Any server-side examples?

Given client-side JavaScript examples are easy to imitate (and the WebMonetization.org examples even explicitly state this), is there an example of how I can verify receiving a payment server side?

If I could do this, then I would be able to gate access to content effectively.

1 Like

Listen for the monetizationprogress event, as per https://webmonetization.org/docs/counter:

monetizationprogress contains details about the micropayments that occur [emphasis mine].

In your callback function, you could make an ajax request to your server with the updated total amount. If you only need to verify it once (e.g. when it hits $10), then only make the request after total hits that amount.

If you need to keep tabs on the total received and do something at intervals, then you could fire the ajax request in the callback only when the "total modulo X" is equal to zero, where X is the interval (e.g. X = 10 implies every $10).
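As an added example (not code from the reply above or from webmonetization.org), here is a progress listener that implements the interval idea in a form that survives real payment streams: micropayment totals rarely land on an exact multiple, so it reports each time the running total crosses an interval boundary rather than testing "total modulo X == 0". It assumes the `event.detail` fields `amount` (a string in the asset's smallest unit), `assetCode`, `assetScale` and `requestId` from the Web Monetization draft; the `report` callback and the `/api/monetization-progress` endpoint are placeholders for your own server call.

```javascript
// Added example: report progress to the server once per crossed interval.
// Totals are kept as BigInt because `amount` is a string of smallest units.
function createProgressReporter({ intervalUnits, report }) {
  let total = 0n;                    // running total in smallest units
  let nextMark = BigInt(intervalUnits);
  let requestId = null;              // pinned on the first event seen
  return {
    handle(event) {
      const d = event.detail;
      if (requestId === null) requestId = d.requestId;
      // Ignore events whose requestId does not match this session's.
      if (d.requestId !== requestId) return false;
      total += BigInt(d.amount);
      let fired = false;
      // One report per crossed boundary, even if a single event skips several.
      while (total >= nextMark) {
        report({
          requestId,
          total: total.toString(),
          assetCode: d.assetCode,
          assetScale: d.assetScale,
        });
        nextMark += BigInt(intervalUnits);
        fired = true;
      }
      return fired;
    },
    total() { return total; },
  };
}

// Browser wiring, guarded so the module also loads outside a browser.
// Assumed endpoint: /api/monetization-progress (placeholder).
if (typeof document !== 'undefined' && document.monetization) {
  const reporter = createProgressReporter({
    intervalUnits: 10n * 10n ** 9n,  // constructed: 10 units at assetScale 9
    report: (body) => fetch('/api/monetization-progress', {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify(body),
    }),
  });
  document.monetization.addEventListener('monetizationprogress',
    (e) => reporter.handle(e));
}
```

Note that what this sends is only a hint to the server: as the rest of the thread explains, anything reported from the browser can be forged, so the server must decide on its own record of received funds.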

I know how to do the client-side part. That seems straightforward. But it’s also incredibly easy to fake.

I need to be able to verify the Web-Monetization-Id HTTP header or the requestId in the monetizationprogress event emitted client-side on the server-side because the server is a trusted environment. Once I can do this, I can use the Web-Monetization-Id HTTP header as the authentication mechanism to grant access.

Coil is sending payment to my Stronghold account (I think) via XRP. How do I confirm server-side that the value was actually sent? Stronghold does not give general access to its API unless you’re willing to license it for $10k/month. That’s not a reasonable option for most content creators using Coil.

If XRP is a blockchain-like thing, I assume it must be publicly auditable. I don’t know how to do that part. I also assume and don’t know if the requestId is part of the XRP transaction.

I also don’t know how Interledger works or what role it plays. I assume in the future, some non-XRP-based payments will be supported. Maybe Interledger and not XRP’s pseudo-blockchain is the place to verify a payment transaction?

To fake a monetizationprogress event, one would need the requestId (i.e. session ID) and so the site would have to be compromised (e.g. XSS), no? Not sure if I would call that incredibly easy.

For sure, verification server side would be better. It’s even referenced in step 9 at https://webmonetization.org/docs/explainer#sequence-diagram. But no example is given. I get what you’re asking and would be curious to know the answer, as well.

Since the requestId seems to be a Web Monetization thing, I’d guess it’s not recorded at the Interledger layer nor the XRP layer. Since Coil is the Web Monetization provider, my guess is that they record it. But do/will they provide a way to query transactions by requestId?

@erika can you provide any insight on how one could verify monetization events server-side?

No. A site does not need to be compromised. In all of the examples on webmonetization.org, the client-side code merely looks for document.monetization, listens for related events, and reveals content when those events are emitted. The client-side does no validation. A visitor can simply open the developer tools to add a fake document.monetization object and trigger an event. It’s trivial to create and easy for mildly technical users to copy and paste.

A server-side solution could use the Web-Monetization-Id to validate the payment and then grant access to the content instead of simply hiding the paid content.

@JeremiahLee client-side validation can easily be done by comparing the requestId emitted in event.details to that generated by the browser at the start of the session. To fake that, a malicious script would have to have access already (this is what I meant).

Edit: to your point, a visitor could still fake a monetization object and dispatch fake events supplied with a fake requestId

I’m unable to provide an answer myself, but I’ll see if I can track down someone who can.

1 Like

Edit: to your point, a visitor could still fake a monetization object and dispatch fake events supplied with a fake requestId

Correct, we wouldn’t consider the client-side events to be trusted, because a clever user could spoof the events with a simple extension.

Coil is sending payment to my Stronghold account (I think) via XRP. How do I confirm server-side that the value was actually sent? Stronghold does not give general access to its API unless you’re willing to license it for $10k/month. That’s not a reasonable option for most content creators using Coil.

If XRP is a blockchain-like thing, I assume it must be publicly auditable. I don’t know how to do that part. I also assume and don’t know if the requestId is part of the XRP transaction.

Web monetization purely works over Interledger. While XRP can be used as a settlement asset for Interledger, that’s just an occasional operation that occurs between providers/wallets. If two parties are peered over XRP then they would send an XRP payment between each other for the total of their Interledger traffic on whatever schedule they agree on (could be every day, every month, every 10k XRP, etc.). If two parties are peered over USD then they would send a USD payment between each other to settle traffic and not touch XRP at all. Every pair of network participants on Interledger chooses whatever currency they want to settle their Interledger traffic. (Questions about this part would be better placed on the Interledger Forum, where I would be happy to answer them)

The Interledger micropayment completes separately from the settlement. So you could have your money available instantly after getting it sent over Interledger even though many intermediary connectors haven’t settled their traffic yet.

Basically Interledger transactions have no corresponding XRP or blockchain transaction

I also don’t know how Interledger works or what role it plays. I assume in the future, some non-XRP-based payments will be supported. Maybe Interledger and not XRP’s pseudo-blockchain is the place to verify a payment transaction?

That’s right! You can use Interledger APIs to verify Web Monetization securely. Here is an example project that tracks incoming Interledger funds and exposes an API to check securely whether a given requestId has paid or not. https://github.com/sharafian/web-monetization-access

The main challenge in using something like this today is it requires direct Interledger access. Right now wallets on Interledger have not exposed an open API to directly access Interledger, but it’s being worked on. So in the meantime you would have to find a peer on the network, which isn’t really feasible for an individual.

Another approach for verifying payments which is a little more specialized to the use case is Open Payments. https://openpayments.dev/

Open Payments defines a set of APIs that wallets can expose for a high level API on top of Interledger. This API covers common use cases like retail push/pull payments, and also Web Monetization. One of the resources in Open Payments represents a given Web Monetization Provider, and can be checked to ensure that a given visitor’s provider has paid.

Basically the APIs that you would use for server-side verification are not generally available yet, although they are being used by us at Coil and by Cinnamon Video as proof of concept. Expect updates here soon because it’s really important to us that this is possible. We just want to make sure it’s easy to use and safe, which can take some time.

2 Likes
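To make the shape of the server-side gate concrete, here is an added example that is not code from this thread nor from the web-monetization-access project linked above. It assumes a server-side Interledger receiver exists and calls `recordIncoming` for every packet it accepts (that receiver is the part sharafian says is not generally available yet); the browser's Web-Monetization-Id header is used purely as a lookup key, and nothing the browser reports is ever treated as an amount. The UUID-shaped requestId check is an assumption about the id format.

```javascript
// Added example: server-side content gate keyed on the Web-Monetization-Id.
// Ledger of funds actually received, filled only by the trusted receiver.
const ledger = new Map(); // requestId -> { total: BigInt, assetCode, assetScale }

// Assumed format for requestId: a UUID. Reject anything else before lookup
// so untrusted header values never reach the ledger as arbitrary keys.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function isValidRequestId(id) {
  return typeof id === 'string' && UUID_RE.test(id);
}

// Called by the server's own Interledger receiver (assumed), never by a client.
function recordIncoming(requestId, amount, assetCode, assetScale) {
  if (!isValidRequestId(requestId)) return false;
  const entry = ledger.get(requestId) || { total: 0n, assetCode, assetScale };
  // Refuse to mix assets under one id; a real service would convert instead.
  if (entry.assetCode !== assetCode || entry.assetScale !== assetScale) return false;
  entry.total += BigInt(amount);
  ledger.set(requestId, entry);
  return true;
}

// Has this requestId received at least minUnits (smallest units) so far?
function hasPaid(requestId, minUnits) {
  const entry = ledger.get(requestId);
  return entry !== undefined && entry.total >= BigInt(minUnits);
}

// Request handler: headers is a plain object as Node's http module gives it
// (lower-cased keys). Returns 402 until the ledger shows enough received.
function authorize(headers, minUnits) {
  const id = headers['web-monetization-id'];
  if (!isValidRequestId(id)) {
    return { status: 400, body: 'missing or malformed Web-Monetization-Id' };
  }
  if (!hasPaid(id, minUnits)) {
    return { status: 402, body: 'payment not yet received for this session' };
  }
  return { status: 200, body: 'paid content goes here' };
}

module.exports = { recordIncoming, hasPaid, authorize, isValidRequestId };
```

The decision point is `hasPaid`: it only consults what the receiver recorded, so a visitor who fabricates `document.monetization` events, or who posts an inflated total to a progress endpoint, changes nothing on the server. Expire ledger entries once a session ends, since the thread itself notes the id is a per-session value.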

@sharafian Thank you for the thorough and helpful response!

Good to know Interledger is where the action is happening, that it needs an API that isn’t generally available yet, and that it is being worked on. This is critical for any paid product in which I would consider adding Web Monetization API/Coil as another form of monetization, so I am very much looking forward to its availability.