Package updates

[abitmore]

Tracker for development by @grctest.

(The following is copied from #181 (comment))

Summary of changes in PR:

• npm-check-updates was initially used to identify packages which could be updated
  • About half of the packages were able to be updated with minor changes
  • Some of the updated packages introduced severe breaking changes, namely vue2 -> vue3
    • The update to Vue3 required a refactoring of every (30+) components to using the composition API https://vuejs.org/api/composition-api-setup.html#basic-usage
    • Most of the vue2 related packages did/do not have equivalent vue3 packages, resulting in their replacement/removal being warranted.
      • Removed with no replacement: Password strength indicator (Custom zxcvbn component required)
      • Replaced: Bootstrap -> balm-ui
      • Replaced vue-multiselect with balm-ui selector component

Security changes

• sha512 hashing password that's stored in memory after login
  • Edge case: Restoring from old beet backup would be encrypted with raw password instead of the hash, so legacy checkbox was included for anyone who might have restored an old wallet instead of creating a new wallet.
• Removed cert stored in repo, fetches cert from beet cert repo
  • Automated tools search for these certs & report to the issuer
  • We should consider encrypting/encoding the external repo cert to further hide cert
• Beet client doesn't respond to queries unless logged in
• Additional store getter functions created to reduce handling of excessive data in vue components
• Uplift of packages across the board for security vulnerability bump
• Prompts are now much more isolated from the rest of the wallet, now launch their own electron BrowserWindow where user input data is passed as url encoded parameters. These prompts are isolated and can't access the main beet window state.
• elliptic replaced with secp from "@noble/secp256k1" and @noble/ed25519 for key exchange

UI changes

• Language selector component hidden from dashboard since there's only one language
• Main electron window bar isn't skinned
  • pro: easier to move the window, uses system app frame
  • con: no longer goes to task tray when closed
  • Could be re-implemented
• Balm-UI used instead of Bootstrap, deviating from the brand guide
• Debug console can be accessed via 'alt' then view -> debug tools.
• Sending BEET to system tray is also in the view menu.
• Balance in dashboard and linked apps list in settings are now scroll-able lists

New functionality

• Sign NFT_Object for NFT creation
• Broadcast & Update assets - for NFT issuance tool
• Prompts are now isolated popup windows instead of alert boxes within the main window

Maintenance based decisions

• After updating packages the icons broke, so the skinned window frame was replaced with system window frame.
• Elliptic package was replaced as it hadn't been updated in more than 2 years
• The custom BeetWS WebSocket implementation was replaced with socket.io
  • This prove to require a large refactoring of the beetserver, blockchainfactory and beet-js library.
  • It's far more maintained & supports multiple environments

[sschiessl-bcp]

It is now displaying properly on my Laptop, nothing cut out anymore!

Signing a message is now also working properly. What is the purpose of the Signature Verification dialog?

[grctest]

The sign message example script immediately attempts to verify the signed message, by verifying the signed message it proves that the signed message was valid. The prompt requests permission to perform the verification, perhaps the info could be conveyed better in the prompt?

I could have made it a separate script, but then would have needed to save the output of the signMessage script for input in the verifyMessage script.

After looking more into the mkcert option for https, I've decided to reintroduce part of the old https method, to improve compatibility. Will update the beet-js to detect if https or http is up & commit once working.

[sschiessl-bcp]

The sign message example script immediately attempts to verify the signed message, by verifying the signed message it proves that the signed message was valid. The prompt requests permission to perform the verification, perhaps the info could be conveyed better in the prompt?

I could have made it a separate script, but then would have needed to save the output of the signMessage script for input in the verifyMessage script.

After looking more into the mkcert option for https, I've decided to reintroduce part of the old https method, to improve compatibility. Will update the beet-js to detect if https or http is up & commit once working.

That's an unnecessary double check for the user. No single one will actually validate that signature by hand since you just created it. You can of course validate the signature directly after creating it, but asking the user to OK that is breaking UX. User must trust Beet to sign properly.

[grctest]

Alright, I'll make the message verification automatic without user prompt.

