clarify created_at and auth session duration.

This commit is contained in:
fiatjaf 2023-01-04 10:24:37 -03:00
parent 4a5202646a
commit 50faceef09
No known key found for this signature in database
GPG Key ID: BAD43C4BE5C1A3A1

9
42.md
View File

@ -43,7 +43,8 @@ WebSocket URL of the relay. `created_at` should be the current time. Example:
```
The client may send an auth message right before performing an action for which it knows authentication will be required -- for example, right
before requesting `kind: 4` chat messages --, or it may do right on connection start or at some other moment it deems best.
before requesting `kind: 4` chat messages --, or it may do right on connection start or at some other moment it deems best. The authentication
is expected to last for the duration of the WebSocket connection.
Upon receiving a message from an unauthenticated user it can't fulfill without authentication, a relay may choose to notify the client. For
that it can use a `NOTICE` message with a standard prefix `"restricted: "` that is readable both by humans and machines, for example:
@ -62,7 +63,7 @@ or it can return an `OK` message noting the reason an event was not written usin
To verify `AUTH` messages, relays must ensure:
- that the `kind` is `22242`
- that the event was recently signed (~10 minutes, by `created_at`)
- that the `content` field matches the relay URL
- that the `kind` is `22242`;
- that the event `created_at` is close (e.g. within ~10 minutes) of the current time;
- that the `content` field matches the relay URL:
- URL normalization techniques can be applied. For most cases just checking if the domain name is correct should be enough.