Arx/Eve-Relay
2
0
Fork 0
Code Issues 2 Pull requests Projects Releases 1 Packages Wiki Activity Actions

Compare commits

base: Arx:190e38dfc1feb20a1bc56a1b17ccb94b37b69297
Branches Tags
Arx:master
Arx:simulation-testing
Arx:feature/support-delete-events
Arx:bux-fix/adding-ccn-does-not-encrypt-key
Arx:feature/mls
Arx:0.0.1
...
compare: Arx:1fef22269e9a88693b2ff82205d79b73c74f99cb
Branches Tags
Arx:master
Arx:simulation-testing
Arx:feature/support-delete-events
Arx:bux-fix/adding-ccn-does-not-encrypt-key
Arx:feature/mls
Arx:0.0.1

2 commits
190e38dfc1 ... 1fef22269e

Author SHA1 Message Date
Danny Morabito
1fef22269e Merge pull request ' Fully rewrite relay' (#6) from relay-rewrite into master 
Reviewed-on: #6
 2025-06-04 11:51:31 +00:00
Danny Morabito
20ffbd4c6d
Fully rewrite relay 2025-06-04 12:43:23 +02:00
47 changed files with 3489 additions and 128 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Makefile
View file

@ -5,7 +5,7 @@ TARGETS = x86_64-unknown-linux-gnu aarch64-unknown-linux-gnu x86_64-apple-darwin
all: $(TARGETS:%=dist/relay-%)
dist/relay-%: | dist/
deno compile -A -r --target $* --include migrations --include public --no-lock --output $@ index.ts
deno compile -A -r --target $* --include migrations --include public --no-lock --output $@ src/index.ts
dist/:
mkdir -p dist

7
Readme.md
View file

@ -1,6 +1,11 @@
# EVE Relay
> ⚠️ ALPHA STAGE DISCLAIMER: EVE is currently in early alpha development. Many features described here are still in development or planned for future releases. The platform is rapidly evolving, and you may encounter bugs, incomplete functionality, or significant changes between versions. We welcome early adopters and contributors who share our vision, but please be aware of the platform's developmental status.
> ⚠️ ALPHA STAGE DISCLAIMER: EVE is currently in early alpha development. Many
> features described here are still in development or planned for future
> releases. The platform is rapidly evolving, and you may encounter bugs,
> incomplete functionality, or significant changes between versions. We welcome
> early adopters and contributors who share our vision, but please be aware of
> the platform's developmental status.
# Requirements

2
biome.json
View file

@ -1,7 +1,7 @@
{
"$schema": "https://biomejs.dev/schemas/1.9.4/schema.json",
"files": {
"include": ["index.ts", "**/*.ts"]
"include": ["**/*.ts"]
},
"vcs": {
"enabled": true,

4
deno.json
View file

@ -1,6 +1,6 @@
{
"tasks": {
"dev": "deno run --allow-read --allow-write --allow-net --allow-ffi --allow-env --env-file --watch index.ts",
"dev": "deno run --allow-read --allow-write --allow-net --allow-ffi --allow-env --env-file --watch src/index.ts",
"lint": "biome check",
"lint:fix": "biome check --write --unsafe"
},
@ -8,9 +8,11 @@
"@biomejs/biome": "npm:@biomejs/biome@^1.9.4",
"@db/sqlite": "jsr:@db/sqlite@^0.12.0",
"@noble/ciphers": "jsr:@noble/ciphers@^1.2.1",
"@noble/hashes": "jsr:@noble/hashes@^1.8.0",
"@nostr/tools": "jsr:@nostr/tools@^2.10.4",
"@nostrify/nostrify": "jsr:@nostrify/nostrify@^0.37.0",
"@nostrify/types": "jsr:@nostrify/types@^0.36.0",
"@scure/base": "jsr:@scure/base@^1.2.4",
"@std/encoding": "jsr:@std/encoding@^1.0.6",
"@std/fmt": "jsr:@std/fmt@^1.0.4",
"@std/log": "jsr:@std/log@^0.224.13",

4
migrations/3-replaceableAndDeleteableEvents.sql Normal file
View file

@ -0,0 +1,4 @@
ALTER TABLE events
ADD COLUMN replaced INTEGER NOT NULL DEFAULT 0;
ALTER TABLE events
ADD COLUMN deleted INTEGER NOT NULL DEFAULT 0;

2
migrations/3-replaceableEvents.sql
View file

@ -1,2 +0,0 @@
ALTER TABLE events
ADD COLUMN replaced INTEGER NOT NULL DEFAULT 0;

32
migrations/7-createLogsTable.sql Normal file
View file

@ -0,0 +1,32 @@
CREATE TABLE logs (
log_id TEXT PRIMARY KEY DEFAULT (lower(hex(randomblob(16)))),
timestamp TEXT NOT NULL,
level TEXT NOT NULL CHECK (level IN ('DEBUG', 'INFO', 'WARN', 'ERROR', 'FATAL')),
message TEXT NOT NULL,
args TEXT, -- JSON string of log arguments
source TEXT, -- tag or source component
created_at INTEGER NOT NULL DEFAULT (unixepoch()),
-- Security-specific fields
event_type TEXT, -- For security events
severity TEXT, -- For security events
remote_addr TEXT,
ccn_pubkey TEXT,
event_id TEXT,
risk_score REAL
);
CREATE INDEX idx_logs_timestamp ON logs(timestamp);
CREATE INDEX idx_logs_level ON logs(level);
CREATE INDEX idx_logs_created_at ON logs(created_at);
CREATE INDEX idx_logs_source ON logs(source);
CREATE INDEX idx_logs_event_type ON logs(event_type);
CREATE INDEX idx_logs_severity ON logs(severity);
CREATE INDEX idx_logs_ccn_pubkey ON logs(ccn_pubkey);
CREATE TRIGGER cleanup_old_logs
AFTER INSERT ON logs
WHEN (SELECT COUNT(*) FROM logs) > 100000
BEGIN
DELETE FROM logs
WHERE created_at < (unixepoch() - 2592000); -- 30 days
END;

44
migrations/8-fixChunksTableSchema.sql Normal file
View file

@ -0,0 +1,44 @@
-- Fix event_chunks table schema to add proper security constraints for chunked message handling
-- Drop the old table if it exists
DROP TABLE IF EXISTS event_chunks;
-- Create the event_chunks table with correct schema and security constraints
CREATE TABLE event_chunks (
chunk_id INTEGER PRIMARY KEY AUTOINCREMENT,
message_id TEXT NOT NULL,
chunk_index INTEGER NOT NULL,
total_chunks INTEGER NOT NULL CHECK (total_chunks > 0 AND total_chunks <= 1000),
content TEXT NOT NULL,
created_at INTEGER NOT NULL,
ccn_pubkey TEXT NOT NULL,
-- SECURITY: Prevent duplicate chunks and enforce data integrity
UNIQUE(message_id, chunk_index, ccn_pubkey),
-- SECURITY: Ensure chunk_index is within valid bounds
CHECK (chunk_index >= 0 AND chunk_index < total_chunks),
-- SECURITY: Limit message_id length to prevent DoS
CHECK (length(message_id) <= 100),
-- SECURITY: Limit content size to prevent memory exhaustion
CHECK (length(content) <= 65536),
-- SECURITY: Foreign key reference to ensure CCN exists
FOREIGN KEY (ccn_pubkey) REFERENCES ccns(pubkey) ON DELETE CASCADE
);
-- Indexes for performance
CREATE INDEX idx_event_chunks_message_id ON event_chunks(message_id);
CREATE INDEX idx_event_chunks_created_at ON event_chunks(created_at);
CREATE INDEX idx_event_chunks_ccn_pubkey ON event_chunks(ccn_pubkey);
-- SECURITY: Automatic cleanup trigger for old chunks to prevent storage exhaustion
CREATE TRIGGER cleanup_old_chunks
AFTER INSERT ON event_chunks
WHEN (SELECT COUNT(*) FROM event_chunks WHERE created_at < (unixepoch() - 86400)) > 0
BEGIN
DELETE FROM event_chunks
WHERE created_at < (unixepoch() - 86400);
END;

