Refactor Nostr auth, add login via Nostr (web extension) #188

Merged
raucao merged 4 commits from feature/nostr_login into master 2024-05-10 11:01:01 +00:00
Owner

Changes the Nostr event type we use to be an auth event according to NIP-42, and adds support for logging in via Nostr web extension (e.g. Alby) instead of a password.

This results in a much nicer dialog than (ab)using the default short note event type, since the challenge and site name can be handed over in tags instead of message content. Alby, and I assume other clients, will also show that this is an authentication event and allow skipping the confirmation prompt for future events of the same type. So you can allow logging in automatically (i.e. without an extra popup window and click), but not signing any other events automatically.

The Nostr login option will only be shown when a Nostr web extension is installed and enabled. Otherwise it simply stays hidden on the login page.

raucao added the
kredits-2
feature
labels 2024-04-01 16:12:06 +00:00
raucao added 3 commits 2024-04-01 16:12:07 +00:00
* Use NIP-42 auth event instead of short text note
* Verify event ID and signature using the nostr gem instead of custom code
Add login via nostr (web extension)
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
945eaba5e1
raucao requested review from bumi 2024-04-01 16:12:11 +00:00
raucao added 1 commit 2024-04-15 12:03:14 +00:00
Merge branch 'master' into feature/nostr_login
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
Release Drafter / Update release notes draft (pull_request) Successful in 4s
d9dff3e872
Author
Owner

@bumi Any chance you could give this your seal of approval?

bumi approved these changes 2024-05-10 09:28:05 +00:00
@ -0,0 +23,4 @@
def nostr_login
signed_event = Nostr::Event.new(**nostr_event_from_params)
is_valid_sig = signed_event.verify_signature
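Review bot: `is_valid_sig = signed_event.verify_signature` only establishes that the holder of the key behind `pubkey` signed the event; the remainder of `nostr_login` should also check that the event `kind` is the NIP-42 auth kind (22242), that the challenge tag equals this session's shared secret (the binding the discussion below relies on), and that `created_at` is recent, before looking the user up by pubkey. Since `nostr_event_from_params` is splatted straight into `Nostr::Event.new`, it is also worth confirming that unexpected or missing keys from the request are rejected cleanly rather than raising an unhandled `ArgumentError`.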
Owner

so because the event signature is correct and because that event contains the session shared_secret I can trust that it's the user with the pubkey to log in. 🤔

Author
Owner

Yes, when the signature is correct, we know that the owner of the privkey signed it (unless someone stole their key), so we can look up the user via the pubkey from that event/note.

The shared secret is to ensure that no other, evil site tried to obtain an auth event from the user, because the other site cannot know our shared secret.

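The two halves of the reasoning in this thread (the signature proves who holds the key; the shared secret in the event proves the event was made for this site and session) put together as an added example. This is not code from this PR or from the nostr gem: a pure-Ruby BIP340 signer and verifier stands in for the gem so the sample runs offline, `build_auth_event` models what a web extension would sign, and `verify_nostr_login` is the server-side check. The tag layout (site in the `relay` tag, session secret in the `challenge` tag), the function names and the key and secret values are assumptions constructed for the example.

```ruby
# Added example, not code from PR #188 or the nostr gem: NIP-42 auth event as login proof.
require "digest"
require "json"

P = 2**256 - 2**32 - 977 # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 # group order
G = [0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8]
NOSTR_AUTH_KIND = 22242 # NIP-42 client authentication event kind

# Affine point addition and doubling on secp256k1; nil is the point at infinity.
def point_add(a, b)
  return b if a.nil?
  return a if b.nil?
  if a[0] == b[0]
    return nil unless a[1] == b[1]
    lam = 3 * a[0] * a[0] * (2 * a[1]).pow(P - 2, P) % P
  else
    lam = (b[1] - a[1]) * ((b[0] - a[0]) % P).pow(P - 2, P) % P
  end
  x = (lam * lam - a[0] - b[0]) % P
  [x, (lam * (a[0] - x) - a[1]) % P]
end

def point_mul(pt, k) # double-and-add scalar multiplication
  acc = nil
  while k > 0
    acc = point_add(acc, pt) if k.odd?
    pt = point_add(pt, pt)
    k >>= 1
  end
  acc
end

def tagged_hash(tag, msg) # BIP340 tagged hash
  t = Digest::SHA256.digest(tag)
  Digest::SHA256.digest(t + t + msg)
end

def lift_x(x) # x-only pubkey -> even-y point, or nil if not on the curve
  return nil if x >= P
  y_sq = (x.pow(3, P) + 7) % P
  y = y_sq.pow((P + 1) / 4, P)
  return nil unless y * y % P == y_sq
  [x, y.even? ? y : P - y]
end

def int_from(bytes); bytes.unpack1("H*").to_i(16); end
def bytes_from(i); [i.to_s(16).rjust(64, "0")].pack("H*"); end

# BIP340 Schnorr signing of a 32-byte message (here: the Nostr event id).
def schnorr_sign(msg32, seckey_hex, aux = "\x00" * 32)
  d0 = seckey_hex.to_i(16)
  pub = point_mul(G, d0)
  d = pub[1].even? ? d0 : N - d0
  px = bytes_from(pub[0])
  t = bytes_from(d ^ int_from(tagged_hash("BIP0340/aux", aux)))
  k0 = int_from(tagged_hash("BIP0340/nonce", t + px + msg32)) % N
  r = point_mul(G, k0)
  k = r[1].even? ? k0 : N - k0
  rx = bytes_from(r[0])
  e = int_from(tagged_hash("BIP0340/challenge", rx + px + msg32)) % N
  rx + bytes_from((k + e * d) % N)
end

def schnorr_verify(msg32, pubkey_hex, sig_hex)
  pub = lift_x(pubkey_hex.to_i(16))
  sig = [sig_hex].pack("H*")
  return false if pub.nil? || sig.bytesize != 64
  r, s = int_from(sig[0, 32]), int_from(sig[32, 32])
  return false if r >= P || s >= N
  e = int_from(tagged_hash("BIP0340/challenge", sig[0, 32] + bytes_from(pub[0]) + msg32)) % N
  rr = point_add(point_mul(G, s), point_mul(pub, N - e)) # s*G - e*P
  !rr.nil? && rr[1].even? && rr[0] == r
end

# NIP-01 event id, recomputed from the fields instead of trusted from the request.
def event_id(ev)
  Digest::SHA256.hexdigest(JSON.generate([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]]))
end

# What the extension signs: session secret as the challenge tag, site as the relay tag (assumed layout).
def build_auth_event(seckey_hex, challenge:, relay:, created_at:)
  pubkey = point_mul(G, seckey_hex.to_i(16))[0].to_s(16).rjust(64, "0")
  ev = { "pubkey" => pubkey, "created_at" => created_at, "kind" => NOSTR_AUTH_KIND,
         "tags" => [["relay", relay], ["challenge", challenge]], "content" => "" }
  ev["id"] = event_id(ev)
  ev["sig"] = schnorr_sign([ev["id"]].pack("H*"), seckey_hex).unpack1("H*")
  ev
end

def secure_equal(a, b) # constant-time compare for the challenge value
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

# Server side. The signature proves key possession only; kind, challenge, site and
# timestamp checks bind the event to this login attempt on this site.
def verify_nostr_login(ev, session_secret:, expected_relay:, now:, max_age: 600)
  return [false, "wrong kind"] unless ev["kind"] == NOSTR_AUTH_KIND
  return [false, "id mismatch"] unless ev["id"] == event_id(ev)
  return [false, "bad signature"] unless schnorr_verify([ev["id"]].pack("H*"), ev["pubkey"], ev["sig"])
  tags = ev["tags"].to_h { |t| [t[0], t[1]] }
  return [false, "challenge mismatch"] unless secure_equal(tags["challenge"].to_s, session_secret)
  return [false, "wrong site"] unless tags["relay"] == expected_relay
  return [false, "stale event"] unless (now - ev["created_at"]).abs <= max_age
  [true, ev["pubkey"]] # caller looks the account up by this pubkey
end
```

Usage: `build_auth_event("7" * 64, challenge: secret, relay: site, created_at: Time.now.to_i)` with a throwaway key produces an event that `verify_nostr_login(ev, session_secret: secret, expected_relay: site, now: Time.now.to_i)` accepts, returning `[true, pubkey]`; the same event replayed with a different session secret, a different site, a tampered field or an old timestamp is rejected with the reason named. The order of checks matters: the cheap structural checks come first, and the challenge is compared in constant time because it is the one secret in the exchange.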
raucao merged commit 46fa42e387 into master 2024-05-10 11:01:01 +00:00
raucao deleted branch feature/nostr_login 2024-05-10 11:01:01 +00:00