coracle icon indicating copy to clipboard operation
coracle copied to clipboard

NIP-96 Upload Auth header has an invalid `payload` tag

Open Ademan opened this issue 7 months ago • 0 comments

If you inspect the Auth header coracle sends for NIP-96 uploads, you'll see that the payload tag does not change for different files. It is always 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a (which happens to be sha256("{}"))

This is because the body passed to nip98Fetch() in commands.ts is a FormData which stringifies to "{}"

Evidently, nostr.build (and other?) NIP-96 servers are not checking the payload tag, because this doesn't appear to cause an issue.

Furthermore, what the payload tag should actually be, appears ambiguous (to me).

See https://github.com/nostr-protocol/nips/issues/1376 for details.

Ademan avatar Jul 22 '24 17:07 Ademan