so, after nostr:nprofile1qyd8wumn8ghj7urewfsk66ty9enxjct5dfskvtnrdakj7qgmwaehxw309aex2mrp0yh8wetnw3jhymnzw33jucm0d5hsqgpm7rrrljungc6q0tuh5hj7ue863q73qlheu4vywtzwhx42a7j9n5zr9h9m reminding me that the auth flow is supposed to involve sending a CLOSED envelope prior to sending the AUTH envelope i refactored my code a bit to do this, and it works

first thing i want to point out is that the reject filter type in https://github.com/fiatjaf/khatru https://github.com/fiatjaf/khatru/blob/master/relay.go#L46

does not have a field for the subscription ID, which is required for making a CLOSED envelope

second point for nostr:nprofile1qyd8wumn8ghj7urewfsk66ty9enxjct5dfskvtnrdakj7qgmwaehxw309aex2mrp0yh8wetnw3jhymnzw33jucm0d5hsqgpm7rrrljungc6q0tuh5hj7ue863q73qlheu4vywtzwhx42a7j9n5zr9h9m :

https://github.com/fiatjaf/khatru/blob/master/handlers.go#L236

this would be unnecessary to do (and you could remove that mutex) if the channel was always created

second thing nostr:nprofile1qyfhwumn8ghj7mmxve3ksctfdch8qatz9uqsuamnwvaz7tmwdaejumr0dshszxthwden5te0dphkgmrzdajzumn0wd68yvfwvdhk6tcqyztuwzjyxe4x2dwpgken87tna2rdlhpd02va5cvvgrrywpddnr3jyhdw0my i have discovered that with auth to relays enabled in #coracle, it eventually does auth, but it takes like maybe 5 tries before it does, nearly 30 seconds, and the user is stuck sitting there wondering why the relay is not responding - and in a way that is violating privacy, this is favoring the use of relays that do not force AUTH on DMs - kind 4, 1059 and 1060

also just want to point out that by default even if you set only relays that force this (ie my testing relay and nostr wine) and the setting for number of relays to use is more than this number it runs off searching for other relays to violate your privacy with, i think you should rethink how you have implemented this, it's fine for a custom deployment of coracle like i have set up to test with, that forces only relays i list in the env and doesn't use others but this also does fail a bit because if you want to interact with users who don't post to your relays there is a partition, that currently bridging this leaks your DMs by sending them to the whole network

in the test case i'm working on, this is quite absurd because it's sending out my DMs destined to talk to the chatbot i'm building in the relay to other relays and these messages are never going to be read by anyone concerned, my relay is not searching for them anywhere else except in its database and only watches for them as they come in

Discussion

AUTH should be sent before CLOSED. But you can have AUTH without CLOSED too if AUTH is optional.

sounds racy to me... and what i've seen so far of how it works in practice it seems to be uncertain how the clients are responding, should be closed auth required then send auth challenge for specific events eg 4 1059 1060

IMO, auth should not be optional, this should be something that we want every client to support so we can name and shame the ones that don't

right now nostr is a honeypot for social graph discovery via these privileged types of events, i'm disabling publishing them in my #coracle settings but it still tries sending out events if i allow more than my relay list, it's absolutely an abomination, and you should all be embarrassed

How can sending AUTH specifically before sending CLOSED sound racy to you? TCP packets are sent in order, you know?

nostr:npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn thinks AUTH should not be mandatory. It's his fault. Blame him.
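
Added example, not code from khatru or from anyone in this thread: a Go sketch of the relay-side reply to an unauthenticated REQ for kinds 4, 1059 and 1060, showing why the CLOSED envelope needs the subscription ID taken from the REQ. The envelope order follows the reply above (AUTH, then CLOSED); the function name `ReplyToREQ`, the challenge string and the reason text are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Kinds named in the thread as needing AUTH before they are served.
var privileged = map[int]bool{4: true, 1059: true, 1060: true}

// ReplyToREQ (hypothetical helper) parses a raw ["REQ", <sub id>, <filter>...]
// message and returns the envelopes to send back when the connection is not
// authenticated. It returns nil when the request can be served as-is.
func ReplyToREQ(raw []byte, authed bool, challenge string) ([]string, error) {
	var parts []json.RawMessage
	if err := json.Unmarshal(raw, &parts); err != nil || len(parts) < 3 {
		return nil, errors.New("malformed REQ")
	}
	var label, subID string
	if json.Unmarshal(parts[0], &label) != nil || label != "REQ" ||
		json.Unmarshal(parts[1], &subID) != nil {
		return nil, errors.New("malformed REQ")
	}
	needsAuth := false
	for _, f := range parts[2:] {
		var filter struct {
			Kinds []int `json:"kinds"`
		}
		if err := json.Unmarshal(f, &filter); err != nil {
			return nil, errors.New("malformed filter")
		}
		for _, k := range filter.Kinds {
			needsAuth = needsAuth || privileged[k]
		}
	}
	if authed || !needsAuth {
		return nil, nil
	}
	auth, _ := json.Marshal([]string{"AUTH", challenge})
	// CLOSED cannot be built without the subscription ID from the REQ.
	closed, _ := json.Marshal([]string{"CLOSED", subID, "auth-required: kinds 4, 1059 and 1060 need AUTH"})
	return []string{string(auth), string(closed)}, nil
}

func main() {
	// Constructed sample REQ, not captured traffic.
	out, err := ReplyToREQ([]byte(`["REQ","dm-sub",{"kinds":[4],"limit":10}]`), false, "constructed-challenge")
	fmt.Println(out, err)
}
```

A filter with no `kinds` list passes through this check, so a relay would still have to withhold privileged events when building the results for such a subscription.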