registration: avoid extra request that ends with HTTP 401 #53
Description
AutoTLS registration API is robust and works fine, but perhaps we could optimize the golden path?
Current flow
- libp2p identify checker at
registration.libp2p.directbackend is effectively load-balanced amond multiple nodes, each with own PeerID - HTTP API at
registration.libp2p.direct/v1/_acme-challengeimplements HTTP PeerID Auth from libp2p spec here - registration requires client to send two requests:
- First errors (HTTP 401) and allows client to learn about PeerID from
WWW-Authenticate: libp2p-PeerID [...] public-key=...header - Second request uses the PeerID from HTTP 401 response (
public-key) and this one is the real one that returns HTTP 200
- First errors (HTTP 401) and allows client to learn about PeerID from
This means 50% of requests are HTTP 401s (blue in pie chart):
Improvement ideas
(A) "well-known peerid"→ avoid entire request
👉 Are we able to remove the need for first request that always ends with HTTP 401 and cut the number of registration requests by 50%?
My understanding is that the AutoTLS feature does not care about the PeerID of the libp2p.direct backend being globally unique or even being a secret (node does not participate in DHT / swarm, and only performs direct dial to multiaddrs sent to registration API).
👉 👉 Could all backend nodes use the same static PeerID that is generated from the domain (libp2p.direct) as a seed, and make p2p-forge/client attempt registration with that knowledge to avoid 401?
(B) use HEAD → avoid sending body
We could return WWW-Authenticate: libp2p-PeerID public-key=.. in HEAD response, which would save client from signing and sending payload twice + we could filter out HEAD requests and only lok at POST ones.
cc @aschmahmann @MarcoPolo @sukunrt @achingbrain for feedback