straight-server 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 2ae2d0fa734b525a466d866b825cf18c95cd8886
+  data.tar.gz: 054c7bef45cc6ed613149cda162368d1bbeac012
+SHA512:
+  metadata.gz: f3c2cad75571e4bcc882bd33978b34efc7f831cd1fe154055b0ca2e0354ce70ac7a3b0c170cee2b54059811ace9bcd993aace43ccf09116d7f99aed64bceaf35
+  data.tar.gz: 29da34227a4b893dba7e285f84881dc20830d9d71d9e2dbb07c77e4f9aac391a7aed047ce5479297e23d820622bab79ffdd0835c2048558f080943fe1ed7c545

data/.document

@@ -0,0 +1,5 @@
+lib/**/*.rb
+bin/*
+- 
+features/**/*.feature
+LICENSE.txt

data/.rspec

@@ -0,0 +1 @@
+--color

data/Gemfile

@@ -0,0 +1,24 @@
+source "http://rubygems.org"
+
+gem "straight"
+gem "satoshi-unit"
+gem "goliath"
+gem "faye-websocket"
+gem "sequel"
+gem "logmaster"
+gem "ruby-hmac"
+
+# Add dependencies to develop your gem here.
+# Include everything needed to run rake, tests, features, etc.
+group :development do
+  gem "bundler", "~> 1.0"
+  gem "jeweler", "~> 2.0.1"
+  gem "github_api", "0.11.3"
+end
+
+group :test do
+  gem 'rspec'
+  gem 'factory_girl'
+  gem 'sqlite3'
+  gem 'hashie'
+end

data/Gemfile.lock

@@ -0,0 +1,138 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    activesupport (4.1.6)
+      i18n (~> 0.6, >= 0.6.9)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.1)
+      tzinfo (~> 1.1)
+    addressable (2.3.6)
+    async-rack (0.5.1)
+      rack (~> 1.1)
+    builder (3.2.2)
+    descendants_tracker (0.0.4)
+      thread_safe (~> 0.3, >= 0.3.1)
+    diff-lcs (1.2.5)
+    em-synchrony (1.0.3)
+      eventmachine (>= 1.0.0.beta.1)
+    em-websocket (0.3.8)
+      addressable (>= 2.1.1)
+      eventmachine (>= 0.12.9)
+    eventmachine (1.0.3)
+    factory_girl (4.4.0)
+      activesupport (>= 3.0.0)
+    faraday (0.9.0)
+      multipart-post (>= 1.2, < 3)
+    faye-websocket (0.7.4)
+      eventmachine (>= 0.12.0)
+      websocket-driver (>= 0.3.1)
+    ffi (1.9.3)
+    git (1.2.8)
+    github_api (0.11.3)
+      addressable (~> 2.3)
+      descendants_tracker (~> 0.0.1)
+      faraday (~> 0.8, < 0.10)
+      hashie (>= 1.2)
+      multi_json (>= 1.7.5, < 2.0)
+      nokogiri (~> 1.6.0)
+      oauth2
+    goliath (1.0.4)
+      async-rack
+      em-synchrony (>= 1.0.0)
+      em-websocket (= 0.3.8)
+      eventmachine (>= 1.0.0.beta.4)
+      http_parser.rb (= 0.6.0)
+      log4r
+      multi_json
+      rack (>= 1.2.2)
+      rack-contrib
+      rack-respond_to
+    hashie (3.3.1)
+    highline (1.6.21)
+    http_parser.rb (0.6.0)
+    i18n (0.6.11)
+    jeweler (2.0.1)
+      builder
+      bundler (>= 1.0)
+      git (>= 1.2.5)
+      github_api
+      highline (>= 1.6.15)
+      nokogiri (>= 1.5.10)
+      rake
+      rdoc
+    json (1.8.1)
+    jwt (1.0.0)
+    log4r (1.1.10)
+    logmaster (0.1.1)
+      pony
+    mail (2.6.1)
+      mime-types (>= 1.16, < 3)
+    mime-types (2.3)
+    mini_portile (0.6.0)
+    minitest (5.4.1)
+    money-tree (0.8.7)
+      ffi
+    multi_json (1.10.1)
+    multi_xml (0.5.5)
+    multipart-post (2.0.0)
+    nokogiri (1.6.3.1)
+      mini_portile (= 0.6.0)
+    oauth2 (1.0.0)
+      faraday (>= 0.8, < 0.10)
+      jwt (~> 1.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (~> 1.2)
+    pony (1.11)
+      mail (>= 2.0)
+    rack (1.5.2)
+    rack-accept-media-types (0.9)
+    rack-contrib (1.1.0)
+      rack (>= 0.9.1)
+    rack-respond_to (0.9.8)
+      rack-accept-media-types (>= 0.6)
+    rake (10.3.2)
+    rdoc (4.1.2)
+      json (~> 1.4)
+    rspec (3.1.0)
+      rspec-core (~> 3.1.0)
+      rspec-expectations (~> 3.1.0)
+      rspec-mocks (~> 3.1.0)
+    rspec-core (3.1.2)
+      rspec-support (~> 3.1.0)
+    rspec-expectations (3.1.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.1.0)
+    rspec-mocks (3.1.0)
+      rspec-support (~> 3.1.0)
+    rspec-support (3.1.0)
+    ruby-hmac (0.4.0)
+    satoshi-unit (0.1.6)
+    sequel (4.13.0)
+    sqlite3 (1.3.9)
+    straight (0.1.0)
+      money-tree
+    thread_safe (0.3.4)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    websocket-driver (0.3.4)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.0)
+  factory_girl
+  faye-websocket
+  github_api (= 0.11.3)
+  goliath
+  hashie
+  jeweler (~> 2.0.1)
+  logmaster
+  rspec
+  ruby-hmac
+  satoshi-unit
+  sequel
+  sqlite3
+  straight

