I'm saving the nostr profile to the database, but I'm wondering if this is a sane way to login just with a nip05. Seems like anyone could generate a token and impersonate the user.
How can I do stuff in a hybrid nostr/database app with a nostr profile object and ensure people can't hack their account?
The approach we used (e.g. for https://js.nquiz.io) was based on Nostr Passport Auth - https://github.com/nosdav/passport-nostr
Basically you just use a signed note in the request header. No tokens needed! Just verify the event at backend with each request (signed, within a date range, comes from the correct domain etc)
reply
I'm not using express though. Nor am I using passport.
I can get the nip05 but I don't know how to authenticate a user (i.e. a sign-in). Is there some kind of secret token that getalby gives me back somehow?
I'm using ndk
reply
you don't need to use their library - check the implementation, it's just a few lines of code
You literally just sign an event and stick it in the auth header. This proves to backend that you control the private key, and that you are logging in to X website at X time.
This approach works with all signing mechanisms (nsecbunker, extensions, local key, signing device).
reply
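The flow described in the two answers above (client signs an event naming the site and the time, sticks it in the auth header, backend verifies signature, freshness and target on every request), as an added, self-contained example. This is not code from the thread, from passport-nostr or from ndk; it follows the NIP-98 HTTP Auth layout (kind 27235, `u` and `method` tags, `Authorization: Nostr <base64 event>`) and ships its own tiny pure-Python BIP340 Schnorr implementation purely so it runs offline. The function names, the demo key and the URLs are my own choices; a real app would use a vetted Schnorr library and let the user's extension or bunker do the signing.

```python
# Added example: Nostr signed-event HTTP auth (NIP-98 layout), client + server side.
# The Schnorr code below is a minimal BIP340 implementation for illustration only.
import base64, hashlib, json, secrets, time

# secp256k1 parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):  # affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(pt, k):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = _add(r, pt)
        pt, k = _add(pt, pt), k >> 1
    return r

def _tagged(tag, *parts):  # BIP340 tagged hash
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + b"".join(parts)).digest()

def _lift_x(x):  # x-only pubkey -> point with even y
    if x >= P: return None
    y2 = (pow(x, 3, P) + 7) % P
    y = pow(y2, (P + 1) // 4, P)
    return (x, y if y % 2 == 0 else P - y) if pow(y, 2, P) == y2 else None

def pubkey_from_seckey(sec: bytes) -> bytes:
    return _mul(G, int.from_bytes(sec, "big"))[0].to_bytes(32, "big")

def schnorr_sign(msg: bytes, sec: bytes, aux: bytes) -> bytes:
    d0 = int.from_bytes(sec, "big")
    pt = _mul(G, d0)
    d = d0 if pt[1] % 2 == 0 else N - d0
    px = pt[0].to_bytes(32, "big")
    t = (d ^ int.from_bytes(_tagged("BIP0340/aux", aux), "big")).to_bytes(32, "big")
    k0 = int.from_bytes(_tagged("BIP0340/nonce", t, px, msg), "big") % N
    r = _mul(G, k0)
    k = k0 if r[1] % 2 == 0 else N - k0
    rx = r[0].to_bytes(32, "big")
    e = int.from_bytes(_tagged("BIP0340/challenge", rx, px, msg), "big") % N
    return rx + ((k + e * d) % N).to_bytes(32, "big")

def schnorr_verify(msg: bytes, px: bytes, sig: bytes) -> bool:
    if len(px) != 32 or len(sig) != 64: return False
    pt = _lift_x(int.from_bytes(px, "big"))
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if pt is None or r >= P or s >= N: return False
    e = int.from_bytes(_tagged("BIP0340/challenge", sig[:32], px, msg), "big") % N
    R = _add(_mul(G, s), _mul(pt, N - e))
    return R is not None and R[1] % 2 == 0 and R[0] == r

def event_id(ev: dict) -> str:  # NIP-01 event id: sha256 of the canonical serialization
    ser = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode()).hexdigest()

# Client side: sign an event that names the exact URL, method and time, no token involved.
def make_auth_header(sec: bytes, url: str, method: str, now: int) -> str:
    ev = {"pubkey": pubkey_from_seckey(sec).hex(), "created_at": now, "kind": 27235,
          "tags": [["u", url], ["method", method]], "content": ""}
    ev["id"] = event_id(ev)
    ev["sig"] = schnorr_sign(bytes.fromhex(ev["id"]), sec, secrets.token_bytes(32)).hex()
    return "Nostr " + base64.b64encode(json.dumps(ev).encode()).decode()

# Server side: run on every request; returns the caller's pubkey or None if anything is off.
def verify_auth_header(header: str, url: str, method: str, now: int, max_skew: int = 60):
    if not header.startswith("Nostr "): return None
    try:
        ev = json.loads(base64.b64decode(header[6:]))
        tags = {t[0]: t[1] for t in ev["tags"] if len(t) >= 2}
        if ev["kind"] != 27235: return None                       # not an auth event
        if abs(now - ev["created_at"]) > max_skew: return None    # stale or replayed
        if tags.get("u") != url or tags.get("method") != method:  # signed for another target
            return None
        if event_id(ev) != ev["id"]: return None                  # fields were tampered with
        ok = schnorr_verify(bytes.fromhex(ev["id"]), bytes.fromhex(ev["pubkey"]), bytes.fromhex(ev["sig"]))
    except (KeyError, TypeError, ValueError):
        return None
    return ev["pubkey"] if ok else None

if __name__ == "__main__":
    sec = (3).to_bytes(32, "big")  # constructed demo key; never hard-code a real one
    now = int(time.time())
    hdr = make_auth_header(sec, "https://example.com/api/me", "GET", now)
    print(verify_auth_header(hdr, "https://example.com/api/me", "GET", now))         # pubkey hex
    print(verify_auth_header(hdr, "https://example.com/api/me", "GET", now + 600))   # None: expired
```

The server keeps no session secret at all: the pubkey recovered from a valid header is the identity, and the nip05 lookup only maps that pubkey to a display name. Comparing the `u` tag against the full request URL is stricter than the "correct domain" check mentioned above; relax it to a host comparison if your routes are many, but never skip it, since an event signed for one site must not authenticate to another.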
Sorry, can you give me some pseudo code? I'm new at this.
reply