41
migrations/9-createOutboundEventQueue.sql Normal file
View file

@ -0,0 +1,41 @@
-- Create outbound event queue for offline event creation and reliable relay transmission
-- This allows users to create events when offline and sync them when connectivity is restored
CREATE TABLE outbound_event_queue (
queue_id INTEGER PRIMARY KEY AUTOINCREMENT,
event_id TEXT NOT NULL,
encrypted_event TEXT NOT NULL,
ccn_pubkey TEXT NOT NULL,
created_at INTEGER NOT NULL DEFAULT (unixepoch()),
attempts INTEGER NOT NULL DEFAULT 0,
last_attempt INTEGER NULL,
status TEXT NOT NULL DEFAULT 'pending' CHECK (status IN ('pending', 'sending', 'sent', 'failed')),
error_message TEXT NULL,
-- Ensure one queue entry per event
UNIQUE(event_id),
-- Foreign key constraints
FOREIGN KEY (ccn_pubkey) REFERENCES ccns(pubkey) ON DELETE CASCADE,
FOREIGN KEY (event_id) REFERENCES events(id) ON DELETE CASCADE
);
-- Indexes for efficient querying
CREATE INDEX idx_outbound_queue_status ON outbound_event_queue(status);
CREATE INDEX idx_outbound_queue_ccn_pubkey ON outbound_event_queue(ccn_pubkey);
CREATE INDEX idx_outbound_queue_created_at ON outbound_event_queue(created_at);
CREATE INDEX idx_outbound_queue_last_attempt ON outbound_event_queue(last_attempt);
-- Cleanup trigger for old completed/failed events
CREATE TRIGGER cleanup_old_queue_entries
AFTER UPDATE ON outbound_event_queue
WHEN NEW.status IN ('sent', 'failed') AND NEW.attempts >= 5
BEGIN
-- Keep failed events for 30 days for debugging, sent events for 1 day
DELETE FROM outbound_event_queue
WHERE queue_id = NEW.queue_id
AND (
(status = 'sent' AND created_at < (unixepoch() - 86400)) OR
(status = 'failed' AND created_at < (unixepoch() - 2592000))
);
END;

61
src/UserConnection.ts Normal file
View file

@ -0,0 +1,61 @@
import type { Database } from 'jsr:@db/sqlite';
import type { NostrEvent, NostrFilter } from 'jsr:@nostrify/types';
export class UserConnection {
public socket: WebSocket;
public subscriptions: Map<string, NostrFilter[]>;
public db: Database;
constructor(
socket: WebSocket,
subscriptions: Map<string, NostrFilter[]>,
db: Database,
) {
this.socket = socket;
this.subscriptions = subscriptions;
this.db = db;
}
/**
* Sends a response to the client
* @param responseArray The response array to send
*/
sendResponse(responseArray: unknown[]): void {
this.socket.send(JSON.stringify(responseArray));
}
/**
* Sends a notice to the client
* @param message The message to send
*/
sendNotice(message: string): void {
this.sendResponse(['NOTICE', message]);
}
/**
* Sends an event to the client
* @param subscriptionId The subscription ID
* @param event The event to send
*/
sendEvent(subscriptionId: string, event: NostrEvent): void {
this.sendResponse(['EVENT', subscriptionId, event]);
}
/**
* Sends an end of stored events message
* @param subscriptionId The subscription ID
*/
sendEOSE(subscriptionId: string): void {
this.sendResponse(['EOSE', subscriptionId]);
}
/**
* Sends an OK response
* @param eventId The event ID
* @param success Whether the operation was successful
* @param message The message to send
*/
sendOK(eventId: string, success: boolean, message: string): void {
this.sendResponse(['OK', eventId, success, message]);
}
}

