pull down to refresh
8 sats \ 7 replies \ @03365d6a53 19 Aug 2023 \ on: Integrating a Nostr Client into a PWA App nostr
nooooo
never ever (ever) put a private key in a browser
Unfortunately there isn't a good solution yet for mobile signin to web apps. You have nostr connect / NIP-46 (which IS a good solution) but difficult for newbies
A second option is to have sign in via DM (send an auth token in a link via direct message) but they won't be able to sign events that way
if there are third options I'd like to know about them
putting a private key into a web app is just a big no no, unless it's a throwaway key.
Isn't most Nostr Clients browser-based? Every1 is using them. Can you expand why we should never put a pkey in a browser?
I heard we should use signing extensions instead, like Alby. There are mobile browsers that support extensions, that should fix the issue, or?
reply
Basically, as with Bitcoin, you should exercise extreme caution when entering your private key into a third-party platform, whether it be a clipboard, browser, or web client.
To minimize potential hazards on the web, it is recommended to use an extension like ours - where the open-source software (not the client) signs nostr events and your private keys do not touch any server (even Alby's one, it stays secure in your machine)
On mobile, yes, you currently need to copy and paste... for now! We hope developers will soon come up with a better solution.
Try www.getalby.com!
reply
Thank you.
reply
Many nostr clients are browser based, but that doesn't mean they are safe, if they are asking for private keys, you should assume that those keys are now compromised
The best ones use third party signers like getalby or nostr wallet connect.
As @Alby point out, there are no mobile browsers that support Nostr extensions, perhaps someone can correct me?
If you google you can find some that claim to support extensions, but when I've tried them, they don't work.
reply
Kiwi browser on mobile supports our extensions (but something stopped working on their side), and Firefox is about to introduce it soon.
However, they work within the browser - not to use in separate apps.
reply
hopefully kiwi will get that issue fixed, and FF will release soon!
Crazy that there are zero secure nostr web login options for mobile right now.
reply
yeah agreed... Thanks for the tip on NIP-46. I have to do more research.
It's tough because PWA's seem to be the easiest entry point into creating an agnostic app. I think in the interim I will simply make it clear that the nostr key, being stored in a browser, is to be considered a throw away while a solution like NIP-46 or similar is implemented.
This message on damus.io/web summarizes at least one of the inherent dangers pretty well :
Damus Web is down because there is someone trying to exploit browser loopholes to steal private keys. I would not recommend using a web client at this time. Damus iOS is not affected.
reply