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Roman Snitko
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,219 @@
+Straight server
+===============
+> A stand-alone Bitcoin payment gateway server
+> Receives bitcoin payments directly into your wallet, holds no private keys
+
+> Website: http://straight.romansnitko.com
+
+If you'd like to accept Bitcoin payments on your website automatically, but you're not
+fond of services like Coinbase or Bitpay, which hold your bitcoins for you and require a ton
+of AML/KYC info, you came to the right place.
+
+Straight server is a software you install on your machine, which you can then talk to
+via a RESTful API to create orders and generate payment addresses. Straight server will
+issue callback requests to the specified URLs when the bitcoins arrive and store all the information
+about the order in a DB.
+
+While it is written in Ruby, I made special effort so that it would be easy to install and configure.
+You can use Straight server with any application and website. You can even run your own payment
+gateway which serves many online stores.
+
+Straight uses BIP32 pubkeys so that you and only you control your private keys.
+If you're not sure what a BIP32 address and HD wallets are, read this article:
+http://bitcoinmagazine.com/8396/deterministic-wallets-advantages-flaw/
+
+Installation
+------------
+I currently only tested it on Unix machines.
+
+1. Install RVM and Ruby 2.1 (see [RVM guide](http://rvm.io/rvm/install))
+
+2. run `gem install straight-server`
+
+3. start the server by running `straight-server`. This will generate a` ~/.straight` dir and put a `config.yml`
+file in there, then shut down. You have to edit the file first to be able to run the server again.
+
+4. In `config.yml`, under the `gateways/default` section, insert your BIP32 pubkey and a callback URL.
+Everything may be left as is for now. To generate a BIP32 private/public keys, you can use one of the
+wallets that support BIP32 (currently it's bitWallet for iOS) or go to http://bip32.org
+
+5. Run the server again with `straight-server -p 9696`
+
+
+Usage
+-----
+When the server is running, you can access it via http and use its RESTful API.
+Below I assume it runs on localhost on port 9696.
+
+**Creating a new order:**
+
+    # creates a new order for 1 satoshi
+    POST /gateways/1/orders?amount=1
+
+the result of this request will be the following json:
+
+    {"status":0,"amount":1,"address":"1NZov2nm6gRCGW6r4q1qHtxXurrWNpPr1q","tid":null,"id":1 }
+
+Now you can obviously use that output to provide your user with the address and the expected
+amount to be sent there. At this point, the server starts automatically tracking the order address
+in a separate thread, so that when the money arrive, a callback will be issued to the url provided
+in the `~/.straight/config.yml` file for the current gateway. This callback request will contain order info too.
+Here's an example of a callback url request that could be made by Straight server when order status changes:
+
+    GET http://mystore.com/payment-callback?order_id=1&amount=1&status=2&address=1NZov2nm6gRCGW6r4q1qHtxXurrWNpPr1q&tid=tid1&data=some+random+data
+
+As you may have noticed, there's a parameter called `data`. It is a way for you to pass info back
+to your app. It will have the same value as the `data` parameter you passed to the create order request:
+
+    POST /gateways/1/orders?amount=1&data=some+random+data
+
+You can specify amount in other currencies, as well as various BTC denominations.
+It will be converted using the current exchange rate (see [Straight::ExchangeAdapter](https://github.com/snitko/straight/blob/master/lib/straight/exchange_rate_adapter.rb)) into satoshis:
+
+    # creates a new order for 1 USD
+    POST /gateways/1/orders?amount=1&currency=USD
+
+    # creates an order for 0.00000001 BTC or 1 satoshi
+    POST /gateways/1/orders?amount=1&btc_denomination=btc
+
+
+**Checking the order manually**
+You can check the status of the order manually with the following request:
+
+    GET /gateways/1/orders/1
+
+may return something like:
+
+    {"status":2,"amount":1,"address":"1NZov2nm6gRCGW6r4q1qHtxXurrWNpPr1q","tid":"f0f9205e41bf1b79cb7634912e86bb840cedf8b1d108bd2faae1651ca79a5838","id":1 }
+
+**Subscribing to the order using websockets**:
+You can also subscribe to the order status changes using websockets at:
+
+    /gateways/1/orders/1/websocket
+
+It will send a message to the client upon the status change and close connection afterwards.
+
+Client Example
+--------------
+I've implemented a small client example app written purely in Dart. It creates new orders,
+tracks changes via websockets and displays status info upon status change. To see how it works,
+download Dartium browser and navigate it to the `http://localhost:9696` while running the
+Straight server in development mode (nothing special has to be done for that).
+
+The code for this client app example can be found in [examples/client](https://github.com/snitko/straight-server/tree/master/examples/client).
+
+Using many different gateways
+------------------------------
+When you have many online stores, you'd want to create a separate gateway for each one of them.
+They would all be running within one Straight server.
+
+The standard way to do this is to use `~/.straight/config.yml` file. Under the `gateways` section,
+simply add a new gateway (come up with a nice name for it!) and set all the options you see were
+used for the default one. Change them as you wish. Restart the server.
+
+To create an order for the new gateway, simply send this request:
+
+    POST /gateways/2/orders?amount=1&currency=USD
+
+Notice that the gateway id has changed to 2. Gateway ids are assigned according to the order in
+which they follow in the config file.
+
+** Gateways from DB **
+When you have too many gateways, it is unwise to keep them in the config file. In that case,
+you can store gateway settings in the DB. To do that, change `~/.straight/config.yml` setting
+'gateways_source: config` to `gateways_source: db`.
+
+Then you should be able to use `straight-console` to manually create gateways to the DB. To do
+that, you'd have to consult [Sequel documentation](http://sequel.jeremyevans.net/) because currently
+there is no standard way to manage gateways through a web interface. In the future, it will be added.
+In general, it shouldn't be difficult, and may look like this:
+
+    $ straight-console
+
+    > g = Gateway.new
+    > gateway.pubkey                 = 'xpub1234'
+    > gateway.confirmations_required = 0
+    > gateway.order_class            = 'StraightServer::Order'
+    > gateway.callback_url           = 'http://myapp.com/payment_callback'
+    > gateway.save
+    > exit
+
+Using signatures
+----------------
+If you are running straight-server on a machine separate from your online stores, you
+HAVE to make sure that when somebody accesses your RESTful API it is those stores only,
+and not somebody else. For that purpose, you're gonna need signatures.
+
+Go to your `~/.straight/config.yml` directory and set two options for each of your gateways:
+
+    secret: 'a long string of random chars'
+    check_signature: true
+
+This will force gateways to check signatures when you try to create a new order. A signature is
+a HMAC SHA1 hash of the secret and an order id. Because you need order id, it means you have
+to actually provide it manually in the params. It can be any integer > 0, but it's better
+that it is a consecutive integer, so keep track of order ids in your application. Obviously,
+if an order with such an id already exists, the request will be rejected. A possible request
+(assuming secret is the line mentioned above in the sample config) would look like this:
+
+    POST /gateways/1/orders?amount=1&order_id=1&signature=fb0e8d863621a3e6e2bf4e81f8ab70737190d92b
+
+An example of obtaining such signature in Ruby:
+
+    require 'hmac'
+    require 'hmac-sha1'
+    
+    secret = 'a long string of random chars'
+    h = HMAC::SHA1.new(secret)
+    h << '1' # order id
+    h.hexdigest
+
+Straight server will also sign the callback url request. However, since the signature may be
+known to an attacker once it was used for creating a new order, we can no longer use it directly.
+Thus, Straight server will use a double signature calculated like this:
+
+    secret = 'a long string of random chars'
+    h = HMAC::SHA1.new(secret)
+    h << '1' # order id
+    h2 = HMAC::SHA1.new(secret)
+    h2 << h.hexdigest
+    h2.hexdigest
+
+and then send the request to the callback url with that signature:
+
+    GET http://mystore.com/payment-callback?order_id=1&amount=1&status=2&address=1NZov2nm6gRCGW6r4q1qHtxXurrWNpPr1q&tid=tid1&data=some+random+data?signature=a61381c87ea3f7e6958ef779b6a9789ec966c2b9
+
+It is now up to your application to calculate that signature, compare it and
+make sure that only one such request is allowed (that is, if signature was used, it cannot be used again).
+
+Running in production
+---------------------
+Running in production usually assumes running server as daemon with a pid. Straight server
+uses [Goliath](https://github.com/postrank-labs/goliath) so you can look up various options there.
+However, my recommendation is the following:
+
+    straight-server -e production -p 9696 --daemonize --pid ~/.straight/straight.pid
+
+Note that goliath server log file settings do not apply here. Straight has its own logging
+system and the file is usually `~/.straight/straight.log`. You can set various loggin options
+in `~/.straight/config.yml`. For production, you may want to set log level to WARN and also
+turn on email notifications, so that when a FATAL errors occurs, an email is sent to you address
+(emailing would most likely require *sendmail* to be installed).
+
+I would also recommend you to use something like *monit* daemon to monitor a *straight-server* process.
+
+Requirements
+------------
+Ruby 2.1 or later.
+
+Donations
+---------
+To go on with this project and make it truly awesome, I need more time. I can only buy free time with money, so any donation is highly appreciated. Please send bitcoins over to **1D3PknG4Lw1gFuJ9SYenA7pboF9gtXtdcD**
+
+There are [development plans](http://straight.romansnitko.com/#todo) for this software you might be interested in.
+
+Credits
+-------
+Author: [Roman Snitko](http://romansnitko.com)
+
+Licence: MIT (see the LICENCE file)

