Egge
npub1mhc…c226
2025-01-02 10:09:25


One of my primary goals for the next iteration of npub.cash is to make authorization simpler, while keeping a high level of security.

The new version no longer relies on NIP-98 alone but on a mix of NIP-98 and JWTs. Most of the protected endpoints can be accessed by providing a valid auth token. This token can be obtained by providing a valid NIP-98 event ONCE. At the same time, all endpoints still accept valid NIP-98 headers instead of the JWT (this is great for apps that have full access to nsecs).

By default withdrawing is not possible using a JWT. However, users can opt-in to withdrawals using JWTs by signaling this when acquiring their auth token using NIP-98.

This keeps things secure, while at the same time reducing NIP-07 friction a lot. Reduced NIP-07 friction also means higher security, because it makes sure users are not bullied into insecure default settings for their signers.

Finally, this opens up the possibility of OTP logins via nostr DMs. Instead of obtaining a JWT using NIP-98, users can get one by providing an OTP that the service sends via a secure nostr DM. I am still figuring out the best defaults for this, but I think the best way would be to require a second OTP on withdrawals.
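As an added example (not npub.cash code), here is the dual-path authorization the post describes, in Python with only the standard library: NIP-98 structural checks (kind 27235, `u` and `method` tags, a fresh `created_at`) with the Schnorr signature check delegated to a caller-supplied verifier, an HS256 JWT that records the withdraw opt-in made at login, and an `authorize` gate that accepts NIP-98 everywhere but lets a JWT withdraw only when that flag was set. The HMAC secret, the 60-second window and the one-hour token lifetime are assumptions.

```python
import base64, hashlib, hmac, json
SECRET = b"constructed-demo-secret"  # assumption: server-side HMAC key, never sent to clients
NIP98_KIND = 27235                   # event kind defined by NIP-98
CLOCK_SKEW = 60                      # assumed acceptance window for created_at, in seconds
def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_nip98(header: str, url: str, method: str, now: int, sig_ok) -> str:
    """Validate 'Authorization: Nostr <base64 event>' and return its pubkey; sig_ok is the caller's Schnorr verifier (not implemented here)."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Nostr":
        raise PermissionError("not a NIP-98 header")
    ev = json.loads(base64.b64decode(payload))
    tags = {t[0]: t[1] for t in ev["tags"] if len(t) >= 2}
    if ev["kind"] != NIP98_KIND or tags.get("u") != url or tags.get("method") != method:
        raise PermissionError("NIP-98 event does not match this request")
    if abs(now - ev["created_at"]) > CLOCK_SKEW or not sig_ok(ev):
        raise PermissionError("NIP-98 event is stale or its signature is invalid")
    return ev["pubkey"]

def issue_jwt(pubkey: str, allow_withdraw: bool, now: int, ttl: int = 3600) -> str:
    """Mint an HS256 JWT after a NIP-98 login; 'withdraw' records the user's opt-in."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"sub": pubkey, "withdraw": allow_withdraw, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def check_jwt(token: str, now: int) -> dict:
    """Verify the MAC over header.body (the header's alg field is never trusted) and the expiry."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        raise PermissionError("JWT signature mismatch")
    claims = json.loads(b64url_decode(body))
    if claims["exp"] <= now:
        raise PermissionError("JWT expired")
    return claims

def authorize(auth_header: str, url: str, method: str, withdraw_endpoint: bool, now: int, sig_ok) -> str:
    """The post's rule: NIP-98 is always accepted; a JWT may withdraw only if it opted in."""
    if auth_header.startswith("Nostr "):
        return check_nip98(auth_header, url, method, now, sig_ok)
    if not auth_header.startswith("Bearer "):
        raise PermissionError("unsupported Authorization scheme")
    claims = check_jwt(auth_header[len("Bearer "):], now)
    if withdraw_endpoint and not claims["withdraw"]:
        raise PermissionError("withdrawals need NIP-98 unless the token opted in")
    return claims["sub"]
```

In production the `sig_ok` callable would be a real BIP-340 verifier over the event id, and the JWT secret would come from a key store rather than a constant.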
Author Public Key
npub1mhcr4j594hsrnen594d7700n2t03n8gdx83zhxzculk6sh9nhwlq7uc226