Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] Nostr Address fails with redirection #1151

Open
darioAnongba opened this issue Oct 23, 2024 · 2 comments
Open

[BUG] Nostr Address fails with redirection #1151

darioAnongba opened this issue Oct 23, 2024 · 2 comments

Comments

@darioAnongba
Copy link

darioAnongba commented Oct 23, 2024

Hi @vitorpamplona,

After some tests, we found that Amethyst does not support redirections for NIP-05. Our service is deployed at api.numeraire.tech but our addresses are (also) reachable at username@numeraire.tech. We have a permanent (301) redirection in place from api.numeraire.tech to numeraire.tech for the addresses to look nicer.

This works fine in other services but fails on Amethyst. As you can see from BTCPayServer docs, there is even a tutorial explaining how to implement such a redirect, which is very common: here

We would very much like to fix this bug and will do the necessary on our end if you could point us to the reason of the error. Nevertheless, we consider this to be a bug on your end:

  • The NIP-05 protocol allows for redirects

Looking forward to collaborating on this,

PS: WalletOfSatoshi had a similar bug for LN Addresses that we pointed out and they fixed it.

To Reproduce

Easiest way would be:

  • Register a Nostr Address in our Dashboard
  • Register it in Amethyst at yourusername@numeraire.tech and see it fail
  • Register it in Amethyst at yourusername@api.numeraire.tech and see it succeed

Expected behaviour

yourusername@numeraire.tech should be a valid NIP-05 address following the redirect

Device (please complete the following information):

  • Phone Brand/Model : Samsung S22:
  • App Version: v0.92.7-play:
@vitorpamplona
Copy link
Owner

vitorpamplona commented Oct 23, 2024

NIP-05 cannot be redirected. It's a security issue: https://github.com/nostr-protocol/nips/blob/master/05.md#security-constraints

Other apps should also not redirect. If you convinced them to do, please ask them to revert the change.

@darioAnongba
Copy link
Author

Hi @vitorpamplona and thanks for pointing out the section in the NIP-05.
I wrongly assumed that NIP-05 was similar to Lightning Addresses and given that most implementations (Alby, Blink, WalletOfSatoshi, Phoenix, Breez, etc.) allow redirections, I assumed NIP-05 as well.

Given that it is part of the specification, I will of course not ask for you to change the implementation and will implement a workaround.
That being said, I argue that it is not true that allowing redirections causes a security concern for NIP-05 and I started a discussion about it here if you're interested: nostr-protocol/nips#1544.

Hopefully the discussion will either clarify the reasons HTTP redirections were prohibited or allow them, especially when pointing to subdomains.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants