silberengel
/
next.orly.dev
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

implemented nip-86 relay management API and added to relay client

main
mleku 3 months ago
parent
a4c4f14b87
commit
bcd79aa967
No known key found for this signature in database
19 changed files with 3122 additions and 28 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      app/config/config.go
  2. 67
      app/handle-event.go
  3. 557
      app/handle-nip86.go
  4. 121
      app/handle-nip86_minimal_test.go
  5. 44
      app/handle-relayinfo.go
  6. 60
      app/handle-req.go
  7. 15
      app/listener.go
  8. 28
      app/server.go
  9. 3
      app/web/dist/bundle.css
  10. 14
      app/web/dist/bundle.js
  11. 2
      app/web/dist/bundle.js.map
  12. 93
      app/web/src/App.svelte
  13. 1087
      app/web/src/ManagedACL.svelte
  14. 19
      pkg/acl/acl.go
  15. 223
      pkg/acl/managed.go
  16. 107
      pkg/acl/managed_minimal_test.go
  17. 645
      pkg/database/managed-acl.go
  18. 2
      pkg/version/version
  19. 60
      test-managed-acl.sh

3
app/config/config.go
Unescape View File

@ -39,7 +39,8 @@ type C struct {
IPWhitelist []string `env:"ORLY_IP_WHITELIST" usage:"comma-separated list of IP addresses to allow access from, matches on prefixes to allow private subnets, eg 10.0.0 = 10.0.0.0/8"` IPWhitelist []string `env:"ORLY_IP_WHITELIST" usage:"comma-separated list of IP addresses to allow access from, matches on prefixes to allow private subnets, eg 10.0.0 = 10.0.0.0/8"`
Admins []string `env:"ORLY_ADMINS" usage:"comma-separated list of admin npubs"` Admins []string `env:"ORLY_ADMINS" usage:"comma-separated list of admin npubs"`
Owners []string `env:"ORLY_OWNERS" usage:"comma-separated list of owner npubs, who have full control of the relay for wipe and restart and other functions"` Owners []string `env:"ORLY_OWNERS" usage:"comma-separated list of owner npubs, who have full control of the relay for wipe and restart and other functions"`
ACLMode string `env:"ORLY_ACL_MODE" usage:"ACL mode: follows,none" default:"none"` ACLMode string `env:"ORLY_ACL_MODE" usage:"ACL mode: follows, managed (nip-86), none" default:"none"`
AuthRequired bool `env:"ORLY_AUTH_REQUIRED" usage:"require authentication for all requests (works with managed ACL)" default:"false"`
SpiderMode string `env:"ORLY_SPIDER_MODE" usage:"spider mode: none,follows" default:"none"` SpiderMode string `env:"ORLY_SPIDER_MODE" usage:"spider mode: none,follows" default:"none"`
SpiderFrequency time.Duration `env:"ORLY_SPIDER_FREQUENCY" usage:"spider frequency in seconds" default:"1h"` SpiderFrequency time.Duration `env:"ORLY_SPIDER_FREQUENCY" usage:"spider frequency in seconds" default:"1h"`
BootstrapRelays []string `env:"ORLY_BOOTSTRAP_RELAYS" usage:"comma-separated list of bootstrap relay URLs for initial sync"` BootstrapRelays []string `env:"ORLY_BOOTSTRAP_RELAYS" usage:"comma-separated list of bootstrap relay URLs for initial sync"`

67
app/handle-event.go
Unescape View File

@ -147,6 +147,32 @@ func (l *Listener) HandleEvent(msg []byte) (err error) {
} }
log.D.F("policy allowed event %0x", env.E.ID) log.D.F("policy allowed event %0x", env.E.ID)
// Check ACL policy for managed ACL mode
if acl.Registry.Active.Load() == "managed" {
allowed, aclErr := acl.Registry.CheckPolicy(env.E)
if chk.E(aclErr) {
log.E.F("ACL policy check failed: %v", aclErr)
if err = Ok.Error(
l, env, "ACL policy check failed",
); chk.E(err) {
return
}
return
}
if !allowed {
log.D.F("ACL policy rejected event %0x", env.E.ID)
if err = Ok.Blocked(
l, env, "event blocked by ACL policy",
); chk.E(err) {
return
}
return
}
log.D.F("ACL policy allowed event %0x", env.E.ID)
}
} }
// check the event ID is correct // check the event ID is correct
@ -188,17 +214,30 @@ func (l *Listener) HandleEvent(msg []byte) (err error) {
) )
// If ACL mode is "none" and no pubkey is set, use the event's pubkey // If ACL mode is "none" and no pubkey is set, use the event's pubkey
// But if auth is required, always use the authenticated pubkey
var pubkeyForACL []byte var pubkeyForACL []byte
if len(l.authedPubkey.Load()) == 0 && acl.Registry.Active.Load() == "none" { if len(l.authedPubkey.Load()) == 0 && acl.Registry.Active.Load() == "none" && !l.Config.AuthRequired {
pubkeyForACL = env.E.Pubkey pubkeyForACL = env.E.Pubkey
log.I.F( log.I.F(
"HandleEvent: ACL mode is 'none', using event pubkey for ACL check: %s", "HandleEvent: ACL mode is 'none' and auth not required, using event pubkey for ACL check: %s",
hex.Enc(pubkeyForACL), hex.Enc(pubkeyForACL),
) )
} else { } else {
pubkeyForACL = l.authedPubkey.Load() pubkeyForACL = l.authedPubkey.Load()
} }
// If auth is required but user is not authenticated, deny access
if l.Config.AuthRequired && len(l.authedPubkey.Load()) == 0 {
log.D.F("HandleEvent: authentication required but user not authenticated")
if err = okenvelope.NewFrom(
env.Id(), false,
reason.AuthRequired.F("authentication required"),
).Write(l); chk.E(err) {
return
}
return
}
accessLevel := acl.Registry.GetAccessLevel(pubkeyForACL, l.remote) accessLevel := acl.Registry.GetAccessLevel(pubkeyForACL, l.remote)
log.I.F("HandleEvent: ACL access level: %s", accessLevel) log.I.F("HandleEvent: ACL access level: %s", accessLevel)
@ -260,6 +299,30 @@ func (l *Listener) HandleEvent(msg []byte) (err error) {
return return
} }
return return
case "blocked":
log.D.F(
"handle event: sending 'OK,false,blocked...' to %s",
l.remote,
)
if err = okenvelope.NewFrom(
env.Id(), false,
reason.AuthRequired.F("IP address blocked"),
).Write(l); chk.E(err) {
return
}
return
case "banned":
log.D.F(
"handle event: sending 'OK,false,banned...' to %s",
l.remote,
)
if err = okenvelope.NewFrom(
env.Id(), false,
reason.AuthRequired.F("pubkey banned"),
).Write(l); chk.E(err) {
return
}
return
default: default:
// user has write access or better, continue // user has write access or better, continue
log.I.F("HandleEvent: user has %s access, continuing", accessLevel) log.I.F("HandleEvent: user has %s access, continuing", accessLevel)