data/Rakefile

@@ -0,0 +1,27 @@
+# encoding: utf-8
+
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'rake'
+
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+  # gem is a Gem::Specification... see http://guides.rubygems.org/specification-reference/ for more options
+  gem.name = "straight-server"
+  gem.homepage = "http://github.com/snitko/straight-server"
+  gem.license = "MIT"
+  gem.summary = %Q{A Bitcoin payment gateway server: a state server for the stateless Straight library}
+  gem.description = %Q{Accepts orders via http, returns payment info via http or streams updates via websockets, stores orders in a DB}
+  gem.email = "roman.snitko@gmail.com"
+  gem.authors = ["Roman Snitko"]
+  # dependencies defined in Gemfile
+end
+Jeweler::RubygemsDotOrgTasks.new
+

data/VERSION

@@ -0,0 +1 @@
+0.1.0

data/bin/straight-console

@@ -0,0 +1,12 @@
+#!/usr/bin/env ruby
+
+require 'irb'
+require_relative '../lib/straight-server'
+include StraightServer::Initializer
+prepare
+
+require_relative '../lib/straight-server/order'
+require_relative '../lib/straight-server/gateway'
+
+ARGV.clear
+IRB.start

data/bin/straight-server

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+
+require 'goliath'
+
+require_relative '../lib/straight-server'
+require_relative '../lib/straight-server/server'

data/db/migrations/001_create_orders.rb

@@ -0,0 +1,26 @@
+Sequel.migration do
+
+  up do
+    create_table(:orders) do
+      primary_key :id
+      String  :address,     null: false
+      String  :tid
+      Integer :status,      null: false, default: 0
+      Integer :keychain_id, null: false
+      Bignum  :amount,      null: false
+      Integer :gateway_id,  null: false
+      String  :data
+      String  :callback_response, text: true
+      DateTime :created_at, null: false
+      DateTime :updated_at
+    end
+    add_index :orders, :id,      unique: true
+    add_index :orders, :address, unique: true
+    add_index :orders, [:keychain_id, :gateway_id], unique: true
+  end
+
+  down do
+    drop_table(:orders)
+  end
+
+end

