[beem] one-time private key / wallet compatibility
Repository
https://github.com/holgern/beem/
(https://github.com/steemit/steem-python While this is the official Steem Python library, it is not maintained well, so beem (thanks to holger80) is de facto standard. But the suggestion applies to both, and I made PRs for both libraries.)
Components
I've actually made an implementation for the first idea and will do the second if the PO wants.
- one-time private key use without storing it in the wallet
- Issue
- PR
- wallet compatibility with the official Steem Python library
- Issue: https://github.com/holgern/beem/issues/164
- If the PO (holger80) wants to accept the idea, I'd like to implement this.
Proposal Description
1. one-time private key use without storing it in the wallet
Currently, if a private key can't be found in the wallet, there is no way to enter it manually. This isn't good if a user wants to use the key just one time, not storing it in the wallet.
Instead of raising MissingKeyError immediately, it's much better to give users a chance to enter the private key manually.
This isn't not just for convenience, but also for extra security for certain cases.
- Users may feel safe to store keys on the server for unimportant accounts, but not very important accounts.
- Users may want to store the posting key only in the wallet but use the active key manually only when it's needed (e.g., transfer). (While I don't have much STEEM/SBD/SP, as a practice, I don't store my private active key on my remote server. But when I'm on the terminal, I feel safe to enter my private key manually, of course when it's not echoing)
Mockups / Examples
Before
$ beempy transfer -a ned blockchainstudio 5000 SBD 'small gift'
Wallet Unlocked!
Traceback (most recent call last):
File "/usr/local/bin/beempy", line 11, in <module>
sys.exit(cli())
File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 764, in __call__
return self.main(*args, **kwargs)
File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 717, in main
rv = self.invoke(ctx)
File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 1163, in invoke
rv.append(sub_ctx.command.invoke(sub_ctx))
File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 956, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 555, in invoke
return callback(*args, **kwargs)
File "/usr/local/lib/python3.6/dist-packages/beem/cli.py", line 813, in transfer
tx = acc.transfer(to, amount, asset, memo)
File "/usr/local/lib/python3.6/dist-packages/beem/account.py", line 2394, in transfer
return self.steem.finalizeOp(op, account, "active", **kwargs)
File "/usr/local/lib/python3.6/dist-packages/beem/steem.py", line 950, in finalizeOp
self.txbuffer.sign()
File "/usr/local/lib/python3.6/dist-packages/beem/transactionbuilder.py", line 306, in sign
raise MissingKeyError
beem.exceptions.MissingKeyError
beempy transfer -a ned blockchainstudio 5000 SBD 'small gift' means, ned wants to transfer 5000 SBD to blockchainstudio with a memo 'small gift.' Obviously, I don't have ned's private active key.
Currently, if the private key of the user (ned in this example) who needs to sign the transaction doesn't exist in the wallet, it produces MissingKeyError Exception and the program exits.
After
$ beempy transfer -a ned blockchainstudio 5000 SBD 'small gift'
Password to unlock wallet:
Wallet Unlocked!
The required private key can't be found in the wallet.
Private key to sign:
Note that this is an actual output of my PR: https://github.com/holgern/beem/pull/163
If the required private key can't be found in the wallet, now it gives users a chance to enter it manually for a one-time use.
2. wallet compatibility with the official Steem Python library
While now beem library is even more standard than not so actively maintained the official Python library, some people still hope to use the official library at least together with beem.
While the wallet of beem is actually compatible with steem-python (beem shares most base codes with steem-python), there is no feature such that users can use one shared wallet. Or at least wallet import function should be provided (just in case the steem wallet is deleted).
Mockups / Examples
One workaround is to create a symbolic link as follows.
ln -s [steempy wallet file] [beempy wallet file]
which actually works.
Whether creating the symbolic link or import (copy) the wallet, it's better to ask users if they want as follows:
The steempy wallet is detected.
(N): Created a new wallet for beempy.
(I): Import (copy) the steempy wallet (Safe even if the steempy wallet is deleted)
(S): Make a symbolic link to steempy wallet (The wallet will be lost if the steempy wallet is deleted.)
Choose the option [N/I/S]:
Benefits
- Extra private key security for a one-time use
Not all people use python library frequently. In that case they may feel uncomfortable to create the wallet from the beginning. Thus, providing the option of a one-time use of private key can be important to them. - Saving the posting key only and entering the active key only when it's needed
This also enhance the security of the active key use. - Mistake prevention (e.g., transfer)
If you only store the posting key, then even if the wallet in unlocked, you're asked to enter your active key, which can prevent transfer mistakes, for instance. - Convenient testing
Likewise, for a one-time testing purpose, storing keys in the wallet might be too much. Also, suppose you use a trusted computer but not your own. To make some transaction you need to store the key which both of you and the owner of the computer may not want. - Compatibility
Even though it is much less frequently maintained, the official library is still working for most purposes, and many people are still using it. So the wallet compatibility provides convenience for users who want to use both libraries or switch from steem-python to beem.
Hi @blockchainstudio, thank you for your contribution.
You made a great post, again.
Although I never used Beempy, the contribution is clear and understandable.
