What do you mean by permission? Download permission or upload?
Discussion
Both, but more salient is download permission. I had it working a while ago with a custom khatru relay which checked authorization based on a nip 98 header, but the code for probing support was nasty, especially if you wanted to make sure the relay was properly enforcing read permissions.
I am all for nip98 support for uploads/sharing, just convince the rest of the clients to send the headers. So far we are stuck in this mode that clients control what is being implemented, and it hurts any sort of innovation in that area. Pay per view, protected access, limited sharing. All can be done easily, but no client support means no point in doing it.
Yeah, it depends on use cases implemented by clients. In my case, I had a use case and built it on both ends, but ultimately it seemed like encrypting the file was simpler and more resilient.
Encryption is good, as long as you nail key management, which is the most important and hardest part of the problem. If the key is in the open, you might as well not do it at all, since it misleads the user into thinking that the communication is private.
The way I'm doing it is the key is attached to the note, making the media exactly as private as the event. Since the events are being sent to a relay with access controls, the media access control policy is implicitly the same. Events can get leaked of course, but that's up to the relay/client/users.
That’s what I would call “misleading the user about privacy”. A random URL in the note accomplishes the same thing without all the complexity of your proposed implementation. I’d suggest trying to get nip98 as a standard header for fetching media, maybe allowing users to pick if they want to send it, if the server signals 401 or anything else that is needed for the user to make a decision.
Why is it misleading? That's what I don't understand
The simple fact is that additional measures that are meant to increase protection are likely to be misinterpreted by the user as an increased level of privacy. The reality is that it is no more secure than a plain URL within the note. If people get a false sense of security, they might share things that they otherwise wouldn’t.
The user doesn't know it's encrypted, only that it works in the app but the url breaks when copied (not fixable with access controls either). The random id could work, assuming the blossom server doesn't support the list endpoint. But why assume?
Blossom server, according to specs, suggests authentication for list, which the majority do already. Random ID for blossom is a hash of the content, so probably sufficient for “random”. Adding encryption to something adds overhead and maintenance (nobody here thinks of maintenance as often as they should) and complexity, which does not add any sort of security in addition to a simple thing.
I get what you're saying, but security by obscurity is not really a good idea. Things should be secure by design.
You are echoing my point, where encryption is just a token with the key being obscured.
so, what's the verdict? i see nostr:npub18ams6ewn5aj2n3wt2qawzglx9mr4nzksxhvrdc4gzrecw7n5tvjqctp424 is using blossom.band to test, which i wasn't aware of. it sounds a bit like nostr:npub1cgcwm56v5hyrrzl5ty4vq4kdud63n5u4czgycdl2r3jshzk55ufqe52ndy 's problem is she tried to use, nostr build blossom and satellite.. does yakbak only support blossom band and haven? and then it sounds like nostr:npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn has a fix for flotilla but it also may not work with blossom build after the fix, which blossom does flotilla support?
thanks for all the comments everyone ♥️
My view is that adding encryption to something that is shared in clear is identical to sharing a plain URL. The note literally contains the URL and key, which defeats the purpose of encryption, since both are unknown outside of the note.
is there any reason why yakbak can't use blossom build? i don't think yak is encrypting..?
blossom.band ? It should work as long as the submitter of the file follows blossom standard to the letter.
ok so i guess.. when we hear back from nostr:npub18ams6ewn5aj2n3wt2qawzglx9mr4nzksxhvrdc4gzrecw7n5tvjqctp424 about testing, maybe he just didn't try build.. i don't know why it would matter but i am learning that blossom has an equivalent of a relay list, for your blossoms, and that it matters what you pick..
Blossom allows a user to publish an event with their blossom servers. Is that what you mean? Plus, no client should upload the same thing to more than one, and instead should use the /mirror endpoint. Otherwise there is no point to using blossom.
i mean, when choosing blossom servers.. there is an event that is like a list.. of which ones to use. i think? so to fix anything i assume you just pick different ones or etc. right? (and report bugs to clients obvs too about non standard stuff)
I am not sure how it works on all clients, I only tested a few key ones. Reporting bugs is definitely a good thing, to either a server or a client, or both.
Yeah, 10063 list. I think: Yakbak uses them 1st to last, falling back if the first fails. Coracle & Flotilla only use the first. Amethyst allows for pick & choose per upload but only tries one at a time.
Again, I don't know if I fully understand this stuff. Just so that's clear 😅 I'm learning about blossom the hard way.
Blossom .band and blossom .nostr .build are both rejecting my voice note audio files. (So is satellite but I don't know if it ever accepted them.) It's only from this profile. They are accepted from a different npub, same servers, same device, etc. It worked fine with this profile until mid-July. I could have caused this by trying a new client, getting my server list overwritten, and trying to change them back. I don't really know, I am just trying to figure out how to fix it & I keep running into walls.
Amethyst tells me this, which is similar to the console errors posted above:

Pictures are accepted to band & build now from Coracle & Amethyst. From the conversation here, I gather that not being able to upload with Flotilla anymore might not be related, but I haven't tried with another npub yet. I also haven't had a chance to retry Nostrudel in the last few days, which was failing also recently.
that is very strange it works with new npub.. did you try clearing your browser cache, or if amethyst, clearing its cache? maybe nostr:npub1gcxzte5zlkncx26j68ez60fzkvtkm9e0vrwdcvsjakxf9mu9qewqlfnj5z would know.
Yep, I've cleared cache. I've tried on multiple devices, different servers, different relay settings, with Amber & extensions, now nsec with Amethyst, lol... same results. I can only really try voice notes from 2 clients. Both return the same error.
