add note about payload hash

author: Kieran <kieran@harkin.me> 2023-04-24 10:56:04 +0100
committer: Kieran <kieran@harkin.me> 2023-05-08 12:22:53 +0100
commit: 2d31ddd38a133584a2eea58fdbe106452999cce3 (patch)
tree: e936575ee709ba5d7eefcde4f68d912d0ac6ff2b
parent: 29f26e72b5fd4e918c8d0d9f9d9ae384f7052a0a (diff)
1 files changed, 7 insertions, 3 deletions
diff --git a/98.md b/98.md
index 48d079e..3a8ffdf 100644
--- a/98.md
+++ b/98.md
@@ -18,8 +18,8 @@ The `content` SHOULD be empty.
 The following tags are defined as REQUIRED.
-* `url` - absolute URL
+* `u` - absolute URL
-* `method` - HTTP Request Method 
+* `method` - HTTP Request Method
 Example event:
 ```json
@@ -31,7 +31,7 @@ Example event:
    "created_at": 1682327852,
    "tags": [
        [
-            "url",
+            "u",
            "https://api.snort.social/api/v1/n5sp/list"
        ],
        [
@@ -49,6 +49,10 @@ Servers MUST perform the following checks in order to validate the event:
 3. The `url` tag MUST be exactly the same as the absolute request URL (including query parameters).
 4. The `method` tag MUST be the same HTTP method used for the requested resource.
+When the request contains a body (as in POST/PUT/PATCH methods) clients SHOULD include a SHA256 hash of the request body in a `payload` tag as hex (`["payload", "<sha256-hex>"]`), servers MAY check this to validate that the requested payload is authorized.
+If one of the checks was to fail the server SHOULD respond with a 401 Unauthorized response code.
 All other checks which server MAY do are OPTIONAL, and implementation specific.
 ## Request Flow
author	Kieran <kieran@harkin.me>	2023-04-24 10:56:04 +0100
committer	Kieran <kieran@harkin.me>	2023-05-08 12:22:53 +0100
commit	2d31ddd38a133584a2eea58fdbe106452999cce3 (patch)
tree	e936575ee709ba5d7eefcde4f68d912d0ac6ff2b
parent	29f26e72b5fd4e918c8d0d9f9d9ae384f7052a0a (diff)