!! WordPress #Nostr Login Plugin Update !!

Good news YEGHRO #Nostr plugin for #WordPress is now more secure.

We've added NIP98 authentication to the login process, making it even better.

Update now to version 1.6 and enjoy more peace of mind.

Big thanks to nostr: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 for his contribution to this update. Give the man a follow and a thanks.

https://wordpress.org/plugins/nostr-login/


Discussion

Appreciate the shout out nostr:nprofile1qy2hwumn8ghj76rfwd6zumn0wd68ytnvv9hxgqg6waehxw309ahx7um5wfjkccte9euk2emgwfhjucm0d5q3yamnwvaz7tmsw4e8qmr9wpskwtn9wvq3gamnwvaz7tmjv4kxz7fwv3sk6atn9e5k7qghwaehxw309aex2mrp0yhxvmm4de6xz6tw9enx6qgkwaehxw309aex2mrp0yhxummnw3ezucnpdejqz9nhwden5te0wfjkccte9ec8y6tdv9kzumn9wsqzp7ppz7dat453ccd5x43nvwy2mtwresfsfay7wudg0sudulk5l5pzr0eztk . However, your latest official v1.6 is once again HIGHLY INSECURE, as it completely bypasses the security I added to the backend.

The secure NIP-98 version of your plugin is v1.5, which I've posted as a package on my GitHub:

https://github.com/robwoodgate/YEGHRO_NostrLogin/releases/tag/v1.5

Note, since the PR I made to your repository, I've added a check for the required PHP extension... it should now fail gracefully if not enabled.

I'd recommend rolling back to my version ASAP.

Oh no, I thought I followed the NIP-98 specs.

Your new Nostr_Event class looks like it follows NIP-98, but:

a) you haven't actually used it (it's not called anywhere in the code), and

b) your class doesn't implement the signature check, so it's simple to send a fake one.

You can't really avoid the cryptography in the back end. Without a signature check, you can't be sure the event isn't faked.
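The two things this reply asks for, the NIP-98 tag and timestamp checks plus a real BIP-340 signature check over the event id, as an added Python example that is not the plugin's code. The secret key, URL and timestamps are constructed, and a small pure-Python secp256k1 is embedded only to keep the block self-contained (a PHP backend does the same arithmetic with GMP, which is why that extension matters).

```python
import hashlib, json, time

# secp256k1 parameters: field prime P, group order N, generator G
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798, 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DEMO_SK, DEMO_URL = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD, "https://example.invalid/wp-json/nostr-login/v1/auth"  # constructed
def add(a, b):  # affine point addition on secp256k1; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] ** 2 * pow(2 * a[1], P - 2, P) if a == b else (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P
def mul(k, p):  # double-and-add scalar multiplication
    r = None
    while k: r, p, k = (add(r, p) if k & 1 else r), add(p, p), k >> 1
    return r
def th(tag, msg):  # BIP-340 tagged hash
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()
def sign(sk, msg, aux=bytes(32)):  # BIP-340 signing, used here only to build sample client events
    pt = mul(sk, G); d = sk if pt[1] % 2 == 0 else N - sk  # negate the secret so the pubkey has even y
    px = pt[0].to_bytes(32, "big")
    t = (d ^ int.from_bytes(th("BIP0340/aux", aux), "big")).to_bytes(32, "big")
    k = int.from_bytes(th("BIP0340/nonce", t + px + msg), "big") % N
    R = mul(k, G); k = k if R[1] % 2 == 0 else N - k
    e = int.from_bytes(th("BIP0340/challenge", R[0].to_bytes(32, "big") + px + msg), "big") % N
    return R[0].to_bytes(32, "big") + ((k + e * d) % N).to_bytes(32, "big")
def verify(pk, msg, sig):  # BIP-340 verification: s*G - e*P must be the even-y point with x == r
    x, r, s = (int.from_bytes(b, "big") for b in (pk, sig[:32], sig[32:]))
    y = pow((pow(x, 3, P) + 7) % P, (P + 1) // 4, P)  # lift_x: this square root works because P % 4 == 3
    if len(pk) != 32 or len(sig) != 64 or x >= P or y * y % P != (pow(x, 3, P) + 7) % P or r >= P or s >= N:
        return False
    e = int.from_bytes(th("BIP0340/challenge", sig[:32] + pk + msg), "big") % N
    R = add(mul(s, G), mul(N - e, (x, y if y % 2 == 0 else P - y)))
    return R is not None and R[1] % 2 == 0 and R[0] == r
def event_id(ev):  # NIP-01 id: sha256 of the compact JSON array [0, pubkey, created_at, kind, tags, content]
    s = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]], separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(s.encode()).hexdigest()
def nip98_valid(ev, url, method, now=None, window=60):  # what the backend must check before trusting a login
    tags = {t[0]: t[1] for t in ev["tags"] if len(t) >= 2}
    return (ev.get("kind") == 27235 and tags.get("u") == url and tags.get("method", "").upper() == method.upper()
            and abs((time.time() if now is None else now) - ev["created_at"]) <= window  # reject stale or replayed events
            and ev.get("id") == event_id(ev)  # the id commits to every field, so any edit breaks it
            and verify(bytes.fromhex(ev["pubkey"]), bytes.fromhex(ev["id"]), bytes.fromhex(ev["sig"])))  # the step that cannot be skipped
def make_event(sk, url, method, created_at):  # constructed sample of what an honest client sends
    ev = {"pubkey": mul(sk, G)[0].to_bytes(32, "big").hex(), "created_at": created_at, "kind": 27235,
          "tags": [["u", url], ["method", method]], "content": ""}
    ev["id"] = event_id(ev); ev["sig"] = sign(sk, bytes.fromhex(ev["id"])).hex()
    return ev
```

Without the final `verify` call, anyone who knows a user's public key can assemble an event with the right kind, tags, id and a made-up `sig` and `nip98_valid` would accept it.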

Alright guys, there appears to be an issue with the plugin's security. Until it's resolved, I suggest and recommend you stop using it until I've resolved it.

Sorry to have p*ssed on the bonfire. I just don't want people to get their sites hacked. If you roll back to my v1.5, and enable gmp for PHP on your server, it should work securely.

That’s more than all right. I’d rather have a properly functioning plug-in.

Ok my frens,

My apologies for the mix-up and confusion the past couple of days. The bugs in the plugin have been addressed, and secure login and authentication are working as they should be.

Feel free to update to version 1.7 to get the latest plugin updates.

!! PS !!

It's important that you install something called php-gmp on your #WordPress servers so that your WordPress site has the Nostr crypto tools it needs to properly authenticate and verify your logins. It's easy enough; the instructions are listed on the plugin's WordPress page as well as the GitHub repo, but I'll also add it here for your convenience:

* For Ubuntu/Debian:

Run: sudo apt-get update && sudo apt-get install php-gmp

Restart PHP/web server: sudo service php-fpm restart (or apache2 if using Apache)

* For cPanel:

Contact your hosting provider to enable the PHP-GMP module

Most managed WordPress hosts can enable this through the hosting control panel

* For Windows:

Open php.ini file

Uncomment the line: extension=gmp

Restart your web server

After installation, verify GMP is enabled by checking your site's PHP info page.

I wanted to avoid installing extra stuff on your WordPress server, but this appears critical for security.

Glad we finally got there nostr:nprofile1qy2hwumn8ghj76rfwd6zumn0wd68ytnvv9hxgqg6waehxw309ahx7um5wfjkccte9euk2emgwfhjucm0d5q3yamnwvaz7tmsw4e8qmr9wpskwtn9wvq3gamnwvaz7tmjv4kxz7fwv3sk6atn9e5k7qghwaehxw309aex2mrp0yhxvmm4de6xz6tw9enx6qgkwaehxw309aex2mrp0yhxummnw3ezucnpdejqz9nhwden5te0wfjkccte9ec8y6tdv9kzumn9wsqzp7ppz7dat453ccd5x43nvwy2mtwresfsfay7wudg0sudulk5l5pzr0eztk 🤜 🤛

I can confirm v1.7 addresses the login security issue, and implements the NIP-98 authentication checks properly.

I know adding the GMP (GNU Multiple Precision) extension for PHP is a hassle, but this is a small price to pay for cryptographic security.

Great plugin! 🫡

Fantastic. And you're right it's a small price with a big pay off. 🍻