Skip to content

v0.3.5 — NIP-42 relay authentication

Latest

Choose a tag to compare

@sepehr-safari sepehr-safari released this 12 Jul 15:43
501f0f0

Added

  • NIP-42 authentication of clients to relays (src/nip42.zig). A connection can now authenticate to relays that require it — to protect DMs, deliver ephemeral events, etc. — so a signer can serve NIP-46 over such relays.
    • nip42.authEvent(...) builds and signs the kind:22242 event (a relay tag + the relay's challenge, empty content).
    • message.zig parses the relay's ["AUTH", <challenge>] into a new RelayMessage.auth variant (it previously returned InvalidMessage, which dropped the connection); encodeAuth emits the client's ["AUTH", <event>] reply; Connection.authenticate / Relay.authenticate send it.

Fixed

  • The WebSocket opening handshake now includes a non-default port in the Host header (RFC 9110 §7.2): Host: relay.example.com:8443, not Host: relay.example.com. Relays that derive their canonical URL from Host compare it against a NIP-42 auth event's relay tag; omitting the port made them mismatch and reject the authentication. Default ports (80/443) stay omitted, so standard ws:///wss:// relays are unaffected. Adds relay.Url.hostHeader.

Verified live against a relay requiring NIP-42 (nak serve --auth --eager-auth): the signer answers the challenge, is accepted, re-subscribes, and a full NIP-46 round-trip completes — the client receives a valid signed event (nak verify clean).

Full changelog: https://github.com/zig-nostr/nostr/blob/main/CHANGELOG.md