From a816737cd37c6ead6911adeaf2a1bfaf440c0ad2 Mon Sep 17 00:00:00 2001
From: mleku <me@mleku.dev>
Date: Fri, 12 Dec 2025 06:14:24 +0100
Subject: [PATCH] Fix NIP-42 AUTH compliance: always respond with OK message
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Ensure AUTH handler always sends OK response per NIP-42 specification,
  including for parse failures (uses zero event ID with error reason)
- Add zeroEventID constant for OK responses when event ID cannot be parsed
- Document critical client guidance: clients MUST wait for OK response
  after AUTH before publishing events requiring authentication
- Update nostr skill and CLAUDE.md with NIP-42 AUTH protocol requirements
  for client developers, emphasizing OK response handling
- Add MAX_THINKING_TOKENS setting to Claude configuration

Files modified:
- app/handle-auth.go: Add OK response for AUTH parse failures
- .claude/skills/nostr/SKILL.md: Document AUTH OK response requirements
- CLAUDE.md: Add NIP-42 AUTH Protocol section for client developers
- .claude/settings.local.json: Add MAX_THINKING_TOKENS setting
- pkg/version/version: Bump to v0.34.7

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 .claude/settings.local.json   |  1 +
 .claude/skills/nostr/SKILL.md | 14 ++++++++++++--
 CLAUDE.md                     | 12 ++++++++++++
 app/handle-auth.go            | 12 ++++++++++++
 pkg/version/version           |  2 +-
 5 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/.claude/settings.local.json b/.claude/settings.local.json
index ac0147d..2960891 100644
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -1,4 +1,5 @@
 {
+"MAX_THINKING_TOKENS": "8000",
   "permissions": {
     "allow": [
       "Bash:*",
diff --git a/.claude/skills/nostr/SKILL.md b/.claude/skills/nostr/SKILL.md
index 6499097..357d51a 100644
--- a/.claude/skills/nostr/SKILL.md
+++ b/.claude/skills/nostr/SKILL.md
@@ -150,10 +150,20 @@ Event kind `7` for reactions:
 
 #### NIP-42: Authentication
 Client authentication to relays:
-- AUTH message from relay
-- Client responds with event kind `22242`
+- AUTH message from relay (challenge)
+- Client responds with event kind `22242` signed auth event
 - Proves key ownership
 
+**CRITICAL: Clients MUST wait for OK response after AUTH**
+- Relays MUST respond to AUTH with an OK message (same as EVENT)
+- An OK with `true` confirms the relay has stored the authenticated pubkey
+- An OK with `false` indicates authentication failed:
+  1. **Alert the user** that authentication failed
+  2. **Assume the relay will reject** subsequent events requiring auth
+  3. Check the `reason` field for error details (e.g., "error: failed to parse auth event")
+- Do NOT send events requiring authentication until OK `true` is received
+- If no OK is received within timeout, assume connection issues and retry or alert user
+
 #### NIP-50: Search
 Query filter extension for full-text search:
 - `search` field in REQ filters
diff --git a/CLAUDE.md b/CLAUDE.md
index 316fa74..4fe370b 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -901,6 +901,18 @@ WebAssembly-compatible database backend (`pkg/wasmdb/`):
 - `ORLY_AUTH_REQUIRED=true`: Require authentication for ALL requests
 - `ORLY_AUTH_TO_WRITE=true`: Require authentication only for writes (allow anonymous reads)
 
+### NIP-42 AUTH Protocol (IMPORTANT for Client Developers)
+Per NIP-42, this relay always responds to AUTH messages with an OK message:
+- **Clients MUST wait for the OK response** after sending AUTH before publishing events
+- An OK with `true` confirms the relay has stored the authenticated pubkey
+- An OK with `false` indicates authentication failed - clients should:
+  1. Alert the user that authentication failed
+  2. Assume the relay will reject subsequent events requiring auth
+  3. Check the reason field for error details
+- If no OK is received within a reasonable timeout, assume connection issues
+
+Implementation: `app/handle-auth.go`
+
 ### NIP-43 Relay Access Metadata
 Invite-based access control system:
 - `ORLY_NIP43_ENABLED=true`: Enable invite system
diff --git a/app/handle-auth.go b/app/handle-auth.go
index bfafd11..be55294 100644
--- a/app/handle-auth.go
+++ b/app/handle-auth.go
@@ -5,13 +5,25 @@ import (
 	"lol.mleku.dev/log"
 	"git.mleku.dev/mleku/nostr/encoders/envelopes/authenvelope"
 	"git.mleku.dev/mleku/nostr/encoders/envelopes/okenvelope"
+	"git.mleku.dev/mleku/nostr/encoders/reason"
 	"git.mleku.dev/mleku/nostr/protocol/auth"
 )
 
+// zeroEventID is used for OK responses when we cannot parse the event ID
+var zeroEventID = make([]byte, 32)
+
 func (l *Listener) HandleAuth(b []byte) (err error) {
 	var rem []byte
 	env := authenvelope.NewResponse()
 	if rem, err = env.Unmarshal(b); chk.E(err) {
+		// NIP-42: AUTH messages MUST be answered with an OK message
+		// For parse failures, use zero event ID
+		log.E.F("%s AUTH unmarshal failed: %v", l.remote, err)
+		if writeErr := okenvelope.NewFrom(
+			zeroEventID, false, reason.Error.F("failed to parse auth event: %s", err),
+		).Write(l); chk.E(writeErr) {
+			return writeErr
+		}
 		return
 	}
 	defer func() {
diff --git a/pkg/version/version b/pkg/version/version
index 64799a9..a37f0fe 100644
--- a/pkg/version/version
+++ b/pkg/version/version
@@ -1 +1 @@
-v0.34.6
\ No newline at end of file
+v0.34.7
\ No newline at end of file