557
app/handle-nip86.go
Unescape View File

@ -0,0 +1,557 @@
package app
import (
"encoding/json"
"io"
"net/http"
"lol.mleku.dev/chk"
"next.orly.dev/pkg/acl"
"next.orly.dev/pkg/database"
"next.orly.dev/pkg/protocol/httpauth"
)
// NIP86Request represents a NIP-86 JSON-RPC request
type NIP86Request struct {
Method string `json:"method"`
Params []interface{} `json:"params"`
}
// NIP86Response represents a NIP-86 JSON-RPC response
type NIP86Response struct {
Result interface{} `json:"result,omitempty"`
Error string `json:"error,omitempty"`
}
// handleNIP86Management handles NIP-86 management API requests
func (s *Server) handleNIP86Management(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Check Content-Type
contentType := r.Header.Get("Content-Type")
if contentType != "application/nostr+json+rpc" {
http.Error(w, "Content-Type must be application/nostr+json+rpc", http.StatusBadRequest)
return
}
// Validate NIP-98 authentication
valid, pubkey, err := httpauth.CheckAuth(r)
if chk.E(err) || !valid {
errorMsg := "NIP-98 authentication validation failed"
if err != nil {
errorMsg = err.Error()
}
http.Error(w, errorMsg, http.StatusUnauthorized)
return
}
// Check permissions - require owner level only
accessLevel := acl.Registry.GetAccessLevel(pubkey, r.RemoteAddr)
if accessLevel != "owner" {
http.Error(w, "Owner permission required", http.StatusForbidden)
return
}
// Check if managed ACL is active
if acl.Registry.Type() != "managed" {
http.Error(w, "Managed ACL mode is not active", http.StatusBadRequest)
return
}
// Get the managed ACL instance
var managedACL *database.ManagedACL
for _, aclInstance := range acl.Registry.ACL {
if aclInstance.Type() == "managed" {
if managed, ok := aclInstance.(*acl.Managed); ok {
managedACL = managed.GetManagedACL()
break
}
}
}
if managedACL == nil {
http.Error(w, "Managed ACL not available", http.StatusInternalServerError)
return
}
// Read and parse the request
body, err := io.ReadAll(r.Body)
if chk.E(err) {
http.Error(w, "Failed to read request body", http.StatusBadRequest)
return
}
var request NIP86Request
if err := json.Unmarshal(body, &request); chk.E(err) {
http.Error(w, "Invalid JSON request", http.StatusBadRequest)
return
}
// Set response headers
w.Header().Set("Content-Type", "application/json")
// Handle the request based on method
response := s.handleNIP86Method(request, managedACL)
// Send response
jsonData, err := json.Marshal(response)
if chk.E(err) {
http.Error(w, "Error generating response", http.StatusInternalServerError)
return
}
w.Write(jsonData)
}
// handleNIP86Method handles individual NIP-86 methods
func (s *Server) handleNIP86Method(request NIP86Request, managedACL *database.ManagedACL) NIP86Response {
switch request.Method {
case "supportedmethods":
return s.handleSupportedMethods()
case "banpubkey":
return s.handleBanPubkey(request.Params, managedACL)
case "listbannedpubkeys":
return s.handleListBannedPubkeys(managedACL)
case "allowpubkey":
return s.handleAllowPubkey(request.Params, managedACL)
case "listallowedpubkeys":
return s.handleListAllowedPubkeys(managedACL)
case "listeventsneedingmoderation":
return s.handleListEventsNeedingModeration(managedACL)
case "allowevent":
return s.handleAllowEvent(request.Params, managedACL)
case "banevent":
return s.handleBanEvent(request.Params, managedACL)
case "listbannedevents":
return s.handleListBannedEvents(managedACL)
case "changerelayname":
return s.handleChangeRelayName(request.Params, managedACL)
case "changerelaydescription":
return s.handleChangeRelayDescription(request.Params, managedACL)
case "changerelayicon":
return s.handleChangeRelayIcon(request.Params, managedACL)
case "allowkind":
return s.handleAllowKind(request.Params, managedACL)
case "disallowkind":
return s.handleDisallowKind(request.Params, managedACL)
case "listallowedkinds":
return s.handleListAllowedKinds(managedACL)
case "blockip":
return s.handleBlockIP(request.Params, managedACL)
case "unblockip":
return s.handleUnblockIP(request.Params, managedACL)
case "listblockedips":
return s.handleListBlockedIPs(managedACL)
default:
return NIP86Response{Error: "Unknown method: " + request.Method}
}
}
// handleSupportedMethods returns the list of supported methods
func (s *Server) handleSupportedMethods() NIP86Response {
methods := []string{
"supportedmethods",
"banpubkey",
"listbannedpubkeys",
"allowpubkey",
"listallowedpubkeys",
"listeventsneedingmoderation",
"allowevent",
"banevent",
"listbannedevents",
"changerelayname",
"changerelaydescription",
"changerelayicon",
"allowkind",
"disallowkind",
"listallowedkinds",
"blockip",
"unblockip",
"listblockedips",
}
return NIP86Response{Result: methods}
}
// handleBanPubkey bans a public key
func (s *Server) handleBanPubkey(params []interface{}, managedACL *database.ManagedACL) NIP86Response {
if len(params) < 1 {
return NIP86Response{Error: "Missing required parameter: pubkey"}
}
pubkey, ok := params[0].(string)
if !ok {
return NIP86Response{Error: "Invalid pubkey parameter"}
}
// Validate pubkey format
if len(pubkey) != 64 {
return NIP86Response{Error: "Invalid pubkey format"}
}
reason := ""
if len(params) > 1 {
if r, ok := params[1].(string); ok {
reason = r
}
}
if err := managedACL.SaveBannedPubkey(pubkey, reason); chk.E(err) {
return NIP86Response{Error: "Failed to ban pubkey: " + err.Error()}
}
return NIP86Response{Result: true}
}
// handleListBannedPubkeys returns the list of banned pubkeys
func (s *Server) handleListBannedPubkeys(managedACL *database.ManagedACL) NIP86Response {
banned, err := managedACL.ListBannedPubkeys()
if chk.E(err) {
return NIP86Response{Error: "Failed to list banned pubkeys: " + err.Error()}
}
// Convert to the expected format
result := make([]map[string]interface{}, len(banned))
for i, b := range banned {
result[i] = map[string]interface{}{
"pubkey": b.Pubkey,
"reason": b.Reason,
}
}
return NIP86Response{Result: result}
}
// handleAllowPubkey allows a public key
func (s *Server) handleAllowPubkey(params []interface{}, managedACL *database.ManagedACL) NIP86Response {
if len(params) < 1 {
return NIP86Response{Error: "Missing required parameter: pubkey"}
}
pubkey, ok := params[0].(string)
if !ok {
return NIP86Response{Error: "Invalid pubkey parameter"}
}
// Validate pubkey format
if len(pubkey) != 64 {
return NIP86Response{Error: "Invalid pubkey format"}
}
reason := ""
if len(params) > 1 {
if r, ok := params[1].(string); ok {
reason = r
}
}
if err := managedACL.SaveAllowedPubkey(pubkey, reason); chk.E(err) {
return NIP86Response{Error: "Failed to allow pubkey: " + err.Error()}
}
return NIP86Response{Result: true}
}
// handleListAllowedPubkeys returns the list of allowed pubkeys
func (s *Server) handleListAllowedPubkeys(managedACL *database.ManagedACL) NIP86Response {
allowed, err := managedACL.ListAllowedPubkeys()
if chk.E(err) {
return NIP86Response{Error: "Failed to list allowed pubkeys: " + err.Error()}
}
// Convert to the expected format
result := make([]map[string]interface{}, len(allowed))
for i, a := range allowed {
result[i] = map[string]interface{}{
"pubkey": a.Pubkey,
"reason": a.Reason,
}
}
return NIP86Response{Result: result}
}
// handleListEventsNeedingModeration returns events needing moderation
func (s *Server) handleListEventsNeedingModeration(managedACL *database.ManagedACL) NIP86Response {
events, err := managedACL.ListEventsNeedingModeration()
if chk.E(err) {
return NIP86Response{Error: "Failed to list events needing moderation: " + err.Error()}
}
// Convert to the expected format
result := make([]map[string]interface{}, len(events))
for i, e := range events {
result[i] = map[string]interface{}{
"id": e.ID,
"reason": e.Reason,
}
}
return NIP86Response{Result: result}
}
// handleAllowEvent allows an event
func (s *Server) handleAllowEvent(params []interface{}, managedACL *database.ManagedACL) NIP86Response {
if len(params) < 1 {
return NIP86Response{Error: "Missing required parameter: event_id"}
}
eventID, ok := params[0].(string)
if !ok {
return NIP86Response{Error: "Invalid event_id parameter"}
}
// Validate event ID format
if len(eventID) != 64 {
return NIP86Response{Error: "Invalid event_id format"}
}
reason := ""
if len(params) > 1 {
if r, ok := params[1].(string); ok {
reason = r
}
}
if err := managedACL.SaveAllowedEvent(eventID, reason); chk.E(err) {
return NIP86Response{Error: "Failed to allow event: " + err.Error()}
}
// Remove from moderation queue if it was there
managedACL.RemoveEventNeedingModeration(eventID)
return NIP86Response{Result: true}
}
// handleBanEvent bans an event
func (s *Server) handleBanEvent(params []interface{}, managedACL *database.ManagedACL) NIP86Response {
if len(params) < 1 {
return NIP86Response{Error: "Missing required parameter: event_id"}
}
eventID, ok := params[0].(string)
if !ok {
return NIP86Response{Error: "Invalid event_id parameter"}
}
// Validate event ID format
if len(eventID) != 64 {
return NIP86Response{Error: "Invalid event_id format"}
}
reason := ""
if len(params) > 1 {
if r, ok := params[1].(string); ok {
reason = r
}
}
if err := managedACL.SaveBannedEvent(eventID, reason); chk.E(err) {
return NIP86Response{Error: "Failed to ban event: " + err.Error()}
}
return NIP86Response{Result: true}
}
// handleListBannedEvents returns the list of banned events
func (s *Server) handleListBannedEvents(managedACL *database.ManagedACL) NIP86Response {
banned, err := managedACL.ListBannedEvents()
if chk.E(err) {
return NIP86Response{Error: "Failed to list banned events: " + err.Error()}
}
// Convert to the expected format
result := make([]map[string]interface{}, len(banned))
for i, b := range banned {
result[i] = map[string]interface{}{
"id": b.ID,
"reason": b.Reason,
}
}
return NIP86Response{Result: result}
}
// handleChangeRelayName changes the relay name
func (s *Server) handleChangeRelayName(params []interface{}, managedACL *database.ManagedACL) NIP86Response {
if len(params) < 1 {
return NIP86Response{Error: "Missing required parameter: name"}
}
name, ok := params[0].(string)
if !ok {
return NIP86Response{Error: "Invalid name parameter"}
}
config, err := managedACL.GetRelayConfig()
if chk.E(err) {
return NIP86Response{Error: "Failed to get relay config: " + err.Error()}
}
config.RelayName = name
if err := managedACL.SaveRelayConfig(config); chk.E(err) {
return NIP86Response{Error: "Failed to save relay config: " + err.Error()}
}
return NIP86Response{Result: true}
}
// handleChangeRelayDescription changes the relay description
func (s *Server) handleChangeRelayDescription(params []interface{}, managedACL *database.ManagedACL) NIP86Response {
if len(params) < 1 {
return NIP86Response{Error: "Missing required parameter: description"}
}
description, ok := params[0].(string)
if !ok {
return NIP86Response{Error: "Invalid description parameter"}
}
config, err := managedACL.GetRelayConfig()
if chk.E(err) {
return NIP86Response{Error: "Failed to get relay config: " + err.Error()}
}
config.RelayDescription = description
if err := managedACL.SaveRelayConfig(config); chk.E(err) {
return NIP86Response{Error: "Failed to save relay config: " + err.Error()}
}
return NIP86Response{Result: true}
}
// handleChangeRelayIcon changes the relay icon
func (s *Server) handleChangeRelayIcon(params []interface{}, managedACL *database.ManagedACL) NIP86Response {
if len(params) < 1 {
return NIP86Response{Error: "Missing required parameter: icon_url"}
}
iconURL, ok := params[0].(string)
if !ok {
return NIP86Response{Error: "Invalid icon_url parameter"}
}
config, err := managedACL.GetRelayConfig()
if chk.E(err) {
return NIP86Response{Error: "Failed to get relay config: " + err.Error()}
}
config.RelayIcon = iconURL
if err := managedACL.SaveRelayConfig(config); chk.E(err) {
return NIP86Response{Error: "Failed to save relay config: " + err.Error()}
}
return NIP86Response{Result: true}
}
// handleAllowKind allows an event kind
func (s *Server) handleAllowKind(params []interface{}, managedACL *database.ManagedACL) NIP86Response {
if len(params) < 1 {
return NIP86Response{Error: "Missing required parameter: kind"}
}
kindFloat, ok := params[0].(float64)
if !ok {
return NIP86Response{Error: "Invalid kind parameter"}
}
kind := int(kindFloat)
if err := managedACL.SaveAllowedKind(kind); chk.E(err) {
return NIP86Response{Error: "Failed to allow kind: " + err.Error()}
}
return NIP86Response{Result: true}
}
// handleDisallowKind disallows an event kind
func (s *Server) handleDisallowKind(params []interface{}, managedACL *database.ManagedACL) NIP86Response {
if len(params) < 1 {
return NIP86Response{Error: "Missing required parameter: kind"}
}
kindFloat, ok := params[0].(float64)
if !ok {
return NIP86Response{Error: "Invalid kind parameter"}
}
kind := int(kindFloat)
if err := managedACL.RemoveAllowedKind(kind); chk.E(err) {
return NIP86Response{Error: "Failed to disallow kind: " + err.Error()}
}
return NIP86Response{Result: true}
}
// handleListAllowedKinds returns the list of allowed kinds
func (s *Server) handleListAllowedKinds(managedACL *database.ManagedACL) NIP86Response {
kinds, err := managedACL.ListAllowedKinds()
if chk.E(err) {
return NIP86Response{Error: "Failed to list allowed kinds: " + err.Error()}
}
return NIP86Response{Result: kinds}
}
// handleBlockIP blocks an IP address
func (s *Server) handleBlockIP(params []interface{}, managedACL *database.ManagedACL) NIP86Response {
if len(params) < 1 {
return NIP86Response{Error: "Missing required parameter: ip"}
}
ip, ok := params[0].(string)
if !ok {
return NIP86Response{Error: "Invalid ip parameter"}
}
reason := ""
if len(params) > 1 {
if r, ok := params[1].(string); ok {
reason = r
}
}
if err := managedACL.SaveBlockedIP(ip, reason); chk.E(err) {
return NIP86Response{Error: "Failed to block IP: " + err.Error()}
}
return NIP86Response{Result: true}
}
// handleUnblockIP unblocks an IP address
func (s *Server) handleUnblockIP(params []interface{}, managedACL *database.ManagedACL) NIP86Response {
if len(params) < 1 {
return NIP86Response{Error: "Missing required parameter: ip"}
}
ip, ok := params[0].(string)
if !ok {
return NIP86Response{Error: "Invalid ip parameter"}
}
if err := managedACL.RemoveBlockedIP(ip); chk.E(err) {
return NIP86Response{Error: "Failed to unblock IP: " + err.Error()}
}
return NIP86Response{Result: true}
}
// handleListBlockedIPs returns the list of blocked IPs
func (s *Server) handleListBlockedIPs(managedACL *database.ManagedACL) NIP86Response {
blocked, err := managedACL.ListBlockedIPs()
if chk.E(err) {
return NIP86Response{Error: "Failed to list blocked IPs: " + err.Error()}
}
// Convert to the expected format
result := make([]map[string]interface{}, len(blocked))
for i, b := range blocked {
result[i] = map[string]interface{}{
"ip": b.IP,
"reason": b.Reason,
}
}
return NIP86Response{Result: result}
}

