draft optional author:wakoinc
This NIP is an extension to NIP-98 which allows HTTP authorization using a base64 encoded event header. This NIP documents a typical protocol flow for failure, retry and success - or hard fail.
Defining an authentication method without clearly defining the typical protocol flows can lead to different implimentations and confusion around the end to end transactional logic. This NIP aims to define the common approach, and simplify the possible outcomes.
- Nostr Service Authentication (e.g. translation API)
- Nostr CDN Authentication (e.g. paid images and media)
- Nostr Membership checks for content access (e.g. Patreon)
This NIP defines a new WWW-Authorization header scheme called Nostr-nip-98. This new scheme is used to tell clients they can retry their request with NIP-98 for authentication.
Clients may wish to show UI to allow users to whitelist domains (with an optional expiry, like 24 hours), so that all requests to that domain include the nostr-nip-98 auth header by default, or alternatively only on 401 responses. This is because there are private considerations where you are sharing your identity for each request to that domain you make.
Naive HTTP Request - without prior knowledge of authorization requirements
Client Server
| |
GET /protected | -----------------------> |
| |
| | 401 Unauthorized
| <----------------------- | WWW-Authorization: Nostr-nip-98
| |
GET /protected | |
Authenticate: Nostr BASE64_AUTH_EVENT | -----------------------> |
| |
| <----------------------- | 200 Ok
Naive HTTP Request - where access is disallowed for the authenticated identity
Client Server
| |
GET /protected | -----------------------> |
| |
| | 401 Unauthorized
| <----------------------- | WWW-Authorization: Nostr-nip-98
| |
GET /protected | |
Authenticate: Nostr BASE64_AUTH_EVENT | -----------------------> |
| |
| <----------------------- | 403 Forbidden
HTTP Request - where access is allowed for the authenticated identity
Client Server
| |
GET /protected | |
Authenticate: Nostr BASE64_AUTH_EVENT | -----------------------> |
| |
| <----------------------- | 200 Ok
402 Payment is currently nonstandard response status code that is reserved for future use - the future is now. We adapt the 401 Unauthorized protocol flow to add an additional 402 Payment Required check.
The the most simple case, please see Naive HTTP Request - without prior knowledge of authorization requirements above where the client will not even receive a 402 status code, as they already meet the payment requirements.
Naive HTTP Request - without prior knowledge of authorization / payment requirements - payment is required
Client Server
| |
GET /paid | -----------------------> |
| |
| | 401 Unauthorized
| <----------------------- | WWW-Authorization: Nostr-nip-98
| |
GET /paid | |
Authenticate: Nostr BASE64_AUTH_EVENT | -----------------------> |
| | 402 Payment Required
| | WWW-Authorization: Nostr-nip-98 INVOICE?
| |
(client makes payment) | |
| |
GET /paid | |
Authenticate: Nostr BASE64_AUTH_EVENT | -----------------------> |
| <----------------------- | 200 Ok
NOTE: THIS PART NEEDS WORK - as we need to define a payment flow. Ultimtely a lightning invoice
- How best to handle the lightning invoice creation, linking the request content and pubkey to the invoice payment status
- How best to support different payment offers - e.g. single payment (e.g. credits, or single item) vs a plan/package
- For this to be compatible with ZAPs a source event is required - this NIP does not rely on ZAPS, however if it's possible to support them, it can be considered
N/A
Nostr Paywall Example - https://github.com/blakejakopovic/nostr_paywall_example
Damus POC Implimentation - https://github.com/blakejakopovic/damus/commit/e27162b00fb10dcf2f02cc2fe533e1a09cb168aa
Nostr HTTP Auth - nostr-protocol/nips#469
Zapgates - https://github.com/Egge7/nips/blob/zapGates/XX.md
LSAT - https://docs.lightning.engineering/the-lightning-network/l402
LSAT Protocol - https://github.com/lightninglabs/L402/blob/master/authentication-flow.md