include checkid length check from @pippellia-btc

ensure suspected blossom request hash does not have slashes in it
2026-04-09 15:06:52 +02:00 · 2025-03-24 15:57:20 -03:00 · 2025-03-24 15:23:00 -03:00
4 changed files with 6 additions and 6 deletions
--- a/blossom/authorization.go
+++ b/blossom/authorization.go
@@ -25,7 +25,7 @@ func readAuthorization(r *http.Request) (*nostr.Event, error) {
 	if err := easyjson.Unmarshal(eventj, &evt); err != nil {
 		return nil, fmt.Errorf("broken event")
 	}
-	if evt.Kind != 24242 || len(evt.ID) != 64 || !evt.CheckID() {
+	if evt.Kind != 24242 || !evt.CheckID() {
 		return nil, fmt.Errorf("invalid event")
 	}
 	if ok, _ := evt.CheckSignature(); !ok {
--- a/blossom/server.go
+++ b/blossom/server.go
@@ -49,7 +49,7 @@ func New(rl *khatru.Relay, serviceURL string) *BlossomServer {
 			return
 		}

-		if len(strings.SplitN(r.URL.Path, ".", 2)[0]) == 65 {
+		if (len(r.URL.Path) == 65 || strings.Index(r.URL.Path, ".") == 65) && strings.Index(r.URL.Path[1:], "/") == -1 {
 			if r.Method == "HEAD" {
 				bs.handleHasBlob(w, r)
 				return
--- a/go.mod
+++ b/go.mod
@@ -4,12 +4,11 @@ go 1.24.1

 require (
 	github.com/bep/debounce v1.2.1
-	github.com/cloudwego/base64x v0.1.5
 	github.com/fasthttp/websocket v1.5.12
 	github.com/fiatjaf/eventstore v0.16.2
 	github.com/liamg/magic v0.0.1
 	github.com/mailru/easyjson v0.9.0
-	github.com/nbd-wtf/go-nostr v0.51.4
+	github.com/nbd-wtf/go-nostr v0.51.7
 	github.com/puzpuzpuz/xsync/v3 v3.5.1
 	github.com/rs/cors v1.11.1
 	github.com/stretchr/testify v1.10.0
@@ -26,6 +25,7 @@ require (
 	github.com/bytedance/sonic v1.13.1 // indirect
 	github.com/bytedance/sonic/loader v0.2.4 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cloudwego/base64x v0.1.5 // indirect
 	github.com/coder/websocket v1.8.12 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/decred/dcrd/crypto/blake256 v1.1.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -129,8 +129,8 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/nbd-wtf/go-nostr v0.51.4 h1:L4kteLUu/U9P1v1i1CP9wXR+n7D7V4aSCWs4hPFdwp0=
-github.com/nbd-wtf/go-nostr v0.51.4/go.mod h1:raIUNOilCdhiVIqgwe+9enCtdXu1iuPjbLh1hO7wTqI=
+github.com/nbd-wtf/go-nostr v0.51.7 h1:dGjtaaFQ1kA3H+vF8wt9a9WYl54K8C0JmVDf4cp+a4A=
+github.com/nbd-wtf/go-nostr v0.51.7/go.mod h1:d6+DfvMWYG5pA3dmNMBJd6WCHVDDhkXbHqvfljf0Gzg=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
Author	SHA1	Message	Date
fiatjaf	850497956c	include checkid length check from @pippellia-btc	2025-03-24 15:57:20 -03:00
andrewheadricke	28ce6cfb7a	ensure suspected blossom request hash does not have slashes in it	2025-03-24 15:23:00 -03:00