websocket'
+  gem 'sequel'
+  gem 'logmaster', '0.1.5'
+  gem 'ruby-hmac'
+  gem 'httparty'
+  gem 'redis'
+  gem 'btcruby'
+end
 
-gem "straight", "0.2.2"
-gem "satoshi-unit"
-gem "goliath"
-gem "faye-websocket"
-gem "sequel"
-gem "logmaster", '0.1.5'
-gem "ruby-hmac"
-gem "httparty"
-gem "money-tree", "0.9.0"
+unless ENV['STRAIGHT_SERVER_IGNORE_ADDONS_GEMFILE'] # use this flag when building straight-server.gemspec
+  addons_gemfile = File.join(ENV['STRAIGHT_SERVER_CONFIG_DIR'] || File.join(ENV['HOME'], '.straight'), 'AddonsGemfile')
+  eval_gemfile addons_gemfile if File.exists?(addons_gemfile)
+end
 
-# Add dependencies to develop your gem here.
-# Include everything needed to run rake, tests, features, etc.
 group :development do
-  gem "bundler", "~> 1.0"
-  gem "jeweler", "~> 2.0.1"
-  gem "github_api", "0.11.3"
+  gem 'byebug'
+  gem 'bundler', '~> 1.0'
+  gem 'jeweler', '~> 2.0.1'
+  gem 'github_api', '0.11.3'
 end
 
 group :test do
@@ -24,5 +29,5 @@ group :test do
   gem 'factory_girl'
   gem 'sqlite3'
   gem 'hashie'
-  gem 'redis'
+  gem 'webmock', require: false
 end

data/Gemfile.lock

@@ -1,5 +1,5 @@
 GEM
-  remote: http://rubygems.org/
+  remote: https://rubygems.org/
   specs:
     activesupport (4.2.1)
       i18n (~> 0.7)
@@ -10,7 +10,14 @@ GEM
     addressable (2.3.8)
     async-rack (0.5.1)
       rack (~> 1.1)
+    btcruby (1.0.6)
+      ffi (~> 1.9, >= 1.9.3)
     builder (3.2.2)
+    byebug (5.0.0)
+      columnize (= 0.9.0)
+    columnize (0.9.0)
+    crack (0.4.2)
+      safe_yaml (~> 1.0.0)
     descendants_tracker (0.0.4)
       thread_safe (~> 0.3, >= 0.3.1)
     diff-lcs (1.2.5)
@@ -24,11 +31,12 @@ GEM
       activesupport (>= 3.0.0)
     faraday (0.9.1)
       multipart-post (>= 1.2, < 3)
-    faye-websocket (0.9.2)
+    faye-websocket (0.10.0)
       eventmachine (>= 0.12.0)
       websocket-driver (>= 0.5.1)
-    ffi (1.9.8)
+    ffi (1.9.10)
     git (1.2.9.1)
+    git-version-bump (0.15.1)
     github_api (0.11.3)
       addressable (~> 2.3)
       descendants_tracker (~> 0.0.1)
@@ -64,18 +72,16 @@ GEM
       nokogiri (>= 1.5.10)
       rake
       rdoc
-    json (1.8.2)
-    jwt (1.4.1)
+    json (1.8.3)
+    jwt (1.5.0)
     log4r (1.1.10)
     logmaster (0.1.5)
       pony
     mail (2.6.3)
       mime-types (>= 1.16, < 3)
-    mime-types (2.5)
+    mime-types (2.6.1)
     mini_portile (0.6.2)
-    minitest (5.6.1)
-    money-tree (0.9.0)
-      ffi
+    minitest (5.7.0)
     multi_json (1.11.0)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
@@ -89,10 +95,11 @@ GEM
       rack (~> 1.2)
     pony (1.11)
       mail (>= 2.0)
-    rack (1.6.0)
+    rack (1.6.1)
     rack-accept-media-types (0.9)
-    rack-contrib (1.2.0)
-      rack (>= 0.9.1)
+    rack-contrib (1.3.0)
+      git-version-bump (~> 0.15)
+      rack (~> 1.4)
     rack-respond_to (0.9.8)
       rack-accept-media-types (>= 0.6)
     rake (10.4.2)
@@ -112,18 +119,23 @@ GEM
       rspec-support (~> 3.2.0)
     rspec-support (3.2.2)
     ruby-hmac (0.4.0)
-    satoshi-unit (0.1.7)
-    sequel (4.22.0)
+    safe_yaml (1.0.4)
+    satoshi-unit (0.1.8)
+    sequel (4.24.0)
     sqlite3 (1.3.10)
-    straight (0.2.2)
-      httparty
-      money-tree
-      satoshi-unit
+    straight (1.0.0)
+      btcruby (~> 1.0)
+      faraday
+      httparty (~> 0.13.5)
+      satoshi-unit (~> 0.1)
     thread_safe (0.3.5)
-    timecop (0.7.3)
+    timecop (0.7.4)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    websocket-driver (0.5.4)
+    webmock (1.21.0)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+    websocket-driver (0.6.0)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.2)
 
