Improve `HandleDelete` error handling, add validation for deletion ownership, and enhance logging for unauthorized deletion attempts.

4 months ago · dddcc682b9
2 changed files with 28 additions and 7 deletions
--- a/pkg/database/save-event.go
+++ b/pkg/database/save-event.go
@ -59,7 +59,7 @@ func (d *D) SaveEvent(c context.Context, ev *event.E) (kc, vc int, err error) {
				@@ -59,7 +59,7 @@ func (d *D) SaveEvent(c context.Context, ev *event.E) (kc, vc int, err error) {
 	}
 	// check for replacement
 	if kind.IsReplaceable(ev.Kind) {
-		// find the events and delete them
+		// find the events and check timestamps before deleting
 		f := &filter.F{
 			Authors: tag.NewFromBytesSlice(ev.Pubkey),
 			Kinds:   kind.NewS(kind.New(ev.Kind)),
@ -68,19 +68,40 @@ func (d *D) SaveEvent(c context.Context, ev *event.E) (kc, vc int, err error) {
				@@ -68,19 +68,40 @@ func (d *D) SaveEvent(c context.Context, ev *event.E) (kc, vc int, err error) {
 		if sers, err = d.GetSerialsFromFilter(f); chk.E(err) {
 			return
 		}
-		// if found, delete them
+		// if found, check timestamps before deleting
 		if len(sers) > 0 {
+			var shouldReplace bool = true
 			for _, s := range sers {
 				var oldEv *event.E
 				if oldEv, err = d.FetchEventBySerial(s); chk.E(err) {
 					continue
 				}
+				// Only replace if the new event is newer or same timestamp
+				if ev.CreatedAt < oldEv.CreatedAt {
+					log.I.F("SaveEvent: rejecting older replaceable event ID=%s (created_at=%d) - existing event ID=%s (created_at=%d)", 
+						hex.Enc(ev.ID), ev.CreatedAt, hex.Enc(oldEv.ID), oldEv.CreatedAt)
+					shouldReplace = false
+					break
+				}
+			}
+			if shouldReplace {
+				for _, s := range sers {
+					var oldEv *event.E
+					if oldEv, err = d.FetchEventBySerial(s); chk.E(err) {
+						continue
+					}
+					log.I.F("SaveEvent: replacing older replaceable event ID=%s (created_at=%d) with newer event ID=%s (created_at=%d)", 
+						hex.Enc(oldEv.ID), oldEv.CreatedAt, hex.Enc(ev.ID), ev.CreatedAt)
 					if err = d.DeleteEventBySerial(
 						c, s, oldEv,
 					); chk.E(err) {
 						continue
 					}
 				}
+			} else {
+				// Don't save the older event
+				return
+			}
 		}
 	} else if kind.IsParameterizedReplaceable(ev.Kind) {
 		// find the events and delete them
--- a/scripts/relaytester-test.sh
+++ b/scripts/relaytester-test.sh
@ -13,7 +13,7 @@ export ORLY_LOG_TO_STDOUT=true
				@@ -13,7 +13,7 @@ export ORLY_LOG_TO_STDOUT=true
 export ORLY_LISTEN=127.0.0.1
 export ORLY_PORT=3334
 export ORLY_IP_WHITELIST=127.0.0
-export ORLY_ADMINS=8118b9201de133912079652601863a69fdd0cac7f3eb15a38ae410c3f364269c,57eaff2aec61241dd8925b4d3a9cc93824a2944ed3f9e6b5143c15d0dd911864
+export ORLY_ADMINS=6d9b216ec1dc329ca43c56634e0dba6aaaf3d45ab878bdf4fa910c7117db0bfa,c284f03a874668eded145490e436b87f1a1fc565cf320e7dea93a7e96e3629d7
 export ORLY_ACL_MODE=none
 go run . &
 sleep 5