package nip46

import (


type BunkerClient struct {
	serial          atomic.Uint64
	clientSecretKey string
	pool            *nostr.SimplePool
	target          string
	relays          []string
	sharedSecret    []byte
	listeners       *xsync.MapOf[string, chan Response]
	expectingAuth   *xsync.MapOf[string, struct{}]
	idPrefix        string
	onAuth          func(string)

	// memoized
	getPublicKeyResponse string

// ConnectBunker establishes an RPC connection to a NIP-46 signer using the relays and secret provided in the bunkerURL.
// pool can be passed to reuse an existing pool, otherwise a new pool will be created.
func ConnectBunker(
	ctx context.Context,
	clientSecretKey string,
	bunkerURLOrNIP05 string,
	pool *nostr.SimplePool,
	onAuth func(string),
) (*BunkerClient, error) {
	parsed, err := url.Parse(bunkerURLOrNIP05)
	if err != nil {
		return nil, fmt.Errorf("invalid url: %w", err)

	// assume it's a bunker url (will fail later if not)
	secret := parsed.Query().Get("secret")
	relays := parsed.Query()["relay"]
	targetPublicKey := parsed.Host

	if parsed.Scheme == "" {
		// could be a NIP-05
		pubkey, relays_, err := queryWellKnownNostrJson(ctx, bunkerURLOrNIP05)
		if err != nil {
			return nil, fmt.Errorf("failed to query nip05: %w", err)
		targetPublicKey = pubkey
		relays = relays_
	} else if parsed.Scheme == "bunker" {
		// this is what we were expecting, so just move on
	} else {
		// otherwise fail here
		return nil, fmt.Errorf("wrong scheme '%s', must be bunker://", parsed.Scheme)
	if !nostr.IsValidPublicKey(targetPublicKey) {
		return nil, fmt.Errorf("'%s' is not a valid public key hex", targetPublicKey)

	bunker := NewBunker(

	_, err = bunker.RPC(ctx, "connect", []string{targetPublicKey, secret})
	return bunker, err

func NewBunker(
	ctx context.Context,
	clientSecretKey string,
	targetPublicKey string,
	relays []string,
	pool *nostr.SimplePool,
	onAuth func(string),
) *BunkerClient {
	if pool == nil {
		pool = nostr.NewSimplePool(ctx)

	clientPublicKey, _ := nostr.GetPublicKey(clientSecretKey)
	sharedSecret, _ := nip04.ComputeSharedSecret(targetPublicKey, clientSecretKey)

	bunker := &BunkerClient{
		pool:            pool,
		clientSecretKey: clientSecretKey,
		target:          targetPublicKey,
		relays:          relays,
		sharedSecret:    sharedSecret,
		listeners:       xsync.NewMapOf[string, chan Response](),
		expectingAuth:   xsync.NewMapOf[string, struct{}](),
		onAuth:          onAuth,
		idPrefix:        "gn-" + strconv.Itoa(rand.Intn(65536)),

	go func() {
		now := nostr.Now()
		events := pool.SubMany(ctx, relays, nostr.Filters{
				Tags:      nostr.TagMap{"p": []string{clientPublicKey}},
				Kinds:     []int{nostr.KindNostrConnect},
				Since:     &now,
				LimitZero: true,
		for ie := range events {
			if ie.Kind != nostr.KindNostrConnect {

			var resp Response
			plain, err := nip04.Decrypt(ie.Content, sharedSecret)
			if err != nil {

			err = json.Unmarshal([]byte(plain), &resp)
			if err != nil {

			if resp.Result == "auth_url" {
				// special case
				authURL := resp.Error
				if _, ok := bunker.expectingAuth.Load(resp.ID); ok {

			if dispatcher, ok := bunker.listeners.Load(resp.ID); ok {
				dispatcher <- resp

	return bunker

func (bunker *BunkerClient) Ping(ctx context.Context) error {
	_, err := bunker.RPC(ctx, "ping", []string{})
	if err != nil {
		return err
	return nil

func (bunker *BunkerClient) GetPublicKey(ctx context.Context) (string, error) {
	if bunker.getPublicKeyResponse != "" {
		return bunker.getPublicKeyResponse, nil
	resp, err := bunker.RPC(ctx, "get_public_key", []string{})
	bunker.getPublicKeyResponse = resp
	return resp, err

func (bunker *BunkerClient) SignEvent(ctx context.Context, evt *nostr.Event) error {
	resp, err := bunker.RPC(ctx, "sign_event", []string{evt.String()})
	if err == nil {
		err = easyjson.Unmarshal([]byte(resp), evt)
	return err

func (bunker *BunkerClient) RPC(ctx context.Context, method string, params []string) (string, error) {
	id := bunker.idPrefix + "-" + strconv.FormatUint(bunker.serial.Add(1), 10)
	req, err := json.Marshal(Request{
		ID:     id,
		Method: method,
		Params: params,
	if err != nil {
		return "", err

	content, err := nip04.Encrypt(string(req), bunker.sharedSecret)
	if err != nil {
		return "", fmt.Errorf("error encrypting request: %w", err)

	evt := nostr.Event{
		Content:   content,
		CreatedAt: nostr.Now(),
		Kind:      nostr.KindNostrConnect,
		Tags:      nostr.Tags{{"p",}},
	if err := evt.Sign(bunker.clientSecretKey); err != nil {
		return "", fmt.Errorf("failed to sign request event: %w", err)

	respWaiter := make(chan Response)
	bunker.listeners.Store(id, respWaiter)
	hasWorked := false

	for _, r := range bunker.relays {
		relay, err := bunker.pool.EnsureRelay(r)
		if err == nil {
			hasWorked = true
		relay.Publish(ctx, evt)

	if !hasWorked {
		return "", fmt.Errorf("couldn't connect to any relay")

	resp := <-respWaiter
	if resp.Error != "" {
		return "", fmt.Errorf("response error: %s", resp.Error)

	return resp.Result, nil