@@ -131,21 +143,23 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  btcruby!
   bundler (~> 1.0)
+  byebug
   factory_girl
-  faye-websocket
+  faye-websocket!
   github_api (= 0.11.3)
-  goliath
+  goliath!
   hashie
-  httparty
+  httparty!
   jeweler (~> 2.0.1)
-  logmaster (= 0.1.5)
-  money-tree (= 0.9.0)
-  redis
+  logmaster (= 0.1.5)!
+  redis!
   rspec
-  ruby-hmac
-  satoshi-unit
-  sequel
+  ruby-hmac!
+  satoshi-unit (>= 0.1.8)!
+  sequel!
   sqlite3
-  straight (= 0.2.2)
+  straight (= 1.0.0)!
   timecop
+  webmock

data/Gemfile.travis

@@ -1,21 +1,20 @@
-source "http://rubygems.org"
+source 'https://rubygems.org'
 
-gem "straight", git: "https://github.com/snitko/straight.git"
-gem "satoshi-unit"
-gem "goliath"
-gem "faye-websocket"
-gem "sequel"
-gem "logmaster", '0.1.5'
-gem "ruby-hmac"
-gem "httparty"
-gem "money-tree", "0.9.0"
+gem 'straight', github: "snitko/straight"
+gem 'satoshi-unit'
+gem 'goliath'
+gem 'faye-websocket'
+gem 'sequel'
+gem 'logmaster', '0.1.5'
+gem 'ruby-hmac'
+gem 'httparty'
+gem 'redis'
 
-# Add dependencies to develop your gem here.
-# Include everything needed to run rake, tests, features, etc.
 group :development do
-  gem "bundler", "~> 1.0"
-  gem "jeweler", "~> 2.0.1"
-  gem "github_api", "0.11.3"
+  gem 'byebug'
+  gem 'bundler', '~> 1.0'
+  gem 'jeweler', '~> 2.0.1'
+  gem 'github_api', '0.11.3'
 end
 
 group :test do
@@ -24,5 +23,5 @@ group :test do
   gem 'factory_girl'
   gem 'sqlite3'
   gem 'hashie'
-  gem 'redis'
+  gem 'webmock', require: false
 end

data/README.md

@@ -10,7 +10,7 @@ Straight server
 
 > Website: http://gear.mycelium.com
 
-[![Build Status](https://travis-ci.org/snitko/straight-server.svg)](https://travis-ci.org/snitko/straight-server)
+[![Build Status](https://travis-ci.org/MyceliumGear/straight-server.svg)](https://travis-ci.org/MyceliumGear/straight-server)
 
 If you'd like to accept Bitcoin payments on your website automatically, but you're not
 fond of services like Coinbase or Bitpay, which hold your bitcoins for you and require a ton
@@ -35,7 +35,7 @@ Installation
 ------------
 I currently only tested it on Unix machines.
 
-1. Install RVM and Ruby 2.1 (see [RVM guide](http://rvm.io/rvm/install))
+1. Install RVM, Ruby 2.1 (see [RVM guide](http://rvm.io/rvm/install)) and Redis.
 
 2. run `gem install straight-server`
 
@@ -70,7 +70,7 @@ in the `~/.straight/config.yml` file for the current gateway. This callback requ
 
 Here's an example of a callback url request that could be made by Straight server when order status changes:
 
-    GET http://mystore.com/payment-callback?order_id=234&amount=1&status=2&address=1NZov2nm6gRCGW6r4q1qHtxXurrWNpPr1q&tid=tid1&callback_data=some+random+data&keychain_id=1&last_keychain_id=1
+    GET http://mystore.com/payment-callback?order_id=234&amount=1&amount_in_btc=0.00000001&amoint_paid_in_btc=0.00000001&status=2&address=1NZov2nm6gRCGW6r4q1qHtxXurrWNpPr1q&tid=tid1&callback_data=some+random+data&keychain_id=1&last_keychain_id=1
 
 As you may have noticed, there's a parameter called `callback_data`. It is a way for you to pass info back
 to your app. It will have the same value as the `callback_data` parameter you passed to the create order request:
@@ -96,7 +96,7 @@ where `:id` can either be order `id` (CAUTION: order `id` is NOT the same as `ke
 `payment_id` - both are returned in the json data when the order
 is created (see above). The request above may return something like:
 
