Unintentional Mutation: SpaceJoin Publishes Signed Requests on Mount #263

New Issue

Closed

opened 2026-05-03 11:48:44 +00:00 by Khushvendra · 1 comment

Khushvendra commented 2026-05-03 11:48:44 +00:00

Contributor

Copy Link

Copy Source

Description

Opening the "Join Space" modal immediately fires off a signed RELAY_JOIN Nostr event to the relay before the user has actually confirmed their intent to join.

Code References

• SpaceJoin.svelte (Line 77): onMount immediately calls attemptRelayAccess(url) to check for errors/access.
• commands.ts (Lines 232-265): attemptRelayAccess connects to the socket, attempts auth, and on line 258 explicitly calls publishJoinRequest({url, claim}).
• commands.ts (Lines 480-484): publishJoinRequest publishes a signed RELAY_JOIN event.

Impact

If a user merely clicks a space link to view the modal and then clicks "Go back" or "Cancel", their client has already signed and broadcast a join request. This irreversibly mutates relay-side membership state without explicit user consent.

### Description Opening the "Join Space" modal immediately fires off a signed `RELAY_JOIN` Nostr event to the relay before the user has actually confirmed their intent to join. ### Code References * `SpaceJoin.svelte` (Line 77): `onMount` immediately calls `attemptRelayAccess(url)` to check for errors/access. * `commands.ts` (Lines 232-265): `attemptRelayAccess` connects to the socket, attempts auth, and on line 258 explicitly calls `publishJoinRequest({url, claim})`. * `commands.ts` (Lines 480-484): `publishJoinRequest` publishes a signed `RELAY_JOIN` event. ### Impact If a user merely clicks a space link to view the modal and then clicks "Go back" or "Cancel", their client has already signed and broadcast a join request. This irreversibly mutates relay-side membership state without explicit user consent.

hodlbod commented 2026-05-06 19:48:35 +00:00

Owner

Copy Link

Copy Source

Fixed in 341c1b45b2

Fixed in 341c1b45b2f270e0402070b19a76de04e38050cb

hodlbod closed this issue 2026-05-06 19:48:35 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

dev

master

hodlbod/sandbox

video-demo

1.8.0

1.7.4

1.7.3

1.7.2

1.7.1

1.7.0

1.6.5

1.6.4

1.6.3

1.6.2

1.6.1

1.6.0

1.5.3

1.5.2

1.5.1

1.5.0

1.4.1

1.4.0

1.3.1

1.3.0

1.2.5

1.2.4

1.2.3

1.2.2

1.2.1

1.2.0

1.1.1

1.1.0

0.1.1

1.0.4

1.0.3

1.0.2

1.0.1

1.0.0

0.2.14

0.2.13

0.2.12

0.2.11

0.2.10

0.2.9

0.2.8

0.2.7

0.2.6

0.2.5

0.2.4

0.2.3

0.2.2

0.2.1

0.2.0

0.1.0

Labels

Clear labels

design

For issues related to design work. Development should be done in another issue and refer back to this one.

dev

Issues related to development work

easy

Issues that can be executed on by new contributors

idea

For issues that aren't yet actionable

priority

For issues related to high priority features and bugs

usability

Issues that have to be validated with real live human beings.

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

hodlbod (hodlbod) mplorentz (Matt Lorentz) sakshamjain (Saksham Jain) sondreb triesap userAdityaa (Aditya Chaudhary)

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: coracle/flotilla#263