diegogurpegui / nos2x-fox Goto Github PK

It would be a great addition to be able to manage multiple nsecs inside the tool. At the moment one can use only one keys which makes having multiple accounts impossible to use in a more secure way.

Currently most Nostr signer extensions like Nos2x, Nos2x-fox and Alby require permissions to "access data from all websites" which I feel is a bit excessive with regards to user privacy. Although I trust that the extension may not do anything with the data from other websites, I feel there could be a way for the user to configure a list of domains on the extension properties or options to allow access to data just for those domains.

Here is how I envision this to work:

1. User installs the extension and the extension allows probably just access to data for a default list of Nostr client domains like astral.ninja, snort.social...etc and clicks to 'Allow' during extension installation phase.
2. The user inputs their private key and saves it on the extension
3. The user is then presented with another options page on the extension to setup list of Nostr web client domains to allow access for data for the extension to sign events as per NIP-07 or NIP-04.
4. The extension sees only data for those list of websites/domains added.

An example of an extension that does this is Sponsorblock which allows only Youtube domains or user configured local or external domains.

I will be cross posting this on nos2x and alby extension GitHub repositories as well for a more open discussion.

For authorizations to events that have been approved by the user, it would be nice to have a 'Revoke' option in the options page that would revoke the authorization by clearing out the permissions in local storage.

This is implemented in Nos2x and maybe can be forked?

Problem

Public key strings can be difficult to read, especially if you're managing multiple keys.

Proposed Solution

Provide the option to name a profile, which would be easier to recognize than just an npub. Users could also view the name alongside the shortened public key for a better overall usability.

• Users can name their profile during the key generation process or later on by editing the profile in options.
• When exporting a profile, users can choose a custom file name that includes both the profile name and the associated npub (e.g., "Custom Profile Name (npub...xyz)").

Is it worth it to have a manual approval each time you have to sign something? I'm thinking of a PIN or even a password.
The idea is that the private key is stored encrypted without the extension to know the encryption key. So each time you need to sign something you, the user, need to enter that encryption key. It could be in the form of a PIN or a password, which you have to enter every time.
If you have this activated, the saved authorizations (5m, 1h, etc) won't be available.

Does it make sense? is it too much?

It would be nice to have the ability to sign for periods longer than 5 minutes.

I don't want to sign forever, but feel the 5 minute period is too short and have to keep on signing multiple times.

My suggestion would be 1 hour, and 8 hours.

Thanks!

The Permissions are not showing in the Options page. It was working before but got broken with the multi-profile feature.
It's probably because they are not being saved along with the problem by mistake, then not properly retrieved. Or a similar bug.

Apparently the creation of popups is not throttled. I just had a situation on https://plebeian.market/ where I got bombarded with plugin popups in an infinite loop. I had to kill Firefox when the system started swapping beyond my 32GB of RAM.

Using this extension, one can only auto-permit all requests or nothing. However, for requests like AUTH, it would be great to allow them for a certain website always, because they have to be remade for each connection. But I feel less confident in allowing signing anything, mostly in case of bugs that'd cause my feed to explode.

Firefox android launching December 14 (tomorrow)

https://blog.mozilla.org/addons/2023/11/28/open-extensions-on-firefox-for-android-debut-december-14-but-you-can-get-a-sneak-peek-today/

Is there any way to install the Addon in the mobile version of Firefox?
If not, it would be a very much needed feature 👍

Description:

Mask the nsec behind circle bullets as entered by the user

Current behavior:

The nsec is only masked after it's been saved

Expected behavior:

User doesn't expose their nsec to prying eyes or cameras

I don't really feel comfortable keeping my private key unencrypted on my machine- as of right now the only NIP-07 extensions with this feature are BTC wallets, and I have no desire to use BTC/LN

I don't think I'm alone in wanting this. I'd PR the feature myself, but I unfortunately I've never worked with JS or React

It would be nice to configure multiple profiles consisting of the private/public keypair and allow the user to select which profile that they would want to authorize with while using Nostr Clients.

A selection dropdown in the options page for creating profiles and selecting would be useful. Once a new profile is selected, the 'generate' option would be present to create a new keypair and save it or the user can save their own. Selecting another profile from the dropdown would display another keypair.

