send ["OK",false,"auth-required: blah"] should be enough, i forget exactly, but the client has to expect that and queue the request to send it out after doing the auth and getting the OK true

i forget how the CLOSE envelope plays into it, but i do know that replicatr does it correctly, lemme dig it up...

no, it's CLOSED envelope:

https://github.com/Hubmakerlabs/replicatr/blob/main/app/auth.go

and then after that you send the AUTH envelope with the challenge to the client

and here is my client side code, this shoud help the client devs a bit at least:

this is a simple auth tester:

https://github.com/Hubmakerlabs/replicatr/blob/main/cmd/authr/authr.go

this shows how it's used in a client (this one can auth to two relays and pull from one and push to the other):

https://github.com/Hubmakerlabs/replicatr/blob/main/cmd/ingestr/app/ingest.go

of course nobody pays attention to me, but i've actually written both sides of it, fiatjaf wrote some fragments of parts of it but i wasn't able to find anything that actually demonstrated how to string it together

yes, this works with coracle btw on the client side

hell, replicatr works perfectly as a relay except after about 24 hours it has some weird resource leak that eats CPU that's why it isn't in production