coracle/zooid
1
2
Fork 3
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: coracle/zooid:aa0eba1fbeb708ad18c3afd4245812fd722a4acc
Branches Tags
coracle/zooid:dev coracle/zooid:signevent coracle/zooid:master
..
compare: coracle/zooid:dev
Branches Tags
coracle/zooid:dev coracle/zooid:signevent coracle/zooid:master

22 Commits
aa0eba1fbe .. dev

Author SHA1 Message Date
Jon Staab a8871da100 Add signevent method 2026-06-22 17:29:29 -07:00
Jon Staab 918f2c2c1c Broadcast role deletion 2026-06-22 13:16:55 -07:00
Jon Staab 0b319989e9 Add relay roles 2026-06-22 11:06:51 -07:00
Jon Staab e992b84f4f Add top-level livekit webhook
Docker / build-and-push-image (push) Successful in 3m3s
Details
2026-06-16 09:43:56 -07:00
Jon Staab f9c752801f Create rooms with relay as metadata 2026-06-16 08:20:47 -07:00
Jon Staab a4cc9f53a8 If groups are disabled, treat h tagged events as regular events
Docker / build-and-push-image (push) Successful in 2m58s
Details
2026-06-15 09:29:12 -07:00
Jon Staab 213ce1694d Prevent removing permanent admins from member list
Docker / build-and-push-image (push) Successful in 3m40s
Details
2026-06-09 10:10:32 -07:00
Jon Staab 6a4dff3f51 Fix patch and tests
Docker / build-and-push-image (push) Successful in 2m58s
Details
2026-06-01 16:54:29 -07:00
Jon Staab e9260f40f1 Clean up config file name stuff 2026-05-26 15:50:14 -07:00
Jon Staab 2fcc48abed Document blossom s3 options 2026-05-12 14:44:30 -07:00
Jon Staab ea145079f4 Clean up api and blossom
Docker / build-and-push-image (push) Successful in 2m56s
Details
2026-05-12 14:08:56 -07:00
userAdityaa f40e909863 feat(blossom): optional S3-compatible blob storage 2026-05-12 14:08:56 -07:00
Jon Staab fd645c1e0a Move containers to gitea registry
Docker / build-and-push-image (push) Successful in 2m52s
Details
2026-05-12 10:07:33 -07:00
Jon Staab 9e56d47fc0 Add blossom.authenticated_read config setting
Docker / build-and-push-image (push) Successful in 5m16s
Details
2026-05-06 16:45:46 -07:00
Jon Staab 6ef94a76c8 Bump khatru to fix broadcast bug
Docker / build-and-push-image (push) Successful in 3m0s
Details
2026-05-05 12:03:41 -07:00
Jon Staab f48d4a0d12 Spiff up the readme
Docker / build-and-push-image (push) Successful in 2m38s
Details
2026-04-28 14:02:54 -07:00
Jon Staab 34c02b45b2 tweak readme
Docker / build-and-push-image (push) Successful in 4m20s
Details
2026-04-25 06:00:31 -07:00
Jon Staab 9960a0fae8 Attempt to reduce memory requirements for docker build
Docker / build-and-push-image (push) Successful in 4m38s
Details
2026-04-22 15:38:43 -07:00
Jon Staab 959d019b54 A little more refactoring
Docker / build-and-push-image (push) Failing after 16m8s
Details
2026-04-22 14:46:43 -07:00
Jon Staab 53bf913fe6 Fix some bugs
Docker / build-and-push-image (push) Has been cancelled
Details
2026-04-22 14:40:37 -07:00
Jon Staab b3c2ee7f87 Use serve mux for api handler 2026-04-22 14:07:54 -07:00
Jon Staab 081c4765ed Do a little cleanup on the api 2026-04-22 13:52:20 -07:00
28 changed files with 1577 additions and 560 deletions
Expand all files Collapse all files
.ackrc
+1
View File
@@ -1 +1,2 @@
--ignore-dir=bin
--ignore-dir=.claude
.fdignore
+1
View File
@@ -1,3 +1,4 @@
bin
data
media
.claude
.gitea/workflows/docker-publish.yml
+5 -4
View File
@@ -5,8 +5,8 @@ on:
branches: [master]
env:
REGISTRY: ghcr.io
IMAGE_NAME: coracle-social/zooid
REGISTRY: gitea.coracle.social
IMAGE_NAME: coracle/zooid
jobs:
build-and-push-image:
@@ -23,8 +23,8 @@ jobs:
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
username: hodlbod
password: ${{ secrets.PACKAGE_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
@@ -48,3 +48,4 @@ jobs:
platforms: linux/amd64,linux/arm64
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
.gitignore
+1
View File
@@ -4,3 +4,4 @@ config
media
data
relay
.claude
Dockerfile
+11 -2
View File
@@ -1,7 +1,13 @@
FROM golang AS build
FROM --platform=$BUILDPLATFORM golang:1.25 AS build
ARG TARGETOS TARGETARCH
WORKDIR /app
RUN apt-get update && apt-get install -y --no-install-recommends \
gcc-aarch64-linux-gnu libc6-dev-arm64-cross \
&& rm -rf /var/lib/apt/lists/*
COPY go.mod go.sum ./
RUN go mod download
@@ -9,7 +15,10 @@ RUN go mod download
COPY zooid zooid
COPY cmd cmd
RUN CGO_ENABLED=1 GOOS=linux go build -o bin/zooid cmd/relay/main.go
RUN set -eux; \
if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc; fi; \
CGO_ENABLED=1 GOOS=$TARGETOS GOARCH=$TARGETARCH \
go build -o bin/zooid cmd/relay/main.go
FROM gcr.io/distroless/base-debian12 AS run
README.md
+63 -19
View File
@@ -1,6 +1,41 @@
# Zooid
<p align="center">
<img src="./zooid-wordmark.jpeg" alt="Zooid" width="280" />
</p>
This is a multi-tenant relay based on [Khatru](https://gitworkshop.dev/fiatjaf.com/nostrlib/tree/master/khatru) which implements a range of access controls. It's designed to be used with [Flotilla](https://flotilla.social) as a community relay (complete with NIP 29 support), but it can also be used outside of a community context.
<p align="center">
<b>A multi-tenant Nostr relay for communities.</b>
</p>
<p align="center">
<a href="#quick-start">Quick start</a> ·
<a href="#configuration">Configuration</a> ·
<a href="#api">API</a>
</p>
---
Zooid is a multi-tenant relay built on [Khatru](https://gitworkshop.dev/fiatjaf.com/nostrlib/tree/master/khatru) with a flexible set of access controls. It's designed to pair with [Flotilla](https://flotilla.social) as a community relay (with full NIP 29 support), but it works just fine outside of a community context too.
## Features
- **Multi-tenant** — run any number of virtual relays from a single instance, each with its own host, schema, and policy.
- **Community-ready** — first-class support for [NIP 29](https://github.com/nostr-protocol/nips/blob/master/29.md) groups, invite codes, and role-based access.
- **Batteries included** — optional [Blossom](https://github.com/hzrd149/blossom) media, [NIP 86](https://github.com/nostr-protocol/nips/blob/master/86.md) management, [NIP 9a](https://github.com/nostr-protocol/nips/pull/1079) push, and [LiveKit](https://livekit.io/) audio/video calls.
- **Remotely manageable** — JSON REST API authenticated via [NIP 98](https://github.com/nostr-protocol/nips/blob/master/98.md).
- **Operationally simple** — single binary, SQLite storage, OCI container, optional pprof.
## Quick start
```sh
docker run -it \
-p 3334:3334 \
-v ./config:/app/config \
-v ./media:/app/media \
-v ./data:/app/data \
gitea.coracle.social/coracle/zooid
```
Drop a TOML config file into `./config/` (see [Configuration](#configuration)) and the relay will be available at `ws://<host>:3334`.
## Architecture
@@ -13,9 +48,9 @@ Zooid supports a few environment variables, which configure shared resources lik
- `PORT` - the port the server will listen on for all requests. Defaults to `3334`.
- `CONFIG` - where to store relay configuration files. Defaults to `./config`.
- `MEDIA` - where to store blossom media files. Defaults to `./media`.
- `DATA` - where to store databse files. Defaults to `./data`.
- `DATA` - where to store database files. Defaults to `./data`.
- `API_HOST` - the hostname on which to expose the management API. If not set, the API is disabled.
- `API_WHITELIST` - a comma-separated list of nostr hex pubkeys authorized to use the management API. Required when `API_HOST` is set.
- `API_WHITELIST` - a comma-separated list of nostr hex pubkeys authorized to use the management API.
- `PPROF_ADDR` - an http host to serve pprof stats on.
## Configuration
@@ -60,6 +95,19 @@ Configures NIP 86 support.
Configures blossom support.
- `enabled` - whether blossom is enabled.
- `authenticated_read` - whether users must perform NIP 98 AUTH in order to fetch a file.
- `adapter` - where to store blobs. Either `local` (the default, stores files under `MEDIA`) or `s3` (stores files in an S3-compatible bucket).
#### `[blossom.s3]`
Configures S3-compatible object storage, used when `blossom.adapter` is `s3`.
- `endpoint` - the S3 endpoint URL. Optional; leave unset to use AWS S3.
- `region` - the bucket region. Required when `adapter` is `s3`.
- `bucket` - the bucket name. Required when `adapter` is `s3`.
- `access_key` - the access key ID. Required when `adapter` is `s3`.
- `secret_key` - the secret access key. Required when `adapter` is `s3`.
- `key_prefix` - an optional prefix prepended to every object key.
### `[push]`
@@ -85,14 +133,19 @@ A special `[roles.member]` heading may be used to configure policies for all rel
- `api_key` - a key identifying this relay, assigned by the Livekit server.
- `api_secret` - a secret key authenticating this relay, assigned by the Livekit server.
On your LiveKit server you should also set up a webhook that points to `https://yourrelay.com/.well-known/nip29/livekit/webhook`. This allows LiveKit to notify your relay when people join rooms so it can publish a kind 39004 event.
On your LiveKit server you should also set up a webhook so LiveKit can notify the relay when people join or leave rooms; the relay uses these notifications to publish a kind 39004 presence event. How you point the webhook depends on how many relays share a LiveKit project:
- **One relay, or a dedicated LiveKit project per relay** — point the webhook at that relay's own `https://yourrelay.com/.well-known/nip29/livekit/webhook`.
- **Several relays sharing one LiveKit project** — point the webhook at the management API's `https://api.relayplatform.com/.well-known/nip29/livekit/webhook` instead. zooid stamps each room's metadata with the owning relay's `schema` when it creates the room, so this shared endpoint routes every event to the relay that owns the room. This requires `API_HOST` to be set.
Either way the webhook is authenticated by LiveKit's own request signature (signed with the relay's `api_secret`) rather than NIP 98, so the shared endpoint is exempt from the `API_WHITELIST`. Configure LiveKit to sign webhooks with the same `api_key`/`api_secret` the relay uses, or the relay will reject them.
### Example
The below config file might be saved as `./config/my-relay.example.com` in order to route requests from `wss://my-relay.example.com` to this virtual relay.
The below config file might be saved as `./config/my-relay.example.com` in order to route requests from `wss://my-relay.example.com:3334` to this virtual relay.
```toml
host = "my-relay.example.com"
host = "my-relay.example.com:3334"
schema = "my_relay"
secret = "<hex private key>"
@@ -128,7 +181,7 @@ can_manage = true
## API
When `API_HOST` and `API_WHITELIST` are configured, a JSON REST API is available for managing virtual relays remotely. All API requests must be authenticated using [NIP 98](https://github.com/nostr-protocol/nips/blob/master/98.md) HTTP AUTH.
When `API_HOST` is configured, a JSON REST API is available for managing virtual relays remotely. All API requests must be authenticated using [NIP 98](https://github.com/nostr-protocol/nips/blob/master/98.md) HTTP AUTH signed by a pubkey listed in `API_WHITELIST`.
The API accepts JSON config objects and stores them as TOML files in the `CONFIG` directory. Configs are validated for required fields (`host`, `schema`, `secret`) and duplicate checking (`schema` and `host` must be unique across all relays).
@@ -151,15 +204,6 @@ After running `just build`, a number of scripts will be available:
See `justfile` for defined commands.
