chore: harden relay plan validation to prevent billing bypass and plan-state drift

Co-authored-by: userAdityaa <aditya.chaudhary1558@gmail.com>
Co-committed-by: userAdityaa <aditya.chaudhary1558@gmail.com>

backend/README.md

@@ -60,7 +60,13 @@ See [spec](spec) for more details
 
 ## API Routes
 
-All routes are NIP-98 protected.
+Most API routes are NIP-98 protected.
+
+Public exceptions:
+
+- `GET /plans`
+- `GET /plans/:id`
+- `POST /stripe/webhook` (validated with Stripe signatures instead)
 
 - `GET /identity` — get auth identity (`pubkey`, `is_admin`)
 - `GET /tenants` — list tenants (admin)
@@ -73,3 +79,13 @@ All routes are NIP-98 protected.
 - `PUT /relays/:id` — update relay (admin or relay tenant)
 - `POST /relays/:id/deactivate` — deactivate relay (admin or relay tenant)
 - `GET /invoices` — list invoices (`?tenant=<pubkey>` allowed for admin only)
+
+## API Auth Model
+
+Caravel intentionally uses a session-style variant of NIP-98 for client-to-backend API auth.
+
+- Frontend signs one kind `27235` event with `u = VITE_API_URL` and caches that header for about 10 minutes.
+- Backend verifies event kind, signature, and that `u` contains configured `HOST`.
+- Backend intentionally does not bind auth to exact request URL/method/query, and does not enforce payload hash, timestamp freshness window, or replay cache.
+- Goal: reduce repeated wallet signing prompts and avoid cookie-based sessions.
+- Tradeoff: this is weaker request-intent binding than strict NIP-98 semantics.

backend/spec/api.md

@@ -184,9 +184,11 @@ Notes:
 ## `extract_auth_pubkey(&self, headers: &HeaderMap) -> Result<String>`
 
 - Parses `Authorization` header
-- Validates event kind and signature using `nostr_sdk`
+- Validates event kind (`27235`) and signature using `nostr_sdk`
-- Validates event `u` against `HOST` (not the request path. Non-standard, but correct)
+- Validates event `u` contains configured `HOST`
-- Does not validate `method` tag
+- Intentionally does **not** enforce exact request URL/method/query matching
+- Intentionally does **not** validate `payload` tag/hash, `created_at` freshness window, or replay nonce/cache
+- This is a deliberate session-style tradeoff to reduce repeated signer prompts in the client
 - Returns pubkey if header all checks pass
 
 Refer to https://github.com/nostr-protocol/nips/blob/master/98.md for details. Use `nostr_sdk` functionality where possible.
@@ -202,7 +204,8 @@ Refer to https://github.com/nostr-protocol/nips/blob/master/98.md for details. U
 ## `prepare_relay(&self, relay: Relay) -> anyhow::Result<Relay>`
 
 - Validate `subdomain`
-- If `plan` is free and `blossom` is enabled, return `premium-feature`
+- Validate that `plan` matches a known plan id from `Query::list_plans`
-- If `plan` is free and `livekit` is enabled, return `premium-feature`
+- If selected `plan` does not include `blossom` and `blossom` is enabled, return `premium-feature`
+- If selected `plan` does not include `livekit` and `livekit` is enabled, return `premium-feature`
 - Populate `schema` if not already set
 - Populate missing fields using reasonable defaults

backend/spec/infra.md

@@ -19,7 +19,7 @@ Members:
 
 ## `async fn handle_activity(&self, activity: &Activity)`
 
-- For `create_relay`, `update_relay`, or `deactivate_relay` activity, calls `sync_and_report`.
+- For `create_relay`, `update_relay`, `activate_relay`, or `deactivate_relay` activity, calls `sync_and_report`.
 - All other activity types are ignored (e.g. `fail_relay_sync`, `complete_relay_sync`).
 
