diff --git a/config.toml b/config.toml
index 64b32bf..a8a94d0 100644
--- a/config.toml
+++ b/config.toml
@@ -173,6 +173,8 @@ limit_scrapers = false
 #]
 # Enable NIP-42 authentication
 #nip42_auth = false
+# Allow whitelisted NIP-42 authenticated client to post from any pubkey
+#nip42_whitelist = false
 # Send DMs (kind 4 and 44) and gift wraps (kind 1059) only to their authenticated recipients
 #nip42_dms = false
diff --git a/src/config.rs b/src/config.rs
index c71cd8b..7d92902 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -83,6 +83,7 @@ pub struct Limits {
 pub struct Authorization {
 pub pubkey_whitelist: Option>, // If present, only allow these pubkeys to publish events
 pub nip42_auth: bool, // if true enables NIP-42 authentication
+ pub nip42_whitelist: bool, // if true allows whitelisted NIP-42 authenticated clients to publish events from any pubkey
 pub nip42_dms: bool, // if true send DMs only to their authenticated recipients
 }
@@ -325,6 +326,7 @@ impl Default for Settings {
 authorization: Authorization {
 pubkey_whitelist: None, // Allow any address to publish
 nip42_auth: false, // Disable NIP-42 authentication
+ nip42_whitelist: false, // Disable NIP-42 whitelist
 nip42_dms: false, // Send DMs to everybody
 },
 pay_to_relay: PayToRelay {
diff --git a/src/db.rs b/src/db.rs
index ee31735..db96f69 100644
--- a/src/db.rs
+++ b/src/db.rs
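Review bot: The new comment on `#nip42_whitelist` in config.toml does not say what the option depends on. In the `src/db.rs` hunk of this commit the bypass is only evaluated when `nip42_auth` is true and `pubkey_whitelist` is set, and it is the authenticated key, not the event author, that must be on that list. I would spell this out for operators, e.g. `# Requires nip42_auth = true and pubkey_whitelist; a client authenticated as a whitelisted pubkey may then publish events authored by any pubkey`.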
@@ -204,9 +204,19 @@ pub async fn db_writer(
 if !pay_to_relay_enabled {
 // check if this event is authorized.
 if let Some(allowed_addrs) = whitelist {
+ let mut whitelisted = false;
+ if settings.authorization.nip42_auth && settings.authorization.nip42_whitelist {
+ if let Some(auth_pubkey) = subm_event.auth_pubkey.clone() {
+ if allowed_addrs.contains(&hex::encode(auth_pubkey)) {
+ // A nip42 authenticated whitelisted client can post whatever they want
+ debug!("nip42 authenticated client may publish");
+ whitelisted = true;
+ }
+ }
+ }
 // TODO: incorporate delegated pubkeys
 // if the event address is not in allowed_addrs.
- if !allowed_addrs.contains(&event.pubkey) {
+ if !whitelisted && !allowed_addrs.contains(&event.pubkey) {
 debug!(
 "rejecting event: {}, unauthorized author",
 event.get_event_id_prefix()
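Review bot: The bypass branch logs only the fixed string `nip42 authenticated client may publish`, so once `whitelisted` is set there is no record of which authenticated key published an event under a different author pubkey. Because this path deliberately skips the author check, I would record both identities: bind `let auth_hex = hex::encode(auth_pubkey);` before the `contains` call, reuse it there, and log `debug!("nip42 whitelisted client {} may publish event {} by author {}", auth_hex, event.get_event_id_prefix(), event.pubkey);`. The check also trusts `subm_event.auth_pubkey`; presumably that field is set only after the AUTH event has been verified, but that code is outside this hunk and worth confirming. `db_writer` begins before and continues after the hunk.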