Handling Posting Key in Steem based DApps

in #technology, 7 years ago

How-tos and best practices for handling the private posting key in your next DApp.
Photo by Markus Spiske on Unsplash

The Steem blockchain has rewarded more than $22 million to its users since June 2016. And with its API being released for public usage, we’ve seen many applications built on top of it, like Busy, DSound, DTube, Steepshot, etc.

These platforms provide users with different interfaces for different things, like publishing music, sharing photos and videos, blogging, etc. And since there are a lot of use cases where users can get rewarded for the content they create, there is a fair chance that you will come across the next cool thing and decide to work on it.

In such cases, you would like to let your users vote, comment, create posts in your platform’s style and so on. But before you can do any of this, you need the user’s authorization.

In Steem, there are two ways to do this —

  • Using Steem Connect.
  • Using the private posting key (more here).

In this post, I will be discussing only the posting key method and the practices that developers should follow while using it.

Installing Dependencies

The Steem API is available in JavaScript and can be easily installed using npm:
npm i --save steem

or using yarn —
yarn add steem

After this, we are all set to go.

Logging Users In

The easiest way to log users in is by asking for their username and private posting key.

After getting this data, here is the flow for verifying the credentials —

  • Get the username and request user details from Steem API.
  • Extract the public posting key from the response to the previous step.
  • Use the Steem API to validate the private key against the public key.
  • On success, set the cookies or localStorage or whatever you want; otherwise display an error message.

Here is an example —


// steem is the package installed above
const steem = require('steem');

// Get the form values
let username = document.getElementById('steem-username').value;
let privatePostingKey = document.getElementById('steem-posting-key').value;

// Get user details
steem.api.getAccounts([username], (err, result) => {
  if (err) {
    // Something went wrong; stop here, result is not usable
    return;
  }
  if (result.length === 0) {
    // No such user; stop here, there is no account to check against
    return;
  }
  // Get the public key (first entry of the posting authority)
  let publicPostingKey = result[0].posting.key_auths[0][0];
  // Try logging in
  let loginSuccess = false;
  try {
    loginSuccess = steem.auth.wifIsValid(privatePostingKey, publicPostingKey);
  } catch (e) {
    // Failed log in (the key was not a valid WIF)
  }
  if (loginSuccess) {
    // yay!!
  } else {
    // Wrong combination
  }
});

And once we are sure that the posting key provided by the user is correct, we can use it to comment, vote and create new posts. These actions are available in the steem.broadcast module.
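A more defensive version of the login check above, as an added example that is not part of the original post: it stops on API errors and unknown users, checks every key in the posting authority rather than only the first, and returns only public data so the private key never ends up in whatever gets stored. It assumes `steemLib` is the object exported by the `steem` package; `findPostingKey`, `verifyPostingKey` and the stub account and keys are constructed for illustration.

```javascript
// Which of the account's posting keys, if any, does this WIF match?
// `auth` is steem.auth; key_auths is a list of [publicKey, weight] pairs.
function findPostingKey(auth, account, wif) {
  const { key_auths: keyAuths, weight_threshold: threshold } = account.posting;
  for (const [publicKey, weight] of keyAuths) {
    let valid = false;
    try {
      valid = auth.wifIsValid(wif, publicKey);
    } catch (e) { /* malformed WIF counts as a failed login */ }
    // A key whose weight is below the threshold cannot sign on its own.
    if (valid && weight >= threshold) return publicKey;
  }
  return null;
}

// Resolves to { ok: false, reason } or { ok: true, username, publicPostingKey }.
// The private key is never part of the result.
function verifyPostingKey(steemLib, username, wif) {
  return new Promise((resolve) => {
    steemLib.api.getAccounts([username], (err, result) => {
      if (err) return resolve({ ok: false, reason: 'api-error' });
      if (!result || result.length === 0) {
        return resolve({ ok: false, reason: 'no-such-user' });
      }
      const publicPostingKey = findPostingKey(steemLib.auth, result[0], wif);
      if (!publicPostingKey) return resolve({ ok: false, reason: 'wrong-key' });
      resolve({ ok: true, username, publicPostingKey });
    });
  });
}

// Constructed stand-in for the `steem` package so the example runs offline.
// The account, public keys and WIF strings are made up, not real key material.
const sampleAccount = {
  posting: { weight_threshold: 1, key_auths: [['STM-pub-old', 1], ['STM-pub-new', 1]] },
};
const sampleKeys = { '5-wif-new': 'STM-pub-new' };
const stubSteem = {
  api: { getAccounts: (names, cb) => cb(null, names[0] === 'alice' ? [sampleAccount] : []) },
  auth: {
    wifIsValid(wif, pub) {
      if (!wif.startsWith('5')) throw new Error('not a WIF');
      return sampleKeys[wif] === pub;
    },
  },
};

verifyPostingKey(stubSteem, 'alice', '5-wif-new').then((r) => console.log(r));
```

In a real page, pass the imported `steem` object instead of `stubSteem` and keep the WIF only in memory for signing.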

(Not) Storing the Posting Key

The private key of the user can be used for the most powerful action on the Steem blockchain — content creation and curation.

So developers should NEVER store the posting key themselves, for example by sending it in a POST request to their own back-end server (or something similar).

This would take power away from users and reintroduce the element of trust that the blockchain is meant to remove, which is the USP of this technology.

If someone holds the posting keys of all the users on a platform, it is possible that they can use these keys to upvote some articles without the authorization of the user and ruin the complete motivation behind Steem.

Users should also take a deep look at a platform before submitting their posting key to it; there are many phishing websites out there.


HapRamp is a social media platform for creative communities, for people who consider themselves a part of communities like music, dance, art, dramatics and so on.
Our app is currently in the private beta phase and we will be making the first public release soon.

Join our invite list and be among the early creators at HapRamp.


Written by @singhpratyush

This article was originally published on HapRamp Blog.
