|
1 | 1 | //! IO-related types and functions. Specifically, fetching OHTTP keys from a payjoin directory. |
| 2 | +//! |
| 3 | +//! When multiple relays are configured, callers **should pick one at random per request** |
| 4 | +//! to avoid a fixed contact pattern at the network layer. |
| 5 | +//! |
| 6 | +//! Sender and receiver have distinct request patterns: |
| 7 | +//! - Receiver: long-poll GETs, then a POST |
| 8 | +//! - Sender: a POST, then long-poll GETs |
| 9 | +//! |
| 10 | +//! OHTTP does not hide the client IP from the relay. A relay that sees the same |
| 11 | +//! client repeatedly can correlate these patterns with the IP to infer whether |
| 12 | +//! the IP is acting as sender or receiver, potentially linking to identity or |
| 13 | +//! location. Across a full session, a relay may narrow down to candidate |
| 14 | +//! transactions and match the sender/receiver role fingerprint against the IP. |
| 15 | +//! |
| 16 | +//! ## Health checks |
| 17 | +//! |
| 18 | +//! Some clients call [`fetch_ohttp_keys`] periodically to verify that the |
| 19 | +//! directory and relay infrastructure is reachable. Given the threat model |
| 20 | +//! above, this is acceptable only when: |
| 21 | +//! |
| 22 | +//! - The call is **not** triggered on any deterministic, recurring event |
| 23 | +//! (e.g. app startup, periodic timer). Prefer user-initiated actions |
| 24 | +//! (e.g. opening a settings/status screen) or piggybacking on operations |
| 25 | +//! the user already triggered (e.g. resuming an existing session). |
| 26 | +//! - The caller throttles invocations so they don't produce a recurring |
| 27 | +//! timing pattern observable by the relay. |
| 28 | +//! |
| 29 | +//! A health check leaks the same metadata as a real payjoin request. |
| 30 | +//! Treat its frequency as part of your privacy budget. |
2 | 31 | use std::time::Duration; |
3 | 32 |
|
4 | 33 | use http::header::ACCEPT; |
|
0 commit comments