Implement NIP-42 (AUTH) challenge-response authentication for strfry, plus a session token mechanism that eliminates redundant signing on reconnection and unifies WebSocket/HTTP auth.
Changes:
- New src/SessionToken.h: HMAC-SHA256 session token generation/validation
- RelayIngester: AUTH and SESSION command handling, per-connection auth state tracking, operation gating when auth is required
- RelayServer.h: OpenConn message variant, session secret, auth helpers
- RelayWebsocket: AUTH challenge on connect, NIP-11 auth advertising, GET /auth/verify HTTP endpoint for session token validation
- cmd_relay: session secret init, auth config validation on startup
- golpe.yaml + strfry.conf: auth config (enabled, required, relayUrl, sessionTokenEnabled, sessionTokenLifetimeSeconds)
- README: full documentation including extension authentication guide
- Reject kind:22242 events via EVENT (must use AUTH per NIP-42 spec)
Three new auth features absorbing the best ideas from interceptor-proxy
into strfry natively, eliminating the need for a separate proxy process.
1. Anti-abuse tarpit (RelayIngester.cpp):
- Track failed AUTH attempts per connection (authFailCount)
- After tarpitThreshold (default 10) failures, delay responses by tarpitDelaySeconds (default 30s) on that connection
- Makes brute-force/replay attacks impractical
2. Sensitive event filtering (RelayReqWorker.cpp, RelayReqMonitor.cpp):
- Configurable sensitiveKinds JSON array (e.g. [4,1059,1060,...])
- Events of sensitive kinds only returned to author or p-tag recipients
- Subscription carries authedPubkey for per-subscriber filtering
- Batch sends in monitor filtered per-recipient via getSubAuthedPubkey()
- Protects DMs, gift wraps, sealed messages from unauthorized readers
3. Authorization plugin (RelayIngester.cpp):
- Long-running stdin/stdout plugin (same pattern as writePolicy)
- Called after successful NIP-42 or SESSION auth
- Returns {allowed, tier} where tier is 'full' or 'partial'
- Partial tier: write-only (EVENT allowed, REQ blocked)
- Fail-closed: plugin errors deny access
- Replaces interceptor-proxy's external config API
Supporting changes:
- golpe.yaml: 4 new config entries
- strfry.conf: documented all new options
- Subscription.h: added authedPubkey field
- ActiveMonitors.h: added getSubAuthedPubkey() lookup
- RelayServer.h: added parseSensitiveKinds(), isSensitiveEventAllowed() static helpers, updated ingesterProcessReq signature
- ConnectionAuth: added authTier, authFailCount fields
- README.md: full documentation for all three features with examples
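As an added illustration of two of the mechanisms described in the PR text above (this is example code, not code from this PR or from strfry): a stateless HMAC-SHA256 session token with a lifetime check, issued after a successful AUTH and verified without any server-side session table, and the sensitive-kinds gate that returns such events only to the author or a p-tag recipient. The token layout `pubkey.issued_at.mac`, the function names, and the default values are assumptions of this example; strfry's SessionToken.h may encode the token differently.

```python
import hmac
import hashlib
import secrets
import time
from typing import Optional

# Assumed defaults, mirroring the config names in the commit message
# (sessionTokenLifetimeSeconds, sensitiveKinds); the values are illustrative.
SESSION_TOKEN_LIFETIME_SECONDS = 86400
SENSITIVE_KINDS = {4, 1059, 1060}

HEX = set("0123456789abcdef")


def is_hex_pubkey(s: str) -> bool:
    """Nostr pubkeys are 32 bytes, lowercase hex (64 chars)."""
    return len(s) == 64 and set(s) <= HEX


def mint_session_token(secret: bytes, pubkey: str, issued_at: int) -> str:
    """Issue a stateless token after a successful NIP-42 AUTH.

    Layout (an assumption of this example): "<pubkey>.<issued_at>.<hex mac>".
    The MAC covers the pubkey and issue time, so neither can be altered
    without the relay's secret; no server-side session table is needed.
    """
    if not is_hex_pubkey(pubkey):
        raise ValueError("pubkey must be 64 lowercase hex chars")
    payload = f"{pubkey}.{issued_at}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{pubkey}.{issued_at}.{mac}"


def verify_session_token(secret: bytes, token: str, now: int,
                         lifetime: int = SESSION_TOKEN_LIFETIME_SECONDS) -> Optional[str]:
    """Return the authenticated pubkey, or None if the token is invalid or expired.

    Structural checks come first so every rejection path is cheap; the MAC is
    compared in constant time. A token dated in the future is rejected too,
    since a skewed issue time would otherwise stretch its lifetime.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    pubkey, issued_str, mac = parts
    if not is_hex_pubkey(pubkey) or not issued_str.isdigit():
        return None
    issued_at = int(issued_str)
    if now < issued_at or now - issued_at > lifetime:
        return None
    expected = hmac.new(secret, f"{pubkey}.{issued_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return pubkey


def is_sensitive_event_allowed(event: dict, authed_pubkey: Optional[str],
                               sensitive_kinds=SENSITIVE_KINDS) -> bool:
    """Gate for REQ results: sensitive kinds go only to the author or a p-tagged recipient.

    An unauthenticated subscriber (authed_pubkey is None) never receives them.
    """
    if event["kind"] not in sensitive_kinds:
        return True
    if authed_pubkey is None:
        return False
    if event["pubkey"] == authed_pubkey:
        return True
    return any(len(tag) >= 2 and tag[0] == "p" and tag[1] == authed_pubkey
               for tag in event.get("tags", []))


if __name__ == "__main__":
    # Constructed demo data: a random relay secret and two made-up pubkeys.
    relay_secret = secrets.token_bytes(32)
    alice = "a1" * 32
    bob = "b2" * 32
    now = int(time.time())

    token = mint_session_token(relay_secret, alice, now)
    print("fresh token ->", verify_session_token(relay_secret, token, now + 60))
    print("expired token ->", verify_session_token(relay_secret, token, now + SESSION_TOKEN_LIFETIME_SECONDS + 1))
    tampered = token.replace(alice, bob, 1)  # swap the pubkey, keep the old MAC
    print("tampered token ->", verify_session_token(relay_secret, tampered, now + 60))

    dm = {"kind": 4, "pubkey": alice, "tags": [["p", bob]], "content": "..."}
    print("author sees DM ->", is_sensitive_event_allowed(dm, alice))
    print("recipient sees DM ->", is_sensitive_event_allowed(dm, bob))
    print("anonymous sees DM ->", is_sensitive_event_allowed(dm, None))
```

The relay secret must be generated once at startup from a CSPRNG and kept out of config files and logs; rotating it invalidates every outstanding token, which is the only revocation a fully stateless token offers. If per-token revocation is needed, the token has to carry an identifier that the relay checks against a deny list, which reintroduces state.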
Owner:
This is a very big changeset. We're still discussing how AUTH can/should be implemented. What are your thoughts on the approach in #156? Please join our Telegram channel if you'd like to strike up a conversation on this: https://t.me/strfry_users
Nonce clientID for a unique origin string and create session tokens... why not? I haven't been here for every discussion, so forgive me if this has been suggested or attempted.
I am here to discover the meaning of sensible, stateless authentication.
What are the implications?
Godspeed.