nostr:npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn does Coracle automatically respond to all AUTH requests sent by all relays?

Asking because of a recent discussion with nostr:npub13f5edp5przy3sm0nnrrj205vgstuuul7s98datn7ekqahh54x6kqufgvmt today.

Discussion

I tested it today, added my relay, and the connection was not successful. My relay always sends AUTH on connection. I haven’t debugged it yet though.

Also, briefly looking at the Coracle source I see there is a setting for whether to reply to AUTH automatically or not, but it seems I’m missing it in settings

Go to https://coracle.social/settings

There's an authenticate to relays option

Wow, I looked there 3 times and I first saw it in the source code but was only able to see it in the UI after your post 😂 thanks!

However, this setting seems to have no effect and it does not persist through reloads in any browser: safari, ff, chrome on mac

Did you press the save button at the bottom?

State is persisted in batches, so don't refresh right away

Btw, here is what it says: Logging In. But the connection is not authenticated on the relay side

Based on discussions on telegram 2-3 weeks ago, I've got a branch for gossip to have new "allow_connect" and "allow_auth" flags on a per-relay basis. They start out as None meaning the user is prompted. Afterwards it behaves like a switch you can adjust in the per-relay settings. There are also global flags as to whether the relay connection requires approval, and whether relay auth requires approval, you can turn them both off and just let it rip the way it does currently. In fact they are off by default.

This branch isn't merged yet because the UI work hasn't been done.

I think this might be the best UX indeed.

Yes, but you can turn AUTH off entirely if preferred. More fine grained control is obviously desirable

What is the correct way to handle AUTH? 0xchat also automatically responds to all AUTH requests.

I think maybe prompt the user if it comes from a new relay and then persist that setting somehow?

But if the action was directly triggered by a user connecting to that relay (or to someone that can only be accessed through that relay) then just respond automatically I guess.

I think for the list of relays you manually produce, it should be like this per relay:

- respond always

- ignore always

- prompt

- auto (let client decide, for instance only auth when kind4 requested etc how some clients have it now)

Also probably the same types of settings should be applied for “other relays that happen to be requested” in case of outbox or similar

It would also be great to let the user know when and why AUTH is requested by a relay. And regarding WHY, maybe it makes sense to consider adding it to the NIP so that relays could notify why they need auth - is it just a regular hey here is a challenge if you want to AUTH or something critical may be missing without. Maybe relays could add a link to policy (nip-11 seems not to cover this granularly enough)

Also what is important for client auth imo - is to save the challenge and let the user auth at any given point in time later, to not force the user to take immediate action and to not break UX because the relay sends it before the client can react
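
The per-relay AUTH handling proposed in this thread (respond always, ignore always, prompt, auto, a separate default for relays the user did not add, and keeping the challenge for later), sketched as an added example that is not part of the discussion and is not Coracle's, gossip's or 0xchat's code. Every class, method and option name is hypothetical, and signing the AUTH response is left to the caller.

```javascript
// Added illustration: every name below is hypothetical, not any client's real API.
const Policy = Object.freeze({ ALWAYS: "always", NEVER: "never", PROMPT: "prompt", AUTO: "auto" });

// Key settings by normalized URL so "wss://Relay.Example" and "wss://relay.example/" share one entry.
const key = (url) => new URL(url).href;

class RelayAuthPolicy {
  constructor({ listedDefault = Policy.PROMPT, otherDefault = Policy.NEVER } = {}) {
    this.defaults = { listed: listedDefault, other: otherDefault };
    this.perRelay = new Map(); // relay -> Policy chosen by the user
    this.listed = new Set();   // relays the user added manually
    this.pending = new Map();  // relay -> latest unanswered challenge
  }
  addRelay(url, policy) {
    this.listed.add(key(url));
    if (policy) this.perRelay.set(key(url), policy);
  }
  policyFor(url) {
    const k = key(url);
    return this.perRelay.get(k) ?? (this.listed.has(k) ? this.defaults.listed : this.defaults.other);
  }
  // Called when a relay sends an AUTH challenge. Returns "respond", "ignore", "prompt" or "defer".
  // userInitiated: the user explicitly connected to this relay.
  // authNeeded: the client's own heuristic says the current request needs auth (e.g. kind 4).
  onChallenge(url, challenge, { userInitiated = false, authNeeded = false } = {}) {
    const k = key(url);
    this.pending.set(k, challenge); // keep it so the user can authenticate later
    switch (this.policyFor(k)) {
      case Policy.ALWAYS: return "respond";
      case Policy.NEVER: return "ignore";
      case Policy.AUTO: return authNeeded ? "respond" : "defer";
      default: return userInitiated ? "respond" : "prompt";
    }
  }
  // Record the user's answer to a prompt; with remember=true it becomes the per-relay switch.
  answerPrompt(url, allow, remember = true) {
    if (remember) this.perRelay.set(key(url), allow ? Policy.ALWAYS : Policy.NEVER);
    return allow ? this.takeChallenge(url) : null;
  }
  // Hand out the stored challenge once, for signing now or at any later time.
  takeChallenge(url) {
    const k = key(url);
    const challenge = this.pending.get(k) ?? null;
    this.pending.delete(k);
    return challenge;
  }
}
```
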