hzrd149 / blossom

Blobs stored simply on mediaservers
The Unlicense

NIP-98 auth #8

Closed alexgleason closed 1 month ago

alexgleason commented 1 month ago

Why a custom event kind of authorization rather than NIP-98?

hzrd149 commented 1 month ago

NIP-98 auth events are scoped to specific servers and specific URLs so they wouldn't work if a user wanted to upload the same blob to two servers.

Also, a NIP-98 event is the user allowing the app to call an endpoint on their behalf, but in Blossom's case we want the user to sign to upload a blob.

ibz commented 1 month ago

> Also, a NIP-98 event is the user allowing the app to call an endpoint on their behalf, but in Blossom's case we want the user to sign to upload a blob.

Can you elaborate, please? I am not sure I understand this.

I mainly see 2 differences:

1) NIP-98 wants to validate created_at whereas Blossom doesn't
2) NIP-98 wants the payload sha256 in the event whereas Blossom does not

Is it any of these that you are referring to?

Also - is 2) really something we want as part of Blossom? Doesn't that mean that a server can falsely claim that a file belongs to you if they just know your pubkey?

hzrd149 commented 1 month ago

> NIP-98 wants to validate created_at whereas Blossom doesn't

Blossom validates the authorization events based on the NIP-40 expiration tag set by the user. It's similar to NIP-98 but allows the user to specify how long their upload token should be valid for.

> NIP-98 wants the payload sha256 in the event whereas Blossom does not

Yes, currently the upload authorization event only requires a size tag that matches the request body size. Ideally it should have the sha256 hash in an "x" tag, but I got lazy when writing up the initial version of the spec and didn't add it :disappointed:

I'm going to update some of my helper libraries to include the sha256 when uploading and then get everyone's thoughts on adding it as a requirement into the spec.

ibz commented 1 month ago

Got it. Yes, I think the sha256 is a must. Or, at least, optionally a must. :)

But I still don't understand your point about the difference with NIP-98. What is the crucial difference you are talking about here?

> NIP-98 event is the user allowing the app to call an endpoint on their behalf, but in Blossom's case we want the user to sign to upload a blob

To me, it looks like they are the same thing. The endpoint validates that the user has upload permission, basically.

hzrd149 commented 1 month ago

NIP-98 includes a u tag with the full URL of the endpoint that is being called. This works well for making requests to a single server, but for uploading blobs to multiple Blossom servers it does not make sense to have a u tag.

ibz commented 1 month ago

Ah, yes. I think that is the turning point where NIP-96 basically went the wrong way: by using NIP-98 for authentication. It became limited to one server versus being truly server independent, content addressable storage. Thanks for pointing it out here. I'll link this issue to #6 because I am sure 99% of the people stumbling upon Blossom are having this question and are going through the same thought process.

alexgleason commented 1 month ago

Alright, I implemented Blossom auth and I understand it now. I wished I could re-use my NIP-98 code, but building the Blossom event wasn't hard.
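
The server-side checks discussed in this thread (NIP-40 expiration, the size tag, and the proposed "x" sha256 tag), as an added example that is not part of the thread or of Blossom's code. The function name, return strings and sample events are hypothetical, the events are constructed, and signature verification is assumed to have been done elsewhere; because no URL is checked, the same event is accepted by any server running this logic.

```python
import hashlib
import time

# Constructed sample data; signature verification of the event is assumed
# to have happened already and is out of scope here.

def tag_values(event, name):
    """Return the first value of every tag with the given name."""
    return [t[1] for t in event.get("tags", []) if len(t) >= 2 and t[0] == name]

def check_upload_auth(event, body, now=None, require_hash=True):
    """Return (ok, reason) for a Blossom-style upload authorization event."""
    now = int(time.time()) if now is None else now

    # NIP-40: the user chooses how long the token stays valid.
    expirations = tag_values(event, "expiration")
    if len(expirations) != 1 or not expirations[0].isdigit():
        return False, "missing or malformed expiration tag"
    if int(expirations[0]) <= now:
        return False, "authorization expired"

    # Size check from the thread: must match the request body length.
    if str(len(body)) not in tag_values(event, "size"):
        return False, "size tag does not match body"

    # Hash binding: without an "x" tag the token covers any blob of that size.
    hashes = tag_values(event, "x")
    if not hashes:
        if require_hash:
            return False, "no x tag: token is not bound to a blob"
        return True, "accepted on size only"
    if hashlib.sha256(body).hexdigest() not in hashes:
        return False, "x tag does not match body sha256"
    return True, "accepted"

NOW = 1_700_000_000  # constructed clock value
blob = b"hello blossom"
other = b"HELLO BLOSSOM"  # different content, same length

size_only = {"tags": [["expiration", str(NOW + 60)], ["size", str(len(blob))]]}
bound = {"tags": size_only["tags"] + [["x", hashlib.sha256(blob).hexdigest()]]}
expired = {"tags": [["expiration", str(NOW - 1)], ["size", str(len(blob))]]}

if __name__ == "__main__":
    for name, ev, data in [("size-only/other", size_only, other),
                           ("bound/other", bound, other),
                           ("bound/blob", bound, blob)]:
        print(name, check_upload_auth(ev, data, NOW, require_hash=False))
```

With `require_hash=False` the size-only event is accepted for a different blob of the same length, which is the gap the "x" tag closes.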