Remove Dgraph, check hex field case, reject if any uppercase

app/handle-event.go

@@ -1,6 +1,7 @@
 package app
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 	"strings"
@@ -11,6 +12,7 @@ import (
 	"next.orly.dev/pkg/acl"
 	"git.mleku.dev/mleku/nostr/encoders/envelopes/authenvelope"
 	"git.mleku.dev/mleku/nostr/encoders/envelopes/eventenvelope"
+	"git.mleku.dev/mleku/nostr/encoders/envelopes/noticeenvelope"
 	"git.mleku.dev/mleku/nostr/encoders/envelopes/okenvelope"
 	"git.mleku.dev/mleku/nostr/encoders/hex"
 	"git.mleku.dev/mleku/nostr/encoders/kind"
@@ -19,8 +21,185 @@ import (
 	"next.orly.dev/pkg/utils"
 )
 
+// validateLowercaseHexInJSON checks that all hex-encoded fields in the raw JSON are lowercase.
+// NIP-01 specifies that hex encoding must be lowercase.
+// This must be called on the raw message BEFORE unmarshaling, since unmarshal converts
+// hex strings to binary and loses case information.
+// Returns an error message if validation fails, or empty string if valid.
+func validateLowercaseHexInJSON(msg []byte) string {
+	// Find and validate "id" field (64 hex chars)
+	if err := validateJSONHexField(msg, `"id"`); err != "" {
+		return err + " (id)"
+	}
+
+	// Find and validate "pubkey" field (64 hex chars)
+	if err := validateJSONHexField(msg, `"pubkey"`); err != "" {
+		return err + " (pubkey)"
+	}
+
+	// Find and validate "sig" field (128 hex chars)
+	if err := validateJSONHexField(msg, `"sig"`); err != "" {
+		return err + " (sig)"
+	}
+
+	// Validate e and p tags in the tags array
+	// Tags format: ["e", "hexvalue", ...] or ["p", "hexvalue", ...]
+	if err := validateEPTagsInJSON(msg); err != "" {
+		return err
+	}
+
+	return "" // Valid
+}
+
+// validateJSONHexField finds a JSON field and checks if its hex value contains uppercase.
+func validateJSONHexField(msg []byte, fieldName string) string {
+	// Find the field name
+	idx := bytes.Index(msg, []byte(fieldName))
+	if idx == -1 {
+		return "" // Field not found, skip
+	}
+
+	// Find the colon after the field name
+	colonIdx := bytes.Index(msg[idx:], []byte(":"))
+	if colonIdx == -1 {
+		return ""
+	}
+
+	// Find the opening quote of the value
+	valueStart := idx + colonIdx + 1
+	for valueStart < len(msg) && (msg[valueStart] == ' ' || msg[valueStart] == '\t' || msg[valueStart] == '\n' || msg[valueStart] == '\r') {
+		valueStart++
+	}
+	if valueStart >= len(msg) || msg[valueStart] != '"' {
+		return ""
+	}
+	valueStart++ // Skip the opening quote
+
+	// Find the closing quote
+	valueEnd := valueStart
+	for valueEnd < len(msg) && msg[valueEnd] != '"' {
+		valueEnd++
+	}
+
+	// Extract the hex value and check for uppercase
+	hexValue := msg[valueStart:valueEnd]
+	if containsUppercaseHex(hexValue) {
+		return "blocked: hex fields may only be lower case, see NIP-01"
+	}
+
+	return ""
+}
+
+// validateEPTagsInJSON checks e and p tags in the JSON for uppercase hex.
+func validateEPTagsInJSON(msg []byte) string {
+	// Find the tags array
+	tagsIdx := bytes.Index(msg, []byte(`"tags"`))
+	if tagsIdx == -1 {
+		return "" // No tags
+	}
+
+	// Find the opening bracket of the tags array
+	bracketIdx := bytes.Index(msg[tagsIdx:], []byte("["))
+	if bracketIdx == -1 {
+		return ""
+	}
+
+	tagsStart := tagsIdx + bracketIdx
+
+	// Scan through to find ["e", ...] and ["p", ...] patterns
+	// This is a simplified parser that looks for specific patterns
+	pos := tagsStart
+	for pos < len(msg) {
+		// Look for ["e" or ["p" pattern
+		eTagPattern := bytes.Index(msg[pos:], []byte(`["e"`))
+		pTagPattern := bytes.Index(msg[pos:], []byte(`["p"`))
+
+		var tagType string
+		var nextIdx int
+
+		if eTagPattern == -1 && pTagPattern == -1 {
+			break // No more e or p tags
+		} else if eTagPattern == -1 {
+			nextIdx = pos + pTagPattern
+			tagType = "p"
+		} else if pTagPattern == -1 {
+			nextIdx = pos + eTagPattern
+			tagType = "e"
+		} else if eTagPattern < pTagPattern {
+			nextIdx = pos + eTagPattern
+			tagType = "e"
+		} else {
+			nextIdx = pos + pTagPattern
+			tagType = "p"
+		}
+
+		// Find the hex value after the tag type
+		// Pattern: ["e", "hexvalue" or ["p", "hexvalue"
+		commaIdx := bytes.Index(msg[nextIdx:], []byte(","))
+		if commaIdx == -1 {
+			pos = nextIdx + 4
+			continue
+		}
+
+		// Find the opening quote of the hex value
+		valueStart := nextIdx + commaIdx + 1
+		for valueStart < len(msg) && (msg[valueStart] == ' ' || msg[valueStart] == '\t' || msg[valueStart] == '"') {
+			if msg[valueStart] == '"' {
+				valueStart++
+				break
+			}
+			valueStart++
+		}
+
+		// Find the closing quote
+		valueEnd := valueStart
+		for valueEnd < len(msg) && msg[valueEnd] != '"' {
+			valueEnd++
+		}
+
+		// Check if this looks like a hex value (64 chars for pubkey/event ID)
+		hexValue := msg[valueStart:valueEnd]
+		if len(hexValue) == 64 && containsUppercaseHex(hexValue) {
+			return fmt.Sprintf("blocked: hex fields may only be lower case, see NIP-01 (%s tag)", tagType)
+		}
+
+		pos = valueEnd + 1
+	}
+
+	return ""
+}
+
+// containsUppercaseHex checks if a byte slice (representing hex) contains uppercase letters A-F.
+func containsUppercaseHex(b []byte) bool {
+	for _, c := range b {
+		if c >= 'A' && c <= 'F' {
+			return true
+		}
+	}
+	return false
+}
+
 func (l *Listener) HandleEvent(msg []byte) (err error) {
 	log.D.F("HandleEvent: START handling event: %s", msg)
+
+	// Validate that all hex fields are lowercase BEFORE unmarshaling
+	// (unmarshal converts hex to binary and loses case information)
+	if errMsg := validateLowercaseHexInJSON(msg); errMsg != "" {
+		log.W.F("HandleEvent: rejecting event with uppercase hex: %s", errMsg)
+		// Send NOTICE to alert client developers about the issue
+		if noticeErr := noticeenvelope.NewFrom(errMsg).Write(l); noticeErr != nil {
+			log.E.F("failed to send NOTICE for uppercase hex: %v", noticeErr)
+		}
+		// Send OK false with the error message
+		if err = okenvelope.NewFrom(
+			nil, false,
+			reason.Blocked.F(errMsg),
+		).Write(l); chk.E(err) {
+			return
+		}
+		return nil
+	}
+
 	// decode the envelope
 	env := eventenvelope.NewSubmission()
 	log.I.F("HandleEvent: received event message length: %d", len(msg))