## Deploying
## License
Zooid can be run using an OCI container:
```sh
podman run -it \
-p 3334:3334 \
-v ./config:/app/config \
-v ./media:/app/media \
-v ./data:/app/data \
ghcr.io/coracle-social/zooid
```
[MIT](./LICENSE)
cmd/export/main.go
+4 -4
View File
@@ -25,11 +25,11 @@ func main() {
os.Exit(1)
}
// Load config for the specified relay
filename := fmt.Sprintf("%s.toml", *relay)
config, err := zooid.LoadConfig(filename)
name := zooid.ConfigNameFromId(*relay)
path := zooid.ConfigPathFromName(name)
config, err := zooid.LoadConfigFromPath(path)
if err != nil {
fmt.Fprintln(os.Stderr, "No such config file", filename)
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
cmd/import/main.go
+4 -4
View File
@@ -39,11 +39,11 @@ func main() {
os.Exit(1)
}
// Load config for the specified relay
filename := fmt.Sprintf("%s.toml", *relay)
config, err := zooid.LoadConfig(filename)
name := zooid.ConfigNameFromId(*relay)
path := zooid.ConfigPathFromName(name)
config, err := zooid.LoadConfigFromPath(path)
if err != nil {
fmt.Fprintln(os.Stderr, "No such config file", filename)
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
cmd/relay/main.go
+2 -4
View File
@@ -21,8 +21,6 @@ func main() {
port := zooid.Env("PORT")
apiHost := zooid.Env("API_HOST")
apiWhitelist := zooid.Env("API_WHITELIST")
configDir := zooid.Env("CONFIG")
pprofAddr := zooid.Env("PPROF_ADDR")
// pprof server — only starts when PPROF_ADDR is set. Bind to
@@ -50,8 +48,8 @@ func main() {
// Wrap with API handler if API_HOST is configured
var handler http.Handler = mainHandler
if apiHost != "" && apiWhitelist != "" {
apiHandler := zooid.NewAPIHandler(apiWhitelist, configDir)
if apiHost != "" {
apiHandler := zooid.NewAPIHandler()
handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Check if this request is for the API host
if r.Host == apiHost {
go.mod
+21 -4
View File
@@ -6,8 +6,11 @@ require (
fiatjaf.com/nostr v0.0.0-20251104112613-38a6ca92b954
github.com/BurntSushi/toml v1.5.0
github.com/Masterminds/squirrel v1.5.4
github.com/aws/aws-sdk-go-v2 v1.41.7
github.com/aws/aws-sdk-go-v2/config v1.32.17
github.com/aws/aws-sdk-go-v2/credentials v1.19.16
github.com/aws/aws-sdk-go-v2/service/s3 v1.101.0
github.com/fsnotify/fsnotify v1.9.0
github.com/gosimple/slug v1.15.0
github.com/livekit/protocol v1.43.5-0.20260114074149-a8bb8204ce69
github.com/mattn/go-sqlite3 v1.14.32
github.com/spf13/afero v1.15.0
@@ -18,14 +21,29 @@ require (
buf.build/go/protovalidate v0.13.1 // indirect
buf.build/go/protoyaml v0.6.0 // indirect
cel.dev/expr v0.24.0 // indirect
fiatjaf.com/lib v0.3.6 // indirect
fiatjaf.com/lib v0.3.7 // indirect
github.com/ImVexed/fasturl v0.0.0-20230304231329-4e41488060f3 // indirect
github.com/andybalholm/brotli v1.1.1 // indirect
github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.10 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.23 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23 // indirect
github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.24 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.15 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.23 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.23 // indirect
github.com/aws/aws-sdk-go-v2/service/signin v1.0.11 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.30.17 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.21 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.42.1 // indirect
github.com/aws/smithy-go v1.25.1 // indirect
github.com/benbjohnson/clock v1.3.5 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bep/debounce v1.2.1 // indirect
github.com/btcsuite/btcd/btcec/v2 v2.3.4 // indirect
github.com/btcsuite/btcd/btcutil v1.1.5 // indirect
github.com/btcsuite/btcd/chaincfg/chainhash v1.1.0 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/coder/websocket v1.8.13 // indirect
@@ -40,7 +58,6 @@ require (
github.com/go-logr/logr v1.4.3 // indirect
github.com/google/cel-go v0.25.0 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/gosimple/unidecode v1.0.1 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
github.com/josharian/intern v1.0.0 // indirect
@@ -114,4 +131,4 @@ require (
gopkg.in/yaml.v3 v3.0.1 // indirect
)
replace fiatjaf.com/nostr => gitea.coracle.social/Coracle/nostrlib v0.0.0-20260414151249-4daeb8737c1c
replace fiatjaf.com/nostr => gitea.coracle.social/Coracle/nostrlib v0.0.0-20260623001341-fa7d25a59b3d
go.sum
+122 -11
View File
@@ -8,12 +8,10 @@ cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
fiatjaf.com/lib v0.3.6 h1:GRZNSxHI2EWdjSKVuzaT+c0aifLDtS16SzkeJaHyJfY=
fiatjaf.com/lib v0.3.6/go.mod h1:UlHaZvPHj25PtKLh9GjZkUHRmQ2xZ8Jkoa4VRaLeeQ8=
gitea.coracle.social/Coracle/nostrlib v0.0.0-20260313164927-662e7d271c47 h1:Pg/8ZXG2diV3uWbgt3mcAWF2ifL4FZXwotieokY8TBA=
gitea.coracle.social/Coracle/nostrlib v0.0.0-20260313164927-662e7d271c47/go.mod h1:ue7yw0zHfZj23Ml2kVSdBx0ENEaZiuvGxs/8VEN93FU=
gitea.coracle.social/Coracle/nostrlib v0.0.0-20260414151249-4daeb8737c1c h1:RqKwqUz1R3LQC2IcsdsyYHEUAZACIAKYxGuntyBCGw8=
gitea.coracle.social/Coracle/nostrlib v0.0.0-20260414151249-4daeb8737c1c/go.mod h1:1cmygNC87Pw06/WjkZqDV+Xo6rV10kpTjzuayosIX4Y=
fiatjaf.com/lib v0.3.7 h1:mXZOn7NrUcjSdy4oNvwQyAmes7Ueb+Zr5hjqMIe2dxI=
fiatjaf.com/lib v0.3.7/go.mod h1:UlHaZvPHj25PtKLh9GjZkUHRmQ2xZ8Jkoa4VRaLeeQ8=
gitea.coracle.social/Coracle/nostrlib v0.0.0-20260623001341-fa7d25a59b3d h1:Ws4dqvn6Fou5DvrdrrctHfbXgENPpa+QBXXRb95P3Zw=
gitea.coracle.social/Coracle/nostrlib v0.0.0-20260623001341-fa7d25a59b3d/go.mod h1:b1EIUDnd133Ie8Pg8O/biaKdFyCMz28aD4n64g1GqvM=
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
@@ -28,10 +26,47 @@ github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEV
github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk=
github.com/PowerDNS/lmdb-go v1.9.3 h1:AUMY2pZT8WRpkEv39I9Id3MuoHd+NZbTVpNhruVkPTg=
github.com/PowerDNS/lmdb-go v1.9.3/go.mod h1:TE0l+EZK8Z1B4dx070ZxkWTlp8RG1mjN0/+FkFRQMtU=
github.com/aead/siphash v1.0.1/go.mod h1:Nywa3cDsYNNK3gaciGTWPwHt0wlpNV15vwmswBAUSII=
github.com/andybalholm/brotli v1.1.1 h1:PR2pgnyFznKEugtsUo0xLdDop5SKXd5Qf5ysW+7XdTA=
github.com/andybalholm/brotli v1.1.1/go.mod h1:05ib4cKhjx3OQYUY22hTVd34Bc8upXjOLL2rKwwZBoA=
github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ=
github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw=
github.com/aws/aws-sdk-go-v2 v1.41.7 h1:DWpAJt66FmnnaRIOT/8ASTucrvuDPZASqhhLey6tLY8=
github.com/aws/aws-sdk-go-v2 v1.41.7/go.mod h1:4LAfZOPHNVNQEckOACQx60Y8pSRjIkNZQz1w92xpMJc=
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.10 h1:gx1AwW1Iyk9Z9dD9F4akX5gnN3QZwUB20GGKH/I+Rho=
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.10/go.mod h1:qqY157uZoqm5OXq/amuaBJyC9hgBCBQnsaWnPe905GY=
github.com/aws/aws-sdk-go-v2/config v1.32.17 h1:FpL4/758/diKwqbytU0prpuiu60fgXKUWCpDJtApclU=
github.com/aws/aws-sdk-go-v2/config v1.32.17/go.mod h1:OXqUMzgXytfoF9JaKkhrOYsyh72t9G+MJH8mMRaexOE=
github.com/aws/aws-sdk-go-v2/credentials v1.19.16 h1:r3RJBuU7X9ibt8RHbMjWE6y60QbKBiII6wSrXnapxSU=
github.com/aws/aws-sdk-go-v2/credentials v1.19.16/go.mod h1:6cx7zqDENJDbBIIWX6P8s0h6hqHC8Avbjh9Dseo27ug=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.23 h1:UuSfcORqNSz/ey3VPRS8TcVH2Ikf0/sC+Hdj400QI6U=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.23/go.mod h1:+G/OSGiOFnSOkYloKj/9M35s74LgVAdJBSD5lsFfqKg=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23 h1:GpT/TrnBYuE5gan2cZbTtvP+JlHsutdmlV2YfEyNde0=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23/go.mod h1:xYWD6BS9ywC5bS3sz9Xh04whO/hzK2plt2Zkyrp4JuA=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23 h1:bpd8vxhlQi2r1hiueOw02f/duEPTMK59Q4QMAoTTtTo=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23/go.mod h1:15DfR2nw+CRHIk0tqNyifu3G1YdAOy68RftkhMDDwYk=
github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.24 h1:OQqn11BtaYv1WLUowvcA30MpzIu8Ti4pcLPIIyoKZrA=
github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.24/go.mod h1:X5ZJyfwVrWA96GzPmUCWFQaEARPR7gCrpq2E92PJwAE=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9 h1:FLudkZLt5ci0ozzgkVo8BJGwvqNaZbTWb3UcucAateA=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9/go.mod h1:w7wZ/s9qK7c8g4al+UyoF1Sp/Z45UwMGcqIzLWVQHWk=
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.15 h1:ieLCO1JxUWuxTZ1cRd0GAaeX7O6cIxnwk7tc1LsQhC4=
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.15/go.mod h1:e3IzZvQ3kAWNykvE0Tr0RDZCMFInMvhku3qNpcIQXhM=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.23 h1:pbrxO/kuIwgEsOPLkaHu0O+m4fNgLU8B3vxQ+72jTPw=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.23/go.mod h1:/CMNUqoj46HpS3MNRDEDIwcgEnrtZlKRaHNaHxIFpNA=
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.23 h1:03xatSQO4+AM1lTAbnRg5OK528EUg744nW7F73U8DKw=
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.23/go.mod h1:M8l3mwgx5ToK7wot2sBBce/ojzgnPzZXUV445gTSyE8=
github.com/aws/aws-sdk-go-v2/service/s3 v1.101.0 h1:etqBTKY581iwLL/H/S2sVgk3C9lAsTJFeXWFDsDcWOU=
github.com/aws/aws-sdk-go-v2/service/s3 v1.101.0/go.mod h1:L2dcoOgS2VSgbPLvpak2NyUPsO1TBN7M45Z4H7DlRc4=
github.com/aws/aws-sdk-go-v2/service/signin v1.0.11 h1:TdJ+HdzOBhU8+iVAOGUTU63VXopcumCOF1paFulHWZc=
github.com/aws/aws-sdk-go-v2/service/signin v1.0.11/go.mod h1:R82ZRExE/nheo0N+T8zHPcLRTcH8MGsnR3BiVGX0TwI=
github.com/aws/aws-sdk-go-v2/service/sso v1.30.17 h1:7byT8HUWrgoRp6sXjxtZwgOKfhss5fW6SkLBtqzgRoE=
github.com/aws/aws-sdk-go-v2/service/sso v1.30.17/go.mod h1:xNWknVi4Ezm1vg1QsB/5EWpAJURq22uqd38U8qKvOJc=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.21 h1:+1Kl1zx6bWi4X7cKi3VYh29h8BvsCoHQEQ6ST9X8w7w=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.21/go.mod h1:4vIRDq+CJB2xFAXZ+YgGUTiEft7oAQlhIs71xcSeuVg=
github.com/aws/aws-sdk-go-v2/service/sts v1.42.1 h1:F/M5Y9I3nwr2IEpshZgh1GeHpOItExNM9L1euNuh/fk=
github.com/aws/aws-sdk-go-v2/service/sts v1.42.1/go.mod h1:mTNxImtovCOEEuD65mKW7DCsL+2gjEH+RPEAexAzAio=
github.com/aws/smithy-go v1.25.1 h1:J8ERsGSU7d+aCmdQur5Txg6bVoYelvQJgtZehD12GkI=
github.com/aws/smithy-go v1.25.1/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
github.com/benbjohnson/clock v1.3.5 h1:VvXlSJBzZpA/zum6Sj74hxwYI2DIxRWuNIoXAzHZz5o=
github.com/benbjohnson/clock v1.3.5/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -42,13 +77,30 @@ github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
github.com/btcsuite/btcd v0.24.2 h1:aLmxPguqxza+4ag8R1I2nnJjSu2iFn/kqtHTIImswcY=