314
src/commands/ccn.ts Normal file
View file

@ -0,0 +1,314 @@
import type { Database } from 'jsr:@db/sqlite';
import { encodeBase64 } from 'jsr:@std/encoding@0.224/base64';
import { hexToBytes } from '@noble/ciphers/utils';
import * as nostrTools from '@nostr/tools';
import type { UserConnection } from '../UserConnection.ts';
import { handleSocketError } from '../index.ts';
import { createNewCCN } from '../utils/createNewCCN.ts';
import { encryptUint8Array, encryptionKey } from '../utils/encryption.ts';
import { getEveFilePath } from '../utils/files.ts';
import { getAllCCNs } from '../utils/getAllCCNs.ts';
import { log } from '../utils/logs.ts';
import { sql } from '../utils/queries.ts';
import {
SecurityEventType,
SecuritySeverity,
logAuthEvent,
logSecurityEvent,
} from '../utils/securityLogs.ts';
function activateCCN(database: Database, pubkey: string): void {
sql`UPDATE ccns SET is_active = 0`(database);
sql`UPDATE ccns SET is_active = 1 WHERE pubkey = ${pubkey}`(database);
logAuthEvent(SecurityEventType.CCN_ACTIVATION_ATTEMPT, true, {
ccn_pubkey: pubkey,
});
}
async function handleCreateCCN(
connection: UserConnection,
data: { name: string; seed?: string; creator: string },
): Promise<void> {
log.debug('start', { tag: 'handleCreateCCN', data });
logSecurityEvent({
eventType: SecurityEventType.CCN_CREATION_ATTEMPT,
severity: SecuritySeverity.MEDIUM,
source: 'ccn_management',
details: {
ccn_name: data.name,
creator: data.creator,
has_seed: !!data.seed,
},
});
try {
if (!data.name || typeof data.name !== 'string') {
logSecurityEvent({
eventType: SecurityEventType.CCN_CREATION_ATTEMPT,
severity: SecuritySeverity.MEDIUM,
source: 'ccn_management',
details: {
error: 'invalid_name',
name_provided: !!data.name,
name_type: typeof data.name,
},
});
connection.sendNotice('Name is required');
return;
}
if (!data.creator || typeof data.creator !== 'string') {
logSecurityEvent({
eventType: SecurityEventType.CCN_CREATION_ATTEMPT,
severity: SecuritySeverity.MEDIUM,
source: 'ccn_management',
details: {
error: 'invalid_creator',
creator_provided: !!data.creator,
creator_type: typeof data.creator,
},
});
connection.sendNotice('Creator is required');
return;
}
const newCcn = await createNewCCN(
connection.db,
data.name,
data.creator,
data.seed,
);
log.debug('created new CCN', {
tag: 'handleCreateCCN',
pubkey: newCcn.pubkey,
});
activateCCN(connection.db, newCcn.pubkey);
log.debug('activated new CCN', {
tag: 'handleCreateCCN',
pubkey: newCcn.pubkey,
});
logSecurityEvent({
eventType: SecurityEventType.CCN_CREATION_ATTEMPT,
severity: SecuritySeverity.LOW,
source: 'ccn_management',
details: {
success: true,
ccn_pubkey: newCcn.pubkey,
ccn_name: data.name,
creator: data.creator,
},
});
connection.sendResponse([
'OK',
'CCN CREATED',
true,
JSON.stringify({
pubkey: newCcn.pubkey,
name: data.name,
}),
]);
log.info('CCN created', data);
} catch (error: unknown) {
log.error('error', { tag: 'handleCreateCCN', error });
logSecurityEvent({
eventType: SecurityEventType.CCN_CREATION_ATTEMPT,
severity: SecuritySeverity.HIGH,
source: 'ccn_management',
details: {
success: false,
error_message: error instanceof Error ? error.message : 'Unknown error',
ccn_name: data.name,
creator: data.creator,
},
});
handleSocketError(connection, 'create CCN', error);
}
log.debug('end', { tag: 'handleCreateCCN' });
}
function handleGetCCNs(connection: UserConnection): void {
try {
const ccns = getAllCCNs(connection.db);
connection.sendResponse(['OK', 'CCN LIST', true, JSON.stringify(ccns)]);
} catch (error: unknown) {
handleSocketError(connection, 'get CCNs', error);
}
}
function handleActivateCCN(
connection: UserConnection,
data: { pubkey: string },
): void {
log.debug('start', { tag: 'handleActivateCCN', data });
try {
if (!data.pubkey || typeof data.pubkey !== 'string') {
connection.sendNotice('CCN pubkey is required');
return;
}
const ccnExists = sql`
SELECT COUNT(*) as count FROM ccns WHERE pubkey = ${data.pubkey}
`(connection.db)[0].count;
if (ccnExists === 0) {
connection.sendNotice('CCN not found');
log.debug('CCN not found', {
tag: 'handleActivateCCN',
pubkey: data.pubkey,
});
return;
}
for (const subscriptionId of connection.subscriptions.keys()) {
connection.sendResponse([
'CLOSED',
subscriptionId,
'Subscription closed due to CCN activation',
]);
log.debug('closed subscription', {
tag: 'handleActivateCCN',
subscriptionId,
});
}
connection.subscriptions.clear();
log.info('All subscriptions cleared due to CCN activation', {});
activateCCN(connection.db, data.pubkey);
log.debug('activated CCN', {
tag: 'handleActivateCCN',
pubkey: data.pubkey,
});
const activatedCCN = sql`
SELECT pubkey, name FROM ccns WHERE pubkey = ${data.pubkey}
`(connection.db)[0];
connection.sendResponse([
'OK',
'CCN ACTIVATED',
true,
JSON.stringify(activatedCCN),
]);
log.info(`CCN activated: ${activatedCCN.name}`, {});
} catch (error: unknown) {
log.error('error', { tag: 'handleActivateCCN', error });
handleSocketError(connection, 'activate CCN', error);
}
log.debug('end', { tag: 'handleActivateCCN' });
}
async function handleAddCCN(
connection: UserConnection,
data: { name: string; allowedPubkeys: string[]; privateKey: string },
): Promise<void> {
log.debug('start', { tag: 'handleAddCCN', data });
try {
if (!data.privateKey || typeof data.privateKey !== 'string') {
connection.sendNotice('CCN private key is required');
return;
}
const privateKeyBytes = hexToBytes(data.privateKey);
const pubkey = nostrTools.getPublicKey(privateKeyBytes);
log.debug('derived pubkey', { tag: 'handleAddCCN', pubkey });
const ccnExists = sql`
SELECT COUNT(*) as count FROM ccns WHERE pubkey = ${pubkey}
`(connection.db)[0].count;
if (ccnExists > 0) {
connection.sendNotice('CCN already exists');
log.debug('CCN already exists', {
tag: 'handleAddCCN',
pubkey,
});
return;
}
const ccnPublicKey = nostrTools.getPublicKey(privateKeyBytes);
const ccnPrivPath = await getEveFilePath(`ccn_keys/${ccnPublicKey}`);
const encryptedPrivateKey = encryptUint8Array(
privateKeyBytes,
encryptionKey,
);
Deno.writeTextFileSync(ccnPrivPath, encodeBase64(encryptedPrivateKey));
connection.db.run('BEGIN TRANSACTION');
log.debug('begin transaction', { tag: 'handleAddCCN' });
sql`INSERT INTO ccns (pubkey, name) VALUES (${ccnPublicKey}, ${data.name})`(
connection.db,
);
for (const allowedPubkey of data.allowedPubkeys)
sql`INSERT INTO allowed_writes (ccn_pubkey, pubkey) VALUES (${ccnPublicKey}, ${allowedPubkey})`(
connection.db,
);
connection.db.run('COMMIT TRANSACTION');
log.debug('committed transaction', { tag: 'handleAddCCN' });
activateCCN(connection.db, ccnPublicKey);
log.debug('activated CCN', {
tag: 'handleAddCCN',
pubkey: ccnPublicKey,
});
connection.sendResponse([
'OK',
'CCN ADDED',
true,
JSON.stringify({
pubkey: ccnPublicKey,
name: 'New CCN',
}),
]);
} catch (error: unknown) {
log.error('error', { tag: 'handleAddCCN', error });
handleSocketError(connection, 'ADD CCN', error);
}
log.debug('end', { tag: 'handleAddCCN' });
}
function handleCCNCommands(
connection: UserConnection,
command: string,
data: unknown,
) {
switch (command) {
case 'CREATE':
return handleCreateCCN(
connection,
data as { name: string; seed?: string; creator: string },
);
case 'ADD':
return handleAddCCN(
connection,
data as { name: string; allowedPubkeys: string[]; privateKey: string },
);
case 'LIST':
return handleGetCCNs(connection);
case 'ACTIVATE':
return handleActivateCCN(connection, data as { pubkey: string });
default:
return log.warn('Invalid CCN command', {});
}
}
export {
activateCCN,
handleActivateCCN,
handleAddCCN,
handleCCNCommands,
handleCreateCCN,
handleGetCCNs,
};

15
src/commands/close.ts Normal file
View file

@ -0,0 +1,15 @@
import type { UserConnection } from '../UserConnection.ts';
import { log } from '../utils/logs.ts';
export function handleClose(
connection: UserConnection,
subscriptionId: string,
) {
if (!connection.subscriptions.has(subscriptionId)) {
return log.warn(
`Closing unknown subscription? That's weird. Subscription ID: ${subscriptionId}`,
);
}
connection.subscriptions.delete(subscriptionId);
}

