How does lnurl auth logins normally work? Since the wallet doesn't talk to the app, how would the app know it signed it? Would you just have the front end pinging the backend seeing if it was authorized? Maybe simplified with a websocket.
Discussion
👀
The app just knows there was "a signature". I don't think it cares what signed it. Doesn't have to be a wallet.
I'm talking about the app you're signing into, not the one that is signing
It uses the lightning URI scheme (no Lightning node involved). Websites can authenticate users simply by using the link and verifying the signature in the response.
No one understands the question I'm asking lol
I thought it was that they know your public key, then they give you a message to sign and they check it’s valid? Maybe that’s just lightning node sign in.
Creates key pair based on wallet/node “sig” + domain.
Signs k1 from app using key pair.
Sends signed k1 + public key to server.
Anyone that knows the original wallet “sig” can log in to that account
I thought the wallet does talk to the app. Doesn't it sign and then make an HTTP request back to the requesting server?
I believe that part of what is encoded in an lnurl is a callback url that the wallet uses after signing to notify the requesting server/app
That’s what I do. Client polls with the challenge seeing if it was signed. If so links to that client.
Yeah, that's what I figured. Do you add a secret so you can't steal the login from just knowing the k1?
You could. The k1 ends up being known to the wallet and anyone who can view the QR on your screen. Everywhere else is subject to TLS.
I generate a random 32 byte k1 and set it to expire. That seemed good enough to me. More or less the security of a magic link.