The profiles should also allow individually setting up different preferred relays..etc. Basically all options should fall under individual profiles to configure independently per profile.

During authorization prompt the user could be provided the option to select from the list of setup profiles to authorize from. A default or primary profile could be provided as an option too, or default to the value of the previous profile from which authorization was done.

Also, provide an option to delete profiles with a warning message to backup the private key.

noStrudel does not decrypt messages automatically because its author prefers to not give the extension permanent decrypt permission. As most users probably give this permission it would be nice if the nostr client could detect this.

I thought there was maybe a hack one could do - cancel request if it doesn't resolve in 100ms - but I could not find a way to do that.

I think a boolean parameter could be used.

async window.nostr.nip04.decrypt(pubkey, ciphertext, interactive): string // takes ciphertext and iv as specified in nip-04

If interactive is set to false, immediately throw an exception if the action is not permitted already.

My index.html is listening for a load event but even then window.nostr is undefined. If I manually open the browser console, window.nostr exists. I believe this is a timing issue, but I'm not sure what to look for or wait on to signify when nos2x-fox has been loaded into the page. I've also logged any 'message' events but nothing seems applicable.

I noticed once I close a prompt window the site just hangs waiting for the event response would something tied to the closing of the window help here?

I was thinking firing the reject event on a 'beforeunload' event

window.addEventListener('beforeunload', function(ev) {
  authorizeHandler(AuthorizationCondition.REJECT)
});

Preferred relays configurable by the user on the extension could allow the user to define a map of some relays, so that when they login to web clients and if clients request for the relay list, maybe they could be sent after the user authorizes it.

According to NIP-07 async window.nostr.getRelays(): { [url: string]: {read: boolean, write: boolean} } // returns a basic map of relay urls to relay policies

This is currently available with Nos2x and maybe could be implemented or forked here as well?

I cannot save my secret key.

Workaround

Downgrade: You can download the old version 1.11.0 from this page: https://addons.mozilla.org/firefox/addon/nos2x-fox/versions/

How to reproduce

1. Clean-install version 1.12.0
2. Click "New profile" to create a new profile
3. Input a secret key to the "Private key" input field
4. Click "Save key"
5. You'll get the error below:

Uncaught (in promise) Error: private key must be 32 bytes, hex or bigint, not string
    normPrivateKeyToScalar moz-extension://f6a8d7e0-020a-4805-b55b-4a8181ba9915/options.js:25675
    schnorrGetExtPubKey moz-extension://f6a8d7e0-020a-4805-b55b-4a8181ba9915/options.js:26512
    schnorrGetPublicKey moz-extension://f6a8d7e0-020a-4805-b55b-4a8181ba9915/options.js:26533
    getPublicKey moz-extension://f6a8d7e0-020a-4805-b55b-4a8181ba9915/options.js:31647
    updateActivePrivateKey moz-extension://f6a8d7e0-020a-4805-b55b-4a8181ba9915/options.js:34723
    savePrivateKey moz-extension://f6a8d7e0-020a-4805-b55b-4a8181ba9915/options.js:34996
    callCallback2 moz-extension://f6a8d7e0-020a-4805-b55b-4a8181ba9915/options.js:5583

Even if I use a new key generated by pressing "Generate key" button, I got the same error.
I think I could save the key when I was using version 1.11.0.

Environment

Firefox Developer Edition 118.0b7 (64bit) / Linux 6.5.2 x86_64

Debugging

I noticed that the original exception thrown by ensureBytes:

private key must be valid hex string, got "(omitted)". Cause: Error: padded hex string expected, got unpadded hex of length 63

The input field accepts npub but the process expects hex format. I think the cause it that.

Add a feature to mask the private key visibility with an asterisk * or a dot ●. This way if we open the options page to revoke permissions to configure something, it's not open for viewing when in a public area.

Ubuntu (Jammy), Firefox 119.0

When choosing to 'Export profile', an overlay is displayed but it is width-restricted, preventing proper display of the content or the ability to proceed within the Profile section beyond that point:

Hey there,

I'm trying to add an nsec key I generated on Damus to my nos2x-fox, but I'm getting a "the key is not valid error".

Does the extension accept nsec or just hex format keys?

I might be doing something wrong.

Thank you,

I pinned the extension and it's only visible when I hover over the icon.