85
src/commands/event.ts Normal file
View file

@ -0,0 +1,85 @@
import * as nostrTools from '@nostr/tools';
import type { UserConnection } from '../UserConnection.ts';
import { addEventToDb } from '../dbEvents/addEventToDb.ts';
import {
EventAlreadyExistsException,
createEncryptedEvent,
} from '../eventEncryptionDecryption.ts';
import { filtersMatchingEvent } from '../utils/filtersMatchingEvent.ts';
import { getActiveCCN } from '../utils/getActiveCCN.ts';
import { isArray } from '../utils/isArray.ts';
import { log } from '../utils/logs.ts';
import { queueEventForTransmission } from '../utils/outboundQueue.ts';
export async function handleEvent(
connection: UserConnection,
event: nostrTools.Event,
) {
log.debug('start', { tag: 'handleEvent', eventId: event.id });
const valid = nostrTools.verifyEvent(event);
if (!valid) {
connection.sendNotice('Invalid event');
return log.warn('Invalid event', { tag: 'handleEvent' });
}
const activeCCN = getActiveCCN(connection.db);
if (!activeCCN) {
connection.sendNotice('No active CCN found');
return log.warn('No active CCN found', { tag: 'handleEvent' });
}
const encryptedEvent = await createEncryptedEvent(event, connection.db);
try {
if (isArray(encryptedEvent)) {
log.debug('adding chunked event to database', {
tag: 'handleEvent',
});
addEventToDb(connection.db, event, encryptedEvent[0], activeCCN.pubkey);
} else {
addEventToDb(connection.db, event, encryptedEvent, activeCCN.pubkey);
}
queueEventForTransmission(
connection.db,
event.id,
encryptedEvent,
activeCCN.pubkey,
);
log.debug('event queued for transmission', {
tag: 'handleEvent',
eventId: event.id,
});
} catch (e) {
if (e instanceof EventAlreadyExistsException) {
log.warn('Event already exists');
return;
}
if (e instanceof Error)
log.error('error adding event', {
tag: 'handleEvent',
error: e.stack,
});
else
log.error('error adding event', {
tag: 'handleEvent',
error: String(e),
});
}
connection.sendOK(event.id, true, 'Event added');
log.debug('sent OK', { tag: 'handleEvent', eventId: event.id });
const filtersThatMatchEvent = filtersMatchingEvent(event, connection);
for (let i = 0; i < filtersThatMatchEvent.length; i++) {
const filter = filtersThatMatchEvent[i];
connection.sendEvent(filter, event);
log.debug('sent event to filter', {
tag: 'handleEvent',
filter,
eventId: event.id,
});
}
log.debug('end', { tag: 'handleEvent', eventId: event.id });
}

291
src/commands/request.ts Normal file
View file

@ -0,0 +1,291 @@
import type { NostrClientREQ } from 'jsr:@nostrify/types';
import type { UserConnection } from '../UserConnection.ts';
import { isCCNReplaceableEvent } from '../utils/eventTypes.ts';
import { getActiveCCN } from '../utils/getActiveCCN.ts';
import { log } from '../utils/logs.ts';
import { parseATagQuery } from '../utils/parseATagQuery.ts';
import { mixQuery, sql, sqlPartial } from '../utils/queries.ts';
export function handleRequest(
connection: UserConnection,
request: NostrClientREQ,
) {
log.debug('start', { tag: 'handleRequest', request });
const [, subscriptionId, ...filters] = request;
if (connection.subscriptions.has(subscriptionId)) {
return log.warn('Duplicate subscription ID', {
tag: 'handleRequest',
});
}
log.info(
`New subscription: ${subscriptionId} with filters: ${JSON.stringify(
filters,
)}`,
);
const activeCCN = getActiveCCN(connection.db);
if (!activeCCN) {
connection.sendNotice('No active CCN found');
return log.warn('No active CCN found', { tag: 'handleRequest' });
}
let query = sqlPartial`SELECT * FROM events WHERE replaced = 0 AND deleted = 0 AND ccn_pubkey = ${activeCCN.pubkey}`;
let minLimit: number | null = null;
for (const filter of filters) {
if (filter.limit && filter.limit > 0) {
minLimit =
minLimit === null ? filter.limit : Math.min(minLimit, filter.limit);
}
}
const filtersAreNotEmpty = filters.some((filter) => {
return Object.values(filter).some((value) => {
return value.length > 0;
});
});
if (filtersAreNotEmpty) {
query = mixQuery(query, sqlPartial`AND`);
for (let i = 0; i < filters.length; i++) {
// filters act as OR, filter groups act as AND
query = mixQuery(query, sqlPartial`(`);
const filter = Object.entries(filters[i]).filter(([type, value]) => {
if (type === 'ids') return value.length > 0;
if (type === 'authors') return value.length > 0;
if (type === 'kinds') return value.length > 0;
if (type.startsWith('#')) return value.length > 0;
if (type === 'since') return value > 0;
if (type === 'until') return value > 0;
if (type === 'limit') return value > 0;
return false;
});
const filterWithoutLimit = filter.filter(([type]) => type !== 'limit');
for (let j = 0; j < filter.length; j++) {
const [type, value] = filter[j];
if (type === 'ids') {
const uniqueIds = [...new Set(value)];
query = mixQuery(query, sqlPartial`(`);
for (let k = 0; k < uniqueIds.length; k++) {
const id = uniqueIds[k] as string;
query = mixQuery(query, sqlPartial`(id = ${id})`);
if (k < uniqueIds.length - 1) {
query = mixQuery(query, sqlPartial`OR`);
}
}
query = mixQuery(query, sqlPartial`)`);
}
if (type === 'authors') {
const uniqueAuthors = [...new Set(value)];
query = mixQuery(query, sqlPartial`(`);
for (let k = 0; k < uniqueAuthors.length; k++) {
const author = uniqueAuthors[k] as string;
query = mixQuery(query, sqlPartial`(pubkey = ${author})`);
if (k < uniqueAuthors.length - 1) {
query = mixQuery(query, sqlPartial`OR`);
}
}
query = mixQuery(query, sqlPartial`)`);
}
if (type === 'kinds') {
const uniqueKinds = [...new Set(value)];
query = mixQuery(query, sqlPartial`(`);
for (let k = 0; k < uniqueKinds.length; k++) {
const kind = uniqueKinds[k] as number;
query = mixQuery(query, sqlPartial`(kind = ${kind})`);
if (k < uniqueKinds.length - 1) {
query = mixQuery(query, sqlPartial`OR`);
}
}
query = mixQuery(query, sqlPartial`)`);
}
if (type.startsWith('#')) {
const tag = type.slice(1);
const uniqueValues = [...new Set(value)];
query = mixQuery(query, sqlPartial`(`);
for (let k = 0; k < uniqueValues.length; k++) {
const tagValue = uniqueValues[k] as string;
if (tag === 'a') {
const aTagInfo = parseATagQuery(tagValue);
if (aTagInfo.dTag && aTagInfo.dTag !== '') {
if (isCCNReplaceableEvent(aTagInfo.kind)) {
// CCN replaceable event reference
query = mixQuery(
query,
sqlPartial`id IN (
SELECT e.id
FROM events e
JOIN event_tags t ON e.id = t.event_id
JOIN event_tags_values v ON t.tag_id = v.tag_id
WHERE e.kind = ${aTagInfo.kind}
AND t.tag_name = 'd'
AND v.value_position = 1
AND v.value = ${aTagInfo.dTag}
)`,
);
} else {
// Addressable event reference
query = mixQuery(
query,
sqlPartial`id IN (
SELECT e.id
FROM events e
JOIN event_tags t ON e.id = t.event_id
JOIN event_tags_values v ON t.tag_id = v.tag_id
WHERE e.kind = ${aTagInfo.kind}
AND e.pubkey = ${aTagInfo.pubkey}
AND t.tag_name = 'd'
AND v.value_position = 1
AND v.value = ${aTagInfo.dTag}
)`,
);
}
} else {
// Replaceable event reference
query = mixQuery(
query,
sqlPartial`id IN (
SELECT id
FROM events
WHERE kind = ${aTagInfo.kind}
AND pubkey = ${aTagInfo.pubkey}
)`,
);
}
} else {
// Regular tag handling (unchanged)
query = mixQuery(
query,
sqlPartial`id IN (
SELECT t.event_id
FROM event_tags t
WHERE t.tag_name = ${tag}
AND t.tag_id IN (
SELECT v.tag_id
FROM event_tags_values v
WHERE v.value_position = 1
AND v.value = ${tagValue}
)
)`,
);
}
if (k < uniqueValues.length - 1) {
query = mixQuery(query, sqlPartial`OR`);
}
}
query = mixQuery(query, sqlPartial`)`);
}
if (type === 'since') {
query = mixQuery(query, sqlPartial`created_at > ${value}`);
}
if (type === 'until') {
query = mixQuery(query, sqlPartial`created_at <= ${value}`);
}
if (j < filterWithoutLimit.length - 1)
query = mixQuery(query, sqlPartial`AND`);
}
query = mixQuery(query, sqlPartial`)`);
if (i < filters.length - 1) query = mixQuery(query, sqlPartial`OR`);
}
}
query = mixQuery(query, sqlPartial`ORDER BY created_at ASC`);
if (minLimit !== null) {
query = mixQuery(query, sqlPartial`LIMIT ${minLimit}`);
}
log.debug('built query', {
tag: 'handleRequest',
query: query.query,
values: query.values,
});
const events = connection.db.prepare(query.query).all(...query.values);
log.debug('found events', {
tag: 'handleRequest',
count: events.length,
});
for (let i = 0; i < events.length; i++) {
const rawTags = sql`SELECT * FROM event_tags_view WHERE event_id = ${
events[i].id
}`(connection.db);
const tagsByIndex = new Map<
number,
{
name: string;
values: Map<number, string>;
}
>();
for (const tag of rawTags) {
let tagData = tagsByIndex.get(tag.tag_index);
if (!tagData) {
tagData = {
name: tag.tag_name,
values: new Map(),
};
tagsByIndex.set(tag.tag_index, tagData);
}
tagData.values.set(tag.tag_value_position, tag.tag_value);
}
const tagsArray = Array.from(tagsByIndex.entries())
.sort(([indexA], [indexB]) => indexA - indexB)
.map(([_, tagData]) => {
const { name, values } = tagData;
return [
name,
...Array.from(values.entries())
.sort(([posA], [posB]) => posA - posB)
.map(([_, value]) => value),
];
});
const event = {
id: events[i].id,
pubkey: events[i].pubkey,
created_at: events[i].created_at,
kind: events[i].kind,
tags: tagsArray,
content: events[i].content,
sig: events[i].sig,
};
connection.sendEvent(subscriptionId, event);
log.debug('sent event', {
tag: 'handleRequest',
subscriptionId,
eventId: event.id,
});
}
connection.sendEOSE(subscriptionId);
log.debug('sent EOSE', { tag: 'handleRequest', subscriptionId });
connection.subscriptions.set(subscriptionId, filters);
log.debug('end', { tag: 'handleRequest', subscriptionId });
}

