[pRFP] Paysubmit ENS Payments Portal for small E-commerce

This post was flagged by the community and is temporarily hidden.

2 Likes

If this is zero-integration; I assume that means the customer purchasing the goods from an e-commerce site, would be required to leave the site where purchase is made to make payment. Is that correct?

How would the amount due to the e-commerce site translate the correct amount due in Eth to the secondary site with the correct payment address?

I feel like an actual integration for e-commerce would contain data effectively. In this case, pushing data back and forth between multiple servers, could leave room for MITM attacks and subsequently open up opportunities for fraud and/or theft.

What type of security features would you be implementing for data transmission and for your physical server?

Do you currently have any functional prototypes for demonstration?

Also I believe post needs to be changed to a [rRFP]

edit

My apologies this needs to be just a temp-check post. There should be a temp check category under the public goods section.

First, proposal of the idea needs to be posted as a temp-check DAO wide. This allows everyone to get an idea of your idea and have the opportunity give feedback, constructive criticism, and general suggestions.
Then it will be able to move to become a pRFP ( proposal for a request for proposal ).

The rRFP will outline the scope of work that needs to be completed such as requirements that need too be met to be completed.

Other applicants will have the opportunity to submit a project proposal ,to be submitted to the DAO–for a question period. This will give other members the opportunity to bid on the project with their unique project proposal or subsequently work together with other members if suggested or requested.

After that is complete the steward of the respective WG will evaluate each project the submit selected applicants project for DAO wide voting.

here is the documentation outlining the process for your idea / project become a proposal to the through the PG WG that will ultimately be submitted to a PG Steward.

Stewards: please correct me if I am wrong about the process described above or if any other clarification should be added.

3 Likes

Thank you! These are great points. I think what could be a good solution to this is to allow the store owners to “register”, in Web3 terms - Connect & Sign during their on-boarding to the platform, and we can store this signature with the address in the PaySubmit database for later authentication of payment data.

Now, during the passing of the order & payment data to the portal, the store owner can pass the data + signature. This covers two points of security:

  • the recipient can only be store-owner-wallet.eth (we will check this value against our Database; reject if not the same).
  • the data can be check against the signature (this is in addition to the above solution method).

This ensures that any tampering of the parameters during transport will invalidate the payment session.

There’s an issue with this though. The store owner can “sign” the catalog item from the PaySubmit dashboard and have the link live on their website but that will be a static link and cannot be changed (injected with dynamic data, explained; continue reading…). One of the core components of portal is the serialisation of the order because that is what ties the costumer to their payment i.e. if a payment is detected on chain and it is from serial: 1234, the store owner can then compare that against their records; who is 1234, where does the item need to be delivered. A solution for this could be: the store owner can sign duplicates (but with different serials) of the items and have it rotate per costumer.

Ideally, I want to integrate a full management suite for store owners to manage their inventory within PaySubmit, and their store can be displayed within the PaySubmit domain - this would eliminate the need for moving away from their domain before, during, and after the ordering process for the costumers.

Also, in the future there should probably be “advanced integration” methods that can help minimise or even eliminate these security concerns.

I don’t have a public prototype as of now but I have a working sample in my own working environment. I would love to show it off but right now it’s still in dress rehearsal! What I can say is: I have a framework from a different project that I have already repurposed so the development for this project will be very quick since all the components have already been made - the only task left to do now is to customise the framework to my needs. The framework includes: upgradeable smart contract suite (this will not be used but it is available if needed), a scalable cloud-server application (this will be lightly used for content delivery, and database queries, in the future it will probably be responsible for heavily lifting), the front-end (it is made in Angular with state management + Web3 integrations ready).

The servers are secured within the boundaries of the data centre I am colocating the hardware in. All operating systems are LUKS encrypted to protect it from insider threat. And for end-point security we’re using SSL to ensure secured communications.

Sorry, I’m new to the board and I don’t know my way around. Please if any mods can guide me what the correct title for this, I will appreciate any help.

Update: I’m still unsure about the said solution in the earlier part of this post. I could be missing something. I will update if something comes up.

2 Likes

That’s okay, I am newish to the board and trying to respond with the most accurate information. We are both in the same boat ad are being proactive–so that is good!

If there is anything wrong a steward is likely to come to the rescue.

I think the best thing right now, is for this to be moved to a temp-check rather than a proposal.
I’m excited to see this work out for you.

2 Likes