layer-systems/relay
1
0
Fork 0
mirror of https://github.com/layer-systems/relay.git synced 2026-06-02 16:53:01 +02:00
Code Issues Packages Projects Releases Wiki Activity

nip17-RejectNonAuthenticatedGiftWrapQueries

Browse Source
This commit is contained in:
highperfocused
2026-01-04 16:56:17 +01:00
parent c9dd6590da
commit 0abb475d2a
2 changed files with 58 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
main.go
View File

@@ -119,22 +119,7 @@ func main() {
// },
// )
// // you can request auth by rejecting an event or a request with the prefix "auth-required: "
// relay.RejectFilter = append(relay.RejectFilter,
// // built-in policies
// policies.NoComplexFilters,
// // define your own policies
// func(ctx context.Context, filter nostr.Filter) (reject bool, msg string) {
// if pubkey := khatru.GetAuthed(ctx); pubkey != "" {
// log.Printf("request from %s\n", pubkey)
// return false, ""
// }
// return true, "auth-required: only authenticated users can read from this relay"
// // (this will cause an AUTH message to be sent and then a CLOSED message such that clients can
// // authenticate and then request again)
// },
// )
relay.RejectFilter = append(relay.RejectFilter, RejectNonAuthenticatedGiftWrapQueries)
// management endpoints
relay.ManagementAPI.RejectAPICall = append(relay.ManagementAPI.RejectAPICall,

57
nip17.go Normal file
View File

@@ -0,0 +1,57 @@
package main
import (
"context"
"github.com/fiatjaf/khatru"
"github.com/nbd-wtf/go-nostr"
)
// RejectNonAuthenticatedGiftWrapQueries implements NIP-17 metadata protection
// by requiring authentication for kind 1059 (gift wrap) queries and restricting
// results to only show events intended for the authenticated user.
func RejectNonAuthenticatedGiftWrapQueries(ctx context.Context, filter nostr.Filter) (reject bool, msg string) {
// Check if filter includes kind 1059 (gift wrap events)
isGiftWrapQuery := false
for _, kind := range filter.Kinds {
if kind == 1059 {
isGiftWrapQuery = true
break
}
}
if !isGiftWrapQuery {
return false, "" // not a gift wrap query, allow
}
// Require authentication for gift wrap queries
pubkey := khatru.GetAuthed(ctx)
if pubkey == "" {
return true, "auth-required: authentication required to query direct messages"
}
// Only allow querying gift wraps addressed to the authenticated user
// Check if the filter already restricts by recipient pubkey
hasRecipientFilter := false
for _, tag := range filter.Tags {
if len(tag) > 0 && tag[0] == "p" {
// Check if authenticated user is in the p tags
for i := 1; i < len(tag); i++ {
if tag[i] == pubkey {
hasRecipientFilter = true
break
}
}
}
}
if !hasRecipientFilter {
// Force the filter to only include events where the authenticated user is the recipient
if filter.Tags == nil {
filter.Tags = make(nostr.TagMap)
}
filter.Tags["p"] = []string{pubkey}
}
return false, ""
}