From 29f26e72b5fd4e918c8d0d9f9d9ae384f7052a0a Mon Sep 17 00:00:00 2001 From: Kieran Date: Mon, 24 Apr 2023 10:32:03 +0100 Subject: [PATCH] NIP-98 --- 98.md | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 98.md diff --git a/98.md b/98.md new file mode 100644 index 0000000..48d079e --- /dev/null +++ b/98.md @@ -0,0 +1,64 @@ +NIP-98 +====== + +HTTP Auth +------------------------- + +`draft` `optional` `author:kieran` `author:melvincarvalho` + +This NIP defines and ephemerial event used to authenticate requests to HTTP servers using nostr events. + +This is useful for HTTP services which are build for Nostr and deal with Nostr user accounts. + +## Nostr event + +A `kind 27235` (In reference to [RFC 7235](https://www.rfc-editor.org/rfc/rfc7235)) event is used. + +The `content` SHOULD be empty. + +The following tags are defined as REQUIRED. + +* `url` - absolute URL +* `method` - HTTP Request Method + +Example event: +```json +{ + "id": "fe964e758903360f28d8424d092da8494ed207cba823110be3a57dfe4b578734", + "pubkey": "63fe6318dc58583cfe16810f86dd09e18bfd76aabc24a0081ce2856f330504ed", + "content": "", + "kind": 27235, + "created_at": 1682327852, + "tags": [ + [ + "url", + "https://api.snort.social/api/v1/n5sp/list" + ], + [ + "method", + "GET" + ] + ], + "sig": "5ed9d8ec958bc854f997bdc24ac337d005af372324747efe4a00e24f4c30437ff4dd8308684bed467d9d6be3e5a517bb43b1732cc7d33949a3aaf86705c22184" +} +``` + +Servers MUST perform the following checks in order to validate the event: +1. The `kind` MUST be `27235`. +2. The `created_at` MUST be within a reasonable time window (suggestion 60 seconds). +3. The `url` tag MUST be exactly the same as the absolute request URL (including query parameters). +4. The `method` tag MUST be the same HTTP method used for the requested resource. + +All other checks which server MAY do are OPTIONAL, and implementation specific. + +## Request Flow + +Using the `Authorization` header, the `kind 27235` event MUST be `base64` encoded and use the Authorization scheme `Nostr` + +Example HTTP Authorization header: +``` +Authorization: Nostr eyJpZCI6ImZlOTY0ZTc1ODkwMzM2MGYyOGQ4NDI0ZDA5MmRhODQ5NGVkMjA3Y2JhODIzMTEwYmUzYTU3ZGZlNGI1Nzg3MzQiLCJwdWJrZXkiOiI2M2ZlNjMxOGRjNTg1ODNjZmUxNjgxMGY4NmRkMDllMThiZmQ3NmFhYmMyNGEwMDgxY2UyODU2ZjMzMDUwNGVkIiwiY29udGVudCI6IiIsImtpbmQiOjI3MjM1LCJjcmVhdGVkX2F0IjoxNjgyMzI3ODUyLCJ0YWdzIjpbWyJ1cmwiLCJodHRwczovL2FwaS5zbm9ydC5zb2NpYWwvYXBpL3YxL241c3AvbGlzdCJdLFsibWV0aG9kIiwiR0VUIl1dLCJzaWciOiI1ZWQ5ZDhlYzk1OGJjODU0Zjk5N2JkYzI0YWMzMzdkMDA1YWYzNzIzMjQ3NDdlZmU0YTAwZTI0ZjRjMzA0MzdmZjRkZDgzMDg2ODRiZWQ0NjdkOWQ2YmUzZTVhNTE3YmI0M2IxNzMyY2M3ZDMzOTQ5YTNhYWY4NjcwNWMyMjE4NCJ9 +``` + +## References +- C# ASP.NET `AuthenticationHandler` [NostrAuth.cs](https://gist.github.com/v0l/74346ae530896115bfe2504c8cd018d3) \ No newline at end of file