Skip to content

Commit 8ce90d4

Browse files
committed
document ohttp relay best practice in payjoin lib
1 parent 647d55d commit 8ce90d4

1 file changed

Lines changed: 30 additions & 0 deletions

File tree

payjoin/src/core/io.rs

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,34 @@
11
//! IO-related types and functions. Specifically, fetching OHTTP keys from a payjoin directory.
2+
//!
3+
//! When multiple relays are configured, callers **should pick one at random per request**
4+
//! to avoid a fixed contact pattern at the network layer. The POST request (immediate
5+
//! response) and the GET requests (typically several 30-second responses followed by one
6+
//! shorter but likely non-immediate response) of a single client follow a temporal pattern
7+
//! that is different for the sender and the receiver (poll followed by post for receiver,
8+
//! post followed by poll for sender). OHTTP does not hide the client IP from the relay,
9+
//! which lets the relay link this information of "likely sender" or "likely receiver" to
10+
//! the IP address, which can reveal information like geographic location in some cases, or
11+
//! be linkable to personally identifying information. Due to the temporal pattern of the
12+
//! session as a whole, the relay may be able to narrow down to a list of candidate
13+
//! transactions, and then narrow those down further to those whose likely sender or
14+
//! receiver, assuming they are payjoin transactions, matches the fingerprint of the IP
15+
//! address.
16+
//!
17+
//! ## Health checks
18+
//!
19+
//! Some clients call [`fetch_ohttp_keys`] periodically to verify that the
20+
//! directory and relay infrastructure is reachable. Given the threat model
21+
//! above, this is acceptable only when:
22+
//!
23+
//! - The call is **not** triggered automatically on every app startup.
24+
//! Prefer triggering on user action (e.g. opening a settings/status
25+
//! screen) or piggybacking on operations the user already initiated
26+
//! (e.g. resuming an existing session).
27+
//! - The call is rate-limited so it does not produce a recurring timing
28+
//! pattern observable by the relay.
29+
//!
30+
//! A health check leaks the same metadata as a real payjoin request.
31+
//! Treat its frequency as part of your privacy budget.
232
use std::time::Duration;
333

434
use http::header::ACCEPT;

0 commit comments

Comments
 (0)