Skip to content

feat(desktop): redesign Nostr bind verification flow#1850

Open
klopez4212 wants to merge 4 commits into
mainfrom
kennylopez-onboarding-bind-screen
Open

feat(desktop): redesign Nostr bind verification flow#1850
klopez4212 wants to merge 4 commits into
mainfrom
kennylopez-onboarding-bind-screen

Conversation

@klopez4212

@klopez4212 klopez4212 commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

  • restyle the Nostr identity-binding prompt as a full-page onboarding flow
  • require the six-digit browser code before signing, with accessible OTP input, mismatch feedback, and reduced-motion-safe transitions
  • add a finish step that exposes the signed response with an explicit copy action
  • include a DEV-only seeded preview for safely reviewing the flow in the native staging app

Testing

  • just ci
  • Code Reviewer: no blocking findings
  • focused Playwright coverage for OTP entry/paste/navigation, mismatch and repeated shake behavior, sixth-slot input lock, reduced motion, step transition, signed response, and clipboard copy

Screenshots

Enter verification code

Six portrait code slots with Continue gated until the browser code matches.

01-enter-code

Code mismatch

Persistent, layout-stable mismatch feedback using the specified error treatment and shake motion.

02-code-mismatch

Finish verification

The signed response is shown in a readable code container with an explicit copy action.

03-finish-verification

@klopez4212 klopez4212 requested a review from a team as a code owner July 14, 2026 09:05
klopez4212 added a commit that referenced this pull request Jul 14, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bf1f5a2c4d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread desktop/src/features/profile/ui/NostrBindConsentDialog.tsx

@wesbillman wesbillman left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two blockers before this identity-signing flow is safe to ship:

  1. Show the requesting origin before signing. This PR removes the only disclosure of payload.origin, yet the signing command accepts any syntactically valid HTTPS origin and embeds it in the signed identity proof. The six-digit check does not authenticate the caller: both the code and origin come from the same attacker-controllable deep link, so a phishing page can launch Buzz with its own origin, show its matching code, and obtain a valid proof for that origin without Buzz ever telling the user what they are authorizing. Clipboard return does not fix that—the user can paste the response back into the phishing page. Keep the focused flow, but display the exact origin prominently before Continue (and ideally the identity being bound). This is consent context, not a claim of OS attestation.

  2. Add the claimed focused tests to the PR. This is a 644-line behavioral rewrite of a security-sensitive signing surface, but the only changed file is the component; there is no committed Playwright/unit coverage for OTP entry/paste/navigation, mismatch behavior, reduced motion, expiry, signing, copy failure, or origin disclosure. Existing green desktop CI therefore does not exercise the new flow. Please add the focused coverage described in the PR body, including a test proving the requesting origin is visible before signing and that no signing call occurs for incomplete/mismatched/expired input.

@wesbillman wesbillman left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two blockers remain at bf1f5a2c4:

  1. The signing confirmation still omits payload.origin, so users cannot see which requesting origin they are authorizing before signing. That origin is self-asserted, but it is still essential consent context and must be displayed.
  2. The PR description claims focused verification tests, but the branch changes only the component and commits no tests for the rewritten bind flow. Please add focused committed coverage for the request details and approve/reject behavior.

The branch also no longer contains current main; update and rerun CI after addressing these findings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants