getAlby / lightning-browser-extension

The Bitcoin Lightning Browser extension that connects to different wallet interfaces and brings deep lightning integration to the web
https://getalby.com
MIT License

Security / Prompt user to confirm the signing of a message #242

Closed johnsBeharry closed 2 years ago

johnsBeharry commented 2 years ago

Current Behaviour

Scenario: Sign message can happen in the background without user being prompted
    Given I am on a webln enabled page "https://webln.dev/#/api/sign-message"
    And the page has previously been granted access to the extension
    When I click sign message
    Then the message is signed

Expected Behaviour

Scenario: Confirm a sign message request
    Given I am on a webln enabled page "https://webln.dev/#/api/sign-message"
    And the page has previously been granted access to the extension
    When I click sign message
    And I see the message in a prompt from the extension
    And I can click "Sign this message"
    Then the signed message is inputted into the text field

Scenario: Deny sign message request
    Given I am on a webln enabled page "https://webln.dev/#/api/sign-message"
    And the page has previously been granted access to the extension
    When I click sign message
    And I see the message in a prompt from the extension
    And I can click "Cancel"
    Then the website does not get the signed message

bumi commented 2 years ago

Thanks for raising this. The same actually goes for the makeInvoice calls. Do you think we should always prompt the user, or should we also have some kind of "allowance" for this (as we do for payments and lnurl-auth)?

johnsBeharry commented 2 years ago

While there are options some sites give when logging in to state how long the session should be kept for ("remember me"), I think LNURL-Auth is similar to webln.requestProvider(). It's part of the "connect" flow, so it only needs to happen once unless the user disables / logs out of the site explicitly OR the extension is locked.

From my understanding, even without auth, once webln has been enabled for the publisher the site would be able to request payments. So my rationale is that once the extension is unlocked, we can assume auth is granted (access to provider, and LNURL-Auth).

For signMessage() I see this as a follow-up authorisation/verification request so we should go with the tightest security so it is explicit to the user what data is being signed. Same would apply for makeInvoice(). Then adjust as we understand the usage of this functionality.

Explicit signMessage also helps us train user behavior and understanding of keys which I think would be important in this new ecosystem.


Looking ahead we can adjust the initial connect modal to show these options

bumi commented 2 years ago

There is now a prompt for signMessage calls but we do not yet have the option to remember the decision.
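The expected behaviour from the scenarios above (sign only after the user confirms, return nothing on cancel) together with the per-site "remember the decision" allowance bumi mentions, as an added example that is not code from the Alby extension. `signer` (the wallet backend) and `confirm` (the prompt UI) are hypothetical callbacks; the signer and prompt in `runScenarios` are constructed stand-ins so it runs offline.

```javascript
// Added example, not the extension's own code: a gate between a WebLN page
// and the wallet signer. Nothing is signed until the prompt resolves.
const USER_REJECTED = "User rejected the signing request";

class SignMessageGate {
  // signer: async (message) => signature          (assumed wallet backend)
  // confirm: async ({ origin, message }) => { allow, remember }  (assumed prompt UI)
  constructor(signer, confirm) {
    this.signer = signer;
    this.confirm = confirm;
    this.allowances = new Map(); // origin -> true once the user chose "remember"
  }

  async signMessage(origin, message) {
    if (!this.allowances.get(origin)) {
      // Show the exact bytes/text that will be signed, keyed to the requesting origin.
      const decision = await this.confirm({ origin, message });
      if (!decision.allow) throw new Error(USER_REJECTED); // site gets no signature
      if (decision.remember) this.allowances.set(origin, true);
    }
    return this.signer(message);
  }

  // Locking the extension or disconnecting a site clears the remembered decision.
  revoke(origin) {
    this.allowances.delete(origin);
  }
}

// Constructed stand-ins: a fake signer and a prompt scripted with the user's answers.
async function runScenarios() {
  const origin = "https://webln.dev";
  const fakeSigner = async (message) => `sig(${message})`;
  const answers = [
    { allow: false },                 // scenario "Deny sign message request"
    { allow: true, remember: true },  // scenario "Confirm", decision remembered
  ];
  let prompts = 0;
  const scriptedPrompt = async () => { prompts += 1; return answers.shift(); };
  const gate = new SignMessageGate(fakeSigner, scriptedPrompt);

  const results = { denied: null, signed: null, promptsAfterRemember: null };
  try { await gate.signMessage(origin, "login:1"); } catch (e) { results.denied = e.message; }
  results.signed = await gate.signMessage(origin, "login:2");
  await gate.signMessage(origin, "login:3"); // remembered for this origin: no prompt
  results.promptsAfterRemember = prompts;
  return results;
}
```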