2023-09-21 15:29:49

moonspore on Nostr:

Hey jack and jb55, I have a question related to Nostr.

I am building a passwordless login system for an app (login link sent to email, verification code sent via SMS, OAuth, etc.) and I want to include the ability to log in via Nostr. However, I only want to collect the npub from the user; I don't want the user to input their nsec key. This will only be for account creation and login purposes to verify that the user owns the provided npub; the user won't actually be posting anything to Nostr, so they won't need to provide their nsec key. I have two really simple options for accomplishing this (simplicity is the goal here):

1. When the user inputs their npub on the login/create account form, the app can send them a DM via Nostr with a code that they can then input in the app to verify that they own the npub in question. My app never has to ask for the nsec, and I can trust that the user is the owner of the nsec associated with the provided npub.

2. This option is simply the first option in reverse. When the user inputs their npub on the login/create account form, the app can show the user a code, and the user can then DM the code to the app's Nostr account to verify that they control the nsec associated with the provided npub.

Both of these options allow me to verify that someone owns the npub without having to ask for their nsec key. This allows a user to create an account on my app using their Nostr account, basically making their account "Nostr verified" (insofar as that other users can trust that the account on my app belongs to the owner of the associated Nostr npub). However, I have some questions:

First, can anyone DM anyone else on Nostr? If someone provides their npub, can I send them a DM with a verification code without being connected (either following them or them following me)?

Second, is there a better, simpler, or more standardized way to approach this with Nostr?

I recently developed a complex messaging application using DIDComm (different from the app I am currently developing), along with a custom mediator and relay built on top of the Aries Framework from Hyperledger with a React Native edge agent. That app uses verifiable credentials issued by a self-hosted VON (Verifiable Organizations Network) running on a custom-built distributed ledger to achieve self-sovereign identity, credential exchange & verification, message exchange, persistence, etc.

I wanted to avoid that kind of complexity here and do something hyper simple to verify identity.

Any help with pointing me in the right direction or toward the right person(s) to answer my questions would be much appreciated!
Author Public Key
npub1d0mrrd46qcr0rnrzleme9unflt9gkv707n4cj5suq3muezl7p7vsdl6p5f
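The server-side half of the DM challenge described in options 1 and 2 above, as an added example that is not part of the original post and not code from moonspore, njump or any Nostr library. It covers the two things the post's flow leaves implicit: the npub typed into the form must be validated and decoded to the raw 32-byte public key (NIP-19 npub strings are bech32 per BIP-173, implemented here from scratch so the block runs offline), and the code must be bound to that exact pubkey, short-lived, single-use and compared in constant time. For option 2 the code is checked against the `pubkey` field of the incoming DM event, which the app must use as the identity rather than the message text; this example assumes the Nostr client library has already verified the event's signature. The class and function names (`NpubVerifier`, `encode_npub`, `decode_npub`) and the 8-digit code format are this example's own choices, and the 32-byte key used in the demo is constructed, not a real account.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# --- NIP-19 npub handling: bech32 as specified in BIP-173, hrp "npub", 32-byte payload
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]


def _polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GENERATOR[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits, pad):
    """Regroup a bit stream (8->5 for encoding, 5->8 for decoding)."""
    acc, bits, out = 0, 0, []
    maxv = (1 << tobits) - 1
    max_acc = (1 << (frombits + tobits - 1)) - 1
    for value in data:
        acc = ((acc << frombits) | value) & max_acc
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        raise ValueError("invalid padding")  # non-zero padding bits are rejected
    return out


def encode_npub(pubkey_hex):
    """Hex x-only pubkey -> npub1... (used here to build the demo key and test input)."""
    data = _convertbits(bytes.fromhex(pubkey_hex), 8, 5, pad=True)
    polymod = _polymod(_hrp_expand("npub") + data + [0] * 6) ^ 1
    checksum = [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]
    return "npub1" + "".join(CHARSET[d] for d in data + checksum)


def decode_npub(npub):
    """npub1... -> hex pubkey; raises ValueError on anything that is not a well-formed npub."""
    if npub.lower() != npub and npub.upper() != npub:
        raise ValueError("mixed-case bech32")
    npub = npub.lower()
    hrp, _, body = npub.rpartition("1")
    if hrp != "npub" or len(body) < 6 or any(c not in CHARSET for c in body):
        raise ValueError("not an npub")
    data = [CHARSET.index(c) for c in body]
    if _polymod(_hrp_expand(hrp) + data) != 1:
        raise ValueError("bad checksum")
    raw = bytes(_convertbits(data[:-6], 5, 8, pad=False))
    if len(raw) != 32:
        raise ValueError("npub must carry a 32-byte x-only pubkey")
    return raw.hex()


# --- One-time challenge codes, keyed by the decoded pubkey
@dataclass
class _Challenge:
    code: str
    expires_at: float
    used: bool = False


class NpubVerifier:
    """Server-side state for the DM challenge in either direction (hypothetical helper)."""

    def __init__(self, ttl_seconds=300, code_length=8, clock=time.time):
        self.ttl = ttl_seconds
        self.code_length = code_length
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._pending = {}  # pubkey hex -> _Challenge

    def issue(self, npub):
        """Validate the submitted npub and mint a fresh random code bound to it."""
        pubkey_hex = decode_npub(npub)
        code = "".join(secrets.choice("0123456789") for _ in range(self.code_length))
        # A new request replaces any earlier code, so only one code per pubkey is live.
        self._pending[pubkey_hex] = _Challenge(code, self.clock() + self.ttl)
        return pubkey_hex, code

    def verify(self, sender_pubkey_hex, code):
        """Option 1: sender_pubkey_hex is the decoded npub typed alongside the code.
        Option 2: sender_pubkey_hex is the `pubkey` of the signature-checked DM event."""
        ch = self._pending.get(sender_pubkey_hex)
        if ch is None or ch.used or self.clock() > ch.expires_at:
            return False
        if not hmac.compare_digest(ch.code, code.strip()):
            return False
        ch.used = True  # single use: a replayed or leaked code is worthless afterwards
        return True


if __name__ == "__main__":
    demo_pubkey = bytes(range(32)).hex()  # constructed key, not a real account
    demo_npub = encode_npub(demo_pubkey)
    verifier = NpubVerifier()
    pubkey_hex, code = verifier.issue(demo_npub)
    print(demo_npub, "->", pubkey_hex, "code:", code)
    print("first check:", verifier.verify(pubkey_hex, code), "replay:", verifier.verify(pubkey_hex, code))
```

The lookup is keyed by pubkey rather than by code, so a code can never be matched against a different account, and the `clock` parameter exists only so that expiry can be exercised without sleeping. Rate limiting of `issue` per pubkey (and per IP) is still needed in front of this, since every call sends a DM or displays a new code.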