Your users' account data is safe if you use Nostr login for an app 😏
The vibe coding boom will get many end users in trouble.
While it is a huge leap forward that allows enthusiasts to bring their ideas to life, the majority of the new apps will be built in a reckless way by clueless people.
At the same time, building something that does not interact with user data while improving your project is a win-win.
For example, I finally managed to automate my 3-year-old project nostr:npub1tcalvjvswjh5rwhr3gywmfjzghthexjpddzvlxre9wxfqz4euqys0309hn and it now automatically posts historical Bitcoin events to Nostr. I know the code is bloated and ugly, I don't know (yet) how to fix this, but automation works and that's good enough for now.
PRs welcome 💜 https://github.com/Bitcoin-Calendar/calendar-bot
nostr:note1s4vx09gepe5t3xsfuuvq5f0h3fv70gxxrvj3nennayl37t3sm3jq5l5qd2
Discussion
That's just the tip of the iceberg. Nostr login does not protect from man-in-the-middle attacks, weak certificate validation, excessive app permissions, and so on and so forth.
Well, you're right. But I was directly addressing your point about "At the same time building something that does not interact with user data while improving your project is a win-win." Of course, things outside of that in the app/host layer are important to lock down, as you mentioned.
I see, I probably should've worded it better. I felt like app permissions and bad encryption practices fall into this bucket, because if an attacker gets hold of your server or orchestrates a MITM attack, they'll be able to get their hands on stuff users wouldn't want them to.
As a rule of thumb, never store private keys in plain text and always aim to have them decoded on the client side.
Assume everything will be leaked. There is always a balance between usability and privacy.
The only things private on Nostr tend to be private messages and the private key.