Oh no I thought I followed nip98 specs.
Appreciate the shout out nostr:nprofile1qy2hwumn8ghj76rfwd6zumn0wd68ytnvv9hxgqg6waehxw309ahx7um5wfjkccte9euk2emgwfhjucm0d5q3yamnwvaz7tmsw4e8qmr9wpskwtn9wvq3gamnwvaz7tmjv4kxz7fwv3sk6atn9e5k7qghwaehxw309aex2mrp0yhxvmm4de6xz6tw9enx6qgkwaehxw309aex2mrp0yhxummnw3ezucnpdejqz9nhwden5te0wfjkccte9ec8y6tdv9kzumn9wsqzp7ppz7dat453ccd5x43nvwy2mtwresfsfay7wudg0sudulk5l5pzr0eztk . However, your latest official v1.6 is once again HIGHLY INSECURE, as it completely bypasses the security I added to the backend.
The secure NIP-98 version of your plugin is v1.5, which I've posted as a package on my GitHub:
https://github.com/robwoodgate/YEGHRO_NostrLogin/releases/tag/v1.5
Note, since the PR I made to your repository, I've added a check for the required PHP extension... it should now fail gracefully if not enabled.
I'd recommend rolling back to my version asap
Discussion
Your new Nostr_Event class looks like it follows NIP-98, but:
a) you haven't actually used it (it's not called anywhere in the code) and
b) your class doesn't implement the signature check, so it's simple to send a fake one.
You can't really avoid the cryptography in the back end. Without a signature check, you can't be sure the event isn't faked.