From a183ab0768e6fd29475626724f32931925fdd6b7 Mon Sep 17 00:00:00 2001 From: fiatjaf Date: Wed, 15 May 2024 16:13:12 -0300 Subject: [PATCH] nip46: pass secret to authorize functions. --- nip46/create_account.go | 14 +++++++------- nip46/dynamic-signer.go | 18 +++++++++++------- nip46/static-key-signer.go | 8 ++++++-- 3 files changed, 24 insertions(+), 16 deletions(-) diff --git a/nip46/create_account.go b/nip46/create_account.go index ceed303..3ecc18d 100644 --- a/nip46/create_account.go +++ b/nip46/create_account.go @@ -30,15 +30,15 @@ func CreateAccount( pool *nostr.SimplePool, extraOpts *CreateAccountOptions, onAuth func(string), -) (*BunkerClient, error) { +) (*BunkerClient, []string, error) { if pool == nil { pool = nostr.NewSimplePool(ctx) } // create a bunker that targets the provider directly - providerPubkey, relays, err := queryWellKnownNostrJson(ctx, domain) + providerPubkey, relays, err := queryWellKnownNostrJson(ctx, "_@"+domain) if err != nil { - return nil, err + return nil, nil, err } bunker := NewBunker( @@ -52,7 +52,7 @@ func CreateAccount( _, err = bunker.RPC(ctx, "connect", []string{providerPubkey, ""}) if err != nil { - return nil, fmt.Errorf("initial connect error: %w", err) + return nil, relays, fmt.Errorf("initial connect error: %w", err) } // call create_account on it, it should return the value of the public key that will be created @@ -62,7 +62,7 @@ func CreateAccount( } resp, err := bunker.RPC(ctx, "create_account", []string{name, domain, email}) if err != nil { - return nil, fmt.Errorf("error on create_account: %w", err) + return nil, relays, fmt.Errorf("error on create_account: %w", err) } newlyCreatedPublicKey := resp 
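Review bot: The new `[]string` result of CreateAccount is not documented in this hunk, and its meaning depends on the return path: it is nil when queryWellKnownNostrJson fails, and it is the discovered relay list on every later return, including the error returns in the @@ -52 and @@ -62 hunks. The doc comment for CreateAccount sits above this hunk, so it should gain a sentence such as `// The second result is the provider relay list discovered for the domain; it is nil only when that lookup fails and is still returned alongside a non-nil error from later steps.` The body of CreateAccount continues past the end of this hunk.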
@@ -75,8 +75,8 @@ func CreateAccount( // finally try to connect again using the new key as the target _, err = bunker.RPC(ctx, "connect", []string{newlyCreatedPublicKey, ""}) if err != nil { - return nil, fmt.Errorf("newly-created public key connect error: %w", err) + return bunker, relays, fmt.Errorf("newly-created public key connect error: %w", err) } - return bunker, err + return bunker, relays, err } diff --git a/nip46/dynamic-signer.go b/nip46/dynamic-signer.go index 8a82545..07a372a 100644 --- a/nip46/dynamic-signer.go +++ b/nip46/dynamic-signer.go @@ -24,16 +24,16 @@ type DynamicSigner struct { RelaysToAdvertise map[string]RelayReadWrite getPrivateKey func(pubkey string) (string, error) - authorizeSigning func(event nostr.Event) bool + authorizeSigning func(event nostr.Event, from string, secret string) bool onEventSigned func(event nostr.Event) - authorizeEncryption func() bool + authorizeEncryption func(from string, secret string) bool } func NewDynamicSigner( getPrivateKey func(pubkey string) (string, error), - authorizeSigning func(event nostr.Event) bool, + authorizeSigning func(event nostr.Event, from string, secret string) bool, onEventSigned func(event nostr.Event), - authorizeEncryption func() bool, + authorizeEncryption func(from string, secret string) bool, ) DynamicSigner { return DynamicSigner{ getPrivateKey: getPrivateKey, @@ -112,11 +112,15 @@ func (p *DynamicSigner) HandleRequest(event *nostr.Event) ( } } + var secret string var result string var resultErr error switch req.Method { case "connect": + if len(req.Params) >= 2 { + secret = req.Params[1] + } result = "ack" case "get_public_key": result = targetPubkey @@ -131,7 +135,7 @@ func (p *DynamicSigner) HandleRequest(event *nostr.Event) ( resultErr = fmt.Errorf("failed to decode event/2: %w", err) break } - if !p.authorizeSigning(evt) { + if !p.authorizeSigning(evt, event.PubKey, secret) { resultErr = fmt.Errorf("refusing to sign this event") break } 
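Review bot: `return bunker, relays, err` on the last line of this hunk can only execute with err == nil, because the preceding `if err != nil` returns on any error, so it should read `return bunker, relays, nil` to make the success path explicit. The error return just above it now hands back a non-nil *BunkerClient together with an error, which departs from the usual convention that the value is meaningless when err != nil; if callers are meant to keep using that bunker after a failed connect, CreateAccount's doc comment should say so, otherwise return nil there. CreateAccount's body starts before this hunk.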
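Review bot: In DynamicSigner.HandleRequest the `secret` captured in the `connect` case never reaches an authorize callback: it is a local assigned only inside that case, the switch does not fall through, and its only readers are `p.authorizeSigning(evt, event.PubKey, secret)` in the @@ -131 hunk and the two `p.authorizeEncryption(event.PubKey, secret)` calls in the @@ -155 and @@ -189 hunks, all of which live in other cases and therefore always receive "". As written, the new parameter cannot gate signing or encryption, which is what the commit title says it is for. Either consult an authorization hook inside the `connect` case itself, or persist the secret per remote pubkey on the signer (a mutex-guarded `map[string]string` keyed by `event.PubKey`, written on connect and read before the switch) so that later requests from the same client are checked against it. Whichever route is taken, callbacks that compare the secret should use `subtle.ConstantTimeCompare` rather than `==`. HandleRequest starts before this hunk and the switch continues past it.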
@@ -155,7 +159,7 @@ func (p *DynamicSigner) HandleRequest(event *nostr.Event) ( resultErr = fmt.Errorf("first argument to 'nip04_encrypt' is not a pubkey string") break } - if !p.authorizeEncryption() { + if !p.authorizeEncryption(event.PubKey, secret) { resultErr = fmt.Errorf("refusing to encrypt") break } @@ -189,7 +193,7 @@ func (p *DynamicSigner) HandleRequest(event *nostr.Event) ( resultErr = fmt.Errorf("first argument to 'nip04_decrypt' is not a pubkey string") break } - if !p.authorizeEncryption() { + if !p.authorizeEncryption(event.PubKey, secret) { resultErr = fmt.Errorf("refusing to decrypt") break } diff --git a/nip46/static-key-signer.go b/nip46/static-key-signer.go index b6421a8..68b79b1 100644 --- a/nip46/static-key-signer.go +++ b/nip46/static-key-signer.go @@ -24,7 +24,7 @@ type StaticKeySigner struct { sync.Mutex RelaysToAdvertise map[string]RelayReadWrite - AuthorizeRequest func(harmless bool, from string) bool + AuthorizeRequest func(harmless bool, from string, secret string) bool } func NewStaticKeySigner(secretKey string) StaticKeySigner { @@ -92,12 +92,16 @@ func (p *StaticKeySigner) HandleRequest(event *nostr.Event) ( return req, resp, eventResponse, fmt.Errorf("error parsing request: %w", err) } + var secret string var harmless bool var result string var resultErr error switch req.Method { case "connect": + if len(req.Params) >= 2 { + secret = req.Params[1] + } result = "ack" harmless = true case "get_public_key": @@ -197,7 +201,7 @@ func (p *StaticKeySigner) HandleRequest(event *nostr.Event) ( } if resultErr == nil && p.AuthorizeRequest != nil { - if !p.AuthorizeRequest(harmless, event.PubKey) { + if !p.AuthorizeRequest(harmless, event.PubKey, secret) { resultErr = fmt.Errorf("unauthorized") } }
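Review bot: In StaticKeySigner.HandleRequest the `secret` passed to `p.AuthorizeRequest(harmless, event.PubKey, secret)` in the @@ -197 hunk is non-empty only when req.Method is "connect", since the @@ -92 hunk assigns it solely in that case; for every other method the callback receives "", so an implementation cannot verify the secret per request and must instead remember the remote pubkey it accepted at connect time. That contract is not visible from the exported field changed in the @@ -24 hunk, which has no doc comment; add one such as `// AuthorizeRequest, when set, is consulted for every request; secret is the second "connect" parameter and is empty for all other methods.` Implementations that compare the secret should use `subtle.ConstantTimeCompare` rather than `==`. HandleRequest starts before these hunks.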