Skip to content

Commit d5580ab

Browse files
bc1cindybc1cindy
committed
Document OHTTP relay random selection guidance
Fixed relay order creates a fingerprintable pattern at the network layer even though OHTTP protects the user's IP. Document that callers SHOULD select relays randomly and track failed ones for resilience, following the existing RelayManager implementation in payjoin-cli. Closes #1328
1 parent a2173c8 commit d5580ab

2 files changed

Lines changed: 19 additions & 0 deletions

File tree

payjoin-cli/src/app/v2/ohttp.rs

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,15 @@ use anyhow::{anyhow, Result};
44

55
use super::Config;
66

7+
/// Manages OHTTP relay selection with privacy and resilience in mind.
8+
///
9+
/// Relays are selected randomly from the configured list to avoid creating
10+
/// a fingerprintable pattern at the network layer. Even though OHTTP protects
11+
/// the user's IP address, always contacting the same relay in the same order
12+
/// reveals metadata about the client's behavior.
13+
///
14+
/// Failed relays are tracked and excluded from future selections until
15+
/// the session is reset, providing resilience without sacrificing privacy.
716
#[derive(Debug, Clone)]
817
pub struct RelayManager {
918
selected_relay: Option<url::Url>,
@@ -46,6 +55,10 @@ pub(crate) async fn unwrap_ohttp_keys_or_else_fetch(
4655
}
4756
}
4857

58+
/// Fetches OHTTP keys using a randomly selected relay from the configured list.
59+
///
60+
/// Random relay selection prevents network-layer fingerprinting. See [`RelayManager`]
61+
/// for details on the selection and failure-tracking strategy.
4962
async fn fetch_ohttp_keys(
5063
config: &Config,
5164
directory: Option<url::Url>,

payjoin/src/core/io.rs

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,12 @@ use crate::OhttpKeys;
1313
/// directory. Proxying requests for ohttp keys ensures a client IP address is never revealed to
1414
/// the payjoin directory.
1515
///
16+
/// When multiple relays are available, callers SHOULD select one at random rather than
17+
/// always using the same relay. A fixed selection order creates a fingerprintable pattern
18+
/// at the network layer even though the IP is protected by OHTTP.
19+
/// See `payjoin-cli`'s `RelayManager` for a reference implementation that combines
20+
/// random selection with failed-relay tracking for resilience.
21+
///
1622
/// * `payjoin_directory`: The payjoin directory from which to fetch the ohttp keys. This
1723
/// directory stores and forwards payjoin client payloads.
1824
pub async fn fetch_ohttp_keys(

0 commit comments

Comments
 (0)