NEMventory – Create a Secure SAAS Application Using the NEM Blockchain

The NEM team would like to thank Robin (Telegram user: @robinped) for this blog.

I’m writing this article to serve as a resource for SAAS projects that need some of their functionality backed by the NEM blockchain. This functionality can include the following:

  • Decentralized information
    • You need to use the blockchain as a shared, secure and immutable source for some of your data.
    • List of trusted servers.
    • List of members.
    • Master items.
  • Documentation
    • You need to share some immutable and timestamped information.
    • Certificates
    • Service work
  • Assets of value
    • You need to use the blockchain to handle transferable and valuable assets.
    • In-game currencies
    • Forum points
    • Tokens of value
    • Identity
  • Transact
    • You need to send or receive payments.
    • Donations
    • E-commerce
  • Encrypt
    • You need to encrypt and store some pieces of information.
    • Health records.
    • Secret messages.

First appeared on the NEM.io Blog

Background

I’m creating this article based on my experience building NEMventory, a simple proof-of-concept inventory and trade system that uses mosaics under a centralized namespace. The backend was built with Laravel and the frontend with Vue.

Off-chain contracts

The challenge with a centralized namespace is giving users limited permission to interact with the namespace; in other words, a contract. This is often referred to as an “off-chain” smart contract. With NEM I can write this code in whatever language I prefer. In NEMventory there is a contract for creating an asset on the centralized namespace. It is written in PHP and runs in the web application backend. The contract is triggered when a transfer with a certain message is received. As we don’t want to store “large” amounts of data on the blockchain, the message only holds a reference to the information. If the referenced information is sufficient and the transfer carries enough XEM, the contract executes and creates a mosaic on the namespace based on the referenced information.

[Figure: NEM off-chain smart contract]

There is another layer of security on this contract. The contract can only propose transactions. Because the account is multi-sig, a human or a bot also has to confirm each transaction, applying its own logic.
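To make the trigger concrete, here is an added example of the decision half of such a contract, written in JavaScript rather than the PHP NEMventory uses, and not the project’s own code. It polls nothing itself; it takes a list of incoming transfers in the shape NIS returns (the `meta.hash.data`, `transaction.amount` in microXEM and hex-encoded `message.payload` fields are assumed from the NIS API), validates the reference carried in the message against an off-chain store, checks the attached XEM, refuses transfers it has already acted on, and emits a plain mosaic-creation proposal for the signing layer. The contract parameters, the item store, the mosaic-name rule and the sample transfers are all constructed for the example.

```javascript
// Added example, not NEMventory's own code: the decision logic of an off-chain
// contract that turns a qualifying incoming transfer into a mosaic-creation
// proposal. Transaction objects follow the shape NIS returns from
// /account/transfers/incoming (assumed here; check it against your node).

const MICROXEM_PER_XEM = 1000000;   // XEM amounts on the wire are in microXEM
const TX_TRANSFER = 257;            // NIS type code for a transfer transaction

// Constructed contract parameters (assumed values, not from the project).
const CONTRACT = {
  namespace: "nemventory.items",
  requiredXem: 10,          // minimum XEM that must accompany the request
  trustedSenders: null,     // null = any account may trigger the contract
};

// Constructed off-chain store of the "large" data the message only references.
const ITEM_STORE = {
  "item:42": { name: "iron-sword", quantity: 100, divisibility: 0 },
  "item:43": { name: "Bad Name!", quantity: 1, divisibility: 0 },
};

// Conservative mosaic-name rule (lowercase, short); an assumption, not the
// authoritative NIS validation.
const MOSAIC_NAME = /^[a-z0-9][a-z0-9_-]{0,31}$/;

// Plain (type 1) NIS messages carry hex-encoded UTF-8; anything else is ignored.
function decodeMessage(message) {
  if (!message || message.type !== 1 || !message.payload) return null;
  return Buffer.from(message.payload, "hex").toString("utf8");
}

// Evaluate one incoming transfer. `seen` holds hashes already acted on, so a
// repeated poll of the same transfers never creates the same mosaic twice.
function evaluateTransfer(entry, seen) {
  const tx = entry.transaction || {};
  const hash = entry.meta && entry.meta.hash && entry.meta.hash.data;
  if (!hash) return { ok: false, reason: "no-hash" };
  if (seen.has(hash)) return { ok: false, reason: "already-processed" };
  if (tx.type !== TX_TRANSFER) return { ok: false, reason: "not-a-transfer" };
  if (CONTRACT.trustedSenders && !CONTRACT.trustedSenders.includes(tx.signer)) {
    return { ok: false, reason: "untrusted-sender" };
  }
  // The message is untrusted input: accept only the exact reference format
  // and never use it as a path, query or mosaic name directly.
  const ref = decodeMessage(tx.message);
  if (!ref || !/^item:\d+$/.test(ref)) return { ok: false, reason: "bad-reference" };
  const item = ITEM_STORE[ref];
  if (!item) return { ok: false, reason: "unknown-reference" };
  if (!MOSAIC_NAME.test(item.name)) return { ok: false, reason: "invalid-mosaic-name" };
  if (tx.amount < CONTRACT.requiredXem * MICROXEM_PER_XEM) {
    return { ok: false, reason: "insufficient-xem" };
  }
  seen.add(hash);
  // The proposal is a plain description; announcing it is left to the layer
  // that holds the cosigner key (e.g. via NEM-SDK or the NIS API).
  return {
    ok: true,
    proposal: {
      kind: "mosaicDefinitionCreation",
      namespace: CONTRACT.namespace,
      mosaic: item.name,
      initialSupply: item.quantity,
      divisibility: item.divisibility,
      creator: tx.signer,
      triggeredBy: hash,
    },
  };
}

function runContract(entries, seen = new Set()) {
  return entries.map((entry) => evaluateTransfer(entry, seen));
}

// Constructed sample poll result (five transfers, the fourth a replay of the first).
const hex = (s) => Buffer.from(s, "utf8").toString("hex");
const transfer = (hash, xem, signer, text) => ({
  meta: { hash: { data: hash } },
  transaction: { type: TX_TRANSFER, amount: xem * MICROXEM_PER_XEM, signer,
                 message: { type: 1, payload: hex(text) } },
});
const SAMPLE_POLL = [
  transfer("aa01", 10, "PUBKEY-A", "item:42"),
  transfer("aa02", 5, "PUBKEY-B", "item:42"),
  transfer("aa03", 10, "PUBKEY-C", "item:43"),
  transfer("aa01", 10, "PUBKEY-A", "item:42"),
  transfer("aa04", 10, "PUBKEY-D", "../../etc/passwd"),
];

console.log(runContract(SAMPLE_POLL)
  .map((r) => (r.ok ? "create " + r.proposal.mosaic : "skip: " + r.reason))
  .join("\n"));
```

Of the five constructed transfers only the first produces a proposal; the others are rejected for too little XEM, an item whose name fails the mosaic rule, a replayed hash, and a message that is not a reference at all. Persisting `seen` (for example keyed on the transaction hash in the backend database) is what keeps the contract idempotent across restarts.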

Infrastructure

Another challenge is how our public SAAS application will communicate with the NEM network.

If we are only requesting open information from the blockchain, we don’t need a secure communication channel. But if our communication “contains” private keys, we will need to secure this connection. Then we have two options:

  1. Sign the data before announcing it to a remote node.
  2. Run a local node that signs and announces the data for you.

For option one, you will either need to create your own Ed25519 signing tool, or use the NEM-SDK JavaScript library. I didn’t try option 1 for NEMventory, as we created a secure backend that communicates locally with a NEM NIS node which signs the transactions for us. We could imagine a SAAS solution where transactions are only signed by the client, and, going even further, only after client-side decryption with a user password, but that is for another article.

In this SAAS topology, we will use option two: a local NEM node that communicates with the blockchain network. This NEM node is called NIS. Installation instructions can be found here. It has its own API, which is documented here. Our web app backend communicates with the NEM node, which in turn can serve information to our web app frontend through its API. There are several good libraries in multiple languages that simplify communication with NIS.

Multi-sig

The NEM blockchain comes with built-in features like multi-sig authentication which we will use to keep the main account with funds secure in the SAAS infrastructure.

The backend web app holds only one of the multi-sig cosigner keys, so an intruder would only be able to propose transactions. We can then put logic in our signer (bot or human) to decide which transactions get signed.

If our server gets compromised (and the bot does not run on the same server), the intruder does not have enough access to steal the funds from the main account.

This secures our valuable assets. We can push it even further by withdrawing the assets into cold storage if necessary.
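The signing logic mentioned above is where the multi-sig protection actually bites, so here is an added example of a co-signing bot’s policy, written in JavaScript and not taken from NEMventory. It takes entries in the shape NIS returns for the multisig account’s unconfirmed transactions (the `transaction.otherTrans` wrapper, `meta.innerHash.data` and the type codes 257, 4097, 4100 and 16385 are assumed from the NIS API), and signs only mosaic definitions in the project’s own namespace and small transfers to a fixed payout address. It refuses any change to the cosigner set, because that is the proposal a compromised backend would need to get the other cosigners out of the way. The policy values and sample proposals are constructed.

```javascript
// Added example, not NEMventory's own code: the policy a co-signing bot applies
// before adding its signature to a transaction proposed on the multisig
// account. Type codes and the multisig/otherTrans/innerHash layout follow the
// NIS API (assumed here; verify against the node you run).

const MICROXEM_PER_XEM = 1000000;
const TX = {
  TRANSFER: 257,        // 0x0101 transfer
  MULTISIG_MOD: 4097,   // 0x1001 multisig aggregate modification (cosigner set)
  MULTISIG: 4100,       // 0x1004 wrapper around the proposed inner transaction
  MOSAIC_DEF: 16385,    // 0x4001 mosaic definition creation
};

// Constructed policy (assumed values, not from the project).
const POLICY = {
  namespace: "nemventory.items",
  maxTransferXem: 50,
  payoutRecipients: ["TCONSTRUCTED-PAYOUT-ADDRESS"],
  autoSignInner: [TX.TRANSFER, TX.MOSAIC_DEF],
};

// Returns a rejection reason for the inner transaction, or null if it passes.
function inspectInner(inner) {
  if (!POLICY.autoSignInner.includes(inner.type)) return "inner-type-not-auto-signed";
  if (inner.type === TX.TRANSFER) {
    if (!POLICY.payoutRecipients.includes(inner.recipient)) return "recipient-not-allowed";
    if (inner.amount > POLICY.maxTransferXem * MICROXEM_PER_XEM) return "amount-over-cap";
    if (Array.isArray(inner.mosaics) && inner.mosaics.length > 0) return "mosaic-transfer-not-auto-signed";
  }
  if (inner.type === TX.MOSAIC_DEF) {
    const id = inner.mosaicDefinition && inner.mosaicDefinition.id;
    if (!id || id.namespaceId !== POLICY.namespace) return "wrong-namespace";
  }
  return null;
}

// Decide on one entry from the multisig account's unconfirmed transactions.
function decide(entry) {
  const tx = entry.transaction || {};
  const innerHash = entry.meta && entry.meta.innerHash && entry.meta.innerHash.data;
  if (tx.type !== TX.MULTISIG || !tx.otherTrans) return { sign: false, reason: "not-a-multisig-proposal" };
  if (!innerHash) return { sign: false, reason: "no-inner-hash" };
  // A compromised server holding one cosigner key could propose removing the
  // other cosigners or lowering the required signature count; never auto-sign that.
  if (tx.otherTrans.type === TX.MULTISIG_MOD) {
    return { sign: false, reason: "cosigner-change-needs-human", innerHash };
  }
  const reason = inspectInner(tx.otherTrans);
  return reason ? { sign: false, reason, innerHash } : { sign: true, innerHash };
}

// Inner hashes the bot would go on to sign (one multisig signature transaction each).
function selectToSign(entries) {
  return entries.map(decide).filter((d) => d.sign).map((d) => d.innerHash);
}

// Constructed sample of the account's unconfirmed transactions.
const proposal = (innerHash, otherTrans) => ({
  meta: { innerHash: { data: innerHash } },
  transaction: { type: TX.MULTISIG, otherTrans },
});
const SAMPLE_UNCONFIRMED = [
  proposal("h1", { type: TX.MOSAIC_DEF, mosaicDefinition: { id: { namespaceId: "nemventory.items", name: "iron-sword" } } }),
  proposal("h2", { type: TX.TRANSFER, recipient: "TCONSTRUCTED-PAYOUT-ADDRESS", amount: 20 * MICROXEM_PER_XEM }),
  proposal("h3", { type: TX.TRANSFER, recipient: "TCONSTRUCTED-PAYOUT-ADDRESS", amount: 500 * MICROXEM_PER_XEM }),
  proposal("h4", { type: TX.TRANSFER, recipient: "TCONSTRUCTED-OTHER-ADDRESS", amount: 1 * MICROXEM_PER_XEM }),
  proposal("h5", { type: TX.MULTISIG_MOD, modifications: [{ modificationType: 2 }], minCosignatories: { relativeChange: -1 } }),
  proposal("h6", { type: TX.MOSAIC_DEF, mosaicDefinition: { id: { namespaceId: "attacker.space", name: "iron-sword" } } }),
];

console.log(SAMPLE_UNCONFIRMED.map(decide));
console.log("would sign:", selectToSign(SAMPLE_UNCONFIRMED));
```

Running it signs `h1` and `h2` only; the oversized transfer, the unknown recipient, the cosigner modification and the mosaic in a foreign namespace are all left for a human. Keeping the bot on a different host from the backend, as the text says, is what makes the rejected proposals harmless: the intruder can keep proposing, but never reaches the second signature.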


Start your own blockchain SAAS project

These are the steps to create a SAAS application that leverages functionality the NEM blockchain provides.

  1. Set up an Ubuntu server.
  2. Set up a NEM node on the server (instructions here).
  3. Create a NEM 2-of-3 multisig account. (Tutorial Part 1, Part 2)
  4. Set up your web application. (Angular2, Laravel)
  5. Connect the web application to the NEM node.

You can find a full SAAS example with [NEMventory here](https://github.com/RobertoSnap/nemventory).

Setup NEMventory example


NEMventory consists of a Laravel 5.4 backend and a Vue SPA frontend. To run a secure namespace, you will have to set up a multisig account with at least one public and one private signer. The public signer will live in the .env file on the backend. The private signer can be yourself, or you can set up a bot to do it for you.

  1. Set up a Laravel environment: https://laravel.com/docs/5.4/installation
    1. Windows: https://laravel.com/docs/5.4/homestead
    2. Mac: https://laravel.com/docs/5.4/valet
  2. Clone this repo into a public folder: `git clone https://github.com/RobertoSnap/nemventory.git Nemventory`
  3. Run `composer install`
  4. Set up a DB for your Laravel installation and run `php artisan migrate`
  5. Run `php artisan passport:install`. This will generate the keys for API based authentication.
  6. Run `npm install`
  7. Run `npm run watch`
  8. Then in your .env file, configure the following:

```
MAINACCOUNTADDRESS=
MAINACCOUNTPUBLICKEY=
MAINPUBLICACCOUNTPUBLICKEY=
MAINPUBLICACCOUNTPRIVATEKEY=
NEMNODEIP=127.0.0.1
NEMNAMESPACE=nemventory
NEMITEMNAMESPACE=nemventory.items
NEM_ADDRESS=TD4SAQFGF3DP3IJAXJA2GYGQ3HZVD3AS3UIZ44EA
```