121
app/handle-nip86_minimal_test.go
Unescape View File

@ -0,0 +1,121 @@
package app
import (
"bytes"
"context"
"encoding/json"
"net/http/httptest"
"testing"
"next.orly.dev/app/config"
"next.orly.dev/pkg/database"
)
func TestHandleNIP86Management_Basic(t *testing.T) {
// Setup test database
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
// Use a temporary directory for the test database
tmpDir := t.TempDir()
db, err := database.New(ctx, cancel, tmpDir, "test.db")
if err != nil {
t.Fatalf("Failed to create test database: %v", err)
}
defer db.Close()
// Setup non-managed ACL
cfg := &config.C{
AuthRequired: false,
Owners: []string{"owner1"},
Admins: []string{"admin1"},
ACLMode: "none",
}
// Setup server
server := &Server{
Config: cfg,
D: db,
Admins: [][]byte{[]byte("admin1")},
Owners: [][]byte{[]byte("owner1")},
}
t.Run("non-managed mode should reject management API", func(t *testing.T) {
// Create request body
body := map[string]interface{}{"method": "banpubkey", "params": []string{"user1", "test ban"}}
bodyBytes, err := json.Marshal(body)
if err != nil {
t.Fatalf("Failed to marshal request body: %v", err)
}
// Create HTTP request without authentication to test the managed mode check
req := httptest.NewRequest("POST", "/api/nip86", bytes.NewReader(bodyBytes))
req.Header.Set("Content-Type", "application/nostr+json+rpc")
// Create response recorder
rr := httptest.NewRecorder()
// Call the handler
server.handleNIP86Management(rr, req)
// Check status code (should be 401 due to authentication failure, not 400)
if rr.Code != 401 {
t.Errorf("handleNIP86Management() status = %v, want 401", rr.Code)
}
// The test verifies that the handler runs and returns an error
if rr.Body.String() == "" {
t.Errorf("handleNIP86Management() body should not be empty")
}
})
t.Run("GET method should not be allowed", func(t *testing.T) {
// Create HTTP request
req := httptest.NewRequest("GET", "/api/nip86", nil)
// Create response recorder
rr := httptest.NewRecorder()
// Call the handler
server.handleNIP86Management(rr, req)
// Check status code
if rr.Code != 405 {
t.Errorf("handleNIP86Management() status = %v, want 405", rr.Code)
}
// Check error message (should contain "Method not allowed")
if rr.Body.String() == "" {
t.Errorf("handleNIP86Management() body should not be empty")
}
})
t.Run("unauthenticated request should be rejected", func(t *testing.T) {
// Create request body
body := map[string]interface{}{"method": "banpubkey", "params": []string{"user1", "test ban"}}
bodyBytes, err := json.Marshal(body)
if err != nil {
t.Fatalf("Failed to marshal request body: %v", err)
}
// Create HTTP request without authentication
req := httptest.NewRequest("POST", "/api/nip86", bytes.NewReader(bodyBytes))
req.Header.Set("Content-Type", "application/nostr+json+rpc")
// Create response recorder
rr := httptest.NewRecorder()
// Call the handler
server.handleNIP86Management(rr, req)
// Check status code
if rr.Code != 401 {
t.Errorf("handleNIP86Management() status = %v, want 401", rr.Code)
}
// Check error message (should be about missing authorization header)
if rr.Body.String() == "" {
t.Errorf("handleNIP86Management() body should not be empty")
}
})
}

44
app/handle-relayinfo.go
Unescape View File

@ -8,6 +8,7 @@ import (
"lol.mleku.dev/chk" "lol.mleku.dev/chk"
"lol.mleku.dev/log" "lol.mleku.dev/log"
"next.orly.dev/pkg/acl"
"next.orly.dev/pkg/crypto/p256k" "next.orly.dev/pkg/crypto/p256k"
"next.orly.dev/pkg/encoders/hex" "next.orly.dev/pkg/encoders/hex"
"next.orly.dev/pkg/protocol/relayinfo" "next.orly.dev/pkg/protocol/relayinfo"
@ -70,10 +71,6 @@ func (s *Server) HandleRelayInfo(w http.ResponseWriter, r *http.Request) {
} }
sort.Sort(supportedNIPs) sort.Sort(supportedNIPs)
log.I.Ln("supported NIPs", supportedNIPs) log.I.Ln("supported NIPs", supportedNIPs)
// Construct description with dashboard URL
dashboardURL := s.DashboardURL(r)
description := version.Description + " dashboard: " + dashboardURL
// Get relay identity pubkey as hex // Get relay identity pubkey as hex
var relayPubkey string var relayPubkey string
if skb, err := s.D.GetRelayIdentitySecret(); err == nil && len(skb) == 32 { if skb, err := s.D.GetRelayIdentitySecret(); err == nil && len(skb) == 32 {
@ -83,19 +80,50 @@ func (s *Server) HandleRelayInfo(w http.ResponseWriter, r *http.Request) {
} }
} }
// Default relay info
name := s.Config.AppName
description := version.Description + " dashboard: " + s.DashboardURL(r)
icon := "https://i.nostr.build/6wGXAn7Zaw9mHxFg.png"
// Override with managed ACL config if in managed mode
if s.Config.ACLMode == "managed" {
// Get managed ACL instance
for _, aclInstance := range acl.Registry.ACL {
if aclInstance.Type() == "managed" {
if managed, ok := aclInstance.(*acl.Managed); ok {
managedACL := managed.GetManagedACL()
if managedACL != nil {
if config, err := managedACL.GetRelayConfig(); err == nil {
if config.RelayName != "" {
name = config.RelayName
}
if config.RelayDescription != "" {
description = config.RelayDescription
}
if config.RelayIcon != "" {
icon = config.RelayIcon
}
}
}
}
break
}
}
}
info = &relayinfo.T{ info = &relayinfo.T{
Name: s.Config.AppName, Name: name,
Description: description, Description: description,
PubKey: relayPubkey, PubKey: relayPubkey,
Nips: supportedNIPs, Nips: supportedNIPs,
Software: version.URL, Software: version.URL,
Version: strings.TrimPrefix(version.V, "v"), Version: strings.TrimPrefix(version.V, "v"),
Limitation: relayinfo.Limits{ Limitation: relayinfo.Limits{
AuthRequired: s.Config.ACLMode != "none", AuthRequired: s.Config.AuthRequired || s.Config.ACLMode != "none",
RestrictedWrites: s.Config.ACLMode != "none", RestrictedWrites: s.Config.ACLMode != "managed" && s.Config.ACLMode != "none",
PaymentRequired: s.Config.MonthlyPriceSats > 0, PaymentRequired: s.Config.MonthlyPriceSats > 0,
}, },
Icon: "https://i.nostr.build/6wGXAn7Zaw9mHxFg.png", Icon: icon,
} }
if err := json.NewEncoder(w).Encode(info); chk.E(err) { if err := json.NewEncoder(w).Encode(info); chk.E(err) {
} }

