coracle/caravel
1
1
Fork 2
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity

Harden NIP-98 HTTP auth to exact URL/method with replay protection #12

New Issue
Closed
opened 2026-04-15 08:00:36 +00:00 by userAdityaa · 2 comments
userAdityaa commented 2026-04-15 08:00:36 +00:00
Contributor
Copy Link
Copy Source

Summary

Current NIP-98 verification is signer-identity-focused but not request-intent-bound.
Auth events are reusable across endpoints on the same host because backend only checks host containment and frontend signs only base API URL.

NIP-98 expects:

  • kind 27235
  • created_at within a short window
  • u exactly equal to absolute request URL including query
  • method tag equal to actual HTTP method
  • payload hash optional for body methods and validated when present

Source: https://github.com/nostr-protocol/nips/blob/master/98.md

### Summary Current NIP-98 verification is signer-identity-focused but not request-intent-bound. Auth events are reusable across endpoints on the same host because backend only checks host containment and frontend signs only base API URL. ### NIP-98 expects: * kind 27235 * created_at within a short window * u exactly equal to absolute request URL including query * method tag equal to actual HTTP method * payload hash optional for body methods and validated when present **Source:** https://github.com/nostr-protocol/nips/blob/master/98.md
hodlbod commented 2026-04-15 20:35:40 +00:00
Owner
Copy Link
Copy Source

This is actually ok, I did this non-standard on purpose to avoid nagging users with sign requests. We just need them to sign to establish a session, and then they're authorized. This allows us to skip cookie based auth which is nice.

This is actually ok, I did this non-standard on purpose to avoid nagging users with sign requests. We just need them to sign to establish a session, and then they're authorized. This allows us to skip cookie based auth which is nice.
👍 1
userAdityaa commented 2026-04-16 08:52:18 +00:00
Author
Contributor
Copy Link
Copy Source

This is actually ok, I did this non-standard on purpose to avoid nagging users with sign requests. We just need them to sign to establish a session, and then they're authorized. This allows us to skip cookie based auth which is nice.

Thanks, agreed with the decision choice being intentional.

I’ve opened a docs-only PR to make this explicit in backend/frontend READMEs, API spec, and inline auth code comments so future reviewers understand this is a deliberate tradeoff (fewer signing prompts, no cookie session), not an accidental deviation.

Given that clarification, I’m closing #12 as “by design, documented.”

> This is actually ok, I did this non-standard on purpose to avoid nagging users with sign requests. We just need them to sign to establish a session, and then they're authorized. This allows us to skip cookie based auth which is nice. Thanks, agreed with the decision choice being intentional. I’ve opened a docs-only PR to make this explicit in backend/frontend READMEs, API spec, and inline auth code comments so future reviewers understand this is a deliberate tradeoff (fewer signing prompts, no cookie session), not an accidental deviation. Given that clarification, I’m closing #12 as “by design, documented.”
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
hodlbod (hodlbod)
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: coracle/caravel#12
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?