Rob Woodgate
cec0f44d0d64d6d9d7a1c84c330f5467e752cc8b065f720e874a0bed1c5416d2
Entrepreneur, software developer and marketer. Working on #nostr #cashu 🫡 My better half: https://www.heidiwoodgate.com ⚡️Nostrly: https://www.nostrly.com ⚡️Github: https://github.com/robwoodgate ⚡️AWtomator: https://www.awtomator.com ⚡️ListLockr: https://www.listlockr.com

GM. 🫡

"I love the smell of Bitcoin in the morning."

Glad we finally got there nostr:nprofile1qy2hwumn8ghj76rfwd6zumn0wd68ytnvv9hxgqg6waehxw309ahx7um5wfjkccte9euk2emgwfhjucm0d5q3yamnwvaz7tmsw4e8qmr9wpskwtn9wvq3gamnwvaz7tmjv4kxz7fwv3sk6atn9e5k7qghwaehxw309aex2mrp0yhxvmm4de6xz6tw9enx6qgkwaehxw309aex2mrp0yhxummnw3ezucnpdejqz9nhwden5te0wfjkccte9ec8y6tdv9kzumn9wsqzp7ppz7dat453ccd5x43nvwy2mtwresfsfay7wudg0sudulk5l5pzr0eztk 🤜 🤛

I can confirm v1.7 addresses the login security issue, and implements the NIP-98 authentication checks properly.

I know adding the GMP (GNU Multiple Precision) extension for PHP is a hassle, but this is a small price to pay for cryptographic security.

Great plugin! 🫡

Sorry to have p*ssed on the bonfire. I just don't want people to get their sites hacked. If you roll back to my v1.5, and enable gmp for PHP on your server, it should work securely.

Your new Nostr_Event class looks like it follows NIP-98, but:

a) you haven't actually used it (it's not called anywhere in the code) and

b) your class doesn't implement the signature check, so it's simple to send a fake one.

You can't really avoid the cryptography in the back end. Without a signature check, you can't be sure the event isn't faked.

PSA: For #plebs playing around building with #nostr

You should treat all front end code (such as JavaScript) as INSECURE.

It can be manipulated or replaced in browser console by an attacker.

So any data sent to your back end server MUST be sanitized and verified.

Check the schnorr signatures before relying on event data.

That's why Nostr events are SIGNED!

GOOD MORNING #NOSTR

Appreciate the shout out nostr:nprofile1qy2hwumn8ghj76rfwd6zumn0wd68ytnvv9hxgqg6waehxw309ahx7um5wfjkccte9euk2emgwfhjucm0d5q3yamnwvaz7tmsw4e8qmr9wpskwtn9wvq3gamnwvaz7tmjv4kxz7fwv3sk6atn9e5k7qghwaehxw309aex2mrp0yhxvmm4de6xz6tw9enx6qgkwaehxw309aex2mrp0yhxummnw3ezucnpdejqz9nhwden5te0wfjkccte9ec8y6tdv9kzumn9wsqzp7ppz7dat453ccd5x43nvwy2mtwresfsfay7wudg0sudulk5l5pzr0eztk . However, your latest official v1.6 is once again HIGHLY INSECURE, as it completely bypasses the security I added to the backend.

The secure NIP-98 version of your plugin is v1.5, which I've posted as a package on my GitHub:

https://github.com/robwoodgate/YEGHRO_NostrLogin/releases/tag/v1.5

Note, since the PR I made to your repository, I've added a check for the required PHP extension... it should now fail gracefully if not enabled.

I'd recommend rolling back to my version asap

GM. Today I will be mostly playing with #nostr code.

Just contributed a NIP-98 authentication solution to the YEGHRO Nostr login plugin for WordPress. If you use the plugin, upgrading to the latest version (1.5) is highly recommended for security.

If the election of the "wrong" party is the end of your world, your government is probably too large and overreaching.

Long live liberty, damn it!

Solo Satoshi chooses nostr:npub10pensatlcfwktnvjjw2dtem38n6rvw8g6fv73h84cuacxn4c28eqyfn34f as the receiver of our entire 102,000 sats donations obtained from NOSTR zaps.

OpenSats supports nostr:npub155m2k8ml8sqn8w4dhh689vdv0t2twa8dgvkpnzfggxf4wfughjsq2cdcvg which saved our business in the beginning stages due to being banned from fiat payment processors. We are forever grateful. 🧡

As our NOSTR platform continues to grow exponentially, we will continue to donate all zaps to open source #Bitcoin contributors and developers!

All set for Uptober?

I broke a tooth, and had to go to the dentist today to prepare it for a crown.

Amusingly (to me) the appointment was at 2:30 ("tooth hurty").

Now I'm sat with a numb mouth, feeling like an extra from the Godfather.

Anyhow, this unexpected expense and downtime prompted me to finally release some of my most useful WordPress plugins.

(I've been meaning to do it since about March).

I use these three WordPress plugins on pretty much every website I create.

I think you'll find them useful too.

https://www.cogmentis.com/#wordpress

Regards

Rob

"If you don't have proof of work, you don't have atoms that are in the real universe in your bitcoins"