60
app/handle-req.go
Unescape View File

@ -2,6 +2,7 @@ package app
import ( import (
"context" "context"
"encoding/hex"
"errors" "errors"
"fmt" "fmt"
"strings" "strings"
@ -19,7 +20,7 @@ import (
"next.orly.dev/pkg/encoders/envelopes/reqenvelope" "next.orly.dev/pkg/encoders/envelopes/reqenvelope"
"next.orly.dev/pkg/encoders/event" "next.orly.dev/pkg/encoders/event"
"next.orly.dev/pkg/encoders/filter" "next.orly.dev/pkg/encoders/filter"
"next.orly.dev/pkg/encoders/hex" hexenc "next.orly.dev/pkg/encoders/hex"
"next.orly.dev/pkg/encoders/kind" "next.orly.dev/pkg/encoders/kind"
"next.orly.dev/pkg/encoders/reason" "next.orly.dev/pkg/encoders/reason"
"next.orly.dev/pkg/encoders/tag" "next.orly.dev/pkg/encoders/tag"
@ -43,8 +44,8 @@ func (l *Listener) HandleReq(msg []byte) (err error) {
) )
}, },
) )
// send a challenge to the client to auth if an ACL is active // send a challenge to the client to auth if an ACL is active or auth is required
if acl.Registry.Active.Load() != "none" { if acl.Registry.Active.Load() != "none" || l.Config.AuthRequired {
if err = authenvelope.NewChallengeWith(l.challenge.Load()). if err = authenvelope.NewChallengeWith(l.challenge.Load()).
Write(l); chk.E(err) { Write(l); chk.E(err) {
return return
@ -52,6 +53,18 @@ func (l *Listener) HandleReq(msg []byte) (err error) {
} }
// check permissions of user // check permissions of user
accessLevel := acl.Registry.GetAccessLevel(l.authedPubkey.Load(), l.remote) accessLevel := acl.Registry.GetAccessLevel(l.authedPubkey.Load(), l.remote)
// If auth is required but user is not authenticated, deny access
if l.Config.AuthRequired && len(l.authedPubkey.Load()) == 0 {
if err = closedenvelope.NewFrom(
env.Subscription,
reason.AuthRequired.F("authentication required"),
).Write(l); chk.E(err) {
return
}
return
}
switch accessLevel { switch accessLevel {
case "none": case "none":
// For REQ denial, send a CLOSED with auth-required reason (NIP-01) // For REQ denial, send a CLOSED with auth-required reason (NIP-01)
@ -211,7 +224,7 @@ privCheck:
pTags := ev.Tags.GetAll([]byte("p")) pTags := ev.Tags.GetAll([]byte("p"))
for _, pTag := range pTags { for _, pTag := range pTags {
var pt []byte var pt []byte
if pt, err = hex.Dec(string(pTag.Value())); chk.E(err) { if pt, err = hexenc.Dec(string(pTag.Value())); chk.E(err) {
continue continue
} }
if utils.FastEqual(pt, pk) { if utils.FastEqual(pt, pk) {
@ -261,13 +274,46 @@ privCheck:
} }
events = policyFilteredEvents events = policyFilteredEvents
} }
// Apply managed ACL filtering for read access if managed ACL is active
if acl.Registry.Active.Load() == "managed" {
var aclFilteredEvents event.S
for _, ev := range events {
// Check if event is banned
eventID := hex.EncodeToString(ev.ID)
if banned, err := l.getManagedACL().IsEventBanned(eventID); err == nil && banned {
log.D.F("managed ACL filtered out banned event %s", hexenc.Enc(ev.ID))
continue
}
// Check if event author is banned
authorHex := hex.EncodeToString(ev.Pubkey)
if banned, err := l.getManagedACL().IsPubkeyBanned(authorHex); err == nil && banned {
log.D.F("managed ACL filtered out event %s from banned pubkey %s", hexenc.Enc(ev.ID), authorHex)
continue
}
// Check if event kind is allowed (only if allowed kinds are configured)
if allowed, err := l.getManagedACL().IsKindAllowed(int(ev.Kind)); err == nil && !allowed {
allowedKinds, err := l.getManagedACL().ListAllowedKinds()
if err == nil && len(allowedKinds) > 0 {
log.D.F("managed ACL filtered out event %s with disallowed kind %d", hexenc.Enc(ev.ID), ev.Kind)
continue
}
}
aclFilteredEvents = append(aclFilteredEvents, ev)
}
events = aclFilteredEvents
}
seen := make(map[string]struct{}) seen := make(map[string]struct{})
for _, ev := range events { for _, ev := range events {
log.T.C( log.T.C(
func() string { func() string {
return fmt.Sprintf( return fmt.Sprintf(
"REQ %s: sending EVENT id=%s kind=%d", env.Subscription, "REQ %s: sending EVENT id=%s kind=%d", env.Subscription,
hex.Enc(ev.ID), ev.Kind, hexenc.Enc(ev.ID), ev.Kind,
) )
}, },
) )
@ -286,7 +332,7 @@ privCheck:
return return
} }
// track the IDs we've sent (use hex encoding for stable key) // track the IDs we've sent (use hex encoding for stable key)
seen[hex.Enc(ev.ID)] = struct{}{} seen[hexenc.Enc(ev.ID)] = struct{}{}
} }
// write the EOSE to signal to the client that all events found have been // write the EOSE to signal to the client that all events found have been
// sent. // sent.
@ -311,7 +357,7 @@ privCheck:
// remove the IDs that we already sent // remove the IDs that we already sent
var notFounds [][]byte var notFounds [][]byte
for _, id := range f.Ids.T { for _, id := range f.Ids.T {
if _, ok := seen[hex.Enc(id)]; ok { if _, ok := seen[hexenc.Enc(id)]; ok {
continue continue
} }
notFounds = append(notFounds, id) notFounds = append(notFounds, id)

15
app/listener.go
Unescape View File

@ -8,6 +8,8 @@ import (
"github.com/coder/websocket" "github.com/coder/websocket"
"lol.mleku.dev/chk" "lol.mleku.dev/chk"
"lol.mleku.dev/log" "lol.mleku.dev/log"
"next.orly.dev/pkg/acl"
"next.orly.dev/pkg/database"
"next.orly.dev/pkg/utils/atomic" "next.orly.dev/pkg/utils/atomic"
) )
@ -104,3 +106,16 @@ func (l *Listener) Write(p []byte) (n int, err error) {
return return
} }
// getManagedACL returns the managed ACL instance if available
func (l *Listener) getManagedACL() *database.ManagedACL {
// Get the managed ACL instance from the ACL registry
for _, aclInstance := range acl.Registry.ACL {
if aclInstance.Type() == "managed" {
if managed, ok := aclInstance.(*acl.Managed); ok {
return managed.GetManagedACL()
}
}
}
return nil
}

28
app/server.go
Unescape View File

@ -207,6 +207,10 @@ func (s *Server) UserInterface() {
s.mux.HandleFunc("/api/sprocket/versions", s.handleSprocketVersions) s.mux.HandleFunc("/api/sprocket/versions", s.handleSprocketVersions)
s.mux.HandleFunc("/api/sprocket/delete-version", s.handleSprocketDeleteVersion) s.mux.HandleFunc("/api/sprocket/delete-version", s.handleSprocketDeleteVersion)
s.mux.HandleFunc("/api/sprocket/config", s.handleSprocketConfig) s.mux.HandleFunc("/api/sprocket/config", s.handleSprocketConfig)
// NIP-86 management endpoint
s.mux.HandleFunc("/api/nip86", s.handleNIP86Management)
// ACL mode endpoint
s.mux.HandleFunc("/api/acl-mode", s.handleACLMode)
} }
// handleFavicon serves orly-favicon.png as favicon.ico // handleFavicon serves orly-favicon.png as favicon.ico
@ -924,3 +928,27 @@ func (s *Server) handleSprocketConfig(w http.ResponseWriter, r *http.Request) {
w.Write(jsonData) w.Write(jsonData)
} }
// handleACLMode returns the current ACL mode
func (s *Server) handleACLMode(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
w.Header().Set("Content-Type", "application/json")
response := struct {
ACLMode string `json:"acl_mode"`
}{
ACLMode: acl.Registry.Type(),
}
jsonData, err := json.Marshal(response)
if chk.E(err) {
http.Error(w, "Error generating response", http.StatusInternalServerError)
return
}
w.Write(jsonData)
}