data/db/migrations/002_create_gateways.rb

@@ -0,0 +1,28 @@
+Sequel.migration do
+
+  up do
+    create_table(:gateways) do
+      primary_key :id
+      Integer :confirmations_required, null: false, default: 0
+      Integer :last_keychain_id,       null: false, default: 0
+      String  :pubkey,      null: false
+      String  :order_class, null: false
+      String  :secret,      null: false
+      String  :name,        null: false
+      String  :default_currency, default: 'BTC'
+      String  :callback_url
+      Boolean :check_signature, null: false, default: false
+      String  :exchange_rate_adapter_names
+      DateTime :created_at, null: false
+      DateTime :updated_at
+    end
+    add_index :gateways, :id,     unique: true
+    add_index :gateways, :pubkey, unique: true
+    add_index :gateways, :name,   unique: true
+  end
+
+  down do
+    drop_table(:gateways)
+  end
+
+end

data/examples/client/client.dart

@@ -0,0 +1,67 @@
+import 'dart:html';
+import 'dart:convert';
+
+main() {
+
+  var create_order_button = document.querySelector('button#create_order');
+
+  create_order_button.onClick.listen((e) =>
+    create_order().listen((event) {
+      var order = JSON.decode(event.target.responseText);
+      show_pay_order(order);
+      listen_to_order(order);
+    })
+  );
+
+}
+
+create_order() {
+  var request  = new HttpRequest();
+  var listener = request.onLoad;
+  request.open('POST', '/gateways/1/orders?amount=1');
+  request.send();
+  return listener;
+}
+
+listen_to_order(order) {
+  var ws = new WebSocket("ws://localhost:9696/gateways/1/orders/${order['id']}/websocket");
+  ws.onMessage.listen((MessageEvent e) {
+    var order = JSON.decode(e.data);
+    if(order['status'] > 1) show_order_paid(order);
+  });
+}
+
+show_pay_order(order) {
+  var new_order_el  = document.querySelector('#newOrder');
+  var pay_order_el  = document.querySelector('#payOrder');
+
+  pay_order_el.querySelector('.orderId').text      = order['id'].toString();
+  pay_order_el.querySelector('.orderAmount').text  = order['amount'].toString();
+  pay_order_el.querySelector('.orderAddress').text = order['address'];
+
+  new_order_el.style.display = 'none';
+  pay_order_el.style.display = '';
+}
+
+show_order_paid(order) {
+
+  var status;
+  if(order['status'] == 2) {
+    status = 'PAID';
+  } else if(order['status'] == 3) {
+    status = 'UNDERPAID';
+  } else if(order['status'] == 4) {
+    status = 'OVERPAID';
+  } else {
+    status = order['status'].toString();
+  }
+
+  var order_paid_el = document.querySelector('#orderPaid');
+  var pay_order_el  = document.querySelector('#payOrder');
+  order_paid_el.querySelector('.orderStatus').text = status;
+  order_paid_el.querySelector('.orderTid').text    = order['tid'];
+
+  pay_order_el.style.display = 'none';
+  order_paid_el.style.display = '';
+
+}

data/examples/client/client.html

@@ -0,0 +1,32 @@
+<html>
+
+  <head>
+    <title>A Straight client example</title>
+    <script type="application/dart" src="client.dart"></script>
+  </head>
+
+  <body>
+
+      <p><b style="color: red; font-size: 80%;">Attention: this page requires <a href="https://www.dartlang.org/tools/dartium/">Dartium</a> to run properly.</b></p>
+
+    <div id="newOrder">
+      <p>Welcome to the Straight client example. It assumes you have your Straight server running on localhost on the standart Straight port and this page is loaded by accessing the / (root) on that server: that is, check that in your browser address you currently see http://localhost:9696. Loding this page from the filesystem won't work since ajax-requests cannot be sent to other domains.</p>
+      
+      <p>Clicking the button below will generate a new address for the order and will subscribe you to the websocket, which will automatically notify you when the money arrive to the address. You don't have to refresh this page.</p>
+
+      <p>Use this button to generate a new order:</p>
+      <p><button id="create_order">Create Order</button></p>
+    </div>
+
+    <div id="payOrder" style="display: none;">
+      Order <span class="orderId"></span> created. Please send exactly <b><span class="orderAmount"></span> satoshi(s)</b> to address <span class="orderAddress" style="font-weight: bold;"></span>. This page will be updated as soon as the transaction is made.
+    </div>
+
+    <div id="orderPaid" style="display: none;">
+      The status of your order is now <span class="orderStatus"></span><br/>
+      Transaction id is: <span class="orderTid"></span>
+    </div>
+
+  </body>
+
+</html>

data/lib/straight-server/config.rb

@@ -0,0 +1,11 @@
+module StraightServer
+
+  class Config
+
+    class << self
+      attr_accessor :db, :gateways_source, :gateways, :logmaster
+    end
+
+  end
+
+end