Lightning-powered authentication with LNURL

[jowo-io]

Description 📓

It'd be awesome to start a discussion around the integration of Lightning Auth within the next-auth library.

What is Lightning

The Lightning Network is a second layer for Bitcoin that uses micropayment channels to scale the blockchain’s capability and handle transactions more efficiently and more cheaply.

What is LNURL

LNURL is a protocol for communication between Lightning wallets and external applications and third-party services.

Examples of LNURL using next-auth

Demo app

I put together this demo app using LNURL + next-auth.

Try the app hosted on Vercel: https://lnurl-next-auth-demo.vercel.app/

Inspect the app's code on GitHub: https://github.com/jowo-io/lnurl-next-auth-demo

Stacker.news

A prominent example of LNURL + next-auth is https://stacker.news

Give it a try, it's really seamless! Just download a Lightning wallet like Blixt or BlueWallet. Then, scan the QR on stacker.news, and you're authed!

Here's a link to the stacker.news GitHub

Benefits

• As I understand it, there are currently over 2 million Lightning users, and that number is rapidly growing.
• According to some estimates, there are over 100 million Bitcoin users. It's just a matter of time before they also become Lightning users. Going forwards, the potential addressable market is huge.
• next-auth is the best and most robust solution for self-hosted auth with Next.js. Adding Lightning auth will help to expand and solidify next-auth's offering.

Motivation

Improved documentation around implementation of, nuances around, and best practices for, LNURL auth using next-auth would be extremely valuable for those people developing Next.js apps on the Lightning network.

Currently, up to date, clear, concise and reliable information is very hard to find. I'd love to change that!

I have the time, interest, motivation and skills to contribute and work on this feature request: developing a LNURL based next-auth provider, or, if for technical reasons that is not currently feasible, writing technical documentation around LNURL based auth with next-auth.

How to reproduce ☕️

Try the app hosted on Vercel: https://lnurl-next-auth-demo.vercel.app/

Inspect the app's code on GitHub: https://github.com/jowo-io/lnurl-next-auth-demo

Contributing 🙌🏽

Yes, I am willing to help implement this feature in a PR

[ekzyis]

Great idea @jowo-io! I would also love to see this included in next-auth.

Additional benefits:

• future websites which use next-auth anyway don't have to come up with their own implementation of this spec which could include bugs; leading to severe security issues
• Maximum possible privacy by default. New users can register without exposing any PII. Per the spec, the site only receives a public key which is unique per domain. If a site needs more information, it can request more information from the user after signup.
• it's password-less

For a complete view on this, here are some downsides:

• no key rotation included in the spec
• no separation of concern (most of the times, users use the private key of a wallet which also holds funds)
• no linking of multiple keys included in the spec (linking multiple lightning logins stackernews/stacker.news#164)

source: https://stacker.news/items/98659 by @TonyGiorgio

Some resources:

• LUD-04: auth base spec
• lnurl-auth explained by @fiatjaf
• Lightning authentication (LNURL-Auth)
• Also relevant code for our implementation of LNURL-auth: https://github.com/stackernews/stacker.news/blob/master/pages/api/lnauth.js

Other production-ready (?) implementations:

• https://github.com/chill117/passport-lnurl-auth
• ... ???

[jowo-io]

I'm currently working on an independent package that will interest those who stumble on this thread looking for a simple way to integrate Lightning auth within their next-auth stack.

It's currently a WIP, so anyone that wants to follow along with development or leave comments are welcome to do so here: https://github.com/jowo-io/next-auth-lightning-provider

Hoping to have this ready soon for next-auth@v4 and v5 to follow after that.

[jowo-io]

Reviewers and testers wanted

The https://github.com/jowo-io/next-auth-lightning-provider project has just moved out of alpha and into beta. It's time to polish things up and prepare the project for a stable release! Help wanted to get things across the line.

About the project:

A light-weight Lightning auth provider for your Next.js app that's entirely self-hosted and plugs seamlessly into the next-auth framework.

You can find the project on npm and GitHub

Technical review

Focus

If you're a JavaScript or TypeScript engineer, or have an understanding of React, OAuth, lnurl-auth, Next.js, next-auth or OSS in general, you can help by taking a look at the codebase and leaving your thoughts on:

In order of importance:

• Security - are there any security concerns that I've overlooked?
• Installation - do you have a Next.js app that uses next-auth? Install this package and let me know how it goes!
• Use-cases - are there any use cases or scenarios that I should add support for?
• Implementation - would you implement things differently in the codebase and why?
• Any other suggestions

Avoid

At this late stage in the project development, please avoid small syntactical suggestions or opinionated coding style suggestions. No nit-picking please :)

Leaving a review

I'd suggest opening an issue on GitHub before opening a PR, so feel free. Otherwise you can simply leave comments on here on SN.

Further reading

Further discussion can be found at https://stacker.news/items/357265