github.com/btcsuite/btcd v0.20.1-beta/go.mod h1:wVuoA8VJLEcwgqHBwHmzLRazpKxTv13Px/pDuV7OomQ=
github.com/btcsuite/btcd v0.22.0-beta.0.20220111032746-97732e52810c/go.mod h1:tjmYdS6MLJ5/s0Fj4DbLgSbDHbEqLJrtnHecBFkdz5M=
github.com/btcsuite/btcd v0.23.5-0.20231215221805-96c9fd8078fd/go.mod h1:nm3Bko6zh6bWP60UxwoT5LzdGJsQJaPo6HjduXq9p6A=
github.com/btcsuite/btcd/btcec/v2 v2.1.0/go.mod h1:2VzYrv4Gm4apmbVVsSq5bqf1Ec8v56E48Vt0Y/umPgA=
github.com/btcsuite/btcd/btcec/v2 v2.1.3/go.mod h1:ctjw4H1kknNJmRN4iP1R7bTQ+v3GJkZBd6mui8ZsAZE=
github.com/btcsuite/btcd/btcec/v2 v2.3.4 h1:3EJjcN70HCu/mwqlUsGK8GcNVyLVxFDlWurTXGPFfiQ=
github.com/btcsuite/btcd/btcec/v2 v2.3.4/go.mod h1:zYzJ8etWJQIv1Ogk7OzpWjowwOdXY1W/17j2MW85J04=
github.com/btcsuite/btcd/btcutil v1.0.0/go.mod h1:Uoxwv0pqYWhD//tfTiipkxNfdhG9UrLwaeswfjfdF0A=
github.com/btcsuite/btcd/btcutil v1.1.0/go.mod h1:5OapHB7A2hBBWLm48mmw4MOHNJCcUBTwmWH/0Jn8VHE=
github.com/btcsuite/btcd/btcutil v1.1.5 h1:+wER79R5670vs/ZusMTF1yTcRYE5GUsFbdjdisflzM8=
github.com/btcsuite/btcd/btcutil v1.1.5/go.mod h1:PSZZ4UitpLBWzxGd5VGOrLnmOjtPP/a6HaFo12zMs00=
github.com/btcsuite/btcd/chaincfg/chainhash v1.0.0/go.mod h1:7SFka0XMvUgj3hfZtydOrQY2mwhPclbT2snogU7SQQc=
github.com/btcsuite/btcd/chaincfg/chainhash v1.0.1/go.mod h1:7SFka0XMvUgj3hfZtydOrQY2mwhPclbT2snogU7SQQc=
github.com/btcsuite/btcd/chaincfg/chainhash v1.1.0 h1:59Kx4K6lzOW5w6nFlA0v5+lk/6sjybR934QNHSJZPTQ=
github.com/btcsuite/btcd/chaincfg/chainhash v1.1.0/go.mod h1:7SFka0XMvUgj3hfZtydOrQY2mwhPclbT2snogU7SQQc=
github.com/btcsuite/btclog v0.0.0-20170628155309-84c8d2346e9f/go.mod h1:TdznJufoqS23FtqVCzL0ZqgP5MqXbb4fg/WgDys70nA=
github.com/btcsuite/btcutil v0.0.0-20190425235716-9e5f4b9a998d/go.mod h1:+5NJ2+qvTyV9exUAL/rxXi3DcLg2Ts+ymUAY5y4NvMg=
github.com/btcsuite/go-socks v0.0.0-20170105172521-4720035b7bfd/go.mod h1:HHNXQzUsZCxOoE+CPiyCTO6x34Zs86zZUiwtpXoGdtg=
github.com/btcsuite/goleveldb v0.0.0-20160330041536-7834afc9e8cd/go.mod h1:F+uVaaLLH7j4eDXPRvw78tMflu7Ie2bzYOH4Y8rRKBY=
github.com/btcsuite/goleveldb v1.0.0/go.mod h1:QiK9vBlgftBg6rWQIj6wFzbPfRjiykIEhBH4obrXJ/I=
github.com/btcsuite/snappy-go v0.0.0-20151229074030-0bdef8d06723/go.mod h1:8woku9dyThutzjeg+3xrA5iCpBRH8XEEg3lh6TiUghc=
github.com/btcsuite/snappy-go v1.0.0/go.mod h1:8woku9dyThutzjeg+3xrA5iCpBRH8XEEg3lh6TiUghc=
github.com/btcsuite/websocket v0.0.0-20150119174127-31079b680792/go.mod h1:ghJtEyQwv5/p4Mg4C0fgbePVuGr935/5ddU9Z3TmDRY=
github.com/btcsuite/winsvc v1.0.0/go.mod h1:jsenWakMcC0zFBFurPLEAyrnc/teJEM1O46fmI40EZs=
github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -57,13 +109,17 @@ github.com/coder/websocket v1.8.13 h1:f3QZdXy7uGVz+4uCJy2nTZyM0yTBj8yANEHhqlXZ9F
github.com/coder/websocket v1.8.13/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8=
github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ=
github.com/davecgh/go-spew v0.0.0-20171005155431-ecdeabc65495/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
github.com/decred/dcrd/crypto/blake256 v1.1.0 h1:zPMNGQCm0g4QTY27fOCorQW7EryeQ/U0x++OzVrdms8=
github.com/decred/dcrd/crypto/blake256 v1.1.0/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1/go.mod h1:hyedUtir6IdtD/7lIxGeCxkaw7y45JueMRL4DIyJDKs=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
github.com/decred/dcrd/lru v1.0.0/go.mod h1:mxKOwFd7lFjN2GZYsiz/ecgqR6kkYAl+0pz0tEMk218=
github.com/dennwc/iters v1.1.0 h1:PsS3DbOU7GxSUQO0e7SGmzHkPhtwOlwbqggJ++Bgnr8=
github.com/dennwc/iters v1.1.0/go.mod h1:M9KuuMBeyEXYTmB7EnI9SCyALFCmPWOIxn5W1L0CjGg=
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
@@ -83,6 +139,8 @@ github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
github.com/frostbyte73/core v0.1.1 h1:ChhJOR7bAKOCPbA+lqDLE2cGKlCG5JXsDvvQr4YaJIA=
github.com/frostbyte73/core v0.1.1/go.mod h1:mhfOtR+xWAvwXiwor7jnqPMnu4fxbv1F2MwZ0BEpzZo=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
github.com/gammazero/deque v1.1.0 h1:OyiyReBbnEG2PP0Bnv1AASLIYvyKqIFN5xfl1t8oGLo=
@@ -93,10 +151,21 @@ github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
github.com/google/cel-go v0.25.0 h1:jsFw9Fhn+3y2kBbltZR4VEz5xKkcIFRPDnuEzAGv5GY=
github.com/google/cel-go v0.25.0/go.mod h1:hjEb6r5SuOSlhCHmFoLzu8HGCERvIsDAbxDAyNU/MmI=
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
@@ -105,22 +174,24 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaU
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/gosimple/slug v1.15.0 h1:wRZHsRrRcs6b0XnxMUBM6WK1U1Vg5B0R7VkIf1Xzobo=
github.com/gosimple/slug v1.15.0/go.mod h1:UiRaFH+GEilHstLUmcBgWcI42viBN7mAb818JrYOeFQ=
github.com/gosimple/unidecode v1.0.1 h1:hZzFTMMqSswvf0LBJZCZgThIZrpDHFXux9KeGmn6T/o=
github.com/gosimple/unidecode v1.0.1/go.mod h1:CP0Cr1Y1kogOtx0bJblKzsVWrqYaqfNOnHzpgWw4Awc=
github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
github.com/jessevdk/go-flags v0.0.0-20141203071132-1679536dcc89/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/jrick/logrotate v1.0.0/go.mod h1:LNinyqDIJnpAur+b8yyulnQw/wDuN1+BYKlTRt3OuAQ=
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
github.com/jxskiss/base62 v1.1.0 h1:A5zbF8v8WXx2xixnAKD2w+abC+sIzYJX+nxmhA6HWFw=
github.com/jxskiss/base62 v1.1.0/go.mod h1:HhWAlUXvxKThfOlZbcuFzsqwtF5TcqS9ru3y5GfjWAc=
github.com/kkdai/bstream v0.0.0-20161212061736-f391b8402d23/go.mod h1:J+Gs4SYgM6CZQHDETBtE9HaSEkGmuNXF86RwHhHUvq4=
github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
github.com/klauspost/cpuid/v2 v2.2.11 h1:0OwqZRYI2rFrjS4kvkDnqJkKHdHaRnCm68/DY4OxRzU=
@@ -170,6 +241,15 @@ github.com/nats-io/nkeys v0.4.11 h1:q44qGV008kYd9W1b1nEBkNzvnWxtRSQ7A8BoqRrcfa0=
github.com/nats-io/nkeys v0.4.11/go.mod h1:szDimtgmfOi9n25JpfIdGw12tZFYXqhGxjhVxsatHVE=
github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
github.com/onsi/gomega v1.4.1/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
@@ -252,6 +332,7 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7/go.mod h1:q4W45IWZaF22tdD+VEXcAWRA037jwmWEB5VWYORlTpc=
github.com/templexxx/cpu v0.0.1 h1:hY4WdLOgKdc8y13EYklu9OUTXik80BkxHoWvTO6MQQY=
github.com/templexxx/cpu v0.0.1/go.mod h1:w7Tb+7qgcAlIyX4NhLuDKt78AHA5SzPmq0Wj6HiEnnk=
github.com/templexxx/xhex v0.0.0-20200614015412-aed53437177b h1:XeDLE6c9mzHpdv3Wb1+pWBaWv/BlHK0ZYIu/KaL6eHg=
@@ -296,7 +377,9 @@ go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
go.uber.org/zap/exp v0.3.0 h1:6JYzdifzYkGmTdRR59oYH+Ng7k49H9qVpWwNSsGJj3U=
go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ=
golang.org/x/crypto v0.0.0-20170930174604-9419663f5a44/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
@@ -305,19 +388,33 @@ golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/y
golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/net v0.0.0-20180719180050-a680a1efc54d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200813134508-3edf25e44fcc/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -333,6 +430,7 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
@@ -345,17 +443,30 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww=
google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
zooid-logomark.jpeg
BIN
View File
Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 302 KiB

zooid-wordmark.jpeg
BIN
View File
Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

zooid/api.go
+278 -366
View File
@@ -1,302 +1,96 @@
package zooid
import (
"bytes"
"encoding/json"
"errors"
"fmt"
"io"
"io/fs"
"net/http"
"os"
"path/filepath"
"regexp"
"sort"
"strings"
"fiatjaf.com/nostr"
"github.com/BurntSushi/toml"
)
// APIHandler handles REST API requests for managing virtual relays
type APIHandler struct {
whitelist map[string]bool
configDir string
mux http.Handler
}
// NewAPIHandler creates a new API handler with the given whitelist
func NewAPIHandler(whitelist string, configDir string) *APIHandler {
w := make(map[string]bool)
for _, pubkey := range Split(whitelist, ",") {
func NewAPIHandler() *APIHandler {
whitelist := make(map[string]bool)
for _, pubkey := range Split(Env("API_WHITELIST"), ",") {
pubkey = strings.TrimSpace(pubkey)
if pubkey != "" {
w[pubkey] = true
whitelist[pubkey] = true
}
}
return &APIHandler{
whitelist: w,
configDir: configDir,
api := &APIHandler{
whitelist: whitelist,
}
mux := http.NewServeMux()
mux.HandleFunc("POST /relay/{id}", api.auth(api.createRelay))
mux.HandleFunc("PUT /relay/{id}", api.auth(api.putRelay))
mux.HandleFunc("PATCH /relay/{id}", api.auth(api.patchRelay))
mux.HandleFunc("DELETE /relay/{id}", api.auth(api.deleteRelay))
mux.HandleFunc("GET /relay/{id}/members", api.auth(api.listRelayMembers))
// Skip auth, the handler checks the webhook signature itself
mux.HandleFunc("POST /.well-known/nip29/livekit/webhook", api.livekitWebhook)
api.mux = mux
return api
}
func (api *APIHandler) auth(next http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
pubkey, err := validateNIP98Auth(r)
if err != nil {
writeError(w, http.StatusUnauthorized, err.Error())
return
}
if !api.whitelist[pubkey.Hex()] {
writeError(w, http.StatusForbidden, "pubkey not in whitelist")
return
}
next(w, r)
}
}
// ServeHTTP implements the http.Handler interface
func (api *APIHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
// Authenticate the request using NIP-98
pubkey, err := validateNIP98Auth(r)
if err != nil {
writeError(w, http.StatusUnauthorized, err.Error())
return
}
// Check if pubkey is in whitelist
if !api.whitelist[pubkey.Hex()] {
writeError(w, http.StatusForbidden, "pubkey not in whitelist")
return
}
// Route the request
path := strings.TrimPrefix(r.URL.Path, "/")
parts := strings.Split(path, "/")
if len(parts) < 2 || parts[0] != "relay" {
writeError(w, http.StatusNotFound, "not found")
return
}
id := parts[1]
if id == "" {
writeError(w, http.StatusBadRequest, "relay id is required")
return
}
if len(parts) > 2 {
if len(parts) == 3 && parts[2] == "members" {
if r.Method != http.MethodGet {
writeError(w, http.StatusMethodNotAllowed, "method not allowed")
return
}
api.listRelayMembers(w, id)
return
}
// Keep trailing-slash compatibility for existing /relay/{id}/ calls.
if len(parts) != 3 || parts[2] != "" {
writeError(w, http.StatusNotFound, "not found")
return
}
}
switch r.Method {
case http.MethodPost:
api.createRelay(w, r, id)
case http.MethodPut:
api.updateRelay(w, r, id)
case http.MethodPatch:
api.patchRelay(w, r, id)
case http.MethodDelete:
api.deleteRelay(w, r, id)
default:
writeError(w, http.StatusMethodNotAllowed, "method not allowed")
}
api.mux.ServeHTTP(w, r)
}
// listRelayMembers returns members for a relay as an array of pubkeys.
