I am thinking of adding this to nostr-login, it will need server-side support by the app ofc.

Questions:
- do you think there is any particularly good approach we could take that would help us make otp server api a nip?
- what if instead of the server issuing a session token, the client would generate a session key and sign the OTP with it; the server could use this npub as the session id, the client could use standardized stuff like nip98 to sign requests, etc. Is this a good idea?

Tricky… I am not sure if using a nostr key instead of a session token is a good idea, as it would need to be inherently less secure.

A session token can be a http only cookie, while a nostr key would need to be accessible to JavaScript in order to be useful, making it vulnerable to XSS.

If this leads to the conclusion that a session token shall be used, then a NIP doesn't make sense either, as it's not really a nostr centric thing anymore.

Good point. OK I will experiment with it too, maybe it's gonna be simpler with a simple cookie