René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Implement Automatic NIP-98 HTTP Authentication","articleBody":"## Overview\n\nCurrently, Podkey provides NIP-07 `window.nostr` API for websites to manually create and sign NIP-98 auth events, but it does **not automatically intercept HTTP requests** to add NIP-98 Authorization headers. This issue tracks the implementation of automatic NIP-98 authentication for Solid servers and other Nostr-authenticated HTTP endpoints.\n\n## Current State\n\n- ✅ Extension has `webRequest` permission in `manifest.json`\n- ✅ Extension can sign NIP-98 events (kind 27235) via `window.nostr.signEvent()`\n- ✅ Auto-sign functionality exists for trusted origins\n- ❌ **No automatic HTTP request interception**\n- ❌ **No automatic 401 response detection and retry**\n- ❌ **No automatic Authorization header injection**\n\n## NIP-98 Specification Reference\n\n**Specification:** https://github.com/nostr-protocol/nips/blob/master/98.md\n\n### Event Structure\n\n```json\n{\n  \"kind\": 27235,\n  \"content\": \"\",\n  \"tags\": [\n    [\"u\", \"https://example.com/api/resource?query=value\"],\n    [\"method\", \"GET\"]\n  ],\n  \"created_at\": 1682327852\n}\n```\n\n### Authorization Header Format\n\n```\nAuthorization: Nostr \u003cbase64-encoded-signed-event\u003e\n```\n\n### For Requests with Body (POST, PUT, etc.)\n\nInclude a `payload` tag with SHA-256 hash of the request body.\n\n## Implementation Requirements\n\n### 1. HTTP Request Interception\n\n**Location:** `src/background.js`\n\n- Use `chrome.webRequest.onBeforeSendHeaders` to intercept outgoing requests\n- Filter requests to origins that are trusted or are known Solid servers\n- Only intercept requests to origins that have been trusted or are known Solid servers\n- Don't intercept requests that already have an `Authorization` header (unless it's a retry)\n- Cache signed auth events per request URL+method to avoid re-signing identical requests\n\n### 2. 401 Response Detection and Retry\n\n**Location:** `src/background.js`\n\n- Use `chrome.webRequest.onHeadersReceived` to detect 401 responses\n- When 401 is detected:\n  1. Check if origin is trusted\n  2. Create NIP-98 auth event for the failed request\n  3. Sign the event using existing `signEvent()` function\n  4. Retry the original request with `Authorization: Nostr \u003cbase64-event\u003e` header\n\n**Retry Logic:**\n- Only retry on **401 Unauthorized** responses\n- Consider **403 Forbidden** if it's auth-related (optional, may need user preference)\n- **Do NOT retry** on other 4xx errors (404, 400, etc.) - these are not auth issues\n- Limit retry attempts (max 1 retry per request to avoid loops)\n- Track retry state to prevent infinite loops\n\n### 3. NIP-98 Event Creation\n\n**Location:** `src/background.js` (new function)\n\n```javascript\nasync function createNip98AuthEvent(requestDetails) {\n  const event = {\n    kind: 27235,\n    content: '',\n    created_at: Math.floor(Date.now() / 1000),\n    tags: [\n      ['u', requestDetails.url],\n      ['method', requestDetails.method]\n    ]\n  };\n  \n  // If request has body, add payload tag\n  if (requestDetails.requestBody) {\n    const bodyHash = await hashRequestBody(requestDetails.requestBody);\n    event.tags.push(['payload', bodyHash]);\n  }\n  \n  return event;\n}\n```\n\n### 4. Request Body Hashing\n\n- For requests with body (POST, PUT, PATCH), compute SHA-256 hash\n- Use existing `@noble/hashes` library\n- Handle different body formats: FormData, ArrayBuffer, Blob, string\n\n### 5. Base64 Encoding\n\n- Encode signed event JSON to base64\n- Format: `Authorization: Nostr \u003cbase64-string\u003e`\n\n### 6. User Preferences\n\n- Add setting: \"Auto-authenticate HTTP requests\" (separate from event auto-sign)\n- Add setting: \"Retry on 403 Forbidden\" (optional, default false)\n- Respect existing `getAutoSign()` preference\n\n## Code Structure\n\n### WebRequest Listeners\n\n```javascript\n// Intercept outgoing requests\nchrome.webRequest.onBeforeSendHeaders.addListener(\n  interceptRequest,\n  {\n    urls: ['\u003call_urls\u003e'],\n    types: ['xmlhttprequest', 'main_frame', 'sub_frame']\n  },\n  ['requestHeaders', 'blocking']\n);\n\n// Detect 401 responses\nchrome.webRequest.onHeadersReceived.addListener(\n  handle401Response,\n  {\n    urls: ['\u003call_urls\u003e'],\n    types: ['xmlhttprequest', 'main_frame', 'sub_frame']\n  },\n  ['responseHeaders']\n);\n```\n\n## Edge Cases\n\n1. **Request Body Handling:** Different formats (FormData, Blob, ArrayBuffer, string)\n2. **URL Normalization:** Ensure `u` tag matches exactly what server expects\n3. **Timing:** `created_at` should be recent (within 60 seconds typically)\n4. **Caching:** Cache signed events per (URL, method, bodyHash) tuple\n5. **Security:** Only auto-auth for trusted origins\n6. **Performance:** Minimize blocking operations\n7. **Error Handling:** Handle signing failures gracefully\n\n## Acceptance Criteria\n\n- [ ] Extension automatically adds NIP-98 Authorization header to requests from trusted origins\n- [ ] Extension detects 401 responses and retries with NIP-98 auth\n- [ ] NIP-98 events are correctly formatted per specification\n- [ ] Request bodies are hashed and included in `payload` tag when present\n- [ ] Only 401 (and optionally 403) responses trigger retry\n- [ ] User preferences (auto-sign, trusted origins) are respected\n- [ ] No infinite retry loops\n- [ ] Works with GET, POST, PUT, DELETE, PATCH methods\n- [ ] Handles various request body formats correctly\n- [ ] Unit tests pass\n- [ ] Integration tests pass\n\n## References\n\n- [NIP-98 Specification](https://github.com/nostr-protocol/nips/blob/master/98.md)\n- [Chrome WebRequest API](https://developer.chrome.com/docs/extensions/reference/webRequest/)\n- [Solid Project Authentication](https://solidproject.org/TR/oidc)","author":{"url":"https://github.com/melvincarvalho","@type":"Person","name":"melvincarvalho"},"datePublished":"2026-01-05T17:17:02.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/1/podkey/issues/1"}