func (api *APIHandler) listRelayMembers(w http.ResponseWriter, id string) {
members, err := api.resolveRelayMembers(id)
if err != nil {
if os.IsNotExist(err) {
writeError(w, http.StatusNotFound, "relay not found")
} else {
writeError(w, http.StatusInternalServerError, fmt.Sprintf("failed to load relay members: %v", err))
}
return
}
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(map[string][]string{"members": members})
}
func (api *APIHandler) resolveRelayMembers(id string) ([]string, error) {
if members, ok := api.getMembersFromLoadedInstance(id); ok {
return members, nil
}
configPath := api.configPath(id)
if err := api.checkConfigExists(configPath); err != nil {
return nil, err
}
instance, err := MakeInstanceFromPath(configPath)
if err != nil {
return nil, err
}
defer instance.Cleanup()
memberSet := make(map[string]struct{})
for _, pubkey := range instance.Management.GetMembers() {
memberSet[pubkey.Hex()] = struct{}{}
}
return sortedMembers(memberSet), nil
}
func (api *APIHandler) getMembersFromLoadedInstance(id string) ([]string, bool) {
instancesMux.RLock()
instance, exists := instancesByName[id+".toml"]
instancesMux.RUnlock()
if !exists || instance == nil || instance.Config == nil || instance.Management == nil {
return nil, false
}
memberSet := make(map[string]struct{})
for _, pubkey := range instance.Management.GetMembers() {
memberSet[pubkey.Hex()] = struct{}{}
}
return sortedMembers(memberSet), true
}
func sortedMembers(memberSet map[string]struct{}) []string {
members := Keys(memberSet)
sort.Strings(members)
return members
}
// writeError writes a JSON error response
func writeError(w http.ResponseWriter, status int, message string) {
w.WriteHeader(status)
json.NewEncoder(w).Encode(map[string]string{"error": message})
}
// writeJSON writes a JSON success response
func writeJSON(w http.ResponseWriter, status int, data map[string]string) {
func writeJSON(w http.ResponseWriter, status int, v any) {
w.WriteHeader(status)
json.NewEncoder(w).Encode(data)
json.NewEncoder(w).Encode(v)
}
// scheme returns the URL scheme based on the request
func scheme(r *http.Request) string {
if r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https" {
return "https"
}
return "http"
}
// Relay CRUD
// createRelay creates a new relay config file
func (api *APIHandler) createRelay(w http.ResponseWriter, r *http.Request, id string) {
configPath := api.configPath(id)
func (api *APIHandler) configFromRequest(path string, r *http.Request) (*Config, error) {
r.Body = http.MaxBytesReader(nil, r.Body, 1024*1024)
defer r.Body.Close()
if _, err := os.Stat(configPath); err == nil {
writeError(w, http.StatusConflict, "relay with this id already exists")
return
}
config, err := api.parseAndValidateConfig(r)
body, err := io.ReadAll(r.Body)
if err != nil {
writeError(w, http.StatusBadRequest, err.Error())
return
return nil, fmt.Errorf("failed to read body: %w", err)
}
if err := api.checkDuplicateSchemaOrHost(config, ""); err != nil {
writeError(w, http.StatusConflict, err.Error())
return
}
if err := api.saveConfig(configPath, config); err != nil {
writeError(w, http.StatusInternalServerError, fmt.Sprintf("failed to write config: %v", err))
return
}
writeJSON(w, http.StatusCreated, map[string]string{"message": "relay created successfully"})
return LoadConfigFromJson(path, body)
}
// updateRelay updates an existing relay config file
func (api *APIHandler) updateRelay(w http.ResponseWriter, r *http.Request, id string) {
configPath := api.configPath(id)
if err := api.checkConfigExists(configPath); err != nil {
if os.IsNotExist(err) {
writeError(w, http.StatusNotFound, "relay not found")
} else {
writeError(w, http.StatusInternalServerError, fmt.Sprintf("failed to check config: %v", err))
}
return
}
config, err := api.parseAndValidateConfig(r)
if err != nil {
writeError(w, http.StatusBadRequest, err.Error())
return
}
if err := api.checkDuplicateSchemaOrHost(config, id+".toml"); err != nil {
writeError(w, http.StatusConflict, err.Error())
return
}
if err := api.saveConfig(configPath, config); err != nil {
writeError(w, http.StatusInternalServerError, fmt.Sprintf("failed to write config: %v", err))
return
}
writeJSON(w, http.StatusOK, map[string]string{"message": "relay updated successfully"})
}
// patchRelay partially updates an existing relay config
func (api *APIHandler) patchRelay(w http.ResponseWriter, r *http.Request, id string) {
configPath := api.configPath(id)
if err := api.checkConfigExists(configPath); err != nil {
if os.IsNotExist(err) {
writeError(w, http.StatusNotFound, "relay not found")
} else {
writeError(w, http.StatusInternalServerError, fmt.Sprintf("failed to check config: %v", err))
}
return
}
// Load existing config
existing, err := api.loadConfigFromPath(configPath)
if err != nil {
writeError(w, http.StatusInternalServerError, fmt.Sprintf("failed to read existing config: %v", err))
return
}
// Parse patch
patch, err := api.readPatch(r)
if err != nil {
writeError(w, http.StatusBadRequest, err.Error())
return
}
// Apply patch to existing config
if err := api.applyPatch(existing, patch); err != nil {
writeError(w, http.StatusBadRequest, err.Error())
return
}
// Validate the patched config
if err := api.validatePatchedConfig(existing); err != nil {
writeError(w, http.StatusBadRequest, err.Error())
return
}
if err := api.checkDuplicateSchemaOrHost(existing, id+".toml"); err != nil {
writeError(w, http.StatusConflict, err.Error())
return
}
if err := api.saveConfig(configPath, existing); err != nil {
writeError(w, http.StatusInternalServerError, fmt.Sprintf("failed to write config: %v", err))
return
}
writeJSON(w, http.StatusOK, map[string]string{"message": "relay patched successfully"})
}
// readPatch reads and parses the patch JSON from the request
func (api *APIHandler) readPatch(r *http.Request) (map[string]interface{}, error) {
func (api *APIHandler) patchFromRequest(r *http.Request) (map[string]interface{}, error) {
r.Body = http.MaxBytesReader(nil, r.Body, 1024*1024)
defer r.Body.Close()
@@ -307,13 +101,143 @@ func (api *APIHandler) readPatch(r *http.Request) (map[string]interface{}, error
var patch map[string]interface{}
if err := json.Unmarshal(body, &patch); err != nil {
return nil, fmt.Errorf("invalid json: %w", err)
return nil, fmt.Errorf("invalid json config: %w", err)
}
return patch, nil
}
// applyPatch applies a JSON patch to a config using reflection via JSON marshaling
func (api *APIHandler) checkDuplicateSchemaOrHost(config *Config, excludeFilename string) error {
entries, err := os.ReadDir(Env("CONFIG"))
if err != nil {
return fmt.Errorf("failed to read config directory: %w", err)
}
for _, entry := range entries {
if entry.IsDir() || entry.Name() == excludeFilename || !strings.HasSuffix(entry.Name(), ".toml") {
continue
}
path := ConfigPathFromName(entry.Name())
if existing, err := LoadConfigFromPath(path); err == nil {
if existing.Schema == config.Schema {
return fmt.Errorf("schema %q is already in use", config.Schema)
}
if existing.Host == config.Host {
return fmt.Errorf("host %q is already in use", config.Host)
}
}
}
return nil
}
// Create relay
func (api *APIHandler) createRelay(w http.ResponseWriter, r *http.Request) {
name := ConfigNameFromId(r.PathValue("id"))
path := ConfigPathFromName(name)
if _, err := os.Stat(path); err == nil {
writeError(w, http.StatusConflict, "relay with this id already exists")
return
}
config, err := api.configFromRequest(path, r)
if err != nil {
writeError(w, http.StatusBadRequest, err.Error())
return
}
if err := api.checkDuplicateSchemaOrHost(config, ""); err != nil {
writeError(w, http.StatusConflict, err.Error())
return
}
if err := config.Save(); err != nil {
writeError(w, http.StatusInternalServerError, fmt.Sprintf("failed to write config: %v", err))
return
}
writeJSON(w, http.StatusCreated, map[string]string{"message": "relay created successfully"})
}
// Put relay
func (api *APIHandler) putRelay(w http.ResponseWriter, r *http.Request) {
id := r.PathValue("id")
name := ConfigNameFromId(id)
path := ConfigPathFromName(name)
if _, err := os.Stat(path); err != nil {
writeError(w, http.StatusNotFound, "relay not found")
return
}
config, err := api.configFromRequest(path, r)
if err != nil {
writeError(w, http.StatusBadRequest, err.Error())
return
}
if err := api.checkDuplicateSchemaOrHost(config, name); err != nil {
writeError(w, http.StatusConflict, err.Error())
return
}
if err := config.Save(); err != nil {
writeError(w, http.StatusInternalServerError, fmt.Sprintf("failed to write config: %v", err))
return
}
writeJSON(w, http.StatusOK, map[string]string{"message": "relay updated successfully"})
}
// Patch relay
func (api *APIHandler) patchRelay(w http.ResponseWriter, r *http.Request) {
id := r.PathValue("id")
name := ConfigNameFromId(id)
path := ConfigPathFromName(name)
if _, err := os.Stat(path); err != nil {
writeError(w, http.StatusNotFound, "relay not found")
return
}
config, err := LoadConfigFromPath(path)
if err != nil {
writeError(w, http.StatusInternalServerError, fmt.Sprintf("failed to read existing config: %v", err))
return
}
patch, err := api.patchFromRequest(r)
if err != nil {
writeError(w, http.StatusBadRequest, err.Error())
return
}
if err := api.applyPatch(config, patch); err != nil {
writeError(w, http.StatusBadRequest, err.Error())
return
}
if err := config.Validate(); err != nil {
writeError(w, http.StatusBadRequest, err.Error())
return
}
if err := api.checkDuplicateSchemaOrHost(config, name); err != nil {
writeError(w, http.StatusConflict, err.Error())
return
}
if err := config.Save(); err != nil {
writeError(w, http.StatusInternalServerError, fmt.Sprintf("failed to write config: %v", err))
return
}
writeJSON(w, http.StatusOK, map[string]string{"message": "relay patched successfully"})
}
func (api *APIHandler) applyPatch(config *Config, patch map[string]interface{}) error {
// Convert config to map for merging
configJSON, _ := json.Marshal(config)
@@ -330,12 +254,15 @@ func (api *APIHandler) applyPatch(config *Config, patch map[string]interface{})
return err
}
// Preserve unexported fields, which don't survive the JSON round-trip
patched.path = config.path
patched.secret = config.secret
// Copy patched values to original config
*config = patched
return nil
}
// deepMerge recursively merges patch into base
func deepMerge(base, patch map[string]interface{}) map[string]interface{} {
result := make(map[string]interface{})
@@ -360,46 +287,18 @@ func deepMerge(base, patch map[string]interface{}) map[string]interface{} {
return result
}
// validatePatchedConfig validates a config after patching
func (api *APIHandler) validatePatchedConfig(config *Config) error {
if config.Host == "" {
return fmt.Errorf("host is required")
}
if config.Schema == "" {
return fmt.Errorf("schema is required")
}
if !regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_]*$`).MatchString(config.Schema) {
return fmt.Errorf("schema must contain only letters, numbers, and underscores")
}
if config.Secret == "" {
return fmt.Errorf("secret is required")
}
if _, err := nostr.SecretKeyFromHex(config.Secret); err != nil {
return fmt.Errorf("invalid secret key: %w", err)
}
if config.Info.Pubkey == "" {
return fmt.Errorf("info.pubkey is required")
}
if _, err := nostr.PubKeyFromHex(config.Info.Pubkey); err != nil {
return fmt.Errorf("invalid info.pubkey: %w", err)
}
return nil
}
// Delete relay
// deleteRelay deletes a relay config file
func (api *APIHandler) deleteRelay(w http.ResponseWriter, r *http.Request, id string) {
configPath := api.configPath(id)
if err := api.checkConfigExists(configPath); err != nil {
if os.IsNotExist(err) {
writeError(w, http.StatusNotFound, "relay not found")
} else {
writeError(w, http.StatusInternalServerError, fmt.Sprintf("failed to check config: %v", err))
}
func (api *APIHandler) deleteRelay(w http.ResponseWriter, r *http.Request) {
id := r.PathValue("id")
name := ConfigNameFromId(id)
path := ConfigPathFromName(name)
if _, err := os.Stat(path); err != nil {
writeError(w, http.StatusNotFound, "relay not found")
return
}
if err := os.Remove(configPath); err != nil {
if err := os.Remove(path); err != nil {
writeError(w, http.StatusInternalServerError, fmt.Sprintf("failed to delete config: %v", err))
return
}
@@ -407,90 +306,103 @@ func (api *APIHandler) deleteRelay(w http.ResponseWriter, r *http.Request, id st
writeJSON(w, http.StatusOK, map[string]string{"message": "relay deleted successfully"})
}
// configPath returns the full path for a config file
func (api *APIHandler) configPath(id string) string {
return filepath.Join(api.configDir, id+".toml")
// Relay members endpoint
func (api *APIHandler) listRelayMembers(w http.ResponseWriter, r *http.Request) {
id := r.PathValue("id")
name := ConfigNameFromId(id)
members, err := api.resolveRelayMembers(name)
if err != nil {
if errors.Is(err, fs.ErrNotExist) {
writeError(w, http.StatusNotFound, "relay not found")
} else {
writeError(w, http.StatusInternalServerError, fmt.Sprintf("failed to load relay members: %v", err))
}
return
}
writeJSON(w, http.StatusOK, map[string][]string{"members": members})
}
// checkConfigExists checks if a config file exists
func (api *APIHandler) checkConfigExists(path string) error {
_, err := os.Stat(path)
return err
}
func (api *APIHandler) resolveRelayMembers(name string) ([]string, error) {
instancesMux.RLock()
instance, exists := instancesByName[name]
instancesMux.RUnlock()
// loadConfigFromPath loads a config from a file path
func (api *APIHandler) loadConfigFromPath(path string) (*Config, error) {
var config Config
_, err := toml.DecodeFile(path, &config)
if exists {
return collectMembers(instance.Management), nil
}
path := ConfigPathFromName(name)
config, err := LoadConfigFromPath(path)
if err != nil {
return nil, err
}
return &config, nil
events := &EventStore{
Config: config,
Schema: &Schema{Name: config.Schema},
}
if err := events.Init(); err != nil {
return nil, fmt.Errorf("failed to init event store: %w", err)
}
management := &ManagementStore{
Config: config,
Events: events,
}
return collectMembers(management), nil
}
// parseAndValidateConfig parses and validates the JSON config from the request body
func (api *APIHandler) parseAndValidateConfig(r *http.Request) (*Config, error) {
r.Body = http.MaxBytesReader(nil, r.Body, 1024*1024)
defer r.Body.Close()
func collectMembers(management *ManagementStore) []string {
memberSet := make(map[string]struct{})
for _, pubkey := range management.GetMembers() {
memberSet[pubkey.Hex()] = struct{}{}
}
members := Keys(memberSet)
sort.Strings(members)
return members
}
body, err := io.ReadAll(r.Body)
// LiveKit webhook
// LiveKit webhooks are registered statically, so we add the relay's schema as metadata
// to the room and handle webhooks at the top level.
func (api *APIHandler) livekitWebhook(w http.ResponseWriter, r *http.Request) {
body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1024*1024))
if err != nil {
return nil, fmt.Errorf("failed to read body: %w", err)
writeError(w, http.StatusBadRequest, "failed to read body")
return
}
var config Config
if err := json.Unmarshal(body, &config); err != nil {
return nil, fmt.Errorf("invalid json config: %w", err)
// Read the relay schema from the room metadata. This is parsed before
// verification, but the instance handler below re-checks the signature over
// the whole body (metadata included) with that relay's key, so a forged
// schema cannot pass.