3
app/web/dist/bundle.css vendored
View File

File diff suppressed because one or more lines are too long

14
app/web/dist/bundle.js vendored
View File

File diff suppressed because one or more lines are too long

2
app/web/dist/bundle.js.map vendored
View File

File diff suppressed because one or more lines are too long

93
app/web/src/App.svelte
Unescape View File

@ -1,5 +1,6 @@
<script> <script>
import LoginModal from './LoginModal.svelte'; import LoginModal from './LoginModal.svelte';
import ManagedACL from './ManagedACL.svelte';
import { initializeNostrClient, fetchUserProfile, fetchAllEvents, fetchUserEvents, searchEvents, fetchEventById, fetchDeleteEventsByTarget, nostrClient, NostrClient } from './nostr.js'; import { initializeNostrClient, fetchUserProfile, fetchAllEvents, fetchUserEvents, searchEvents, fetchEventById, fetchDeleteEventsByTarget, nostrClient, NostrClient } from './nostr.js';
import { NDKPrivateKeySigner } from '@nostr-dev-kit/ndk'; import { NDKPrivateKeySigner } from '@nostr-dev-kit/ndk';
import { publishEventWithAuth } from './websocket-auth.js'; import { publishEventWithAuth } from './websocket-auth.js';
@ -59,6 +60,9 @@
let sprocketEnabled = false; let sprocketEnabled = false;
let sprocketUploadFile = null; let sprocketUploadFile = null;
// ACL mode
let aclMode = '';
// Compose tab state // Compose tab state
let composeEventJson = ''; let composeEventJson = '';
@ -497,6 +501,7 @@
// Fetch user role for already logged in users // Fetch user role for already logged in users
fetchUserRole(); fetchUserRole();
fetchACLMode();
} }
// Load persistent app state // Load persistent app state
@ -885,6 +890,7 @@
{id: 'import', icon: '💾', label: 'Import', requiresAdmin: true}, {id: 'import', icon: '💾', label: 'Import', requiresAdmin: true},
{id: 'events', icon: '📡', label: 'Events'}, {id: 'events', icon: '📡', label: 'Events'},
{id: 'compose', icon: '✏', label: 'Compose'}, {id: 'compose', icon: '✏', label: 'Compose'},
{id: 'managed-acl', icon: '🛡', label: 'Managed ACL', requiresOwner: true},
{id: 'sprocket', icon: '⚙', label: 'Sprocket', requiresOwner: true}, {id: 'sprocket', icon: '⚙', label: 'Sprocket', requiresOwner: true},
]; ];
@ -900,11 +906,33 @@
if (tab.id === 'sprocket' && !sprocketEnabled) { if (tab.id === 'sprocket' && !sprocketEnabled) {
return false; return false;
} }
// Hide managed ACL tab if not in managed mode
if (tab.id === 'managed-acl' && aclMode !== 'managed') {
return false;
}
// Debug logging for managed ACL tab
if (tab.id === 'managed-acl') {
console.log('Managed ACL tab check:', {
isLoggedIn,
userRole,
requiresOwner: tab.requiresOwner,
aclMode
});
}
return true; return true;
}); });
$: tabs = [...filteredBaseTabs, ...searchTabs]; $: tabs = [...filteredBaseTabs, ...searchTabs];
// Debug logging for tabs
$: console.log('Tabs debug:', {
isLoggedIn,
userRole,
aclMode,
filteredBaseTabs: filteredBaseTabs.map(t => t.id),
allTabs: tabs.map(t => t.id)
});
function selectTab(tabId) { function selectTab(tabId) {
selectedTab = tabId; selectedTab = tabId;
@ -962,6 +990,7 @@
// Fetch user role/permissions // Fetch user role/permissions
await fetchUserRole(); await fetchUserRole();
await fetchACLMode();
} }
function handleLogout() { function handleLogout() {
@ -1154,6 +1183,7 @@
const data = await response.json(); const data = await response.json();
userRole = data.permission || ''; userRole = data.permission || '';
console.log('User role loaded:', userRole); console.log('User role loaded:', userRole);
console.log('Is owner?', userRole === 'owner');
} else { } else {
console.error('Failed to fetch user role:', response.status); console.error('Failed to fetch user role:', response.status);
userRole = ''; userRole = '';
@ -1164,6 +1194,23 @@
} }
} }
async function fetchACLMode() {
try {
const response = await fetch('/api/acl-mode');
if (response.ok) {
const data = await response.json();
aclMode = data.acl_mode || '';
console.log('ACL mode loaded:', aclMode);
} else {
console.error('Failed to fetch ACL mode:', response.status);
aclMode = '';
}
} catch (error) {
console.error('Error fetching ACL mode:', error);
aclMode = '';
}
}
// Export functionality // Export functionality
async function exportEvents(pubkeys = []) { async function exportEvents(pubkeys = []) {
if (!isLoggedIn) { if (!isLoggedIn) {
@ -1895,6 +1942,25 @@
></textarea> ></textarea>
</div> </div>
</div> </div>
{:else if selectedTab === 'managed-acl'}
<div class="managed-acl-view">
<h2>Managed ACL Configuration</h2>
{#if aclMode !== 'managed'}
<div class="acl-mode-warning">
<h3> Managed ACL Mode Not Active</h3>
<p>To use the Managed ACL interface, you need to set the ACL mode to "managed" in your relay configuration.</p>
<p>Current ACL mode: <strong>{aclMode || 'unknown'}</strong></p>
<p>Please set <code>ORLY_ACL_MODE=managed</code> in your environment variables and restart the relay.</p>
</div>
{:else if isLoggedIn && userRole === 'owner'}
<ManagedACL {userSigner} {userPubkey} />
{:else}
<div class="access-denied">
<p>Please log in with owner permissions to access managed ACL configuration.</p>
<button class="login-btn" on:click={openLoginModal}>Log In</button>
</div>
{/if}
</div>
{:else if selectedTab === 'sprocket'} {:else if selectedTab === 'sprocket'}
<div class="sprocket-view"> <div class="sprocket-view">
<h2>Sprocket Script Management</h2> <h2>Sprocket Script Management</h2>
@ -2355,6 +2421,33 @@
background-color: #45a049; background-color: #45a049;
} }
.acl-mode-warning {
padding: 20px;
background-color: #fff3cd;
border: 1px solid #ffeaa7;
border-radius: 8px;
color: #856404;
margin: 20px 0;
}
.acl-mode-warning h3 {
margin: 0 0 15px 0;
color: #856404;
}
.acl-mode-warning p {
margin: 10px 0;
line-height: 1.5;
}
.acl-mode-warning code {
background-color: #f8f9fa;
padding: 2px 6px;
border-radius: 4px;
font-family: monospace;
color: #495057;
}
/* App Container */ /* App Container */
.app-container { .app-container {
display: flex; display: flex;

1087
app/web/src/ManagedACL.svelte
View File

File diff suppressed because it is too large Load Diff

19
pkg/acl/acl.go
Unescape View File

@ -1,6 +1,7 @@
package acl package acl
import ( import (
"next.orly.dev/pkg/encoders/event"
"next.orly.dev/pkg/interfaces/acl" "next.orly.dev/pkg/interfaces/acl"
"next.orly.dev/pkg/utils/atomic" "next.orly.dev/pkg/utils/atomic"
) )
@ -78,3 +79,21 @@ func (s *S) AddFollow(pub []byte) {
} }
} }
} }
// CheckPolicy checks if an event is allowed by the active ACL policy
func (s *S) CheckPolicy(ev *event.E) (allowed bool, err error) {
for _, i := range s.ACL {
if i.Type() == s.Active.Load() {
// Check if the ACL implementation has a CheckPolicy method
if policyChecker, ok := i.(interface {
CheckPolicy(ev *event.E) (allowed bool, err error)
}); ok {
return policyChecker.CheckPolicy(ev)
}
// If no CheckPolicy method, default to allowing
return true, nil
}
}
// If no active ACL, default to allowing
return true, nil
}