15
consts.ts → src/consts.ts
View file

@ -42,3 +42,18 @@ export const CHUNK_CLEANUP_INTERVAL = 1000 * 60 * 60;
* database before it is considered expired and eligible for cleanup.
*/
export const CHUNK_MAX_AGE = 1000 * 60 * 60 * 24;
/**
* Interval for processing the outbound event queue in milliseconds.
*
* This determines how often the relay will attempt to send pending events
* to external relays.
*/
export const QUEUE_PROCESS_INTERVAL = 10000;
/**
* Maximum number of transmission attempts for outbound events.
*
* Events that fail to transmit this many times will be marked as permanently failed.
*/
export const MAX_TRANSMISSION_ATTEMPTS = 5;

331
src/dbEvents/addEventToDb.ts Normal file
View file

@ -0,0 +1,331 @@
import { bytesToHex } from '@noble/ciphers/utils';
import { sha512 } from '@noble/hashes/sha2';
import * as nostrTools from '@nostr/tools';
import { base64 } from '@scure/base';
import type { Database } from 'jsr:@db/sqlite';
import { POW_TO_MINE } from '../consts.ts';
import { handleDeletionEvent } from '../dbEvents/deletionEvent.ts';
import {
EventAlreadyExistsException,
createEncryptedEventForPubkey,
} from '../eventEncryptionDecryption.ts';
import { publishToRelays } from '../relays.ts';
import {
isAddressableEvent,
isCCNReplaceableEvent,
isDeleteEvent,
isReplaceableEvent,
} from '../utils/eventTypes.ts';
import { getCCNPrivateKeyByPubkey } from '../utils/getCCNPrivateKeyByPubkey.ts';
import { log } from '../utils/logs.ts';
import { sql } from '../utils/queries.ts';
import {
SecurityEventType,
SecuritySeverity,
logCCNViolation,
logSecurityEvent,
} from '../utils/securityLogs.ts';
export function addEventToDb(
db: Database,
decryptedEvent: nostrTools.VerifiedEvent,
encryptedEvent: nostrTools.VerifiedEvent,
ccnPubkey: string,
) {
log.debug('start', {
tag: 'addEventToDb',
decryptedId: decryptedEvent.id,
encryptedId: encryptedEvent.id,
kind: decryptedEvent.kind,
ccnPubkey,
});
const existingEvent = sql`
SELECT * FROM events WHERE id = ${decryptedEvent.id}
`(db)[0];
if (existingEvent) throw new EventAlreadyExistsException();
if (isDeleteEvent(decryptedEvent.kind)) {
log.debug('isDeleteEvent, delegating to handleDeletionEvent', {
tag: 'addEventToDb',
decryptId: decryptedEvent.id,
});
handleDeletionEvent(db, decryptedEvent, encryptedEvent, ccnPubkey);
return;
}
const isInvite =
decryptedEvent.tags.findIndex(
(tag: string[]) => tag[0] === 'type' && tag[1] === 'invite',
) !== -1;
if (isInvite) {
log.debug('isInvite event', { tag: 'addEventToDb' });
const shadContent = bytesToHex(
sha512.create().update(decryptedEvent.content).digest(),
);
const inviteUsed = sql`
SELECT COUNT(*) as count FROM inviter_invitee WHERE invite_hash = ${shadContent}
`(db)[0].count;
if (inviteUsed > 0) {
log.debug('invite already used', { tag: 'addEventToDb' });
logSecurityEvent({
eventType: SecurityEventType.INVITE_ALREADY_USED,
severity: SecuritySeverity.HIGH,
source: 'invite_processing',
details: {
invite_hash: shadContent,
event_id: decryptedEvent.id,
ccn_pubkey: ccnPubkey,
invitee_pubkey: decryptedEvent.pubkey,
},
});
throw new Error('Invite already used');
}
const inviteEvent = sql`
SELECT * FROM events WHERE kind = 9999 AND id IN (
SELECT event_id FROM event_tags WHERE tag_name = 'i' AND tag_id IN (
SELECT tag_id FROM event_tags_values WHERE value_position = 1 AND value = ${shadContent}
)
)
`(db)[0];
if (!inviteEvent) {
log.debug('invite event not found', { tag: 'addEventToDb' });
logSecurityEvent({
eventType: SecurityEventType.INVITE_VALIDATION_FAILURE,
severity: SecuritySeverity.HIGH,
source: 'invite_processing',
details: {
error: 'invite_event_not_found',
invite_hash: shadContent,
event_id: decryptedEvent.id,
ccn_pubkey: ccnPubkey,
},
});
throw new Error('Invite event not found');
}
const inviterPubkey = inviteEvent.pubkey;
const inviteePubkey = decryptedEvent.pubkey;
db.run('BEGIN TRANSACTION');
log.debug('inserting inviter_invitee and allowed_writes', {
tag: 'addEventToDb',
});
sql`
INSERT INTO inviter_invitee (ccn_pubkey, inviter_pubkey, invitee_pubkey, invite_hash) VALUES (${ccnPubkey}, ${inviterPubkey}, ${inviteePubkey}, ${shadContent})
`(db);
sql`
INSERT INTO allowed_writes (ccn_pubkey, pubkey) VALUES (${ccnPubkey}, ${inviteePubkey})
`(db);
db.run('COMMIT TRANSACTION');
log.debug('committed invite transaction', { tag: 'addEventToDb' });
const allowedPubkeys = sql`
SELECT pubkey FROM allowed_writes WHERE ccn_pubkey = ${ccnPubkey}
`(db).flatMap((row) => row.pubkey);
const ccnName = sql`
SELECT name FROM ccns WHERE pubkey = ${ccnPubkey}
`(db)[0].name;
getCCNPrivateKeyByPubkey(ccnPubkey).then((ccnPrivateKey) => {
