From 8c9394993b3e5a86278aac77de003155e9b73d7f Mon Sep 17 00:00:00 2001
From: fiatjaf
Date: Fri, 28 Mar 2025 18:08:38 -0300
Subject: [PATCH] reject reposts that embed nip70 protected events. in accordance with new stuff added to nip70 that makes some sense.
---
 go.mod | 6 +++---
 go.sum | 7 +++++++
 handlers.go | 45 ++++++++++++++++++++++++---------------------
 policies/events.go | 2 +-
 4 files changed, 35 insertions(+), 25 deletions(-)
diff --git a/go.mod b/go.mod
index 2ace4d9..1f5db35 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/fiatjaf/eventstore v0.16.2
 github.com/liamg/magic v0.0.1
 github.com/mailru/easyjson v0.9.0
- github.com/nbd-wtf/go-nostr v0.51.7
+ github.com/nbd-wtf/go-nostr v0.51.8
 github.com/puzpuzpuz/xsync/v3 v3.5.1
 github.com/rs/cors v1.11.1
 github.com/stretchr/testify v1.10.0
@@ -22,11 +22,11 @@ require (
 github.com/aquasecurity/esquery v0.2.0 // indirect
 github.com/btcsuite/btcd/btcec/v2 v2.3.4 // indirect
 github.com/btcsuite/btcd/chaincfg/chainhash v1.1.0 // indirect
- github.com/bytedance/sonic v1.13.1 // indirect
+ github.com/bytedance/sonic v1.13.2 // indirect
 github.com/bytedance/sonic/loader v0.2.4 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 github.com/cloudwego/base64x v0.1.5 // indirect
- github.com/coder/websocket v1.8.12 // indirect
+ github.com/coder/websocket v1.8.13 // indirect
 github.com/davecgh/go-spew v1.1.1 // indirect
 github.com/decred/dcrd/crypto/blake256 v1.1.0 // indirect
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
diff --git a/go.sum b/go.sum
index a20fabe..b0de1e8 100644
--- a/go.sum
+++ b/go.sum
@@ -14,12 +14,15 @@ github.com/aquasecurity/esquery v0.2.0 h1:9WWXve95TE8hbm3736WB7nS6Owl8UGDeu+0jiy
 github.com/aquasecurity/esquery v0.2.0/go.mod h1:VU+CIFR6C+H142HHZf9RUkp4Eedpo9UrEKeCQHWf9ao=
 github.com/bep/debounce v1.2.1 h1:v67fRdBA9UQu2NhLFXrSg0Brw7CexQekrBwDMM8bzeY=
 github.com/bep/debounce v1.2.1/go.mod h1:H8yggRPQKLUhUoqrJC1bO2xNya7vanpDl7xR3ISbCJ0=
+github.com/btcsuite/btcd v0.24.2 h1:aLmxPguqxza+4ag8R1I2nnJjSu2iFn/kqtHTIImswcY=
 github.com/btcsuite/btcd/btcec/v2 v2.3.4 h1:3EJjcN70HCu/mwqlUsGK8GcNVyLVxFDlWurTXGPFfiQ=
 github.com/btcsuite/btcd/btcec/v2 v2.3.4/go.mod h1:zYzJ8etWJQIv1Ogk7OzpWjowwOdXY1W/17j2MW85J04=
 github.com/btcsuite/btcd/chaincfg/chainhash v1.1.0 h1:59Kx4K6lzOW5w6nFlA0v5+lk/6sjybR934QNHSJZPTQ=
 github.com/btcsuite/btcd/chaincfg/chainhash v1.1.0/go.mod h1:7SFka0XMvUgj3hfZtydOrQY2mwhPclbT2snogU7SQQc=
 github.com/bytedance/sonic v1.13.1 h1:Jyd5CIvdFnkOWuKXr+wm4Nyk2h0yAFsr8ucJgEasO3g=
 github.com/bytedance/sonic v1.13.1/go.mod h1:o68xyaF9u2gvVBuGHPlUVCy+ZfmNNO5ETf1+KgkJhz4=
+github.com/bytedance/sonic v1.13.2 h1:8/H1FempDZqC4VqjptGo14QQlJx8VdZJegxs6wwfqpQ=
+github.com/bytedance/sonic v1.13.2/go.mod h1:o68xyaF9u2gvVBuGHPlUVCy+ZfmNNO5ETf1+KgkJhz4=
 github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
 github.com/bytedance/sonic/loader v0.2.4 h1:ZWCw4stuXUsn1/+zQDqeE7JKP+QO47tz7QCNan80NzY=
 github.com/bytedance/sonic/loader v0.2.4/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
@@ -33,6 +36,8 @@ github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQ
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/coder/websocket v1.8.12 h1:5bUXkEPPIbewrnkU8LTCLVaxi4N4J8ahufH2vlo4NAo=
 github.com/coder/websocket v1.8.12/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
+github.com/coder/websocket v1.8.13 h1:f3QZdXy7uGVz+4uCJy2nTZyM0yTBj8yANEHhqlXZ9FE=
+github.com/coder/websocket v1.8.13/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -131,6 +136,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/nbd-wtf/go-nostr v0.51.7 h1:dGjtaaFQ1kA3H+vF8wt9a9WYl54K8C0JmVDf4cp+a4A=
 github.com/nbd-wtf/go-nostr v0.51.7/go.mod h1:d6+DfvMWYG5pA3dmNMBJd6WCHVDDhkXbHqvfljf0Gzg=
+github.com/nbd-wtf/go-nostr v0.51.8 h1:CIoS+YqChcm4e1L1rfMZ3/mIwTz4CwApM2qx7MHNzmE=
+github.com/nbd-wtf/go-nostr v0.51.8/go.mod h1:d6+DfvMWYG5pA3dmNMBJd6WCHVDDhkXbHqvfljf0Gzg=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
diff --git a/handlers.go b/handlers.go
index 41b2711..214436e 100644
--- a/handlers.go
+++ b/handlers.go
@@ -17,6 +17,7 @@ import (
 "github.com/nbd-wtf/go-nostr/nip42"
 "github.com/nbd-wtf/go-nostr/nip45"
 "github.com/nbd-wtf/go-nostr/nip45/hyperloglog"
+ "github.com/nbd-wtf/go-nostr/nip70"
 "github.com/nbd-wtf/go-nostr/nip77"
 "github.com/nbd-wtf/go-nostr/nip77/negentropy"
 "github.com/puzpuzpuz/xsync/v3"
@@ -175,28 +176,30 @@ func (rl *Relay) HandleWebsocket(w http.ResponseWriter, r *http.Request) {
 }
 
 // check NIP-70 protected
- for _, v := range env.Event.Tags {
- if len(v) == 1 && v[0] == "-" {
- msg := "must be published by event author"
- authed := GetAuthed(ctx)
- if authed == "" {
- RequestAuth(ctx)
- ws.WriteJSON(nostr.OKEnvelope{
- EventID: env.Event.ID,
- OK: false,
- Reason: "auth-required: " + msg,
- })
- return
- }
- if authed != env.Event.PubKey {
- ws.WriteJSON(nostr.OKEnvelope{
- EventID: env.Event.ID,
- OK: false,
- Reason: "blocked: " + msg,
- })
- return
- }
+ if nip70.IsProtected(env.Event) {
+ authed := GetAuthed(ctx)
+ if authed == "" {
+ RequestAuth(ctx)
+ ws.WriteJSON(nostr.OKEnvelope{
+ EventID: env.Event.ID,
+ OK: false,
+ Reason: "auth-required: must be published by authenticated event author",
+ })
+ return
+ } else if authed != env.Event.PubKey {
+ ws.WriteJSON(nostr.OKEnvelope{
+ EventID: env.Event.ID,
+ OK: false,
+ Reason: "blocked: must be published by event author",
+ })
+ return
 }
+ } else if nip70.HasEmbeddedProtected(env.Event) {
+ ws.WriteJSON(nostr.OKEnvelope{
+ EventID: env.Event.ID,
+ OK: false,
+ Reason: "blocked: can't repost nip70 protected",
+ })
 }
 
 srl := rl
diff --git a/policies/events.go b/policies/events.go
index d7d06d5..5ca069c 100644
--- a/policies/events.go
+++ b/policies/events.go
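Review bot: In handlers.go, the added `else if nip70.HasEmbeddedProtected(env.Event)` branch sends the `blocked: can't repost nip70 protected` rejection but never returns, unlike the two rejection paths just above it, so execution falls through to `srl := rl` and whatever HandleWebsocket does next (the function continues outside this hunk). If the following code stores or broadcasts the event, as the surrounding flow suggests, the relay would report the repost as rejected while still accepting it, which defeats the protection this commit is meant to add and may also send the client a second OK for the same event id. Add `return` after the `ws.WriteJSON(...)` call in that branch. A regression test that submits a repost embedding a `-`-tagged event and checks that it is not stored afterwards would keep this from recurring.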
@@ -110,7 +110,7 @@ func RejectEventsWithBase64Media(ctx context.Context, evt *nostr.Event) (bool, s
 }
 
 func OnlyAllowNIP70ProtectedEvents(ctx context.Context, event *nostr.Event) (reject bool, msg string) {
- if nip70.IsProtected(event) {
+ if nip70.IsProtected(*event) {
 return false, ""
 }
 return true, "blocked: we only accept events protected with the nip70 \"-\" tag"
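Review bot: `OnlyAllowNIP70ProtectedEvents` in policies/events.go is exported but has no doc comment, and what it does and does not enforce is easy to misread. It only checks that the event carries the NIP-70 marker; the check that the authenticated connection matches the event author lives in HandleWebsocket, so I would add `// OnlyAllowNIP70ProtectedEvents rejects any event that is not marked protected under NIP-70; it does not verify that the publisher is the event's author.` above the function. The new `*event` dereference also assumes callers never pass a nil event, which is worth stating in the same comment. The function's closing brace is outside the hunk.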