var probe struct {
Room struct {
Metadata string `json:"metadata"`
} `json:"room"`
}
if err := json.Unmarshal(body, &probe); err != nil {
writeError(w, http.StatusBadRequest, "invalid webhook body")
return
}
if err := api.validatePatchedConfig(&config); err != nil {
return nil, err
schema := strings.TrimSpace(probe.Room.Metadata)
if schema == "" {
writeError(w, http.StatusBadRequest, "missing room metadata")
return
}
return &config, nil
}
// saveConfig saves a config to a file as TOML
func (api *APIHandler) saveConfig(path string, config *Config) error {
file, err := os.Create(path)
if err != nil {
return fmt.Errorf("failed to create file: %w", err)
}
defer file.Close()
encoder := toml.NewEncoder(file)
if err := encoder.Encode(config); err != nil {
return fmt.Errorf("failed to encode toml: %w", err)
}
return nil
}
// checkDuplicateSchemaOrHost checks if the schema or host is already in use by another config
func (api *APIHandler) checkDuplicateSchemaOrHost(config *Config, excludeFilename string) error {
entries, err := os.ReadDir(api.configDir)
if err != nil {
return fmt.Errorf("failed to read config directory: %w", err)
}
for _, entry := range entries {
if entry.IsDir() || entry.Name() == excludeFilename || !strings.HasSuffix(entry.Name(), ".toml") {
continue
}
path := filepath.Join(api.configDir, entry.Name())
var existing Config
if _, err := toml.DecodeFile(path, &existing); err != nil {
continue
}
if existing.Schema == config.Schema {
return fmt.Errorf("schema %q is already in use", config.Schema)
}
if existing.Host == config.Host {
return fmt.Errorf("host %q is already in use", config.Host)
}
}
return nil
instance, ok := DispatchBySchema(schema)
if !ok {
writeError(w, http.StatusNotFound, "relay not found")
return
}
r.Body = io.NopCloser(bytes.NewReader(body))
instance.livekitWebhookHandler(w, r)
}
zooid/api_test.go
+95 -50
View File
@@ -16,16 +16,14 @@ import (
)
func TestAPIHandler_Authentication(t *testing.T) {
// Create a temporary config directory
configDir := t.TempDir()
useTestConfigDir(t)
// Create a test keypair for authentication
secretKey := nostr.Generate()
pubkey := secretKey.Public()
// Create API handler with whitelist containing our test pubkey
whitelist := pubkey.Hex()
api := NewAPIHandler(whitelist, configDir)
api := newTestAPIHandler(t, pubkey.Hex())
t.Run("missing authorization header", func(t *testing.T) {
req := httptest.NewRequest(http.MethodPost, "/relay/test", strings.NewReader("{}"))
@@ -173,12 +171,11 @@ func TestAPIHandler_Authentication(t *testing.T) {
}
func TestAPIHandler_CreateRelay(t *testing.T) {
configDir := t.TempDir()
configDir := useTestConfigDir(t)
secretKey := nostr.Generate()
pubkey := secretKey.Public()
whitelist := pubkey.Hex()
api := NewAPIHandler(whitelist, configDir)
api := newTestAPIHandler(t, pubkey.Hex())
validConfig := map[string]interface{}{
"host": "relay.example.com",
@@ -226,6 +223,9 @@ func TestAPIHandler_CreateRelay(t *testing.T) {
"host": "other.example.com",
"schema": "testrelay", // Same schema as existing
"secret": secretKey.Hex(),
"info": map[string]interface{}{
"pubkey": pubkey.Hex(),
},
}
body, _ := json.Marshal(config)
req := createAuthenticatedRequest(http.MethodPost, "http://api.example.com/relay/other", secretKey, body)
@@ -243,6 +243,9 @@ func TestAPIHandler_CreateRelay(t *testing.T) {
"host": "relay.example.com", // Same host as existing
"schema": "otherschema",
"secret": secretKey.Hex(),
"info": map[string]interface{}{
"pubkey": pubkey.Hex(),
},
}
body, _ := json.Marshal(config)
req := createAuthenticatedRequest(http.MethodPost, "http://api.example.com/relay/other2", secretKey, body)
@@ -301,12 +304,11 @@ func TestAPIHandler_CreateRelay(t *testing.T) {
}
func TestAPIHandler_UpdateRelay(t *testing.T) {
configDir := t.TempDir()
useTestConfigDir(t)
secretKey := nostr.Generate()
pubkey := secretKey.Public()
whitelist := pubkey.Hex()
api := NewAPIHandler(whitelist, configDir)
api := newTestAPIHandler(t, pubkey.Hex())
// Create initial relay
initialConfig := map[string]interface{}{
@@ -371,6 +373,9 @@ func TestAPIHandler_UpdateRelay(t *testing.T) {
"host": "other.example.com",
"schema": "otherrelay",
"secret": secretKey.Hex(),
"info": map[string]interface{}{
"pubkey": pubkey.Hex(),
},
}
body, _ := json.Marshal(otherConfig)
req := createAuthenticatedRequest(http.MethodPost, "http://api.example.com/relay/otherrelay", secretKey, body)
@@ -385,6 +390,9 @@ func TestAPIHandler_UpdateRelay(t *testing.T) {
"host": "relay.example.com",
"schema": "otherrelay", // Duplicate
"secret": secretKey.Hex(),
"info": map[string]interface{}{
"pubkey": pubkey.Hex(),
},
}
body, _ = json.Marshal(updateConfig)
req = createAuthenticatedRequest(http.MethodPut, "http://api.example.com/relay/testrelay", secretKey, body)
@@ -399,12 +407,11 @@ func TestAPIHandler_UpdateRelay(t *testing.T) {
}
func TestAPIHandler_PatchRelay(t *testing.T) {
configDir := t.TempDir()
useTestConfigDir(t)
secretKey := nostr.Generate()
pubkey := secretKey.Public()
whitelist := pubkey.Hex()
api := NewAPIHandler(whitelist, configDir)
api := newTestAPIHandler(t, pubkey.Hex())
// Create initial relay with full config
initialConfig := map[string]interface{}{
@@ -494,6 +501,9 @@ func TestAPIHandler_PatchRelay(t *testing.T) {
"host": "other.example.com",
"schema": "anotherrelay",
"secret": secretKey.Hex(),
"info": map[string]interface{}{
"pubkey": pubkey.Hex(),
},
}
body, _ := json.Marshal(otherConfig)
req := createAuthenticatedRequest(http.MethodPost, "http://api.example.com/relay/anotherrelay", secretKey, body)
@@ -550,12 +560,11 @@ func TestAPIHandler_PatchRelay(t *testing.T) {
}
func TestAPIHandler_DeleteRelay(t *testing.T) {
configDir := t.TempDir()
configDir := useTestConfigDir(t)
secretKey := nostr.Generate()
pubkey := secretKey.Public()
whitelist := pubkey.Hex()
api := NewAPIHandler(whitelist, configDir)
api := newTestAPIHandler(t, pubkey.Hex())
// Create a relay to delete
config := map[string]interface{}{
@@ -605,12 +614,11 @@ func TestAPIHandler_DeleteRelay(t *testing.T) {
}
func TestAPIHandler_ListRelayMembers(t *testing.T) {
configDir := t.TempDir()
useTestConfigDir(t)
secretKey := nostr.Generate()
pubkey := secretKey.Public()
whitelist := pubkey.Hex()
api := NewAPIHandler(whitelist, configDir)
api := newTestAPIHandler(t, pubkey.Hex())
t.Run("list members from loaded relay instance", func(t *testing.T) {
member1 := nostr.Generate().Public()
@@ -676,23 +684,40 @@ func TestAPIHandler_ListRelayMembers(t *testing.T) {
t.Run("list members from config fallback", func(t *testing.T) {
relaySecret := nostr.Generate()
owner := nostr.Generate().Public()
rolePubkey := nostr.Generate().Public()
member1 := nostr.Generate().Public()
member2 := nostr.Generate().Public()
config := &Config{
Host: "members.example.com",
Schema: "members_" + RandomString(8),
Schema: "members_" + strings.ToLower(RandomString(8)),
Secret: relaySecret.Hex(),
Roles: map[string]Role{
"admin": {
Pubkeys: []string{rolePubkey.Hex()},
},
}
config.Info.Pubkey = nostr.Generate().Public().Hex()
config.path = ConfigPathFromName(ConfigNameFromId("fallback"))
if err := config.Save(); err != nil {
t.Fatalf("failed to save config: %v", err)
}
// Seed DB with RELAY_MEMBERS to simulate a prior relay load.
seedEvents := &EventStore{
Config: &Config{secret: relaySecret},
Schema: &Schema{Name: config.Schema},
}
if err := seedEvents.Init(); err != nil {
t.Fatalf("failed to init seed events: %v", err)
}
membersEvent := nostr.Event{
Kind: RELAY_MEMBERS,
CreatedAt: nostr.Now(),
Tags: nostr.Tags{
{"-"},
{"member", member1.Hex()},
{"member", member2.Hex()},
},
}
config.Info.Pubkey = owner.Hex()
if err := api.saveConfig(api.configPath("fallback"), config); err != nil {
t.Fatalf("failed to save config: %v", err)
if err := seedEvents.SignAndStoreEvent(&membersEvent, false); err != nil {
t.Fatalf("failed to seed members event: %v", err)
}
instancesMux.Lock()
@@ -725,9 +750,8 @@ func TestAPIHandler_ListRelayMembers(t *testing.T) {
}
expected := map[string]struct{}{
owner.Hex(): {},
relaySecret.Public().Hex(): {},
rolePubkey.Hex(): {},
member1.Hex(): {},
member2.Hex(): {},
}
if len(payload.Members) != len(expected) {
@@ -765,12 +789,11 @@ func TestAPIHandler_ListRelayMembers(t *testing.T) {
}
func TestAPIHandler_MethodNotAllowed(t *testing.T) {
configDir := t.TempDir()
useTestConfigDir(t)
secretKey := nostr.Generate()
pubkey := secretKey.Public()
whitelist := pubkey.Hex()
api := NewAPIHandler(whitelist, configDir)
api := newTestAPIHandler(t, pubkey.Hex())
t.Run("GET method not allowed", func(t *testing.T) {
req := createAuthenticatedRequest(http.MethodGet, "http://api.example.com/relay/test", secretKey, nil)
@@ -785,12 +808,11 @@ func TestAPIHandler_MethodNotAllowed(t *testing.T) {
}
func TestAPIHandler_InvalidPath(t *testing.T) {
configDir := t.TempDir()
useTestConfigDir(t)
secretKey := nostr.Generate()
pubkey := secretKey.Public()
whitelist := pubkey.Hex()
api := NewAPIHandler(whitelist, configDir)
api := newTestAPIHandler(t, pubkey.Hex())
t.Run("invalid path returns not found", func(t *testing.T) {
req := createAuthenticatedRequest(http.MethodPost, "http://api.example.com/invalid/path", secretKey, []byte("{}"))
@@ -809,19 +831,18 @@ func TestAPIHandler_InvalidPath(t *testing.T) {
api.ServeHTTP(w, req)
if w.Code != http.StatusBadRequest {
t.Errorf("expected status %d, got %d", http.StatusBadRequest, w.Code)
if w.Code != http.StatusNotFound {
t.Errorf("expected status %d, got %d", http.StatusNotFound, w.Code)
}
})
}
func TestAPIHandler_ConfigValidation(t *testing.T) {
configDir := t.TempDir()
configDir := useTestConfigDir(t)
secretKey := nostr.Generate()
pubkey := secretKey.Public()
whitelist := pubkey.Hex()
api := NewAPIHandler(whitelist, configDir)
api := newTestAPIHandler(t, pubkey.Hex())
t.Run("invalid info.pubkey", func(t *testing.T) {
config := map[string]interface{}{
@@ -962,9 +983,33 @@ func createAuthenticatedRequest(method, url string, secretKey nostr.SecretKey, b
return req
}
// setTestEnv overrides a value in the package-level env map. Env memoizes
// os.Environ via sync.Once, so once the test binary has started, os.Setenv is
// ignored — mutating the cached map directly is the only way to change config
// for an individual test. Safe because tests in this package run sequentially.
func setTestEnv(key, value string) {
_ = Env("DATA") // ensure the env map has been initialized
env[key] = value
}
// useTestConfigDir points Env("CONFIG") at a fresh temp dir for this test.
func useTestConfigDir(t *testing.T) string {
t.Helper()
dir := t.TempDir()
setTestEnv("CONFIG", dir)
return dir
}
// newTestAPIHandler builds a handler whose whitelist contains the given pubkeys.
