NIP-7 has some discussion too. I don’t need the generic sign function anymore, but we still need a consistent way to support web app login from extensions. An alternative is Nostr Connect - but I think simple extension support is required too. A suggestion was clicking an extension to sign in, but it has limitations too.

My POC works fine and is simple, however perhaps using JWT is a better approach long term and something to spec up. @mazin, you’re still planning relay login to customise pubkey preferences? Happy to collaborate on this too.

https://gist.github.com/blakejakopovic/b0065b9327c48c148bfe989c08137ba1

https://github.com/nostr-protocol/nips/issues/373

https://github.com/nostr-protocol/nips/issues/353


Discussion

Excellent discussion 💜

Yes, we will still need to support some type of user login to change settings.

I guess I’ll just use a similar sign an event flow as you until they come up with something better. I can send you the JWT we came up with (and other header ideas) but I was told explicitly NIP-42 is “easy to implement” and more auth options leads to “protocol bloat”.

I’ll be working on that this week.

JWT is a little messy (we discovered) because there isn’t a standard alg for schnorr, so you end up having to do your own validation anyway.

Another idea was just the base64 encoded NIP-42 event (no challenge string) as a header. Then I got lectured about MITM attacks 😂

I played with JWT today, and it’s not the best fit for use. Hadn’t implemented it before.

I really only wanted a 20,0XX kind defined and basic JSON event. Then browser extensions can tell you that you are signing a “WebApp login” event instead of “Unknown”. I also use an “origin” tag, as opposed to “relay”.

A suggestion to optionally include the user’s preferred relays in the login JSON event as tags was a good idea for any server-side rendering - however not something I need at present. And extension relays and kind 10002 don’t sync, so that’s another issue.
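The server-side checks a web app would run on the signed login event discussed in this thread, as an added example (not the linked gist's code and not from any participant). The kind value is a placeholder because the thread leaves it as "20,0XX", and `verify_sig` is a hypothetical callable standing in for a real BIP-340 Schnorr verifier.

```python
import hashlib
import json
import time

# Placeholder: the thread only says "20,0XX"; no kind number is assigned here.
LOGIN_KIND_PLACEHOLDER = 20000
REQUIRED = ("id", "pubkey", "created_at", "kind", "tags", "content", "sig")


def event_id(ev):
    """NIP-01 event id: sha256 over the compact JSON array serialization."""
    payload = [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]]
    raw = json.dumps(payload, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def check_login_event(ev, expected_origin, verify_sig, now=None, max_age=60,
                      login_kind=LOGIN_KIND_PLACEHOLDER):
    """Return (ok, reason). verify_sig(pubkey, id, sig) -> bool is supplied by the caller."""
    now = int(time.time()) if now is None else now
    if any(k not in ev for k in REQUIRED) or not isinstance(ev["created_at"], int):
        return False, "malformed"
    if ev["kind"] != login_kind:
        return False, "wrong kind"
    # Exactly one "origin" tag, equal to this server's own origin, so an event
    # signed for another site cannot be forwarded here.
    origins = [t[1] for t in ev["tags"]
               if isinstance(t, list) and len(t) >= 2 and t[0] == "origin"]
    if origins != [expected_origin]:
        return False, "origin mismatch"
    # Without a server challenge, freshness only narrows the replay window.
    if abs(now - ev["created_at"]) > max_age:
        return False, "stale"
    # Recompute the id so the signature is known to cover these exact fields.
    if ev["id"] != event_id(ev):
        return False, "id mismatch"
    if not verify_sig(ev["pubkey"], ev["id"], ev["sig"]):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample event; pubkey and sig are dummy values, not real keys.
    ev = {"pubkey": "ab" * 32, "created_at": 1700000000, "kind": LOGIN_KIND_PLACEHOLDER,
          "tags": [["origin", "https://app.example"]], "content": "", "sig": "00" * 64}
    ev["id"] = event_id(ev)
    accept_all = lambda pubkey, eid, sig: True  # stub verifier for the demo only
    print(check_login_event(ev, "https://app.example", accept_all, now=1700000010))
```

A captured event stays replayable until `max_age` expires, so a server that needs stronger guarantees would also track seen event ids or issue its own challenge.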