Allow unauthenticated users to query if restrict user is off, prevent publishing events on behalf of others

Jon Staab · Jon Staab · commit 7ea3f7196f2c · 2025-09-18T17:08:57.000-07:00
diff --git a/common/access.go b/common/access.go
@@ -62,6 +62,11 @@ func ConsumeInvite(claim string) string {
 
 func GenerateInviteEvents(ctx context.Context, filter nostr.Filter) []*nostr.Event {
 	pubkey := khatru.GetAuthed(ctx)
+
+	if pubkey == "" {
+		return []*nostr.Event{}
+	}
+
 	claim := GenerateInvite(pubkey)
 	event := nostr.Event{
 		Kind:      AUTH_INVITE,
diff --git a/common/handlers.go b/common/handlers.go
@@ -13,14 +13,16 @@ import (
 // RejectFilter
 
 func RejectFilter(ctx context.Context, filter nostr.Filter) (reject bool, msg string) {
-	pubkey := khatru.GetAuthed(ctx)
+	if RELAY_RESTRICT_USER {
+		pubkey := khatru.GetAuthed(ctx)
 
-	if pubkey == "" {
-		return true, "auth-required: authentication is required for access"
-	}
+		if pubkey == "" {
+			return true, "auth-required: authentication is required for access"
+		}
 
-	if RELAY_RESTRICT_USER && !HasAccess(pubkey) {
-		return true, "restricted: you are not a member of this relay"
+		if !HasAccess(pubkey) {
+			return true, "restricted: you are not a member of this relay"
+		}
 	}
 
 	return false, ""
@@ -32,13 +34,13 @@ func QueryEvents(ctx context.Context, filter nostr.Filter) (chan *nostr.Event, e
 	ch := make(chan *nostr.Event)
 	pubkey := khatru.GetAuthed(ctx)
 
-  stripSignature := func (event *nostr.Event) *nostr.Event {
-  	if RELAY_STRIP_SIGNATURES && !slices.Contains(RELAY_ADMINS, pubkey) {
-  		event.Sig = ""
-  	}
+	stripSignature := func(event *nostr.Event) *nostr.Event {
+		if RELAY_STRIP_SIGNATURES && !slices.Contains(RELAY_ADMINS, pubkey) {
+			event.Sig = ""
+		}
 
-  	return event
-  }
+		return event
+	}
 
 	go func() {
 		defer close(ch)
@@ -102,20 +104,25 @@ func RejectEvent(ctx context.Context, event *nostr.Event) (reject bool, msg stri
 		}
 	}
 
-	// Auth is always required
+	// Auth is always required to publish events
 	if pubkey == "" {
 		return true, "auth-required: authentication is required for access"
 	}
 
+	// Reject replaying of events (join, create group) by other people
+	if pubkey != event.PubKey && event.Kind != nostr.KindZap {
+		return true, "restricted: you cannot publish events on behalf of others"
+	}
+
 	// Process relay-level join requests before anything else
-	if event.Kind == AUTH_JOIN && event.PubKey == pubkey {
+	if event.Kind == AUTH_JOIN {
 		tag := event.Tags.GetFirst([]string{"claim"})
 
 		if tag != nil {
 			claim := tag.Value()
 
 			if IsValidClaim(claim) || HasAccess(ConsumeInvite(claim)) {
-				AddUserClaim(event.PubKey, claim)
+				AddUserClaim(pubkey, claim)
 			}
 
 			if RELAY_RESTRICT_USER && !HasAccess(pubkey) {
@@ -130,7 +137,7 @@ func RejectEvent(ctx context.Context, event *nostr.Event) (reject bool, msg stri
 		return true, "restricted: you are not a member of this relay"
 	}
 
-	if RELAY_RESTRICT_AUTHOR && !HasAccess(event.PubKey) {
+	if RELAY_RESTRICT_AUTHOR && !HasAccess(pubkey) {
 		return true, "restricted: event author is not a member of this relay"
 	}
 
@@ -171,7 +178,7 @@ func RejectEvent(ctx context.Context, event *nostr.Event) (reject bool, msg stri
 			return true, "invalid: group events not accepted on this relay"
 		}
 
