 Server should provide two API endpoints: one accepts an npub and should send the one-time code as a DM. The other accepts the code and should either set a cookie or return some payload identifying the session. Nostr-login will pass that payload with the onAuth event so you could use it to make future API calls. Codes should be bound to the npub and expire.
 I did something similar:
- User enters npub to authorize
- Server visually displays the one-time code and also sends it in an encrypted DM to the user.
- User visually confirms the DM code is the same and replies ‘OK’ if satisfied.
- Server listens for a decrypted DM ‘OK’ from that npub where event.created_at > the created_at of the DM the server sent.
- If ‘OK’, sets a login-ok status for a one-time query.
- Browser client polls for the one-time status; if login is True, a session cookie is set for logged in and the status is cleared.

I had this all working for NIP-04, now upgrading to NIP-17.
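The server-side state for both flows in this thread (the two-endpoint code check from the first post and the DM ‘OK’ + polling flow from the second), written up as an added example; this is not code from either poster, not nostr-login's code, and it does not send or receive real DMs. The 300-second code TTL, the 5-attempt limit, the in-memory dicts and the npub strings used in the comments are all assumptions for illustration; a real server would persist this state and plug the DM send/receive into its NIP-04 or NIP-17 handling.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

CODE_TTL = 300       # seconds a one-time code stays valid (assumption)
MAX_ATTEMPTS = 5     # wrong submissions before the pending login is voided (assumption)


@dataclass
class PendingLogin:
    npub: str
    code: str
    sent_at: int          # created_at of the DM the server sent with the code
    expires_at: int
    attempts: int = 0
    confirmed: bool = False


class LoginServer:
    """In-memory server state for npub + one-time-code login.

    verify_code(): browser submits the code it received by DM (two-endpoint design).
    handle_dm() + poll_status(): user replies 'OK' by DM after checking the code on
    screen matches the DM; the browser polls and the status is cleared once read.
    Actual DM transport (NIP-04 / NIP-17 encryption, relays) is out of scope here.
    """

    def __init__(self) -> None:
        self.pending: dict = {}    # login_id -> PendingLogin
        self.sessions: dict = {}   # session token -> npub

    @staticmethod
    def _now(now: Optional[int]) -> int:
        return int(time.time()) if now is None else now

    def start_login(self, npub: str, now: Optional[int] = None) -> Tuple[str, str]:
        """Endpoint 1: accept an npub, create a code bound to it, return (login_id, code).
        The caller displays the code and sends it to npub in an encrypted DM."""
        now = self._now(now)
        login_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10 ** 6):06d}"          # 6-digit, CSPRNG-generated
        self.pending[login_id] = PendingLogin(npub, code, now, now + CODE_TTL)
        return login_id, code

    def _new_session(self, npub: str) -> str:
        token = secrets.token_urlsafe(32)                    # opaque session identifier
        self.sessions[token] = npub
        return token

    def verify_code(self, npub: str, code: str, now: Optional[int] = None) -> Optional[str]:
        """Endpoint 2: accept a code; succeed only if it is bound to this npub,
        unexpired and unused. Returns a session token or None."""
        now = self._now(now)
        for login_id, p in list(self.pending.items()):
            if p.npub != npub:
                continue
            if now > p.expires_at:
                del self.pending[login_id]                   # expired: drop it
                continue
            if hmac.compare_digest(p.code, code):            # constant-time compare
                del self.pending[login_id]                   # single use
                return self._new_session(npub)
            p.attempts += 1
            if p.attempts >= MAX_ATTEMPTS:
                del self.pending[login_id]                   # brute-force limit
        return None

    def handle_dm(self, npub: str, content: str, created_at: int) -> bool:
        """Decrypted DM from npub. Accept 'OK' only if the event is strictly newer
        than the DM we sent and the login has not expired. Returns True if confirmed."""
        if content.strip() != "OK":
            return False
        for p in self.pending.values():
            if (p.npub == npub and not p.confirmed
                    and p.sent_at < created_at <= p.expires_at):
                p.confirmed = True
                return True
        return False

    def poll_status(self, login_id: str, now: Optional[int] = None) -> Optional[str]:
        """Browser polls here. Returns a session token exactly once after the
        'OK' DM was seen, then clears the pending login."""
        now = self._now(now)
        p = self.pending.get(login_id)
        if p is None:
            return None
        if now > p.expires_at:
            del self.pending[login_id]
            return None
        if not p.confirmed:
            return None
        del self.pending[login_id]                           # status cleared once read
        return self._new_session(p.npub)


if __name__ == "__main__":
    srv = LoginServer()
    lid, code = srv.start_login("npub1alice", now=1000)      # constructed npub
    print("code shown on screen and DMed:", code)
    srv.handle_dm("npub1alice", "OK", created_at=1001)
    print("session after OK reply:", srv.poll_status(lid, now=1002))
```

The two checks worth keeping whichever variant you pick: the code or ‘OK’ is tied to the npub that started the login (a DM from a different npub is ignored), and the ‘OK’ event must have a created_at strictly greater than the DM the server sent, so a replayed older ‘OK’ cannot satisfy a fresh login.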