Closed alexgleason closed 1 month ago
NIP-98 auth events are scoped to specific servers and specific URLs so they wouldn't work if a user wanted to upload the same blob to two servers.
Also a NIP-98 event is the user allowing the app to call an endpoint on their behalf. but in blossoms case we want the user to sign to upload a blob
Also a NIP-98 event is the user allowing the app to call an endpoint on their behalf. but in blossoms case we want the user to sign to upload a blob
Can you elaborate, please? I am not sure I understand this.
I mainly see 2 differences:
1) NIP-98 wants to validate created_at
whereas Blossom doesn't
2) NIP-98 wants the payload sha256 in the event whereas Blossom does not
Is it any of these that you are referring to?
Also - is 2) really something we want as part of Blossom? Doesn't that mean that a server can falsely claim that a file belongs to you if they just know your pubkey?
NIP-98 wants to validate created_at whereas Blossom doesn't
Blossom validates the authorization events based on the NIP-40 expiration
tag set by the user. Its similar to NIP-98 but allows the user to specify how long their upload token should be valid for
NIP-98 wants the payload sha256 in the event whereas Blossom does not
Yes, currently the upload authorization event only requires a size
tag that matches the request body size, ideally it should have the sha256 hash in a "x" tag. but I got lazy when writing up the initial version of the spec and didn't add it :disappointed:
I'm going to update some of my helper libraries to include the sha256
when uploading and then get everyone thoughts on adding it as a requirement into the spec
Got it. Yes, I think the sha256
is a must. Or, at least, optionally a must. :)
But I still don't understand your point about the difference with NIP-98. What is the crucial difference you are talking here?
NIP-98 event is the user allowing the app to call an endpoint on their behalf. but in blossoms case we want the user to sign to upload a blob
TO me, it looks like they are the same thing. The endpoint validates that the user has upload permission, basically.
NIP-98 include a u
tag with the full URL of the endpoint that is being called. this works well for making requests to a single server, but for uploading blobs to multiple blossom server it does not make sense to have a u
tag
Ah, yes. I think that is the turning point where NIP-96 basically went the wrong way: by using NIP-98 for authentication. It became limited to one server versus being truly server independent, content addressable storage. Thanks for pointing it out here. I'll link this issue to #6 because I am sure 99% of the people stumbling upon Blossom are having this question and are going through the same thought process.
Alright, I implemented Blossom auth and I understand it now. I wished I could re-use my NIP-98 code, but building the Blossom event wasn't hard.
Why a custom even kind of authorization rather than NIP-98?