func newTestAPIHandler(t *testing.T, whitelist ...string) *APIHandler {
t.Helper()
setTestEnv("API_WHITELIST", strings.Join(whitelist, ","))
return NewAPIHandler()
}
func TestNewAPIHandler(t *testing.T) {
t.Run("empty whitelist", func(t *testing.T) {
api := NewAPIHandler("", "/tmp")
api := newTestAPIHandler(t)
if len(api.whitelist) != 0 {
t.Error("expected empty whitelist")
}
@@ -972,7 +1017,7 @@ func TestNewAPIHandler(t *testing.T) {
t.Run("single pubkey", func(t *testing.T) {
pubkey := nostr.Generate().Public().Hex()
api := NewAPIHandler(pubkey, "/tmp")
api := newTestAPIHandler(t, pubkey)
if len(api.whitelist) != 1 {
t.Error("expected 1 entry in whitelist")
}
@@ -984,8 +1029,8 @@ func TestNewAPIHandler(t *testing.T) {
t.Run("multiple pubkeys", func(t *testing.T) {
pubkey1 := nostr.Generate().Public().Hex()
pubkey2 := nostr.Generate().Public().Hex()
whitelist := fmt.Sprintf("%s, %s", pubkey1, pubkey2)
api := NewAPIHandler(whitelist, "/tmp")
setTestEnv("API_WHITELIST", fmt.Sprintf("%s, %s", pubkey1, pubkey2))
api := NewAPIHandler()
if len(api.whitelist) != 2 {
t.Error("expected 2 entries in whitelist")
}
@@ -996,8 +1041,8 @@ func TestNewAPIHandler(t *testing.T) {
t.Run("whitespace trimming", func(t *testing.T) {
pubkey := nostr.Generate().Public().Hex()
whitelist := " " + pubkey + " "
api := NewAPIHandler(whitelist, "/tmp")
setTestEnv("API_WHITELIST", " "+pubkey+" ")
api := NewAPIHandler()
if len(api.whitelist) != 1 {
t.Error("expected 1 entry in whitelist after trimming")
}
zooid/blossom.go
+131 -26
View File
@@ -3,13 +3,19 @@ package zooid
import (
"bytes"
"context"
"fmt"
"io"
"log"
"net/url"
"path/filepath"
"fiatjaf.com/nostr"
"fiatjaf.com/nostr/eventstore"
"fiatjaf.com/nostr/khatru/blossom"
"github.com/gosimple/slug"
"github.com/aws/aws-sdk-go-v2/aws"
awsconfig "github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/credentials"
"github.com/aws/aws-sdk-go-v2/service/s3"
"github.com/spf13/afero"
)
@@ -19,39 +25,23 @@ type BlossomStore struct {
}
func (bl *BlossomStore) Enable(instance *Instance) {
dir := Env("MEDIA") + "/" + slug.Make(bl.Config.Schema)
fs := afero.NewOsFs()
fs.MkdirAll(dir, 0755)
backend := blossom.New(instance.Relay, "https://"+bl.Config.Host)
backend.Store = blossom.EventStoreBlobIndexWrapper{
Store: bl.Events,
ServiceURL: "https://" + bl.Config.Host,
}
backend.StoreBlob = func(ctx context.Context, sha256 string, ext string, body []byte) error {
file, err := fs.Create(dir + "/" + sha256)
if err != nil {
return err
switch bl.Config.Blossom.Adapter {
case "local":
if err := bl.UseLocalAdapter(backend); err != nil {
log.Fatalf("blossom: failed to use local adapter %q", err)
}
if _, err := io.Copy(file, bytes.NewReader(body)); err != nil {
return err
case "s3":
if err := bl.UseS3Adapter(backend); err != nil {
log.Fatalf("blossom: failed to use s3 adapter %q", err)
}
return nil
}
backend.LoadBlob = func(ctx context.Context, sha256 string, ext string) (io.ReadSeeker, *url.URL, error) {
file, err := fs.Open(dir + "/" + sha256)
if err != nil {
return nil, nil, err
}
return file, nil, nil
}
backend.DeleteBlob = func(ctx context.Context, sha256 string, ext string) error {
return fs.Remove(dir + "/" + sha256)
default:
log.Fatalf("blossom: unknown backend %q", bl.Config.Blossom.Adapter)
}
backend.RejectUpload = func(ctx context.Context, auth *nostr.Event, size int, ext string) (bool, string, int) {
@@ -67,6 +57,10 @@ func (bl *BlossomStore) Enable(instance *Instance) {
}
backend.RejectGet = func(ctx context.Context, auth *nostr.Event, sha256 string, ext string) (bool, string, int) {
if !bl.Config.Blossom.AuthenticatedRead {
return false, "", 200
}
if auth == nil || !instance.Management.IsMember(auth.PubKey) {
return true, "unauthorized", 403
}
@@ -95,3 +89,114 @@ func (bl *BlossomStore) Enable(instance *Instance) {
instance.Relay.Info.SupportedNIPs = append(instance.Relay.Info.SupportedNIPs, "BUD-02")
instance.Relay.Info.SupportedNIPs = append(instance.Relay.Info.SupportedNIPs, "BUD-11")
}
// Local adapter
func (bl *BlossomStore) UseLocalAdapter(backend *blossom.BlossomServer) error {
dir := filepath.Join(Env("MEDIA"), bl.Config.Schema)
osfs := afero.NewOsFs()
_ = osfs.MkdirAll(dir, 0755)
backend.StoreBlob = func(ctx context.Context, sha256 string, ext string, body []byte) error {
file, err := osfs.Create(filepath.Join(dir, sha256))
if err != nil {
return err
}
if _, err := io.Copy(file, bytes.NewReader(body)); err != nil {
return err
}
return nil
}
backend.LoadBlob = func(ctx context.Context, sha256 string, ext string) (io.ReadSeeker, *url.URL, error) {
file, err := osfs.Open(filepath.Join(dir, sha256))
if err != nil {
return nil, nil, err
}
return file, nil, nil
}
backend.DeleteBlob = func(ctx context.Context, sha256 string, ext string) error {
return osfs.Remove(filepath.Join(dir, sha256))
}
return nil
}
// S3 adapter
func (bl *BlossomStore) S3Key(sha256 string) string {
key := bl.Config.Schema + "/" + sha256
if bl.Config.Blossom.S3.KeyPrefix != "" {
key = bl.Config.Blossom.S3.KeyPrefix + "/" + key
}
return key
}
func (bl *BlossomStore) UseS3Adapter(backend *blossom.BlossomServer) error {
ctx := context.Background()
awsConfig, err := awsconfig.LoadDefaultConfig(ctx,
awsconfig.WithRegion(bl.Config.Blossom.S3.Region),
awsconfig.WithCredentialsProvider(
credentials.NewStaticCredentialsProvider(
bl.Config.Blossom.S3.AccessKey,
bl.Config.Blossom.S3.SecretKey,
"",
),
),
)
if err != nil {
return fmt.Errorf("aws config: %w", err)
}
client := s3.NewFromConfig(awsConfig, func(o *s3.Options) {
if bl.Config.Blossom.S3.Endpoint != "" {
o.BaseEndpoint = aws.String(bl.Config.Blossom.S3.Endpoint)
o.UsePathStyle = true
}
})
backend.StoreBlob = func(ctx context.Context, sha256 string, ext string, body []byte) error {
_, err := client.PutObject(ctx, &s3.PutObjectInput{
Bucket: aws.String(bl.Config.Blossom.S3.Bucket),
Key: aws.String(bl.S3Key(sha256)),
Body: bytes.NewReader(body),
})
return err
}
backend.LoadBlob = func(ctx context.Context, sha256 string, ext string) (io.ReadSeeker, *url.URL, error) {
out, err := client.GetObject(ctx, &s3.GetObjectInput{
Bucket: aws.String(bl.Config.Blossom.S3.Bucket),
Key: aws.String(bl.S3Key(sha256)),
})
if err != nil {
return nil, nil, err
}
defer out.Body.Close()
data, err := io.ReadAll(out.Body)
if err != nil {
return nil, nil, err
}
return bytes.NewReader(data), nil, nil
}
backend.DeleteBlob = func(ctx context.Context, sha256 string, ext string) error {
_, err := client.DeleteObject(ctx, &s3.DeleteObjectInput{
Bucket: aws.String(bl.Config.Blossom.S3.Bucket),
Key: aws.String(bl.S3Key(sha256)),
})
return err
}
return nil
}
zooid/config.go
+90 -33
View File
@@ -1,11 +1,13 @@
package zooid
import (
"encoding/json"
"fiatjaf.com/nostr"
"fmt"
"github.com/BurntSushi/toml"
"os"
"path/filepath"
"regexp"
"slices"
)
@@ -45,7 +47,10 @@ type Config struct {
} `toml:"management" json:"management"`
Blossom struct {
Enabled bool `toml:"enabled" json:"enabled"`
Enabled bool `toml:"enabled" json:"enabled"`
AuthenticatedRead bool `toml:"authenticated_read" json:"authenticated_read"`
Adapter string `toml:"adapter" json:"adapter"`
S3 BlossomS3Settings `toml:"s3" json:"s3"`
} `toml:"blossom" json:"blossom"`
Livekit struct {
@@ -56,55 +61,110 @@ type Config struct {
Roles map[string]Role `toml:"roles" json:"roles"`
// Private/parsed values
// Parsed values
path string
secret nostr.SecretKey
}
func LoadConfig(filename string) (*Config, error) {
path := filepath.Join(Env("CONFIG"), filename)
// BlossomS3Settings configures S3-compatible object storage for Blossom blobs
// when [blossom] adapter is "s3".
type BlossomS3Settings struct {
Endpoint string `toml:"endpoint" json:"endpoint"`
Region string `toml:"region" json:"region"`
Bucket string `toml:"bucket" json:"bucket"`
AccessKey string `toml:"access_key" json:"access_key"`
SecretKey string `toml:"secret_key" json:"secret_key"`
KeyPrefix string `toml:"key_prefix" json:"key_prefix"`
}
return LoadConfigFromPath(path)
func ConfigNameFromId(id string) string {
return id + ".toml"
}
func ConfigPathFromName(name string) string {
return filepath.Join(Env("CONFIG"), name)
}
func LoadConfigFromPath(path string) (*Config, error) {
var config Config
if _, err := toml.DecodeFile(path, &config); err != nil {
return nil, fmt.Errorf("Failed to parse config file %s: %w", path, err)
}
if config.Host == "" {
return nil, fmt.Errorf("host is required")
}
if config.Schema == "" {
return nil, fmt.Errorf("schema is required")
}
if config.Info.Pubkey == "" {
return nil, fmt.Errorf("info.pubkey is required")
}
secret, err := nostr.SecretKeyFromHex(config.Secret)
if err != nil {
return nil, err
}
// Save the path for later
config.path = path
// Make the secret... secret
config.Secret = ""
config.secret = secret
if err := config.Validate(); err != nil {
return nil, err
}
return &config, nil
}
func (config *Config) Save() error {
// Restore the secret key to the public field for saving
config.Secret = config.secret.Hex()
func LoadConfigFromJson(path string, body []byte) (*Config, error) {
var config Config
if err := json.Unmarshal(body, &config); err != nil {
return nil, fmt.Errorf("invalid json config: %w", err)
}
config.path = path
if err := config.Validate(); err != nil {
return nil, err
}
return &config, nil
}
func (config *Config) Validate() error {
if config.Blossom.Adapter == "" {
config.Blossom.Adapter = "local"
}
if config.Host == "" {
return fmt.Errorf("host is required")
}
if config.Schema == "" {
return fmt.Errorf("schema is required")
}
if !regexp.MustCompile(`^[a-z_][a-z0-9_]*$`).MatchString(config.Schema) {
return fmt.Errorf("schema must contain only lowercase letters, numbers, and underscores")
}
secret, err := nostr.SecretKeyFromHex(config.Secret)
if err != nil {
return fmt.Errorf("invalid secret key: %w", err)
}
config.secret = secret
if _, err := nostr.PubKeyFromHex(config.Info.Pubkey); err != nil {
return fmt.Errorf("invalid info.pubkey: %w", err)
}
if config.Blossom.Adapter == "s3" {
if config.Blossom.S3.Bucket == "" {
return fmt.Errorf("blossom.s3.bucket is required when blossom.adapter is s3")
}
if config.Blossom.S3.Region == "" {
return fmt.Errorf("blossom.s3.region is required when blossom.adapter is s3")
}
if config.Blossom.S3.AccessKey == "" {
return fmt.Errorf("blossom.s3.access_key is required when blossom.adapter is s3")
}
if config.Blossom.S3.SecretKey == "" {
return fmt.Errorf("blossom.s3.secret_key is required when blossom.adapter is s3")
}
} else if config.Blossom.Adapter != "local" {
return fmt.Errorf("invalid blossom adapter")
}
return nil
}
func (config *Config) Save() error {
file, err := os.Create(config.path)
if err != nil {
return fmt.Errorf("Failed to open config file %s: %w", config.path, err)
@@ -116,9 +176,6 @@ func (config *Config) Save() error {
return fmt.Errorf("Failed to encode config file %s: %w", config.path, err)
}
// Clear the secret again
config.Secret = ""
return nil
}
zooid/config_test.go
+104
View File
@@ -1,6 +1,8 @@
package zooid
import (
"os"
"path/filepath"
"testing"
"fiatjaf.com/nostr"
@@ -154,3 +156,105 @@ func TestConfig_MemberRole(t *testing.T) {
t.Error("Any pubkey should have member role permissions")
}
}
// validBlossomTestConfig returns a config that passes Validate except for any
// Blossom settings the caller overrides, so blossom validation can be exercised
// in isolation.