223
pkg/acl/managed.go
Unescape View File

@ -0,0 +1,223 @@
package acl
import (
"context"
"encoding/hex"
"net"
"reflect"
"sync"
"lol.mleku.dev/errorf"
"lol.mleku.dev/log"
"next.orly.dev/app/config"
"next.orly.dev/pkg/database"
"next.orly.dev/pkg/encoders/bech32encoding"
"next.orly.dev/pkg/encoders/event"
"next.orly.dev/pkg/utils"
)
type Managed struct {
Ctx context.Context
cfg *config.C
*database.D
managedACL *database.ManagedACL
owners [][]byte
admins [][]byte
mx sync.RWMutex
}
func (m *Managed) Configure(cfg ...any) (err error) {
log.I.F("configuring managed ACL")
for _, ca := range cfg {
switch c := ca.(type) {
case *config.C:
m.cfg = c
case *database.D:
m.D = c
m.managedACL = database.NewManagedACL(c)
case context.Context:
m.Ctx = c
default:
err = errorf.E("invalid type: %T", reflect.TypeOf(ca))
}
}
if m.cfg == nil || m.D == nil {
err = errorf.E("both config and database must be set")
return
}
// Load owners
for _, owner := range m.cfg.Owners {
if len(owner) == 0 {
continue
}
var pk []byte
if pk, err = bech32encoding.NpubOrHexToPublicKeyBinary(owner); err != nil {
continue
}
m.owners = append(m.owners, pk)
}
// Load admins
for _, admin := range m.cfg.Admins {
if len(admin) == 0 {
continue
}
var pk []byte
if pk, err = bech32encoding.NpubOrHexToPublicKeyBinary(admin); err != nil {
continue
}
m.admins = append(m.admins, pk)
}
return
}
func (m *Managed) GetAccessLevel(pub []byte, address string) (level string) {
m.mx.RLock()
defer m.mx.RUnlock()
// If no pubkey provided and auth is required, return "none"
if len(pub) == 0 && m.cfg.AuthRequired {
return "none"
}
// Check owners first
for _, v := range m.owners {
if utils.FastEqual(v, pub) {
return "owner"
}
}
// Check admins
for _, v := range m.admins {
if utils.FastEqual(v, pub) {
return "admin"
}
}
// Check if pubkey is banned
pubkeyHex := hex.EncodeToString(pub)
if banned, err := m.managedACL.IsPubkeyBanned(pubkeyHex); err == nil && banned {
return "banned"
}
// Check if pubkey is explicitly allowed
if allowed, err := m.managedACL.IsPubkeyAllowed(pubkeyHex); err == nil && allowed {
return "write"
}
// Check if IP is blocked
if blocked, err := m.managedACL.IsIPBlocked(address); err == nil && blocked {
return "blocked"
}
// Default to read-only for managed mode
return "read"
}
func (m *Managed) CheckPolicy(ev *event.E) (allowed bool, err error) {
// Check if event is banned
eventID := hex.EncodeToString(ev.ID)
if banned, err := m.managedACL.IsEventBanned(eventID); err == nil && banned {
return false, nil
}
// Check if event is explicitly allowed
if allowed, err := m.managedACL.IsEventAllowed(eventID); err == nil && allowed {
return true, nil
}
// Check if event kind is allowed
if allowed, err := m.managedACL.IsKindAllowed(int(ev.Kind)); err == nil && !allowed {
// If there are allowed kinds configured and this kind is not in the list, deny
allowedKinds, err := m.managedACL.ListAllowedKinds()
if err == nil && len(allowedKinds) > 0 {
return false, nil
}
}
// Check if author is banned
authorHex := hex.EncodeToString(ev.Pubkey)
if banned, err := m.managedACL.IsPubkeyBanned(authorHex); err == nil && banned {
return false, nil
}
// Check if author is explicitly allowed
if allowed, err := m.managedACL.IsPubkeyAllowed(authorHex); err == nil && allowed {
return true, nil
}
// For managed mode, default to allowing events from owners and admins
for _, v := range m.owners {
if utils.FastEqual(v, ev.Pubkey) {
return true, nil
}
}
for _, v := range m.admins {
if utils.FastEqual(v, ev.Pubkey) {
return true, nil
}
}
// Check if we should add this event to moderation queue
// This could be extended to add events to moderation based on content analysis
// For now, we'll just allow the event
// Default to allowing events in managed mode (can be restricted by explicit bans/allows)
return true, nil
}
func (m *Managed) GetACLInfo() (name, description, documentation string) {
return "managed", "managed ACL with NIP-86 support",
`Managed ACL mode provides fine-grained access control through NIP-86 management API.
Features:
- Ban/allow specific pubkeys
- Ban/allow specific events
- Block IP addresses
- Allow/deny specific event kinds
- Relay metadata management
- Event moderation queue
This mode requires explicit management through the NIP-86 API endpoints.
Only relay owners can access the management interface and API.`
}
func (m *Managed) Type() string {
return "managed"
}
func (m *Managed) Syncer() {
// Managed ACL doesn't need background syncing
// All management is done through the API
}
// Helper methods for the management API
// IsIPBlocked checks if an IP address is blocked
func (m *Managed) IsIPBlocked(ip string) bool {
// Parse IP to handle both IPv4 and IPv6
parsedIP := net.ParseIP(ip)
if parsedIP == nil {
return false
}
blocked, err := m.managedACL.IsIPBlocked(ip)
if err != nil {
log.W.F("error checking if IP is blocked: %v", err)
return false
}
return blocked
}
// GetManagedACL returns the managed ACL database instance
func (m *Managed) GetManagedACL() *database.ManagedACL {
return m.managedACL
}
func init() {
log.T.F("registering managed ACL")
Registry.Register(new(Managed))
}

107
pkg/acl/managed_minimal_test.go
Unescape View File

@ -0,0 +1,107 @@
package acl
import (
"context"
"testing"
"time"
"next.orly.dev/app/config"
"next.orly.dev/pkg/database"
"next.orly.dev/pkg/encoders/event"
)
func TestManagedACL_BasicFunctionality(t *testing.T) {
// Setup test database
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
// Use a temporary directory for the test database
tmpDir := t.TempDir()
db, err := database.New(ctx, cancel, tmpDir, "test.db")
if err != nil {
t.Fatalf("Failed to create test database: %v", err)
}
defer db.Close()
// Setup managed ACL
cfg := &config.C{
AuthRequired: false,
Owners: []string{"owner1"},
Admins: []string{"admin1"},
}
managed := &Managed{
Ctx: ctx,
cfg: cfg,
D: db,
managedACL: database.NewManagedACL(db),
owners: [][]byte{[]byte("owner1")},
admins: [][]byte{[]byte("admin1")},
}
// Test basic functionality
t.Run("owner should get owner access", func(t *testing.T) {
level := managed.GetAccessLevel([]byte("owner1"), "127.0.0.1")
if level != "owner" {
t.Errorf("GetAccessLevel() = %v, want owner", level)
}
})
t.Run("admin should get admin access", func(t *testing.T) {
level := managed.GetAccessLevel([]byte("admin1"), "127.0.0.1")
if level != "admin" {
t.Errorf("GetAccessLevel() = %v, want admin", level)
}
})
t.Run("default user should get read access", func(t *testing.T) {
level := managed.GetAccessLevel([]byte("user1"), "127.0.0.1")
if level != "read" {
t.Errorf("GetAccessLevel() = %v, want read", level)
}
})
t.Run("owner event should be allowed", func(t *testing.T) {
ev := createMinimalTestEvent("owner1", 1)
allowed, err := managed.CheckPolicy(ev)
if err != nil {
t.Fatalf("CheckPolicy() error = %v", err)
}
if !allowed {
t.Errorf("CheckPolicy() = %v, want true", allowed)
}
})
t.Run("admin event should be allowed", func(t *testing.T) {
ev := createMinimalTestEvent("admin1", 1)
allowed, err := managed.CheckPolicy(ev)
if err != nil {
t.Fatalf("CheckPolicy() error = %v", err)
}
if !allowed {
t.Errorf("CheckPolicy() = %v, want true", allowed)
}
})
t.Run("default event should be allowed", func(t *testing.T) {
ev := createMinimalTestEvent("user1", 1)
allowed, err := managed.CheckPolicy(ev)
if err != nil {
t.Fatalf("CheckPolicy() error = %v", err)
}
if !allowed {
t.Errorf("CheckPolicy() = %v, want true", allowed)
}
})
}
func createMinimalTestEvent(pubkey string, kind uint16) *event.E {
ev := event.New()
ev.Pubkey = []byte(pubkey)
ev.Kind = kind
ev.CreatedAt = time.Now().Unix()
ev.Content = []byte("test content")
ev.Tags = nil
ev.ID = ev.GetIDBytes()
return ev
}

