My plan for Soapbox + Nostr onboarding UX is to have it generate a 12-word seed on the client. You see it once and are told to write it down, then it disappears forever. It gets stored securely in the browser and can then be used to sign events. To recover your session, you need the 12-word seed.

This is the basic normie flow for mass adoption. There are other options, including NIP-07 signing with a browser extension like Alby, and NIP-46 support where you can sign events remotely using a dedicated signer app. You can also import by seed or nsec.

Technical info: I'm making the ServiceWorker a signer. You can send it messages like generateSeed, signEvent, decrypt, etc. When you generate the seed, the ServiceWorker generates it within the worker context and stores it in the Web Cache API, which is an absolutely insane thing to do, but it will work. It sends the seed back to the client exactly _once_ when you generate it, and you can never retrieve it again because the worker will block fetches to it. But the worker itself can access it and sign your events. This is Vegan Mad Science.

Discussion

hey how often do you use Soapbox on mobile and have you noticed all the weird z-index issues it has?

Sometimes you can't edit posts because the edit box is rendered beneath.

Changing post scope? Well, the buttons on the screen don't match what you touch. Trying to change from followers-only to public is often torture because I keep touching the Public option but it keeps selecting Direct Message somehow, etc.

I think BIP39 is a good UX that helps dumb down the whole thing, and by essentially making Soapbox an HD wallet it can open doors to other functionality and maybe help it support hardware signers in the future.

Just make it so I can sign in with my gmail account please and thank you

My guess is that 9/10 users do not write it down because they don’t have pen and paper on hand because they think they can come back and do it later.

Even if you say they can't do it later, they will still not understand the magnitude of the importance of the act. Then they'll be stuck with an ID forever linked to their account that they don't actually own or control.

I've been struggling with a good UX / security tradeoff for a CLI tool without having a service running in the background.

This is good, but normies are gonna hate this. A 15 or 20 character password might get more adoption.