I guess that's the point of AUTH: it creates a signed event to check. Duh. Sorry.
It's a forward check.
But it's per-session, so you could theoretically AUTH once and then make multiple REQs, right, nostr:npub1qdjn8j4gwgmkj3k5un775nq6q3q7mguv5tvajstmkdsqdja2havq03fqm7 ?
Rate-limiting would be per-REQ or per-SESSION?
Or is this again a retarded question?
I'm not well versed on relay coms, but I believe it's per session when the socket is opened. It would get expensive otherwise. However I think a relay can send an auth message whenever it feels like, but it's attached to a session id.
The only code I'm most familiar with is Grain, and he uses per kind limiting iirc. Strfy defers it to the handlers I believe, so it depends on the message kind. I would assume strfy also has per-req limiting as well.
there is usually two triggers for sending auth, one is immediately upon connection, the other is in response to an auth-required request or event envelope
strfry is quite unopinionated, it has a "sprocket" thing that it feeds incoming events to and if you have code attached to that it can filter it and send back replies and/or interact with the relay event store... relay.tools guy nostr:npub10npj3gydmv40m70ehemmal6vsdyfl7tewgvz043g54p0x23y0s8qzztl5h got me to start doing some stuff writing scripts and tools for this and he's made it pretty fancy these days since back then (was december last year i did a little work on it)
the fiatjaf/mattn relayer nostr relay framework also has by default an option to enable a ratelimiter per-IP address also, and an easy thing to plug in your own filters and it is easy to enable auth with it as well (i'm in the last stages of completing a port of it to my fast, allocation avoiding, binary-focused nostr message codec right now)
I wish we could let people AUTH to read and just ignore the IP address and send the results to their npub.
well, thats what its doing.. i am still wondering what the concern is because i like the idea. its neat right? no dumb IPs, just pubkeys. i will not 'steel man' anti-auth for them because I'm still waiting to hear more reasons why. (hint: replyguy doesnt like auth either).
replyguy could auth just that usually relays that require it do so because only a whitelist of npubs are allowed to publish events
as it is, he is already making hundreds of new keys and publishing profile metadata to go with it, on top of it all
it's quite funny though, only spams replies and profile events, that is all
i'm sure whoever is doing it has an axe to grind with the relays its selecting to spam at also
yep
i am encountering it in my work too, i see it on a firehose feeder i made that pulls events from multiple relays concurrently and processes the unique ones it sees in a window of 2048 events (uses a map to implement a uniqueness invariant)
it's very easy to detect them, you literally would just look for the e,
but it's quite funny, very often the reply events are showing up ahead of the replied to events in the feed
i'm sure that replyguy is just the tip of the iceberg of problems these free relays are having
i may have to write a filter like this at some point in the future, it won't be hard to do... hell, even just looking for the relay's own address at the end of the reply content field would flag them all
"but it's quite funny, very often the reply events are showing up ahead of the replied to events in the feed"
LOL how the heck?
subscriptions often come ahead of req results... usually a req starts a subscription first, and then does the search and then sends the results
in the meantime, the subscription is there and if someone publishes a matching event it sends that out, and the database could still be working at that point
makes sense, when you think about it... subscription results can come in without a search, but reqs always need a search
yes, auth is once per websocket connection (in my implementation). strfry does not have any way beyond setting size of tags, or size of an individual req for doing read rate limits. so for example, there are ways to overload a meduim sized relay by forcing it to keep its cache hot, beyond its memory size by requesting many reqs over the single socket.
since i needed an auth proxy for DM protections anyway, i built one .. it could also be used with non auth, but, then you are still going to hit the problem where they will change to open more connections, and then you can throttle naively by IP address, which will cripple all users experience. the bots will always win a war using IPs. they will not however, win a war against sats. (because if they did, well, the value was never there to begin with) ⚡
Yeah. Makes sense. Is anyone working on that in strfry? I've never taken a liking on application proxies. The base software should be the one doing do the work, if not we need to fork it or replace it. Especially in the form of websocket traffic. A proxy should see nothing more than stream traffic of an upgraded connection. That's just imo.
