xgov-195-arcpay.md

[Wild-er]

First draft of Arcpay xGov proposal.

[gabrielkuettel]

Hi @Wild-er - I'm with the DevReal team at Foundation reviewing the technical deliverables of your proposal. Before proceeding, I have some feedback and questions:

Note: I tested all the features on TestNet.

Documentation:

The documentation is well organized and written clearly, but some areas could use expansion:

1. Please add an explanation of the "status" field (Active, Pending, Canceled, Closed) and how to manage listing states.
2. In the SDK initialization examples, please demonstrate initialization on both Algorand and Voi networks.
3. Please document frequently mentioned interfaces, like the Listing interface.

Dashboard/UI:

I successfully tested several features, including authentication, creating organizations, managing members via invitations, generating API keys, and generating listings. However, ran into issues with the following:

1. When testing the Buy flow, the "Buy" button is missing from the modal. Maybe because my listings were in a pending state? Would be helpful to document what this means and how to promote a listing from pending to active (as mentioned above).
2. Images for NFTs (in my case arc3) did not load in the listing creation or buy modal.
3. Because I was unable to complete the buy flow, I could not evaluate the dashboard's transaction and metrics display features.

Security:

When initializing the SDK in a browser environment, any API keys included in the client-side code are exposed to users. While you're restricting requests by domain, keep in mind that if you're checking the origin header of the request, this can be spoofed using a reverse proxy or other tools.

Potential Solutions:

1. Treat the client-side key as a "publishable" key (similar to Stripe's public API keys) with limited permissions
2. Add documentation explaining that anyone can create external listings for your organization using these public keys
3. Move SDK initialization to the server side where sensitive credentials can be kept private

Let me know if I'm misunderstanding your security posture here. The main consideration is whether you want these operations to be publicly accessible. If not, the authentication should be handled server-side where keys can remain private.

SDK:

During SDK testing, I successfully tested several core features, including initializing the client, retrieving listings, and creating listings. However, I encountered an issue when trying to buy listings, as the modal failed to load properly. I tested the integration using a vanilla React/TypeScript project bootstrapped with Vite.

I'd appreciate your feedback on these findings and would be happy to discuss potential solutions. Please let me know if you'd like clarification on any specific points, you see a different approach to these issues, or if I've misunderstood any aspects of your current implementation.

Thank you!

[Wild-er]

We have implemented updates that should address all issues raised.

Looking forward to the next review!

[Wild-er]

All changes have been applied @gabrielkuettel !

• Documentation: Updated to reflect requested changes and provide additional details for SDK integration.
• Buying Modal: Now functions as intended. Errors were caused by our custom indexer delay. All listing progression from Pending to Closed or Cancelled is present.
• API Key: Is publishable and documentation reflects that. It can only be used to create secondary listings, not primary.
• SDK: Updated NPM package to reflect requested integration examples.

We look forward to the next round of review! We greatly appreciate the rigorous approach :)