if (!ccnPrivateKey) {
log.error('CCN private key not found', { tag: 'addEventToDb' });
throw new Error('CCN private key not found');
}
const tags = allowedPubkeys.map((pubkey) => ['p', pubkey]);
tags.push(['t', 'invite']);
tags.push(['name', ccnName]);
const privateKeyEvent = nostrTools.finalizeEvent(
nostrTools.nip13.minePow(
{
kind: 9998,
created_at: Date.now(),
content: base64.encode(ccnPrivateKey),
tags,
pubkey: ccnPubkey,
},
POW_TO_MINE,
),
ccnPrivateKey,
);
const encryptedKeyEvent = createEncryptedEventForPubkey(
inviteePubkey,
privateKeyEvent,
);
publishToRelays(encryptedKeyEvent);
log.debug('published encryptedKeyEvent to relays', {
tag: 'addEventToDb',
});
});
return;
}
const isAllowedWrite = sql`
SELECT COUNT(*) as count FROM allowed_writes WHERE ccn_pubkey = ${ccnPubkey} AND pubkey = ${decryptedEvent.pubkey}
`(db)[0].count;
if (isAllowedWrite === 0) {
log.debug('not allowed to write to this CCN', {
tag: 'addEventToDb',
pubkey: decryptedEvent.pubkey,
});
logCCNViolation(
SecurityEventType.UNAUTHORIZED_WRITE_ATTEMPT,
ccnPubkey,
'write_event',
{
attempted_pubkey: decryptedEvent.pubkey,
event_id: decryptedEvent.id,
event_kind: decryptedEvent.kind,
ccn_pubkey: ccnPubkey,
},
);
throw new Error('Not allowed to write to this CCN');
}
try {
db.run('BEGIN TRANSACTION');
log.debug('begin transaction', { tag: 'addEventToDb' });
if (isReplaceableEvent(decryptedEvent.kind)) {
log.debug('isReplaceableEvent, updating replaced events', {
tag: 'addEventToDb',
});
sql`
UPDATE events
SET replaced = 1
WHERE kind = ${decryptedEvent.kind}
AND pubkey = ${decryptedEvent.pubkey}
AND ccn_pubkey = ${ccnPubkey}
AND (created_at < ${decryptedEvent.created_at} OR
(created_at = ${decryptedEvent.created_at} AND id > ${decryptedEvent.id}))
`(db);
}
if (isAddressableEvent(decryptedEvent.kind)) {
log.debug('isAddressableEvent, updating replaced events', {
tag: 'addEventToDb',
});
const dTag = decryptedEvent.tags.find((tag) => tag[0] === 'd')?.[1];
if (dTag) {
sql`
UPDATE events
SET replaced = 1
WHERE kind = ${decryptedEvent.kind}
AND pubkey = ${decryptedEvent.pubkey}
AND ccn_pubkey = ${ccnPubkey}
AND (created_at < ${decryptedEvent.created_at} OR
(created_at = ${decryptedEvent.created_at} AND id > ${decryptedEvent.id}))
AND id IN (
SELECT event_id FROM event_tags
WHERE tag_name = 'd'
AND tag_id IN (
SELECT tag_id FROM event_tags_values
WHERE value_position = 1
AND value = ${dTag}
)
)
`(db);
}
}
if (isCCNReplaceableEvent(decryptedEvent.kind)) {
log.debug('isCCNReplaceableEvent, updating replaced events', {
tag: 'addEventToDb',
});
const dTag = decryptedEvent.tags.find((tag) => tag[0] === 'd')?.[1];
log.debug('dTag', { tag: 'addEventToDb', dTag });
if (dTag) {
sql`
UPDATE events
SET replaced = 1
WHERE kind = ${decryptedEvent.kind}
AND ccn_pubkey = ${ccnPubkey}
AND (created_at < ${decryptedEvent.created_at} OR
(created_at = ${decryptedEvent.created_at} AND id > ${decryptedEvent.id}))
AND id IN (
SELECT event_id FROM event_tags
WHERE tag_name = 'd'
AND tag_id IN (
SELECT tag_id FROM event_tags_values
WHERE value_position = 1
AND value = ${dTag}
)
)
`(db);
} else {
sql`
UPDATE events
SET replaced = 1
WHERE kind = ${decryptedEvent.kind}
AND ccn_pubkey = ${ccnPubkey}
AND (created_at < ${decryptedEvent.created_at} OR
(created_at = ${decryptedEvent.created_at} AND id > ${decryptedEvent.id}))
`(db);
}
}
sql`
INSERT INTO events (id, original_id, pubkey, created_at, kind, content, sig, first_seen, ccn_pubkey) VALUES (
${decryptedEvent.id},
${encryptedEvent.id},
${decryptedEvent.pubkey},
${decryptedEvent.created_at},
${decryptedEvent.kind},
${decryptedEvent.content},
${decryptedEvent.sig},
unixepoch(),
${ccnPubkey}
)
`(db);
log.debug('inserted event', { tag: 'addEventToDb', id: decryptedEvent.id });
if (decryptedEvent.tags) {
for (let i = 0; i < decryptedEvent.tags.length; i++) {
const tag = sql`
INSERT INTO event_tags(event_id, tag_name, tag_index) VALUES (
${decryptedEvent.id},
${decryptedEvent.tags[i][0]},
${i}
) RETURNING tag_id
`(db)[0];
for (let j = 1; j < decryptedEvent.tags[i].length; j++) {
sql`
INSERT INTO event_tags_values(tag_id, value_position, value) VALUES (
${tag.tag_id},
${j},
${decryptedEvent.tags[i][j]}
)
`(db);
}
}
log.debug('inserted tags for event', {
tag: 'addEventToDb',
id: decryptedEvent.id,
});
}
db.run('COMMIT TRANSACTION');
log.debug('committed transaction', { tag: 'addEventToDb' });
} catch (e) {
db.run('ROLLBACK TRANSACTION');
log.error('transaction rolled back', { tag: 'addEventToDb', error: e });
throw e;
}
log.debug('end', { tag: 'addEventToDb', id: decryptedEvent.id });
}

