Problem
Currently, when a user wants to log in to place orders, the marketplace prompts them to paste their Nostr private key (nsec) directly into a text field.
This is a security concern because:
- The private key is exposed to the website and could be logged, stolen, or leaked
- Users must fully trust the LNbits operator with their Nostr identity
- There's no isolation between the key and the web application
- Keys stored in localStorage are accessible to browser extensions and vulnerable to XSS attacks
Proposed Solution
Implement NIP-07 support to allow users to sign in using browser extensions like:
With NIP-07, the private key never leaves the secure extension. The website only requests signatures when needed, and the user approves each request.
Implementation Notes
The standard approach is to check for `window.nostr` and use:

```javascript
// Check if a NIP-07 extension is installed (it injects window.nostr)
// Note: the awaits below must run inside an async function or an ES module
if (window.nostr) {
  // Get the user's public key (hex); the private key stays in the extension
  const pubkey = await window.nostr.getPublicKey();
  // Sign events when needed; `event` is the unsigned event (kind, created_at, tags, content)
  // and the extension prompts the user to approve the signature
  const signedEvent = await window.nostr.signEvent(event);
}
```
Similar functionality should be added to https://github.com/EdenWeeks/eden-weeks-art as well.
Additional Context
- The "Generate" button for creating ephemeral keys is fine for testing/browsing
- For users who want to use their real Nostr identity, NIP-07 is the secure standard
- Consider also supporting NIP-46 (Nostr Connect) for remote signing