-		if !slices.Contains(RELAY_ADMINS, event.PubKey) {
+		if !slices.Contains(RELAY_ADMINS, pubkey) {
 			return true, "restricted: only relay admins can manage groups"
 		}
 	}
@@ -181,7 +188,7 @@ func RejectEvent(ctx context.Context, event *nostr.Event) (reject bool, msg stri
 			return true, "invalid: group events not accepted on this relay"
 		}
 
-		if IsGroupMember(ctx, h, event.PubKey) {
+		if IsGroupMember(ctx, h, pubkey) {
 			return true, "duplicate: already a member"
 		}
 	}
@@ -191,7 +198,7 @@ func RejectEvent(ctx context.Context, event *nostr.Event) (reject bool, msg stri
 			return true, "invalid: group events not accepted on this relay"
 		}
 
-		if !IsGroupMember(ctx, h, event.PubKey) {
+		if !IsGroupMember(ctx, h, pubkey) {
 			return true, "duplicate: not currently a member"
 		}
 	}
@@ -217,7 +224,7 @@ func RejectEvent(ctx context.Context, event *nostr.Event) (reject bool, msg stri
 			return true, "invalid: unknown group"
 		}
 
-		if !slices.Contains(groupRequestKinds, event.Kind) && g.Closed && !IsGroupMember(ctx, h, event.PubKey) {
+		if !slices.Contains(groupRequestKinds, event.Kind) && g.Closed && !IsGroupMember(ctx, h, pubkey) {
 			return true, "restricted: you are not a member of this group"
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -13,14 +13,16 @@ import (`
`13`	`13`	`// RejectFilter`
`14`	`14`
`15`	`15`	`func RejectFilter(ctx context.Context, filter nostr.Filter) (reject bool, msg string) {`
`16`		`- pubkey := khatru.GetAuthed(ctx)`
	`16`	`+ if RELAY_RESTRICT_USER {`
	`17`	`+ pubkey := khatru.GetAuthed(ctx)`
`17`	`18`
`18`		`- if pubkey == "" {`
`19`		`- return true, "auth-required: authentication is required for access"`
`20`		`- }`
	`19`	`+ if pubkey == "" {`
	`20`	`+ return true, "auth-required: authentication is required for access"`
	`21`	`+ }`
`21`	`22`
`22`		`- if RELAY_RESTRICT_USER && !HasAccess(pubkey) {`
`23`		`- return true, "restricted: you are not a member of this relay"`
	`23`	`+ if !HasAccess(pubkey) {`
	`24`	`+ return true, "restricted: you are not a member of this relay"`
	`25`	`+ }`
`24`	`26`	`}`
`25`	`27`
`26`	`28`	`return false, ""`
`@@ -32,13 +34,13 @@ func QueryEvents(ctx context.Context, filter nostr.Filter) (chan *nostr.Event, e`
`32`	`34`	`ch := make(chan *nostr.Event)`
`33`	`35`	`pubkey := khatru.GetAuthed(ctx)`
`34`	`36`
`35`		`- stripSignature := func (event nostr.Event) nostr.Event {`
`36`		`- if RELAY_STRIP_SIGNATURES && !slices.Contains(RELAY_ADMINS, pubkey) {`
`37`		`- event.Sig = ""`
`38`		`- }`
	`37`	`+ stripSignature := func(event nostr.Event) nostr.Event {`
	`38`	`+ if RELAY_STRIP_SIGNATURES && !slices.Contains(RELAY_ADMINS, pubkey) {`
	`39`	`+ event.Sig = ""`
	`40`	`+ }`
`39`	`41`
`40`		`- return event`
`41`		`- }`
	`42`	`+ return event`
	`43`	`+ }`
`42`	`44`
`43`	`45`	`go func() {`
`44`	`46`	`defer close(ch)`
`@@ -102,20 +104,25 @@ func RejectEvent(ctx context.Context, event *nostr.Event) (reject bool, msg stri`
`102`	`104`	`}`
`103`	`105`	`}`
`104`	`106`
`105`		`- // Auth is always required`
	`107`	`+ // Auth is always required to publish events`
`106`	`108`	`if pubkey == "" {`
