nip46: show NIP-98 HTTP url/method in the bunker approval screen#417
Conversation
|
Warning Review limit reached
Next review available in: 49 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (4)
WalkthroughThe NIP-46 approval flow now passes HTTP authentication URL and method data to the approval screen, sanitizes the values, and conditionally displays them with localized labels and an unspecified-method fallback. ChangesNIP-46 HTTP authentication details
Estimated code review effort: 2 (Simple) | ~10 minutes Suggested reviewers: Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary
Closes the keep-android follow-up from the NIP-98 over-broad-grant fix: the bunker approval screen did not show the HTTP URL/method being authorized.
NIP-98 (kind 27235) events carry empty content; the security-relevant
u(URL) and method live in the event tags. The Rust signer core already surfaces these asBunkerApprovalRequest.httpAuth { url, method }, butNip46ApprovalScreennever rendered them, so a user approving an HTTP-auth signature could not see which request they were authorizing.This renders the URL and method in the approval details for kind-27235 requests, so HTTP-auth is not approved blind.
Changes
Nip46ApprovalScreen: newhttpAuthUrl/httpAuthMethodparams; when present, renders sanitized "HTTP URL" and "HTTP Method" detail rows (a missing tag reads as "Unspecified", per the Rust contract, rather than being hidden).Nip46ApprovalActivity: passesrequest.httpAuth?.url/?.methodthrough.The URL/method are already sanitized in the signer core and are re-sanitized for display (
sanitizeDisplayContent).Testing
compileDebugKotlin,testDebugUnitTest, andlintDebugpass.GH: #392
Summary by CodeRabbit