upleb.uk

Public git repos — served from a NIP-34 GRASP relay at git.upleb.uk

summaryrefslogtreecommitdiff
path: root/96.md
diff options
context:
space:
mode:
Diffstat (limited to '96.md')
-rw-r--r--96.md335
1 files changed, 335 insertions, 0 deletions
diff --git a/96.md b/96.md
new file mode 100644
index 0000000..be70999
--- /dev/null
+++ b/96.md
@@ -0,0 +1,335 @@
1# NIP-96
2
3## HTTP File Storage Integration
4
5`draft` `optional`
6
7## Introduction
8
9This NIP defines a REST API for HTTP file storage servers intended to be used in conjunction with the nostr network.
10The API will enable nostr users to upload files and later reference them by url on nostr notes.
11
12The spec DOES NOT use regular nostr events through websockets for
13storing, requesting nor retrieving data because, for simplicity, the server
14will not have to learn anything about nostr relays.
15
16## Server Adaptation
17
18File storage servers wishing to be accessible by nostr users should opt-in by making available an https route at `/.well-known/nostr/nip96.json` with `api_url`:
19
20```js
21{
22 // Required
23 // File upload and deletion are served from this url
24 // Also downloads if "download_url" field is absent or empty string
25 "api_url": "https://your-file-server.example/custom-api-path",
26 // Optional
27 // If absent, downloads are served from the api_url
28 "download_url": "https://a-cdn.example/a-path",
29 // Optional
30 // Note: This field is not meant to be set by HTTP Servers.
31 // Use this if you are a nostr relay using your /.well-known/nostr/nip96.json
32 // just to redirect to someone else's http file storage server's /.well-known/nostr/nip96.json
33 // In this case, "api_url" field must be an empty string
34 "delegated_to_url": "https://your-file-server.example",
35 // Optional
36 "supported_nips": [60],
37 // Optional
38 "tos_url": "https://your-file-server.example/terms-of-service",
39 // Optional
40 "content_types": ["image/jpeg", "video/webm", "audio/*"],
41 // Optional
42 "plans": {
43 // "free" is the only standardized plan key and
44 // clients may use its presence to learn if server offers free storage
45 "free": {
46 "name": "Free Tier",
47 // Default is true
48 // All plans MUST support NIP-98 uploads
49 // but some plans may also allow uploads without it
50 "is_nip98_required": true,
51 "url": "https://...", // plan's landing page if there is one
52 "max_byte_size": 10485760,
53 // Range in days / 0 for no expiration
54 // [7, 0] means it may vary from 7 days to unlimited persistence,
55 // [0, 0] means it has no expiration
56 // early expiration may be due to low traffic or any other factor
57 "file_expiration": [14, 90],
58 "media_transformations": {
59 "image": [
60 'resizing'
61 ]
62 }
63 }
64 }
65}
66```
67
68### Relay Hints
69
70Note: This section is not meant to be used by HTTP Servers.
71
72A nostr relay MAY redirect to someone else's HTTP file storage server by
73adding a `/.well-known/nostr/nip96.json` with "delegated_to_url" field
74pointing to the url where the server hosts its own
75`/.well-known/nostr/nip96.json`. In this case, the "api_url" field must
76be an empty string and all other fields must be absent.
77
78If the nostr relay is also an HTTP file storage server,
79it must use the "api_url" field instead.
80
81### List of Supporting File Storage Servers
82
83See https://github.com/aljazceru/awesome-nostr#nip-96-file-storage-servers.
84
85## Auth
86
87When indicated, `clients` must add an [NIP-98](98.md) `Authorization` header (**optionally** with the encoded `payload` tag set to the base64-encoded 256-bit SHA-256 hash of the file - not the hash of the whole request body).
88
89## Upload
90
91`POST $api_url` as `multipart/form-data`.
92
93**AUTH required**
94
95List of form fields:
96
97- `file`: **REQUIRED** the file to upload
98- `caption`: **RECOMMENDED** loose description;
99- `expiration`: UNIX timestamp in seconds. Empty string if file should be stored forever. The server isn't required to honor this.
100- `size`: File byte size. This is just a value the server can use to reject early if the file size exceeds the server limits.
101- `alt`: **RECOMMENDED** strict description text for visibility-impaired users.
102- `media_type`: "avatar" or "banner". Informs the server if the file will be used as an avatar or banner. If absent, the server will interpret it as a normal upload, without special treatment.
103- `content_type`: mime type such as "image/jpeg". This is just a value the server can use to reject early if the mime type isn't supported.
104- `no_transform`: "true" asks server not to transform the file and serve the uploaded file as is, may be rejected.
105
106Others custom form data fields may be used depending on specific `server` support.
107The `server` isn't required to store any metadata sent by `clients`.
108
109The `filename` embedded in the file may not be honored by the `server`, which could internally store just the SHA-256 hash value as the file name, ignoring extra metadata.
110The hash is enough to uniquely identify a file, that's why it will be used on the `download` and `delete` routes.
111
112The `server` MUST link the user's `pubkey` string as the owner of the file so to later allow them to delete the file.
113
114`no_transform` can be used to replicate a file to multiple servers for redundancy, clients can use the [server list](#selecting-a-server) to find alternative servers which might contain the same file. When uploading a file and requesting `no_transform` clients should check that the hash matches in the response in order to detect if the file was modified.
115
116### Response codes
117
118- `200 OK`: File upload exists, but is successful (Existing hash)
119- `201 Created`: File upload successful (New hash)
120- `202 Accepted`: File upload is awaiting processing, see [Delayed Processing](#delayed-processing) section
121- `413 Payload Too Large`: File size exceeds limit
122- `400 Bad Request`: Form data is invalid or not supported.
123- `403 Forbidden`: User is not allowed to upload or the uploaded file hash didnt match the hash included in the `Authorization` header `payload` tag.
124- `402 Payment Required`: Payment is required by the server, **this flow is undefined**.
125
126The upload response is a json object as follows:
127
128```js
129{
130 // "success" if successful or "error" if not
131 status: "success",
132 // Free text success, failure or info message
133 message: "Upload successful.",
134 // Optional. See "Delayed Processing" section
135 processing_url: "...",
136 // This uses the NIP-94 event format but DO NOT need
137 // to fill some fields like "id", "pubkey", "created_at" and "sig"
138 //
139 // This holds the download url ("url"),
140 // the ORIGINAL file hash before server transformations ("ox")
141 // and, optionally, all file metadata the server wants to make available
142 //
143 // nip94_event field is absent if unsuccessful upload
144 nip94_event: {
145 // Required tags: "url" and "ox"
146 tags: [
147 // Can be same from /.well-known/nostr/nip96.json's "download_url" field
148 // (or "api_url" field if "download_url" is absent or empty) with appended
149 // original file hash.
150 //
151 // Note we appended .png file extension to the `ox` value
152 // (it is optional but extremely recommended to add the extension as it will help nostr clients
153 // with detecting the file type by using regular expression)
154 //
155 // Could also be any url to download the file
156 // (using or not using the /.well-known/nostr/nip96.json's "download_url" prefix),
157 // for load balancing purposes for example.
158 ["url", "https://your-file-server.example/custom-api-path/719171db19525d9d08dd69cb716a18158a249b7b3b3ec4bbdec5698dca104b7b.png"],
159 // SHA-256 hash of the ORIGINAL file, before transformations.
160 // The server MUST store it even though it represents the ORIGINAL file because
161 // users may try to download/delete the transformed file using this value
162 ["ox", "719171db19525d9d08dd69cb716a18158a249b7b3b3ec4bbdec5698dca104b7b"],
163 // Optional. SHA-256 hash of the saved file after any server transformations.
164 // The server can but does not need to store this value.
165 ["x", "543244319525d9d08dd69cb716a18158a249b7b3b3ec4bbde5435543acb34443"],
166 // Optional. Recommended for helping clients to easily know file type before downloading it.
167 ["m", "image/png"]
168 // Optional. Recommended for helping clients to reserve an adequate UI space to show the file before downloading it.
169 ["dim", "800x600"]
170 // ... other optional NIP-94 tags
171 ],
172 content: ""
173 },
174 // ... other custom fields (please consider adding them to this NIP or to NIP-94 tags)
175}
176```
177
178Note that if the server didn't apply any transformation to the received file, both `nip94_event.tags.*.ox` and `nip94_event.tags.*.x` fields will have the same value. The server MUST link the saved file to the SHA-256 hash of the **original** file before any server transformations (the `nip94_event.tags.*.ox` tag value). The **original** file's SHA-256 hash will be used to identify the saved file when downloading or deleting it.
179
180`clients` may upload the same file to one or many `servers`.
181After successful upload, the `client` may optionally generate and send to any set of nostr `relays` a [NIP-94](94.md) event by including the missing fields.
182
183Alternatively, instead of using NIP-94, the `client` can share or embed on a nostr note just the above url.
184
185`clients` may also use the tags from the `nip94_event` to construct an `imeta` tag
186
187### Delayed Processing
188
189Sometimes the server may want to place the uploaded file in a processing queue for deferred file processing.
190
191In that case, the server MUST serve the original file while the processing isn't done, then swap the original file for the processed one when the processing is over. The upload response is the same as usual but some optional metadata like `nip94_event.tags.*.x` and `nip94_event.tags.*.size` won't be available.
192
193The expected resulting metadata that is known in advance should be returned on the response.
194For example, if the file processing would change a file from "jpg" to "webp",
195use ".webp" extension on the `nip94_event.tags.*.url` field value and set "image/webp" to the `nip94_event.tags.*.m` field.
196If some metadata are unknown before processing ends, omit them from the response.
197
198The upload response MAY include a `processing_url` field informing a temporary url that may be used by clients to check if
199the file processing is done.
200
201If the processing isn't done, the server should reply at the `processing_url` url with **200 OK** and the following JSON:
202
203```
204{
205 // It should be "processing". If "error" it would mean the processing failed.
206 status: "processing",
207 message: "Processing. Please check again later for updated status.",
208 percentage: 15 // Processing percentage. An integer between 0 and 100.
209}
210```
211
212When the processing is over, the server replies at the `processing_url` url with **201 Created** status and a regular successful JSON response already mentioned before (now **without** a `processing_url` field), possibly including optional metadata at `nip94_event.tags.*` fields
213that weren't available before processing.
214
215### File compression
216
217File compression and other transformations like metadata stripping can be applied by the server.
218However, for all file actions, such as download and deletion, the **original** file SHA-256 hash is what identifies the file in the url string.
219
220## Download
221
222`GET $api_url/<sha256-hash>(.ext)`
223
224The primary file download url informed at the upload's response field `nip94_event.tags.*.url`
225can be that or not (it can be any non-standard url the server wants).
226If not, the server still MUST also respond to downloads at the standard url
227mentioned on the previous paragraph, to make it possible for a client
228to try downloading a file on any NIP-96 compatible server by knowing just the SHA-256 file hash.
229
230Note that the "\<sha256-hash\>" part is from the **original** file, **not** from the **transformed** file if the uploaded file went through any server transformation.
231
232Supporting ".ext", meaning "file extension", is required for `servers`. It is optional, although recommended, for `clients` to append it to the path.
233When present it may be used by `servers` to know which `Content-Type` header to send (e.g.: "Content-Type": "image/png" for ".png" extension).
234The file extension may be absent because the hash is the only needed string to uniquely identify a file.
235
236Example: `$api_url/719171db19525d9d08dd69cb716a18158a249b7b3b3ec4bbdec5698dca104b7b.png`
237
238### Media Transformations
239
240`servers` may respond to some media transformation query parameters and ignore those they don't support by serving
241the original media file without transformations.
242
243#### Image Transformations
244
245##### Resizing
246
247Upon upload, `servers` may create resized image variants, such as thumbnails, respecting the original aspect ratio.
248`clients` may use the `w` query parameter to request an image version with the desired pixel width.
249`servers` can then serve the variant with the closest width to the parameter value
250or an image variant generated on the fly.
251
252Example: `$api_url/<sha256-hash>.png?w=32`
253
254## Deletion
255
256`DELETE $api_url/<sha256-hash>(.ext)`
257
258**AUTH required**
259
260Note that the `/<sha256-hash>` part is from the **original** file, **not** from the **transformed** file if the uploaded file went through any server transformation.
261
262The extension is optional as the file hash is the only needed file identification.
263
264The `server` should reject deletes from users other than the original uploader with the appropriate http response code (403 Forbidden).
265
266It should be noted that more than one user may have uploaded the same file (with the same hash). In this case, a delete must not really delete the file but just remove the user's `pubkey` from the file owners list (considering the server keeps just one copy of the same file, because multiple uploads of the same file results
267in the same file hash).
268
269The successful response is a 200 OK one with just basic JSON fields:
270
271```
272{
273 status: "success",
274 message: "File deleted."
275}
276```
277
278## Listing files
279
280`GET $api_url?page=x&count=y`
281
282**AUTH required**
283
284Returns a list of files linked to the authenticated users pubkey.
285
286Example Response:
287
288```js
289{
290 "count": 1, // server page size, eg. max(1, min(server_max_page_size, arg_count))
291 "total": 1, // total number of files
292 "page": 0, // the current page number
293 "files": [
294 {
295 "tags": [
296 ["ox": "719171db19525d9d08dd69cb716a18158a249b7b3b3ec4bbdec5698dca104b7b"],
297 ["x": "5d2899290e0e69bcd809949ee516a4a1597205390878f780c098707a7f18e3df"],
298 ["size", "123456"],
299 ["alt", "a meme that makes you laugh"],
300 ["expiration", "1715691139"],
301 // ...other metadata
302 ]
303 "content": "haha funny meme", // caption
304 "created_at": 1715691130 // upload timestamp
305 },
306 ...
307 ]
308}
309```
310
311`files` contains an array of NIP-94 events
312
313### Query args
314
315- `page` page number (`offset=page*count`)
316- `count` number of items per page
317
318## Selecting a Server
319
320Note: HTTP File Storage Server developers may skip this section. This is meant for client developers.
321
322A File Server Preference event is a kind 10096 replaceable event meant to select one or more servers the user wants
323to upload files to. Servers are listed as `server` tags:
324
325```js
326{
327 // ...
328 "kind": 10096,
329 "content": "",
330 "tags": [
331 ["server", "https://file.server.one"],
332 ["server", "https://file.server.two"]
333 ]
334}
335```