Replying to PABLOF7z

Here is a demo of a new onboarding flow for nostr applications. I started working on this after watching nostr:npub1wmr34t36fy03m8hvgl96zl3znndyzyaqhwmwdtshwmtkg03fetaqhjg240's keynote "Nostr for normies" at nostr:npub1nstrcu63lzpjkz94djajuz2evrgu2psd66cwgc0gz0c0qazezx0q9urg5l, which I highly recommend watching.

My goal here was to create a way to onboard new users without requiring them to:

* install a browser extension

* copy/paste a secret

* explain npub/nsec stuff

* lose interoperability with other nostr applications

This flow closely resembles an OAuth-style flow (e.g. "Login with Twitter"):

* You create an account in one site (e.g. Twitter)

* You can "login" to another site with that account

* You can revoke access to your account

Behind the scenes this is using NIP-89 to find nsecBunkers that allow people to register an account in their domain.

This means that any nostr application can offer a signup/login flow on any nsecBunker domain. The application itself doesn't take custody nor ever see the generated key.

And what's cool is that any nsecBunker provider can create their own flow: they can use passwords or not; they can require a payment or proof-of-work to create an account. They can brand their "signup/login" popup page in whatever way they want.

Here is a demo video of this new building block that is now available to nostr applications.

https://cdn.satellite.earth/2e2e353ac5f69caffdc73da81c4e735c19579432967323564924c585819e6ef9.mp4

Great PoC Pablo!

As a best practice I would suggest using only in-page modals instead of popups; they are quite confusing and some browsers block them.

Discussion

It can't be an in-browser modal though; it's gotta run in its own domain. That's why twitter/google/facebook/etc all use a real popup for OAuth flows 😅

Oh right, the same-origin policy stuff!

But you should be able to use modals at least in the process of the account creation, the more critical one, or are there other security concerns?

Or maybe an iframe with a CORS setting on the provider side could be a solution.

Yeah, the account creation part where you enter the email and username, etc. is an in-page modal, but then the password stuff must happen in the popup so the client generating the account can't see it.

It could be done getting absolutely everything in the client, but that increases the trust in the client significantly, and you also want the nsecBunker domain to have a cookie to authorize new keys without having to log in. I'd say that would only make sense if the client and nsecBunker provider are the same entity; in that case that would be fine.
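As an added illustration of the split described above (example code, not from the demo or from nsecBunker itself), here is the client side of such a popup flow in JavaScript: the popup runs on the bunker's origin, and the client accepts only a public key from it. The message shape (`{type: "nsecbunker-login", pubkey}`) and the `/login` path are assumptions; a real provider defines its own.

```javascript
// Added example: client-side handling of an OAuth-style nsecBunker popup.
// Assumption (not from the thread): the popup reports its result with
// window.opener.postMessage({type: "nsecbunker-login", pubkey: "<hex>"}, clientOrigin).

const HEX_PUBKEY = /^[0-9a-f]{64}$/;

// Validate one "message" event from the popup. Returns the hex pubkey, or
// null if the message must be ignored. The origin check is what an in-page
// modal cannot give you: only the bunker's own origin can deliver a result.
function handleBunkerMessage(event, bunkerOrigin) {
  if (event.origin !== bunkerOrigin) return null;            // not the bunker
  const data = event.data;
  if (!data || typeof data !== "object") return null;
  if (data.type !== "nsecbunker-login") return null;
  // The client must never be handed a secret; treat one as a protocol error.
  if ("nsec" in data || "privkey" in data || "password" in data) return null;
  if (typeof data.pubkey !== "string" || !HEX_PUBKEY.test(data.pubkey)) return null;
  return data.pubkey;
}

// Open the provider's popup (on the bunker's origin, not the client's) and
// resolve with the pubkey it reports. Browser-only; unrelated messages are ignored.
function loginWithBunker(bunkerOrigin, path = "/login") {
  return new Promise((resolve, reject) => {
    const popup = window.open(bunkerOrigin + path, "nsecbunker", "popup,width=480,height=640");
    if (!popup) return reject(new Error("popup blocked"));
    const onMessage = (event) => {
      const pubkey = handleBunkerMessage(event, bunkerOrigin);
      if (!pubkey) return;
      window.removeEventListener("message", onMessage);
      resolve(pubkey);
    };
    window.addEventListener("message", onMessage);
  });
}
```

On the popup side the provider should pass the client's origin as the explicit `targetOrigin` of `postMessage`, so the result is never broadcast to whatever page happens to have opened the window.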

Got it. Thanks for the details!