pull down to refresh

Integrating a Nostr Client into a PWA App
175 sats \ 8 comments \ @atitlanio 19 Aug 2023 nostr
Hola Todos!
Can I nest a nostr PWA such as Snort.social or Iris.to inside another PWA?
The goal is that the parent PWA will have a user account that has a nostr key pair associated with it. I would then, on the same server, have, let's say, the snort client available to be served and when opened, it would auto login using the person's private key and remain in the same app "universe".
I want to link this up with LNBits so that the person has their wallet, nostr market stall, and a social forum all in one!
I did play around with it a bit and was able to do a bit of a hack by just setting the localStorage privateKey property and then launching the snort repo from the PWA. I have to flesh it out a little bit, but does this approach make sense?
write
preview
related posts
8 sats \ 7 replies \ @03365d6a53 19 Aug 2023
nooooo
never ever (ever) put a private key in a browser
Unfortunately there isn't a good solution yet for mobile signin to web apps. You have nostr connect / NIP-46 (which IS a good solution) but difficult for newbies
A second option is to have sign in via DM (send an auth token in a link via direct message) but they won't be able to sign events that way
if there are third options I'd like to know about them
putting a private key into a web app is just a big no no, unless it's a throwaway key.
reply
0 sats \ 5 replies \ @Zepasta 21 Aug 2023
Isn't most Nostr Clients browser-based? Every1 is using them. Can you expand why we should never put a pkey in a browser?
I heard we should use signing extensions instead, like Alby. There are mobile browsers that support extensions, that should fix the issue, or?
reply
109 sats \ 1 reply \ @Alby 22 Aug 2023
Basically, as with Bitcoin, you should exercise extreme caution when entering your private key into a third-party platform, whether it be a clipboard, browser, or web client.
To minimize potential hazards on the web, it is recommended to use an extension like ours - where the open-source software (not the client) signs nostr events and your private keys do not touch any server (even Alby's one, it stays secure in your machine)
On mobile, yes, you currently need to copy and paste... for now! We hope developers will soon come up with a better solution.
Try www.getalby.com!
reply
0 sats \ 0 replies \ @Zepasta 22 Aug 2023
Thank you.
reply
7 sats \ 2 replies \ @03365d6a53 22 Aug 2023
Many nostr clients are browser based, but that doesn't mean they are safe, if they are asking for private keys, you should assume that those keys are now compromised
The best ones use third party signers like getalby or nostr wallet connect.
As @Alby point out, there are no mobile browsers that support Nostr extensions, perhaps someone can correct me?
If you google you can find some that claim to support extensions, but when I've tried them, they don't work.
reply
10 sats \ 1 reply \ @Alby 22 Aug 2023
Kiwi browser on mobile supports our extensions (but something stopped working on their side), and Firefox is about to introduce it soon.
However, they work within the browser - not to use in separate apps.
reply
0 sats \ 0 replies \ @03365d6a53 22 Aug 2023
hopefully kiwi will get that issue fixed, and FF will release soon!
Crazy that there are zero secure nostr web login options for mobile right now.
reply
0 sats \ 0 replies \ @atitlanio OP 19 Aug 2023
yeah agreed... Thanks for the tip on NIP-46. I have to do more research. It's tough because PWA's seem to be the easiest entry point into creating an agnostic app. I think in the interim I will simply make it clear that the nostr key, being stored in a browser, is to be considered a throw away while a solution like NIP-46 or similar is implemented. This message on damus.io/web summarizes at least one of the inherent dangers pretty well :
Damus Web is down because there is someone trying to exploit browser loopholes to steal private keys. I would not recommend using a web client at this time. Damus iOS is not affected.
reply