Yep, because nos2x and manual-approve mode on Alby spam the user with signing requests
Discussion
Then the user shouldn’t specify an auth-required relay in their list? 🤷
Perhaps the auth request allow-listing should be per relay not just site.
I also don’t think a client should connect to arbitrary relays not already approved. The minimum intersection of my explicit relays and those I follow should be all I’d normally expect client connections to. If clients just keep expanding the relay list dynamically as part of the social graph I don’t see how everybody doesn’t end up hitting malicious relays with no control over it.
Exactly, ultimately I agree that granular control is the target, this is just a UX stopgap
How does anyone know they are auth required or not? But I'd say if they are then that's sorta creepy if you aren't paying.
The NIP-11 relay info response has a place where relays can specify auth is required.
If auth is required and the client doesn’t handle it well then it will just get NOTICEs in response to every REQ and be oblivious to the fact none of them ever return responses. There’s no way to actually have a failed REQ, unfortunately, other than never giving answers.
This will be a problem down the track.
Given the increased surveillance risk of automatically AUTHing to any relay that asks, this should be a relay-specific toggle, something you can turn on/off for each relay.
The nostr.land relays are serving optional auths on connect only so they can track REQs by pubkey. People should be careful and only AUTH when there is a reason…
Came here to say this 👆
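The per-relay AUTH toggle discussed in this thread, sketched as an added example (not code from nos2x, Alby or any client mentioned here). It uses the NIP-11 `limitation.auth_required` field and the NIP-42 `["AUTH", <challenge>]` message; the function names, the toggle map and the relay URLs are hypothetical.

```javascript
// Added example: per-relay NIP-42 AUTH policy. All names are hypothetical.
function normalizeRelayUrl(url) {
  const u = new URL(url); // host is lower-cased by the URL parser
  return `${u.protocol}//${u.host}${u.pathname.replace(/\/+$/, "")}`;
}

// authToggles: Map<relayUrl, boolean>, one user-controlled switch per relay.
// nip11: parsed NIP-11 relay information document, or null if it was unavailable.
function decideAuth(relayUrl, nip11, authToggles) {
  const relay = normalizeRelayUrl(relayUrl);
  if (authToggles.has(relay)) {
    return authToggles.get(relay) ? "sign" : "ignore"; // the user's choice wins
  }
  // No stored choice: ask once only if the relay declares auth as mandatory.
  // Optional AUTH requests (e.g. sent on connect) are dropped without a prompt.
  const required = Boolean(nip11 && nip11.limitation && nip11.limitation.auth_required);
  return required ? "prompt" : "ignore";
}

// Unsigned NIP-42 auth event; signing is left to the user's signer.
function buildAuthTemplate(relayUrl, challenge, nowSeconds) {
  return {
    kind: 22242,
    created_at: nowSeconds,
    tags: [["relay", normalizeRelayUrl(relayUrl)], ["challenge", challenge]],
    content: "",
  };
}

function handleAuthChallenge(relayUrl, message, nip11, authToggles, nowSeconds) {
  if (!Array.isArray(message) || message[0] !== "AUTH" || typeof message[1] !== "string") {
    return { action: "ignore", event: null };
  }
  const action = decideAuth(relayUrl, nip11, authToggles);
  const event = action === "sign" ? buildAuthTemplate(relayUrl, message[1], nowSeconds) : null;
  return { action, event };
}

// Constructed sample data: two relays the user has made a choice for.
const sampleToggles = new Map([
  ["wss://paid.relay.example", true],
  ["wss://tracking.relay.example", false],
]);
const sampleRequired = { limitation: { auth_required: true } };
const sampleOptional = { limitation: { auth_required: false } };
```

A "prompt" result is where the client would ask the user once and store the answer in the toggle map, so later challenges from that relay no longer trigger a signing request.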