Security News
Input Validation Vulnerabilities Dominate MITRE's 2024 CWE Top 25 List
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
@waxio/waxjs
Advanced tools
Javascript API for integration with the WAX Cloud Wallet.
Check the WAX developer portal for full instructions
Grab the waxjs.js minified bundle in the dist-web folder of this repo, or build it yourself (see below). Check the demo code to see how to use it.
npm install @waxio/waxjs
yarn add @waxio/waxjs
React style apps using npm or yarn can import the library via:
import * as waxjs from "@waxio/waxjs/dist";
Instantiate the waxjs object with the WAX RPC server you wish to connect to.
const wax = new waxjs.WaxJS({
rpcEndpoint: 'https://wax.greymass.com'
});
The library can also be instantiated with the user account and the public keys. Due to the library contains the user information, the login step can be avoided.
const wax = new waxjs.WaxJS({
rpcEndpoint: 'https://wax.greymass.com',
userAccount: 'user1',
pubKeys: ['EOS7rC8jFvFrPYDqp3Nh3HdRfL79h11B1JhPEXy85enF5wwYzF3Hk']
});
If you want to handle the auto-login on your side with the isAutoLoginAvailable
function (to avoid waiting for the user to click a button), you can disable the auto-login function in the constructor (so it won't get called twice).
const wax = new waxjs.WaxJS({
rpcEndpoint: 'https://wax.greymass.com',
tryAutoLogin: false
});
Log your user in so as to access their wax account name for creating transactions.
const userAccount = await wax.login();
Successful login will return the userAccount. It will also be available as the userAccount
member on the wax
instance. You can now use the eosjs api
member...
We could also combine proof system inside wax.login by passing optional nonce parameter onto the function
const nonce = 'your_nonce_string';
const userAccount = await wax.login(nonce);
later on we could get proof status of user by calling:
const proofVerified = wax.proofVerified; // return true or false
Utilize the eosjs api
and rpc
members available on the wax
instance. They are instances of the regular eosjs objects, Api, and JsonRpc, so you can do anything with them that eosjs already provides. Check the eosjs docs and repo for more info.
The api method will not be initialized until you login your user, and remember that the user's account name is available as the userAccount
member on the wax
instance.
const result = await wax.api.transact({
actions: [{
account: 'eosio.token',
name: 'transfer',
authorization: [{
actor: wax.userAccount,
permission: 'active',
}],
data: {
from: wax.userAccount,
to: 'eosio',
quantity: '0.00000001 WAX',
memo: '',
},
}]
}, {
blocksBehind: 3,
expireSeconds: 1200,
});
(userAccount: string, originalTx: any, augmentedTx: any) => void
. Where userAccount
is the account being signed for, originalTx
is the tx generated by your dapp, and augmentedTx
is the potentially bandwidth-managed altered tx you will receive from WAX. The default verifier does this for you, and you should check this to be confident that the verifier is sufficiently rigorous. OptionalTemporary accounts are users that have signed up for a wallet account, but have not paid the entry fee to get the blockchain account created.
We allow waxjs to return accounts using the returnTempAccounts
contructor argument, by then dapps can create an account on behalf of the user or have a custom signup flow if they want.
For example:
returnTempAccounts
= true, User with temporary account can login and try out the dApp without using any blockchain function
returnTempAccounts
= false, this means the waxjs library will only return accounts for users who have a block chain account. People who have already paid the creation fee
After the wax.login() call you can check if an account is temporary using wax.isTemp(), remember this will only ever can be true if allowTemporaryAccounts is set to true, or else waxjs will never return temporary accounts.
To create blockchain account on behalf of the user, dApp owners can send 5 WAXP
( get the latest value from here ) to newuser.wax
with the MEMO = userAccount
.
There is a refund system in place if you pay more than the account creation fee, the extra amount will be refunded to the newly created account. eg: you send 8 WAXP
to newuser.wax
for a new account named: new.wam
after the new account new.wam
is created it will get 3 WAXP
refunded. There is a maximum amount that will be refunded, it can be found here
If you want to get the latest account creation fee from the blockchain you can get it from waxjs. After the user has logged in you can call waxjs.createInfo
this will return an object like this :
{
"contract": "eosio.token",
"message": "Create the user's blockchain account ds.k.wam by sending 5 WAX to newuser.wax with the memo as the one mentioned below.",
"amount": "5.00000000 WAX",
"memo": "dsDOTkDOTwam"
}
This is only be returned if the account is temporary so check that the account is temporary using waxjs.isTemp
before you call waxjs.createInfo
For example:
User login with temporary account, and their userAccount
= hfhf.wam
Dapps can send 5 WAXP
(current account creation fee) to newuser.wax
, with MEMO
= hfhf.wam
Then the blockchain account of the user would be created, and they can start using all the blockchain features.
