Merge pull request #103 from crowdtainer/081223

Display legalcontractURI, read from smart contract's campaing data, to the frontend.

README.md

@@ -28,11 +28,11 @@ cp .env.example .env
 
 ### Projects & Legal texts
 
-Edit the projects.json file (src/routes/Data/projects.json) accordingly to inform the frontend about which campaigns should be displayed.
-The Vouchers721Address is obtained during smart contract deployment. Then each new Crowdtainer project generates an 'id' which should be referenced in the file.
+Edit the projects.json file (src/routes/Data/projects.json) accordingly to configure which campaigns should be displayed and available.
+The Vouchers721Address is obtained during smart contract deployment (the address of the Vouchers721 contract, which acts as the 'entrypoint' for multiple campaigns). Then each new crowdtainer campaign project generates an 'id' which should be referenced in the projects.json file.
 
 ```bash
-# Enter projects to be displayed in:
+# Configure projects to be displayed in:
 src/routes/Data/projects.json
 
 # Edit the privacy policy and other custom pages accordingly:
@@ -44,9 +44,9 @@ src/routes/Legal/Terms/+page.svelte
 src/lib/strings.ts
 ```
 
-The productConfiguration defined in projects.json is used to build the product selection UI automatically, by aligning the product name in the deployed campaign (smart contract side), with the description/delimiters defined in product configuration.
+The productConfiguration defined in projects.json is used to build the product selection UI automatically, by aligning the product name in the deployed campaign (smart contract side), with the description/delimiters defined in product configuration on the frontend.
 
-For example, a project deployed with the following parameters: 
+For example, a campaign deployed to the blockchain with the following parameters: 
 
 ```ts
 await vouchers721.createCrowdtainer(
@@ -64,7 +64,7 @@ await vouchers721.createCrowdtainer(
     );
 ```
 
-And with the following configuration in projects.json:
+Along with the following configuration in projects.json (web application):
 
 ```json
 "productConfiguration": {
@@ -75,7 +75,6 @@ And with the following configuration in projects.json:
 
 Will generate an interface similar to the following:
 
-
 <img src="static/images/docs/productSelection.png" alt="Crowdtainer" height="328px"/><br />
 <br />
 
@@ -117,7 +116,7 @@ brew install redis # MacOS; For other OS's see: https://redis.io/docs/getting-st
 ```
 
 ---
-### To start a development server:
+### To start a development environment:
 
  Run redis server:
  ```bash
@@ -161,7 +160,7 @@ More details [here](https://kit.svelte.dev/docs/adapter-node)
 
 # Plugins
 
-The plugins folder contains services that can be run separately from the frontend (only a connection to the same redis db is required).
+The plugins folder contains optional auxiliary services that runs separately from the frontend (only a connection to the same redis db is required).
 
 ## Mailer service (verification codes)
 - The e-mail worker sending verification codes (joining with signature) can be executed as follows:
@@ -188,9 +187,12 @@ docker compose --env-file plugins/notifications/.env  up --build -d mailer
 ```
 Note: be careful to not expose the redis port to the internet (unless authenticated/encrypted). When docker compose is used, the redis port remains isolated and shared only between the required services.
 
-## WooCommerce integration (order creation from successfull campaigns)
+## WooCommerce integration (invoice / order creation after successfull campaigns)
+
+This plugin helps with the "check out" workflow, by integrating with Wordpress' plugin WooCommerce. One reason to use WooCommerce is to take advantage of the existing open source ecosystem in E-commerce and avoid reimplementing existing functionality with regards to fulfillment, stock management, invoicing, tax, accounting, etc. It checks for work in a redis queue, checks its validity against blockchain state (to verify participation proof), and creates the respective orders in WooCommerce with the production selection (and if enabled, apply discount codes for projects with referral enabled).
+Plugins for other e-commerce platforms can be easily created based on this plugin, by changing the REST api call with a new request format.
 
