Skip to content

Instantly share code, notes, and snippets.

@blakejakopovic
Last active May 20, 2023 10:00
Show Gist options
  • Save blakejakopovic/fe384b8fd97231ece267bf264eb466ef to your computer and use it in GitHub Desktop.
Save blakejakopovic/fe384b8fd97231ece267bf264eb466ef to your computer and use it in GitHub Desktop.
NIP-ZZ - 401/402 Unauthorised/Payment Required Nostr HTTP AUTH Flow

NIP-ZZ

401/402 Unauthorised/Payment Required Nostr HTTP AUTH Flow

draft optional author:wakoinc

This NIP is an extension to NIP-98 which allows HTTP authorization using a base64 encoded event header. This NIP documents a typical protocol flow for failure, retry and success - or hard fail.

Motivation

Defining an authentication method without clearly defining the typical protocol flows can lead to different implimentations and confusion around the end to end transactional logic. This NIP aims to define the common approach, and simplify the possible outcomes.

Example uses cases

  • Nostr Service Authentication (e.g. translation API)
  • Nostr CDN Authentication (e.g. paid images and media)
  • Nostr Membership checks for content access (e.g. Patreon)

Motivation

This NIP defines a new WWW-Authorization header scheme called Nostr-nip-98. This new scheme is used to tell clients they can retry their request with NIP-98 for authentication.

Client UX

Clients may wish to show UI to allow users to whitelist domains (with an optional expiry, like 24 hours), so that all requests to that domain include the nostr-nip-98 auth header by default, or alternatively only on 401 responses. This is because there are private considerations where you are sharing your identity for each request to that domain you make.

Protocol Flows

Naive HTTP Request - without prior knowledge of authorization requirements

                                    Client                    Server
                                      |                          |
                       GET /protected | -----------------------> |
                                      |                          |
                                      |                          | 401 Unauthorized
                                      | <----------------------- | WWW-Authorization: Nostr-nip-98
                                      |                          |
                       GET /protected |                          |
Authenticate: Nostr BASE64_AUTH_EVENT | -----------------------> |
                                      |                          |
                                      | <----------------------- | 200 Ok

Naive HTTP Request - where access is disallowed for the authenticated identity

                                    Client                    Server
                                      |                          |
                       GET /protected | -----------------------> |
                                      |                          |
                                      |                          | 401 Unauthorized
                                      | <----------------------- | WWW-Authorization: Nostr-nip-98
                                      |                          |
                       GET /protected |                          |
Authenticate: Nostr BASE64_AUTH_EVENT | -----------------------> |
                                      |                          |
                                      | <----------------------- | 403 Forbidden

HTTP Request - where access is allowed for the authenticated identity

                                    Client                    Server
                                      |                          |
                       GET /protected |                          |
Authenticate: Nostr BASE64_AUTH_EVENT | -----------------------> |
                                      |                          |
                                      | <----------------------- | 200 Ok

402 Payment Required Extension

402 Payment is currently nonstandard response status code that is reserved for future use - the future is now. We adapt the 401 Unauthorized protocol flow to add an additional 402 Payment Required check.

The the most simple case, please see Naive HTTP Request - without prior knowledge of authorization requirements above where the client will not even receive a 402 status code, as they already meet the payment requirements.

Naive HTTP Request - without prior knowledge of authorization / payment requirements - payment is required

                                    Client                    Server
                                      |                          |
                            GET /paid | -----------------------> |
                                      |                          |
                                      |                          | 401 Unauthorized
                                      | <----------------------- | WWW-Authorization: Nostr-nip-98
                                      |                          |
                            GET /paid |                          |
Authenticate: Nostr BASE64_AUTH_EVENT | -----------------------> |
                                      |                          | 402 Payment Required
                                      |                          | WWW-Authorization: Nostr-nip-98 INVOICE?
                                      |                          |
               (client makes payment) |                          |
                                      |                          |
                            GET /paid |                          |
Authenticate: Nostr BASE64_AUTH_EVENT | -----------------------> |
                                      | <----------------------- | 200 Ok

NOTE: THIS PART NEEDS WORK - as we need to define a payment flow. Ultimtely a lightning invoice

Areas requiring work

  • How best to handle the lightning invoice creation, linking the request content and pubkey to the invoice payment status
  • How best to support different payment offers - e.g. single payment (e.g. credits, or single item) vs a plan/package
  • For this to be compatible with ZAPs a source event is required - this NIP does not rely on ZAPS, however if it's possible to support them, it can be considered

Appendix

N/A

Related work

Nostr Paywall Example - https://github.com/blakejakopovic/nostr_paywall_example
Damus POC Implimentation - https://github.com/blakejakopovic/damus/commit/e27162b00fb10dcf2f02cc2fe533e1a09cb168aa
Nostr HTTP Auth - nostr-protocol/nips#469
Zapgates - https://github.com/Egge7/nips/blob/zapGates/XX.md
LSAT - https://docs.lightning.engineering/the-lightning-network/l402
LSAT Protocol - https://github.com/lightninglabs/L402/blob/master/authentication-flow.md

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment