Open alexgleason opened 3 weeks ago
p-tag the correct signer based on the address the user provides. I think that should solve the problem, unless I'm mixing things up. But I also think the architecture is overly complicated, when you really do want to select a particular signer.
yeah, what @staab said, p-tag the correct signer that has authorized your client; you don't need to run signer on the same pubkey as the target pubkey (the one you want to sign as)
I have the same problem, but this is a problem that only developers or very powerful users will ever have so I think we shouldn't worry, just close Gossip and keep going with your life.
you don't need to run signer on the same pubkey as the target pubkey (the one you want to sign as)
Are you saying that the pubkey in a Bunker URI is not guaranteed to be the user's actual pubkey?
this is a problem that only developers or very powerful users will ever have
Soapbox is a NIP-46 signer, so simply having multiple Ditto sessions on different devices causes this problem. I worked around it by making Soapbox not throw an "Unauthorized" error and instead ignore those messages. But other signers like nak can interfere with my Ditto sessions.
you don't need to run signer on the same pubkey as the target pubkey (the one you want to sign as)
Are you saying that the pubkey in a Bunker URI is not guaranteed to be the user's actual pubkey?
The remote signer pubkey is not necessarily the remote user pubkey, and IMHO the bunker url is supposed to be the remote signer pubkey, but not everybody was convinced that is correct so it remains IMHO wrong in the NIP. I made them the same in gossip so it didn't affect me, but it does cause this issue you raise which apparently also affects fiatjaf.
Oh man. That's brutal. I guess I will have to change this: https://gitlab.com/soapbox-pub/ditto/-/blob/main/src/signers/ConnectSigner.ts?ref_type=heads#L59
Although I do see how it can fix the problem. Man this is complex.
Ok, I was wrong.
Looking closer, the signer has to be addressed by the key it is signing as because the commands don't include that key (except connect).
As it is written today you can't fix this. If two bunkers are signing on behalf of the same key through the same relay, they will both respond.
A more flexible architecture would assign a keypair to the bunker (we already do but only for signup) and address the bunker using its own keypair, and include the key you wish to sign as inside the command.
I was going to "fix" gossip but having dug into this, I have nothing to fix.
Just allow a signer
tag with the signer's public key to all requests. If no tag is found, all signers reply like today. If a signer is found, that signer is supposed to reply. They others will be ignored.
That's how we do it on NIP-55 when multiple Android signers are available in the same phone, with the same key.
I'm having a niche but very real problem. I am running multiple NIP-46 signers for the same nsec, to authorize with different apps. The problem is that whichever signer that responds first likely isn't the right one, and it will send an "Unauthorized" message back, resulting in an error.
So now I have to decide whether the signer is wrong or the client is wrong, and decide what to do about it, if anything. The only way I can picture getting around this is for each session to use a different relay. Possibly a generated relay URL. It could be doable if we used client-initiated auth. But since we use bunker URIs, it's the job of the signer to select the relay, leaving non-custodial solutions basically unable to solve this.