-    {"status":2,"amount":1,"address":"1NZov2nm6gRCGW6r4q1qHtxXurrWNpPr1q","tid":"f0f9205e41bf1b79cb7634912e86bb840cedf8b1d108bd2faae1651ca79a5838","id":1, "keychain_id": 1, "last_keychain_id": 1 }
+    {"status":2,"amount":1,"address":"1NZov2nm6gRCGW6r4q1qHtxXurrWNpPr1q","tid":"f0f9205e41bf1b79cb7634912e86bb840cedf8b1d108bd2faae1651ca79a5838","id":1,"amount_in_btc": 0.00000001,"amount_paid_in_btc": 0.00000001,"keychain_id": 1,"last_keychain_id": 1 }
 
 **Subscribing to the order using websockets**:
 You can also subscribe to the order status changes using websockets at:
@@ -112,6 +112,15 @@ its creation time in `#created_at` field. In turn, each order's gateway has a fi
 depending on what approach to storing gateways you use). After this time has passed, straight-server stops
 checking whether new transactions appear on the order's bitcoin address and also changes order's status to 5 (expired).
 
+**Get last keychain id**
+You can get last keychain id for gateway with the following request:
+
+    GET /gateway/1/last_keychain_id
+
+The request above return something like:
+
+    {"gateway_id": 1, "last_keychain_id": "11"}
+
 Implications of restarting the server
 -------------------------------------
 
@@ -197,35 +206,36 @@ Go to your `~/.straight/config.yml` directory and set two options for each of yo
     secret: 'a long string of random chars'
     check_signature: true
 
-This will force gateways to check signatures when you try to create a new order. A signature is
-a HMAC SHA256 hash of the secret and a keychain_id. Because you need keychain_id, it means you have
-to actually provide it manually in the params. It can be any integer > 0, but it's better
-that it is a consecutive integer, so keep track of the last keychain_id that was used in your
-application. A possible request (assuming secret is the line mentioned above in the sample config) would look like this:
-
-    POST /gateways/1/orders?amount=1&keychain_id=1&signature=aa14c26b2ae892a8719b0c2c57f162b967bfbfbdcc38d8883714a0680cf20467
+This will force gateways to check signatures when you try to create a new order.
+A signature is a `X-Signature` header with a string of about 88 chars: 
 
-An example of obtaining such signature in Ruby:
+    Base64StrictEncode(
+      HMAC-SHA512(
+        REQUEST_METHOD + REQUEST_URI + SHA512(X-Nonce + REQUEST_BODY),
+        GATEWAY_SECRET
+      )
+    )
 
-    require 'openssl'
-    
-    secret = 'a long string of random chars'
-    OpenSSL::HMAC.digest('sha256', secret, "1").unpack("H*").first # "1" may be order_id here
+Where
 
-Straight server will also sign the callback url request. However, since keychain_id may potentially
-be shared between 2 or more orders, the callback signature is based on internal `order_id` returned
-with the json after you create the said order. Here's an example of such a signature:
+* `REQUEST_METHOD`: `GET`, `POST`, etc.
+* `REQUEST_URI`: `/full/path/with?arguments&and#fragment`
+* `REQUEST_BODY`: final string with JSON or blank string
+* `X-Nonce`: header with an integer which must be incremented with each request (protects from replay attack), for example `(Time.now.to_f * 1000).to_i`
+* `SHA512`: [binary SHA-2, 512 bits](https://en.wikipedia.org/wiki/SHA-2)
+* `HMAC-SHA512`: [binary HMAC with SHA512](https://en.wikipedia.org/wiki/Hash-based_message_authentication_code)
+* `GATEWAY_SECRET`: key for HMAC
+* `Base64StrictEncode`: [Base64 encoding according to RFC 4648](https://en.wikipedia.org/wiki/Base64#RFC_4648)
 
-    order.id #=> 234
-    secret = 'a long string of random chars'
-    h = OpenSSL::HMAC.digest('sha256', secret, 234).unpack("H*").first
+For Ruby users signing is already implemented in `straight-server-kit` gem. 
 
-and then send the request to the callback url with that signature:
+Straight server will also sign the callback url request. However, it will use blank X-Nonce.
 
-    GET http://mystore.com/payment-callback?order_id=234&amount=1&status=2&address=1NZov2nm6gRCGW6r4q1qHtxXurrWNpPr1q&tid=tid1&callback_data=some+random+data?signature=aa14c26b2ae892a8719b0c2c57f162b967bfbfbdcc38d8883714a0680cf20467&keychain_id=1&last_keychain_id=1
+    GET http://mystore.com/payment-callback?order_id=1&amount=10&amount_in_btc=0.0000001&amount_paid_in_btc=0.&status=1&address=address_1&tid=tid1&keychain_id=1&last_keychain_id=1&callback_data=so%3Fme+ran%26dom+data
+    X-Signature: S2P8A16+RPaegTzJnb0Eg91csb1SExjdnvadABmQvfoIry4POBp6WbA6UOSqXojzRevyC8Ya/5QrQTnNxIb4og==
 
-It is now up to your application to calculate that signature, compare it and
-make sure that only one such request is allowed (that is, if signature was used, it cannot be used again).
+It is now up to your application to calculate that signature and compare it.
+If it doesn't match, do not trust data, instead log it for further investigation and return 200 in order to prevent retries.  
 
