Semisol
> Looks good, as long as the server doesn't use the identifier as the session cookie.
>
> `created_at` check (must be < 5 minutes from the request) could also...
> I don't get this at all. What happens when you click? Who is going to handle that link? I think it's better to let websites come up with their...
> > not everyone has an extension. the point of this is if you don't have an extension, you could just scan a QR code/click a link and prove you...
> What about NIP-46?

@fiatjaf This is for use cases where you don't need signing access and only need to prove your ownership of a key.
> What are the security trade-offs? I am assuming it's less secure than NIP-98, but it's not 100% clear how. Perhaps a security considerations section in the NIP could explain...
> I think pushing npubs as a login mechanism is a bit sketchy, because once your key leaks you basically have doors wide open into all the websites you visit....
> Agreed. The only downside of implementing the HTTP capacitor plugin would be that the app can no longer be tested in the browser because of CORS restrictions. That will...
I do not know how any of this native stuff works. All I have to say is I would not want to trust my token with a service, and others...
> @CodeLikeCrazE Yeah, we know. He's referring to the fact that he emailed me ([[email protected]](mailto:[email protected])) directly.
>
> @Semisol I'm no security expert, and I'm a frontend dev. Security is...
> This is a really good idea, this would be super helpful. Yeah. But if the rewrite works out then this would not be needed.