Also regarding promotional packs - all of that is still recorded on the blockchain as well.
Awesome! This is what I love hearing. :)
Yeah, I figured someone could build an explorer right now, if they wanted to dig in a bit more. And I agree, you focusing on the actual system, game-play mechanics, etc. is the highest priority.
You are doing some great things here, and I'm sure a lot of people are watching. I'm really excited for your success. :)
Edit: Oh, one more thing I forgot to ask: when I combine cards, is that on the blockchain? I didn't see the transaction for that, but maybe I missed it? I was curious how that works, or if it's just a visual representation based on settings in a private database for how the cards are represented?
Ok you caught me - I released the combine cards feature before the posting to the blockchain part was ready because I was still thinking through how it should work.
But it's ready now and just released so here's what I ended up deciding on (will probably make a post about this stuff too at some point). I welcome your feedback.
The site now requires the posting key to log in, and when you combine cards or gift packs it will post a custom_json transaction to your steem account which is proof that you initiated the transaction. The transaction is signed/broadcast on the client-side and the keys are never sent anywhere.
Another custom json will then be posted from the steemmonsters account with the details of the combine or gift or whatever and include a reference to the transaction posted on the player's account in step 1 above.
This has two benefits (in my opinion):
Users "own" their cards and they must publish a transaction to their account on the blockchain to move or change those cards. If we were to move cards or change them in our private DB then people could see that there was no associated transaction posted to that player's account and call us out on it (we won't do that of course!).
You can still get the current "state" of the game by just going through the steemmonsters account history and not the entire blockchain.
Here are screenshots of both transactions so you can see what I'm talking about (note that the second references the trx_id of the first):
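The two-transaction scheme described in the comment above can be audited by anyone with the account histories. The following is an added example, not part of the original thread or the Steem Monsters code: the operation ids (`example_combine`, `example_result`), the JSON field names (`player`, `ref_trx_id`) and the sample transactions are constructed assumptions; only the `custom_json` operation shape comes from Steem.

```javascript
const GAME_ACCOUNT = "steemmonsters";

// Build a custom_json operation in the shape Steem uses: [name, payload].
const op = (signer, id, body) => ["custom_json",
  { required_auths: [], required_posting_auths: [signer], id, json: JSON.stringify(body) }];

// Constructed sample histories; ids and field names are hypothetical.
const playerTxs = [
  { trx_id: "a1", op: op("alice", "example_combine", { cards: ["C-1", "C-2"] }) },
  { trx_id: "a2", op: op("bob", "example_gift", { to: "alice", packs: 1 }) },
];
const gameTxs = [
  { trx_id: "g1", op: op(GAME_ACCOUNT, "example_result", { player: "alice", ref_trx_id: "a1" }) },
  { trx_id: "g2", op: op(GAME_ACCOUNT, "example_result", { player: "alice", ref_trx_id: "a2" }) },
  { trx_id: "g3", op: op(GAME_ACCOUNT, "example_result", { player: "bob", ref_trx_id: "zz" }) },
  { trx_id: "g4", op: op(GAME_ACCOUNT, "example_result", { player: "alice", ref_trx_id: "a1" }) },
];

// For every game-account operation, confirm it points at a transaction that
// the named player actually signed, and that no player transaction is
// credited twice.
function auditGameHistory(gameTxs, playerTxs) {
  const signersOf = new Map(playerTxs
    .filter(t => t.op[0] === "custom_json")
    .map(t => [t.trx_id, t.op[1].required_posting_auths]));
  const used = new Set();
  return gameTxs.map(({ trx_id, op: [name, payload] }) => {
    const auths = [...payload.required_auths, ...payload.required_posting_auths];
    if (name !== "custom_json" || !auths.includes(GAME_ACCOUNT))
      return { trx_id, status: "not-a-game-op" };
    let body;
    try { body = JSON.parse(payload.json); } catch { return { trx_id, status: "bad-json" }; }
    const signers = signersOf.get(body.ref_trx_id);
    if (!signers) return { trx_id, status: "no-player-transaction" };
    if (!signers.includes(body.player)) return { trx_id, status: "signer-mismatch" };
    if (used.has(body.ref_trx_id)) return { trx_id, status: "reference-reused" };
    used.add(body.ref_trx_id);
    return { trx_id, status: "ok" };
  });
}

console.log(auditGameHistory(gameTxs, playerTxs));
```

Any status other than `ok` marks a game-state change that has no matching player-signed transaction, which is the condition the comment says outside observers could call out.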
Nice! I'm a little hesitant about logging in with a posting key, but I can see the need for it. As long as the key never leaves the browser, cool, but it is a concern the more we create interfaces that teach people to give out their posting keys, the more hacking incidents we're going to have.
I prefer using Vessel. Could it be done that way instead? That way each action could be done via Vessel securely. Either that or steemconnect which is an official product of Steemit, inc and trusted (for the most part).
I really do love where you're going with this and putting everything on chain though. That's what I was hoping to see. :)
Yes I agree with you that we shouldn't teach people to put keys in the browser at all. From that perspective it's not different than SteemConnect though. I also don't really like SC because I don't like having to give another account posting authority to use it.
The Utopian hack really made me think twice about using SC. I know we wouldn't be storing access tokens like what they were doing, but SC could get hacked and then the hackers would have posting access to all the steem monsters' players' accounts.
I think Vessel is the best option - and it is supported currently for purchases as I'm sure you've seen using my SC2-pay library (which is mis-named now that it supports other options than SC). Practically speaking though very few people use Vessel, especially the ones who don't know how to protect their keys.
The best option of all (in my opinion) would be to have a metamask-style browser extension for managing steem keys and signing transactions. That would be the best mix of security and user-experience (again in my opinion). I have talked to @jesta about this a couple of times but he doesn't seem too interested in it.
I would absolutely love for someone to build that though, and would definitely help fund and support that project.
Anyway - this was probably a much longer response than you were expecting, but the point is that I put a lot of thought into the authentication and I thought that using the private posting key on the client-side only was the option I preferred to use based on all of the above.
I've used Vessel every time when buying monsters, and I greatly appreciate the Vessel support.
I understand the concerns with SteemConnect but the way I look at it, the Utopian hack actually demonstrated the value of SteemConnect. Instead of all those posting keys needing to be reset, the SteemConnect OAuth tokens were revoked and no one had to change any keys. If SteemConnect itself ever got hacked, then Steemit could also be hacked. I figure we have to put trust somewhere and right now that's with the core Steemit, inc developers.
Right now, unfortunately, there's no easy way to ensure "This only happens in your browser and doesn't get sent to our servers". That's why I like Vessel. It makes that separation clear. A browser extension, to me, still feels a bit shady. I've never really trusted MetaMask. I wonder sometimes if those extensions are spying on pages or capturing key strokes... I don't like them running all the time in the background. I do agree they are more user friendly by far though.
No worries about the long reply. It's a really important discussion, IMO.
Keep up the great work.
I think we're mostly in agreement here. No method that involves entering private keys into a browser window is an ideal solution. I also agree that Vessel is a better solution from a security perspective than a browser extension, but it's definitely not better from a usability perspective when it comes to integration with websites (which is what the Steem blockchain is mostly all about). So in my opinion an open source browser extension would be the best of both worlds in that it would provide ease of use with Steem-based websites while also allowing the code to be reviewed and audited to ensure there's no shady business going on.
I would like to use vessel but when I click xdg-open from chrome, vessel never gets populated with the transaction. I wonder if this is because I installed vessel using its linux snap?
snap install --dangerous vessel_0.2.7_amd64.snap
Check with @jesta on Discord or Steemchat or open an issue ticket on Github. I've never had a problem using it.