bad_nonce_len

Diagnostic `nanook::auth::bad_nonce_len`

Summary

ed25519 nonce must be 32 bytes (got {0})

Help

clients must include a fresh 32-byte nonce on every request

Details

When this fires

The x-nanook-nonce header decoded as base64 cleanly, but the raw bytes were not exactly 32 long. The verifier in nanook-auth::signing requires every request to carry a fresh 32-byte nonce so it can dedupe replays in its in-memory ring. The reported length is what the client actually sent. Almost always this is a third-party client bug, not a config issue: stock nanook ctl always emits the right size.

What to check

Generate the nonce as 32 random bytes (getrandom or equivalent), then base64-encode without truncation.
Check no proxy is rewriting the x-nanook-nonce header.
nanook ctl gets this right by construction.