coracle
coracle copied to clipboard
NIP-96 Upload Auth header has an invalid `payload` tag
If you inspect the Auth header coracle sends for NIP-96 uploads, you'll see that the payload
tag does not change for different files. It is always 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
(which happens to be sha256("{}")
)
This is because the body
passed to nip98Fetch()
in commands.ts is a FormData
which stringifies to "{}"
Evidently, nostr.build (and other?) NIP-96 servers are not checking the payload
tag, because this doesn't appear to cause an issue.
Furthermore, what the payload
tag should actually be, appears ambiguous (to me).
See https://github.com/nostr-protocol/nips/issues/1376 for details.