Replying to Avatar Blake

Thinking out loud how we can easily support Nostr 402 (payment required) and 401 (unauthorised). Good news — I think we can just use a WWW-Authenticate header to indicate supported auth methods - which can double as a way to prove payment.

Basically, for 402 Payment Required, we can return a mime/type suitable response.

For an image we can return a blurred/masked image and maybe some kind of indicator it’s paywalled with two HTTP headers. An invoice header to optionally pay and a WWW-Authenticate with something like Nostr-NIP-98.

Doesn’t solve the issue of knowing if you’ve already paid. If you get 402, do you automatically try auth to see? Privacy issues exist. Do you try auth once before invoice payment as a sense check? Also doesn’t solve normal web browser inter-op. Maybe closer to an approach.. but lots to solve still.

One possible approach is to whitelist domains you are happy sending HTTP AUTH events for accessing the content - paid or private.
Avatar
Blake 2y ago

WWW-Authenticate docs are worth a read. I didn’t know about this part.. apparently it’s a MUST to include.

“A server using HTTP authentication will respond with a 401 Unauthorized response to a request for a protected resource. This response _MUST_ include at least one WWW-Authenticate header and at least one challenge, to indicate what authentication schemes can be used to access the resource (and any additional data that each particular scheme needs).”

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate

Reply to this note

Please Login to reply.

Discussion

No replies yet.