Is this a security vulnerability? IOW, if you log out of Coracle, the browser still has write access via nsecbunker if the same pubkey is re-entered. So you're logged out, but it's trivial to log back in without re-establishing permission. It seems to me the key should be re-generated every login.

Discussion

I agree; if you log out from Coracle, the private key should be destroyed.

How does the token work? Do you need that every time, or is that just intended to bypass manual authorization? IOW, authentication depends on the approved app key, right?

Just for manual authorization; the token tells the bunker “I’ve been preauthorized”

Once used, you can’t redeem it anymore, so you should not save it. Just save the npub from the token.