-This plugin helps with the "check out" workflow, with integration with Wordpress plugin WooCommerce. A reason to use WooCommerce is to take advantage of the existing ecosystem thus avoiding 'reinventing the wheel' when it comes to fulfillment, stock management, invoicing, tax, accounting, etc. Please see all files under:
+Please see all files under:
 
 ```sh
 cd plugins/woocommerce/
@@ -201,9 +203,15 @@ cd plugins/woocommerce/
 ```
 ---
 
+## Security Policy and Vulnerability Reporting
+
+Please refer to [Security Policy](https://github.com/crowdtainer/dapp-web/blob/main/SECURITY.md) for detailed information about how to report vulnerabilities in this codebase.
+
+---
+
 ## Known issues
 
-- Typechain (our tool to generate bindings between EVM/Solidity ABI and typescript) has a bug where it generates a few imports wrongly (without typescript's "type" specifier). For this reason, these files are not git ignored (included in the '.gitignore' list), so that we can quickly revert changes done by the generator.
+- Typechain (our tool to generate bindings between EVM/Solidity ABI and typescript) has a bug where it generates a few imports wrongly (without typescript's "type" specifier). For this reason, these files are not included in the '.gitignore' list, so that we can quickly revert changes done by the generator.
 
 ---
 
@@ -222,7 +230,7 @@ cd plugins/woocommerce/
         - Use `Crowdtainer.crowdtainerState()`.
     - ✅ If active, percentage of goal so far (progress bar).
         - Use `Crowdtainer.totalValueRaised()` and `CampaignData.targetMinimum().` to calculate percentage.
-    - ◻️ IPFS/Swarm hash which points to the legal sale contract agreement documents.
+    - ✅ IPFS/Swarm hash which points to the legal sale contract agreement documents.
 
 ### As a participant
 
@@ -287,7 +295,6 @@ cd plugins/woocommerce/
     - Use `Crowdtainer.claimRewards()` method.
 ##### Out of scope for MVP:
 
-- ◻️ Service to set ERC-721's status as 'claimed' for token ids which had its order created/confirmed.
-- ◻️ "Download Invoice" button
-- ◻️ Browser-side encryption (asymmetric, using service provider's PubKey) before pushing sensitive data to redis.
-- ◻️ Support for multiple deployments, each on potentially different chainIDs.
+- ◻️ Support for multiple deployments, each on potentially different chainIDs.
+- ◻️ Service to set ERC-721's status as 'claimed' on-chain, for token ids which had its order created/confirmed.
+- ◻️ In cases where it is desired to host this web application with a third party server (such as Cloudflare, Vercel, etc), in order to not have to trust them, it is better protect sensitive information such as delivery address by doing E2E encryption between the Browser (client-side) and the service provider before pushing the data to redis dabatase, by applying asymmetric encryption using service provider's PubKey, then decrypting the data at the service provider premises.

SECURITY.md

@@ -0,0 +1,14 @@
+# Security Policy
+
+## How to disclose a vulnerability to us
+
+### The wrong way to disclose
+
+1. Filing a public ticket mentioning the vulnerability
+2. Testing the vulnerability on the mainnet or testnet
+
+### The right way to disclose
+
+For vulnerabilities in any of our smart contracts, websites, email servers or non-critical infrastructure, please email us at [dev@barterfly.de](mailto:dev@barterfly.de). 
+
+We appreciate detailed instructions for confirming the vulnerability.

plugins/woocommerce/README.md

@@ -11,7 +11,7 @@ A reason to use WooCommerce is to take advantage of the existing ecosystem thus
 
 > It is crutial that the conversion rate is correct for each product: e.g.: in Germany, set the  EUR price equivalent to the USDC amount for each product based on the moment where "getPaidAndDeliver()" method has been called on the smart contract. As always, consult a local tax advisor before doing anything.
 
-> Future work may also include automatically creating the products in WooCommerce based on smart contract data, but this is NOT a feature of the current "MVP".
+> Future work may include automatically creating the products in WooCommerce based on smart contract data, but this is NOT a feature of the current "MVP".
 
