New NEM music/download payment portal online

Don’t send the hash through the POST; compute it server-side instead. Send the secret/password (or e-mail address, like you have it now). Then generate the hash on the server from the secret and search for it in the blockchain/transaction history. Not ideal, but better. Anyone cheating needs to know the e-mail address, which is easy. A password would be even better. But even that can be dictionary-attacked. Well, good luck! :wink:

1 Like
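The two patterns contrasted in the post above, as an added Ruby example (not code from the portal or from anyone in this thread). It assumes SHA-256 as the hash, a hypothetical transaction-history shape with a `:message` and `:amount` per payment, and constructed sample secrets; a real portal would fetch the history from a NEM node.

```ruby
require 'digest'

# Hash the purchaser's secret the same way the portal does when it tells the
# buyer what to put in the transaction message (SHA-256 is assumed here).
def purchase_hash(secret)
  Digest::SHA256.hexdigest(secret)
end

# Constructed sample transaction history. The shape (message + amount) is a
# hypothetical stand-in for what a node query would return.
def sample_history
  [
    { message: purchase_hash('alice@example.com'), amount: 100 },
    { message: purchase_hash('bob@example.com'),   amount: 100 },
    { message: 'unrelated memo',                   amount: 5 }
  ]
end

# Pattern the thread warns against: the client POSTs id_hash and the server
# only checks whether that string appears in the history. Because the chain
# is public, any valid hash can be copied and replayed by someone who never
# paid.
def insecure_download_allowed?(posted_id_hash, history)
  history.any? { |tx| tx[:message] == posted_id_hash }
end

# Pattern suggested above: accept only the secret, derive the hash on the
# server, then look that up. A forger now needs the secret itself, and the
# amount check stops a cheap payment from unlocking an expensive item.
def download_allowed?(secret, history, price)
  return false if secret.nil? || secret.empty?

  expected = purchase_hash(secret)
  history.any? { |tx| tx[:message] == expected && tx[:amount] >= price }
end

if __FILE__ == $PROGRAM_NAME
  history = sample_history
  # Replaying a hash copied from the public chain succeeds against the
  # insecure check but fails the server-side-derived one.
  puts insecure_download_allowed?(purchase_hash('alice@example.com'), history)
  puts download_allowed?('alice@example.com', history, 100)
  puts download_allowed?('mallory@example.com', history, 100)
end
```

Note that the second check still accepts the e-mail address as the secret, which is exactly the weakness the post points out: the gain is that the server, not the client, controls how the lookup key is derived.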

Oh, I think I see what you mean now (I was looking in the wrong place). I was passing the id_hash to the download route via a post form, which opened it up to the unintended post request.

Hopefully the update I’ve just pushed fixes that issue; should make it a little more secure. Thanks again, Kamil! :+1:

1 Like

Quick look - it should work as long as rack.session cookie is protected against client side tampering.

2 Likes
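What "protected against client-side tampering" means in practice, as an added Ruby example (not the portal's code and not Rack's own implementation): a session payload is signed with an HMAC under a server-side secret, and any cookie whose MAC does not match is rejected. Rack's cookie session store does this when given a `:secret`; the `SESSION_SECRET` value and the `paid_for` payload below are constructed for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Server-side secret (constructed placeholder; must be long, random and
# never sent to the client).
SESSION_SECRET = 'constructed-example-secret-replace-me'.freeze

# Compare two strings without leaking which byte differed through timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialize the session and append an HMAC-SHA256 over the encoded payload.
# Base64 never contains '-', so '--' is a safe separator.
def sign_session(data, secret = SESSION_SECRET)
  payload = Base64.strict_encode64(JSON.generate(data))
  mac = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "#{payload}--#{mac}"
end

# Return the session hash only if the MAC verifies; nil for anything
# tampered, truncated, or signed under a different secret.
def verify_session(cookie, secret = SESSION_SECRET)
  payload, mac = cookie.to_s.split('--', 2)
  return nil if payload.nil? || mac.nil?

  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless constant_time_equal?(expected, mac)

  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_session({ 'paid_for' => ['track-1'] })
  puts verify_session(cookie).inspect

  # A client rewriting the payload to claim more purchases keeps the old MAC,
  # so verification fails and the server falls back to an empty session.
  forged_payload = Base64.strict_encode64(JSON.generate({ 'paid_for' => ['track-1', 'track-2'] }))
  forged = "#{forged_payload}--#{cookie.split('--', 2).last}"
  puts verify_session(forged).inspect
end
```

The payload is only signed, not encrypted, so the client can still read what the session contains; that is fine for a list of paid-for items, but secrets must not be stored there.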

To download music, maybe you could use a professional third-party software to help you. I have used a music recording software for Mac to download music. It can record and download audio with high audio quality. Then you can get the music for offline playback.