[grctest]

Message verification prompt is gone now.
Reintroduced https alongside http, fetches certs from beet cert repo.
Added an nft_object signing api function prompt for streamlining NFT issuance on BTS.
Also fixed an issue with the signmessage function, it was signing null instead of messageText.

I feel like this is ready for merge at this point :)

[sschiessl-bcp]

There are some UX issues and other minor issues to be worked out, but general flow works.

[sschiessl-bcp]

@clockworkgr

Beetlejuice Beetlejuice Beetlejuice

Interested in skimming this PR a bit?

[grctest]

Summary of changes in PR:

• npm-check-updates was initially used to identify packages which could be updated
  • About half of the packages were able to be updated with minor changes
  • Some of the updated packages introduced severe breaking changes, namely vue2 -> vue3
    • The update to Vue3 required a refactoring of every (30+) components to using the composition API https://vuejs.org/api/composition-api-setup.html#basic-usage
    • Most of the vue2 related packages did/do not have equivalent vue3 packages, resulting in their replacement/removal being warranted.
      • Removed with no replacement: Password strength indicator (Custom zxcvbn component required)
      • Replaced: Bootstrap -> balm-ui
      • Replaced vue-multiselect with balm-ui selector component

Security changes

• sha512 hashing password that's stored in memory after login
  • Edge case: Restoring from old beet backup would be encrypted with raw password instead of the hash, so legacy checkbox was included for anyone who might have restored an old wallet instead of creating a new wallet.
• Removed cert stored in repo, fetches cert from beet cert repo
  • Automated tools search for these certs & report to the issuer
  • We should consider encrypting/encoding the external repo cert to further hide cert
• Beet client doesn't respond to queries unless logged in
• Additional store getter functions created to reduce handling of excessive data in vue components
• Uplift of packages across the board for security vulnerability bump
• Prompts are now much more isolated from the rest of the wallet, now launch their own electron BrowserWindow where user input data is passed as url encoded parameters. These prompts are isolated and can't access the main beet window state.
• elliptic replaced with secp from "@noble/secp256k1" and @noble/ed25519 for key exchange

UI changes

• Language selector component hidden from dashboard since there's only one language
• Main electron window bar isn't skinned
  • pro: easier to move the window, uses system app frame
  • con: no longer goes to task tray when closed
  • Could be re-implemented
• Balm-UI used instead of Bootstrap, deviating from the brand guide
• Debug console can be accessed via 'alt' then view -> debug tools.
• Sending BEET to system tray is also in the view menu.
• Balance in dashboard and linked apps list in settings are now scroll-able lists

New functionality

• Sign NFT_Object for NFT creation
• Broadcast & Update assets - for NFT issuance tool
• Prompts are now isolated popup windows instead of alert boxes within the main window

Maintenance based decisions

• After updating packages the icons broke, so the skinned window frame was replaced with system window frame.
• Elliptic package was replaced as it hadn't been updated in more than 2 years
• The custom BeetWS WebSocket implementation was replaced with socket.io
  • This prove to require a large refactoring of the beetserver, blockchainfactory and beet-js library.
  • It's far more maintained & supports multiple environments

[abitmore]

Summary of changes in PR:

Thanks. Copied to OP.

[abitmore]

Removed cert stored in repo, fetches cert from beet cert repo

Where is the "beet cert repo"?

[grctest]

https://github.com/beetapp/beet-certs

…

On Fri, 5 Aug 2022, 08:05 Abit, ***@***.***> wrote: ***@***.**** commented on this pull request. Removed cert stored in repo, fetches cert from beet cert repo Where is the "beet cert repo"? — Reply to this email directly, view it on GitHub <#181 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ADZAOF2VFHXSNG4QPVWUD73VXS4LRANCNFSM5UGJDQJQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[abitmore]

https://github.com/beetapp/beet-certs

Thanks.

Looks like the certs aren't getting updated automatically. If it's a Let's encrypt cert, since it points to 127.0.0.1, I don't think it can be updated by running certbot via Github Actions.

By the way, we'd better use a repo in the bitshares organization.

[grctest]

Want to create such a bts cert repo? Or shall such a change be introduced in a future pull request?

[sschiessl-bcp]

This is a monster, lets do with new PR