Is there any interest in header-based client authentication instead of after the websocket is opened (NIP-42)?
I understand other use cases where it happens later in the flow, but why not both?
Seems like this would be smart for private relays (e.g. company internal relay). You wouldn't even want to open the socket unless the user had auth'd, probably with a challenge-response or something.
Unless that already exists and I just missed it.
Yup. I’m trying to figure out why it’s not an option or what I’m missing🤔
Can’t a bunch of spammy requests to open web-sockets be pretty hard on relays too? I seem to remember someone saying that… maybe #[4] ?
i always require proof of work and posk for anonymous connections to my (pre-nostr) relays. all that required a socket. for auth connections, a hash or token in the header is probably fine