Meh. Might be time for some redundancy?
Discussion
He said the problem is providing security for all of the NWC strings that have direct access to user funds.
Speaking of which, make sure you’re setting budgets when you set those up so you don’t get rugged for more than you’re willing to risk.
Yeah yeah mom I set my budgets…
Isn’t there some clever math beyond my reasoning that can be set up to obfuscate the secrets, like a signed transaction, and it just has to be verified? Hrmm, sounds familiar… consensus model, rings any bells? ₿??
Fully expecting a reasonable explanation from someone much smarter than me why this hack can’t work like that though 🤷🏼
Can the NWC strings not be kept on the user devices hashed and transmitted to relays?
That’s not how it’s done at the moment. When you generate a string it contains all the information needed to send commands to your node. Maybe someone should write a spec for that!
I smell a new NIP brewing ☕️
I’m not sure what hashing it would do since that’s a one way function.
As I understand it, all Zapple pay does is listen out in relays for a pubkey to send a certain react event referencing a note. When it sees that, it uses the nwc string to initiate a zap on behalf of that wallet.
Those strings can be encrypted, but the key to decrypt them would need to constantly be available, making it a moot point.
The people using Zapple pay aren’t sending any other data for Zapple pay to handle (such as a key to decrypt the nwc string or anything).
Safest thing to do if worried is to run your own or, if on Damus, run that Nostr script to re-enable zap functionality.
Yeah ok how do I run either of those?
Nostr script: https://main--comfy-gnome-e2067d.netlify.app/
Hey nostr:npub13azv2cf3kd3xdzcwqxlgcudjg7r9nzak37usnn7h374lkpvd6rcq4k8m54 you’re using #zapple get in here what do you think of this?
To click or not to click? That is the question nostr:npub13azv2cf3kd3xdzcwqxlgcudjg7r9nzak37usnn7h374lkpvd6rcq4k8m54
Lol if you need some credibility here rather than running a script because a stranger on the Internet said so:
nostr:note1gjd2str0tfqvrcwdttskxkd52vmsagc477gsr858k0ug86nuj60qzn6uas
TBH I don’t know nostr:npub1xtscya34g58tk0z605fvr788k263gsu6cy9x0mhnm87echrgufzsevkk5s either 😆 It’s all good though; at some point there has to be trust. I would never get anything done if I always had to check everyone’s work.
True and I’m just a nym. He’s a well known dev. I’d trust him over me! 😂
Zapple pay backend.
Nice TY 🙏🏻