nostr/nips
1
0
Fork 0
mirror of https://github.com/nostr-protocol/nips.git synced 2024-09-20 06:45:49 -04:00
Code Issues Actions Packages Projects Releases Wiki Activity
34ad4615f1
nips/71.md
monlovesmango 34ad4615f1 add flow
2024-02-26 13:01:21 -06:00

3.6 KiB
Raw Blame History

NIP-71

Restricted Events

draft optional

When the "+" tag is present, that means the event is "restricted".

A restricted event is an event which requires NIP-42 Authentication of Clients to Relays in order to request. These events can only be requested by:

The default behavior of a relay MUST be to reject any event that contains ["+"].

Relays that want to accept such events MUST first require that clients requesting restricted events perform the NIP-42 AUTH flow and check that the authenticated user has the appropriate access for the requested restriced events.

The tag

The tag is a simple tag with a single item: ["+"]. It may be added to any event.

Use Cases

  • limiting metadata leakage of private chats
  • limiting access to content to only paid subscribers
  • limiting metadata leakage of personal events (like a journal or private calendar)

Requesting

In order to REQ for a restricted event, the filter MUST have (a) attibute "restricted": true to specify the filter is requesting restricted events AND (b) either "authors" attribute or "#p" attribute to establish the pubkey that authentication should be validated for.

If (b) is missing from the filter, the request is invalid and the relay should response with CLOSED message with prefix "invalid".

If the filter does not contain the "restricted": true attribute, the relay MUST behave as if it does not store any restricted events. Specifically, the relay MUST NOT:

  • respond with CLOSED and "auth-required" prefix
  • request authentication
  • return any restricted events

in response to a request. Even if there are restricted events that qualify for the filter, if the filter doesn't not have attribute "restricted": true the relay should behave as if those events are not stored on the relay. This is so that unauthenticated clients are unable to glean any information on what restricted events might be stored on the relay.

Access

A user has permission to request any restricted event for which they are the author by:

  • authenticating as the author
  • authenticating with a delegated authentication token of mode 0-Login from the author

A user has permission to request any restricted event in which their pubkey is tagged by:

  • authenticating as the tagged pubkey
  • authenticating with a delegated authentication token of mode 0-Login from the tagged pubkey

A user has permission to request any restricted event they have been granted access to by the delegated authentication tokens of mode 1-Restricted Event Permission they authenticate with. The filter used MUST BE narrower in scope than the filter condition of the delegated authentication token.

Flow

  • User abc... connects to relay wss://example.com:
/* client: */
["REQ", "sub_1", {"authors": ["abc..."], "restricted": true}]
/* relay: */
["AUTH", "challenge_string"]
["CLOSED", "sub_1", "auth-required: cannot serve restricted events to unauthenticated useres"]
/* client: */
["AUTH", {"id": "wxyz...", "pubkey": "abc...", "kind": 22242, "tags": [["relay", "wss://example.com"], ["challenge", "challenge_string"]], ...}]
/* relay: */
["OK", "wxyz...", true, ""]
/* client: */
["REQ", "sub_1", {"authors": ["abc..."], "restricted": true}]
/* relay: */
["EVENT", "sub_1", {...}]
["EVENT", "sub_1", {...}]
["EVENT", "sub_1", {...}]
["EVENT", "sub_1", {...}]