From 214b92ba3b1ebd978fce4860a6e2ec6a096dea5a Mon Sep 17 00:00:00 2001
From: fiatjaf
Date: Tue, 16 Jul 2024 13:30:14 -0300
Subject: [PATCH] management: check 'u' tag on authorization event.

---
 nip86.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/nip86.go b/nip86.go
index af76af2..35523bb 100644
--- a/nip86.go
+++ b/nip86.go
@@ -74,6 +74,9 @@ func (rl *Relay) HandleNIP86(w http.ResponseWriter, r *http.Request) {
 } else if ok, _ := evt.CheckSignature(); !ok {
 resp.Error = "invalid auth event"
 goto respond
+ } else if uTag := evt.Tags.GetFirst([]string{"u", ""}); uTag == nil || getServiceBaseURL(r) != (*uTag)[1] {
+ resp.Error = "invalid 'u' tag"
+ goto respond
 } else if pht := evt.Tags.GetFirst([]string{"payload", hex.EncodeToString(payloadHash[:])}); pht == nil {
 resp.Error = "invalid auth event payload hash"
 goto respond
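Review bot: The new 'u' check in the `else if uTag := ...` branch binds the auth event to this relay only as firmly as `getServiceBaseURL(r)` is trustworthy, and that helper is defined outside the hunk. If it builds the URL from the request's Host or forwarded headers (not visible here, so this needs confirming), both sides of the comparison are client-supplied and an event signed for a different service could still pass; comparing against a configured canonical relay URL would close that, or the deployment requirement that a reverse proxy overwrites those headers should be documented. The comparison is also an exact string match, so a trailing slash or a host-case difference in the tag is rejected; that fails closed, but a comment such as `// 'u' must equal this relay's base URL exactly, so an auth event signed for another service is rejected` would make the intent clear. The if/else chain and the rest of `HandleNIP86` start and end outside the hunk, so any kind or timestamp checks on the event cannot be assessed from here.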