user pain: perpetual fine grained permissions pop-up NIP-07 + nostr app

[alltheseas]

client initiating action

Android:

• [ ] Amethyst: Unusable, spams amber with 100+ decryption requests and NIP-42 auth even though I'm not viewing DMs

• [ ] 0xchat: one of the recent updates causes it to keep asking for NIP-42 auth events even after they are signed primal: - [ ] keeps asking me to sign a 6+ 10000300 events, but will eventually be usable after I sign 6+ of them

Web:

• [ ] I use nos2x-fox for NIP-07 signer
• [ ] yakihonne: last two times I visited it, it crashed by computer by opening too many decryption request windows ( partially an issue with nos2x-fox )
• [ ] primal.net: asks me to sign 4-5 kind 30078 events as soon as the app is open, but it does let me reject them
• [ ] snort.social: asks me to sign 2 events as soon as the apps opens, but after that its fine
• [ ] plebeian.market: wont stop asking me to sign NIP-98 events, but useable if I ignore them
• [ ] coracle.social: Asks me to sign NIP-42 events and a few decryption requests as soon as the app opens, and keeps asking for NIP-42 randomly as I use the app
• [ ] flotilla.social: asks for 6+ NIP-42 events as soon as the app opens, but is usable after signing one for each relay
• [ ] chachi.chat: same as flotilla, asks for NIP-42 for every relay and one decryption request. then becomes usable

client receiving or observing action (or lack thereof)

timestamp

For all the Nostr developers out there I challenge you to use your apps in manual approve mode ( no automatic signing ) with a signer like alby or amber. I'm willing to bet it will be almost unusable

I would say at least half of the apps I've seen built on Nostr just don't work unless you give the app full control over your key, by either pasting the nsec or giving it automatic signing privlages. This is bad UX and shows that the app does not respect the user at all. What's the point of having cryptographic signatures if I can only uses them in "sign everything" mode?

I will zap you 10k SATs if you post a screenshare in the next day or so of how well the app works or doesn't work with manual signing

https://njump.me/nevent1qqsyrkexauupu7ymcrraeqyjj5txyp2sdgtn5hcjrnnyr7mynvhx5lqequvdz

what happens

NIP-07 extension keeps asking for permissions. I must click yes tens and tens of times, which becomes tiring. As a solution I hit instead "authorize all", which defeats the purpose of asking for permission.

suggestion

related

see #189 #100

[alltheseas]

@franzaps reports this pain with

Primal Android + Amber (presumably)

I tried primal with this. It's not only literally unusable but you notice it's signing crap events of kind 1000160 and things like that.

[alltheseas]

I use nos2x and yeah, Coracle was really rough for a while because of relay authentication.

https://njump.me/nevent1qqsqft2xgp74pf0em524kgn8d628sr8x7h2c7x0mqpugdeqqlgrqzfcpz3mhxue69uhkummnw3ezummcw3ezuer9wcqs6amnwvaz7tmwdaejumr0dsq3gamnwvaz7tmjv4kxz7fwv3sk6atn9e5k7qg4waehxw309ahx7um5wghx66tvda6jumr0dsak7l29

[alltheseas]

@vitorpamplona @wcat7 @diegogurpegui @yakihonne @MarkoBraticevic @mbrat1 @v0l @zeSchlausKwab @staab @purrgrammer

Please see negative user experience feedback on respective app + signer combination

[purrgrammer]

Thanks for the heads up. I recently did some changes in chachi to not require NIP-42 signing unless you are using a group in that relay. I'll re-test with manual approval mode just in case.

[amunrarara]

Not sure if this is relevant, but I've encountered a similar issue with Gooti Signer on desktop browsers. Often freezes my entire PC for several minutes, had to remove it completely. Great UX elements, very bad performance. Already opened an issue on the repo.

[ericfj2140]

Is it possible for a signer to have preferences for auto sign by type?? Then build UX around natural language of what you are giving permission for and what you want to review. This would also help establish which clients are forcing “auto” on certain event types that maybe should not be “auto” (if you change apps with the same signer settings, they’ll be revealed)

Introduces onboarding friction but it probably belongs in the signer layer.

The answer that “all of them will be unusable in manual approve” is guaranteed. Users need this automation for even basic functionality. The core issue is that the users should be giving informed consent on how their identity is used… not that these complexities shouldn’t be abstracted / automated

[alltheseas]

Issue brought forward by @hzrd149

[fiatjaf]

I think there are two different issues here, one is decryption, the other is NIP-42 auth.

For the decryption I believe this is the solution: https://github.com/nostr-protocol/nips/pull/1647

[diegogurpegui]

In relation to the multiple popup windows, the latest version of nos2x-fox (published a while ago) only opens one popup windows and just queue the permission requests. It might solve the crashing issue... I hope.

The need to approve all of them still exist. I'm not sure this is something that can be avoided. Specially if the initial requirement is exactly to avoid the "approve all" if it can be avoided. There might be sites that ask for the exact same permission more than once so the signer might group them and approve them together, but I don't know how often this happens. Another approach could be to group similar requests, for example decryption of different private messages. For this, nos2x-fox (the one I can mostly talk about) has the "approve for X minutes" that can partially solve it.

[alltheseas]

The need to approve all of them still exist. I'm not sure this is something that can be avoided. Specially if the initial requirement is exactly to avoid the "approve all" if it can be avoided.

Do any of the signers provide time-bounded permissions? e.g. approve all nos-2x events next 1 hour; next 24 hours; 1 week etc?

Might time bounded approval approach do away with your signer pop-up friction @hzrd149 ?

[hzrd149]

Do any of the signers provide time-bounded permissions? e.g. approve all nos-2x events next 1 hour; next 24 hours; 1 week etc?

nos2x-fox does and amber just added support for it, so it does make it a little better experience using these apps.

However my original complaint wasn't about how many signing popup windows these apps have, but more that they are unusable unless you give them full access to sign events (some will just keep asking until you sign).

Its pretty much the same as giving them your nsec for the duration that your using the app. but as hodlbod pointed out here https://njump.me/nevent1qvzqqqqqqypzp978pfzrv6n9xhq5tvenl9e74pklmskh4xw6vxxyp3j8qkke3cezqy2hwumn8ghj7un9d3shjtnyv9kh2uewd9hj7qgjwaehxw309ahx7um5wf6k2tnrdakj7qpqevppj4u7avdzgxc64wez9u5f4eluhg7n4yz2h7h9qu49ayl4gw6sn8ge3c it is more of a high trust way of building nostr apps.

So my complaint isn't really an issue, its just me complaining that most nostr apps require the users full trust and I cant easily use them because of that.

[diegogurpegui]

I don't see a revolutionary way of this. Having "I don't want to give unchecked authorization to an app" and "I don't want to approve every single thing" at the same time seems quite difficult if not impossible. Kind of saying "I want to be the one to approve everything but I also don't want to approve everything". Unless someone comes with a cool idea. The only ones I can think of right now are along the lines of partial approve-all permissions. Like the ones on time (eg "approve for 5 mins") or the ones on specific type of permission (eg "approve decrypt messages"). The later is somehow implemented on nos2x-fox but in a very limited way that I think can be very much improved. A combination on both approaches can give the user the ability to go on the "high trust" route but only in specific scopes.