Donation Store - V2.5 Released (New UIs, Discord Integration) Self Hosted Webstore & Helpdesk

Discussion in 'Server & Community Management' started by MCxJB, Jul 18, 2017.

  1. Be sure to follow us on Twitter @donationstoremc for smaller updates, but as mentioned above, most of our updates come through Discord. You can also follow us on our Discord:

    https://discord.gg/vsgeqp


    Thanks,
    Mark
     
    #1 MCxJB, Jul 18, 2017
    Last edited: Oct 22, 2020
  2. Woah! :eek:
    Sounds super cool! Are there premium and paid plans to get extra features?
     
  3. Thanks for the comment! As with version 1, it is a single end-user license, paid once. All features will be included and there will be no restrictions. There may be an unbranded option. A subscription will be available for continued support and updates!

    Also note there are a lot more features in development that haven't been implemented yet. Secret stuff for the moment lol
     
  4. MikeA (Retired Moderator): Looks great, the CodeCanyon demo is broken though, wrong link I guess, so you might want to update that. I'm not a fan of the basic Bootstrap style, but that can always be changed by the user.
     
  5. Thanks for the comment! Thanks for pointing that out. It didn't get brought over when we moved hosts. I will set one up soon.

    As for the theme, I wanted to work on the technical side of things, keeping the cosmetics, as you said, open to the user. It can all be changed with just HTML and CSS, because the templating engine abstracts the functional code from it.
     
  6. Amazing! If it's affordable, I'll be sure to consider it for my network :)
     
  7. Thanks for the comment :) It will be! Especially for what you are getting.
     
  8. New development update live on the Donation Store site at: http://donationstore.net/blog

    All information and potential release date is discussed.
     
  9. I'm actually interested in this, and that doesn't happen quickly ;)

    I have a few questions.
    • What about security? We're talking about something pretty sensitive here: customer data, financial data, etc. A panel such as this should be absolutely waterproof. Can you tell me something about its security?
    • The main disadvantage I have with Buycraft or Enjin is that it forces payment providers on you. I even had the idea of making a custom Magento store instead of Buycraft or Enjin so I could use my own payment gateways. I, for the love of god, hope so badly that you will add (or maybe have already added) the ability to choose any payment provider you want. Can you give me some information about what you think about this?
    • Is this open or closed source?
    • Is there any info on pricing?
    EDIT: I just also noticed that the copyright URL in the panel links to donationstore.com, while the actual domain is .net, lol.
     
  10. Hey MrDienns! Thank you for your reply. I am really happy that this has taken your interest. I am more than happy to answer your questions, here are the answers:

    1. Security is the number one priority with Donation Store. Keeping sensitive information safe is really important. Sensitive information like passwords uses the PBKDF2 algorithm with a SHA-256 hash in order to prevent any information being leaked. All other information that you described is stored in a SQLite database (as this is what Donation Store uses to store data). To keep this fully secure, its permissions are set appropriately and it is kept out of any directories an attacker may be able to access. In the future we may use some sort of symmetric encryption to increase the security of the connections. With this we offer two-factor authentication, which deters any attackers. We as developers can never guarantee fully waterproof applications, as no web application is completely protected, but we can provide certain things that will deter them.
    2. Out of the box Donation Store will support 4 payment gateways: PayPal, Stripe, Paymentwall and Braintree. As you can imagine, it is completely unrealistic for us to provide support for every single payment method out there. For this reason the endpoint for finalising a transaction is left open. The 4 gateways we support are just to start; there will be a lot of documentation written that will show you how to get your payment gateway of choice integrated into Donation Store.
    3. It is closed source. It will be licensed to users and they are free to edit the HTML, CSS and the backend source code as long as it does not affect the way Donation Store protects information, licenses itself and provides its main features. Any customisations to Donation Store are at their own risk and we are not liable for damages caused by bad editing or deletion of source code.
    4. For now pricing is still up in the air. It will most likely be a one-off fee for the script and a small monthly fee for larger networks, which allows us to maintain a constant relationship in terms of support and updates. For example, the one-off fee may only give you 6 months of support and 6 months of updates in the current generation, but a continued small monthly fee allows us to continue to offer you support and updates.


    Thank you so much for noticing that. The next revision of Donation Store will be released for demo soon and it will be fixed in that.



    Thanks so much again for your comment, and if you have any further questions please ask them here, or if you need more information in private you can email me at: [email protected] or join our Discord, which can be found on our website!
     
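    Post 10 says passwords are stored with PBKDF2 and a SHA-256 hash. The block below is an added example, not Donation Store's code: it shows what a salted, iterated PBKDF2-SHA256 password record looks like and how verification and work-factor upgrades are done, using only the Python standard library. The stored string layout (`pbkdf2_sha256$iterations$salt$base64hash`) mirrors the format Django's default hasher writes; the iteration count, salt length and the sample passwords are assumptions for the demo, not settings taken from the project.

```python
import base64
import hashlib
import hmac
import secrets
import string

ALGORITHM = "pbkdf2_sha256"
# Assumption for the demo: a modern work factor. Donation Store's actual
# iteration count is not stated in the thread.
DEFAULT_ITERATIONS = 600_000
_SALT_ALPHABET = string.ascii_letters + string.digits


def make_salt(length=22):
    """Random alphanumeric salt; '$' is excluded so it cannot break the record format."""
    return "".join(secrets.choice(_SALT_ALPHABET) for _ in range(length))


def hash_password(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<base64 digest>'.

    The salt makes identical passwords hash differently, the iteration count
    makes each guess expensive, and the stored record carries both so the
    parameters can be raised later without a flag day.
    """
    if salt is None:
        salt = make_salt()
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("ascii"), iterations
    )
    encoded = base64.b64encode(digest).decode("ascii")
    return f"{ALGORITHM}${iterations}${salt}${encoded}"


def verify_password(password, encoded):
    """Recompute with the record's own salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt, stored = encoded.split("$", 3)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: treat as a failed login, never as a match
    if algorithm != ALGORITHM:
        return False
    candidate = hash_password(password, salt, iterations).split("$", 3)[3]
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(candidate, stored)


def needs_rehash(encoded, iterations=DEFAULT_ITERATIONS):
    """True if the record uses a weaker work factor than the current policy
    (re-hash at the next successful login, when the plaintext is available)."""
    parts = encoded.split("$", 3)
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

    Two points worth checking in any store that claims PBKDF2: the salt must be per-record (two users with the same password must get different records), and verification must read the iteration count from the record rather than from a global constant, otherwise old records break the moment the policy is raised.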
  11. You say security is top priority; however, just by using the demo I already found a few severe/critical security exploits that can be used to hack the website or any information in the database. I've joined your Discord server. I'll inform you about some of the issues I've found already...

    UPDATE: Talked to Mark (Owner & Lead Developer) about the issue I found. We are not yet able to disclose whether what I found was a security issue. Most likely we are looking at a simple bug that has to do with the Mojang API when loading skins.
     
    #11 MrDienns, Aug 24, 2017
    Last edited: Aug 24, 2017

  12. What is Donation Store?
    So if you haven't seen it before, Donation Store is the world's first self-hosted webstore and helpdesk for Minecraft servers. Like other market leaders, Donation Store offers the same (and more) features that they all offer; however, Donation Store is self-hosted, meaning that customisation is infinite. Not only is customisation a huge factor of Donation Store, but so is the fact that you choose where it is hosted and manage it yourself. You also do not have to pay monthly fees, just a one-off fee that has been constructed and priced based on market research from multiple competitors.

    Why make another platform for this?
    Originally Donation Store was a small, minimal-featured PHP script that I created a couple of years ago that is for sale on CodeCanyon. I thought I would leave it there, but I was swamped with a huge amount of emails from people in the community asking me to add certain features that they needed (more gateways, customer chooses price, etc.). However, I got fed up with using vanilla PHP as I was not seeing satisfactory returns for the amount of effort I put in. Because of this I decided that it would make more sense to create a new piece of software from scratch using different technologies, so I did!

    Why are you telling us this?
    Well, Donation Store has actually been in development for nearly a year. The first commit was on the 1st of June 2017, and development continues. Recently I have been contacted asking when it is going to be released and normally I have pushed it off saying "soon"; however, I can now give a confirmed date as to when Donation Store will be released.

    Donation Store will be available for immediate download on 22nd June 2018.

    So what comes with this?
    You can see a full list of features at https://donationstore.net/features. However alongside the release of Donation Store we will be releasing a few other things too.

    The Donation Store Addon Developer Program allows people just like you to develop (for now) themes and templates for Donation Store and sell them on the Donation Store addon store. These can then be applied to anybody's store when they purchase them. Right now we are unsure as to how this will work, but it will either be a rolling subscription or a cut taken from each sale, and in return you will receive the Donation Store SDK and all HTML and CSS files that come with Donation Store for customisation. Applications for this will be rolled out a couple of weeks after Donation Store releases.

    With this we have also planned a number of addons that we feel will work really well with Donation Store. One of them is a Vote Manager for your webstore, which will allow you to add a voting module (like the old Vote4Diamonds module) onto your site. It will also come with a Votifier listener that will do things that you schedule it to do on the web app, like reward players with packages, give them coupons, give them virtual currencies, etc. It will also come with a notification system that will notify visitors to vote for rewards. It will finally give statistics on votes.

    As of now there is one final idea, which involves the social aspect of Minecraft. It is not in development currently, but we are playing with ideas. Some ideas are achievements and social profiles, which will be integrated with the core Donation Store plugin.

    All these addons will be coming after the release of Donation Store. But once Donation Store has been released development will not stop. We will be ironing out any bugs that people bring to our attention, but also we will be implementing new requested features that may have been left out upon release.

    How do I keep updated?
    The best way to keep updated is to join our Discord server, the link to which can be found at the top of this post. By registering on the Donation Store site you will also get less frequent but more important updates as they come out.

    Also, there will be a demo of the current version of Donation Store released in the next couple of days!

    If you have any questions please drop them below or you can contact us at https://donationstore.net/support. All non technical questions can go to sales.

    More in depth information about features etc can be found at our blog post: https://donationstore.net/blog/6
     
  13. Happy to see that this project is finally taking an almost finished shape. I have a few questions:

    • In case of security breach and data leak, who is responsible for it? For Buycraft, it would probably be them. However, since this is self hosted, is the blame put on us, or does it depend on where and how the breach happened? (better safe than sorry)
    • How scalable is this? If I need to deploy this 10 times to load balance it, would that be properly possible? Mainly the processing of orders that is.
    • Is there an API available? If so, how "hackable" is the application? If I need to replace major parts of the software to, for example, make it more scalable, is this possible and allowed?
     
  14. Hey MrDienns,

    Nice to see you again! I'll answer your questions the best I can.

    1. If you go to https://donationstore.net/features/ and look under security, you will see the list of security features that come with Donation Store as standard. These are to ensure that security breaches and data leaks do not occur. Having said that, once the software is hosted by you, it is your responsibility to take any security measures that are recommended by us. For example, we intend to always make users implement SSL on their sites straight away upon setting up their stores. It's free and with our platform can be installed effortlessly. We also recommend hosting your application with a provider that can ensure its security and also provides a firewall and adequate DDoS protection. A provider like DigitalOcean is a good example. Once it is out of our hands there's very little we can do, but we can provide software that is safe and secure.
    2. Donation Store is built on the Django framework, and it is well known for being VERY scalable. Straight away you can look at sites like Eventbrite, Bitbucket or Disqus; they are all created with Django and serve millions of requests every day! For more information about Django's scalability check this out: https://www.quora.com/How-scalable-is-Django. It describes how Django applications are very scalable horizontally and can be deployed whenever you need them.
    3. The only API it comes with is the REST API it uses for sending commands to the servers. It also connects with the donationstore.net API to get updates and also global ban data, etc. As far as customisation goes, you can customise it to your heart's content, both visually and in the backend. Most of the code has been written to be quite simple, and Python itself is a very human-readable language. Right now there are no guides to change massive parts of the code; the only way you could do so is if you were fairly comfortable with Python and basic web technologies like MVC. It is a very easy thing to pick up, and we will be here for all customers when they try to develop/customise their applications. However, you must understand that if a user chops and changes code, it is very hard for us to figure out why certain errors may be arising. Nevertheless, all distributed copies of Donation Store are enabled with our Sentry in order for us to debug and spot errors when they happen, without needing people to submit them to us first.
    I hope that answers your questions!

    Thanks
     
  15. Thanks for the proper reply.

    I know you guys spent much time on security and actually used a framework that should be secure pretty much by default. However, I'm asking what happens if a data leak happens. For example, you guys missed an SQL injection or XSS thing somewhere (it may be unlikely, but just imagine someone forgot) and it causes my shop to be hacked and personal data of thousands of people got leaked. Assuming everything else is setup as good as can be (also the environment) and it's purely a code (no modification) fault that caused the security leak. Who is to blame in this case?

    I have not checked out any of the code yet (I haven't been able to since I have not (yet) purchased anything), but my main scalability concern is not the frontend, but the back end. Scaling frontend is easy, have several webservers serve the same application and put some load balancers on it. However, I'm more interested in the backend of things. For example, I assume somewhere the order goes on a pending state (until a transaction is confirmed for example), or certain commands need to be executed. In terms of scalability it would be smart to have a separate frontend and backend part of the application.

    Here's why: Let's say I have tens of thousands of customers and an enormous amount of orders a day. I want to scale this to be able to handle all of these orders. Scaling the frontend is easy as you already also said yourself. However, let's take the following example: We have 5 webservers serving the webshop. I place an order on a random one of these due to the load balancing, for example server #3. The order goes in pending due to the user using a certain payment method that's a little slow, or something else causes the order to be slowed down (for example an outage on our MC servers). This means that webshop instance #3 created the order and put a pending status on it (or something similar). How do the other webshop instances respond to this? I don't want 5 instances constantly trying to resolve the pending state on this order, causing commands to be executed 5 times for example. It would be nice to have a scalable backend for order processing which is completely separate to the frontend, to prevent issues like this.

    How does this work in donation store? Is this an issue which is yet to be taken care of or have you guys solved it in a different way?

    Could you give me an example of backend customization? For example, one thing I dislike about Buycraft is that you can only use Minecraft-related fields (maybe the enterprise plan is different), your MC username for example. I also want to fill out my XenForo user to get a rank there, or maybe a Discord user to also get a rank on Discord. Would this be possible? Adding custom fields and actually applying custom logic to them (like validating the Discord & XenForo user)?
     
  16. The thing about Django is that its protection against SQL injection, XSS and CSRF is not controlled by me. Most of what happens with security in Django comes from the middleware that the framework comes with. For example, we do not write raw SQL queries with Donation Store. Having said that, you can write them, but we do not. When we want to interact with a database (for example to get all of the orders on a particular web store), we would do something like this:

    Code (Text):
    # Django ORM: no SQL text is written by hand; the ORM builds the query.
    context = {
        'orders': Order.objects.all()
    }
    Because of this, Django uses its own ORM in order to sanitise this input, even if we use a parameter given by the user; for example, in this query we could use the transaction ID sent by an HTML form:

    Code (Text):
    # The user-supplied value is passed to filter() as a keyword argument;
    # the ORM binds it as a query parameter rather than splicing it into SQL.
    context = {
        'orders': Order.objects.all().filter(transaction_id=request.POST['transaction_id'])
    }
    If a potential data leak can be traced back to poor coding on our part, then yes, we will be the ones responsible and a fix would be issued effective immediately. However, if the code is modified by a user in any way and a breach occurs, then yes, the issue is their fault. We can only lend support to people who have not touched the code we provide, as any changes to what we have written may break the code unless somebody knows what they are doing.


    From what you have stated this is a feature that is out of the reach of the current version of Donation Store. Like most right now the application can be expanded over many servers however when it comes to creating a dedicated application that deals with awarding commands the current version cannot be expanded to that. From what I have read in your description this is the kind of architecture you are looking for:

    [image: architecture diagram]
    Note each webstore is a new instance of the Donation Store application on a different server (not a new webstore within the same application). Donation Store's "Command Awarding" application is built into the main application; to extract that from the application and run it once or even multiple times over multiple instances would require a rewrite of the Donation Store application. It would require separate applications to be run on multiple servers. As of now we have not developed this as, to be honest, we never knew there was a demand for an architecture this large. But in time, if we found that there was a demand, we would most certainly try to implement it as an enterprise system.

    Right now that is not a default feature of Donation Store, but thank you for letting me know; that's a really awesome feature that I would love to integrate as a default (I've added it to our Trello board lol). But I can give you a code example that could be a quick "hackable" way to implement such a feature with the current Donation Store:

    For this example I'm just going to use a basic Stripe implementation that we use (you could use PayPal or Paymentwall too!):
    Code (Text):
    import stripe  # Stripe's Python SDK; the API key is assumed to be configured elsewhere

    # Charge the user's card (Stripe amounts are in the smallest currency unit, e.g. cents):
    charge = stripe.Charge.create(
        amount=int(request.session['cart_total'] * 100),
        currency=webstore.currency.lower(),
        description=webstore.name + ' Purchase',
        source=token,
    )

    # Check the package (example ID for, let's say, a VIP rank) and that the charge actually went through
    if package.id == '23214' and charge and charge['paid']:
        # Execute real commands or contact a webhook/API for Discord etc.
        pass
    I hope that helps and thanks for the external commands idea!
     
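    Post 16 rests on one point: an ORM `filter()` binds the user's value as a query parameter instead of pasting it into SQL text. The block below is an added example, not code from Donation Store or from Django; it reproduces the transaction-ID lookup from the post against a constructed in-memory SQLite table (the thread says Donation Store uses SQLite), once with string formatting and once with parameter binding, so the difference in behaviour on a hostile input is visible. Table layout, sample rows and the payload are all made up for the demo.

```python
import sqlite3

# Constructed sample data (not from Donation Store): three orders for two customers.
SAMPLE_ORDERS = [
    (1, "txn-1001", "alice", 9.99),
    (2, "txn-1002", "bob", 4.50),
    (3, "txn-1003", "alice", 19.99),
]


def make_db():
    """In-memory SQLite database shaped like a minimal orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, transaction_id TEXT, "
        "customer TEXT, amount REAL)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def lookup_orders_unsafe(conn, transaction_id):
    """VULNERABLE on purpose: the user-supplied value is spliced into the SQL
    text, so a quote in the input changes the structure of the query."""
    sql = f"SELECT id FROM orders WHERE transaction_id = '{transaction_id}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_orders_safe(conn, transaction_id):
    """Parameterised: the value travels to SQLite separately from the SQL text
    and can only ever be compared as a string. This is what an ORM filter()
    like Order.objects.filter(transaction_id=...) does under the hood."""
    sql = "SELECT id FROM orders WHERE transaction_id = ?"
    return [row[0] for row in conn.execute(sql, (transaction_id,))]


def demo():
    """Run both lookups with a legitimate ID and with a tautology payload."""
    conn = make_db()
    legit = "txn-1002"
    hostile = "nothing' OR '1'='1"  # constructed payload: closes the quote, adds OR '1'='1
    return {
        "unsafe_legit": lookup_orders_unsafe(conn, legit),
        "unsafe_hostile": lookup_orders_unsafe(conn, hostile),  # every order leaks
        "safe_legit": lookup_orders_safe(conn, legit),
        "safe_hostile": lookup_orders_safe(conn, hostile),      # no match, as intended
    }


if __name__ == "__main__":
    for name, ids in demo().items():
        print(f"{name:15s} -> {ids}")
```

    The thing to audit in a Django code base is therefore not `filter()` calls but the escape hatches: `Model.objects.raw()`, `QuerySet.extra()` and `connection.cursor().execute()` are only safe when the values are passed as the `params` argument, and any use of `%` or f-strings to build the SQL string puts the application back on the unsafe path shown above.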
  17. clip (Benefactor): Nice to see someone else who uses Django. Your project looks promising.
     
  18. Thank you again for the answers. The image scheme you created pretty much describes what I'm looking for, yes. Maybe a tip, which would solve several "issues" I would face with this webstore right now, is to expand the API. For example, let us implement our own backend. Create webhooks or some kind of event system which allows us to process the order in our own way, on our own backend systems, when needed. This may save time on your end (by creating the option to disable (or simply not use) the default backend of Donation Store and create a bunch of webhooks/events so people can make their own). This improves the API too. Kind of a win-win :p

    Edit: Actually, I think just a few simple webhooks on certain events (order created, order changed, etc) would suffice perfectly fine.
     
    #18 MrDienns, May 4, 2018
    Last edited: May 4, 2018
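    The failure mode MrDienns describes in post 15 (five load-balanced instances all seeing the same pending order and running its commands five times) and the "process the order on your own backend" idea in post 18 both come down to one mechanism: whoever processes an order must first claim it with an atomic, conditional state transition. The block below is an added example, not Donation Store code; it simulates the race on a constructed in-memory SQLite orders table, where every instance polls, sees the same pending orders, and then all of them try to process each one. Worker names, the table layout and the commands are made up for the demo.

```python
import sqlite3

# Constructed sample data (not from Donation Store): three paid orders whose
# in-game commands have not run yet.
PENDING_ORDERS = [
    (101, "alice", "give alice vip"),
    (102, "bob", "give bob diamond 64"),
    (103, "carol", "give carol vip"),
]

WORKERS = ["web-1", "web-2", "web-3", "web-4", "web-5"]  # five load-balanced instances


def make_db():
    """In-memory SQLite stand-in for the orders table all instances share."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, player TEXT, command TEXT, "
        "status TEXT NOT NULL DEFAULT 'pending', claimed_by TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders (id, player, command) VALUES (?, ?, ?)", PENDING_ORDERS
    )
    conn.commit()
    return conn


def claim_order(conn, order_id, worker):
    """Atomically move one order from 'pending' to 'processing'.

    The WHERE clause is the guard: only an UPDATE that still sees
    status = 'pending' changes the row, so exactly one instance wins even
    when several try at once. rowcount tells the caller whether it won.
    """
    cur = conn.execute(
        "UPDATE orders SET status = 'processing', claimed_by = ? "
        "WHERE id = ? AND status = 'pending'",
        (worker, order_id),
    )
    conn.commit()
    return cur.rowcount == 1


def finish_order(conn, order_id):
    conn.execute("UPDATE orders SET status = 'done' WHERE id = ?", (order_id,))
    conn.commit()


def simulate_race(conn, workers):
    """Every instance polls and sees the same pending orders, then all of
    them try to process each one. Returns (executions, claim_attempts)."""
    pending = [r[0] for r in conn.execute("SELECT id FROM orders WHERE status = 'pending'")]
    executions = []  # (order_id, worker, command): stand-in for sending the command
    attempts = 0
    for i, order_id in enumerate(pending):
        # Rotate the starting instance so a different one reaches each order first.
        for worker in workers[i:] + workers[:i]:
            attempts += 1
            if not claim_order(conn, order_id, worker):
                continue  # lost the race: another instance owns this order now
            command = conn.execute(
                "SELECT command FROM orders WHERE id = ?", (order_id,)
            ).fetchone()[0]
            executions.append((order_id, worker, command))
            finish_order(conn, order_id)
    return executions, attempts


def demo():
    return simulate_race(make_db(), WORKERS)


if __name__ == "__main__":
    executions, attempts = demo()
    print(f"{attempts} claim attempts, {len(executions)} commands executed")
    for order_id, worker, command in executions:
        print(f"order {order_id} run once by {worker}: {command}")
```

    Fifteen claim attempts produce exactly three executions, one per order. The same guard is one line in the Django ORM, `Order.objects.filter(pk=order_id, status='pending').update(status='processing')`, whose return value is the number of rows changed; on PostgreSQL or MySQL a `SELECT ... FOR UPDATE SKIP LOCKED` inside a transaction does the same job for a queue that many workers drain concurrently. Whatever the database, the rule is that the command runs only after the claim succeeded, never merely because the order was observed to be pending.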
  19. If you go to the features page and click on the “Launch” tab at the bottom of the box it says “optimisation”.
     
  20. Thank you I appreciate it. I feel Django is perfect for this!