Open Kixunil opened 3 years ago
guggero
commented
3 years ago Interesting proposal, I think this makes a lot of sense.
Would you suggest this to be a header that MUST be implemented (using the RFC meaning of must here) by a software that wants to be LSAT compliant or more of an extension that CAN be used? Meaning, on the server side, can you be certain the client doesn't support LSAT if the header isn't present or could the header just not be implemented there?
Kixunil
commented
3 years ago Good question.
If a server sends invoice regardless it probably only hurts itself or UX. (Although I believe sending both the invoice and some fallback page works?) If a client never sends the header, then servers expecting it will not send back the invoice. I think the client MUST support sending the header. If it's turned on only for certain domains in the browser, that still counts as support.
If the header is not present it should mean "doesn't support or doesn't wish to use it".
kiwiidb
commented
2 years ago We've been working on a middleware library for LSAT's Gin: https://github.com/getAlby/gin-lsat, and we are also wondering if a client should initiate the LSAT flow by sending a certain Accept header: https://github.com/getAlby/gin-lsat/blob/main/ginlsat/ginlsat.go#L89.
Another advantage for the client would be that in the case that the files are large (eg. video), this would prevent unneeded downloading of the free content if you are actually after the paid content.
guggero
commented
2 years ago I've discussed this with @bumi before and I think the conclusion was that the Accept header field doesn't really fit, since the payment is a meta information and not actual content (and the MIME type application/vnd.lsat.v1.full would imply that there is an actual content type for LSAT).
I think a custom (X-...) field would make more sense. But the question of how to name it, what to put into the field and whether to make it required or not (privacy aspects as mentioned above) is still open for discussion.
Kixunil
commented
2 years ago @guggero that's exactly why I wrote X-Accept-Authenticate instead of Accept. IIRC there's currently no standard for clients to signal authentication methods to servers and there is some other header starting with Accept- so that's why I selected X-Accept-Austhenticate, might be nice to get it standardized but IDK how hard it'd be.
bumi
commented
2 years ago Accept-Authenticate sounds good to me, it's open and general. ( - isn't the X- deprecated anyway? (rfc6648)?)
What would be the proposed value of the Accept-Authenticate header to for lsat?
Kixunil
commented
2 years ago Interesting, didn't know about 6648.
I proposed LN-invoice but I don't really care as long s it's reasonably clear and doesn't conflict with anything else.
bumi
commented
2 years ago wondering if LN-invoice is specific enough to indicate that lsat should be used. - potentially there could be another authorization flow that uses lightning invoices.
kiwiidb
commented
2 years ago So to recap: the header's name would be Accept-Authenticate and the value could simply be LSAT?
In that case we could add this to the spec, so it is clear what clients wishing to use the LSAT flow should send over.
bumi
commented
1 year ago How/Where should we add this in the spec description?
guggero
commented
1 year ago I'd add a new section to https://github.com/lightninglabs/LSAT/blob/master/protocol-specification.md, maybe call it "Client support signaling" or something like that.
Roasbeef
commented
1 year ago Relevant to this document perhaps issue perhaps: https://github.com/lightning/blips/pull/26
I was randomly thinking about payment protocol over HTTP and realized it'd be nicer to require that the client sends
X-Accept-Authenticate: LN-invoice header(could be standardized to not requireX-in the future) This allows the server to know upfront that the client actually supports LN.Advantages:
Disadvantages:
X-Supports-LN: example.com/*, *.example.com/*, the browser could then offer the user to enable LN for that website.