floonet-rs: whitelist the marketplace kind set
Test and build / test_floonet-rs (push) Has been cancelled
Test and build / test_floonet-rs (push) Has been cancelled
Extend the default-deny admission whitelist from the Goblin-wallet-only kinds to the union with Magick Market so one relay serves both apps, matching floonet-strfry. Adds 1 note, 7 reaction, 14/16/17 order+receipt (Gamma), 1111 comment, 10000 mute/blacklist, 24133 remote signing, 30000/30003 NIP-51 sets, 30078 app data, 30402/30405/30406 listing/collection/shipping, 31990 handler info. Keeps the Goblin base including 13 seal and 27235 NIP-98. DEFAULT_ALLOWED_KINDS, config.toml, and tests updated together.
This commit is contained in:
+21
-9
@@ -84,17 +84,29 @@ subscriptions_per_min = 30
|
||||
# THE KEYSTONE: default-deny event kind whitelist. The relay accepts
|
||||
# ONLY these kinds and rejects everything else. Removing the line
|
||||
# entirely keeps this exact built-in set (never allow-all); an empty
|
||||
# list denies everything.
|
||||
# list denies everything. The set is the union of the two apps this
|
||||
# relay serves (Goblin wallet + Magick Market marketplace).
|
||||
#
|
||||
# 0 profile metadata
|
||||
# 3 contacts
|
||||
# 5 delete (NIP-09)
|
||||
# 13 seal
|
||||
# Goblin wallet:
|
||||
# 0 profile metadata 10002 relay list (NIP-65)
|
||||
# 3 contacts 10050 DM relays (NIP-17)
|
||||
# 5 delete (NIP-09) 27235 HTTP auth (NIP-98, name authority)
|
||||
# 13 seal (NIP-59)
|
||||
# 1059 gift wrap (NIP-59)
|
||||
# 10002 relay list (NIP-65)
|
||||
# 10050 DM relays (NIP-17)
|
||||
# 27235 HTTP auth (NIP-98, used by the name authority)
|
||||
event_kind_allowlist = [0, 3, 5, 13, 1059, 10002, 10050, 27235]
|
||||
#
|
||||
# Magick Market marketplace:
|
||||
# 1 text note (NIP-01) 30000 people set (NIP-51)
|
||||
# 7 reaction (NIP-25) 30003 bookmark set (NIP-51)
|
||||
# 14 order chat (Gamma) 30078 app data: cart/prefs (NIP-78)
|
||||
# 16 order status (Gamma) 30402 product listing (NIP-99)
|
||||
# 17 payment receipt (Gamma) 30405 product collection (Gamma)
|
||||
# 1111 comment (NIP-22) 30406 shipping option (Gamma)
|
||||
# 10000 mute/blacklist (NIP-51) 31990 handler info (NIP-89)
|
||||
# 24133 remote signing (NIP-46)
|
||||
event_kind_allowlist = [
|
||||
0, 1, 3, 5, 7, 13, 14, 16, 17, 1059, 1111, 10000, 10002, 10050, 24133,
|
||||
27235, 30000, 30003, 30078, 30402, 30405, 30406, 31990,
|
||||
]
|
||||
|
||||
# Rejects imprecise requests (kind-only or author-only scrapes).
|
||||
limit_scrapers = false
|
||||
|
||||
+21
-9
@@ -16,11 +16,23 @@ use crate::config::Settings;
|
||||
use crate::event::Event;
|
||||
|
||||
/// The Floonet default kind whitelist, applied when the operator has not
|
||||
/// configured `event_kind_allowlist` explicitly. Kinds:
|
||||
/// 0 profile metadata, 3 contacts, 5 delete (NIP-09), 13 seal,
|
||||
/// 1059 gift wrap (NIP-59), 10002 relay list (NIP-65),
|
||||
/// 10050 DM relays (NIP-17), 27235 NIP-98 HTTP auth.
|
||||
pub const DEFAULT_ALLOWED_KINDS: [u64; 8] = [0, 3, 5, 13, 1059, 10002, 10050, 27235];
|
||||
/// configured `event_kind_allowlist` explicitly. It is the union of the two
|
||||
/// apps this relay serves (default-deny for everything else).