 ## `async fn sync_and_report(&self, relay: &Relay, is_new: bool)`

backend/src/api.rs

@@ -12,7 +12,7 @@ use base64::Engine;
 use nostr_sdk::{Event, JsonUtil, Kind};
 use serde::{Deserialize, Serialize};
 
-use crate::billing::Billing;
+use crate::billing::{Billing, InvoiceLookupError};
 use crate::command::Command;
 use crate::models::{
     RELAY_STATUS_ACTIVE, RELAY_STATUS_DELINQUENT, RELAY_STATUS_INACTIVE, Relay, Tenant,
@@ -72,6 +72,11 @@ enum ApiError {
     Unauthorized(anyhow::Error),
     Forbidden(&'static str),
     NotFound(&'static str),
+    Client {
+        status: StatusCode,
+        code: &'static str,
+        message: &'static str,
+    },
     Internal(String),
 }
 
@@ -81,11 +86,36 @@ impl IntoResponse for ApiError {
             Self::Unauthorized(e) => err(StatusCode::UNAUTHORIZED, "unauthorized", &e.to_string()),
             Self::Forbidden(message) => err(StatusCode::FORBIDDEN, "forbidden", message),
             Self::NotFound(message) => err(StatusCode::NOT_FOUND, "not-found", message),
+            Self::Client {
+                status,
+                code,
+                message,
+            } => err(status, code, message),
             Self::Internal(message) => err(StatusCode::INTERNAL_SERVER_ERROR, "internal", &message),
         }
     }
 }
 
+fn map_invoice_lookup_error(error: InvoiceLookupError) -> ApiError {
+    match error {
+        InvoiceLookupError::StripeClient { status } => {
+            let status = StatusCode::from_u16(status.as_u16()).unwrap_or(StatusCode::BAD_REQUEST);
+            match status {
+                StatusCode::NOT_FOUND => ApiError::NotFound("invoice not found"),
+                StatusCode::UNAUTHORIZED | StatusCode::FORBIDDEN => {
+                    ApiError::Forbidden("invoice access denied")
+                }
+                _ => ApiError::Client {
+                    status,
+                    code: "invoice-request-rejected",
+                    message: "invoice request rejected",
+                },
+            }
+        }
+        InvoiceLookupError::Internal(error) => ApiError::Internal(error.to_string()),
+    }
+}
+
 impl Api {
     pub fn new(query: Query, command: Command, billing: Billing) -> Self {
         let host = std::env::var("HOST").unwrap_or_else(|_| "127.0.0.1".to_string());
@@ -179,6 +209,9 @@ impl Api {
             return Err(ApiError::Unauthorized(anyhow!("missing u tag")));
         };
 
+        // Intentional session-style variant of NIP-98 for Caravel API auth.
+        // We validate signer identity plus host affinity, and do not bind to exact
+        // request URL/method or maintain replay state here.
         if !self.host.is_empty() && !got_u.contains(&self.host) {
             return Err(ApiError::Unauthorized(anyhow!(
                 "authorization host mismatch"
@@ -226,10 +259,12 @@ impl Api {
             return Err(anyhow!("invalid-subdomain"));
         }
 
-        if relay.plan == "free" && relay.blossom_enabled == 1 {
+        let plan = Query::get_plan(&relay.plan).ok_or_else(|| anyhow!("invalid-plan"))?;
+
+        if !plan.blossom && relay.blossom_enabled == 1 {
             return Err(anyhow!("premium-feature"));
         }
-        if relay.plan == "free" && relay.livekit_enabled == 1 {
+        if !plan.livekit && relay.livekit_enabled == 1 {
             return Err(anyhow!("premium-feature"));
         }
 
@@ -243,14 +278,10 @@ impl Api {
         relay.policy_strip_signatures = parse_bool_default(relay.policy_strip_signatures, 0);
         relay.groups_enabled = parse_bool_default(relay.groups_enabled, 1);
         relay.management_enabled = parse_bool_default(relay.management_enabled, 1);
-        relay.blossom_enabled = parse_bool_default(
+        relay.blossom_enabled =
-            relay.blossom_enabled,
+            parse_bool_default(relay.blossom_enabled, if plan.blossom { 1 } else { 0 });
-            if relay.plan == "free" { 0 } else { 1 },
+        relay.livekit_enabled =
-        );
+            parse_bool_default(relay.livekit_enabled, if plan.livekit { 1 } else { 0 });
-        relay.livekit_enabled = parse_bool_default(
-            relay.livekit_enabled,
-            if relay.plan == "free" { 0 } else { 1 },
-        );
         relay.push_enabled = parse_bool_default(relay.push_enabled, 1);
 
