Summary
Add a challenge-response authentication flow so users with a NIP-07 browser extension (nos2x, Alby, etc.) can log in or register without exposing their nsec and without needing email/password credentials.
Motivation
Pasting an nsec into a web form is a security anti-pattern. NIP-07 extensions already manage keys securely; Keycast should support them as a first-class auth method. Users who already have a Nostr identity and a NIP-07 extension should not need email/password at all — their Nostr key IS their identity.
Proposed Flow
Challenge-Response
- Client: POST /api/auth/nip07/challenge → { challenge, expires_at }
- Client asks NIP-07 extension to sign a kind:27235 event (NIP-98 style) containing the challenge
- Client: POST /api/auth/nip07/verify { signed_event } → Keycast verifies signature, sets session cookie
Login
- If an account exists for the pubkey, authenticate and set session.
- If no account exists, create one automatically. No email/password required — the NIP-07 key is the sole credential.
Considerations
- NIP-07 accounts have no email/password. Account recovery relies on the user's control of their Nostr key.
- Personal key signing (POST /api/nostr) won't work for NIP-07 users since Keycast doesn't hold their private key. Clients needing personal key signatures can fall back to the NIP-07 extension directly.
- Challenge should be short-lived (e.g. 60 seconds) and single-use.
- The signed event kind could follow NIP-98 (kind 27235) or use a custom kind — TBD.
- Provide the option to input an email as a recovery method with "strongly recommended" language but optional.
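The server side of the challenge-response flow above, with the short-lived, single-use challenge handling from the considerations, as an added example (not Keycast's code). It assumes the challenge is carried in a `["challenge", <value>]` tag of the kind 27235 event, and takes the BIP-340 signature check as a caller-supplied callable so the binding, expiry and replay logic can run without a secp256k1 library:

```python
import hashlib
import json
import secrets
import time
from typing import Callable, Optional

CHALLENGE_TTL = 60      # seconds, as proposed
KIND_HTTP_AUTH = 27235  # NIP-98 event kind proposed for the signed event

# Constructed in-memory store: challenge -> expiry timestamp (a deployment
# would use a shared store; the single-use semantics are what matter here).
_pending: dict[str, float] = {}


def issue_challenge(now: Optional[float] = None) -> dict:
    """POST /api/auth/nip07/challenge: mint a random, short-lived challenge."""
    now = time.time() if now is None else now
    challenge = secrets.token_hex(32)
    _pending[challenge] = now + CHALLENGE_TTL
    return {"challenge": challenge, "expires_at": int(now + CHALLENGE_TTL)}


def event_id(ev: dict) -> str:
    """NIP-01 event id: sha256 over the canonical JSON serialization."""
    payload = [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]]
    raw = json.dumps(payload, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(raw.encode()).hexdigest()


def verify_login(ev: dict, verify_sig: Callable[[str, str, str], bool],
                 now: Optional[float] = None) -> Optional[str]:
    """POST /api/auth/nip07/verify: return the authenticated pubkey, or None.

    verify_sig(pubkey, id, sig) is the BIP-340 Schnorr check (assumption:
    supplied by a secp256k1 library in production)."""
    now = time.time() if now is None else now
    if ev.get("kind") != KIND_HTTP_AUTH:
        return None
    # Recompute the id so the signature is bound to the event content (and
    # therefore to the challenge tag); never trust the client-supplied id.
    if ev.get("id") != event_id(ev):
        return None
    # Assumption: challenge travels in a ["challenge", <value>] tag, exactly once.
    challenges = [t[1] for t in ev["tags"] if len(t) >= 2 and t[0] == "challenge"]
    if len(challenges) != 1:
        return None
    # Single use: pop consumes the challenge even if later checks fail.
    expires_at = _pending.pop(challenges[0], None)
    if expires_at is None or now > expires_at:
        return None
    if abs(now - ev["created_at"]) > CHALLENGE_TTL:  # stale or future-dated event
        return None
    if not verify_sig(ev["pubkey"], ev["id"], ev["sig"]):
        return None
    return ev["pubkey"]
```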