`107`	`109`	`return true, "auth-required: authentication is required for access"`
`108`	`110`	`}`
`109`	`111`
	`112`	`+ // Reject replaying of events (join, create group) by other people`
	`113`	`+ if pubkey != event.PubKey && event.Kind != nostr.KindZap {`
	`114`	`+ return true, "restricted: you cannot publish events on behalf of others"`
	`115`	`+ }`
	`116`	`+`
`110`	`117`	`// Process relay-level join requests before anything else`
`111`		`- if event.Kind == AUTH_JOIN && event.PubKey == pubkey {`
	`118`	`+ if event.Kind == AUTH_JOIN {`
`112`	`119`	`tag := event.Tags.GetFirst([]string{"claim"})`
`113`	`120`
`114`	`121`	`if tag != nil {`
`115`	`122`	`claim := tag.Value()`
`116`	`123`
`117`	`124`	`if IsValidClaim(claim) \|\| HasAccess(ConsumeInvite(claim)) {`
`118`		`- AddUserClaim(event.PubKey, claim)`
	`125`	`+ AddUserClaim(pubkey, claim)`
`119`	`126`	`}`
`120`	`127`
`121`	`128`	`if RELAY_RESTRICT_USER && !HasAccess(pubkey) {`
`@@ -130,7 +137,7 @@ func RejectEvent(ctx context.Context, event *nostr.Event) (reject bool, msg stri`
`130`	`137`	`return true, "restricted: you are not a member of this relay"`
`131`	`138`	`}`
`132`	`139`
`133`		`- if RELAY_RESTRICT_AUTHOR && !HasAccess(event.PubKey) {`
	`140`	`+ if RELAY_RESTRICT_AUTHOR && !HasAccess(pubkey) {`
`134`	`141`	`return true, "restricted: event author is not a member of this relay"`
`135`	`142`	`}`
`136`	`143`
`@@ -171,7 +178,7 @@ func RejectEvent(ctx context.Context, event *nostr.Event) (reject bool, msg stri`
`171`	`178`	`return true, "invalid: group events not accepted on this relay"`
`172`	`179`	`}`
`173`	`180`
`174`		`- if !slices.Contains(RELAY_ADMINS, event.PubKey) {`
	`181`	`+ if !slices.Contains(RELAY_ADMINS, pubkey) {`
`175`	`182`	`return true, "restricted: only relay admins can manage groups"`
`176`	`183`	`}`
`177`	`184`	`}`
`@@ -181,7 +188,7 @@ func RejectEvent(ctx context.Context, event *nostr.Event) (reject bool, msg stri`
`181`	`188`	`return true, "invalid: group events not accepted on this relay"`
`182`	`189`	`}`
`183`	`190`
`184`		`- if IsGroupMember(ctx, h, event.PubKey) {`
	`191`	`+ if IsGroupMember(ctx, h, pubkey) {`
`185`	`192`	`return true, "duplicate: already a member"`
`186`	`193`	`}`
`187`	`194`	`}`
`@@ -191,7 +198,7 @@ func RejectEvent(ctx context.Context, event *nostr.Event) (reject bool, msg stri`
`191`	`198`	`return true, "invalid: group events not accepted on this relay"`
`192`	`199`	`}`
`193`	`200`
`194`		`- if !IsGroupMember(ctx, h, event.PubKey) {`
	`201`	`+ if !IsGroupMember(ctx, h, pubkey) {`
`195`	`202`	`return true, "duplicate: not currently a member"`
`196`	`203`	`}`
`197`	`204`	`}`
`@@ -217,7 +224,7 @@ func RejectEvent(ctx context.Context, event *nostr.Event) (reject bool, msg stri`
`217`	`224`	`return true, "invalid: unknown group"`
`218`	`225`	`}`
`219`	`226`
`220`		`- if !slices.Contains(groupRequestKinds, event.Kind) && g.Closed && !IsGroupMember(ctx, h, event.PubKey) {`
	`227`	`+ if !slices.Contains(groupRequestKinds, event.Kind) && g.Closed && !IsGroupMember(ctx, h, pubkey) {`
`221`	`228`	`return true, "restricted: you are not a member of this group"`
`222`	`229`	`}`
`223`	`230`	`}`