Skip to content

Commit 9584ed3

Browse files
committed
document ohttp relay best practice in payjoin lib
1 parent db7db24 commit 9584ed3

1 file changed

Lines changed: 33 additions & 0 deletions

File tree

payjoin/src/core/io.rs

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,37 @@
11
//! IO-related types and functions. Specifically, fetching OHTTP keys from a payjoin directory.
2+
//!
3+
//! When multiple relays are configured, callers **should pick one at random per request**
4+
//! to avoid a fixed contact pattern at the network layer.
5+
//!
6+
//! Sender and receiver have distinct request patterns:
7+
//! - Receiver: long-poll GETs, then a POST
8+
//! - Sender: a POST, then long-poll GETs
9+
//!
10+
//! OHTTP does not hide the client IP from the relay. A relay that sees the same
11+
//! client repeatedly can observe its access patterns to infer whether
12+
//! the IP is associated with a sender or receiver, potentially linking to identity or
13+
//! location. Based on when a session ends it may be easier to correctly guess
14+
//! whether a transaction is a PayJoin. The IP address linked information may
15+
//! additionally aid in cluster analysis, for example whether a cluster's temporal
16+
//! patterns are consistent with a location guess for the IP address.
17+
//!
18+
//! ## Health checks
19+
//!
20+
//! Some clients call [`fetch_ohttp_keys`] periodically to verify that the
21+
//! directory and relay infrastructure is reachable. Given the threat model
22+
//! above, this is acceptable only when:
23+
//!
24+
//! - The call is **not** triggered on any deterministic, recurring event
25+
//! (e.g. app startup, periodic timer). Prefer user-initiated actions
26+
//! (e.g. opening a settings/status screen) or piggybacking on operations
27+
//! the user already triggered (e.g. resuming an existing session).
28+
//! - The caller throttles invocations so they don't produce a recurring
29+
//! timing pattern observable by the relay.
30+
//!
31+
//! A health check has a distinct traffic pattern from a real payjoin request
32+
//! and is not temporally tied to any onchain broadcast, but repeated calls
33+
//! still expose the client IP to the relay. Treat its frequency as part of
34+
//! your privacy budget.
235
use std::time::Duration;
336

437
use http::header::ACCEPT;

0 commit comments

Comments
 (0)