mirror of
https://github.com/nostr-protocol/nips.git
synced 2024-12-22 16:35:52 -05:00
wip: Reconcile NIP-96 and NIP-98 and address implementation challenge
This commit is contained in:
parent
6826f5a52c
commit
2a1945cc7f
3
96.md
3
96.md
|
@ -84,7 +84,8 @@ See https://github.com/aljazceru/awesome-nostr#nip-96-file-storage-servers.
|
||||||
|
|
||||||
## Auth
|
## Auth
|
||||||
|
|
||||||
When indicated, `clients` must add an [NIP-98](98.md) `Authorization` header (**optionally** with the encoded `payload` tag set to the base64-encoded 256-bit SHA-256 hash of the file - not the hash of the whole request body).
|
When indicated, `clients` must add an [NIP-98](98.md) `Authorization` header.
|
||||||
|
`clients` SHOULD include either the `payload` tag or the `payload_multipart` tag with the `file` multipart field name included in the digest (`["payload_multipart", "<sha256-of-file>", "file"]`).
|
||||||
|
|
||||||
## Upload
|
## Upload
|
||||||
|
|
||||||
|
|
17
98.md
17
98.md
|
@ -43,12 +43,27 @@ Servers MUST perform the following checks in order to validate the event:
|
||||||
3. The `u` tag MUST be exactly the same as the absolute request URL (including query parameters).
|
3. The `u` tag MUST be exactly the same as the absolute request URL (including query parameters).
|
||||||
4. The `method` tag MUST be the same HTTP method used for the requested resource.
|
4. The `method` tag MUST be the same HTTP method used for the requested resource.
|
||||||
|
|
||||||
When the request contains a body (as in POST/PUT/PATCH methods) clients SHOULD include a SHA256 hash of the request body in a `payload` tag as hex (`["payload", "<sha256-hex>"]`), servers MAY check this to validate that the requested payload is authorized.
|
When the request contains a body (as in POST/PUT/PATCH methods) clients SHOULD include a SHA256 hash of the request body in a `payload` tag as hex (`["payload", "<sha256-hex>"]`) or a SHA256 hash of the relevant fields in a `payload_multipart` tag.
|
||||||
|
Servers MAY check these to validate that the requested payload is authorized.
|
||||||
|
|
||||||
If one of the checks was to fail the server SHOULD respond with a 401 Unauthorized response code.
|
If one of the checks was to fail the server SHOULD respond with a 401 Unauthorized response code.
|
||||||
|
|
||||||
Servers MAY perform additional implementation-specific validation checks.
|
Servers MAY perform additional implementation-specific validation checks.
|
||||||
|
|
||||||
|
### The `payload_multipart` tag
|
||||||
|
|
||||||
|
The `payload_multipart` tag SHOULD only be sent when authorizing a request with a `Content-Type` of `multipart/form-data`.
|
||||||
|
A valid `payload_multipart` tag will always consist of 3 or more elements.
|
||||||
|
The first element is always the tag name, `payload_multipart`.
|
||||||
|
The second element is the sha256 hash, which is computed over the concatenation of every serialized multipart field, in order.
|
||||||
|
The third through last elements name the form fields which will be concatenated together to calculate the hash.
|
||||||
|
|
||||||
|
`["payload_multipart", "<sha256-hex-of-concatenated-fields>", "<multipart-field-name-0>", ..."<multipart-field-name-N>"]`
|
||||||
|
|
||||||
|
The multipart-field-names MUST appear in the same order as they appear in the multipart body.
|
||||||
|
Repeated field names MUST have corresponding repeated fields in the multipart body.
|
||||||
|
After a multipart field is added to the sha256 digest, no subsequent multipart-field-name may refer to any multipart field up to and including the one which was just processed (field processing always progresses forward in the request body, never backwards).
|
||||||
|
|
||||||
## Request Flow
|
## Request Flow
|
||||||
|
|
||||||
Using the `Authorization` HTTP header, the `kind 27235` event MUST be `base64` encoded and use the Authorization scheme `Nostr`
|
Using the `Authorization` HTTP header, the `kind 27235` event MUST be `base64` encoded and use the Authorization scheme `Nostr`
|
||||||
|
|
Loading…
Reference in New Issue
Block a user