         Ok(relay)
@@ -420,7 +451,7 @@ async fn get_identity(
 }
 
 async fn get_plan(Path(id): Path<String>) -> Response {
-    match Query::list_plans().into_iter().find(|p| p.id == id) {
+    match Query::get_plan(&id) {
         Some(plan) => ok(StatusCode::OK, plan),
         None => err(StatusCode::NOT_FOUND, "not-found", "plan not found"),
     }
@@ -561,6 +592,13 @@ async fn create_relay(
     };
 
     relay = match state.api.prepare_relay(relay) {
+        Err(e) if e.to_string() == "invalid-plan" => {
+            return Ok(err(
+                StatusCode::UNPROCESSABLE_ENTITY,
+                "invalid-plan",
+                "plan not found",
+            ));
+        }
         Ok(r) => r,
         Err(e) if e.to_string() == "premium-feature" => {
             return Ok(err(
@@ -658,6 +696,13 @@ async fn update_relay(
     }
 
     relay = match state.api.prepare_relay(relay) {
+        Err(e) if e.to_string() == "invalid-plan" => {
+            return Ok(err(
+                StatusCode::UNPROCESSABLE_ENTITY,
+                "invalid-plan",
+                "plan not found",
+            ));
+        }
         Ok(r) => r,
         Err(e) if e.to_string() == "premium-feature" => {
             return Ok(err(
@@ -808,7 +853,7 @@ async fn get_invoice(
         .billing
         .get_invoice_with_tenant(&id)
         .await
-        .map_err(|e| ApiError::Internal(e.to_string()))?;
+        .map_err(map_invoice_lookup_error)?;
     state.api.require_admin_or_tenant(&auth, &tenant.pubkey)?;
 
     Ok(ok(StatusCode::OK, invoice))
@@ -825,7 +870,7 @@ async fn get_invoice_bolt11(
         .billing
         .get_invoice_with_tenant(&id)
         .await
-        .map_err(|e| ApiError::Internal(e.to_string()))?;
+        .map_err(map_invoice_lookup_error)?;
     state.api.require_admin_or_tenant(&auth, &tenant.pubkey)?;
 
     let status = invoice["status"].as_str().unwrap_or_default();

backend/src/billing.rs

@@ -18,6 +18,41 @@ const STRIPE_API: &str = "https://api.stripe.com/v1";
 const COINBASE_SPOT_API: &str = "https://api.coinbase.com/v2/prices";
 const WEBHOOK_TOLERANCE_SECS: i64 = 300;
 
+#[derive(Debug)]
+pub enum InvoiceLookupError {
+    StripeClient { status: reqwest::StatusCode },
+    Internal(anyhow::Error),
+}
+
+impl std::fmt::Display for InvoiceLookupError {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Self::StripeClient { status } => {
+                write!(
+                    f,
+                    "stripe invoice lookup failed with status {}",
+                    status.as_u16()
+                )
+            }
+            Self::Internal(error) => write!(f, "{error}"),
+        }
+    }
+}
+
+impl std::error::Error for InvoiceLookupError {}
+
+impl From<anyhow::Error> for InvoiceLookupError {
+    fn from(value: anyhow::Error) -> Self {
+        Self::Internal(value)
+    }
+}
+
+impl From<reqwest::Error> for InvoiceLookupError {
+    fn from(value: reqwest::Error) -> Self {
+        Self::Internal(value.into())
+    }
+}
+
 #[derive(serde::Deserialize)]
 struct StripeEvent {
     #[serde(rename = "type")]
@@ -119,8 +154,11 @@ impl Billing {
             return Ok(());
         };
 
+        let plan = Query::get_plan(&relay.plan)
+            .ok_or_else(|| anyhow!("unknown relay plan id: {}", relay.plan))?;
+
         // Free plan: remove subscription item if exists, then clean up
-        if relay.plan == "free" {
+        if plan.id == "free" {
             if let Some(ref item_id) = relay.stripe_subscription_item_id {
                 self.stripe_delete_subscription_item(item_id).await?;
                 self.command
@@ -144,12 +182,6 @@ impl Billing {
         }
 