143
src/dbEvents/deletionEvent.ts Normal file
View file

@ -0,0 +1,143 @@
import type { Database } from '@db/sqlite';
import type * as nostrTools from '@nostr/tools';
import { isAddressableEvent, isReplaceableEvent } from '../utils/eventTypes.ts';
import { log } from '../utils/logs.ts';
import { parseATagQuery } from '../utils/parseATagQuery.ts';
import { sql } from '../utils/queries.ts';
export function handleDeletionEvent(
db: Database,
deletionEvent: nostrTools.VerifiedEvent,
encryptedEvent: nostrTools.VerifiedEvent,
ccnPubkey: string,
): void {
log.debug('start', {
tag: 'handleDeletionEvent',
decryptId: deletionEvent.id,
encryptedId: encryptedEvent.id,
kind: deletionEvent.kind,
ccnPubkey,
});
try {
db.run('BEGIN TRANSACTION');
log.debug('begin transaction', { tag: 'handleDeletionEvent' });
sql`
INSERT INTO events (id, original_id, pubkey, created_at, kind, content, sig, first_seen, ccn_pubkey) VALUES (
${deletionEvent.id},
${encryptedEvent.id},
${deletionEvent.pubkey},
${deletionEvent.created_at},
${deletionEvent.kind},
${deletionEvent.content},
${deletionEvent.sig},
unixepoch(),
${ccnPubkey}
)
`(db);
if (deletionEvent.tags) {
for (let i = 0; i < deletionEvent.tags.length; i++) {
const tag = sql`
INSERT INTO event_tags(event_id, tag_name, tag_index) VALUES (
${deletionEvent.id},
${deletionEvent.tags[i][0]},
${i}
) RETURNING tag_id
`(db)[0];
for (let j = 1; j < deletionEvent.tags[i].length; j++) {
sql`
INSERT INTO event_tags_values(tag_id, value_position, value) VALUES (
${tag.tag_id},
${j},
${deletionEvent.tags[i][j]}
)
`(db);
}
}
}
for (const tag of deletionEvent.tags) {
if (tag[0] === 'e' && tag[1]) {
sql`
UPDATE events
SET deleted = 1
WHERE id = ${tag[1]}
AND pubkey = ${deletionEvent.pubkey}
AND ccn_pubkey = ${ccnPubkey}
`(db);
log.debug('deleted event by id', {
tag: 'handleDeletionEvent',
eventId: tag[1],
});
} else if (tag[0] === 'a' && tag[1]) {
const { kind, pubkey, dTag } = parseATagQuery(tag[1]);
if (!kind || !pubkey) continue;
if (pubkey !== deletionEvent.pubkey) continue;
if (isReplaceableEvent(kind)) {
sql`
UPDATE events
SET deleted = 1
WHERE kind = ${kind}
AND pubkey = ${pubkey}
AND ccn_pubkey = ${ccnPubkey}
AND created_at <= ${deletionEvent.created_at}
`(db);
log.debug('deleted replaceable event', {
tag: 'handleDeletionEvent',
kind,
pubkey,
});
} else if (isAddressableEvent(kind) && dTag) {
sql`
UPDATE events
SET deleted = 1
WHERE kind = ${kind}
AND pubkey = ${pubkey}
AND ccn_pubkey = ${ccnPubkey}
AND created_at <= ${deletionEvent.created_at}
AND id IN (
SELECT event_id FROM event_tags
WHERE tag_name = 'd'
AND tag_id IN (
SELECT tag_id FROM event_tags_values
WHERE value_position = 1 AND value = ${dTag}
)
)
`(db);
log.debug('deleted addressable event', {
tag: 'handleDeletionEvent',
kind,
pubkey,
dTag,
});
}
} else if (tag[0] === 'k') {
sql`
UPDATE events
SET deleted = 1
WHERE kind = ${tag[1]}
AND pubkey = ${deletionEvent.pubkey}
AND ccn_pubkey = ${ccnPubkey}
AND created_at <= ${deletionEvent.created_at}
`(db);
log.debug('deleted events of kind', {
tag: 'handleDeletionEvent',
kind: tag[1],
});
}
}
db.run('COMMIT TRANSACTION');
log.debug('committed transaction', { tag: 'handleDeletionEvent' });
} catch (e) {
db.run('ROLLBACK TRANSACTION');
log.error('transaction rolled back', {
tag: 'handleDeletionEvent',
error: e,
});
throw e;
}
log.debug('end', { tag: 'handleDeletionEvent', id: deletionEvent.id });
}

