Skip to content

Commit 018314a

Browse files
committed
document ohttp relay best practice in payjoin lib
1 parent db7db24 commit 018314a

1 file changed

Lines changed: 29 additions & 0 deletions

File tree

payjoin/src/core/io.rs

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,33 @@
11
//! IO-related types and functions. Specifically, fetching OHTTP keys from a payjoin directory.
2+
//!
3+
//! When multiple relays are configured, callers **should pick one at random per request**
4+
//! to avoid a fixed contact pattern at the network layer.
5+
//!
6+
//! Sender and receiver have distinct request patterns:
7+
//! - Receiver: long-poll GETs, then a POST
8+
//! - Sender: a POST, then long-poll GETs
9+
//!
10+
//! OHTTP does not hide the client IP from the relay. A relay that sees the same
11+
//! client repeatedly can correlate these patterns with the IP to infer whether
12+
//! the IP is acting as sender or receiver, potentially linking to identity or
13+
//! location. Across a full session, a relay may narrow down to candidate
14+
//! transactions and match the sender/receiver role fingerprint against the IP.
15+
//!
16+
//! ## Health checks
17+
//!
18+
//! Some clients call [`fetch_ohttp_keys`] periodically to verify that the
19+
//! directory and relay infrastructure is reachable. Given the threat model
20+
//! above, this is acceptable only when:
21+
//!
22+
//! - The call is **not** triggered on any deterministic, recurring event
23+
//! (e.g. app startup, periodic timer). Prefer user-initiated actions
24+
//! (e.g. opening a settings/status screen) or piggybacking on operations
25+
//! the user already triggered (e.g. resuming an existing session).
26+
//! - The caller throttles invocations so they don't produce a recurring
27+
//! timing pattern observable by the relay.
28+
//!
29+
//! A health check leaks the same metadata as a real payjoin request.
30+
//! Treat its frequency as part of your privacy budget.
231
use std::time::Duration;
332

433
use http::header::ACCEPT;

0 commit comments

Comments
 (0)