nip46: dynamic signer to store sessions associated with the handler pubkey to prevent stupid bugs when the same client try to use two different bunkers.

2025-07-18 14:36:42 -03:00
parent 33838a4801
commit 7cbca5f040
3 changed files with 35 additions and 44 deletions
--- a/nip46/dynamic-signer.go
+++ b/nip46/dynamic-signer.go
@@ -14,52 +14,38 @@ import (
 var _ Signer = (*DynamicSigner)(nil)

 type DynamicSigner struct {
-	sessions map[nostr.PubKey]Session
+	// { [handlePubkey]: {[clientKey]: Session} }
+	sessions map[nostr.PubKey]map[nostr.PubKey]Session

 	sync.Mutex

 	// the handler is the keypair we use to communicate with the NIP-46 client, decrypt requests, encrypt responses etc
-	GetHandlerSecretKey func(handlerPubkey nostr.PubKey) (nostr.SecretKey, error)
+	// the context can be returned as is, but it can also be returned with some values in it so they can be passed
+	//   to other functions later in the chain.
+	GetHandlerSecretKey func(
+		ctx context.Context,
+		handlerPubkey nostr.PubKey,
+	) (context.Context, nostr.SecretKey, error)
+
+	// called when a client calls "connect", use it to associate the client pubkey with a secret or something like that
+	OnConnect func(ctx context.Context, from nostr.PubKey, secret string) error

 	// this should correspond to the actual user on behalf of which we will respond to requests
-	GetUserKeyer func(handlerPubkey nostr.PubKey) (nostr.Keyer, error)
+	// the context works the same as for GetHandlerSecretKey
+	GetUserKeyer func(ctx context.Context, handlerPubkey nostr.PubKey) (context.Context, nostr.Keyer, error)

 	// this is called on every sign_event call, if it is nil it will be assumed that everything is authorized
-	AuthorizeSigning func(event nostr.Event, from nostr.PubKey, secret string) bool
+	AuthorizeSigning func(ctx context.Context, event nostr.Event, from nostr.PubKey) bool

 	// this is called on every encrypt or decrypt calls, if it is nil it will be assumed that everything is authorized
-	AuthorizeEncryption func(from nostr.PubKey, secret string) bool
+	AuthorizeEncryption func(ctx context.Context, from nostr.PubKey) bool

 	// unless it is nil, this is called after every event is signed
 	OnEventSigned func(event nostr.Event)
 }

 func (p *DynamicSigner) Init() {
-	p.sessions = make(map[nostr.PubKey]Session)
-}
-
-func (p *DynamicSigner) GetSession(clientPubkey nostr.PubKey) (Session, bool) {
-	p.Lock()
-	defer p.Unlock()
-
-	session, exists := p.sessions[clientPubkey]
-	if exists {
-		return session, true
-	}
-	return Session{}, false
-}
-
-func (p *DynamicSigner) setSession(clientPubkey nostr.PubKey, session Session) {
-	p.Lock()
-	defer p.Unlock()
-
-	_, exists := p.sessions[clientPubkey]
-	if exists {
-		return
-	}
-
-	// add to pool
-	p.sessions[clientPubkey] = session
+	p.sessions = make(map[nostr.PubKey]map[nostr.PubKey]Session)
 }

 func (p *DynamicSigner) HandleRequest(ctx context.Context, event nostr.Event) (
@@ -82,17 +68,28 @@ func (p *DynamicSigner) HandleRequest(ctx context.Context, event nostr.Event) (
 	if err != nil {
 		return req, resp, eventResponse, fmt.Errorf("%x is invalid pubkey: %w", handler[1], err)
 	}
-	handlerSecret, err := p.GetHandlerSecretKey(handlerPubkey)
+
+	p.Lock()
+	defer p.Unlock()
+
+	ctx, handlerSecret, err := p.GetHandlerSecretKey(ctx, handlerPubkey)
 	if err != nil {
 		return req, resp, eventResponse, fmt.Errorf("no private key for %s: %w", handlerPubkey, err)
 	}
-	userKeyer, err := p.GetUserKeyer(handlerPubkey)
+	ctx, userKeyer, err := p.GetUserKeyer(ctx, handlerPubkey)
 	if err != nil {
 		return req, resp, eventResponse, fmt.Errorf("failed to get user keyer for %s: %w", handlerPubkey, err)
 	}

-	session, exists := p.sessions[event.PubKey]
+	handlerSessions, exists := p.sessions[handlerPubkey]
 	if !exists {
+		handlerSessions = make(map[nostr.PubKey]Session)
+		p.sessions[handlerPubkey] = handlerSessions
+	}
+
+	session, exists := handlerSessions[event.PubKey]
+	if !exists {
+		// create session if it doesn't exist
 		session = Session{}

 		session.ConversationKey, err = nip44.GenerateConversationKey(event.PubKey, handlerSecret)
@@ -104,10 +101,12 @@ func (p *DynamicSigner) HandleRequest(ctx context.Context, event nostr.Event) (
 		if err != nil {
 			return req, resp, eventResponse, fmt.Errorf("failed to get public key: %w", err)
 		}
-
-		p.setSession(event.PubKey, session)
 	}

+	// save session
+	handlerSessions[event.PubKey] = session
+
+	// use this session to handle the request
 	req, err = session.ParseRequest(event)
 	if err != nil {
 		return req, resp, eventResponse, fmt.Errorf("error parsing request: %w", err)
@@ -146,6 +145,7 @@ func (p *DynamicSigner) HandleRequest(ctx context.Context, event nostr.Event) (
 			resultErr = fmt.Errorf("failed to sign event: %w", err)
 			break
 		}
+
 		jrevt, _ := easyjson.Marshal(evt)
 		result = string(jrevt)
 	case "nip44_encrypt":
--- a/nip46/nip46.go
+++ b/nip46/nip46.go
@@ -34,7 +34,6 @@ func (r Response) String() string {
 }

 type Signer interface {
-	GetSession(client nostr.PubKey) (Session, bool)
 	HandleRequest(context.Context, nostr.Event) (req Request, resp Response, eventResponse nostr.Event, err error)
 }

--- a/nip46/static-key-signer.go
+++ b/nip46/static-key-signer.go
@@ -30,14 +30,6 @@ func NewStaticKeySigner(secretKey [32]byte) StaticKeySigner {
 	}
 }

-func (p *StaticKeySigner) GetSession(clientPubkey nostr.PubKey) (Session, bool) {
-	p.Lock()
-	defer p.Unlock()
-
-	session, ok := p.sessions[clientPubkey]
-	return session, ok
-}
-
 func (p *StaticKeySigner) getOrCreateSession(clientPubkey nostr.PubKey) (Session, error) {
 	p.Lock()
 	defer p.Unlock()