what can Alby do?
Discussion
Add a mechanism to AlbyHub where anyone can ask an npub for an invoice. People can add this npub to their profile next to / instead of an LNURL, and clients can fetch invoices from this instead of using LNURL
that’s basically NWC (without a secret), why is NWC not OK?
It's exactly NWC without a secret - but that's not how NWC implementations work. I don't think this is a huge lift, though you might need rate limiting, amount limits, etc.
I'm bullish on NWC
what’s the problem with the secret?
Do you mean attaching the full connection string to your profile? I guess this could technically work if the connection was limited to make_invoice, but it's needlessly dangerous. It would be better to have a different path that could never lose all of your funds. It could be as simple as making a connection with an empty secret, and all such connections would only be authorized for make_invoice. Clients could enforce an empty secret, and warn if a profile has a connection string that contains one. These UX improvements would round out otherwise dangerous edges
it’s both just an implementation detail on the wallet side, isn’t it?
the public messages also must be processed and the wallet must make sure it only accepts make_invoice calls?
I understand the thinking, NWC would just be already there and can be used
It depends on what you're calling the "wallet". AlbyGo appears to be a wallet, but isn't from this perspective. AlbyHub is what controls the funds and makes invoices.
Ultimately, NWC code that responds to "make_invoice" should be updated to make public connections that can only make invoices. Then zap capable apps would need to look for a field next to LNURL and use this to make the no-secret make_invoice call
yep,
I just wonder if it is really worth to have this special case.
why not have a NWC connection string in there (wouldn’t that also increase privacy actually?)
clients can easily validate the connection before adding it.
any current SDK would work and clients have NWC code anyway.
If something goes wrong and even one person loses their entire wallet by posting a real NWC string to their profile, saving a few lines of code will have been foolish. NWC strings themselves are already dangerous because they're a bearer token - everything should be using NWA anyway, and that wouldn't work for receiving zaps
I just don’t really see a difference that big actually.
it’s either way some lines of code somewhere that processes a nostr message.
but yea, people do crazy things… people loose sats by posting their seed phrases everywhere.
either way the nostr client could easily protect them.
It's a few lines at the wallet, or more lines in every nostr client
why more lines?
the wallet would implement a completely new way for the messages.
I'd rather open that PR myself than have anyone lose funds
which PR?
anyway let’s see if it happens.
still need to convince more wallets to implement NWC.
I think that I'm on to something with https://deposits.ynniv.com. If it works out, the next billion wallets will be NWC. So... I'm not worried about adoption
This is also why I'm interested in LNURL functionality natively available from NWC