New NEM music/download payment portal online

Hi folks. Thought I’d share my new project with you, which I’ve decided to call NEMp3 :), as it’s intended to be a music download payment portal (though there’s no reason why it couldn’t be used for video/software/games etc. instead). It’s a Sinatra app, as I’m most comfortable using Ruby, with downloads served from an Amazon S3 bucket.

I’m sure I’m not alone as a musician hoping to sell my music without a third party payment processor or platform, so I thought I’d give it a shot.

Mainnet

https://nemp3.herokuapp.com

Testnet

https://nemp3-testnet.herokuapp.com
(Note: download is an empty zip, by way of illustration.)

GitHub

What does it do?

I was wondering how you could tie someone’s email address with a purchase on the blockchain, as proof of purchase, so you could serve up a download to confirmed buyers. Currently, it hashes an email address + a secret salt, to be put in the message field of a payment, then once payment’s been confirmed, the app will look for this ID hash and serve a little download button if it finds payments that total the price set in the app.

No data whatsoever is stored by the app – everything is gleaned from the blockchain.

Anyway, please have a look and let me know what you think! If you fancy donating to me for this little labour of love, my address is: NBCR2G-JL7VJF-3FKVI6-6SMZCG-4YBC6H-3BM2A6-LLTM

Thanks!

3 Likes

hey there,

great initiative!!!

I have sent a first payment of 30 XEM, no problem - the second I sent only 25 and it also confirmed the purchase! I believe you need to add a check on the payment amount :)

1 Like

Thanks! Heh, yeah there’s no check whatsoever on the amount at the moment. I’ll definitely pop a minimum check in at some point.

EDIT: There is now.

Great!!!
There is considerable demand in Japan.
This is the best idea!

1 Like

Thank you, GodTanu! Glad you like it.

I’ve just updated the app to keep a tally of your payments through each email address, so if you’ve paid less than the price (currently 30 XEM) it’ll say that you need to pay more. Simply pay the remaining balance and it’ll let you have the download (which is now served slightly differently, to hopefully be more secure). I’ve put a text file in the zip now, so if the download works you should be able to unzip it successfully.

Please check that it works as expected, and do let me know if there’s anything else you think I should do. Thanks!

1 Like

> Please check that it works as expected, and do let me know if there’s anything else you think I should do. Thanks!

https://nemp3.herokuapp.com/download
When updating this page “Not Found” will be displayed

Just idea:
Download file, Apostille, better

That might just mean that the session has ended and the app has no record of your ID any longer (it’s just passed on from a previous route). I’ll make a nicer 404 page with some info on it.

Also, I’ve just pushed an update, so that might have disrupted things too. :)

Oh yeah – good idea about using Apostille for the downloads. I’ll try it now, but it’d definitely be cool to have Apostille-verified files.

1 Like

Think I might truncate the ID hash down to 32 characters, as that would halve the transaction fee from 4 XEM to 2. Seems every 32 characters adds another XEM to the fee.

Yep, that’s right. 31 characters = 1 XEM fee

1 Like

That’s awesome! Any chance of releasing the source? I’m a Ruby dev as well, and would love to see what you did. A NEM (XEM) gem would be amazing as a payment gateway.

1 Like

Thanks Mark! I’ll get an update out today, moving it over to the mainnet, along with some actual music to buy/download.

Yep, I’ll definitely pop the source online once I’ve finished tinkering.

2 Likes

Now live on the mainnet! :)

1 Like

Okay, I’ve popped it up on GitHub here. Two branches, for the test and mainnet versions.

I’ve also put the testnet version online separately, with footer links to switch between staging/test and mainnet apps.

Slight tweaks – I now salt emails with a secret, which’ll hopefully increase email security. Does mean previous purchases won’t be found, though.

I’ll get a readme up at some point, too. At present it uses Amazon S3 for downloads, but I’m going to look into using Storj/Sia etc., as it’d be cool to use decentralised/distributed services.

3 Likes

Yes, the same to the guy above. I turn to another free mp3 music download site here: http://www.videoconverterfactory.com/tips/free-mp3-download-websites.html. This could be used in some of the situations you mentioned above. But I would like to say that when I insert them into my PS4 gameplay video, which I edit in gamefactory, they cannot be played but the progress bar keeps running. I still have no idea why this happens.

Hi.

I just wanted to report that I was able to download the empty.zip from testnet without paying anything like this:

  1. pretend I am buying (just to discover the address)
  2. explore given NEM testnet address on blockchain, search for recent transaction messages, pick one
  3. modify POST request (i.e. “tamper data” Firefox plugin), replace message with the one found on blockchain
  4. voila!

You may want to check your production code for this issue.

Cheers!

Hi Kamil,

Thanks for letting me know. Hopefully it’ll be much easier once we have more nodes online that can support encrypted connections, because as far as I know most only respond to http API requests at the moment (and can be snooped on).

Hi,

Not sure if you got my message, so just to be on the safe side - it has nothing to do with encrypted connections. The “message” is taken from publicly available transaction history - from a transaction performed previously by another (paying) user (like this: http://bob.nem.ninja:8765/#/transfer/b0ff5ee72b7bb038395da361f95d77611bcaf8d9ffac73e984ac8248c161522a - and “message” is “e99d585caed8ba280be7bca52b5b7d8”). It is enough then to forge a POST request to your application with this payload.

But you’re intercepting the request from my app to the NIS, and placing your own response in there, aren’t you?

No. I’m just forging my POST request to your app.

Ah, okay! Well, that’ll give me something to research. Unless you’ve got some suggestions? :)
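
One way to close the replay reported above, as an added example that is not part of the thread or the NEMp3 source: the server derives the purchase ID from the submitted e-mail with a keyed hash and never reads an ID from the request, so a message copied from the public ledger is useless to a different e-mail. The helper names, the `params` keys and the simplified transaction hashes are assumptions, and the ledger is constructed sample data.

```ruby
require 'openssl'

PRICE_XEM = 30  # price quoted in the thread
ID_LENGTH = 31  # assumption: truncated length discussed in the thread

# Derive the purchase ID server-side from the e-mail and a server-only secret.
# HMAC keeps the secret out of reach of anyone who only sees on-chain messages.
def purchase_id(email, secret)
  normalized = email.to_s.strip.downcase
  OpenSSL::HMAC.hexdigest('SHA256', secret, normalized)[0, ID_LENGTH]
end

# Tally all confirmed payments whose message field equals the derived ID.
def paid_total(transactions, id)
  transactions.select { |tx| tx[:message] == id }.sum { |tx| tx[:xem] }
end

# Decide whether to serve the download. Only params['email'] is trusted as
# input; a client-supplied params['id'] (the tampered field) is never read.
def download_allowed?(params, transactions, secret)
  email = params['email'].to_s
  return false if email.strip.empty?

  paid_total(transactions, purchase_id(email, secret)) >= PRICE_XEM
end

# --- constructed sample data (not real transactions) ---
SECRET  = 'constructed-demo-secret'
BUYER   = 'buyer@example.com'
PARTIAL = 'partial@example.com'
LEDGER  = [
  { message: purchase_id(BUYER, SECRET),   xem: 10 },
  { message: purchase_id(BUYER, SECRET),   xem: 20 },
  { message: purchase_id(PARTIAL, SECRET), xem: 25 }
].freeze

# A forged POST: another e-mail plus an ID copied from the public ledger.
FORGED = { 'email' => 'someone-else@example.com',
           'id'    => purchase_id(BUYER, SECRET) }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "buyer:   #{download_allowed?({ 'email' => BUYER }, LEDGER, SECRET)}"
  puts "partial: #{download_allowed?({ 'email' => PARTIAL }, LEDGER, SECRET)}"
  puts "forged:  #{download_allowed?(FORGED, LEDGER, SECRET)}"
end
```

With this design the e-mail address is the only credential, so anyone who knows a buyer's address can still claim that purchase; sending the download link to that address instead of showing it in the browser confirms ownership.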