 ### Process Description
 
@@ -25,7 +25,7 @@ After a crowdtainer project has been successful, an "order/delivery" process can
 6. A thank you message is shown to the user, who is informed that the service provider's order acceptance will arrive soon by e-mail with the respective invoice.
 7. In the project's web page, the "Check out" button disappears, and the user is presented with the message: "Your order has been received and is being processed."
 
-All steps above happens outside this plugin. If they are successful and the final state (7) is reached, a 'job' had been created in the database, to be processed by this plugin. This is the point where this module's work starts.
+All steps above happens in the SvelteKit Crowdtainer web app, outside this plugin. If they are successful and the final state (7) is reached, a 'job' had been created in the database, to be processed by this plugin. This is the point where this module's work starts.
 
 ### Order creation service
 
@@ -35,7 +35,7 @@ After a connection to the redis database and the WooCommerce site can be establi
 2. An order is created via API on the given WooCommerce instance (as defined in the environment variable).
 3. If the order is successfully created in WooCommerce, the delivery job is deleted from the redis database.
 
-Each Wordpress/WooCommerce installation can be freely configured to react to the order creation. Usually this will eventually trigger creation and dispatch of the invoice PDF e-mail.
+Each Wordpress/WooCommerce installation can be freely configured to react to the order creation. Usually this will eventually trigger creation and dispatch of the invoice PDF e-mail (by WooCommerce).
 
 
 ## Installation / running without docker

src/lib/Model/CrowdtainerModel.ts

@@ -25,6 +25,7 @@ export type CrowdtainerStaticModel = {
 	tokenVersion: string;
 	signer: string;
 	referralRate: BigNumber;
+	legalContractURI: string;
 }
 
 export interface SplitSelection { 

src/lib/ProjectDetails.svelte

@@ -41,18 +41,18 @@
 
 <div class="">
 	<!-- <div class="flex justify-center"> -->
-		<button
-			on:click={() => {
-				visibilityToggle();
-			}}
-			class=" w-auto"
-		>
-			{#if visible}
-				⬇ Details
-			{:else}
-				➡ Details
-			{/if}
-		</button>
+	<button
+		on:click={() => {
+			visibilityToggle();
+		}}
+		class=" w-auto"
+	>
+		{#if visible}
+			⬇ Details
+		{:else}
+			➡ Details
+		{/if}
+	</button>
 	<!-- </div> -->
 
 	{#if visible}
@@ -257,13 +257,27 @@
 							</span>
 						</td>
 					</tr>
+
+					<!-- Terms and Conditions -->
+					<tr class="even:backdrop-brightness-75">
+						<td class="p-1">Terms and Conditions:</td>
+						<td class="pr-4">
+							<span class="inline-flex items-baseline">
+								{#if campaignStaticData.legalContractURI && campaignStaticData.legalContractURI != ''}
+									<span>{campaignStaticData.legalContractURI}</span>
+								{:else}
+									<span>Unspecified</span>
+								{/if}
+							</span>
+						</td>
+					</tr>
 				</table>
 			</div>
 		</div>
 		<!-- <div class=''> -->
 		<span class="text-sm inline-flex items-baseline m-4 max-w-xs"
 			>Note: The unique identifier is composed of: ChainID, Vouchers721, and CrowdtainerID</span
-		> 
-	<!-- </div> -->
+		>
+		<!-- </div> -->
 	{/if}
 </div>

src/lib/ethersCalls/fetchStaticData.ts

@@ -85,7 +85,8 @@ export async function fetchStaticData(crowdtainerId: BigNumber): Promise<Result<
          tokenName: await ERC20Contract.name(),
          signer: await crowdtainerContract.getSigner(),
          referralRate: await crowdtainerContract.referralRate(),
-         tokenVersion: jsonData[0].tokenVersion
+         tokenVersion: jsonData[0].tokenVersion,
+         legalContractURI: await crowdtainerContract.legalContractURI()
       }
 
       crowdtainerStaticDataMap.set(crowdtainerId.toHexString(), crowdtainerData);