For push notifications to work, we need the client device's random device token given by Apple.
As of writing, strfry-push-notify uses a simple HTTPS endpoint to receive the device tokens and the corresponding pubkey.
Currently all relay notes are public so it is not much of a concern. However, when DM authentication on the relays is implemented, we need to ensure only the true holder of a pubkey is allowed to register their device token, so as to avoid leaking DM metadata.
Acceptance criteria:
Only the true holder of the private key is allowed to associate a device token with their pubkey.
We can leverage existing Nostr infrastructure to cryptographically sign a note (e.g. we can use https://github.com/jb55/nostr-js on the server-side).
We should also put some thought into hardening security (e.g. putting a timestamp or some info in the signed message to prevent replay attacks, etc.).
Note: We wrote some code for NIP-98 authentication during #1809. We can probably push that to https://github.com/jb55/nostr-js and reuse it for this server.
Builds on #67
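
The acceptance criterion and the replay-hardening idea above, sketched as an added example (not code from strfry-push-notify or nostr-js): a NIP-98-style check that ties a signed event to one registration request. The request shape, the 60-second window, the `seen` cache and the caller-supplied `verifySig` (a BIP-340 verifier from whichever Nostr library the server uses) are assumptions.

```javascript
// Added example (not project code): NIP-98-style checks for device-token registration.
const { createHash } = require("node:crypto");

const sha256hex = (s) => createHash("sha256").update(s, "utf8").digest("hex");
const fail = (reason) => ({ ok: false, reason });
const tagValue = (ev, name) =>
  (ev.tags.find((t) => Array.isArray(t) && t[0] === name) || [])[1];

// NIP-01 event id: sha256 over [0, pubkey, created_at, kind, tags, content].
function eventId(ev) {
  return sha256hex(JSON.stringify([0, ev.pubkey, ev.created_at, ev.kind, ev.tags, ev.content]));
}

// req = { authorization, method, url, body, pubkey }, where pubkey is the key the
// caller wants the device token associated with (hypothetical request shape).
// verifySig(id, pubkey, sig) is a caller-supplied BIP-340 verifier (assumption).
function checkRegistration(req, verifySig, opts = {}) {
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  const maxSkew = opts.maxSkew ?? 60; // seconds, assumed freshness window
  const seen = opts.seen ?? new Set(); // event ids already accepted
  let ev;
  try {
    const [scheme, b64] = (req.authorization || "").split(" ");
    if (scheme !== "Nostr" || !b64) return fail("missing Nostr authorization");
    ev = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch {
    return fail("malformed event");
  }
  if (!ev || !Array.isArray(ev.tags)) return fail("malformed event");
  if (ev.kind !== 27235) return fail("wrong kind"); // NIP-98 HTTP auth kind
  if (!Number.isInteger(ev.created_at) || Math.abs(now - ev.created_at) > maxSkew)
    return fail("stale timestamp");
  if (tagValue(ev, "u") !== req.url) return fail("url mismatch");
  if (tagValue(ev, "method") !== req.method) return fail("method mismatch");
  // The payload tag is optional in NIP-98; requiring it binds the signature to the token.
  if (tagValue(ev, "payload") !== sha256hex(req.body)) return fail("payload mismatch");
  if (ev.pubkey !== req.pubkey) return fail("pubkey mismatch");
  if (ev.id !== eventId(ev)) return fail("bad event id");
  if (!verifySig(ev.id, ev.pubkey, ev.sig)) return fail("bad signature");
  if (seen.has(ev.id)) return fail("replayed event");
  seen.add(ev.id);
  return { ok: true, reason: "accepted" };
}
```

Entries in `seen` only need to be kept for as long as the freshness window, since older events are already rejected by the timestamp check.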