web and pwa first
Discussion
See, nostr:npub17natddjkmse4z8frh7ysynwtzanzmvs9d76c5r53546wsnzs25gqfdeqey, the importance of having PWA clients?
Yes, they are important, mainly for things on systems like Apple's, or in beta phase, but none of that rules out the importance and flexibility of an APK. If you need to use a PWA, you're on the wrong operating system.
So will bitkey go web/pwa?
I agree, but it's really hard to make a first class PWA. There are a lot of edge cases
No, look at jumble.social nostr client. It's PWA and works amazing.
cc nostr:npub1syjmjy0dp62dhccq3g97fr87tngvpvzey08llyt6ul58m2zqpzps9wf6wl
It always starts off great. Then you realize that:
- landscape layout sucks
- app manifest caching is broken
- ... only on certain platforms
- people are stuck on an old version
- or they just want to use the app right now instead of updating
- or their connection was unstable on update and now they have half old and half new assets
- some basic API isn't available
- or is available but has different options than the normal API
- or different bugs
- and things behave differently when installed as a PWA vs a web page
- etc
This isn't a criticism of jumble.social as I haven't used it. I've long advocated for PWAs and web first, but... it's way harder than it needs to be
It's harder cause the "market" pushed towards native apps for over a decade. Faster, more reliable, more control, more compliant, stores with policies.. It made sense.
But I can see a momentum for web and pwa. Not just interest from people like us. Also finally Mozilla is jumping back on working on it.
If we work on this all those problems are going to go away.
Just one example: cashu.me is definitely one of the best apps I use and it's a PWA.
It's really difficult to adapt for mobile devices. But it's worth a try, because I don't want to be controlled by the App Store.
I don't have a single PWA installed on my phone. the web + nostr is a minefield of complexity due to needing signing extensions, etc. would be better to just have a browser for nostr apps.
PWAs don’t have background notifications on iOS and can’t store secrets/keys securely
I prefer PWAs, but this is an obstacle I’m stuck on
Advice welcome
that's why we need to push for pwa, iOS can do it for sure if ppl stop using app store, pwa is how mobile apps should be
I agree
Notification limits are gate-kept by Apple and are unlikely to lift it for risk of compromising App Store revenue
Not sure how to address web browser security though for key storage
They can do background notifications but you have to get the user to add the app to the home screen. Basically PWAs on iOS come in two flavours, home screen installed and not, and it's hard to discuss much without specifying which case.
Adding is not easy to get users to do, really need to make it a core part of the UX.
Even when added to Home Screen, you can’t have a notification pushed to the user if the app isn’t open on iOS
Notifications can only be pushed if the app is being actively viewed
I’ve tried
If you have a way to do it, let me know because I’m definitely interested
You mean if a user adds a PWA to the home screen, and then closes that app altogether?
Or if a user adds it to the home screen, opens it, and then opens another app or swipes away? (Jump over to Clash of Clans for example)
For A it won't work. For B it should though.
I more meant if their phone screen is locked/asleep it won’t wake
I’ll have to try option B again, maybe that’s good enough
Gleason is solid with PWA notifications (they have a central relay). Try adding either https://ditto.pub/ or else https://gleasonator.dev/ to the home screen and when done sign in. At some stage you should get a prompt to allow notifications as attached. Once you approve then the PWA will show as notification enabled in your notification settings, double check. Then wait for some nostr notifications (replies, reactions) and see if you're getting them even when the app isn't active.

Oh nice! Thanks for showing me this! I’ll try it out
Good luck! You'll also notice that notifications will still show even if the PWA is closed entirely—at least for a while until the service worker eventually goes out, days or weeks.
But zooming out recent app store changes might make the native app route a little more enticing, for US anyway.
I guess this depends on how secure you want to be… do you mean having access to a secure element or something similar?
More secure than localstorage in js, but still on the user’s device so I don’t have to store it in a database that I own
I guess the main issue with local storage is the same with any other browser storage - a successful XSS attack could read the data. So probably encrypting with a passphrase would be the way to go? Or relying on a remote signer
Yeah, maybe I’ll try encrypting with passcode
I shall report back 🫡
nostr:nprofile1qy2hwumn8ghj76rfwd6zumn0wd68ytnvv9hxgqghwaehxw309ahxverz9ehx7umhdpjhyefwvdhk6qpq2262qa4uhw7u8gdwlgmntqtv7aye8vdcmvszkqwgs0zchel6mz7s4pc3yf
if I make a PWA client, how can I securely store a private key so that it's not susceptible to simple XSS attacks?
localStorage is not secure enough for something so sensitive
Have 2 domains. app.example and sign.app.example
On sign.app.example, it acts as an in browser signer for app.example in a hidden iframe (you do not need users to visit it directly) while always validating the parent is app.example.
If app.example is broken they can’t break the sign subdomain
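The message handler such a signer iframe could run, as an added example that is not part of the original post or any project's code: the message shape, the `makeSignerHandler` name and the kind allow-list are assumptions, and the signing function is injected by the caller.

```javascript
// Runs on sign.app.example inside the hidden iframe (added example).
// ALLOWED_PARENT, the message shape and ALLOWED_KINDS are illustrative assumptions.
const ALLOWED_PARENT = 'https://app.example';
const ALLOWED_KINDS = new Set([1, 7]); // constructed policy: text notes and reactions

// signEvent holds the key inside this origin and returns only a signature.
function makeSignerHandler(signEvent, parentWindow) {
  return function onMessage(event) {
    // 1. Exact origin comparison; substring or prefix checks are bypassable.
    if (event.origin !== ALLOWED_PARENT) return 'rejected:origin';
    // 2. The sender must be the embedding window, not some other frame or popup.
    if (event.source !== parentWindow) return 'rejected:source';
    const msg = event.data;
    // 3. Strict shape check: the only operation is "sign"; nothing exports the key.
    if (!msg || msg.type !== 'sign' || typeof msg.id !== 'string' ||
        !msg.event || typeof msg.event.content !== 'string') {
      return 'rejected:shape';
    }
    // 4. Policy is enforced here, so a compromised app.example cannot widen it.
    if (!ALLOWED_KINDS.has(msg.event.kind)) return 'rejected:kind';
    const sig = signEvent(msg.event);
    // 5. Reply with an explicit targetOrigin, never '*'.
    event.source.postMessage({ type: 'signed', id: msg.id, sig }, ALLOWED_PARENT);
    return 'signed';
  };
}

// In the iframe page (signWithStoredKey is a hypothetical function you supply):
//   window.addEventListener('message',
//     makeSignerHandler(signWithStoredKey, window.parent));
```

An XSS on app.example can still ask this signer for signatures within the allowed kinds, but it cannot read the key. Serving the signer page with `Content-Security-Policy: frame-ancestors https://app.example` additionally stops other sites from embedding it.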
Curious why you'd want the PWA to store private keys in the first place?
nostr:nprofile1q9z8wumn8ghj7erzx3jkvmmzw4eny6tvw368wdt8da4kxamrdvek76mrwg6rwdngw94k67t3v36k77tev3kx7vn2xa5kjem9dp4hjepwd3hkxctvq9n8wumn8ghj7enfd36x2u3wdehhxarj9emkjmn99ah8qatzx9ukzatv8p4nqdfexvmnwafed3eh2d3hv3jnw7fkxvmhwdr2w3nk2athvdkksdtwxumnswrvxeuxumrwwfnhxvm5we4x6e3lvfex7ctyvdshxapaw3e82egqyqnhnu7e7sk8mmsh7rnteh8cn28e6kfdr83mrw7j0mcullg607vdztfajye how's iOS signer coming along?
Will this signer help PWA clients not rely on storing keys?
My work on it is a bit stalled. But in theory, yes, I think we could rely on deeplinks to switch between PWA clients and a signer app when it needs to sign data. The experience with app switching will be suboptimal for frequent actions like reacting to events.
I was pleasantly surprised to see that they do. I use PWA for stacker.news with Safari on iOS. Took a couple tries to get the push notifications option to enable, but it finally did and works great. Now, it functions almost native-like.
Oh, and forgot to mention, these are background notifications. I don't have the app open. The notifications even come through to Watch.
Even when your phone is locked?
What iOS version?
Yup sure does! Running latest iOS 18.
That’s good to know it’s possible!
Thanks for confirming
Now I just need to figure out how to do it
nostr:npub1qkfnmpuz692azr8c5phn0930x2v92xyqvwgr6ve8znaa3qd6c3hq09ertp the stacker news site is awesome! Any insight to how y’all made the background push notifications work for iOS when Safari PWA is created that might help steer another pleb into the right direction?
Our source is open. Link in the footer of the site.
iOS PWA notifications are tricky, they are very strict about what you can do, but they use the same open standard other PWAs use.
I wonder if Apple wants to charge 30% if a user pays a subscription in sats
Primal web really needs some attention.
nah. i think people just stop building for ios and let the dev mindshare dry up for ios and let the market incentivize apple to stop treating their customers like idiots
#induecourse
forget primal (its already good) make nostr.com a web client where regular people can create an account and try nostr
Try jumble.social, it's a PWA and it's an amazing nostr client.
Native desktop and Android first. End the web.
Wait… PWA is inherently non-secure… why use that?
The biggest problem with PWA imo is that there’s not a great way to store a private key. Specifically on iOS you don’t have access to keychain as you would on a native app. I'm also not sure you can use a Safari extension as you normally would from just using Safari.
it's all tradeoffs
Yeah for sure. I think one way would be to use webauthn credentials to encrypt the private key, then it could be stored in IndexedDB encrypted. Then any time the user needs to sign an event you could request navigator.credentials.get() which would pull up face/Touch ID to decrypt key and sign. Not perfect but it could be a potential solution.
This is how i see it, as long as we rely on gatekeeping app stores for distributing native apps
Web apps and PWAs can’t reliably support Signal or MLS protocol because those protocols depend on secure, persistent local storage and uninterrupted processing to keep cryptographic state (double-ratchets, MLS group keys and membership) up to date, whereas browsers only offer volatile storage and can’t guarantee continuous execution—so keys and session data risk being lost.
my only app attempt & that was my huge mistake: not doing web, starting w/ ios
100% agree must escape apple and android.
Then we need grapheneOS rooted hardware as the next step, can use Pixel mobile and tablet for immediate time being.
I will go meet OEM when in Taiwan in a couple of weeks.
SPEED UP.
Absolutely, I always start with PWA. It's non-negotiable.
Cons: some native features missing
Pros: you never need to explain to Apple what ecash is
plus hypermedia apps.
🎯
This. I've really come to love the idea of PWAs. As bloated as the modern web is, it can do just about anything with the right APIs and permissions, and PWAs can work totally offline. Browsers are also usually built from the ground up with security and fine tunable permissions in mind.
A lot of mobile apps wind up rendered by the webview anyways, and a bunch of desktops bundle an entire browser like Electron in just to be written as a site and then run as an app. Skipping the middle man saves a bunch of space on your device, keeps things a little more secure and private (if done right), and makes the app instantly OS agnostic as long as you've got a desktop and mobile layout.
/end random monologue
It has gotten a lot easier building PWAs for the web. Some web frameworks like TanStack Router provide a good starting point