If you check the answers of the questionnaire you could say that this one is not fair because you added a lot of details and you also created an Issue and a PR on GitHub.
I chose that because crokkon and holger told me that:
Also, holger told me that:
Your contribution has been evaluated according to Utopian policies and guidelines, as well as a predefined set of questions pertaining to the category.
To view those questions and the relevant answers related to your post, click here.
Need help? Chat with us on Discord.
[utopian-moderator]
Hi @favcau, thank you so much for your very detailed feedback and I'm happy with the score. So don't get me wrong and I just like to add some comments.
I agree in general with @crokkon that "added this to the library itself (transactionbuilder.py) is not a good idea.", since that file is a sort-of base library (shared with steem-python), so it might be better to be untouched although that's why I also submitted my PR for the official library.
But I actually don't agree with "The implementation (transactionbuilder.py) can potentially break a lot of other things." :) If you can read the code, you can see that it's actually safe, and if it's unsafe, then the existing and related codes have the serious problem. Even if a wrong private key is provided somehow, the error should be handled properly, and of course I've also already checked that.
While I also agree with that it's better to change more high-level files to add this feature, I chose a more easier (but again still safe and legit) way as an external contributor. One lesson I learned from other contributions are if a PR is complicated, then it tends to be ignored :) So that's why I always prefer a very simple fix so that PO can easily know that it's working without a problem :)
But @holger80 is quite active in dev, so maybe more complicated one might have been okay :) I'll change the PR or just close it depending on his response.
Many thanks everybody!
Hi @blockchainstudio, beem is primarily a library where other tools build upon. beempy is one example but by far not the only one. Having
transactionbuildercallprintor asking for a key viagetpassis no problem for beempy since it is a CLI anyway. However for non-CLI applications, bots, cronjobs, this would unexpectedly print things to stdout and block on getpass instead of raising an exception that can be handled on the higher-level code. beem/cli.py is IMO the right place to implement this great suggestion.Hi @crokkon, thank you so much for your detailed comment and now I understand what you meant and fully agree with you! I misunderstood your comment like you meant the code itself may not work :)
One last comment is of course I also tried to change cli.py and thought it was the right place to change, but you know in that case, I basically need to change every command that may raise the exception, which was too much, so I took the bad design without thinking further :) But you and @holger80 are 100% right in this case. Thank you so much again and I'll close my PR.
Are you planing to make a PR in which cli.py is adapted? Please let me know, so that we both do not work for the same changes..
Thank you for contacting me. It seems you already have interest in doing it, then I think it's better for you to do it for efficiency (unless you want me to do it). What about the wallet compatibility? Are you interested in that too?
Thank you for your review, @favcau! Keep up the good work!
한글요약: 이건 제가 쓰는 라이브러리들이라 불편해서 건의해보았습니다.
관리가 잘 안되어 공식 steem-python 라이브러리보다 사실상 더 공식으로 쓰이는 beem이 사실 공식 라이브러리를 포크한 것이라 코드베이스가 많은 부분이 같습니다. 따라서 월렛을 공유해서 쓸 수 있으면/또는 import 할 수 있으면 좋겠다. (symbolic link로 실제 해결이 됩니다.)
이보다 더 중요한 것은 현재 두 라이브러리 모두 키를 무조건 wallet에 저장해야 쓸 수 있게 되어있는데 저장하지 않고 1회성으로 쓰고 싶은 사람도 있을 겁니다. 제 경우도 리모트 서버에 gomdory 키는 저장했지만 만일의 경우를 대비해서 제 메인 계정 (posting key는 편의상 저장했지만) active 키는 저장하지 않았습니다. 이부분은 직접 수정해서 깃허브에 제출했습니다.
그리고보니 steem-python 공식 라이브러리가 (비트코인 백서제외) 제 첫 깃허브 contribution이기도 했네요^^
ps.위에 버니한테 대들어서(?) 다운보팅 받는거 아닌가 모르겠어요ㅎㅎ 하긴 랜덤으로 엄청 뿌리고 다닐테니 모니터링도 안하겠지만^^
steem-python을 포함하여 스팀잇 라이브러리 관리가 안되는건 좀 심각합니다.
js에서도 steem.js 보다 dsteem.js를 더 많이 사용하고 있어요.
esteem 오픈소스도 컨트리뷰트 하셨으니, 저보다 더 잘 아시겠네요. ㅎㅎ
코드에서 보긴했지만 사실 크게 신경쓰진 않았어요. 프론트엔드쪽은 그야 말로 그냥 딱 필요한 부분만 찾아서 보다보니^^ 이전에 esteem에 버그(아마 이스팀의 문제라기보다 api의 문제였던 것 같은데)때문에 한번 dsteem까지 따라갔던 적은 있었네요. hivemind전환때문에 api 서버에 따라서도 결과가 많이 틀려서 누가 잘못한것인지 찾기가 생각보다 힘들어서 그러다 내가 뭐하고 있지 하고 관뒀던 기억이 나네요ㅎㅎ 그렇게 이스팀 개발/버그찾기는 마음을 비웠습니다ㅎㅎ 새버전 나오면 함 보려나^^
저는 다른 사람의 코드를 읽고, 또 그걸 수정하는 게 매우 어렵습니다.
