mleku
ea4a54c5e7
Add Cashu blind signature access tokens (NIP-XX draft)

Implements privacy-preserving bearer tokens for relay access control using
Cashu-style blind signatures. Tokens prove whitelist membership without
linking issuance to usage.

Features:
- BDHKE crypto primitives (HashToCurve, Blind, Sign, Unblind, Verify)
- Keyset management with weekly rotation
- Token format with kind permissions and scope isolation
- Generic issuer/verifier with pluggable authorization
- HTTP endpoints: POST /cashu/mint, GET /cashu/keysets, GET /cashu/info
- ACL adapter bridging ORLY's access control to Cashu AuthzChecker
- Stateless revocation via ACL re-check on each token use
- Two-token rotation for seamless renewal (max 2 weeks after blacklist)

Configuration:
- ORLY_CASHU_ENABLED: Enable Cashu tokens
- ORLY_CASHU_TOKEN_TTL: Token validity (default: 1 week)
- ORLY_CASHU_SCOPES: Allowed scopes (relay, nip46, blossom, api)
- ORLY_CASHU_REAUTHORIZE: Re-check ACL on each verification

Files:
- pkg/cashu/bdhke/: Core blind signature cryptography
- pkg/cashu/keyset/: Keyset management and rotation
- pkg/cashu/token/: Token format with kind permissions
- pkg/cashu/issuer/: Token issuance with authorization
- pkg/cashu/verifier/: Token verification with middleware
- pkg/interfaces/cashu/: AuthzChecker, KeysetStore interfaces
- pkg/bunker/acl_adapter.go: ORLY ACL integration
- app/handle-cashu.go: HTTP endpoints
- docs/NIP-XX-CASHU-ACCESS-TOKENS.md: Full specification

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2 weeks ago

| Name | Last commit | Updated |
| --- | --- | --- |
| config | Add Cashu blind signature access tokens (NIP-XX draft) | 2 weeks ago |
| web | Add WireGuard VPN with random /31 subnet isolation (v0.40.0) | 2 weeks ago |
| blossom.go | Fix Blossom CORS headers and add root-level upload routes (v0.36.12) | 3 weeks ago |
| handle-auth.go | Fix NIP-42 AUTH compliance: always respond with OK message | 1 month ago |
| handle-cashu.go | Add Cashu blind signature access tokens (NIP-XX draft) | 2 weeks ago |
| handle-close.go | migrate to new nostr library | 2 months ago |
| handle-count.go | migrate to new nostr library | 2 months ago |
| handle-delete.go | Refactor Neo4j tests and improve tag handling in Cypher | 1 month ago |
| handle-event-types.go | Decompose handle-event.go into DDD domain services (v0.36.15) | 3 weeks ago |
| handle-event.go | Decompose handle-event.go into DDD domain services (v0.36.15) | 3 weeks ago |
| handle-logs.go | Add log viewer for relay owners (v0.37.3) | 3 weeks ago |
| handle-message.go | initial draft of hot reload policy | 2 months ago |
| handle-nip43.go | migrate to new nostr library | 2 months ago |
| handle-nip43_test.go | Adjust ACL behavior for "none" mode and make query cache optional | 1 month ago |
| handle-nip86.go | migrate to new nostr library | 2 months ago |
| handle-nip86_minimal_test.go | fix handleevents not prompting auth for event publish with auth-required | 2 months ago |
| handle-policy-config.go | Add ORLY_POLICY_PATH for custom policy file location | 4 weeks ago |
| handle-relayinfo.go | migrate to new nostr library | 2 months ago |
| handle-req.go | Update privileged event filtering to respect ACL mode | 1 month ago |
| handle-websocket.go | Add memory optimization improvements for reduced GC pressure (v0.36.16) | 3 weeks ago |
| handle-wireguard.go | Add WireGuard VPN with random /31 subnet isolation (v0.40.0) | 2 weeks ago |
| handle_policy_config_test.go | Add ORLY_POLICY_PATH for custom policy file location | 4 weeks ago |
| helpers.go | update docker and apache stuff to new next-orly and make it all more proxy-friendly | 3 months ago |
| listener.go | Add memory optimization improvements for reduced GC pressure (v0.36.16) | 3 weeks ago |
| main.go | Add WireGuard VPN with random /31 subnet isolation (v0.40.0) | 2 weeks ago |
| nip43_e2e_test.go | Adjust ACL behavior for "none" mode and make query cache optional | 1 month ago |
| ok.go | migrate to new nostr library | 2 months ago |
| payment_processor.go | migrate to new nostr library | 2 months ago |
| privileged_events_test.go | Update privileged event filtering to respect ACL mode | 1 month ago |
| publisher.go | migrate to new nostr library | 2 months ago |
| server.go | Add Cashu blind signature access tokens (NIP-XX draft) | 2 weeks ago |
| sprocket.go | migrate to new nostr library | 2 months ago |
| tls.go | Update dependencies and enhance deployment scripts | 3 months ago |
| web.go | Implement NIP-98 authentication for HTTP requests, enhancing security for event export and import functionalities. Update server methods to validate authentication and permissions, and refactor event handling in the Svelte app to support new export and import features. Add UI components for exporting and importing events with appropriate permission checks. | 3 months ago |
| wireguard-helpers.go | Add WireGuard VPN with random /31 subnet isolation (v0.40.0) | 2 weeks ago |