Remove Cashu Access Token (CAT) system entirely (v0.52.3)
- Delete pkg/cashu/ package (BDHKE, issuer, verifier, keyset, token) - Delete pkg/interfaces/cashu/ interface definitions - Delete pkg/bunker/acl_adapter.go CAT authorization checker - Delete app/handle-cashu.go HTTP handlers for mint endpoints - Delete docs/NIP-XX-CASHU-ACCESS-TOKENS.md specification - Remove Cashu config fields from app/config/config.go - Remove CashuIssuer/CashuVerifier from app/server.go - Remove CAT initialization and NRC Cashu verifier from app/main.go - Remove token extraction from app/handle-websocket.go - Remove CAT permission checks from app/handle-event.go - Remove CashuEnabled from bunker info response - Remove UseCashu field from NRC connections - Remove AuthModeCAT from NRC protocol - Remove CAT UI from BunkerView.svelte and RelayConnectView.svelte - Remove cashu-client.js from web UI - Add missing bunker worker stores to stores.js Files modified: - app/config/config.go: Removed Cashu config fields - app/server.go: Removed Cashu issuer/verifier - app/main.go: Removed Cashu initialization - app/handle-*.go: Removed CAT checks and handlers - app/listener.go: Removed cashuToken field - pkg/database/nrc.go: Removed UseCashu field - pkg/protocol/nrc/: Removed CAT auth mode and handling - pkg/event/authorization/: Removed CAT import - app/web/src/: Removed CAT UI components and logic - main.go: Removed CAT help text Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@@ -13,7 +13,6 @@ import (
|
||||
"lol.mleku.dev/log"
|
||||
"git.mleku.dev/mleku/nostr/encoders/envelopes/authenvelope"
|
||||
"git.mleku.dev/mleku/nostr/encoders/hex"
|
||||
"next.orly.dev/pkg/cashu/token"
|
||||
"next.orly.dev/pkg/protocol/publish"
|
||||
"git.mleku.dev/mleku/nostr/utils/units"
|
||||
)
|
||||
@@ -57,12 +56,6 @@ func (s *Server) HandleWebsocket(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
whitelist:
|
||||
// Extract and verify Cashu access token if verifier is configured
|
||||
var cashuToken *token.Token
|
||||
if s.CashuVerifier != nil {
|
||||
cashuToken = s.extractWebSocketToken(r, remote)
|
||||
}
|
||||
|
||||
// Create an independent context for this connection
|
||||
// This context will be cancelled when the connection closes or server shuts down
|
||||
ctx, cancel := context.WithCancel(s.Ctx)
|
||||
@@ -109,7 +102,6 @@ whitelist:
|
||||
remote: remote,
|
||||
connectionID: fmt.Sprintf("%s-%d", remote, now.UnixNano()), // Unique connection ID for access tracking
|
||||
req: r,
|
||||
cashuToken: cashuToken, // Verified Cashu access token (nil if none provided)
|
||||
startTime: now,
|
||||
writeChan: make(chan publish.WriteRequest, 100), // Buffered channel for writes
|
||||
writeDone: make(chan struct{}),
|
||||
@@ -303,58 +295,3 @@ func (s *Server) Pinger(
|
||||
}
|
||||
}
|
||||
|
||||
// extractWebSocketToken extracts and verifies a Cashu access token from a WebSocket upgrade request.
|
||||
// Checks query param first (for browser WebSocket clients), then headers.
|
||||
// Returns nil if no token is provided or if token verification fails.
|
||||
func (s *Server) extractWebSocketToken(r *http.Request, remote string) *token.Token {
|
||||
// Try query param first (WebSocket clients often can't set custom headers)
|
||||
tokenStr := r.URL.Query().Get("token")
|
||||
log.D.F("ws %s: CAT extraction - query param token: %v", remote, tokenStr != "")
|
||||
|
||||
// Try X-Cashu-Token header
|
||||
if tokenStr == "" {
|
||||
tokenStr = r.Header.Get("X-Cashu-Token")
|
||||
log.D.F("ws %s: CAT extraction - X-Cashu-Token header: %v", remote, tokenStr != "")
|
||||
}
|
||||
|
||||
// Try Authorization: Cashu scheme
|
||||
if tokenStr == "" {
|
||||
auth := r.Header.Get("Authorization")
|
||||
if strings.HasPrefix(auth, "Cashu ") {
|
||||
tokenStr = strings.TrimPrefix(auth, "Cashu ")
|
||||
}
|
||||
log.D.F("ws %s: CAT extraction - Authorization header: %v", remote, tokenStr != "")
|
||||
}
|
||||
|
||||
// No token provided - this is fine, connection proceeds without token
|
||||
if tokenStr == "" {
|
||||
log.D.F("ws %s: CAT extraction - no token found", remote)
|
||||
return nil
|
||||
}
|
||||
log.D.F("ws %s: CAT extraction - found token (len=%d)", remote, len(tokenStr))
|
||||
|
||||
// Parse the token
|
||||
tok, err := token.Parse(tokenStr)
|
||||
if err != nil {
|
||||
log.W.F("ws %s: invalid Cashu token format: %v", remote, err)
|
||||
return nil
|
||||
}
|
||||
|
||||
// Verify token - accept both "relay" and "nip46" scopes for WebSocket connections
|
||||
// NIP-46 connections are also WebSocket-based
|
||||
ctx := context.Background()
|
||||
if err := s.CashuVerifier.Verify(ctx, tok, remote); err != nil {
|
||||
log.W.F("ws %s: Cashu token verification failed: %v", remote, err)
|
||||
return nil
|
||||
}
|
||||
|
||||
// Check scope - allow "relay" or "nip46"
|
||||
if tok.Scope != token.ScopeRelay && tok.Scope != token.ScopeNIP46 {
|
||||
log.W.F("ws %s: Cashu token has invalid scope %q for WebSocket", remote, tok.Scope)
|
||||
return nil
|
||||
}
|
||||
|
||||
log.D.F("ws %s: verified Cashu token with scope %q, expires %v",
|
||||
remote, tok.Scope, tok.ExpiresAt())
|
||||
return tok
|
||||
}
|
||||
|
||||