Merge pull request #19 from hax0rbana-adam/15-private-keys-leaked-to-…
…server

Fix: private keys leaked to server
supertestnet authored Nov 6, 2023
2 parents b23b084 + 09e878f commit 8bd701c
Showing 3 changed files with 26 additions and 2 deletions.
20 changes: 20 additions & 0 deletions README.md
Expand Up @@ -37,6 +37,26 @@ Important! Save your magic string. It contains your private key which you'll nee

Also make sure you withdraw your money from the store frequently. The site uses whisper keys, which are sent to you in dms and not stored anywhere except on whatever relays you use. I personally don't trust nostr relays to store my dms forever so I recommend you withdraw your money quickly when you receive it, don't just let it sit there for weeks on end or the nostr relay you are connected to might delete your dms or go offline and leave you stranded without access to your money

# How do I self host it?

Check out this repo into a directory on your web server. Go to /superstore on your website (e.g. https://example.com/superstore) and set up your store in the same way as described above.

If you already have your website in its own git repo, you can add superstore as a git submodule. To do so, run this command:

```
git submodule add --name superstore https://github.com/supertestnet/superstore.git signet/superstore
```

After that, you'll have to commit the superstore directory and the .gitmodules file and push it to your git server as usual.

Then when you check out the repo on the web server, use the --recursive flag. If you already have it checked out on the web server, you can force git to pull in the submodules like so:

```
git submodule update --init
```

After running that you should have a `superstore` directory in your web root.

# What are some upcoming features?

Not sure. Usually after I get a project to a state like this one is in I abandon it in favor of something else that's more exciting. But if I do keep at it I'd like to add these features:
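Review bot: The submodule command in the new self-hosting section checks the repo out at `signet/superstore`, but the text before it says to browse to `/superstore` and the text after it says you should end up with a `superstore` directory in your web root. Make the path argument match the prose, or say that `signet/` is only an example layout. The section mentions `--recursive` for a fresh checkout but then shows `git submodule update --init` without it, so state whether the two are meant to be equivalent here. Since this commit exists because private keys reached the server, the section should also tell self-hosters that magic strings now carry the key after `#`, and that any `?privkey=` URLs already recorded in their web server access logs contain keys.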
6 changes: 5 additions & 1 deletion index.html
Expand Up @@ -245,10 +245,14 @@
<script>
var $ = document.querySelector.bind( document );
var $$ = document.querySelectorAll.bind( document );
// Accept parameters via either the query parameters...
var url_params = new URLSearchParams( window.location.search );
var url_keys = url_params.keys();
var $_GET = {}
for ( var key of url_keys ) $_GET[ key ] = url_params.get( key );
// ...or the fragment section of the URL
url_params = new URLSearchParams( window.location.hash.substring(1) );
for ( var key of url_params.keys() ) $_GET[ key ] = url_params.get( key );
var mempoolNetwork = "";
if ( $_GET[ "network" ] == "testnet" ) mempoolNetwork = $_GET[ "network" ] + "/";
var index = window.location.pathname.indexOf( "index.htm" ) > -1 ? window.location.pathname.indexOf( "index.htm" ):100000;
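Review bot: The unchanged query-string loop at the top of this hunk still copies `privkey` from `window.location.search` into `$_GET`, so an old-style `?privkey=` magic string keeps working and keeps sending the key to the server in the request line on every load. Consider detecting `url_params.has( "privkey" )` on the query string before `url_params` is reassigned, and prompting the user to switch to the `#privkey=` form rather than accepting it silently. The second loop also overwrites any query value with the fragment value of the same name; that precedence deserves a word in the `// ...or the fragment section of the URL` comment. Nothing in the visible lines clears the fragment after it is read, so the key stays in the address bar and browser history; a `history.replaceState` call once the key has been loaded would limit that.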
Expand Down Expand Up @@ -1633,7 +1637,7 @@ <h2>Preview pane</h2>
if ( window.location.href.indexOf( "?" ) > -1 ) var url = window.location.href.substring( 0, window.location.href.indexOf( "?" ) ); else var url = window.location.href;
sessionStorage.removeItem( "modal_cleared" );
var shareable = `${url}?pubkey=${original_pubkey}&relays=${encodeURI( JSON.stringify( relays ) )}`;
var private = `${url}?privkey=${privKey}&relays=${encodeURI( JSON.stringify( relays ) )}`;
var private = `${url}#privkey=${privKey}&relays=${encodeURI( JSON.stringify( relays ) )}`;
if ( $_GET[ "network" ] ) {
shareable += `&network=${$_GET[ "network" ]}`;
private += `&network=${$_GET[ "network" ]}`;
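Review bot: The unchanged first line of this hunk builds `url` by cutting `window.location.href` at `?` only, which no longer strips the key now that it travels after `#`. When the page was opened through a `#privkey=...` link (which is where onboard.html now redirects), `href` contains no `?`, so `url` keeps the whole fragment and `shareable` becomes `...#privkey=<key>&relays=...?pubkey=...`, putting the private key inside the link that is meant to be handed out. The same stale fragment is also prepended to `private`. Build the base from `window.location.origin + window.location.pathname` so that neither the query string nor the fragment carries over. The `relays` value is still passed through `encodeURI`, which leaves `&` and `=` unescaped; `encodeURIComponent` is the safer choice for a parameter value.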
2 changes: 1 addition & 1 deletion onboard.html
Expand Up @@ -293,7 +293,7 @@ <h2 class="big_title">
var extra_slash = window.location.pathname.substring( 0, index ).endsWith( "/" ) ? "":"/";
var port = "";
if ( window.location.port ) port = `:${window.location.port}`;
var url = window.location.protocol + "//" + window.location.hostname + port + window.location.pathname.substring( 0, index ) + extra_slash + "index.html?privkey=" + privkey + "&relays=" + encodeURI( relays );
var url = window.location.protocol + "//" + window.location.hostname + port + window.location.pathname.substring( 0, index ) + extra_slash + "index.html#privkey=" + privkey + "&relays=" + encodeURI( relays );
window.location.href = url;
}
var genString = () => {
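Review bot: In the changed `var url = ...` line, `privkey` is concatenated raw and `relays` goes through `encodeURI`, which leaves `&`, `=` and `+` unescaped. index.html now parses the fragment with `URLSearchParams`, so a relays value containing any of those characters would be split into extra parameters or altered on the way in. Use `encodeURIComponent` on both values. As a style point, `window.location.host` already includes the port, which would remove the separate `port` variable, and `index.html#privkey=` could be built once in a shared helper so this file and the `private` link in index.html cannot drift apart again.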