So long as waxjs is initialized with freeBandwidth = true
(this is the default), your dapp will take advantage of freebandwidth provided by WAX, up to 5ms of CPU and 5K words per user per 24 hours, and tentatively 50s per contract per 24 hrs.
Dapps that require more bandwidth will be able to register their own bandwidth via the bandwidth registration contract. More info on registering for extra bandwidth management can be found here.
You can now log a user out of the waxjs library, this is usefull if you want to logout one user and let them login with another account.
To do this just call wax.logout()
that will be enough.
Sometimes it is important to verify that the current logged in user is legitimate.
We do this by checking the that the current session belongs to the user account that you have in your dapp.
There are two ways to check this using waxProof(nonce,verify = true)
Function and userAccountProof(nonce,description,verify = true)
Both of these functions will need a nonce, which is a string that you generate on your side and send it to be signed.
An extra parameter called description is needed for userAccountProof
but not used right now.
the verify
boolean will tell the functions if you want waxjs to do the verification.
If verify
is true
then the waxjs library will do the verification and the functions will return a boolean either true of false to indicate if the verfication process succeeded.
If verify
is false
the library will then return the following verification object
{
"type": "VERIFY",
"accountName": "myacc.wam",
"referer": "https://mywebsite.com/",
"signature": "SIG_K1_Jx8kAWjeiyaQPZyDExo5xrMPWLeM93BzJ25w2m2tvMdTnYb8AQ9TPyaPKh9Lqygg4Q6BNfTTsk6chdrnuPyLqG85gjXBpX",
"message": "cloudwallet-verification-https://mywebsite.com/-nonce-myacc.wam"
}
you can then use this structure if you want to do this verification in the backend.
signature
is the signature that was signed using the private key. accountName
is the account name we have on our record. the message
is the message that was actually signed.
The message is different for both the functions. the userAccountVerify
will sign whatever nonce you send so the message will contain only the nonce, where as waxProof
will contain a combined message as shown above.
wax.waxProof("hello world",true)
wax.userAccountProof("hello world","",true);
import * as ecc from 'eosjs-ecc';
let verifyObj = await wax.waxProof("hello world",false);
let proofWaxActivePublicKey="EOS5fiahVT7rWcu2V18T93WoCcJ27HF4GR7xr9sX4SQ5rMbGvEH1Y"; //active key for proof.wax
const isValidSignature = ecc.verify(verifyObj.signature, verifyObj.message, proofWaxActivePublicKey);
if (isValidSignature) {
alert('User authenticated');
} else {
alert('User unauthenticated');
}
import * as ecc from 'eosjs-ecc';
let verifyObj = wax.userAccountProof("hello world","",false);
let userWaxActivePublicKey="EOS5aaaaaaaaaaaaa";
const isValidSignature = ecc.verify(verifyObj.signature, verifyObj.message, userWaxActivePublicKey);
if (isValidSignature) {
alert('User authenticated');
} else {
alert('User unauthenticated');
}
So long as waxjs is initialized with feeFallback = true
(this is the default), Wallet automatically add action to transfer WAXP as fee for that transaction if user has enough balance. Transaction fee is calculated by formula:
waxFee = cpu_usage_us*CPU_FEE_RATIO + net_usage_words*NET_FEE_RATIO + FEE_CONSTANT;
By default CPU_FEE_RATIO=NET_FEE_RATIO=0.001, FEE_CONSTANT=0.01;
After logging in, you can get avatar of the current user by method
wax.avatar;
If user sets the avatar using NFT, function will return IPFS hash. You can get full avatar URL from IPFS hash with a IPFS gateway, for example
https://ipfs.io/ipfs/<IPFS_HASH>
Similar to Avatar above, you can get a user's trust score using the function
wax.trustScore;
The Trust score will be from 0 to 1. If there is no score yet, the function will return the empty string ""
.
TRUST scores are powered by Chain Champs and you can learn more about TRUST here.
wax.trustScoreProvider;
Current version of waxjs could be retrieved using
wax.version;
npm run docs
npm run serve
Note - run the demo app first (as above), and then run the tests suite:
npm run test
npm run build
npm run build-web
When making a pull request, please make sure to run npm run prettier
to make sure your code is as formatted as possible. Also, make sure npm run lint
runs without errors, since that is the final check before a new version is published to npm.
FAQs
Javascript API for integration with the WAX Cloud Wallet.
The npm package @waxio/waxjs receives a total of 320 weekly downloads. As such, @waxio/waxjs popularity was classified as not popular.
We found that @waxio/waxjs demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.