Suggestion for Securing Group Creation

[water783]

Hi sir,

I've been implementing NIP-29 groups in 0xchat and noticed some changes in relay29. Thank you for the updates! 🙏

However, I encountered an issue during group creation. Currently, groups can be created by simply inputting an npub and name. This allows others to potentially impersonate an npub and create a group as if they were the group owner.

I suggest enhancing the group creation process by requiring a JSON event to be sent to the server, which can also initialize some group information. Here’s a proposed structure for the JSON event:

{
  "pubkey": creator pubkey,
  "kind": create group event kind,
  "content": "",
  "tags": [
    ["name", "Pizza Lovers"],
    ["picture", "https://pizza.com/pizza.png"],
    ["about", "A group for people who love pizza"],
    ["public"], // or ["private"]
    ["open"] // or ["closed"]
  ],
  "sig": sig
}

[fiatjaf]

I don't follow. Why can't you create a group and be the group owner? That is the idea.

But that group creation page is nonstandard, it's there for testing purposes and will be removed or modified later.

[water783]

In the current implementation, when you create a group chat, you don't need to verify if you are the owner of the pubkey. You just need to enter a pubkey and a group name. Therefore, you can enter anyone's pubkey to create a group and make them the group owner.

So to avoid this, I think a signature verification is needed?

[fiatjaf]

I see. Yes, that's indeed a flaw. Will improve on that.

[fiatjaf]

See also: https://github.com/nostr-protocol/nips/pull/1344