Denis Angell

XUMM PYTHON SDK: 5. Security & finishing touch 🎉

Previous: 4. Verify the results ⛑ and push 🚀

If you have made it this far, you may want to actually build something (even if it's just a hobby project) using the XUMM SDK. If you do, please VERIFY THE PAYLOAD RESULT ON the XRP LEDGER.

There are two ways to do this: call the sdk.get_transaction(txHash) method, which relies on the XUMM platform to fetch the on-ledger transaction outcome for you, or use the xrpl-py package to verify 'locally'.

By using the xrpl-py package, you can connect to one of the public XRP ledger nodes and verify the transaction. To do so, add the xrpl-py package to your project by entering this in the terminal: pip3 install xrpl-py. You can then verify a transaction as per the package documentation.

Pay special attention to the balanceChanges response.
There are several reasons why you need to check. For example, a payment can yield a different result (e.g. a lower amount sent) than requested!

It is your responsibility to check the transaction outcome returned from the XRP Ledger rather than relying on XUMM telling you that a transaction has been signed. For example, if:

  • The user signed successfully in XUMM, but with a key that is no longer valid for a certain account (because multisign has been configured, an account has been rekeyed, etc.)
  • The user sent a Partial Payment (e.g., sending EUR to deliver XRP, while the owned amount of EUR was insufficient due to exchange rate slippage)
  • The user tried to trick you into accepting a testnet payment, by signing with a funded Testnet account

Please take a look at this sample code, which uses the xrpl-py package to verify on-ledger balance changes for a signed XUMM payload.
```python
#!/usr/bin/env python
# coding: utf-8
import asyncio

from dotenv import load_dotenv
load_dotenv()  # load environment variables from .env before creating the SDK

import xumm
sdk = xumm.XummSdk()

# pip3 install nest_asyncio
import nest_asyncio
nest_asyncio.apply()  # needed to run asyncio inside asyncio

# pip3 install xrpl-py
from xrpl.clients import WebsocketClient
from xrpl.transaction import get_transaction_from_hash

# Public XRPL Testnet node. Connect to a node on the network
# you expect the payment on.
client = WebsocketClient('wss://s.altnet.rippletest.net:51233')


async def main():
    app_info = sdk.ping()
    print(app_info.application.name)

    request = {
        "txjson": {
            "TransactionType": "Payment",
            "Destination": "rwietsevLFg8XSmG3bEZzFein1g8RBqWDZ",
            "Amount": "10000",
        },
        "user_token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    }

    def callback_func(event):
        # Returning a value resolves the subscription.
        print('New payload event: {}'.format(event['data']))
        if 'signed' in event['data']:
            return event['data']

    subscription = await sdk.payload.create_and_subscribe(
        request,
        callback_func,
    )

    print('New payload created, URL: {}'.format(subscription.created.next.always))
    print(' > Pushed: {}'.format('yes' if subscription.created.pushed else 'no'))

    resolve_data = await subscription.resolved()

    if not resolve_data['signed']:
        print('The sign request was rejected :(')
    else:
        print('Woohoo! The sign request was signed :)')

        # Fetch the full payload end result; it carries the transaction
        # hash (txid) that we look up on the ledger.
        result = sdk.payload.get(resolve_data['payload_uuidv4'])

        with client as w3:
            # will fail without nested asyncio
            tx = get_transaction_from_hash(result.response.txid, w3)

        print('DELIVERED AMOUNT: {}'.format(
            tx.result['meta']['delivered_amount']
        ))
        print('RESULT: {}'.format(
            tx.result['meta']['TransactionResult']
        ))
        print('VALIDATED: {}'.format(
            tx.result['validated']
        ))


asyncio.run(main())
```
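As an added example (not part of the original tutorial or the XUMM SDK), the checks listed above can be collected into one function that runs on the ledger response before a payment is accepted. It assumes the `tx.result` shape used in the sample code, with the transaction fields at the top level; `verify_payment` and the sample dicts are constructed for illustration.

```python
from decimal import Decimal

def _same_asset(a, b):
    return a.get("currency") == b.get("currency") and a.get("issuer") == b.get("issuer")

def verify_payment(result, destination, amount):
    """Return a list of problems with an on-ledger payment; empty means OK.

    result: the tx.result dict; amount: drops as a str for XRP, or a
    {"currency", "issuer", "value"} dict for an issued currency.
    """
    meta = result.get("meta") or {}
    problems = []
    if result.get("validated") is not True:
        problems.append("not validated")
    if meta.get("TransactionResult") != "tesSUCCESS":
        problems.append("result: {}".format(meta.get("TransactionResult")))
    if result.get("TransactionType") != "Payment":
        problems.append("not a Payment")
    if result.get("Destination") != destination:
        problems.append("wrong destination")
    delivered = meta.get("delivered_amount")
    if isinstance(amount, str):
        # XRP is a string of drops; a dict here means another asset arrived.
        if not (isinstance(delivered, str) and delivered.isdigit()):
            problems.append("delivered amount is not XRP")
        elif int(delivered) < int(amount):
            problems.append("underpaid: {} < {}".format(delivered, amount))
    elif not (isinstance(delivered, dict) and _same_asset(delivered, amount)):
        problems.append("delivered asset differs from requested")
    elif Decimal(delivered["value"]) < Decimal(amount["value"]):
        problems.append("underpaid: {} < {}".format(delivered["value"], amount["value"]))
    return problems

# Constructed sample responses (not real ledger data), shaped like tx.result above.
DEST = "rwietsevLFg8XSmG3bEZzFein1g8RBqWDZ"
BASE = {"TransactionType": "Payment", "Destination": DEST, "Amount": "10000", "validated": True}
FULL = dict(BASE, meta={"TransactionResult": "tesSUCCESS", "delivered_amount": "10000"})
PARTIAL = dict(BASE, Flags=131072,  # tfPartialPayment
               meta={"TransactionResult": "tesSUCCESS", "delivered_amount": "4200"})
PENDING = dict(FULL, validated=False)

if __name__ == "__main__":
    for name, tx in (("full", FULL), ("partial", PARTIAL), ("pending", PENDING)):
        print(name, verify_payment(tx, DEST, "10000") or "OK")
```

Run it on the response from a node on the network where you expect the payment; a transaction that exists only on Testnet is not found on a Mainnet node.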

That's it! You made it 🎉

Thank you for reading this tutorial! We hope you had fun! If you have questions, suggestions, something to share: our contact details are available at https://xrpl-labs.com :)

Resources 📚

If you want to learn more about the XUMM SDK PY, platform, documentation, etc., make sure to check out:

The XUMM SDK (PY) readme
The XUMM SDK (PY) source code
The XUMM API documentation & API reference
XUMM (end user) support docs
In case of questions: support@xumm.app
Thank you XRP Community!

... For checking, correcting & testing the SDK & tutorial!
@technotip, @calvincs, @wenusch, @alloyxrp, @rippleitinnz, @Ubbah, @enclavia, @WormholeMech, @Chicles_, @3N0RYM, @XrpSpark, @devnullinator, @Vetjes, @kevinking64, @Kujistudios, @nodehash, @4thMadHatter, @Vkumzy, @CarpeDiemXRP, @Hex539, @xrplosion1, @chemical_realm, @RossMacFirdeen