         // Active relay on a paid plan
-        let plan = Query::list_plans().into_iter().find(|p| p.id == relay.plan);
-
-        let Some(plan) = plan else {
-            return Ok(());
-        };
-
         let Some(ref stripe_price_id) = plan.stripe_price_id else {
             return Ok(());
         };
@@ -407,7 +439,7 @@ impl Billing {
 
         let relays = self.query.list_relays_for_tenant(&tenant.pubkey).await?;
         for relay in relays {
-            if relay.status == RELAY_STATUS_ACTIVE && relay.plan != "free" {
+            if relay.status == RELAY_STATUS_ACTIVE && Query::is_paid_plan(&relay.plan) {
                 self.command.mark_relay_delinquent(&relay).await?;
             }
         }
@@ -442,7 +474,7 @@ impl Billing {
 
         let relays = self.query.list_relays_for_tenant(&tenant.pubkey).await?;
         for relay in relays {
-            if relay.status == RELAY_STATUS_ACTIVE && relay.plan != "free" {
+            if relay.status == RELAY_STATUS_ACTIVE && Query::is_paid_plan(&relay.plan) {
                 self.command.mark_relay_delinquent(&relay).await?;
             }
         }
@@ -462,16 +494,18 @@ impl Billing {
     pub async fn get_invoice_with_tenant(
         &self,
         invoice_id: &str,
-    ) -> Result<(serde_json::Value, crate::models::Tenant)> {
+    ) -> std::result::Result<(serde_json::Value, crate::models::Tenant), InvoiceLookupError> {
         let invoice = self.stripe_get_invoice(invoice_id).await?;
         let customer_id = invoice["customer"]
             .as_str()
-            .ok_or_else(|| anyhow!("invoice missing customer"))?;
+            .ok_or_else(|| InvoiceLookupError::Internal(anyhow!("invoice missing customer")))?;
         let tenant = self
             .query
             .get_tenant_by_stripe_customer_id(customer_id)
             .await?
-            .ok_or_else(|| anyhow!("tenant not found for customer"))?;
+            .ok_or_else(|| {
+                InvoiceLookupError::Internal(anyhow!("tenant not found for customer"))
+            })?;
         Ok((invoice, tenant))
     }
 
@@ -515,7 +549,10 @@ impl Billing {
         Ok(body["data"].clone())
     }
 
-    pub async fn stripe_get_invoice(&self, invoice_id: &str) -> Result<serde_json::Value> {
+    pub async fn stripe_get_invoice(
+        &self,
+        invoice_id: &str,
+    ) -> std::result::Result<serde_json::Value, InvoiceLookupError> {
         let resp = self
             .http
             .get(format!("{STRIPE_API}/invoices/{invoice_id}"))
@@ -523,6 +560,12 @@ impl Billing {
             .send()
             .await?;
 
+        if resp.status().is_client_error() {
+            return Err(InvoiceLookupError::StripeClient {
+                status: resp.status(),
+            });
+        }
+
         let body: serde_json::Value = resp.error_for_status()?.json().await?;
         Ok(body)
     }
@@ -755,7 +798,7 @@ impl Billing {
     }
 
     fn should_reactivate_after_payment(relay: &Relay) -> bool {
-        relay.status == RELAY_STATUS_DELINQUENT && relay.plan != "free"
+        relay.status == RELAY_STATUS_DELINQUENT && Query::is_paid_plan(&relay.plan)
     }
 
     async fn fetch_btc_spot_price(&self, currency: &str) -> Result<f64> {
@@ -901,10 +944,7 @@ mod tests {
             &unknown_status_paid
         ));
     }
-}
 
-#[cfg(test)]
-mod tests {
     use super::*;
     use sqlx::SqlitePool;
     use sqlx::sqlite::{SqliteConnectOptions, SqlitePoolOptions};

backend/src/command.rs

@@ -209,8 +209,7 @@ impl Command {
             .execute(&mut *tx)
             .await?;
 
-        let activity =
+        let activity = Self::insert_activity(&mut tx, activity_type, "relay", relay_id).await?;
-            Self::insert_activity(&mut tx, "deactivate_relay", "relay", &relay_id).await?;
 
         tx.commit().await?;
         self.emit(activity);

backend/src/infra.rs

@@ -56,10 +56,7 @@ impl Infra {
     }
 
     async fn handle_activity(&self, activity: &Activity) -> Result<()> {
-        let needs_sync = matches!(
+        let needs_sync = should_sync_relay_activity(activity.activity_type.as_str());
-            activity.activity_type.as_str(),
-            "create_relay" | "update_relay" | "deactivate_relay"
-        );
 
         if needs_sync {
             let Some(relay) = self.query.get_relay(&activity.resource_id).await? else {
@@ -93,7 +90,9 @@ impl Infra {
     async fn nip98_auth(&self, url: &str, method: HttpMethod) -> Result<String> {
         let keys = Keys::parse(&self.api_secret)?;
         let server_url = Url::parse(url)?;
-        let auth = HttpData::new(server_url, method).to_authorization(&keys).await?;
+        let auth = HttpData::new(server_url, method)
+            .to_authorization(&keys)
+            .await?;
         Ok(auth)
     }
 
