pull down to refresh

create an account in the db for a nostr client
10 sats \ 4 comments \ @GlobalThreat 30 Nov 2023 nostr
I'm saving the nostr profile to the database, but I'm wondreing if this is a sane way to login just with a nip05. seems like anyone could generate a token and impersonate the user.
How can I do stuff in a hybrid nostr/database app with a nostr profile object and ensure people can't hack their account?
write
preview
related posts
0 sats \ 3 replies \ @nquiz 30 Nov 2023
The approach we used (eg for https://js.nquiz.io) was based on Nostr Passport Auth - https://github.com/nosdav/passport-nostr
Basically you just use a signed note in the request header. No tokens needed! Just verify the event at backend with each request (signed, within a date range, comes from the correct domain etc)
reply
0 sats \ 2 replies \ @GlobalThreat OP 30 Nov 2023
I'm not using express though. Nor am I using passport.
I can get the nip05 but I don't know how to authenticate a user (ie: a signin). is there some kind of secret token that getalby gives me back somehow?
I'm using ndk
reply
0 sats \ 1 reply \ @nquiz 30 Nov 2023 freebie
you don't need to use their library - check the implementation, it's just a few lines of code
You literally just sign an event and stick it in the auth header. This proves to backend that you control the private key, and that you are logging in to X website at X time.
This approach works with all signing mechanisms (nsecbunker, extensions, local key, signing device).