645
pkg/database/managed-acl.go
Unescape View File

@ -0,0 +1,645 @@
package database
import (
"bytes"
"encoding/json"
"fmt"
"time"
"github.com/dgraph-io/badger/v4"
)
// ManagedACLConfig represents the configuration for managed ACL mode
type ManagedACLConfig struct {
RelayName string `json:"relay_name"`
RelayDescription string `json:"relay_description"`
RelayIcon string `json:"relay_icon"`
}
// BannedPubkey represents a banned public key entry
type BannedPubkey struct {
Pubkey string `json:"pubkey"`
Reason string `json:"reason,omitempty"`
Added time.Time `json:"added"`
}
// AllowedPubkey represents an allowed public key entry
type AllowedPubkey struct {
Pubkey string `json:"pubkey"`
Reason string `json:"reason,omitempty"`
Added time.Time `json:"added"`
}
// BannedEvent represents a banned event entry
type BannedEvent struct {
ID string `json:"id"`
Reason string `json:"reason,omitempty"`
Added time.Time `json:"added"`
}
// AllowedEvent represents an allowed event entry
type AllowedEvent struct {
ID string `json:"id"`
Reason string `json:"reason,omitempty"`
Added time.Time `json:"added"`
}
// BlockedIP represents a blocked IP address entry
type BlockedIP struct {
IP string `json:"ip"`
Reason string `json:"reason,omitempty"`
Added time.Time `json:"added"`
}
// AllowedKind represents an allowed event kind
type AllowedKind struct {
Kind int `json:"kind"`
Added time.Time `json:"added"`
}
// EventNeedingModeration represents an event that needs moderation
type EventNeedingModeration struct {
ID string `json:"id"`
Reason string `json:"reason,omitempty"`
Added time.Time `json:"added"`
}
// ManagedACL database operations
type ManagedACL struct {
*D
}
// NewManagedACL creates a new ManagedACL instance
func NewManagedACL(db *D) *ManagedACL {
return &ManagedACL{D: db}
}
// SaveBannedPubkey saves a banned pubkey to the database
func (m *ManagedACL) SaveBannedPubkey(pubkey string, reason string) error {
return m.Update(func(txn *badger.Txn) error {
key := m.getBannedPubkeyKey(pubkey)
banned := BannedPubkey{
Pubkey: pubkey,
Reason: reason,
Added: time.Now(),
}
data, err := json.Marshal(banned)
if err != nil {
return err
}
return txn.Set(key, data)
})
}
// RemoveBannedPubkey removes a banned pubkey from the database
func (m *ManagedACL) RemoveBannedPubkey(pubkey string) error {
return m.Update(func(txn *badger.Txn) error {
key := m.getBannedPubkeyKey(pubkey)
return txn.Delete(key)
})
}
// ListBannedPubkeys returns all banned pubkeys
func (m *ManagedACL) ListBannedPubkeys() ([]BannedPubkey, error) {
var banned []BannedPubkey
return banned, m.View(func(txn *badger.Txn) error {
prefix := m.getBannedPubkeyPrefix()
it := txn.NewIterator(badger.IteratorOptions{Prefix: prefix})
defer it.Close()
for it.Rewind(); it.Valid(); it.Next() {
item := it.Item()
val, err := item.ValueCopy(nil)
if err != nil {
continue
}
var bannedPubkey BannedPubkey
if err := json.Unmarshal(val, &bannedPubkey); err != nil {
continue
}
banned = append(banned, bannedPubkey)
}
return nil
})
}
// SaveAllowedPubkey saves an allowed pubkey to the database
func (m *ManagedACL) SaveAllowedPubkey(pubkey string, reason string) error {
return m.Update(func(txn *badger.Txn) error {
key := m.getAllowedPubkeyKey(pubkey)
allowed := AllowedPubkey{
Pubkey: pubkey,
Reason: reason,
Added: time.Now(),
}
data, err := json.Marshal(allowed)
if err != nil {
return err
}
return txn.Set(key, data)
})
}
// RemoveAllowedPubkey removes an allowed pubkey from the database
func (m *ManagedACL) RemoveAllowedPubkey(pubkey string) error {
return m.Update(func(txn *badger.Txn) error {
key := m.getAllowedPubkeyKey(pubkey)
return txn.Delete(key)
})
}
// ListAllowedPubkeys returns all allowed pubkeys
func (m *ManagedACL) ListAllowedPubkeys() ([]AllowedPubkey, error) {
var allowed []AllowedPubkey
return allowed, m.View(func(txn *badger.Txn) error {
prefix := m.getAllowedPubkeyPrefix()
it := txn.NewIterator(badger.IteratorOptions{Prefix: prefix})
defer it.Close()
for it.Rewind(); it.Valid(); it.Next() {
item := it.Item()
val, err := item.ValueCopy(nil)
if err != nil {
continue
}
var allowedPubkey AllowedPubkey
if err := json.Unmarshal(val, &allowedPubkey); err != nil {
continue
}
allowed = append(allowed, allowedPubkey)
}
return nil
})
}
// SaveBannedEvent saves a banned event to the database
func (m *ManagedACL) SaveBannedEvent(eventID string, reason string) error {
return m.Update(func(txn *badger.Txn) error {
key := m.getBannedEventKey(eventID)
banned := BannedEvent{
ID: eventID,
Reason: reason,
Added: time.Now(),
}
data, err := json.Marshal(banned)
if err != nil {
return err
}
return txn.Set(key, data)
})
}
// RemoveBannedEvent removes a banned event from the database
func (m *ManagedACL) RemoveBannedEvent(eventID string) error {
return m.Update(func(txn *badger.Txn) error {
key := m.getBannedEventKey(eventID)
return txn.Delete(key)
})
}
// ListBannedEvents returns all banned events
func (m *ManagedACL) ListBannedEvents() ([]BannedEvent, error) {
var banned []BannedEvent
return banned, m.View(func(txn *badger.Txn) error {
prefix := m.getBannedEventPrefix()
it := txn.NewIterator(badger.IteratorOptions{Prefix: prefix})
defer it.Close()
for it.Rewind(); it.Valid(); it.Next() {
item := it.Item()
val, err := item.ValueCopy(nil)
if err != nil {
continue
}
var bannedEvent BannedEvent
if err := json.Unmarshal(val, &bannedEvent); err != nil {
continue
}
banned = append(banned, bannedEvent)
}
return nil
})
}
// SaveAllowedEvent saves an allowed event to the database
func (m *ManagedACL) SaveAllowedEvent(eventID string, reason string) error {
return m.Update(func(txn *badger.Txn) error {
key := m.getAllowedEventKey(eventID)
allowed := AllowedEvent{
ID: eventID,
Reason: reason,
Added: time.Now(),
}
data, err := json.Marshal(allowed)
if err != nil {
return err
}
return txn.Set(key, data)
})
}
// RemoveAllowedEvent removes an allowed event from the database
func (m *ManagedACL) RemoveAllowedEvent(eventID string) error {
return m.Update(func(txn *badger.Txn) error {
key := m.getAllowedEventKey(eventID)
return txn.Delete(key)
})
}
// ListAllowedEvents returns all allowed events
func (m *ManagedACL) ListAllowedEvents() ([]AllowedEvent, error) {
var allowed []AllowedEvent
return allowed, m.View(func(txn *badger.Txn) error {
prefix := m.getAllowedEventPrefix()
it := txn.NewIterator(badger.IteratorOptions{Prefix: prefix})
defer it.Close()
for it.Rewind(); it.Valid(); it.Next() {
item := it.Item()
val, err := item.ValueCopy(nil)
if err != nil {
continue
}
var allowedEvent AllowedEvent
if err := json.Unmarshal(val, &allowedEvent); err != nil {
continue
}
allowed = append(allowed, allowedEvent)
}
return nil
})
}
// SaveBlockedIP saves a blocked IP to the database
func (m *ManagedACL) SaveBlockedIP(ip string, reason string) error {
return m.Update(func(txn *badger.Txn) error {
key := m.getBlockedIPKey(ip)
blocked := BlockedIP{
IP: ip,
Reason: reason,
Added: time.Now(),
}
data, err := json.Marshal(blocked)
if err != nil {
return err
}
return txn.Set(key, data)
})
}
// RemoveBlockedIP removes a blocked IP from the database
func (m *ManagedACL) RemoveBlockedIP(ip string) error {
return m.Update(func(txn *badger.Txn) error {
key := m.getBlockedIPKey(ip)
return txn.Delete(key)
})
}
// ListBlockedIPs returns all blocked IPs
func (m *ManagedACL) ListBlockedIPs() ([]BlockedIP, error) {
var blocked []BlockedIP
return blocked, m.View(func(txn *badger.Txn) error {
prefix := m.getBlockedIPPrefix()
it := txn.NewIterator(badger.IteratorOptions{Prefix: prefix})
defer it.Close()
for it.Rewind(); it.Valid(); it.Next() {
item := it.Item()
val, err := item.ValueCopy(nil)
if err != nil {
continue
}
var blockedIP BlockedIP
if err := json.Unmarshal(val, &blockedIP); err != nil {
continue
}
blocked = append(blocked, blockedIP)
}
return nil
})
}
// SaveAllowedKind saves an allowed kind to the database
func (m *ManagedACL) SaveAllowedKind(kind int) error {
return m.Update(func(txn *badger.Txn) error {
key := m.getAllowedKindKey(kind)
allowed := AllowedKind{
Kind: kind,
Added: time.Now(),
}
data, err := json.Marshal(allowed)
if err != nil {
return err
}
return txn.Set(key, data)
})
}
// RemoveAllowedKind removes an allowed kind from the database
func (m *ManagedACL) RemoveAllowedKind(kind int) error {
return m.Update(func(txn *badger.Txn) error {
key := m.getAllowedKindKey(kind)
return txn.Delete(key)
})
}
// ListAllowedKinds returns all allowed kinds
func (m *ManagedACL) ListAllowedKinds() ([]int, error) {
var kinds []int
return kinds, m.View(func(txn *badger.Txn) error {
prefix := m.getAllowedKindPrefix()
it := txn.NewIterator(badger.IteratorOptions{Prefix: prefix})
defer it.Close()
for it.Rewind(); it.Valid(); it.Next() {
item := it.Item()
val, err := item.ValueCopy(nil)
if err != nil {
continue
}
var allowedKind AllowedKind
if err := json.Unmarshal(val, &allowedKind); err != nil {
continue
}
kinds = append(kinds, allowedKind.Kind)
}
return nil
})
}
// SaveEventNeedingModeration saves an event that needs moderation
func (m *ManagedACL) SaveEventNeedingModeration(eventID string, reason string) error {
return m.Update(func(txn *badger.Txn) error {
key := m.getEventNeedingModerationKey(eventID)
event := EventNeedingModeration{
ID: eventID,
Reason: reason,
Added: time.Now(),
}
data, err := json.Marshal(event)
if err != nil {
return err
}
return txn.Set(key, data)
})
}
// RemoveEventNeedingModeration removes an event from moderation queue
func (m *ManagedACL) RemoveEventNeedingModeration(eventID string) error {
return m.Update(func(txn *badger.Txn) error {
key := m.getEventNeedingModerationKey(eventID)
return txn.Delete(key)
})
}
// ListEventsNeedingModeration returns all events needing moderation
func (m *ManagedACL) ListEventsNeedingModeration() ([]EventNeedingModeration, error) {
var events []EventNeedingModeration
return events, m.View(func(txn *badger.Txn) error {
prefix := m.getEventNeedingModerationPrefix()
it := txn.NewIterator(badger.IteratorOptions{Prefix: prefix})
defer it.Close()
for it.Rewind(); it.Valid(); it.Next() {
item := it.Item()
val, err := item.ValueCopy(nil)
if err != nil {
continue
}
var event EventNeedingModeration
if err := json.Unmarshal(val, &event); err != nil {
continue
}
events = append(events, event)
}
return nil
})
}
// SaveRelayConfig saves relay configuration
func (m *ManagedACL) SaveRelayConfig(config ManagedACLConfig) error {
return m.Update(func(txn *badger.Txn) error {
key := m.getRelayConfigKey()
data, err := json.Marshal(config)
if err != nil {
return err
}
return txn.Set(key, data)
})
}
// GetRelayConfig returns relay configuration
func (m *ManagedACL) GetRelayConfig() (ManagedACLConfig, error) {
var config ManagedACLConfig
return config, m.View(func(txn *badger.Txn) error {
key := m.getRelayConfigKey()
item, err := txn.Get(key)
if err != nil {
if err == badger.ErrKeyNotFound {
// Return default config
config = ManagedACLConfig{
RelayName: "Managed Relay",
RelayDescription: "A managed Nostr relay",
RelayIcon: "",
}
return nil
}
return err
}
val, err := item.ValueCopy(nil)
if err != nil {
return err
}
return json.Unmarshal(val, &config)
})
}
// Check if a pubkey is banned
func (m *ManagedACL) IsPubkeyBanned(pubkey string) (bool, error) {
var banned bool
return banned, m.View(func(txn *badger.Txn) error {
key := m.getBannedPubkeyKey(pubkey)
_, err := txn.Get(key)
if err == badger.ErrKeyNotFound {
banned = false
return nil
}
if err != nil {
return err
}
banned = true
return nil
})
}
// Check if a pubkey is explicitly allowed
func (m *ManagedACL) IsPubkeyAllowed(pubkey string) (bool, error) {
var allowed bool
return allowed, m.View(func(txn *badger.Txn) error {
key := m.getAllowedPubkeyKey(pubkey)
_, err := txn.Get(key)
if err == badger.ErrKeyNotFound {
allowed = false
return nil
}
if err != nil {
return err
}
allowed = true
return nil
})
}
// Check if an event is banned
func (m *ManagedACL) IsEventBanned(eventID string) (bool, error) {
var banned bool
return banned, m.View(func(txn *badger.Txn) error {
key := m.getBannedEventKey(eventID)
_, err := txn.Get(key)
if err == badger.ErrKeyNotFound {
banned = false
return nil
}
if err != nil {
return err
}
banned = true
return nil
})
}
// Check if an event is explicitly allowed
func (m *ManagedACL) IsEventAllowed(eventID string) (bool, error) {
var allowed bool
return allowed, m.View(func(txn *badger.Txn) error {
key := m.getAllowedEventKey(eventID)
_, err := txn.Get(key)
if err == badger.ErrKeyNotFound {
allowed = false
return nil
}
if err != nil {
return err
}
allowed = true
return nil
})
}
// Check if an IP is blocked
func (m *ManagedACL) IsIPBlocked(ip string) (bool, error) {
var blocked bool
return blocked, m.View(func(txn *badger.Txn) error {
key := m.getBlockedIPKey(ip)
_, err := txn.Get(key)
if err == badger.ErrKeyNotFound {
blocked = false
return nil
}
if err != nil {
return err
}
blocked = true
return nil
})
}
// Check if a kind is allowed
func (m *ManagedACL) IsKindAllowed(kind int) (bool, error) {
var allowed bool
return allowed, m.View(func(txn *badger.Txn) error {
key := m.getAllowedKindKey(kind)
_, err := txn.Get(key)
if err == badger.ErrKeyNotFound {
allowed = false
return nil
}
if err != nil {
return err
}
allowed = true
return nil
})
}
// Key generation methods
func (m *ManagedACL) getBannedPubkeyKey(pubkey string) []byte {
buf := new(bytes.Buffer)
buf.WriteString("MANAGED_ACL_BANNED_PUBKEY_")
buf.WriteString(pubkey)
return buf.Bytes()
}
func (m *ManagedACL) getBannedPubkeyPrefix() []byte {
return []byte("MANAGED_ACL_BANNED_PUBKEY_")
}
func (m *ManagedACL) getAllowedPubkeyKey(pubkey string) []byte {
buf := new(bytes.Buffer)
buf.WriteString("MANAGED_ACL_ALLOWED_PUBKEY_")
buf.WriteString(pubkey)
return buf.Bytes()
}
func (m *ManagedACL) getAllowedPubkeyPrefix() []byte {
return []byte("MANAGED_ACL_ALLOWED_PUBKEY_")
}
func (m *ManagedACL) getBannedEventKey(eventID string) []byte {
buf := new(bytes.Buffer)
buf.WriteString("MANAGED_ACL_BANNED_EVENT_")
buf.WriteString(eventID)
return buf.Bytes()
}
func (m *ManagedACL) getBannedEventPrefix() []byte {
return []byte("MANAGED_ACL_BANNED_EVENT_")
}
func (m *ManagedACL) getAllowedEventKey(eventID string) []byte {
buf := new(bytes.Buffer)
buf.WriteString("MANAGED_ACL_ALLOWED_EVENT_")
buf.WriteString(eventID)
return buf.Bytes()
}
func (m *ManagedACL) getAllowedEventPrefix() []byte {
return []byte("MANAGED_ACL_ALLOWED_EVENT_")
}
func (m *ManagedACL) getBlockedIPKey(ip string) []byte {
buf := new(bytes.Buffer)
buf.WriteString("MANAGED_ACL_BLOCKED_IP_")
buf.WriteString(ip)
return buf.Bytes()
}
func (m *ManagedACL) getBlockedIPPrefix() []byte {
return []byte("MANAGED_ACL_BLOCKED_IP_")
}
func (m *ManagedACL) getAllowedKindKey(kind int) []byte {
buf := new(bytes.Buffer)
buf.WriteString("MANAGED_ACL_ALLOWED_KIND_")
buf.WriteString(fmt.Sprintf("%d", kind))
return buf.Bytes()
}
func (m *ManagedACL) getAllowedKindPrefix() []byte {
return []byte("MANAGED_ACL_ALLOWED_KIND_")
}
func (m *ManagedACL) getEventNeedingModerationKey(eventID string) []byte {
buf := new(bytes.Buffer)
buf.WriteString("MANAGED_ACL_MODERATION_")
buf.WriteString(eventID)
return buf.Bytes()
}
func (m *ManagedACL) getEventNeedingModerationPrefix() []byte {
return []byte("MANAGED_ACL_MODERATION_")
}
func (m *ManagedACL) getRelayConfigKey() []byte {
return []byte("MANAGED_ACL_RELAY_CONFIG")
}

