servuscms / servus

Self-contained CMS, Personal Nostr Relay & Blossom server
GNU General Public License v3.0

Blossom implementation fixes #10

Closed. hzrd149 closed this issue 2 months ago

hzrd149 commented 3 months ago

I presume you're not done implementing Blossom, but I looked over the code out of curiosity and noticed a few things.

A few points on the client-side implementation in https://github.com/servuscms/servus/blob/master/admin/index.html

  1. Authorization events should have a human-readable description in content.
  2. Authorization events must have a NIP-40 expiration tag. This helps prevent them from being leaked and used by malicious actors.
  3. Upload and delete authorization events must contain an x tag with the sha256 of the blob. This ensures the user is aware of what blob they are uploading or deleting.

For computing the sha256 hash of files on the client side you can use the window.crypto API or the @noble/hashes library. There is also some example code here https://github.com/hzrd149/blossom-server/blob/master/public/utils.js#L4-L32

If you like you can also use the blossom-client-sdk library I made https://www.npmjs.com/package/blossom-client-sdk

ibz commented 2 months ago

Done. https://github.com/servuscms/servus/commit/df02d74faac77c216c428cf7afd6e52650905d06

Thank you!

PS: I saw your client SDK, but I am not using Node - just plain HTML & Javascript.