laantungir/nips
1
0
Fork 0
mirror of https://github.com/nostr-protocol/nips.git synced 2025-12-09 08:38:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
2d31ddd38a133584a2eea58fdbe106452999cce3
nips/98.md
Kieran 2d31ddd38a add note about payload hash
2023-05-08 12:22:53 +01:00

2.8 KiB
Raw Blame History

NIP-98

HTTP Auth

draft optional author:kieran author:melvincarvalho

This NIP defines and ephemerial event used to authenticate requests to HTTP servers using nostr events.

This is useful for HTTP services which are build for Nostr and deal with Nostr user accounts.

Nostr event

A kind 27235 (In reference to RFC 7235) event is used.

The content SHOULD be empty.

The following tags are defined as REQUIRED.

  • u - absolute URL
  • method - HTTP Request Method

Example event:

{
    "id": "fe964e758903360f28d8424d092da8494ed207cba823110be3a57dfe4b578734",
    "pubkey": "63fe6318dc58583cfe16810f86dd09e18bfd76aabc24a0081ce2856f330504ed",
    "content": "",
    "kind": 27235,
    "created_at": 1682327852,
    "tags": [
        [
            "u",
            "https://api.snort.social/api/v1/n5sp/list"
        ],
        [
            "method",
            "GET"
        ]
    ],
    "sig": "5ed9d8ec958bc854f997bdc24ac337d005af372324747efe4a00e24f4c30437ff4dd8308684bed467d9d6be3e5a517bb43b1732cc7d33949a3aaf86705c22184"
}

Servers MUST perform the following checks in order to validate the event:

  1. The kind MUST be 27235.
  2. The created_at MUST be within a reasonable time window (suggestion 60 seconds).
  3. The url tag MUST be exactly the same as the absolute request URL (including query parameters).
  4. The method tag MUST be the same HTTP method used for the requested resource.

When the request contains a body (as in POST/PUT/PATCH methods) clients SHOULD include a SHA256 hash of the request body in a payload tag as hex (["payload", "<sha256-hex>"]), servers MAY check this to validate that the requested payload is authorized.

If one of the checks was to fail the server SHOULD respond with a 401 Unauthorized response code.

All other checks which server MAY do are OPTIONAL, and implementation specific.

Request Flow

Using the Authorization header, the kind 27235 event MUST be base64 encoded and use the Authorization scheme Nostr

Example HTTP Authorization header:

Authorization: Nostr eyJpZCI6ImZlOTY0ZTc1ODkwMzM2MGYyOGQ4NDI0ZDA5MmRhODQ5NGVkMjA3Y2JhODIzMTEwYmUzYTU3ZGZlNGI1Nzg3MzQiLCJwdWJrZXkiOiI2M2ZlNjMxOGRjNTg1ODNjZmUxNjgxMGY4NmRkMDllMThiZmQ3NmFhYmMyNGEwMDgxY2UyODU2ZjMzMDUwNGVkIiwiY29udGVudCI6IiIsImtpbmQiOjI3MjM1LCJjcmVhdGVkX2F0IjoxNjgyMzI3ODUyLCJ0YWdzIjpbWyJ1cmwiLCJodHRwczovL2FwaS5zbm9ydC5zb2NpYWwvYXBpL3YxL241c3AvbGlzdCJdLFsibWV0aG9kIiwiR0VUIl1dLCJzaWciOiI1ZWQ5ZDhlYzk1OGJjODU0Zjk5N2JkYzI0YWMzMzdkMDA1YWYzNzIzMjQ3NDdlZmU0YTAwZTI0ZjRjMzA0MzdmZjRkZDgzMDg2ODRiZWQ0NjdkOWQ2YmUzZTVhNTE3YmI0M2IxNzMyY2M3ZDMzOTQ5YTNhYWY4NjcwNWMyMjE4NCJ9

References