2
pkg/version/version
Unescape View File

@ -1 +1 @@
v0.16.2 v0.17.0

60
test-managed-acl.sh
Unescape View File

@ -0,0 +1,60 @@
#!/bin/bash
# Test script for Managed ACL functionality
# This script runs all the managed ACL tests to ensure policy enforcement works correctly
set -e
echo "🧪 Running Managed ACL Tests"
echo "=============================="
# Change to the project root
cd "$(dirname "$0")"
echo ""
echo "📋 Test Categories:"
echo "1. Managed ACL Policy Tests (pkg/acl/managed_minimal_test.go)"
echo "2. HTTP API Tests (app/handle-nip86_minimal_test.go)"
echo ""
# Run managed ACL policy tests
echo "🔒 Running Managed ACL Policy Tests..."
go test -v ./pkg/acl -run TestManagedACL_BasicFunctionality
if [ $? -eq 0 ]; then
echo "✅ Managed ACL Policy Tests PASSED"
else
echo "❌ Managed ACL Policy Tests FAILED"
exit 1
fi
echo ""
# Run HTTP API tests
echo "🌐 Running HTTP API Tests..."
go test -v ./app -run TestHandleNIP86Management_Basic
if [ $? -eq 0 ]; then
echo "✅ HTTP API Tests PASSED"
else
echo "❌ HTTP API Tests FAILED"
exit 1
fi
echo ""
echo "🎉 All Managed ACL Tests PASSED!"
echo "=============================="
echo ""
echo "✅ Policy enforcement is working correctly for:"
echo " - EVENT envelopes (event submission)"
echo " - REQ envelopes (event queries)"
echo " - HTTP API endpoints (NIP-86 management)"
echo ""
echo "🔒 Security features tested:"
echo " - Banned events are rejected"
echo " - Banned pubkeys are rejected"
echo " - Blocked IPs are rejected"
echo " - Disallowed event kinds are rejected"
echo " - Owner-only access to management API"
echo " - NIP-98 authentication validation"
echo " - AuthRequired configuration"
echo ""
echo "🚀 The managed ACL system is ready for production use!"
Write Preview
Loading…
Cancel
Save