Amazing! How do you make sure the nsec is safe in local storage? Does the user encrypt it every time?
Introducing nsec.app and nostr-login!
I showed the prototype of https://nsec.app in December, and it's essentially an nsecbunker in your browser. It is non-custodial: your keys are stored locally in the browser, and apps can get access to your keys using NIP46. We've now turned that prototype into a real thing, and I invite you to try it. Shoutout to nostr:npub149p5act9a5qm9p47elp8w8h3wpwn2d7s2xecw2ygnrxqp4wgsklq9g722q for the designs!
Now how do we help Nostr apps adopt NIP46 for remote key access?
That's where nostr-login library comes in. If your app uses NIP07 to talk to a browser extension, then with just two lines of code you can make it talk over NIP46.
Both of these tools support the new OAuth-like flow proposed by Pablo. Below you can watch a demo of how nostr-login (added to my fork of Snort) works with Nsec.app (or would work with any other nsecbunker).
What this all means is that people could join Nostr on the web, without installing extensions or mobile apps, with their keys stored non-custodially in the Nsec.app, and then could log in to other Nostr apps without copying their private keys.
Demo: https://void.cat/d/JSWwYMTtbWxTDTLpe132Kr.mp4
Links:
Snort+nostr-login: https://snort.nostrapps.org
nsec app: https://github.com/nostrband/noauth
nsec app server: https://github.com/nostrband/noauthd
nostr-login: https://github.com/nostrband/nostr-login
Discussion
Does the user encrypt it with a password and decrypt it on every use?
The nsec is stored in encrypted form, with keys generated in the browser; it's light protection against someone just peeking at the local storage. But if they're smart enough to debug JS, they would find the decrypted nsec somewhere inside JS variables (same with extensions, btw).
It is possible to add a PIN/password to confirm on every use, although it would mean you can't set the 'Don't ask again' checkbox; you'd literally have to confirm (almost) every use of the key. Do you think we need such an advanced mode?
Yes. Security first. I don't mind putting in my PIN each time I log in with nsec.app / nostr-login.
I'm not sure. I asked because I'm facing a similar problem with encrypting user forms in local storage on formstr; it's a security vs. UI trade-off. Perhaps an optional feature for security would be a nice idea, or perhaps a remote decryption key? (This would be too similar to a remote signer, but you'd only have to do this once, instead of signing every event remotely.) Key rotation would also be easier.
Well, with formstr you could encrypt forms with the user's nsec stored locally? It pushes the problem to nsec storage; at least it's one problem to solve, not scattered across apps.
Very interesting, I'm not sure why I didn't think of that! I already encrypt and store the forms as an encrypted list on the relays; it's not much different from storing locally. Thanks! Does nsec.app also do NIP-04 encryption?
Yes, of course, all NIP07 methods are supported, although getRelays returns nothing atm.
Wdyt of using nostr-login for formstr?
I am sure I replied to your comment earlier, but I can't find the reply anywhere. Clients are buggy!
We could definitely evaluate it for the UX improvement on formstr. We are already using signers for interacting with a user's Nostr profile. Will check it out later today!