Fix NIP-42 AUTH compliance: always respond with OK message
Some checks failed
Go / build-and-release (push) Has been cancelled
- Ensure AUTH handler always sends OK response per NIP-42 specification, including for parse failures (uses zero event ID with error reason)
- Add zeroEventID constant for OK responses when event ID cannot be parsed
- Document critical client guidance: clients MUST wait for OK response after AUTH before publishing events requiring authentication
- Update nostr skill and CLAUDE.md with NIP-42 AUTH protocol requirements for client developers, emphasizing OK response handling
- Add MAX_THINKING_TOKENS setting to Claude configuration

Files modified:
- app/handle-auth.go: Add OK response for AUTH parse failures
- .claude/skills/nostr/SKILL.md: Document AUTH OK response requirements
- CLAUDE.md: Add NIP-42 AUTH Protocol section for client developers
- .claude/settings.local.json: Add MAX_THINKING_TOKENS setting
- pkg/version/version: Bump to v0.34.7

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@@ -1,4 +1,5 @@
|
|||||||
{
|
{
|
||||||
|
"MAX_THINKING_TOKENS": "8000",
|
||||||
"permissions": {
|
"permissions": {
|
||||||
"allow": [
|
"allow": [
|
||||||
"Bash:*",
|
"Bash:*",
|
||||||
|
|||||||
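Review bot: The added `"MAX_THINKING_TOKENS": "8000"` line is unrelated to the NIP-42 fix named in the commit title, and it lands in `.claude/settings.local.json`, a local settings file whose visible `allow` list also contains `"Bash:*"`. Suggest moving it to its own commit, or keeping local settings out of the repository, and confirming that the tool reads this key at the top level next to `permissions` and accepts the value as a string.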
@@ -150,10 +150,20 @@ Event kind `7` for reactions:
|
|||||||
|
|
||||||
#### NIP-42: Authentication
|
#### NIP-42: Authentication
|
||||||
Client authentication to relays:
|
Client authentication to relays:
|
||||||
- AUTH message from relay
|
- AUTH message from relay (challenge)
|
||||||
- Client responds with event kind `22242`
|
- Client responds with event kind `22242` signed auth event
|
||||||
- Proves key ownership
|
- Proves key ownership
|
||||||
|
|
||||||
|
**CRITICAL: Clients MUST wait for OK response after AUTH**
|
||||||
|
- Relays MUST respond to AUTH with an OK message (same as EVENT)
|
||||||
|
- An OK with `true` confirms the relay has stored the authenticated pubkey
|
||||||
|
- An OK with `false` indicates authentication failed:
|
||||||
|
1. **Alert the user** that authentication failed
|
||||||
|
2. **Assume the relay will reject** subsequent events requiring auth
|
||||||
|
3. Check the `reason` field for error details (e.g., "error: failed to parse auth event")
|
||||||
|
- Do NOT send events requiring authentication until OK `true` is received
|
||||||
|
- If no OK is received within timeout, assume connection issues and retry or alert user
|
||||||
|
|
||||||
#### NIP-50: Search
|
#### NIP-50: Search
|
||||||
Query filter extension for full-text search:
|
Query filter extension for full-text search:
|
||||||
- `search` field in REQ filters
|
- `search` field in REQ filters
|
||||||
|
|||||||
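Review bot: The new client guidance does not say which event ID the OK carries, so a client that matches OK messages against the ID of the kind `22242` event it sent may ignore the parse-failure OK, which this commit sends with a zero event ID. Suggest adding a bullet stating that an OK with an all-zero ID received after AUTH refers to that AUTH. The last bullet should also give a concrete value or range for "timeout" and say whether "retry" means re-sending the same signed event or waiting for a fresh challenge.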
12
CLAUDE.md
@@ -901,6 +901,18 @@ WebAssembly-compatible database backend (`pkg/wasmdb/`):
|
|||||||
- `ORLY_AUTH_REQUIRED=true`: Require authentication for ALL requests
|
- `ORLY_AUTH_REQUIRED=true`: Require authentication for ALL requests
|
||||||
- `ORLY_AUTH_TO_WRITE=true`: Require authentication only for writes (allow anonymous reads)
|
- `ORLY_AUTH_TO_WRITE=true`: Require authentication only for writes (allow anonymous reads)
|
||||||
|
|
||||||
|
### NIP-42 AUTH Protocol (IMPORTANT for Client Developers)
|
||||||
|
Per NIP-42, this relay always responds to AUTH messages with an OK message:
|
||||||
|
- **Clients MUST wait for the OK response** after sending AUTH before publishing events
|
||||||
|
- An OK with `true` confirms the relay has stored the authenticated pubkey
|
||||||
|
- An OK with `false` indicates authentication failed - clients should:
|
||||||
|
1. Alert the user that authentication failed
|
||||||
|
2. Assume the relay will reject subsequent events requiring auth
|
||||||
|
3. Check the reason field for error details
|
||||||
|
- If no OK is received within a reasonable timeout, assume connection issues
|
||||||
|
|
||||||
|
Implementation: `app/handle-auth.go`
|
||||||
|
|
||||||
### NIP-43 Relay Access Metadata
|
### NIP-43 Relay Access Metadata
|
||||||
Invite-based access control system:
|
Invite-based access control system:
|
||||||
- `ORLY_NIP43_ENABLED=true`: Enable invite system
|
- `ORLY_NIP43_ENABLED=true`: Enable invite system
|
||||||
|
|||||||
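Review bot: This section repeats the SKILL.md list in different wording, and the two copies already diverge: the last bullet here stops at "assume connection issues", while SKILL.md adds "retry or alert user" and a separate bullet forbidding auth-required events before OK `true`. Suggest keeping one canonical copy and linking to it, or aligning the bullets. The opening claim that the relay "always" responds with OK would also be stronger with a test reference next to `app/handle-auth.go`, since the code hunk in this commit only covers the unmarshal-failure path.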
@@ -5,13 +5,25 @@ import (
|
|||||||
"lol.mleku.dev/log"
|
"lol.mleku.dev/log"
|
||||||
"git.mleku.dev/mleku/nostr/encoders/envelopes/authenvelope"
|
"git.mleku.dev/mleku/nostr/encoders/envelopes/authenvelope"
|
||||||
"git.mleku.dev/mleku/nostr/encoders/envelopes/okenvelope"
|
"git.mleku.dev/mleku/nostr/encoders/envelopes/okenvelope"
|
||||||
|
"git.mleku.dev/mleku/nostr/encoders/reason"
|
||||||
"git.mleku.dev/mleku/nostr/protocol/auth"
|
"git.mleku.dev/mleku/nostr/protocol/auth"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// zeroEventID is used for OK responses when we cannot parse the event ID
|
||||||
|
var zeroEventID = make([]byte, 32)
|
||||||
|
|
||||||
func (l *Listener) HandleAuth(b []byte) (err error) {
|
func (l *Listener) HandleAuth(b []byte) (err error) {
|
||||||
var rem []byte
|
var rem []byte
|
||||||
env := authenvelope.NewResponse()
|
env := authenvelope.NewResponse()
|
||||||
if rem, err = env.Unmarshal(b); chk.E(err) {
|
if rem, err = env.Unmarshal(b); chk.E(err) {
|
||||||
|
// NIP-42: AUTH messages MUST be answered with an OK message
|
||||||
|
// For parse failures, use zero event ID
|
||||||
|
log.E.F("%s AUTH unmarshal failed: %v", l.remote, err)
|
||||||
|
if writeErr := okenvelope.NewFrom(
|
||||||
|
zeroEventID, false, reason.Error.F("failed to parse auth event: %s", err),
|
||||||
|
).Write(l); chk.E(writeErr) {
|
||||||
|
return writeErr
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
defer func() {
|
defer func() {
|
||||||
|
|||||||
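Review bot: In the new unmarshal-failure branch, `reason.Error.F("failed to parse auth event: %s", err)` returns the raw parser error to a peer that has not authenticated, and `log.E.F` writes an error-level line for every malformed AUTH frame, so log volume is controlled by the remote side. Suggest sending a fixed reason string, keeping the parser detail in the log only, and logging at a lower level or rate-limited per `l.remote`. Separately, `zeroEventID` is a package-level `[]byte` shared by every listener; unless `okenvelope.NewFrom` is known to copy it or treat it as read-only, allocate it per call or document that it must never be written. When `Write` fails, `writeErr` replaces the original parse error in the return value, so consider wrapping or logging both.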
@@ -1 +1 @@
|
|||||||
v0.34.6
|
v0.34.7
|
||||||