nos2x's Introduction

nos2x

notes and other stuff signed by an extension

Nostr Signer Extension

Use this to sign Nostr events on web-apps without having to give them your keys.

It implements NIP-07, i.e. provides a window.nostr object which has the following methods:

async window.nostr.getPublicKey(): string // returns your public key as hex
async window.nostr.signEvent(event): Event // returns the full event object signed
async window.nostr.getRelays(): { [url: string]: RelayPolicy } // returns a map of relays
async window.nostr.nip04.encrypt(pubkey, plaintext): string // returns ciphertext+iv as specified in nip04
async window.nostr.nip04.decrypt(pubkey, ciphertext): string // takes ciphertext+iv as specified in nip04
async window.nostr.nip44.encrypt(pubkey, plaintext): string // takes pubkey, plaintext, returns ciphertext as specified in nip-44
async window.nostr.nip44.decrypt(pubkey, ciphertext): string // takes pubkey, ciphertext, returns plaintext as specified in nip-44

This extension is Chromium-only. For a maintained Firefox fork, see nos2x-fox.
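
A web app does not have to take a provider's answers on trust. The sketch below is an added example, not code from nos2x: it checks the shapes NIP-07 promises (hex public key, unchanged fields) and recomputes the event id as defined in NIP-01. `signChecked`, `eventId` and `stubProvider` are hypothetical names, and the stub is a constructed stand-in for `window.nostr`.

```javascript
// Added example: check what a NIP-07 provider returns before trusting it.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback for Node < 19 only
const HEX64 = /^[0-9a-f]{64}$/;
const HEX128 = /^[0-9a-f]{128}$/;

// NIP-01 event id: SHA-256 over the JSON array [0, pubkey, created_at, kind, tags, content].
async function eventId(ev) {
  const payload = JSON.stringify([0, ev.pubkey, ev.created_at, ev.kind, ev.tags, ev.content]);
  const digest = await webcrypto.subtle.digest("SHA-256", new TextEncoder().encode(payload));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0")).join("");
}

// `provider` defaults to the injected window.nostr; passing it in keeps the check testable.
async function signChecked(draft, provider = globalThis.nostr) {
  if (!provider) throw new Error("no NIP-07 provider (window.nostr is undefined)");
  const pubkey = await provider.getPublicKey();
  if (typeof pubkey !== "string" || !HEX64.test(pubkey)) {
    throw new Error("getPublicKey() did not return 64 lowercase hex characters");
  }
  const signed = await provider.signEvent({ ...draft });
  if (!signed || typeof signed !== "object") throw new Error("signEvent() returned no event");
  if (signed.pubkey !== pubkey) throw new Error("signed event carries a different pubkey");
  // The signer must return exactly what the user was asked to approve.
  for (const field of ["kind", "created_at", "content"]) {
    if (signed[field] !== draft[field]) throw new Error(`signer changed ${field}`);
  }
  if (JSON.stringify(signed.tags) !== JSON.stringify(draft.tags)) throw new Error("signer changed tags");
  if (signed.id !== (await eventId(signed))) throw new Error("event id does not match the NIP-01 hash");
  if (typeof signed.sig !== "string" || !HEX128.test(signed.sig)) throw new Error("malformed sig");
  return signed; // the Schnorr signature itself still has to be verified with a secp256k1 library
}

// Constructed stand-in for window.nostr so the check runs offline; its sig is a dummy value.
const stubProvider = {
  pubkey: "ab".repeat(32),
  async getPublicKey() { return this.pubkey; },
  async signEvent(ev) {
    const full = { ...ev, pubkey: this.pubkey };
    return { ...full, id: await eventId(full), sig: "cd".repeat(64) };
  },
};
```

In a page with the extension installed, call `signChecked(draft)` with no second argument.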

Install

Develop

To run the plugin from this code:

git clone https://github.com/fiatjaf/nos2x
cd nos2x
yarn
yarn run build

then

  1. go to chrome://extensions;
  2. ensure "developer mode" is enabled on the top right;
  3. click on "Load unpacked";
  4. select the extension/ folder of this repository.

LICENSE: public domain.

Icon made by Freepik from www.flaticon.com.

nos2x's People

Contributors

abhay-raizada, anderson-juhasc, asaitoshiya, enjikaka, ericstrohmaier, fernandolguevara, fiatjaf, giszmo, joshr4, ktecho, monlovesmango, pablof7z, sondreb

nos2x's Issues

Feature: read nsec from an encrypted qrcode

I have developed a solution that enables modern men to securely store their sensitive keys within encrypted physical structures, employing information encryption through a printed QR code.

I am the integration of a browser plugin with and prompt the user for the decryption key.
I am proposing to add to the browser plugin the capability to read the nsec from an encrypted QR code and ask the user for the opening key.
I believe we should instruct the user to only read qrcodes that were generated by him.

The benefits of this mechanism are the possibility of removing my nsec from digital media, since a qrcode can be written not only with the ink of a printer, but also on wood, fiber or metal.

I am available to implement this solution if you approve the request.

Private QRCode App:
private qrcode preview

key import

onboarding websites could make extension setup easier by having an API to import keys. something like this could work

await nostr.keys.importKey(<hex private key>)

in the future, this could be extended to account for #48

[Feature Request] Store multiple nsec

I am requesting a way to change the access credential without having to open the extension settings and change it manually, pasting my nsec from the secure place where I stored it.

I have my personal account, my anonymous account (this), service accounts and organization accounts (for a brand or a company).

Does this make sense?

[Feature Request] Store the nsec as ncryptsec

I'm requesting to include the encrypted nsec (ncryptsec) and request the password in the client to open the extension. I'm requesting this because it bothers me that my nsec is available for copying and viewing just by pressing the button "show key".

I understand that it would be less problematic to temporarily store a password capable of opening the encrypted content than to directly store the nsec permanently.

Does this make sense?

Firefox vs Chrome code branches, which one?

From what I see on the repo, it seems that there is a branch for Chrome Add-on and another one for Firefox Add-on. Is that the case?
I'm not so sure because in the Firefox marketplace the version is 1.4.0, but in the firefox branch it's 1.3.3.

Also, since most of the files are shared, is there a reason why there isn't only 1 branch and each addon on separate folders (with commons files or something)?

Chrome: nos2x is undefined when trying to signEvent

I'm able to fetch the public key from the extension, and when I call window.nostr.signEvent, it does ask me to give permissions to post the event. When I choose "Allow for 5 minutes", I get the error nos2x is undefined.

Not sure if I'm doing something wrong but I couldn't find any resources on how to fix this...

Note that 'pubkey' is not set on the event. Setting it before validateEvent causes that method to return false. Setting event.pubkey = pubkey after validateEvent still produces the error...

signEvent(event)
{
    return new Promise((resolve, reject) => {

        if (window.nostr) {

            return window.nostr.getPublicKey().then(pubkey => {

                let validEvent = validateEvent(event); // `validateEvent` from nostr-tools

                console.log('Event is valid:', validEvent); // True

                return window.nostr.signEvent(event).then(response => {
                    // Does not enter here...
                    //resolve(event);
                }).catch(error => {
                    reject(error); // Error occurs here 'nos2x: undefined'
                });

            }).catch(error => { // Did not get public key
                reject(error);
            });

        } else { // window.nostr undefined
            reject('window.nostr undefined');
        }
    });
},

support delegated event signing NIP-26

NIP-26 could be supported by this extension. I would prefer this over each web client implementing it on their own.

To the web page it should look as if the extension has the privkey of the delegating account

This is an important feature for professional use of nostr. I don't want to hand over the privkey of our company profile to our editors

[Feature Request] For user privacy only allow access of data to user added Nostr client domains

Currently most Nostr signer extensions like Nos2x, Nos2x-fox and Alby require permissions to "access data from all websites" which I feel is a bit excessive with regards to user privacy. Although I trust that the extension may not do anything with the data from other websites, I feel there could be a way for the user to configure a list of domains on the extension properties or options to allow access to data just for those domains.

Here is how I envision this to work:

  1. User installs the extension and the extension allows probably just access to data for a default list of Nostr client domains like astral.ninja, snort.social...etc and clicks to 'Allow' during extension installation phase.
  2. The user inputs their private key and saves it on the extension
  3. The user is then presented with another options page on the extension to setup list of Nostr web client domains to allow access for data for the extension to sign events as per NIP-07 or NIP-04.
  4. The extension sees only data for those list of websites/domains added.

An example of an extension that does this is Sponsorblock which allows only Youtube domains or user configured local or external domains.

I will be cross posting this on nos2x and alby extension GitHub repositories as well for a more open discussion.
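
Added example, not part of the request above and not nos2x code: one way the user-configured domain list in steps 3 and 4 could be enforced, comparing whole origins so that look-alike hosts never match. The function names are hypothetical; `toMatchPatterns` only formats the same sites as host match patterns of the kind an extension would ask permission for.

```javascript
// Added example: exact-origin allowlist for a signer extension (helper names are hypothetical).

// Normalise a user-entered site such as "snort.social" to an https origin.
function toOrigin(entry) {
  const text = entry.trim();
  const url = new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : `https://${text}`);
  if (url.protocol !== "https:") throw new Error(`refusing non-https site: ${entry}`);
  if (url.username || url.password || url.port) throw new Error(`unexpected credentials or port: ${entry}`);
  return url.origin;
}

// Build the set once from the options page; duplicates collapse automatically.
function buildAllowlist(entries) {
  return new Set(entries.map(toOrigin));
}

// Gate for a request arriving from a page at `senderUrl`. Comparison is on the whole
// origin, never on a substring or suffix, so look-alike hosts do not match.
function isAllowed(senderUrl, allowlist) {
  try {
    return allowlist.has(new URL(senderUrl).origin);
  } catch {
    return false; // unparsable sender: deny
  }
}

// Host match patterns for the same sites, in the form extension manifests use.
function toMatchPatterns(allowlist) {
  return [...allowlist].map((origin) => `${origin}/*`);
}
```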

multiple profile support

multiple profiles being supported could open up some neat use cases. for now, switching could be implemented only through the extension popup and be global

in the future we could spec this so that websites can be notified on profile changes and ask for a list of authorized profiles, so on, something like this:

  • an event on globalThis named nostr.profile-switch
  • await nostr.keys.listAuthorizedProfiles()
  • sign/decrypt/etc could take in a pubkey parameter

dismiss all pending dialog requests

right now, every time there's a window.nostr.nip04.decrypt, it opens a dialog and we have to go one by one. It would be better to have an option to act on all requests at once, otherwise, this can be very painful in the future if there's a high number of messages to decrypt.

Support for master password

Something similar to Password Manager master password.

Code example:

const crypto = require("crypto"); // Node.js built-in module

// Wrapper object added so the two methods parse on their own; the name is illustrative.
const vault = {
  // Derives a 256-bit key from the password (PBKDF2-SHA512) and encrypts the JSON form of obj.
  encryptObject(obj, password) {
    try {
      const iv = crypto.randomBytes(16);
      const salt = crypto.randomBytes(64);
      const key = crypto.pbkdf2Sync(password, salt, 100000, 32, "sha512");
      const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
      let encrypted = cipher.update(JSON.stringify(obj), "utf8", "hex");
      encrypted += cipher.final("hex");
      return {
        iv: iv.toString("hex"),
        encrypted: encrypted,
        salt: salt.toString("hex"),
      };
    } catch (e) {
      // Not every error carries `reason`; fall back to the message.
      return { error: e.reason || e.message };
    }
  },

  // Re-derives the key from the stored salt and decrypts back to the original object.
  decryptObject(data, password) {
    try {
      const iv = Buffer.from(data.iv, "hex");
      const salt = Buffer.from(data.salt, "hex");
      const key = crypto.pbkdf2Sync(password, salt, 100000, 32, "sha512");
      const decipher = crypto.createDecipheriv("aes-256-cbc", key, iv);
      let decrypted = decipher.update(data.encrypted, "hex", "utf8");
      decrypted += decipher.final("utf8");
      return JSON.parse(decrypted);
    } catch (e) {
      return { error: e.reason || e.message };
    }
  },
};
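
Added example, not part of the post above and not nos2x code: the same master-password idea written against WebCrypto, which is what an extension page has available, and using AES-256-GCM so that a wrong password or a modified blob is rejected instead of decrypted (AES-CBC on its own does not authenticate the ciphertext). The iteration count, field names and stored format are assumptions.

```javascript
// Added example: master-password encryption with PBKDF2-SHA512 and AES-256-GCM via WebCrypto.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback for Node < 19 only
const subtle = webcrypto.subtle;
// Assumption: raised from the 100000 in the post; stored with the blob so it can be increased later.
const PBKDF2_ITERATIONS = 210000;

const toHex = (bytes) => Array.from(new Uint8Array(bytes), (b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (hex) => Uint8Array.from(hex.match(/../g) ?? [], (h) => parseInt(h, 16));

async function deriveKey(password, salt, iterations) {
  const material = await subtle.importKey("raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-512", salt, iterations },
    material,
    { name: "AES-GCM", length: 256 },
    false, // the derived key is not extractable
    ["encrypt", "decrypt"],
  );
}

async function encryptObject(obj, password) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce for every encryption
  const key = await deriveKey(password, salt, PBKDF2_ITERATIONS);
  const plaintext = new TextEncoder().encode(JSON.stringify(obj));
  const ciphertext = await subtle.encrypt({ name: "AES-GCM", iv }, key, plaintext);
  return { v: 1, iterations: PBKDF2_ITERATIONS, salt: toHex(salt), iv: toHex(iv), encrypted: toHex(ciphertext) };
}

async function decryptObject(data, password) {
  const key = await deriveKey(password, fromHex(data.salt), data.iterations);
  // Rejects on a wrong password or any changed byte: the GCM tag is checked before plaintext is released.
  const plaintext = await subtle.decrypt({ name: "AES-GCM", iv: fromHex(data.iv) }, key, fromHex(data.encrypted));
  return JSON.parse(new TextDecoder().decode(plaintext));
}
```

Unlike the posted version, failures surface as rejected promises rather than an `{ error }` object, so a caller cannot mistake a failed decryption for stored data.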

Support for multiple keys

It would be useful to have support for multiple keys for those of us that run multiple accounts (personal, business/brand).

Firefox Android compatibility

I'm learning about nostr and trying not to give my private key to the client. I installed nos2x using a custom addon collection. It lets me enter my private key, but clients either silently fail or show an error like this from nostr.rocks:

Screenshot_20221218-143905_1.png

From what I gather, it's trying to show a permission dialog, which works on the desktop but not on mobile.

Apologies for the report if Firefox for Android is out of scope for this project.

Request: Please add topics to this repo

In doing a deep dive into the nostr ecosystem I stumbled upon this repo from here. It didn't come up in my topic search as there is no nostr topic on this repo. Would you be open to adding that?

[Feature Request] Simplify Relay URL Entries

Currently, users are required to enter the "wss://" prefix when adding a WebSocket relay address into their preferred relay list.

Feature

  • Automatically detect and add "wss://" prefix to simplify the process of entering relay addresses.

Benefits

  • Reduced user confusion: It's easier for new users to enter relay addresses.

please provide firefox dev/install instructions

I did use pnpm to compile but that worked just fine for Chromium:

$ git checkout chromium
$ pnpm install
$ pnpm install readable-stream buffer
$ pnpm run build

For firefox:

$ git checkout firefox
$ pnpm install
$ pnpm install readable-stream buffer
$ pnpm run build

succeeded, too but I couldn't find how to load it in firefox.

How do nostr: links work?

I have the extension installed. Here is my config:
image

Here is an example link I tried to click on:
<a href="nostr:note180tr4kp6xx4j7avvvtzzvumn07k9mppfgkasf929cn23mfwzstmqqjmrry">Nostr test</a>

Nothing happens when I click on the link in the browser.

Can I manage my private key. Easily add and remove.

When I clear my private key and click save.
When I click login on another website, it still opens the authorize page. When I authorize it, I can't log in successfully. And nothing happens when I click login again. (My test website: https://coracle.social/login)
Unless I revoke it.

expect

  1. When I login a website, I can choose a private key between my private key list.
  2. If there's no private key, tell me what happened and what should I do.

Error when trying to post: "Did not publish: TypeError: hexToBytes: expected string, got object"

When using the extension to sign, I'm getting this error in Brave and Firefox (on macOS Ventura, fwiw) when trying to publish on https://nostr.rocks

Did not publish: TypeError: hexToBytes: expected string, got object

I'm unable to do most anything else with the app either. Can't change username, follow others, etc. I don't necessarily get that exact error with other web-based nostr apps (like https://astral.ninja), I just get silent errors. But the effect is the same. Nothing works.

When I enter my private key into the app directly, then everything works.

Problem with webextension-polyfill

I had to add the script webextension-polyfill to run, but now I have this problem when I try to save private key in Uint8Array format:

Uncaught (in promise) Error: Cannot serialize value to JSON at browser-polyfill.js:772:26

@fiatjaf how did you solve this?

Thanks.

nostr.getPublicKey() gives an incorrect serialization in firefox

nostr.getPublicKey is giving an incorrect serialization on firefox (v 1.3.1)

Instead of giving a hex string it displays an ascii version of the hex

Unsure what causes it, but the following line may be related

nbd-wtf/nostr-tools@c47f091

A possible workaround for now:

    // workaround for now
    if (navigator.userAgent.indexOf("Firefox") > 0) {
      publicKey = publicKey.split(/(..)/g).filter(i => i).map(i => String.fromCharCode(parseInt(i, 16))).join('')
    }

Error with Yarn

After cloning and CDing into nos2x, running yarn yields

00h00m00s 0/0: : ERROR: There are no scenarios; must have at least one.

Did I do something wrong? Running PopOS 22.04

Denying load / Resources must be listed in the web_accessible_resources manifest key

I'm getting the following error in the console of both Chrome, and Ungoogled Chromium in PopOS Linux:

Denying load of chrome-extension://kpgefcfmnafjgpblomihpgmejjdanjjp/nostr-provider.js. Resources must be listed in the web_accessible_resources manifest key in order to be loaded by pages outside the extension.

Using the following web page:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>
<body>

<script>
console.log(window.nostr)
</script>

</body>
</html>

Also, window.nostr returns undefined.

Screenshot from 2023-10-26 10-33-21

Missing Options page

Hello,

I've installed the extension on
Firefox 96.0.2.
Windows 10 V. 21H2
It's not possible to get access to the "options" page. No link or button available