@@ -150,11 +149,21 @@ impl Infra {
         let response = if is_new {
             let url = format!("{}/relay/{}", base, relay.id);
             let auth = self.nip98_auth(&url, HttpMethod::POST).await?;
-            client.post(&url).header("Authorization", auth).json(&body).send().await?
+            client
+                .post(&url)
+                .header("Authorization", auth)
+                .json(&body)
+                .send()
+                .await?
         } else {
             let url = format!("{}/relay/{}", base, relay.id);
             let auth = self.nip98_auth(&url, HttpMethod::PUT).await?;
-            client.put(&url).header("Authorization", auth).json(&body).send().await?
+            client
+                .put(&url)
+                .header("Authorization", auth)
+                .json(&body)
+                .send()
+                .await?
         };
 
         if !response.status().is_success() {
@@ -165,3 +174,10 @@ impl Infra {
         Ok(())
     }
 }
+
+fn should_sync_relay_activity(activity_type: &str) -> bool {
+    matches!(
+        activity_type,
+        "create_relay" | "update_relay" | "activate_relay" | "deactivate_relay"
+    )
+}

backend/src/query.rs

@@ -68,6 +68,16 @@ impl Query {
         ]
     }
 
+    pub fn get_plan(plan_id: &str) -> Option<Plan> {
+        Self::list_plans().into_iter().find(|p| p.id == plan_id)
+    }
+
+    pub fn is_paid_plan(plan_id: &str) -> bool {
+        Self::get_plan(plan_id)
+            .map(|p| p.id != "free")
+            .unwrap_or(false)
+    }
+
     pub async fn list_relays(&self) -> Result<Vec<Relay>> {
         let rows = sqlx::query_as::<_, Relay>(
             "SELECT id, tenant, schema, subdomain, plan, stripe_subscription_item_id,
@@ -135,13 +145,14 @@ impl Query {
     }
 
     pub async fn has_active_paid_relays(&self, tenant_id: &str) -> Result<bool> {
-        let count = sqlx::query_scalar::<_, i64>(
+        let plans = sqlx::query_scalar::<_, String>(
-            "SELECT COUNT(*) FROM relay WHERE tenant = ? AND status = 'active' AND plan != 'free'",
+            "SELECT plan FROM relay WHERE tenant = ? AND status = 'active'",
         )
         .bind(tenant_id)
-        .fetch_one(&self.pool)
+        .fetch_all(&self.pool)
         .await?;
-        Ok(count > 0)
+
+        Ok(plans.into_iter().any(|plan| Self::is_paid_plan(&plan)))
     }
 
     pub async fn list_activity_for_relay(&self, relay_id: &str) -> Result<Vec<Activity>> {

frontend/README.md

@@ -51,8 +51,11 @@ npm run preview
 
 ## Authentication
 
-- Tenant requests use NIP-98 tokens derived from the logged-in user
+- Tenant requests use an intentional session-style variant of NIP-98:
-- Admin routes require a pubkey listed in `PLATFORM_ADMIN_PUBKEYS` on the backend
+  - The client signs one kind `27235` event with `u = VITE_API_URL`.
+  - The resulting `Authorization` header is cached for about 10 minutes to avoid repeated signer prompts.
+  - The backend validates signer identity + host affinity rather than exact URL/method binding per request.
+- Admin routes require a pubkey listed in `ADMINS` on the backend.
 
 ## Routes
 

frontend/src/lib/api.ts

@@ -145,6 +145,8 @@ export async function makeAuth(): Promise<string | undefined> {
     kind: 27235,
     content: "",
     created_at: Math.floor(now / 1000),
+    // Intentional session-style auth: sign the API base URL once, then reuse
+    // the header briefly to avoid prompting the signer on every request.
     tags: [["u", API_URL]],
   })