func validBlossomTestConfig() *Config {
sk := nostr.Generate()
c := &Config{
Host: "r.example.com",
Schema: "myrelay",
Secret: sk.Hex(),
}
c.Info.Pubkey = sk.Public().Hex()
return c
}
func TestValidateBlossomFileStorage(t *testing.T) {
t.Run("empty adapter defaults to local", func(t *testing.T) {
c := validBlossomTestConfig()
c.Blossom.Enabled = true
if err := c.Validate(); err != nil {
t.Fatalf("expected nil, got %v", err)
}
if c.Blossom.Adapter != "local" {
t.Errorf("expected adapter normalized to local, got %q", c.Blossom.Adapter)
}
})
t.Run("local storage needs no s3 fields", func(t *testing.T) {
c := validBlossomTestConfig()
c.Blossom.Enabled = true
c.Blossom.Adapter = "local"
if err := c.Validate(); err != nil {
t.Fatalf("expected nil, got %v", err)
}
})
t.Run("s3 requires bucket region keys and secret", func(t *testing.T) {
c := validBlossomTestConfig()
c.Blossom.Enabled = true
c.Blossom.Adapter = "s3"
c.Blossom.S3.Region = "us-east-1"
if err := c.Validate(); err == nil {
t.Fatal("expected error for missing bucket and credentials")
}
c.Blossom.S3.Bucket = "b"
c.Blossom.S3.AccessKey = "k"
c.Blossom.S3.SecretKey = "s"
if err := c.Validate(); err != nil {
t.Fatalf("expected nil with all s3 fields set, got %v", err)
}
})
t.Run("invalid adapter value", func(t *testing.T) {
c := validBlossomTestConfig()
c.Blossom.Enabled = true
c.Blossom.Adapter = "nfs"
if err := c.Validate(); err == nil {
t.Fatal("expected error for unknown adapter")
}
})
}
func TestLoadConfigFromPath_BlossomS3(t *testing.T) {
sk := nostr.Generate()
tmp := t.TempDir()
path := filepath.Join(tmp, "relay.toml")
tomlBody := `host = "r.example.com"
schema = "myrelay"
secret = "` + sk.Hex() + `"
inactive = false
[info]
name = "n"
pubkey = "` + sk.Public().Hex() + `"
[blossom]
enabled = true
adapter = "s3"
[blossom.s3]
region = "auto"
bucket = "test-bucket"
access_key = "AKIA"
secret_key = "topsecret"
endpoint = "http://127.0.0.1:9000"
`
if err := os.WriteFile(path, []byte(tomlBody), 0644); err != nil {
t.Fatal(err)
}
cfg, err := LoadConfigFromPath(path)
if err != nil {
t.Fatalf("LoadConfigFromPath: %v", err)
}
if cfg.Blossom.S3.SecretKey != "topsecret" {
t.Errorf("expected s3 secret_key retained in struct, got %q", cfg.Blossom.S3.SecretKey)
}
if cfg.Blossom.Adapter != "s3" {
t.Errorf("adapter: got %q", cfg.Blossom.Adapter)
}
}
zooid/events.go
+1 -1
View File
@@ -364,7 +364,7 @@ func (events *EventStore) SignAndStoreEvent(event *nostr.Event, broadcast bool)
return err
}
if broadcast {
if broadcast && events.Relay != nil {
events.Relay.BroadcastEvent(*event)
}
zooid/groups.go
+4
View File
@@ -227,6 +227,10 @@ func (g *GroupStore) HasAccess(h string, pubkey nostr.PubKey) bool {
}
func (g *GroupStore) IsGroupEvent(event nostr.Event) bool {
if !g.Config.Groups.Enabled {
return false
}
if slices.Contains(nip29.MetadataEventKinds, event.Kind) {
return true
}
zooid/instance.go
+7 -15
View File
@@ -9,7 +9,6 @@ import (
"fiatjaf.com/nostr"
"fiatjaf.com/nostr/khatru"
"github.com/gosimple/slug"
)
type Instance struct {
@@ -22,22 +21,14 @@ type Instance struct {
Push *PushManager
}
func MakeInstance(filename string) (*Instance, error) {
config, err := LoadConfig(filename)
if err != nil {
return nil, err
}
return makeInstance(config, filename)
}
func MakeInstanceFromPath(path string) (*Instance, error) {
func MakeInstance(name string) (*Instance, error) {
path := ConfigPathFromName(name)
config, err := LoadConfigFromPath(path)
if err != nil {
return nil, err
}
return makeInstance(config, path)
return makeInstance(config, name)
}
func makeInstance(config *Config, source string) (*Instance, error) {
@@ -47,7 +38,7 @@ func makeInstance(config *Config, source string) (*Instance, error) {
Relay: relay,
Config: config,
Schema: &Schema{
Name: slug.Make(config.Schema),
Name: config.Schema,
},
}
@@ -277,8 +268,9 @@ func (instance *Instance) StoreEvent(ctx context.Context, event nostr.Event) err
return instance.Events.StoreEvent(event)
}
func (instance *Instance) ReplaceEvent(ctx context.Context, event nostr.Event) ([]nostr.Event, error) {
return instance.Events.ReplaceEvent(event)
func (instance *Instance) ReplaceEvent(ctx context.Context, event nostr.Event) error {
_, err := instance.Events.ReplaceEvent(event)
return err
}
func (instance *Instance) DeleteEvent(ctx context.Context, id nostr.ID) error {
zooid/instance_test.go
+1 -1
View File
@@ -27,7 +27,7 @@ func createTestInstance() *Instance {
schema := &Schema{Name: "test_" + RandomString(8)}
relay := &khatru.Relay{}
relay := khatru.NewRelay()
events := &EventStore{
Relay: relay,
zooid/lib.go
+13 -7
View File
@@ -28,13 +28,17 @@ func Dispatch(hostname string) (*Instance, bool) {
return instance, exists
}
func cleanupIfInactive(instance *Instance) bool {
if instance != nil && instance.Config != nil && instance.Config.Inactive {
instance.Cleanup()
return true
func DispatchBySchema(schema string) (*Instance, bool) {
instancesMux.RLock()
defer instancesMux.RUnlock()
for _, instance := range instancesByName {
if instance.Config.Schema == schema && !instance.Config.Inactive {
return instance, true
}
}
return false
return nil, false
}
func Start() {
@@ -72,7 +76,8 @@ func Start() {
if err != nil {
log.Printf("Failed to make instance for %s: %v", entry.Name(), err)
} else if cleanupIfInactive(instance) {
} else if instance.Config.Inactive {
instance.Cleanup()
log.Printf("Skipped inactive %s", entry.Name())
} else {
instancesByHost[instance.Config.Host] = instance
@@ -119,7 +124,8 @@ func Start() {
instance, err := MakeInstance(filename)
if err != nil {
log.Printf("Failed to reload %s: %v", filename, err)
} else if cleanupIfInactive(instance) {
} else if instance.Config.Inactive {
instance.Cleanup()
log.Printf("Skipped inactive %s", filename)
} else {
instancesByHost[instance.Config.Host] = instance
zooid/livekit.go
+5 -3
View File
@@ -50,7 +50,7 @@ func generateLivekitServerToken(apiKey, apiSecret string) string {
return jwt
}
func ensureLivekitRoom(apiKey, apiSecret, serverURL, roomName string) error {
func ensureLivekitRoom(apiKey, apiSecret, serverURL, roomName, metadata string) error {
roomKey := serverURL + "'" + roomName
livekitRoomsMu.RLock()
@@ -63,8 +63,10 @@ func ensureLivekitRoom(apiKey, apiSecret, serverURL, roomName string) error {
httpURL := strings.Replace(strings.Replace(serverURL, "wss://", "https://", 1), "ws://", "http://", 1)
url := fmt.Sprintf("%s/twirp/livekit.RoomService/CreateRoom", httpURL)
// Use the relay's schema as room metadata so we can use the same livekit creds for multiple relay
reqBody, _ := json.Marshal(map[string]interface{}{
"name": roomName,
"name": roomName,
"metadata": metadata,
})
req, err := http.NewRequest("POST", url, bytes.NewBuffer(reqBody))
@@ -214,7 +216,7 @@ func (instance *Instance) livekitTokenHandler(w http.ResponseWriter, r *http.Req
return
}
if err := ensureLivekitRoom(cfg.APIKey, cfg.APISecret, cfg.ServerURL, groupId); err != nil {
if err := ensureLivekitRoom(cfg.APIKey, cfg.APISecret, cfg.ServerURL, groupId, instance.Config.Schema); err != nil {
http.Error(w, "failed to create room", http.StatusInternalServerError)
return
}
zooid/main_test.go
+20
View File
@@ -0,0 +1,20 @@
package zooid
import (
"os"
"testing"
)
func TestMain(m *testing.M) {
dir, err := os.MkdirTemp("", "zooid-test-*")
if err != nil {
panic(err)
}
os.Setenv("DATA", dir)
code := m.Run()
os.RemoveAll(dir)
os.Exit(code)
}
zooid/management.go
+268 -4
View File
@@ -2,6 +2,11 @@ package zooid
import (
"context"
"errors"
"fmt"
"slices"
"strconv"
"fiatjaf.com/nostr"
"fiatjaf.com/nostr/khatru"
"fiatjaf.com/nostr/nip86"
@@ -127,10 +132,6 @@ func (m *ManagementStore) PubkeyIsBanned(pubkey nostr.PubKey) bool {
// Admins
func (m *ManagementStore) IsAdmin(pubkey nostr.PubKey) bool {
return m.Config.IsOwner(pubkey) || m.Config.IsSelf(pubkey)
}
func (m *ManagementStore) GetAdmins() []nostr.PubKey {
members := make([]nostr.PubKey, 0)
@@ -147,6 +148,10 @@ func (m *ManagementStore) GetAdmins() []nostr.PubKey {
return members
}
func (m *ManagementStore) IsAdmin(pubkey nostr.PubKey) bool {
return slices.Contains(m.GetAdmins(), pubkey)
}
// Membership
func (m *ManagementStore) GetMembers() []nostr.PubKey {
@@ -195,6 +200,10 @@ func (m *ManagementStore) AddMember(pubkey nostr.PubKey) error {
}
func (m *ManagementStore) RemoveMember(pubkey nostr.PubKey) error {
if m.IsAdmin(pubkey) {
return errors.New("Can't remove permanent admins from relay.")
}
membersEvent := m.Events.GetOrCreateRelayMembersList()
if membersEvent.Tags.FindWithValue("member", pubkey.Hex()) != nil {
@@ -225,6 +234,237 @@ func (m *ManagementStore) RemoveMember(pubkey nostr.PubKey) error {
return nil
}
// Roles
func (m *ManagementStore) GetRoleDefinition(id string) (nostr.Event, bool) {
filter := nostr.Filter{
Kinds: []nostr.Kind{RELAY_ROLE},
Tags: nostr.TagMap{"d": []string{id}},
}
for event := range m.Events.QueryEvents(filter, 1) {
return event, true
}
return nostr.Event{}, false
}
func (m *ManagementStore) buildRoleEvent(id, label, description string, color, order int) (nostr.Event, error) {
if id == "" {
return nostr.Event{}, errors.New("role id is required")
}
if color < 0 || color > 255 {
return nostr.Event{}, errors.New("color must be a hue between 0 and 255")
}
tags := nostr.Tags{
nostr.Tag{"-"},
nostr.Tag{"d", id},
}
if label != "" {
tags = append(tags, nostr.Tag{"label", label})
}
if description != "" {
tags = append(tags, nostr.Tag{"description", description})
}
// color and order are optional integers. The nip86 layer can't distinguish an omitted
// value from a zero, so we only persist them when they're explicitly non-zero, letting
// clients fall back to their own defaults otherwise.
if color != 0 {
tags = append(tags, nostr.Tag{"color", strconv.Itoa(color)})
}
if order != 0 {
tags = append(tags, nostr.Tag{"order", strconv.Itoa(order)})
}
return nostr.Event{
Kind: RELAY_ROLE,
CreatedAt: nostr.Now(),
Tags: tags,
}, nil
}
func (m *ManagementStore) CreateRole(id, label, description string, color, order int) error {
if _, exists := m.GetRoleDefinition(id); exists {
return fmt.Errorf("role %q already exists", id)
}
event, err := m.buildRoleEvent(id, label, description, color, order)
if err != nil {
return err
}
return m.Events.SignAndStoreEvent(&event, true)
}
func (m *ManagementStore) EditRole(id, label, description string, color, order int) error {
if _, exists := m.GetRoleDefinition(id); !exists {
return fmt.Errorf("role %q does not exist", id)
}
event, err := m.buildRoleEvent(id, label, description, color, order)
if err != nil {
return err
}
return m.Events.SignAndStoreEvent(&event, true)
}
func (m *ManagementStore) DeleteRole(id string) error {
if event, exists := m.GetRoleDefinition(id); exists {
if err := m.Events.DeleteEvent(event.ID); err != nil {
return err
}
address := nostr.EntityPointer{
Kind: event.Kind,
PublicKey: event.PubKey,
Identifier: event.Tags.GetD(),
}.AsTagReference()
event := nostr.Event{
Kind: nostr.KindDeletion,
CreatedAt: nostr.Now(),
Tags: nostr.Tags{
nostr.Tag{"e", event.ID.Hex()},
nostr.Tag{"a", address},
nostr.Tag{"k", strconv.Itoa(int(event.Kind))},
},
}
if err := m.Events.SignAndStoreEvent(&event, true); err != nil {
return err
}
}
return m.removeRoleFromMembers(id)
}
// Role assignment
func (m *ManagementStore) GetAssignedRoles(pubkey nostr.PubKey) []string {
tag := m.Events.GetOrCreateRelayMembersList().Tags.FindWithValue("member", pubkey.Hex())
if len(tag) < 3 {
return []string{}
}
return slices.Clone(tag[2:])
}
func (m *ManagementStore) AssignRole(pubkey nostr.PubKey, roleID string) error {
if _, exists := m.GetRoleDefinition(roleID); !exists {
return fmt.Errorf("role %q does not exist", roleID)
}
// A role is meaningless without membership, so ensure the pubkey is a member first.
if err := m.AddMember(pubkey); err != nil {
return err
}
roles := m.GetAssignedRoles(pubkey)
if slices.Contains(roles, roleID) {
return nil
}
return m.setAssignedRoles(pubkey, append(roles, roleID))
}
func (m *ManagementStore) UnassignRole(pubkey nostr.PubKey, roleID string) error {
roles := m.GetAssignedRoles(pubkey)
if !slices.Contains(roles, roleID) {
return nil
}
return m.setAssignedRoles(pubkey, Remove(roles, roleID))
}
func (m *ManagementStore) setAssignedRoles(pubkey nostr.PubKey, roleIDs []string) error {
membersEvent := m.Events.GetOrCreateRelayMembersList()
found := false
tags := make(nostr.Tags, 0, len(membersEvent.Tags))
for _, tag := range membersEvent.Tags {
if len(tag) >= 2 && tag[0] == "member" && tag[1] == pubkey.Hex() {
found = true
tags = append(tags, append(nostr.Tag{"member", pubkey.Hex()}, roleIDs...))
} else {
tags = append(tags, tag)
}
}
if !found {
return nil
}
membersEvent.CreatedAt = nostr.Now()
membersEvent.Tags = tags
return m.Events.SignAndStoreEvent(&membersEvent, true)
}
func (m *ManagementStore) removeRoleFromMembers(roleID string) error {
membersEvent := m.Events.GetOrCreateRelayMembersList()
changed := false
tags := make(nostr.Tags, 0, len(membersEvent.Tags))
for _, tag := range membersEvent.Tags {
if len(tag) >= 3 && tag[0] == "member" && slices.Contains(tag[2:], roleID) {
changed = true
roles := Filter(tag[2:], func(r string) bool { return r != roleID })
tags = append(tags, append(nostr.Tag{"member", tag[1]}, roles...))
