Merge pull request #87 from planetary-social/giftwrap-allowed

Giftwrap allowed

roles/nos_social/templates/docker-compose.yml.tpl

@@ -20,7 +20,7 @@ services:
      - ./.env
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.nip05api.rule=(Host(`{{ domain }}`) && (PathPrefix(`/metrics`) || PathPrefix(`/api/`) || PathPrefix(`/.well-known`))) && !HostRegexp(`{subdomain:[a-zA-Z0-9-]+}.{{ domain }}`)"
+      - "traefik.http.routers.nip05api.rule=(Host(`{{ domain }}`) && (PathPrefix(`/metrics`) || PathPrefix(`/api/`) || PathPrefix(`/.well-known`)))
       - "traefik.http.routers.nip05api.entrypoints=websecure"
       - "traefik.http.middlewares.nip05api.ratelimit.average={{ nip05api_ratelimit_average }}"
       - "traefik.http.middlewares.nip05api.ratelimit.burst={{ nip05api_ratelimit_burst }}"
@@ -38,8 +38,7 @@ services:
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.redirect-service.entrypoints=websecure"
-      - "traefik.http.routers.redirect-service.rule=Host(`{{ domain }}`) && !PathPrefix(`/.well-known`)"
-      - "traefik.http.routers.redirect-service.rule=Host(`{{ domain }}`) && !PathPrefix(`/.well-known`) || (HostRegexp(`{subdomain:[a-zA-Z0-9-]+}.{{ domain }}`) && !HostRegexp(`traefik.{{ domain }}`))"
+      - "traefik.http.routers.redirect-service.rule=!PathPrefix(`/api/`) && !PathPrefix(`/.well-known`)
     networks:
       - proxy
 

roles/relay/files/allowed_rules.js

@@ -0,0 +1,41 @@
+#!/usr/bin/env node
+
+const ALLOWED = {
+  pubs: {
+    add5190be4673768546c18b565da3a699241f0e06a75e2dbc03f18663d1b7b27: true, // Reportinator
+  },
+  eventKinds: [
+    0, // Metadata
+    3, // Contacts
+    1059, // Gift wrap messages
+    10002, // Relay list metadata
+  ],
+};
+
+const rl = require("readline").createInterface({
+  input: process.stdin,
+  output: process.stdout,
+  terminal: false,
+});
+
+rl.on("line", (line) => {
+  let req = JSON.parse(line);
+
+  if (req.type === "lookback" || req.type !== "new") {
+    return;
+  }
+
+  let res = { id: req.event.id }; // must echo the event's id
+
+  const isAllowedPub = ALLOWED.pubs.hasOwnProperty(req.event.pubkey);
+  const isAllowedEventKind = ALLOWED.eventKinds.includes(req.event.kind);
+
+  if (isAllowedPub || isAllowedEventKind) {
+    res.action = "accept";
+  } else {
+    res.action = "reject";
+    res.msg = "blocked: pubkey not on white-list or event kind not allowed";
+  }
+
+  console.log(JSON.stringify(res));
+});

roles/relay/files/strfry.conf

@@ -53,7 +53,7 @@ relay {
 
     writePolicy {
         # If non-empty, path to an executable script that implements the writePolicy plugin logic
-        plugin = "./plugins/whitelist.js"
+        plugin = "./plugins/allowed_rules.js"
 
         # Number of seconds to search backwards for lookback events when starting the writePolicy plugin (0 for no lookback)
         lookbackSeconds = 0

roles/relay/tasks/main.yml

@@ -48,11 +48,11 @@
     mode: '0644'
 
 
-- name: Copy whitelist.js to relay dir
+- name: Copy allowed_rules.js to relay dir
   become: true
   ansible.builtin.copy:
-    src: "{{ role_path }}/files/whitelist.js"
-    dest: "{{ homedir }}/services/relay/whitelist.js"
+    src: "{{ role_path }}/files/allowed_rules.js"
+    dest: "{{ homedir }}/services/relay/allowed_rules.js"
     mode: '0755'
 
 

roles/relay/templates/docker-compose.yml.tpl

@@ -34,7 +34,7 @@ services:
     volumes:
       - ./strfry.conf:/etc/strfry.conf
       - ./strfrydb:/app/strfry-db
-      - ./whitelist.js:/app/plugins/whitelist.js
+      - ./allowed_rules.js:/app/plugins/allowed_rules.js
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.strfry.rule=Host(`{{ domain }}`) && Headers(`Accept`, `application/nostr+json`) || HeadersRegexp(`Connection`, `(?i)Upgrade`) && HeadersRegexp(`Upgrade`, `websocket`)"