Vessel 0.2.0 - Interact with Steem securely from any website

in #vessel, 7 years ago

I'm incredibly excited today to release the next version of Vessel - which features a brand new way to interact with the Steem blockchain from anywhere on the internet. It is my hope that this effort helps unlock the potential of the Steem blockchain by empowering developers and content creators with tools to interact with their audiences anywhere.

A bit of background on Vessel before going too much further:

What is Vessel?
Vessel is a desktop wallet for the Steem blockchain, which can be downloaded and run on your computer. Vessel is free to use and open source, and is designed to be a way to help secure your account. While using Vessel, your keys/password never leave the app, transactions are signed locally, then broadcast to the blockchain much like any other downloadable cryptocurrency wallet.

With Vessel, you no longer need to trust your web browser while performing secure actions with your account.

Download Vessel
Vessel is still beta software and it's recommended that you treat it as such. Before committing irreversible actions on your account (such as large outgoing transfers), please test with smaller amounts to ensure it's working properly and you understand your actions. If you send all your SBD to someone - there's no reversing that.

Downloads are available on GitHub for macOS, Windows and Linux.

Releases: https://github.com/aaroncox/vessel/releases
chainBB Forums: https://chainbb.com/f/vessel
Bug Reports: https://github.com/aaroncox/vessel/issues
Source Code: https://github.com/aaroncox/vessel
What's new in 0.2.0
A single, infinitely usable feature:

Operation creation through a URI scheme
That's probably gibberish to 99% of you - so I'll try to explain what a URI Scheme is, then give some examples of how we can use it.

Have you ever clicked on a link that opened your email client? These types of links are used everywhere: on contact pages, in email signatures, or anywhere you want someone to be able to contact you (a way of interacting). These links are a special type of link that uses a URI scheme (the mailto:// scheme in this case) which allows your web browser to interact with your default mail client.

That's the purpose of a URI scheme - to launch an app under your control as a way to interact with content on a website.

This new version of Vessel implements this same idea and introduces an early draft of the steem:// scheme - except instead of opening your email client, this scheme opens Vessel (or any other future Steem application). It also does way more than just opening Vessel - it can prompt the user to interact with the blockchain in a specific way.

Let's look at a couple examples - but first, you really should have Vessel 0.2.0 installed for this. You can download it here. If you have privacy/security/trust concerns with Vessel, I'd recommend you just import a posting key from one of your accounts.

Ready? This post just got interactive.

Example #1 - Voting on a post
By using the steem:// scheme, anyone can create links that actually interact with the Steem blockchain:

Vote Button (or view in opbuilder)



That link was created specifically to prompt for a vote on a post I wrote earlier this week about opbuilder (a developer tool to support this URI scheme). When clicked, Vessel will launch a small window to confirm the action and sometimes give values to modify (the percent in this case).

When the window appears - nothing immediately happens. You have to choose to proceed with the transaction by selecting which account you'd like to use and clicking the button at the bottom. If you have a wallet password - you'll also be prompted for that.

When you are ready to confirm the vote, hitting the button at the bottom will sign the transaction and broadcast it to the blockchain - without your keys ever leaving your wallet or being shared with anyone. The window will then close and you can continue doing whatever you were doing.

Voting was probably one of the most simple examples I could provide - so let's move into some other examples.

Example #2 - Vote for Witness
A lot of people line the bottom of their posts with signatures related to the author's witness campaign, soliciting votes. Using the URI scheme and Vessel, you can now do things like this:

Vote @jesta as Witness (using Vessel) (view in opbuilder)

That link will initiate a vote for me as a witness. Vessel will launch and display a form that allows you to select your account, and then broadcast the witness vote. No more having to provide step-by-step instructions: a content or website creator can craft the operations they are looking to encourage other users to perform.

Example #3 - Requesting a Delegation
This example could be useful to services like Utopian, where you can delegate to their account in order to support the efforts of its community. Instead of writing a post providing instructions on what to do - you can now simply provide a link.

Here's an example link that initiates a delegation from you to @utopian-io, and prompts you to select an account and enter the amount of SP (or VESTS).

Delegate SP to @utopian-io (via Vessel) (view in opbuilder)

Example #4 - Donation Form
Vessel also supports many parameters that let you customize the operations slightly to fit special needs. If I were writing a post asking for donations to support the development of Vessel, I could do so with a link:

Donate to support Vessel (with Vessel) (opbuilder)

This link initiates a transfer and also customizes the display a bit.

The "amount" field has a custom label of "Donation" and a special input selector allowing them to choose the amount of STEEM or SBD to send.
The "amount" field has a suggested amount that users can change.
The "memo" field on the transfer has a custom label, prompting the user for a Message along with their donation.
All the user has to do is pick an amount, decide if they want to include a message, choose the account to use and hit the button at the bottom. It could be even more simple using multiple links with individual pre-filled denominations.

Regardless of how it's customized - you'll always be able to expand and view the raw JSON operations to see exactly what's happening under the hood.

The examples could go on and on...
The possibilities for this are endless. Anything that can be done on Steem can also theoretically be done utilizing this method.

I built this specifically because I needed a secure way of interacting with the forum owners on chainBB. I really don't want to encourage users to enter their master password/active keys on my website - and I want something more secure than a user logged in with a posting key.

Instead of just building something specifically for chainBB - I chose to build a robust enough system into Vessel to allow any project the means to securely interact with their audience, without having to entrust sensitive information with each other.

The next version of chainBB will let forum owners configure moderation teams, beneficiaries, and other more security-sensitive options directly through Vessel.

What this will be used for in the future is anyone's guess!

What this means for 3rd Party websites and their ability to utilize Steem
The important thing to realize is that anyone can use these links on any website or app that supports custom HTML. If you were to copy and paste any of the examples above onto your Wordpress blog or into a reddit post - they would just work.

This furthers the ability for 3rd party websites to quickly and transparently integrate the features of Steem (and upcoming SMTs) into their own websites, services, and communities.

To assist with this, I'm working on what I'm calling opbuilder, a tool that can create operations and then provide the JSON, a steem:// URI, or a SteemConnect link. All of the example links above were created using the opbuilder (and then run through a URL shortener, more on that below).

Work in Progress
There's a lot still to be done with all of this, including use cases, the UI, security and tools to help integrate this into any website.

Almost all of the interactions created using this scheme will use a generic UI like the example shown for witness voting (#2). The transfer, vote, and delegate_vesting_shares operations have custom UIs that look a bit nicer. Over time, these interfaces will be refined and improved as more use cases are discovered.

There's also no feedback when an operation is complete. This has always been a problem with Vessel unfortunately since it doesn't show your action history anywhere. For the time being, I'd recommend viewing your account on steemdb.com or steemd.com if you're looking for account/action history.

URI Scheme - Technicals
These steem:// URIs aren't incredibly complicated and I'd like to thank @fabien for sharing the idea of using the base64 strings. Currently only one path is supported:

steem://sign/tx/{base64_encoded_operation}#{base64_encoded_application_parameters}
The base64_encoded_operation string after steem://sign/tx is simply a base64 encoded string of the JSON operations to perform. The URL can also contain an optional hash, illustrated above as base64_encoded_application_parameters. This is additional data that the application you're communicating with can use to further interact with the operations.

In example #3 (the delegation prompt), here's a breakdown of how the URI works:

Scheme: steem://
Host: sign (the action to perform)
Path: /{type}/{opdata}#{appdata}

Full URL: steem://sign/tx/W1siZGVsZWdhdGVfdmVzdGluZ19zaGFyZXMiLHsiZGVsZWdhdG9yIjoiIiwiZGVsZWdhdGVlIjoidXRvcGlhbi1pbyIsInZlc3Rpbmdfc2hhcmVzIjoiIn1dXQ==#eyJ2ZXN0aW5nX3NoYXJlcyI6eyJwcm9tcHQiOnRydWUsInR5cGUiOiJ2ZXN0cyIsImxhYmVsIjoiQW1vdW50IHRvIERlbGVnYXRlIn19

Base64 Encoded Operations: W1siZGVsZWdhdGVfdmVzdGluZ19zaGFyZXMiLHsiZGVsZWdhdG9yIjoiIiwiZGVsZWdhdGVlIjoidXRvcGlhbi1pbyIsInZlc3Rpbmdfc2hhcmVzIjoiIn1dXQ==

Base64 Encoded Application Parameters: eyJ2ZXN0aW5nX3NoYXJlcyI6eyJwcm9tcHQiOnRydWUsInR5cGUiOiJ2ZXN0cyIsImxhYmVsIjoiQW1vdW50IHRvIERlbGVnYXRlIn19
If you decode these two strings, you'll see the operation and its application parameters:

Operation JSON:

    [
      [
        "delegate_vesting_shares",
        {
          "delegator": "",
          "delegatee": "utopian-io",
          "vesting_shares": ""
        }
      ]
    ]
Application JSON:

    {
      "vesting_shares": {
        "prompt": true,
        "type": "vests",
        "label": "Amount to Delegate"
      }
    }
Vessel uses the Operation JSON as a template to craft an initial operation and then the Application JSON to enhance the UI to prompt users for interaction with the operation template.
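
Because a steem:// link can come from any website, both base64 segments are untrusted input. The sketch below is an added example, not Vessel's own code: it parses the URI from example #3, rejects anything outside the one supported path, and checks each operation's shape against an allowlist before a confirmation window would be built. The function names, the allowlist and the size cap are assumptions made for illustration.

```javascript
// Added example (not Vessel source): defensive parsing of steem://sign/tx/{op}#{app}.
// Assumed for illustration: function names, ALLOWED_OPS contents, MAX_B64.
const PREFIX = 'steem://sign/tx/';
const MAX_B64 = 8192; // assumed upper bound on each base64 segment
const ALLOWED_OPS = new Set(['vote', 'transfer', 'account_witness_vote', 'delegate_vesting_shares']);
// The example #3 URI, copied from the page.
const PAGE_URI = PREFIX +
  'W1siZGVsZWdhdGVfdmVzdGluZ19zaGFyZXMiLHsiZGVsZWdhdG9yIjoiIiwiZGVsZWdhdGVlIjoidXRvcGlhbi1pbyIsInZlc3Rpbmdfc2hhcmVzIjoiIn1dXQ==' +
  '#eyJ2ZXN0aW5nX3NoYXJlcyI6eyJwcm9tcHQiOnRydWUsInR5cGUiOiJ2ZXN0cyIsImxhYmVsIjoiQW1vdW50IHRvIERlbGVnYXRlIn19';

function decodeJson(b64, what) {
  if (b64.length > MAX_B64 || !/^[A-Za-z0-9+\/]*={0,2}$/.test(b64)) {
    throw new Error(`${what}: not valid base64`);
  }
  // Buffer.from() silently skips invalid characters, hence the strict check above.
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function parseSteemUri(uri) {
  if (typeof uri !== 'string' || !uri.startsWith(PREFIX)) {
    throw new Error('unsupported scheme, action or type');
  }
  // Split by hand: standard base64 may contain "/", so path splitting is unsafe.
  const rest = uri.slice(PREFIX.length);
  const hashAt = rest.indexOf('#');
  const opB64 = hashAt === -1 ? rest : rest.slice(0, hashAt);
  const appB64 = hashAt === -1 ? '' : rest.slice(hashAt + 1);

  const operations = decodeJson(opB64, 'operations');
  if (!Array.isArray(operations) || operations.length === 0) {
    throw new Error('operations must be a non-empty array');
  }
  for (const op of operations) {
    const ok = Array.isArray(op) && op.length === 2 && typeof op[0] === 'string' &&
      op[1] !== null && typeof op[1] === 'object' && !Array.isArray(op[1]);
    if (!ok) throw new Error('each operation must be [name, {fields}]');
    if (!ALLOWED_OPS.has(op[0])) throw new Error(`operation not allowed: ${op[0]}`);
  }
  const appParams = appB64 ? decodeJson(appB64, 'application parameters') : {};
  if (appParams === null || typeof appParams !== 'object' || Array.isArray(appParams)) {
    throw new Error('application parameters must be an object');
  }
  // Fields the link left empty must be supplied by the user, never by the link.
  const userFields = operations.map(([, f]) => Object.keys(f).filter((k) => f[k] === ''));
  return { operations, appParams, userFields };
}
```

The application parameters only change labels and prompts, so the decoded operation JSON is what the confirmation window should show.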

Bugs
This is the first release in the 0.2.x series of Vessel and some of these new actions are going to have problems. Any transaction issues that occur while trying to broadcast will appear in a red box above the "Sign + Broadcast" button.

Currently there are known bugs with:

Signing anything that requires auths (like custom_json).
JSON encoding some fields.
No interface for editing/templating multiple operations.
Signing a transaction using account_auths - you need the key currently.
Throughout the 0.2.x series of releases I'll be improving and addressing these as it relates to whatever projects start integrating these features. My first integration personally will be with chainBB, so the custom_json operation is likely to be improved in 0.2.1. I'd invite other developers to join the effort and help improve it where they need it.

If you have a bug to report, please file it on github. Bugs only though, as for discussion...

Questions? Want to talk about using this?
https://chainbb.com/f/vessel

I'm monitoring the above /f/vessel, a chainBB forum, for chatter related to Vessel. If you have questions/comments/concerns/whatever, I'd invite you to join the conversation there. chainBB is a discussion forum (and one of my other projects) so I'm going to drag you all there to use it :)

steemit.com support for the steem:// URI scheme
At the time of this post - steemit.com filters out links that use the steem:// scheme and only allows http:// or https://. I've created a pull request on steemit/condenser that alters the sanitizers to allow for these special links and am awaiting feedback. Hopefully this pull request will get accepted and deployed to steemit.com to allow everyone to use these links.

chainBB.com has already been patched to allow support for this.

In the meantime - clever @netuoso recommended a workaround that this post uses to allow usage of these special links. You just have to use a URL shortener like tinyurl.com to convert the steem:// links into https:// links before posting them. They redirect to the appropriate protocol and allow these links to work within a post on steemit.com.

It's a bit of a pain to have to jump through an extra hoop - but at least it's immediately functional.

Vessel in 2018
I have a lot of goals for Vessel in 2018, here's a high level overview:

Complete rebranding with new name. As much as I hate the idea, and love the name Vessel, there's actually a company out there that makes physical wallets named Vessel. I had no idea until very recently. Instead of competing with them on search engines and potentially trademarks, it will be easier to just rename the project and rebrand it. I've been entertaining ideas, but I have no idea what the new name will be or how it will be rebranded.
Non-beta release product: Along with the rebrand, it's my goal to have a non-beta product released in 2018 of this wallet. This may also include a rewrite of the core of the wallet to accommodate better security and account management.
More community development: I don't want this to be a @jesta project, I want this to be a community effort. To that end - I'll be trying to work with any developer that's interested to improve this project. @netuoso has been a great help, and as more developers join the effort, we'll be able to release higher quality code more regularly.
These features and more will be developed as time permits. As a free/non-revenue generating project, Vessel has no full time developers and all development is done by volunteers. Features are created as free time becomes available and/or a revenue generating product creates a demand for it.

Thanks to everyone who has given it a shot in 2017 and supported it in some way!