그런데 개발자도 아닌데 그걸 하신 걸 보고 조금 놀랐습니다.
그리고 블럭체인스튜디오님이 작업한(수정한?) 코드를 보면서, 코딩 내공이 대단하다고 생각했습니다.
프로그래밍은 저보다 더 잘할 수도 있겠다는 생각이 들었어요.
그래서 간단한 서비스는 React.js로 금방 만드실 것 같습니다.
그리고 이스팀 쪽 버그 찾는 건 그만두셨군요.
마음을 비웠으니 좀 더 여유로워지셨겠네요. ㅎㅎ
곰돌이가 @anpigon님의 소중한 댓글에 $0.018을 보팅해서 $0.005을 살려드리고 가요. 곰돌이가 지금까지 총 3541번 $42.075을 보팅해서 $44.051을 구했습니다. @gomdory 곰도뤼~
항상 좋은 글 감사합니다 ㅎ
곰돌이가 @ayogom님의 소중한 댓글에 $0.018을 보팅해서 $0.005을 살려드리고 가요. 곰돌이가 지금까지 총 3540번 $42.057을 보팅해서 $44.046을 구했습니다. @gomdory 곰도뤼~
steem-python이 관리가 안되는군요ㅜㅜ. 유토피안 레포트에서 스태프 pick으로 뽑히셨던데요~ ㅎㅎ 축하드립니다. 앞으로도 많은 공헌 부탁드립니다~
네 감사합니다. 아무래도 저는 버그리포트를 제가 불편해서 수정하거나 수정에 가까운 수준으로 안되면 제출을 굳이 안해서 높은 점수를 받게되는 것 같아요. 버그는 이미 세번째고 아이디어 한번 됐었고, 아이디어는 사실 월간 상도 주는데 두달 연속 받아서 좀 제가 미안하네요ㅎㅎ 원래 지난달도 그래서 참가를 안하려다가 사실 좋은 의견이 딱히 올라오지도 않고(물론 몇몇 리뷰어가 너무 리뷰를 편파적이고 엉망으로 해서 사람들 의욕상실되게 만들어서 그럴듯) 그래서 몇개써서 됐네요. 이번달도 역시 submit이 적네요. 제안은 dakeshi님도 해보셔도 좋을텐데. 사실 이런 것들말고 analysis를 해야하는데 이건 좀 일처럼 느껴지고 누구나 궁금할만한 주제는 이미 제가 안써도 잘 쓰는 분들이 많아서 좀 마이너한데 제가 궁금한 주제 아니면(즉 점수 잘 받기 힘든) 잘 안쓰게 되더라고요. 사실 얼마전(이라기에 벌써 시간이)에 좀 괜찮으면서 저도 궁금한 주제하나가 있긴한데 이래저래 못쓰고 있네요. 이번주에는 되도록 써봐야겠습니다. 감사합니다.
제안은 번역만 해도 시간이 모자라서.. 저번주는 steemconnect 버전 2 절반 이상 진행했다가 fabien이 버전 3 출시되니 좀만 기다려주라고해서 급 중단.(중간에 fabien하고 연락이 안되어서 요런 상황이). 리뷰어 형평성 문제는 예전부터 제기된 문제인데 개인별 능력치가 다르다보니 쉽게 해결이 안되는거 같습니다. 그렇게 리뷰할 거면 차라리 다른 사람에게 맡기는게 좋을텐데 아무래도 리뷰어 활동성 체크를 하다보니 그렇게 된 것 같기도 하고요.
곰돌이가 @dakeshi님의 소중한 댓글에 $0.015을 보팅해서 $0.008을 살려드리고 가요. 곰돌이가 지금까지 총 3539번 $42.039을 보팅해서 $44.041을 구했습니다. @gomdory 곰도뤼~
곰돌이가 @dakeshi님의 소중한 댓글에 $0.015을 보팅해서 $0.008을 살려드리고 가요. 곰돌이가 지금까지 총 3538번 $42.024을 보팅해서 $44.033을 구했습니다. @gomdory 곰도뤼~
virus707님의 JJM 락업 물량과 private sale 참여자
@blockchainstudio님 곰돌이가 1.3배로 보팅해드리고 가요~! 영차~
짱짱맨 호출에 응답하였습니다.
zorba님의 [2019/3/10] 가장 빠른 해외 소식! 해외 스티미언 소모임 회원들의 글을 소개해드립니다.
Hi @blockchainstudio!
Your post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation!
Your post is eligible for our upvote, thanks to our collaboration with @utopian-io!
Feel free to join our @steem-ua Discord server
Hey, @blockchainstudio!
Thanks for contributing on Utopian.
We’re already looking forward to your next contribution!
Get higher incentives and support Utopian.io!
Simply set @utopian.pay as a 5% (or higher) payout beneficiary on your contribution post (via SteemPlus or Steeditor).
Want to chat? Join us on Discord https://discord.gg/h52nFrV.
Vote for Utopian Witness!