Sorry, no proof. It's not working well :(
First there were nsec.app's popup showing up and disappearing. I've fixed that, apologies.
Now window.nostr.js doesn't notice the actual reply after auth_url popup is shown and I confirm, reply to 'connect' is delivered but nothing happens (still on login screen). I have to retry connecting (enter nip05, click connect), and since the same local key is reused the perms are already assigned, no auth_url is sent and then it gets through.
Also the modal doesn't fit the screen on mobile.
Also Logout should probably clear the local key, otherwise it's not really logout.
Thank you for the comprehensive bug report.
Why should it clear the local key? The local key is just a key for that client instance, it's not related to your identity, no?
That key has permissions granted. If it stays anyone can relogin in the app without me confirming, or can copy the key from localstore and reuse in other apps and devices. I click logout on a public pc to make sure noone from this pc can access my account.
I see, but this sounds like a broken design. If you depend on the app to keep keys safe then how is this any better than just pasting your nsec there and hoping for the best?
I think the full logout can only happen at the bunker side somehow.
I think it's a common action for logout button to clear local session info - cookies, token etc. Client might ask the server to destroy the token too if that's supported, but client should act in the interest of user and do it's best to destroy the session info locally. Well at least that's how I always thought about it.
These should all be fixed now. I've just logged in with nsec.app with no problem.
Oddbean new post about login | logout