npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

online-marketplace

v5.40.0

Published

Smart, trustworthy, open, portable, safe and secure. Build amazing things and join the sustainable lightweight design revolution.

Downloads

118

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

fantasyui.comfantasyui.com

Keywords

Readme

online-marketplace

A wise and secure online marketplace for selling files. online-marketplace safely encodes purchase information in urls (AES(bcrypt-hash)) and performs operations via automated, interactive email system.

Opening Intro

Product Layout

Product Details

Licensing

Theory of operation, what problem does it fix, and do people have them?

In short we must ask, if it is possible to sell digital goods without forcing the user to create an account. If this is in deed, possible; then as a corollary: Why are we forcing the users to signup if it is not necessary.

There are no pros that could possibly outweigh the problems associated with a server breach, the legal repercussions that follow, and even the development of the features and flows to capture PII in the first place.

In the age of secure off-site (Stripe) 3rd party payment processors, signups (username/password) are not always necessary to run an online business. Username/Password invariably induces the need for other PII such as e-mail address to verify the claimed user identity and later to reset password. This relationship will then call for first and last name and later possibly address/ID where email is insufficient means of verification.

At this point we must ask, is all of this necessary. Customer information is an enormous liability in several domains. Legal (PII privacy laws), Software Vulnerabilities and Network Security. Additionally, we must also consider convenience. Sometimes a customer just wants the product.zip file without creating accounts and going through the extra effort that comes with it. Customers passing a security check on Stripe/PayPal should not sign-up the second time to the website, especially if they don't need to (in the larger sense, when trading money for service).

Security

  • Customer Privacy and Server Security first.
  • Minimal attack surface.
  • Server does not store e-mails in readable form (hash values only).
  • Credit card processing via Stripe or similar.

Structure

  • Simple product catalog (package.json format) see product-catalog.
  • Potential for serving static pages (generate from live and serve via static)

Secrets/Key Disclosure (requires full server breach)

STRIPE_SECRET_KEY (allows access to parts of Stripe)

Stripe secret key, used to execute API commands on Stripe.com.

  • If disclosed "Your secret API key can be used to make any API call; most notably, it can create new charges or refund existing payments. However, it cannot be used to retrieve any extremely sensitive data like your customer’s credit card numbers, which we’ll never reveal in our API." see Stripe Questions
  • Instantly mitigated by rolling new keys.

DOWNLOAD_SECRET_KEY (prevents magnet link disclosure)

Secret Download Key used to encrypt re-download link.

  • If disclosed, it will be possible to decrypt the download link.
  • Instantly mitigated by changing the secret download key.

DOWNLOAD_SECRET_SALT (prevents magnet link forgery)

Secret salt in decrypted link information.

  • If disclosed it is possible to tamper with the download link. It will be possible to forge a link that will allow arbitrary product downloads. Note this requires DOWNLOAD_SECRET_KEY disclosure.
  • Instantly mitigated by changing secret salt.

Development Status

See TODO.md

NPM NPM

Installation


mkdir my-online-marketplace
cd my-online-marketplace/
git clone https://github.com/fantasyui-com/online-marketplace.git .
npm i
npm start

at this point you will see http://0.0.0.0:8080/ navigate to the address to view the homepage.

Start Server

Use default npm (uses server.js)


npm start;

Periodic Updates

Use default npm command


npm update;

Development

Clone repository, install supervisor npm install -G supervisor and then:


npm run watch;

Running Tests

Test system uses mocha.


npm test;

Production

Using in Production

Installing node and pm2 for production


curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.1/install.sh | bash
export NVM_DIR="$HOME/.nvm"; [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"  # This loads nvm
nvm install node # node installed
npm i -g pm2 # pm2 installed

Installing marketplace for production


cd ~
git clone https://github.com/fantasyui-com/online-marketplace.git
cd online-marketplace/
npm i;

Using a Process manager (pm2) to manage the server:


cd ~
pm2 start online-marketplace/server.js
pm2 save

Environment Variables

You MUST set three ENV variables STRIPE_PUBLISHABLE_KEY, STRIPE_SECRET_KEY, DOWNLOAD_SECRET_KEY, and DOWNLOAD_SECRET_SALT example:


STRIPE_PUBLISHABLE_KEY=pk_test_6pRNASCoBOKtIshFeQd4XMUh \
STRIPE_SECRET_KEY=sk_test_BQokikJOvBiI2HlWgH4olfQ2 \
DOWNLOAD_SECRET_KEY=sk_test_c40aeeb535784f3fa179b107c5ee8e99 \
DOWNLOAD_SECRET_SALT=st_test_784f3fa179b3f3f50a7c5faeeb5ee87c \
node server.js

Process JSON

If you choose to use pm2 you can activate the provided process.json via $> start online-marketplace/process.json please remember to update and guard the secret keys.


{
  "apps": [

    {

    "name": "online-marketplace",
    "script":"server.js",
    "cwd":"/home/meow/online-marketplace",

    "env": {

      "STRIPE_PUBLISHABLE_KEY" : "pk_test_6pRNASCoBOKtIshFeQd4XMUh",
      "STRIPE_SECRET_KEY"      : "sk_test_BQokikJOvBiI2HlWgH4olfQ2",
      "DOWNLOAD_SECRET_KEY"    : "sk_test_c40aeeb535784f3fa179b107c5ee8e99",
      "DOWNLOAD_SECRET_SALT"   : "st_test_784f3fa179b3f3f50a7c5faeeb5ee87c",
      }

    }

  ]
}

Low Number Ports

Server requires access to low level ports 80 (http) and 443 (https) to operate by default. On linux servers you can use the following command to give Node access to these ports. Note use of sudo setcap cap_net_bind_service=+ep $(which node) Note: Port forwarding is the preferred method.