PWAs don’t have background notifications on iOS and can’t store secrets/keys securely
I prefer PWAs, but this is an obstacle I’m stuck on
Advice welcome
that's why we need to push for pwa, iOS can do it for sure if ppl stop using app store, pwa is how mobile apps should be
I agree
Notification limits are gate-kept by Apple, which is unlikely to lift them for risk of compromising App Store revenue
Not sure how to address web browser security though for key storage
They can do background notifications but you have to get the user to add the app to the home screen. Basically PWAs on iOS come in two flavours, home screen installed and not, and it's hard to discuss much without specifying which case.
Adding is not easy to get users to do, really need to make it a core part of the UX.
Even when added to Home Screen, you can’t have a notification pushed to the user if the app isn’t open on iOS
Notifications can only be pushed if the app is being actively viewed
I’ve tried
If you have a way to do it, let me know because I’m definitely interested
You mean if a user adds a PWA to the home screen, and then closes that app altogether?
Or if a user adds it to the home screen, opens it, and then opens another app or swipes away? (Jump over to Clash of Clans for example)
For A it won't work. For B it should though.
I more meant if their phone screen is locked/asleep it won’t wake
I’ll have to try option B again, maybe that’s good enough
Gleason is solid with PWA notifications (they have a central relay). Try adding either https://ditto.pub/ or else https://gleasonator.dev/ to the home screen and when done sign in. At some stage you should get a prompt to allow notifications as attached. Once you approve then the PWA will show as notification enabled in your notification settings, double check. Then wait for some nostr notifications (replies, reactions) and see if you're getting them even when the app isn't active.

Oh nice! Thanks for showing me this! I’ll try it out
Good luck! You'll also notice that notifications will still show even if the PWA is closed entirely—at least for a while until the service worker eventually goes out, days or weeks.
But zooming out, recent App Store changes might make the native app route a little more enticing, for the US anyway.
I guess this depends on how secure you want to be… do you mean having access to a secure element or something similar?
More secure than localstorage in js, but still on the user’s device so I don’t have to store it in a database that I own
I guess the main issue with local storage is the same with any other browser storage - a successful XSS attack could read the data. So probably encrypting with a passphrase would be the way to go? Or relying on a remote signer
Yeah, maybe I’ll try encrypting with passcode
I shall report back 🫡
nostr:nprofile1qy2hwumn8ghj76rfwd6zumn0wd68ytnvv9hxgqghwaehxw309ahxverz9ehx7umhdpjhyefwvdhk6qpq2262qa4uhw7u8gdwlgmntqtv7aye8vdcmvszkqwgs0zchel6mz7s4pc3yf
if I make a PWA client, how can I securely store a private key so that it's not susceptible to simple XSS attacks?
localStorage is not secure enough for something so sensitive
Have 2 domains. app.example and sign.app.example
On sign.app.example, it acts as an in browser signer for app.example in a hidden iframe (you do not need users to visit it directly) while always validating the parent is app.example.
If app.example is broken they can’t break the sign subdomain
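
The parent check described in the post above, as an added example that is not part of the original thread: a message handler for the hidden iframe on sign.app.example. The message format (`type`, `id`, `payload`), the names `handleSignRequest` and `installSigner`, and the injected `signFn` are assumptions made for illustration.

```javascript
// Runs on sign.app.example inside the hidden iframe (added example).
// Message shape {type, id, payload} is an assumed protocol, not a standard.
const ALLOWED_PARENT = 'https://app.example';

// Decide what to do with one incoming message. Returns the reply to post
// back, or null when the message must be dropped without any response.
function handleSignRequest(event, parentWindow, signFn) {
  // 1. Exact origin match. No startsWith/includes/regex: those would
  //    accept look-alikes such as https://app.example.evil.test.
  if (event.origin !== ALLOWED_PARENT) return null;
  // 2. The sender must be the window embedding this frame, not a popup
  //    or sibling frame that happens to hold a reference to it.
  if (event.source !== parentWindow) return null;
  // 3. Strict schema check: event.data is untrusted input.
  const msg = event.data;
  if (typeof msg !== 'object' || msg === null) return null;
  if (msg.type !== 'sign' || typeof msg.id !== 'string') return null;
  if (typeof msg.payload !== 'string' || msg.payload.length > 65536) {
    return { type: 'error', id: msg.id, error: 'bad payload' };
  }
  // 4. Only the signature leaves this origin; the key never does.
  try {
    return { type: 'signed', id: msg.id, sig: signFn(msg.payload) };
  } catch (e) {
    return { type: 'error', id: msg.id, error: 'signing failed' };
  }
}

// Wire the handler to a window. signFn is whatever loads the key from
// this origin's own storage and signs (hypothetical, supplied by caller).
function installSigner(win, signFn) {
  win.addEventListener('message', (event) => {
    const reply = handleSignRequest(event, win.parent, signFn);
    // Pin targetOrigin so the reply is never delivered to another
    // origin, even if the parent frame has navigated away.
    if (reply) win.parent.postMessage(reply, ALLOWED_PARENT);
  });
}
```

Serving sign.app.example with `Content-Security-Policy: frame-ancestors https://app.example` keeps other sites from embedding the frame at all. The key stays on the signer origin, but a script running on app.example can still request signatures while the page is open, so the signer may also want to limit what it signs or ask the user to confirm.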
Curious why you'd want the PWA to store private keys in the first place?
nostr:nprofile1q9z8wumn8ghj7erzx3jkvmmzw4eny6tvw368wdt8da4kxamrdvek76mrwg6rwdngw94k67t3v36k77tev3kx7vn2xa5kjem9dp4hjepwd3hkxctvq9n8wumn8ghj7enfd36x2u3wdehhxarj9emkjmn99ah8qatzx9ukzatv8p4nqdfexvmnwafed3eh2d3hv3jnw7fkxvmhwdr2w3nk2athvdkksdtwxumnswrvxeuxumrwwfnhxvm5we4x6e3lvfex7ctyvdshxapaw3e82egqyqnhnu7e7sk8mmsh7rnteh8cn28e6kfdr83mrw7j0mcullg607vdztfajye how's iOS signer coming along?
Will this signer help PWA clients not rely on storing keys?
My work on it is a bit stalled. But in theory, yes, I think we could rely on deeplinks to switch between PWA clients and a signer app when it needs to sign data. The experience with app switching will be suboptimal for frequent actions like reacting to events.
I was pleasantly surprised to see that they do. I use PWA for stacker.news with Safari on iOS. Took a couple tries to get the push notifications option to enable, but it finally did and works great. Now, it functions almost native-like.
Oh, and forgot to mention, these are background notifications. I don't have the app open. The notifications even come through to Watch.
Even when your phone is locked?
What iOS version?
Yup sure does! Running latest iOS 18.
That’s good to know it’s possible!
Thanks for confirming
Now I just need to figure out how to do it
nostr:npub1qkfnmpuz692azr8c5phn0930x2v92xyqvwgr6ve8znaa3qd6c3hq09ertp the stacker news site is awesome! Any insight to how y’all made the background push notifications work for iOS when Safari PWA is created that might help steer another pleb into the right direction?
Our source is open. Link in the footer of the site.
iOS PWA notifications are tricky, they are very strict about what you can do, but they use the same open standard other PWAs use.