einundzwanzig/einundzwanzig-verein
1
0
Fork 0
mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-nostr.git synced 2026-05-23 13:15:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(auth): require signed NIP-42 event for Nostr login

Browse Source 
Closes a security flaw where the server trusted any pubkey the client
sent. The frontend now signs a per-session, time-bound challenge
(kind-22242 event) that the backend verifies with swentel/nostr-php
before establishing the session.

- NostrAuth: issueChallenge() + loginWithSignedEvent() with full
  schnorr/id verification, TTL window, and idempotent re-entry for
  concurrent Livewire listeners.
- auth-button: mounts a fresh challenge, exposes it via data-attribute
  + requestNostrChallenge() fallback, renders a full-viewport AAA-style
  loading overlay while the wallet signs.
- NostrSessionGuard: override logout() to drop the cookie-jar dep so
  programmatic logout works in any context.
This commit is contained in:
HolgerHatGarKeineNode
2026-05-20 01:09:20 +02:00
parent 532199fe15
commit 6bb7d93d1d
9 changed files with 501 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files
resources/views/layouts/app.blade.php
+1 -3
View File
@@ -20,9 +20,7 @@
@vite(['resources/css/app.css', 'resources/js/app.js'])
@fluxAppearance
</head>
<body class="min-h-screen bg-bg-page antialiased"
x-data="nostrLogin"
>
<body class="min-h-screen bg-bg-page antialiased">
<flux:header sticky class="bg-bg-surface h-18">
<flux:sidebar.toggle class="lg:hidden" icon="bars-2" inset="left"/>