The [Steem](https://steem.io/) blockchain has rewarded more than **$22 million** to its users since June 2016. And with its [API](https://developers.steem.io/) being released for public usage, we’ve seen many applications built on top of it, like [Busy](https://busy.org/), [DSound](https://dsound.audio/), [DTube](https://d.tube/), [Steepshot](https://steepshot.io/), etc.
These platforms provide users with different interfaces for doing different things, like publishing music, sharing photos and videos, blogging, etc. And since there are a lot of use cases where users can get rewarded for the content they create, there is a fair chance that you will come across the next cool thing and decide to work on it.
In such cases, you would like to give your users the ability to vote, comment, create a post in your platform’s style and so on. But before you can do any of this, you need the user’s authorization.
In Steem, there are two ways to do this —
- Using [Steem Connect](https://steemconnect.com/).
- Using the private posting key (more [here](https://steemit.com/steemit-guides/@pfunk/a-user-s-guide-to-the-different-steem-keys-or-passwords)).
In this post, I will be discussing only the posting key method and the practices that developers should follow while using it.
## Installing Dependencies
The Steem API is available in JavaScript and can be easily installed using `npm`:
```sh
npm i --save steem
```
or using `yarn`:
```sh
yarn add steem
```
After this, we are all set to go.
## Logging Users In
The easiest way to log users in is by asking for their **username** and **private posting key**.
After getting this data, here is the flow for verifying the credentials:
1. Take the username and request the user's details from the Steem API.
2. Extract the public posting key from the response to the previous step.
3. Use the Steem API to validate the private key against the public key.
4. If validation succeeds, set the cookies or `localStorage` or whatever you want; otherwise display an error message.

Here is an example:
```js
import steem from 'steem';

// Get the form values
const username = document.getElementById('steem-username').value;
const privatePostingKey = document.getElementById('steem-posting-key').value;

// Get user details
steem.api.getAccounts([username], (err, result) => {
  if (err) {
    // Something went wrong
    return;
  }
  if (result.length === 0) {
    // No such user
    return;
  }

  // Get the public key (the first posting authority listed for the account)
  const publicPostingKey = result[0].posting.key_auths[0][0];

  // Try logging in: check that the private key matches the public key
  let loginSuccess = false;
  try {
    loginSuccess = steem.auth.wifIsValid(privatePostingKey, publicPostingKey);
  } catch (e) {
    // Failed log in
  }

  if (loginSuccess) {
    // yay!!
  } else {
    // Wrong combination
  }
});
```
And once we are sure that the posting key provided by the user is correct, we can use it to comment, vote and create new posts. These actions are available in the `steem.broadcast` module.
## (Not) Storing the Posting Key
The user's private posting key can be used for the most powerful action on the Steem blockchain: content creation and curation.
So developers should NEVER store the posting key themselves, for example by sending it in a `POST` request to their own back-end server (or something similar).
This would take power away from users and reintroduce the element of **trust** into the blockchain, when removing that need for trust is the USP of this technology.
If someone holds the posting keys of all the users on a platform, they can use these keys to upvote articles without the users' authorization and ruin the whole motivation behind Steem.
Users should also take a close look at a platform before submitting their posting key to it; there are many [phishing](https://en.wikipedia.org/wiki/Phishing) websites out there.
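
One way to enforce the no-`POST` rule in code, as an added example that is not from the original post or from steem-js: a guard that refuses to serialise any request body containing a string that decodes as a WIF private key (Base58, version byte `0x80`, double SHA-256 checksum), the format a posting key uses. All function names and the sample key are constructed for illustration, and the block assumes Node.js for `crypto` and `Buffer`.

```javascript
// Added example, not from the post or steem-js; names and sample key are constructed.
const { createHash } = require('crypto');
const ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
const sha256 = (buf) => createHash('sha256').update(buf).digest();

// Base58 -> bytes; returns null if a character is outside the alphabet.
function base58Decode(str) {
  let n = 0n;
  for (const ch of str) {
    const digit = ALPHABET.indexOf(ch);
    if (digit < 0) return null;
    n = n * 58n + BigInt(digit);
  }
  const hex = n === 0n ? '' : n.toString(16);
  const zeros = str.match(/^1*/)[0].length; // each leading '1' encodes a 0x00 byte
  return Buffer.concat([Buffer.alloc(zeros), Buffer.from(hex.length % 2 ? '0' + hex : hex, 'hex')]);
}
// Bytes -> Base58 (leading zero bytes not handled; a WIF starts with 0x80).
function base58Encode(buf) {
  let out = '';
  for (let n = BigInt('0x' + buf.toString('hex')); n > 0n; n /= 58n) out = ALPHABET[Number(n % 58n)] + out;
  return out;
}
// WIF layout: 0x80 || 32-byte key || first 4 bytes of SHA-256(SHA-256(0x80 || key)).
function isWif(s) {
  const raw = typeof s === 'string' ? base58Decode(s) : null;
  if (!raw || raw.length !== 37 || raw[0] !== 0x80) return false;
  return sha256(sha256(raw.subarray(0, 33))).subarray(0, 4).equals(raw.subarray(33));
}
// Paths of string fields that contain a valid 51-character WIF key.
function findWifFields(value, path = '$') {
  if (typeof value === 'string') {
    for (let i = 0; i + 51 <= value.length; i++) {
      if (value[i] === '5' && isWif(value.slice(i, i + 51))) return [path];
    }
    return [];
  }
  if (value === null || typeof value !== 'object') return [];
  return Object.entries(value).flatMap(([k, v]) => findWifFields(v, `${path}.${k}`));
}
// Serialise a request body, refusing if any field carries a private key.
function safeBody(payload) {
  const leaks = findWifFields(payload);
  if (leaks.length) throw new Error(`private key in ${leaks.join(', ')}`);
  return JSON.stringify(payload);
}

// Constructed sample key (32 bytes of 0x01), not any real account's key.
const keyBytes = Buffer.concat([Buffer.from([0x80]), Buffer.alloc(32, 1)]);
const SAMPLE_WIF = base58Encode(Buffer.concat([keyBytes, sha256(sha256(keyBytes)).subarray(0, 4)]));
```

Routing every outgoing request body through `safeBody` makes an accidental key upload fail loudly in development; the same `findWifFields` check can run on the back end to reject and avoid logging any request that carries a key.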
---
> We are currently working on the [HapRamp](http://hapramp.com/) platform. It is a social media for people who consider themselves a part of communities like music, dance, art, dramatics and so on.
>
> Our app is currently in private beta phase and we will be making the first public release soon.