draft
mandatory
author:kieran
author:melvincarvalho
Authentication is covered in the NosDAV Core Spec. Authentication is the concept of verifying an identity. This is done by signing an event and sending it in an Authentication header.
NAV-03 is based on the original form of NIP-98.
This NIP defines an ephemeral event used to authorize requests to HTTP servers using nostr events.
This is useful for HTTP services which are built for Nostr and deal with Nostr user accounts.
A kind 27235 (in reference to RFC 7235) event is used.
The content SHOULD be empty.
The following tags are defined as REQUIRED.
- u - absolute URL
- method - HTTP Request Method
Example event:
{
"id": "fe964e758903360f28d8424d092da8494ed207cba823110be3a57dfe4b578734",
"pubkey": "63fe6318dc58583cfe16810f86dd09e18bfd76aabc24a0081ce2856f330504ed",
"content": "",
"kind": 27235,
"created_at": 1682327852,
"tags": [
[
"u",
"https://api.snort.social/api/v1/n5sp/list"
],
[
"method",
"GET"
]
],
"sig": "5ed9d8ec958bc854f997bdc24ac337d005af372324747efe4a00e24f4c30437ff4dd8308684bed467d9d6be3e5a517bb43b1732cc7d33949a3aaf86705c22184"
}
Servers MUST perform the following checks in order to validate the event:
- kind MUST be 27235.
- created_at MUST be within a reasonable time window (suggestion 60 seconds).
- u tag MUST be exactly the same as the absolute request URL (including query parameters).
- method tag MUST be the same HTTP method used for the requested resource.
When the request contains a body (as in POST/PUT/PATCH methods) clients SHOULD include a SHA256 hash of the request body in a payload tag as hex (["payload", "<sha256-hex>"]), servers MAY check this to validate that the requested payload is authorized.
If one of the checks fails, the server SHOULD respond with a 401 Unauthorized response code.
All other checks which the server MAY do are OPTIONAL and implementation-specific.
Using the Authorization header, the kind 27235 event MUST be base64 encoded and use the Authorization scheme Nostr.
Example HTTP Authorization header:
Authorization: Nostr eyJpZCI6ImZlOTY0ZTc1ODkwMzM2MGYyOGQ4NDI0ZDA5MmRhODQ5NGVkMjA3Y2JhODIzMTEwYmUzYTU3ZGZlNGI1Nzg3MzQiLCJwdWJrZXkiOiI2M2ZlNjMxOGRjNTg1ODNjZmUxNjgxMGY4NmRkMDllMThiZmQ3NmFhYmMyNGEwMDgxY2UyODU2ZjMzMDUwNGVkIiwiY29udGVudCI6IiIsImtpbmQiOjI3MjM1LCJjcmVhdGVkX2F0IjoxNjgyMzI3ODUyLCJ0YWdzIjpbWyJ1cmwiLCJodHRwczovL2FwaS5zbm9ydC5zb2NpYWwvYXBpL3YxL241c3AvbGlzdCJdLFsibWV0aG9kIiwiR0VUIl1dLCJzaWciOiI1ZWQ5ZDhlYzk1OGJjODU0Zjk5N2JkYzI0YWMzMzdkMDA1YWYzNzIzMjQ3NDdlZmU0YTAwZTI0ZjRjMzA0MzdmZjRkZDgzMDg2ODRiZWQ0NjdkOWQ2YmUzZTVhNTE3YmI0M2IxNzMyY2M3ZDMzOTQ5YTNhYWY4NjcwNWMyMjE4NCJ9
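The server checks and header encoding described above, as an added Python example that is not part of the spec or its reference implementation. The names check_nostr_auth, encode_header and tag_value and the dav.example URL are assumptions; verifying the event id and signature needs a secp256k1 Schnorr library and is not shown.

```python
import base64, hashlib, json, time

AUTH_KIND = 27235
MAX_SKEW = 60  # seconds; the window the spec suggests

def tag_value(event, name):
    """Value of the first tag called `name`, or None if absent or malformed."""
    tags = event.get("tags")
    for tag in tags if isinstance(tags, list) else []:
        if isinstance(tag, list) and len(tag) >= 2 and tag[0] == name:
            return tag[1]
    return None

def encode_header(event):
    """Client side: base64 the JSON event and prefix the Nostr scheme."""
    return "Nostr " + base64.b64encode(json.dumps(event).encode()).decode()

def check_nostr_auth(header, method, url, body=b"", now=None):
    """Return (True, pubkey) or (False, reason); answer 401 on False.

    Covers only the checks listed above. Verifying the event id and
    signature needs a secp256k1 Schnorr library and is not shown.
    """
    now = time.time() if now is None else now
    scheme, _, token = header.partition(" ")
    if scheme != "Nostr" or not token:
        return False, "wrong scheme"
    try:
        event = json.loads(base64.b64decode(token, validate=True))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False, "bad encoding"
    if not isinstance(event, dict) or event.get("kind") != AUTH_KIND:
        return False, "wrong kind"
    created = event.get("created_at")
    if not isinstance(created, int) or abs(now - created) > MAX_SKEW:
        return False, "stale created_at"
    if tag_value(event, "u") != url:  # exact match, query string included
        return False, "u tag mismatch"
    if tag_value(event, "method") != method:
        return False, "method mismatch"
    payload = tag_value(event, "payload")  # optional tag, checked when present
    if payload is not None and payload != hashlib.sha256(body).hexdigest():
        return False, "payload mismatch"
    return True, event.get("pubkey")

# Constructed sample event: placeholder pubkey, id and sig omitted.
SAMPLE = {"pubkey": "00" * 32, "content": "", "kind": AUTH_KIND,
          "created_at": 1700000000,
          "tags": [["u", "https://dav.example/pub/a.txt?v=1"], ["method", "PUT"],
                   ["payload", hashlib.sha256(b"hello").hexdigest()]]}
```

Because the u comparison is an exact string match, the server has to rebuild the absolute request URL (scheme, host and query string) the same way the client saw it, which matters behind a reverse proxy.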
AuthenticationHandler
NostrAuth.cs