mirror of
https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git
synced 2026-06-17 16:40:31 +00:00
Make the NIP-55 signer callback robust against Amber URL rewriting
Amber drops the query string when it rebuilds the callback URL and
appends the signed event directly to the path. The mobile login page now
hands out path-based callback URLs (/auth/mobile/signed/{k1}/) so the
event arrives as the remainder of the path.
The new callback runs in the web middleware group: the signer opens it
in the system browser, which shares cookies with the in-app browser
session, so the flow completes immediately — a bridge page issues the
token and fires the einundzwanzig:// deep link. The LoginKey row is
still written as a fallback for the polling login page.
This commit is contained in:
HolgerHatGarKeineNode
@@ -49,6 +49,13 @@ Route::get('/auth/mobile/complete/{k1}', [MobileAuthController::class, 'complete
|
||||
->middleware('throttle:30,1')
|
||||
->name('auth.mobile.complete');
|
||||
|
||||
// NIP-55 signer callback (Amber): k1 in the path, the signer appends the
|
||||
// URL-encoded signed event after the trailing slash.
|
||||
Route::get('/auth/mobile/signed/{payload}', [MobileAuthController::class, 'signedCallback'])
|
||||
->where('payload', '.*')
|
||||
->middleware('throttle:30,1')
|
||||
->name('auth.mobile.signed');
|
||||
|
||||
Route::post('/auth/mobile/confirm', [MobileAuthController::class, 'confirm'])
|
||||
->middleware(['auth', 'throttle:30,1'])
|
||||
->name('auth.mobile.confirm');
|
||||
|
||||
Reference in New Issue
Block a user