} else {
tags = append(tags, tag)
}
}
if !changed {
return nil
}
membersEvent.CreatedAt = nostr.Now()
membersEvent.Tags = tags
return m.Events.SignAndStoreEvent(&membersEvent, true)
}
// Signing
// SignEvent signs an event template with the relay's identity key on an admin's behalf, then
// stores and broadcasts it before returning the signed event. Only kind 30078 (application-specific
// data) is supported for now; every other kind is rejected outright.
func (m *ManagementStore) SignEvent(kind nostr.Kind, createdAt nostr.Timestamp, tags nostr.Tags, content string) (nostr.Event, error) {
if kind != nostr.KindApplicationSpecificData {
return nostr.Event{}, errors.New("kind not allowed")
}
// A missing created_at would otherwise default to the epoch, which is almost never what
// the caller intends, so fall back to the current time.
if createdAt == 0 {
createdAt = nostr.Now()
}
event := nostr.Event{
Kind: kind,
CreatedAt: createdAt,
Tags: tags,
Content: content,
}
if err := m.Events.SignAndStoreEvent(&event, true); err != nil {
return nostr.Event{}, err
}
return event, nil
}
// Banning
func (m *ManagementStore) BanPubkey(pubkey nostr.PubKey, reason string) error {
@@ -380,4 +620,28 @@ func (m *ManagementStore) Enable(instance *Instance) {
instance.Relay.ManagementAPI.ListBannedEvents = func(ctx context.Context) ([]nip86.IDReason, error) {
return m.GetBannedEventItems(), nil
}
instance.Relay.ManagementAPI.CreateRole = func(ctx context.Context, id, label, description string, color, order int) error {
return m.CreateRole(id, label, description, color, order)
}
instance.Relay.ManagementAPI.EditRole = func(ctx context.Context, id, label, description string, color, order int) error {
return m.EditRole(id, label, description, color, order)
}
instance.Relay.ManagementAPI.DeleteRole = func(ctx context.Context, id string) error {
return m.DeleteRole(id)
}
instance.Relay.ManagementAPI.AssignRole = func(ctx context.Context, pubkey nostr.PubKey, roleID string) error {
return m.AssignRole(pubkey, roleID)
}
instance.Relay.ManagementAPI.UnassignRole = func(ctx context.Context, pubkey nostr.PubKey, roleID string) error {
return m.UnassignRole(pubkey, roleID)
}
instance.Relay.ManagementAPI.SignEvent = func(ctx context.Context, kind nostr.Kind, createdAt nostr.Timestamp, tags nostr.Tags, content string) (nostr.Event, error) {
return m.SignEvent(kind, createdAt, tags, content)
}
}
zooid/management_test.go
+317 -1
View File
@@ -1,6 +1,7 @@
package zooid
import (
"strconv"
"testing"
"fiatjaf.com/nostr"
@@ -12,8 +13,9 @@ func createTestManagementStore() *ManagementStore {
Host: "test.com",
secret: nostr.Generate(),
}
config.Info.Pubkey = nostr.Generate().Public().Hex()
schema := &Schema{Name: "test_" + RandomString(8)}
relay := &khatru.Relay{}
relay := khatru.NewRelay()
events := &EventStore{
Relay: relay,
Config: config,
@@ -163,6 +165,320 @@ func TestManagementStore_AllowEvent(t *testing.T) {
}
}
func roleTagValue(event nostr.Event, key string) string {
tag := event.Tags.Find(key)
if len(tag) < 2 {
return ""
}
return tag[1]
}
func TestManagementStore_CreateRole(t *testing.T) {
mgmt := createTestManagementStore()
if err := mgmt.CreateRole("king", "King", "ruler of the relay", 37, 1); err != nil {
t.Fatalf("CreateRole() error = %v", err)
}
event, ok := mgmt.GetRoleDefinition("king")
if !ok {
t.Fatal("GetRoleDefinition() should return the created role")
}
if event.Kind != RELAY_ROLE {
t.Errorf("role event kind = %v, want %v", event.Kind, RELAY_ROLE)
}
if !HasTag(event.Tags, "-") {
t.Error("role event should carry a NIP 70 \"-\" tag")
}
if got := roleTagValue(event, "d"); got != "king" {
t.Errorf("d tag = %q, want %q", got, "king")
}
if got := roleTagValue(event, "label"); got != "King" {
t.Errorf("label tag = %q, want %q", got, "King")
}
if got := roleTagValue(event, "description"); got != "ruler of the relay" {
t.Errorf("description tag = %q, want %q", got, "ruler of the relay")
}
if got := roleTagValue(event, "color"); got != "37" {
t.Errorf("color tag = %q, want %q", got, "37")
}
if got := roleTagValue(event, "order"); got != "1" {
t.Errorf("order tag = %q, want %q", got, "1")
}
if event.PubKey != mgmt.Config.GetSelf() {
t.Error("role event should be signed by the relay self key")
}
}
func TestManagementStore_CreateRole_Duplicate(t *testing.T) {
mgmt := createTestManagementStore()
if err := mgmt.CreateRole("king", "King", "", 0, 0); err != nil {
t.Fatalf("CreateRole() error = %v", err)
}
if err := mgmt.CreateRole("king", "King", "", 0, 0); err == nil {
t.Error("CreateRole() should error when the role already exists")
}
}
func TestManagementStore_CreateRole_OmitsEmptyAndZero(t *testing.T) {
mgmt := createTestManagementStore()
if err := mgmt.CreateRole("plain", "", "", 0, 0); err != nil {
t.Fatalf("CreateRole() error = %v", err)
}
event, ok := mgmt.GetRoleDefinition("plain")
if !ok {
t.Fatal("GetRoleDefinition() should return the created role")
}
for _, key := range []string{"label", "description", "color", "order"} {
if HasTag(event.Tags, key) {
t.Errorf("role event should omit empty/zero %q tag", key)
}
}
}
func TestManagementStore_CreateRole_InvalidColor(t *testing.T) {
mgmt := createTestManagementStore()
if err := mgmt.CreateRole("king", "King", "", 300, 0); err == nil {
t.Error("CreateRole() should error on out-of-range color")
}
if _, ok := mgmt.GetRoleDefinition("king"); ok {
t.Error("invalid role should not have been stored")
}
}
func TestManagementStore_EditRole(t *testing.T) {
mgmt := createTestManagementStore()
if err := mgmt.EditRole("king", "King", "", 0, 0); err == nil {
t.Error("EditRole() should error when the role does not exist")
}
if err := mgmt.CreateRole("king", "King", "ruler", 10, 1); err != nil {
t.Fatalf("CreateRole() error = %v", err)
}
if err := mgmt.EditRole("king", "Monarch", "the boss", 200, 2); err != nil {
t.Fatalf("EditRole() error = %v", err)
}
event, ok := mgmt.GetRoleDefinition("king")
if !ok {
t.Fatal("GetRoleDefinition() should return the edited role")
}
if got := roleTagValue(event, "label"); got != "Monarch" {
t.Errorf("label tag = %q, want %q", got, "Monarch")
}
if got := roleTagValue(event, "color"); got != "200" {
t.Errorf("color tag = %q, want %q", got, "200")
}
// Editing replaces the definition, so there should only be a single role event.
count := 0
for range mgmt.Events.QueryEvents(nostr.Filter{Kinds: []nostr.Kind{RELAY_ROLE}}, 0) {
count++
}
if count != 1 {
t.Errorf("expected 1 role event after edit, got %d", count)
}
}
func TestManagementStore_AssignAndUnassignRole(t *testing.T) {
mgmt := createTestManagementStore()
pubkey := nostr.Generate().Public()
if err := mgmt.CreateRole("king", "King", "", 0, 0); err != nil {
t.Fatalf("CreateRole() error = %v", err)
}
if err := mgmt.AssignRole(pubkey, "king"); err != nil {
t.Fatalf("AssignRole() error = %v", err)
}
// Assigning a role implies membership.
if !mgmt.IsMember(pubkey) {
t.Error("AssignRole() should make the pubkey a member")
}
if roles := mgmt.GetAssignedRoles(pubkey); len(roles) != 1 || roles[0] != "king" {
t.Errorf("GetAssignedRoles() = %v, want [king]", roles)
}
// Assignment is idempotent and must not duplicate the role.
if err := mgmt.AssignRole(pubkey, "king"); err != nil {
t.Fatalf("AssignRole() repeat error = %v", err)
}
if roles := mgmt.GetAssignedRoles(pubkey); len(roles) != 1 {
t.Errorf("GetAssignedRoles() after repeat = %v, want one entry", roles)
}
if err := mgmt.UnassignRole(pubkey, "king"); err != nil {
t.Fatalf("UnassignRole() error = %v", err)
}
if roles := mgmt.GetAssignedRoles(pubkey); len(roles) != 0 {
t.Errorf("GetAssignedRoles() after unassign = %v, want empty", roles)
}
// Unassigning a role does not revoke membership.
if !mgmt.IsMember(pubkey) {
t.Error("UnassignRole() should leave the pubkey a member")
}
}
func TestManagementStore_AssignRole_UnknownRole(t *testing.T) {
mgmt := createTestManagementStore()
pubkey := nostr.Generate().Public()
if err := mgmt.AssignRole(pubkey, "ghost"); err == nil {
t.Error("AssignRole() should error for an undefined role")
}
if mgmt.IsMember(pubkey) {
t.Error("failed AssignRole() should not add membership")
}
}
func TestManagementStore_DeleteRole(t *testing.T) {
mgmt := createTestManagementStore()
pubkey := nostr.Generate().Public()
if err := mgmt.CreateRole("king", "King", "", 0, 0); err != nil {
t.Fatalf("CreateRole() error = %v", err)
}
if err := mgmt.AssignRole(pubkey, "king"); err != nil {
t.Fatalf("AssignRole() error = %v", err)
}
if err := mgmt.DeleteRole("king"); err != nil {
t.Fatalf("DeleteRole() error = %v", err)
}
if _, ok := mgmt.GetRoleDefinition("king"); ok {
t.Error("GetRoleDefinition() should return false after deletion")
}
// Deleting a role must strip dangling assignments from the members list.
if roles := mgmt.GetAssignedRoles(pubkey); len(roles) != 0 {
t.Errorf("GetAssignedRoles() after delete = %v, want empty", roles)
}
// The pubkey remains a member, just without the deleted role.
if !mgmt.IsMember(pubkey) {
t.Error("DeleteRole() should leave the pubkey a member")
}
}
func TestManagementStore_DeleteRole_BroadcastsDeletion(t *testing.T) {
mgmt := createTestManagementStore()
if err := mgmt.CreateRole("king", "King", "", 0, 0); err != nil {
t.Fatalf("CreateRole() error = %v", err)
}
role, ok := mgmt.GetRoleDefinition("king")
if !ok {
t.Fatal("GetRoleDefinition() should return the created role")
}
if err := mgmt.DeleteRole("king"); err != nil {
t.Fatalf("DeleteRole() error = %v", err)
}
filter := nostr.Filter{Kinds: []nostr.Kind{nostr.KindDeletion}}
var deletion *nostr.Event
for event := range mgmt.Events.QueryEvents(filter, 1) {
e := event
deletion = &e
}
if deletion == nil {
t.Fatal("DeleteRole() should store a deletion event")
}
address := nostr.EntityPointer{
Kind: RELAY_ROLE,
PublicKey: role.PubKey,
Identifier: "king",
}.AsTagReference()
if tag := deletion.Tags.FindWithValue("e", role.ID.Hex()); tag == nil {
t.Errorf("deletion event missing e tag for %s", role.ID.Hex())
}
if tag := deletion.Tags.FindWithValue("a", address); tag == nil {
t.Errorf("deletion event missing a tag for %s", address)
}
if tag := deletion.Tags.FindWithValue("k", strconv.Itoa(RELAY_ROLE)); tag == nil {
t.Errorf("deletion event missing k tag for kind %d", RELAY_ROLE)
}
}
func TestManagementStore_SignEvent_AllowedKind(t *testing.T) {
mgmt := createTestManagementStore()
tags := nostr.Tags{nostr.Tag{"d", "zooid/test"}}
event, err := mgmt.SignEvent(nostr.KindApplicationSpecificData, 0, tags, "hello")
if err != nil {
t.Fatalf("SignEvent() error = %v", err)
}
if event.PubKey != mgmt.Config.GetSelf() {
t.Errorf("SignEvent() signed with %s, want relay key %s", event.PubKey, mgmt.Config.GetSelf())
}
if !event.VerifySignature() {
t.Error("SignEvent() produced an invalid signature")
}
// A zero created_at must be replaced with the current time.
if event.CreatedAt == 0 {
t.Error("SignEvent() should default a missing created_at to the current time")
}
// SignEvent must not persist the event, only return it.
filter := nostr.Filter{Kinds: []nostr.Kind{nostr.KindApplicationSpecificData}, Tags: nostr.TagMap{"d": []string{"zooid/test"}}}
for stored := range mgmt.Events.QueryEvents(filter, 1) {
if stored.ID == event.ID {
t.Error("SignEvent() should not store the signed event")
}
}
}
func TestManagementStore_SignEvent_RejectsOtherKinds(t *testing.T) {
mgmt := createTestManagementStore()
if _, err := mgmt.SignEvent(nostr.KindTextNote, 0, nil, ""); err == nil || err.Error() != "kind not allowed" {
t.Errorf("SignEvent() error = %v, want \"kind not allowed\"", err)
}
}
func TestManagementStore_PubkeyIsBanned_NotBanned(t *testing.T) {
mgmt := createTestManagementStore()
zooid/util.go
+8 -1
View File
@@ -21,6 +21,7 @@ const (
RELAY_INVITE = 28935
RELAY_LEAVE = 28936
PUSH_SUBSCRIPTION = 30390
RELAY_ROLE = 33534
BANNED_PUBKEYS = "zooid/banned_pubkeys"
BANNED_EVENTS = "zooid/banned_events"
)
@@ -42,6 +43,7 @@ func IsReadOnlyEvent(event nostr.Event) bool {
RELAY_ADD_MEMBER,
RELAY_REMOVE_MEMBER,
RELAY_MEMBERS,
RELAY_ROLE,
}
return slices.Contains(readOnlyEventKinds, event.Kind)
@@ -183,7 +185,12 @@ func validateNIP98Auth(r *http.Request) (nostr.PubKey, error) {
return nostr.PubKey{}, fmt.Errorf("invalid event signature")
}
expectedURL := fmt.Sprintf("%s://%s%s", scheme(r), r.Host, r.URL.Path)
scheme := "http"
if r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https" {
scheme = scheme + "s"
}
expectedURL := fmt.Sprintf("%s://%s%s", scheme, r.Host, r.URL.Path)
var hasURL, hasMethod bool
for _, tag := range event.Tags {