nip42 authorized whitelisted client can always post

2024-11-21 16:59:06 -05:00 · 2024-09-16 16:08:28 +02:00 · 2024-09-16 16:08:28 +02:00 · 53429075d6
commit 53429075d6
parent 6329acd82b
3 changed files with 15 additions and 1 deletions
--- a/config.toml
+++ b/config.toml
@ -173,6 +173,8 @@ limit_scrapers = false
 #]
 # Enable NIP-42 authentication
 #nip42_auth = false
+# Allow whitelisted NIP-42 authenticated client to post from any pubkey
+#nip42_whitelist = false
 # Send DMs (kind 4 and 44) and gift wraps (kind 1059) only to their authenticated recipients
 #nip42_dms = false

--- a/src/config.rs
+++ b/src/config.rs
@ -83,6 +83,7 @@ pub struct Limits {
 pub struct Authorization {
    pub pubkey_whitelist: Option<Vec<String>>, // If present, only allow these pubkeys to publish events
    pub nip42_auth: bool,                      // if true enables NIP-42 authentication
+    pub nip42_whitelist: bool,                 // if true allows whitelisted NIP-42 authenticated clients to publish events from any pubkey
    pub nip42_dms: bool, // if true send DMs only to their authenticated recipients
 }

@ -325,6 +326,7 @@ impl Default for Settings {
            authorization: Authorization {
                pubkey_whitelist: None, // Allow any address to publish
                nip42_auth: false,      // Disable NIP-42 authentication
+                nip42_whitelist: false, // Disable NIP-42 whitelist
                nip42_dms: false,       // Send DMs to everybody
            },
            pay_to_relay: PayToRelay {
--- a/src/db.rs
+++ b/src/db.rs
@ -204,9 +204,19 @@ pub async fn db_writer(
        if !pay_to_relay_enabled {
            // check if this event is authorized.
            if let Some(allowed_addrs) = whitelist {
+                let mut whitelisted = false;
+                if settings.authorization.nip42_auth && settings.authorization.nip42_whitelist {
+                    if let Some(auth_pubkey) = subm_event.auth_pubkey.clone() {
+                        if allowed_addrs.contains(&hex::encode(auth_pubkey)) {
+                            // A nip42 authenticated whitelisted client can post whatever they want
+                            debug!("nip42 authenticated client may publish");
+                            whitelisted = true;
+                        }
+                    }
+                }
                // TODO: incorporate delegated pubkeys
                // if the event address is not in allowed_addrs.
-                if !allowed_addrs.contains(&event.pubkey) {
+                if !whitelisted && !allowed_addrs.contains(&event.pubkey) {
                    debug!(
                        "rejecting event: {}, unauthorized author",
                        event.get_event_id_prefix()