|
1 | 1 | //! IO-related types and functions. Specifically, fetching OHTTP keys from a payjoin directory. |
| 2 | +//! |
| 3 | +//! When multiple relays are configured, callers **should pick one at random per request** |
| 4 | +//! to avoid a fixed contact pattern at the network layer. |
| 5 | +//! |
| 6 | +//! Sender and receiver have distinct request patterns: |
| 7 | +//! - Receiver: long-poll GETs, then a POST |
| 8 | +//! - Sender: a POST, then long-poll GETs |
| 9 | +//! |
| 10 | +//! OHTTP does not hide the client IP from the relay. A relay that sees the same |
| 11 | +//! client repeatedly can observe its access patterns to infer whether |
| 12 | +//! the IP is associated with a sender or receiver, potentially linking to identity or |
| 13 | +//! location. Based on when a session ends it may be easier to correctly guess |
| 14 | +//! whether a transaction is a PayJoin. The IP address linked information may |
| 15 | +//! additionally aid in cluster analysis, for example whether a cluster's temporal |
| 16 | +//! patterns are consistent with a location guess for the IP address. |
| 17 | +//! |
| 18 | +//! ## Health checks |
| 19 | +//! |
| 20 | +//! Some clients call [`fetch_ohttp_keys`] periodically to verify that the |
| 21 | +//! directory and relay infrastructure is reachable. Given the threat model |
| 22 | +//! above, this is acceptable only when: |
| 23 | +//! |
| 24 | +//! - The call is **not** triggered on any deterministic, recurring event |
| 25 | +//! (e.g. app startup, periodic timer). Prefer user-initiated actions |
| 26 | +//! (e.g. opening a settings/status screen) or piggybacking on operations |
| 27 | +//! the user already triggered (e.g. resuming an existing session). |
| 28 | +//! - The caller throttles invocations so they don't produce a recurring |
| 29 | +//! timing pattern observable by the relay. |
| 30 | +//! |
| 31 | +//! A health check has a distinct traffic pattern from a real payjoin request |
| 32 | +//! and is not temporally tied to any onchain broadcast, but repeated calls |
| 33 | +//! still expose the client IP to the relay. |
2 | 34 | use std::time::Duration; |
3 | 35 |
|
4 | 36 | use http::header::ACCEPT; |
|
0 commit comments