damus icon indicating copy to clipboard operation
damus copied to clipboard

Published 20 hours ago verified publisher icon damus-io

Push Notifications: Device token authentication

Open alltheseas opened this issue 2 years ago • 1 comments

Builds on #67

For push notifications to work, we need the client device's random device token given by Apple.

As of writing, strfry-push-notify uses a simple HTTPS endpoint to receive the device tokens and the corresponding pubkey.

Currently all relay notes are public so it is not much of a concern. However, when DM authentication on the relays is implemented, we need to ensure only the true holder of a pubkey is allowed to register their device token, so as to avoid leaking DM metadata.

Acceptance criteria:

  • [ ] Only the true holder of the private key is allowed to associate a device token with their pubkey.
    • We can leverage existing Nostr infrastructure to cryptographically sign a note (e.g. we can use https://github.com/jb55/nostr-js on the server-side)
  • [ ] We should also put some thought into hardening security (e.g. putting a timestamp or some info in the signed message to prevent replay attacks, etc)

alltheseas avatar Nov 13 '23 17:11 alltheseas

Note: We wrote some code for NIP-98 authentication during https://github.com/damus-io/damus/issues/1809. We can probably push that to https://github.com/jb55/nostr-js and reuse it for this server.

danieldaquino avatar Dec 16 '23 00:12 danieldaquino

@danieldaquino advises: has non-optimal solution

alltheseas avatar May 20 '24 16:05 alltheseas

This will be resolved alongside #1704. Patch sent: https://groups.google.com/a/damus.io/g/patches/c/9roECAoeZBk

danieldaquino avatar May 21 '24 04:05 danieldaquino