diff options
| author | fiatjaf <fiatjaf@gmail.com> | 2023-01-02 16:49:37 -0300 |
|---|---|---|
| committer | fiatjaf <fiatjaf@gmail.com> | 2023-01-02 16:56:44 -0300 |
| commit | c80be21cd44aa74efa42ead23a12343bf33ade34 (patch) | |
| tree | aad7a2a3bdcc0f9b55d6919901078b27d475afe6 /42.md | |
| parent | b9467cb428489d800e8e2729b0449ee1ceec03a5 (diff) | |
drastically simplify @semisol's auth NIP.
Diffstat (limited to '42.md')
| -rw-r--r-- | 42.md | 68 |
1 files changed, 68 insertions, 0 deletions
| @@ -0,0 +1,68 @@ | |||
| 1 | NIP-42 | ||
| 2 | ====== | ||
| 3 | |||
| 4 | Authentication of clients to relays | ||
| 5 | ----------------------------------- | ||
| 6 | |||
| 7 | `draft` `optional` `author:Semisol` `author:fiatjaf` | ||
| 8 | |||
| 9 | This NIP defines a way for clients to authenticate to relays by signing an ephemeral event. | ||
| 10 | |||
| 11 | ## Motivation | ||
| 12 | |||
| 13 | A relay may want to require clients to authenticate to access restricted resources. For example, | ||
| 14 | |||
| 15 | - A relay may request payment or other forms of whitelisting to publish events -- this can naïvely be achieved by limiting publication | ||
| 16 | to events signed by the whitelisted key, but with this NIP they may choose to accept any events as long as they are published from an | ||
| 17 | authenticated user; | ||
| 18 | - A relay may limit access to `kind: 4` DMs to only the parties involved in the chat exchange, and for that it may require authentication | ||
| 19 | before clients can query for that kind. | ||
| 20 | - A relay may limit subscriptions of any kind to paying users or users whitelisted through any other means, and require authentication. | ||
| 21 | |||
| 22 | ## Protocol flow | ||
| 23 | |||
| 24 | This NIP defines a new message, `AUTH`, which clients can send to relays when they want to authenticate. The message is of the following form: | ||
| 25 | |||
| 26 | ``` | ||
| 27 | ["AUTH", <signed-event>] | ||
| 28 | ``` | ||
| 29 | |||
| 30 | The signed event is an ephemeral event not meant to be published or queried, it must be of `kind: 22242` and content must be set to the | ||
| 31 | WebSocket URL of the relay. `created_at` should be the current time. Example: | ||
| 32 | |||
| 33 | ```json | ||
| 34 | { | ||
| 35 | "id": "...", | ||
| 36 | "pubkey": "...", | ||
| 37 | "created_at": 1669695536, | ||
| 38 | "kind": 22242, | ||
| 39 | "tags": [], | ||
| 40 | "content": "wss://relay.example.com/", | ||
| 41 | "sig": "..." | ||
| 42 | } | ||
| 43 | ``` | ||
| 44 | |||
| 45 | The client may send an auth message right before performing an action for which it knows authentication will be required -- for example, right | ||
| 46 | before requesting `kind: 4` chat messages --, or it may do right on connection start or at some other moment it deems best. | ||
| 47 | |||
| 48 | Upon receiving a message from an unauthenticated user it can't fulfill without authentication, a relay may choose to notify the client. For | ||
| 49 | that it can use a `NOTICE` message with a standard prefix `"restricted: "` that is readable both by humans and machines, for example: | ||
| 50 | |||
| 51 | ``` | ||
| 52 | ["NOTICE", "restricted: we can't serve DMs to unauthenticated users, does your client implement NIP-42?"] | ||
| 53 | ``` | ||
| 54 | |||
| 55 | or | ||
| 56 | |||
| 57 | ``` | ||
| 58 | ["NOTICE", "restricted: we do not accept events from unauthenticated users, please sign up at https://example.com/"] | ||
| 59 | ``` | ||
| 60 | |||
| 61 | ## Signed Event Verification | ||
| 62 | |||
| 63 | To verify `AUTH` messages, relays must ensure: | ||
| 64 | |||
| 65 | - that the `kind` is `22242` | ||
| 66 | - that the event was recently signed (~10 minutes, by `created_at`) | ||
| 67 | - that the `content` field matches the relay URL | ||
| 68 | - URL normalization techniques can be applied. For most cases just checking if the domain name is correct should be enough. | ||