Try again, I may have had a bug which I hope I addressed, and this may solve your problem. I am not sure if it was related but worth trying (blossom.band).
No such luck. Thank you, though. I feel certain now that everyone's software is working great & it's something in my profile that's broken. I appreciate your time. Overall, it's a good thing that it's just me. I'll survive or maybe someday learn enough to fix it. 😅🫂
Oh well. Do other file types work? Anything specific to your case?
Video & image uploads work fine from Amethyst & Coracle. I haven't tried from any other client besides Flotilla in the last few days.
I had posted a video with a new video client that overwrote my blossom server list. I had changed them back in Amethyst, but nothing else worked correctly after that. I tried Bouquet and Nostrudel's event publisher to try to fix my 10063. That didn't work. Maybe I made things worse but on the surface it appeared the same. I then published my list through Coracle, which fixed Coracle. Prior to all of this, everything worked everywhere. I suppose that's the stuff specific to my case.
Probably a stale event, one huge overlooked problem with Nostr design.
Maybe. Clients seem to be finding my current server list easily. I've changed those & relays a lot over the last month while troubleshooting, so that part feels like a win. 😅
Thanks again 🫂 I really do appreciate the help. This has been a process of elimination & the conversation in this thread has supercharged that.
the error probably isn't your blossom list, the 400 invalid content type was coming from blossom.build, and from satellite in your screenshots. it's something with the apps encoding the wrong (unmatched format) or something along these lines. it also isn't likely relay related. are you using a mobile device or desktop or both? just curious. might shed some light. i don't know much about how apps encode but i would guess amethyst has the most control over this and since you get the error there, it may just be some overlooked thing about blossom specs either on the clients or blossom servers.
With Yakbak, I've tried on both mobile browser and my laptop, with this profile. Same with Flotilla for images, though I'm not so sure that's even related anymore.
I tried replying to a nostr:nprofile1qqsr7acdvhf6we9fch94qwhpy0nza36e3tgrtkpku25ppuu80f69kfqppemhxue69uhkummn9ekx7mp0qy0hwumn8ghj7mn0wd68yttjv4kxz7fwv3jhyettwfhhxuewd4jj7qg3waehxw309ahx7um5wgh8w6twv5hsleq7kw voice note via Amethyst yesterday. When that failed with this profile, I tried with my nostr:nprofile1qqsrcwyu3ax5dj5px9n58glr8nkmr5rpn7rh3mn563ex2a670gh07lcpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhszrnhwden5te0dehhxtnvdakz7qfqwaehxw309ashqmrpvdjkjmn5dpjhxatw9ehx7um5wgcjucm0d5hs9r2qae profile and that worked. Twice. Both profiles on the same phone, same app, same server (being blossom .band), 1 different relay. I tried changing relays to match and it still failed with this profile. I am running out of combos to try. 😅
I have to restate, everything worked great with this profile prior to 6 weeks ago.
I just introduced another workaround just for you, please test.
Holy shit, that worked! Thank you!! Is there a semi-layman's explanation so that I may understand what the problem was?
Thank you! From my investigation I see that the client that sends the file is misrepresenting the mime type. Basically it tells that it sent video, but we detect audio, or vice versa.
I've been beating myself up over this for a month and a half! 🤣 Thank you so so so much!
nostr:nprofile1qqs8eseg5zxak2hal8umuaa7laxgxjyll9uhyxp86c522shn9gj8crspz9mhxue69uhkummnw3ezuamfdejj7qgjwaehxw309ahx7um5wgerztnrdakj7qgkwaehxw309a3x2an09ehx7um5wgcjucm0d5hsvlnggv nostr:nprofile1qqsr7acdvhf6we9fch94qwhpy0nza36e3tgrtkpku25ppuu80f69kfqppemhxue69uhkummn9ekx7mp0qy0hwumn8ghj7mn0wd68yttjv4kxz7fwv3jhyettwfhhxuewd4jj7qg3waehxw309ahx7um5wgh8w6twv5hsleq7kw
Fishcake fixed it! I can leave you guys alone about it now! Thanks for helping me figure this out and for putting up with me in my state of despair 💜💜💜🫠
Thank you for being patient and explaining the situation, it’s always good to help a pleb in need. Please never hesitate to raise issues in the future 🫂🫡
Will do 🫂💜
yay! 🐳🎉😎
i knew nostr:npub137c5pd8gmhhe0njtsgwjgunc5xjr2vmzvglkgqs5sjeh972gqqxqjak37w would come through! 😁 these clients may still be broken for other blossom implementations or those implementations just ignore mime.. either way, now we know and nostr:npub1cgcwm56v5hyrrzl5ty4vq4kdud63n5u4czgycdl2r3jshzk55ufqe52ndy can get back to yakkin' 🦖 haha
Hum.. does it change if you don't compress it? I wonder what is the mimetype Android is sending for your videos...
I can upload videos just fine. It seems to think that voice note audio should be a video. Yakbak does it too. It's only a problem with this profile, and Yakbak did work fine until about 6 weeks ago. I was anxious to try voice notes with Amethyst, as it's great for sifting out problems. Amethyst was the only client I could use to upload pix & videos for about a month.
Yes, but it's a token whose privacy the client controls, rather than the blossom server. So I suppose your earlier point about hiding the content from the server is germane — I don't trust commodity blossom servers to protect user content.
You just shifted trust from blossom server to a relay, same problem, nothing solved.
Yes, but the explicit paradigm in flotilla is delegating access control to relays (not commodity blossom servers).
Relays are not commodities? There are thousands of them and nobody knows who is who and the user cannot fully control how their note propagates and by whom. Ok, I’ve said enough already, no point in taking it further.