New NEM music/download payment portal online

Great!!!
There is considerable demand in Japan.
This is the best idea!

Thank you, GodTanu! Glad you like it.

I’ve just updated the app to keep a tally of your payments through each email address, so if you’ve paid less than the price (currently 30 XEM) it’ll say that you need to pay more. Simply pay the remaining balance and it’ll let you have the download (which is now served slightly differently, to hopefully be more secure). I’ve put a text file in the zip now, so if the download works you should be able to unzip it successfully.

Please check that it works as expected, and do let me know if there’s anything else you think I should do. Thanks!

1 Like

Please check that it works as expected, and do let me know if there’s anything else you think I should do. Thanks!

https://nemp3.herokuapp.com/download
When updating this page “Not Found” will be displayed

Just idea:
Download file, Apostille, better

That might just mean that the session has ended and the app has no record of your ID any longer (it’s just passed on from a previous route). I’ll make a nicer 404 page with some info on it.

Also, I’ve just pushed an update, so that might have disrupted things too. :slight_smile:

Oh yeah – good idea about using Apostille for the downloads. I’ll try it now, but it’d definitely be cool to have Apostille-verified files.

1 Like

Think I might truncate the ID hash down to 32 characters, as that would halve the transaction fee from 4 XEM to 2. Seems every 32 characters adds another XEM to the fee.

yep thats right. 31 characters = 1 XEM fee

1 Like

That’s awesome! Any chance of releasing the source? I’m a ruby dev as well, and would love to see what you did? a NEM(XEM) gem would be amazing as a payment gateway.

1 Like

Thanks Mark! I’ll get an update out today, moving it over to the mainnet, along with some actual music to buy/download.

Yep, I’ll definitely pop the source online once I’ve finished tinkering.

2 Likes

Now live on the mainnet! :slight_smile:

1 Like

Okay, I’ve popped it up on Github here. Two branches, for the test and mainnet versions.

I’ve also put the testnet version online separately, with footer links to switch between staging/test and mainnet apps.

Slight tweaks – I now salt emails with a secret, which’ll hopefully increase email security. Does mean previous purchases won’t be found, though.

I’ll get a readme up at some point, too. At present it uses Amazon S3 for downloads, but I’m going to look into using Storj/Sia etc., as it’d be cool to use decentralised/distributed services.

3 Likes

Yes, the same to the guy above. I turn to another free mp3 music download site here:http://www.videoconverterfactory.com/tips/free-mp3-download-websites.html. This could be used in some of the situation you mentioned above. But I would like to say that when i insert them to my PS4 gameplay video which i edit in gamefactory, they cannot be played but the process bar keep running. I still have no idea why this happen.

Hi.

U just wanted to report that I was able to download the empty.zip from testnet without paying anything like this:

  1. pretend I am buying (just to discover the address)
  2. explore given NEM testnet address on blockchain, search for recent transaction messages, pick one
  3. modify POST request (i.e. “tamper data” firefox plugin), replace message with the one found on blockchain
  4. voila!

You may want to check your production code for this issue.

Cheers!

Hi Kamil,

Thanks for letting me know. Hopefully it’ll be much easier once we have more nodes online that can support encrypted connections, because as far as I know most only respond to http API requests at the moment (and can be snooped on).

Hi,

not sure if you got my message, so just to be on the safe side - it has nothing to do with encrypted connections. The “message” is taken from publicly available transaction history - from a transaction perfomed previously by another (paying) user (like this: http://bob.nem.ninja:8765/#/transfer/b0ff5ee72b7bb038395da361f95d77611bcaf8d9ffac73e984ac8248c161522a - and “message” is “e99d585caed8ba280be7bca52b5b7d8”). It is enough then to forge a POST request to your application with this payload.

But you’re intercepting the request from my app to the NIS, and placing your own response in there, aren’t you?

No. I’m just forging my POST request to your app.

Ah, okay! Well, that’ll give me something to research. Unless you’ve got some suggestions? :slight_smile:

Don’t send the hash through the POST, compute it server-side instead. Send the secret/password (or e-mail address, like you have it now). Then generate the hash on server from the secret and search for it in the blockchain/transaction history). Not ideal, but better. Anyone cheating needs to know the e-mail address, which is easy. Password would be even better. But even that can be dictionary-attacked. Well, good luck! :wink:

1 Like

Oh, I think I see what you mean now (I was looking in the wrong place). I was passing the id_hash to the download route via a post form, which opened it up to the unintended post request.

Hopefully the update I’ve just pushed fixes that issue; should make it a little more secure. Thanks again, Kamil! :+1:

1 Like

Quick look - it should work as long as rack.session cookie is protected against client side tampering.

2 Likes