Skip to content

Releases: decred/dcrstakepool

dcrstakepool 1.2.0

20 Sep 13:06
@davecgh davecgh
v1.2.0
This tag was signed with the committer’s verified signature.
davecgh Dave Collins
GPG key ID: B8904D9D9C93D1F2
Learn about vigilant mode.
625bcd2
Compare
Choose a tag to compare
dcrstakepool 1.2.0 Latest
Latest

dcrstakepool v1.2.0

dcrstakepool release 1.2.0 contains all development work completed since
v1.1.1 (September 2017).
Since then, 20 contributors have produced and merged 160 pull requests.
Changes include a proper interface for handling tickets purchased with insufficient fees,
an overhauled front-end design, security enhancements, updated terminology, reduced
dependencies on third parties, and various bug-fixes.

Warning: dcrstakepool v1.2.0 is not compatible with dcrd/dcrwallet v1.4.0.
dcrd and dcrwallet must be built from the current master or v1.5.0 (when available).

Notable Changes

Low Fee Ticket Handling

A new admin-only page for handling low-fee tickets has been added to the front-end.
This page will list all tickets which have been purchased with an insufficient fee,
and allow the admin to manually add or remove those tickets from the list of
elligible voting tickets. Previously this operation had to be performed manually
by directly manipulating database values.

New front-end design

The web front-end for dcrstakepool has been completely overhauled.
The front-end included in release 1.1.1 was fairly basic in style and functionality.
The design was not of a professional standard, and not consistent with other Decred
software such as Decrediton.
Some VSP operators have built their own front-end for dcrstakepool to help them
stand out against their competitors and offer a better experience for their users.
The intent of this update is not only to bring the design in line with other Decred software,
but also to provide all VSP operators an improved and more even starting point for their front-end.

SMTPS

dcrstakepool depends on an SMTP server to send registration and account recovery emails.
Initial development only supported unencrypted SMTP connections, however various VSP operators
requested support for encrypted SMTPS.
This has been added in release 1.2.0, including support for self-signed certificates.

Disconnect dcrwallet and dcrstakepool

Initial development of dcrstakepool required a direct connection to both dcrwallet and stakepoold.
This architectural decision was not ideal as it increased complexity, increased the quantity of
RPC calls going over the network, and required additional ports to be opened.
This release severs the connection between dcrstakepool and dcrwallet -
stakepoold is now responsible for all interactions with dcrwallet.
As a result, the ports which were previously opened between dcrstakepool and dcrwallet can be closed.

MySQL storage for HTTP sessions

HTTP sessions in dcrstakepool are implemented using gorilla/sessions,
which by default uses a file based storage solution for session cookies.
This release replaces that implementation with a custom MySQL session store.
dcrstakepool will create a new table Session in the MySQL database if it is not already present.
This was done to address several security issues introduced by the default file storage.

  • A user who changes their password or email will now be logged out of all sessions on all devices.
  • Cookies stored in a browser can no longer be used to obtain information after a user has logged out.
  • A session timeout of six hours has also been added.

Self-Hosted CAPTCHA

Google's reCAPTCHA has been replaced with a self-hosted solution implemented in go,
dchest/captcha.
All resources required for CAPTCHA are now hosted locally rather than by a third party.
The front-end included in this release executes no external Javascript at all,
granting a significant boost to user security and privacy.

Security Improvements

  • Cross-site Request Forgery (CSRF) protection has been implemented using
    gorilla/csrf
  • rel="noopener noreferrer" has been added to all external hyperlinks to
    ensure no private data is leaked to third parties
  • Cache-Control HTTP headers are used to prevent sensitive information being
    cached by browsers
  • Error page no longer enables embedding malicious links via URL parameters

Terminology

Various Decred terminology has changed since the last release:

  • "Stakepools" are now known as "Voting Service Providers"
  • The name Decred should no longer be styled as "deCRED"
  • "Paymetheus" wallet is no longer supported and has been superseded by "Decrediton"

Config Changes

Removed

These config items must be removed from dcrstakepool.conf. dcrstakepool will not start if these config items are set.

Config PR Reason
recaptchasecret and recaptchasitekey #281 CAPTCHA is now self-hosted and implemented using dchest/captcha instead of Google reCAPTCHA.

Deprecated

It is recommended to remove these config items from dcrstakepool.conf. dcrstakepool will ignore these config items and log a warning if they are set. They will be removed completely in the next release.

Config PR Reason
wallethosts, walletusers, walletpasswords and walletcerts #470 dcrstakepool no longer contacts dcrwallet directly. All comms are now routed through stakepoold.
enablestakepoold #398 stakepoold is always required. dcrstakepool cannot function without it.
maxvotedage #402 The last N voted tickets are now displayed rather than tickets which voted in the last N days.
minservers #457 This value is now hard-coded. Mainnet requires at least two back-end servers, testnet and simnet only need one.
datadir #507 This value was unused. dcrstakepool does not write any data to disk.

Added

These are new config items added to dcrstakepool.conf.

Config PR Reason
adminuserids #219 Required - enable specific users to access admin functionality
usesmtps #340 Optional - enables secure SMTP
smtpskipverify and smtpcert #486 Optional - configure secure SMTP
maxvotedtickets #457 Optional (default 1,000) - restrict how many voted tickets are displayed on the /tickets page.
description and designation #339 Optional - add a custom designation and description for your VSP

Recommended Upgrade Path

  1. Build dcrstakepool and stakepoold v1.2.0
  2. Build dcrwallet and dcrd from current master or v1.5.0 (when available)
  3. Announce maintenance and shut down dcrstakepool
  4. Perform an upgrade of each back-end server, one at a time
    1. Stop stakepoold
    2. Stop dcrwallet
    3. Stop dcrd
    4. Install latest dcrd binary and start
    5. Install latest dcrwallet binary and start
    6. Install latest stakepoold binary and start
    7. Check log files for warnings or errors
  5. Make required changes to dcrstakepool.conf (detailed above)
  6. Install latest dcrstakepool and start
  7. Announce maintenance complete after verifying functionality

Changelog

Split dcrstakepool and dcrwallet

  • Add ImportScript RPC to stakepoold (#342)
  • Add ValidateAddress to stakepoold RPC (#406)
  • Minor style fixes (#409)
  • Get VoteVersion from stakepoold instead of dcrwallet (#403)
  • Add StakePoolUserInfo RPC to stakepoold (#393)
  • introduce stakepoold connection manager (#381)
  • Move consistency checks and recovery to stakepoold (#437)
  • rpcserver: Add walletConnected method (#494)
  • Disconnect dcrstakepool and dcrwallet (#470)
  • Remove dcrwallet RPC from status page (#469)
  • multi: getstakeinfo grpc (#464)
  • Check wallets are all connected before performing write operations (#463)
  • Autoreconnect (#510)
  • Prevent unnecessary wallet rescans. (#519)

SQL session storage

  • multi: new sql store and session nullification on password change and logout (#410)

Redesign

  • Revamp design (#339)
  • standardise signin/login and signup/register (#363)
  • allow clicks on any part of row, not just checkbox (#367)
  • draw notifications on their own row (#368)
  • Show a message when no tickets to display. (#369)
  • Add block explorer link for low fee tickets (#382)
  • tickets: add link to block explorer (#383)
  • Show ticket info with monospace fon...
Read more
Assets 2
Loading