|
||||
///
|
||||
/// Goblin wallet: 0 profile, 3 contacts, 5 delete (NIP-09), 13 seal (NIP-59),
|
||||
/// 1059 gift wrap (NIP-59), 10002 relay list (NIP-65), 10050 DM relays
|
||||
/// (NIP-17), 27235 NIP-98 HTTP auth (name authority).
|
||||
///
|
||||
/// Magick Market: 1 text note, 7 reaction (NIP-25), 14 order chat, 16 order
|
||||
/// status, 17 payment receipt (Gamma), 1111 comment (NIP-22), 10000
|
||||
/// mute/blacklist, 30000 people set, 30003 bookmark set (NIP-51), 30078 app
|
||||
/// data (NIP-78), 30402 product listing (NIP-99), 30405 product collection,
|
||||
/// 30406 shipping option (Gamma), 31990 handler info (NIP-89), 24133 remote
|
||||
/// signing (NIP-46).
|
||||
pub const DEFAULT_ALLOWED_KINDS: [u64; 23] = [
|
||||
0, 1, 3, 5, 7, 13, 14, 16, 17, 1059, 1111, 10000, 10002, 10050, 24133,
|
||||
27235, 30000, 30003, 30078, 30402, 30405, 30406, 31990,
|
||||
];
|
||||
|
||||
/// Outcome of an admission check.
|
||||
#[derive(Debug, Clone, PartialEq, Eq)]
|
||||
@@ -186,8 +198,8 @@ mod tests {
|
||||
#[test]
|
||||
fn default_whitelist_rejects_disallowed_kinds() {
|
||||
let admission = Admission::from_settings(&floonet_settings());
|
||||
// kind 1 (short text note) and other common kinds are NOT accepted.
|
||||
for kind in [1u64, 4, 6, 7, 42, 1984, 9735, 30023] {
|
||||
// Common kinds outside the two-app whitelist are NOT accepted.
|
||||
for kind in [4u64, 6, 42, 1984, 9735, 25910, 30017, 30018, 30023] {
|
||||
match admission.check(&event_of_kind(kind), None) {
|
||||
Decision::Deny { auth_required, .. } => {
|
||||
assert!(!auth_required, "kind rejection is not an auth issue");
|
||||
@@ -203,7 +215,7 @@ mod tests {
|
||||
settings.limits.event_kind_allowlist = None;
|
||||
let admission = Admission::from_settings(&settings);
|
||||
assert_eq!(admission.check(&event_of_kind(1059), None), Decision::Allow);
|
||||
assert_ne!(admission.check(&event_of_kind(1), None), Decision::Allow);
|
||||
assert_ne!(admission.check(&event_of_kind(30023), None), Decision::Allow);
|
||||
}
|
||||
|
||||
#[test]
|
||||
@@ -272,7 +284,7 @@ mod tests {
|
||||
settings.authorization.nip42_auth = true;
|
||||
settings.authorization.require_auth_to_write = true;
|
||||
let admission = Admission::from_settings(&settings);
|
||||
match admission.check(&event_of_kind(1), None) {
|
||||
match admission.check(&event_of_kind(30023), None) {
|
||||
Decision::Deny { auth_required, .. } => {
|
||||
assert!(!auth_required, "disallowed kind must not leak auth hints");
|
||||
}
|
||||
|
||||
+3
-3
@@ -66,13 +66,13 @@ async fn whitelist_accepts_allowed_kind_and_rejects_disallowed() -> Result<()> {
|
||||
let relay = common::start_relay()?;
|
||||
common::wait_for_healthy_relay(&relay).await?;
|
||||
|
||||
// Kind 1 (short text note) is NOT in the Floonet whitelist: rejected.
|
||||
let (msg, id) = signed_event(1, "hello world");
|
||||
// Kind 30023 (long-form article) is NOT in the Floonet whitelist: rejected.
|
||||
let (msg, id) = signed_event(30023, "hello world");
|
||||
let ok = publish_and_get_ok(relay.port, &msg, &id).await?;
|
||||
assert_eq!(
|
||||
ok.get(2).and_then(Value::as_bool),
|
||||
Some(false),
|
||||
"kind 1 must be rejected: {ok}"
|
||||
"kind 30023 must be rejected: {ok}"
|
||||
);
|
||||
let reason = ok.get(3).and_then(Value::as_str).unwrap_or_default();
|
||||
assert!(
|
||||
|
||||
Reference in New Issue
Block a user