Refactor self-connection handling and improve message processing

- Removed self-connection detection logic from the Listener and Server, simplifying the message handling process.
- Updated the HandleMessage and handle-websocket functions to eliminate checks for self-connections, enhancing clarity and maintainability.
- Adjusted AUTH challenge logic to focus solely on blacklisted IPs, streamlining connection management.

app/handle-message.go

@@ -16,12 +16,6 @@ import (
 )
 
 func (l *Listener) HandleMessage(msg []byte, remote string) {
-	// Ignore all messages from self-connections
-	if l.isSelfConnection {
-		log.D.F("ignoring message from self-connection %s", remote)
-		return
-	}
-
 	// Handle blacklisted IPs - discard messages but keep connection open until timeout
 	if l.isBlacklisted {
 		// Check if timeout has been reached

app/handle-websocket.go

@@ -88,12 +88,6 @@ whitelist:
 		startTime: time.Now(),
 	}
 
-	// Detect self-connections early to avoid sending AUTH challenges
-	listener.isSelfConnection = s.isSelfConnection(remote)
-	if listener.isSelfConnection {
-		log.W.F("detected self-connection from %s, marking connection", remote)
-	}
-
 	// Check for blacklisted IPs
 	listener.isBlacklisted = s.isIPBlacklisted(remote)
 	if listener.isBlacklisted {
@@ -103,7 +97,7 @@ whitelist:
 	chal := make([]byte, 32)
 	rand.Read(chal)
 	listener.challenge.Store([]byte(hex.Enc(chal)))
-	if s.Config.ACLMode != "none" && !listener.isSelfConnection {
+	if s.Config.ACLMode != "none" {
 		log.D.F("sending AUTH challenge to %s", remote)
 		if err = authenvelope.NewChallengeWith(listener.challenge.Load()).
 			Write(listener); chk.E(err) {
@@ -111,8 +105,6 @@ whitelist:
 			return
 		}
 		log.D.F("AUTH challenge sent successfully to %s", remote)
-	} else if listener.isSelfConnection {
-		log.D.F("skipping AUTH challenge for self-connection from %s", remote)
 	}
 	ticker := time.NewTicker(DefaultPingWait)
 	go s.Pinger(ctx, conn, ticker, cancel)

app/listener.go

@@ -24,7 +24,6 @@ type Listener struct {
 	challenge        atomic.Bytes
 	authedPubkey     atomic.Bytes
 	startTime        time.Time
-	isSelfConnection bool      // Marker to identify self-connections
 	isBlacklisted    bool      // Marker to identify blacklisted IPs
 	blacklistTimeout time.Time // When to timeout blacklisted connections
 	// Diagnostics: per-connection counters

app/server.go

@@ -49,33 +49,6 @@ type Server struct {
 	policyManager    *policy.P
 }
 
-// isSelfConnection checks if the connection is coming from the relay itself
-func (s *Server) isSelfConnection(remote string) bool {
-	// Check for localhost connections
-	if strings.HasPrefix(remote, "127.0.0.1:") || strings.HasPrefix(remote, "::1:") || strings.HasPrefix(remote, "[::1]:") {
-		return true
-	}
-
-	// Check for connections from the same IP as the server
-	// This handles cases where the relay connects to itself via its public IP
-	if s.Config.Listen != "" {
-		// Extract IP from listen address (e.g., "0.0.0.0" -> "0.0.0.0")
-		listenIP := s.Config.Listen
-		if listenIP == "0.0.0.0" || listenIP == "" {
-			// If listening on all interfaces, check if remote IP matches any local interface
-			// For now, we'll be conservative and only check localhost
-			return false
-		}
-		// Check if remote IP matches the listen IP
-		remoteIP := strings.Split(remote, ":")[0]
-		if remoteIP == listenIP {
-			return true
-		}
-	}
-
-	return false
-}
-
 // isIPBlacklisted checks if an IP address is blacklisted using the managed ACL system
 func (s *Server) isIPBlacklisted(remote string) bool {
 	// Extract IP from remote address (e.g., "192.168.1.1:12345" -> "192.168.1.1")