 What is keychain_id and why do we need it?
 ------------------------------------------
@@ -245,13 +255,6 @@ If you have 20 orders in a row and try to create another one, straight-server wi
 automatically reuse the `keychain_id` (and consequently, the address too) of the 20-th order. It will
 also set the 21-st order's `reused` field to the value of `1`.
 
-CAUTION: while you don't need to provide `keychain_id` when creating orders with gateways that
-do not require signatures, you still must do it with gateways that do require signatures.
-In this case, it is very important to make sure that you don't accidentally provide `keychain_id`
-that is too far away from the last used one. For example, if the gateway's `last_keychain_id` is `10`,
-do not use `35` for the next order, use `11`. `last_gateway_id` is always returned with other info
-when you create or check order status.
-
 Querying the blockchain
 -----------------------
 Straight currently uses third-party services, such as Blokchain.info and Helloblock.io to track
@@ -267,30 +270,40 @@ to query the blockchain.
 Counting orders
 ---------------
 For easy statistics and reports, it is desirable to know how many orders of each particular status each gateway has.
-For that reason optional order counters are implemented. To enable order counters, you must first install manually *redis-server*
-and then *redis* rubygem.
-
-Then edit your config file and make sure the following options are set:
+For that reason optional order counters are implemented. To enable order counters, make sure the following options are set:
 
-    environment: development # name your environment here
     count_orders: true       # enable order counting feature
 
-    redis:
-      host: localhost
-      port: 6379
-      db:       null # change to 1, 2, 3 etc. or leave as is
-      password: null # if no password is needed, leave as is
-
 After restarting the server, you can use `Gateway#order_counters` method which will
 return a hash of all the counters. Here's an example output:
 
-    { new: 132, unconfirmed: 0, paid: 34, underpaid: 1, overpaid: 2, expired: 55 }
+    { new: 132, unconfirmed: 0, paid: 34, underpaid: 1, overpaid: 2, expired: 55, canceled: 10 }
 
 The default behaviour is to cache the output, so if you want fresh values, use `reload: true`
 option on this method:
 
     Gateway#order_counters(reload: true)
 
+Throttling
+----------
+
+If Gateway does not require signature check (e.g. it's a public widget), you may wish to limit orders creation.
+This may help to mitigate potential DoS attacks.
+In order to enable throttler, edit your config file and make sure the following options are set:
+
+    throttle:
+      requests_limit: 21
+      period: 60
+      ip_ban_duration: 300
+
+This will allow maximum 21 new orders per 60 seconds per gateway to be created.
+`ip_ban_duration` is optional and prevents users from the banned IP (think of NAT) to create orders via any gateway for 300 seconds.
+When using this option, make sure that `HTTP_X_FORWARDED_FOR` header contains end user's IP. For example, in nginx config:
+
+    proxy_set_header X-Forwarded-For $remote_addr;
+
+Also, check out [ngx_http_realip_module](http://nginx.org/en/docs/http/ngx_http_realip_module.html).
+
 Running in production
 ---------------------
 Running in production usually assumes running server as daemon with a pid. Straight server
@@ -346,14 +359,20 @@ adding controllers and routes for them. Now let's look at how we should do that:
 
 1. All addons are placed under `~/.straight/addons/` (of course, it is wise to use symlinks).
 
-2. `./straight/addons.yml` file lists addons and tells straight-server what are the names of the files to be loaded.
+2. `~/.straight/addons.yml` file lists addons and tells straight-server what are the names of the files to be loaded.
 The format of the file is the following:
 
+
     my_addon                             # <- name doesn't affect anything, just shows up in the log file
       path: addons/my_addon/lib/my_addon # <- This is unnecessary if addon is already in the LOAD_PATH
       module: MyAddon                    # <- actual module should be a submodule of StraightServer::Addon
 
-3. In `./straight/addons/my_addon/lib/` we will place two files, `my_addon.rb` and 'my_controller.rb'. Below is their contents:
+3. If addon has dependencies, they can be listed in `~/.straight/AddonsGemfile` and will be installed along with `straight-server` dependencies.
+
+
+    eval_gemfile '/home/app/.straight/addons/my_addon/Gemfile'
+
+4. In `./straight/addons/my_addon/lib/` we will place two files, `my_addon.rb` and 'my_controller.rb'. Below is their contents:
 
 
     # my_addon.rb