157
eventEncryptionDecryption.ts → src/eventEncryptionDecryption.ts
View file

@ -2,14 +2,13 @@ import type { Database } from '@db/sqlite';
import * as nostrTools from '@nostr/tools';
import { nip44 } from '@nostr/tools';
import { MAX_CHUNK_SIZE, MIN_POW, POW_TO_MINE } from './consts.ts';
import {
getActiveCCN,
getAllCCNs,
getCCNPrivateKeyByPubkey,
randomTimeUpTo2DaysInThePast,
} from './utils.ts';
import { getActiveCCN } from './utils/getActiveCCN.ts';
import { getAllCCNs } from './utils/getAllCCNs.ts';
import { getCCNPrivateKeyByPubkey } from './utils/getCCNPrivateKeyByPubkey.ts';
import { log } from './utils/logs.ts';
import { None, type Option, Some, flatMap, map } from './utils/option.ts';
import { sql } from './utils/queries.ts';
import { randomTimeUpTo2DaysInThePast } from './utils/randomTimeUpTo2DaysInThePast.ts';
export class EventAlreadyExistsException extends Error {}
export class ChunkedEventReceived extends Error {}
@ -183,34 +182,142 @@ function handleChunkedMessage(
throw new Error('Invalid chunked message format');
}
const [_, chunkIndex, totalChunks, messageId] = chunkTag;
const [_, chunkIndexStr, totalChunksStr, messageId] = chunkTag;
const chunkIndex = Number(chunkIndexStr);
const totalChunks = Number(totalChunksStr);
if (!Number.isInteger(chunkIndex) || chunkIndex < 0) {
throw new Error('Invalid chunk index');
}
if (
!Number.isInteger(totalChunks) ||
totalChunks <= 0 ||
totalChunks > 1000
) {
throw new Error('Invalid total chunks count');
}
if (chunkIndex >= totalChunks) {
throw new Error('Chunk index exceeds total chunks');
}
if (!messageId || typeof messageId !== 'string' || messageId.length > 100) {
throw new Error('Invalid message ID');
}
const chunk = nip44.decrypt(seal.content, conversationKey);
const storedChunks = sql`
if (chunk.length > MAX_CHUNK_SIZE * 3) {
throw new Error('Chunk content too large');
}
let isMessageComplete = false;
let reconstructedEvent: nostrTools.VerifiedEvent | null = null;
try {
db.run('BEGIN IMMEDIATE TRANSACTION');
const insertStmt = db.prepare(`
INSERT OR IGNORE INTO event_chunks
(message_id, chunk_index, total_chunks, content, created_at, ccn_pubkey)
VALUES (?, ?, ?, ?, ?, ?)
`);
const insertResult = insertStmt.run(
messageId,
chunkIndex,
totalChunks,
chunk,
Math.floor(Date.now() / 1000),
ccnPubkey,
);
if (insertResult === 0) {
db.run('ROLLBACK TRANSACTION');
throw new ChunkedEventReceived();
}
const currentChunkCount = sql`
SELECT COUNT(DISTINCT chunk_index) as count
FROM event_chunks
WHERE message_id = ${messageId}
AND ccn_pubkey = ${ccnPubkey}
AND total_chunks = ${totalChunks}
`(db)[0].count;
if (currentChunkCount === totalChunks) {
const chunkGapCheck = sql`
SELECT COUNT(*) as count
FROM event_chunks
WHERE message_id = ${messageId}
AND ccn_pubkey = ${ccnPubkey}
AND chunk_index NOT IN (
SELECT DISTINCT chunk_index
FROM event_chunks
WHERE message_id = ${messageId}
AND ccn_pubkey = ${ccnPubkey}
ORDER BY chunk_index
LIMIT ${totalChunks}
)
`(db)[0].count;
sql`
INSERT INTO event_chunks (message_id, chunk_index, total_chunks, content, created_at, ccn_pubkey)
VALUES (${messageId}, ${chunkIndex}, ${totalChunks}, ${chunk}, ${Math.floor(Date.now() / 1000)}, ${ccnPubkey})
`(db);
if (chunkGapCheck > 0) {
db.run('ROLLBACK TRANSACTION');
throw new Error('Chunk sequence validation failed');
}
if (storedChunks + 1 === Number(totalChunks)) {
const allChunks = sql`
SELECT * FROM event_chunks
SELECT content, chunk_index
FROM event_chunks
WHERE message_id = ${messageId}
AND ccn_pubkey = ${ccnPubkey}
ORDER BY chunk_index
`(db);
let fullContent = '';
for (const chunk of allChunks) {
fullContent += chunk.content;
for (let i = 0; i < allChunks.length; i++) {
const chunkData = allChunks[i];
if (chunkData.chunk_index !== i) {
db.run('ROLLBACK TRANSACTION');
throw new Error('Chunk sequence integrity violation');
}
fullContent += chunkData.content;
}
if (fullContent.length === 0) {
db.run('ROLLBACK TRANSACTION');
throw new Error('Empty reconstructed content');
}
try {
const content = JSON.parse(fullContent);
return { ...content, ccnPubkey };
reconstructedEvent = { ...content, ccnPubkey };
isMessageComplete = true;
sql`
DELETE FROM event_chunks
WHERE message_id = ${messageId}
AND ccn_pubkey = ${ccnPubkey}
`(db);
} catch {
db.run('ROLLBACK TRANSACTION');
throw new Error('Failed to parse reconstructed message content');
}
}
db.run('COMMIT TRANSACTION');
} catch (error) {
try {
db.run('ROLLBACK TRANSACTION');
} catch (rollbackError) {
log.error('Failed to rollback transaction', {
tag: 'handleChunkedMessage',
error: rollbackError,
});
}
throw error;
}
if (isMessageComplete && reconstructedEvent) {
return reconstructedEvent;
}
throw new ChunkedEventReceived();
@ -229,7 +336,13 @@ export async function decryptEvent(
throw new Error('No CCNs found');
}
const pow = nostrTools.nip13.getPow(event.id);
if (
nostrTools.nip13.getPow(event.id) < MIN_POW &&
!event.tags.some((t) => t[0] === 'type' && t[1] === 'invite')
) {
throw new Error('Cannot decrypt event -- PoW too low');
}
const isInvite =
event.tags.findIndex(
(tag: string[]) => tag[0] === 'type' && tag[1] === 'invite',
@ -260,10 +373,6 @@ export async function decryptEvent(
throw new Error('Cannot decrypt invite');
}
if (pow < MIN_POW) {
throw new Error('Cannot decrypt event -- PoW too low');
}
const ccnPrivkey = await getCCNPrivateKeyByPubkey(eventDestination);
const decryptedEvent = attemptDecryptWithKey(
event,
@ -275,13 +384,13 @@ export async function decryptEvent(
}
try {
const chuncked = handleChunkedMessage(
const chunked = handleChunkedMessage(
db,
event,
ccnPrivkey,
eventDestination,
);
return { ...chuncked, ccnPubkey: eventDestination };
return { ...chunked, ccnPubkey: eventDestination };
} catch (e) {
if (e instanceof ChunkedEventReceived) {
throw e;

397
src/index.ts Normal file
View file

@ -0,0 +1,397 @@
import { randomBytes } from '@noble/ciphers/webcrypto';
import * as nostrTools from '@nostr/tools';
import { Database } from 'jsr:@db/sqlite';
import { NSchema as n } from 'jsr:@nostrify/nostrify';
import { encodeBase64 } from 'jsr:@std/encoding@0.224/base64';
import { UserConnection } from './UserConnection.ts';
import { handleCCNCommands } from './commands/ccn.ts';
import { handleClose } from './commands/close.ts';
import { handleEvent } from './commands/event.ts';
import { handleRequest } from './commands/request.ts';
import { CHUNK_CLEANUP_INTERVAL, QUEUE_PROCESS_INTERVAL } from './consts.ts';
import { addEventToDb } from './dbEvents/addEventToDb.ts';
import {
ChunkedEventReceived,
EventAlreadyExistsException,
decryptEvent,
} from './eventEncryptionDecryption.ts';
import { runMigrations } from './migrations.ts';
import { pool, relays } from './relays.ts';
import { cleanupOldChunks } from './utils/cleanupOldChunks.ts';
import { getEveFilePath } from './utils/files.ts';
import { getEncryptedEventByOriginalId } from './utils/getEncryptedEventByOriginalId.ts';
import { isArray } from './utils/isArray.ts';
import { isLocalhost } from './utils/isLocalhost.ts';
import { isValidJSON } from './utils/isValidJSON.ts';
import {
isOriginalEventIdCached,
updateKnownEventsCache,
} from './utils/knownEventsCache.ts';
import { log, setupLogger } from './utils/logs.ts';
import {
getQueueStats,
processOutboundQueue,
processStartupQueue,
} from './utils/outboundQueue.ts';
import { sql } from './utils/queries.ts';
import {
SecurityEventType,
SecuritySeverity,
logSecurityEvent,
logSystemEvent,
} from './utils/securityLogs.ts';
await setupLogger(null);
await Deno.mkdir(await getEveFilePath('ccn_keys'), { recursive: true });
logSystemEvent(SecurityEventType.SYSTEM_STARTUP, {
version: 'alpha',
deno_version: Deno.version.deno,
timestamp: new Date().toISOString(),
});
if (!Deno.env.has('ENCRYPTION_KEY')) {
const newKey = encodeBase64(randomBytes(32));
log.error(
`Missing ENCRYPTION_KEY. Please set it in your env.\nA new one has been generated for you: ENCRYPTION_KEY="${newKey}"`,
);
logSecurityEvent({
eventType: SecurityEventType.CONFIGURATION_LOADED,
severity: SecuritySeverity.CRITICAL,
source: 'startup',
details: {
error: 'missing_encryption_key',
generated_new_key: true,
},
});
Deno.exit(1);
}
logSystemEvent(SecurityEventType.CONFIGURATION_LOADED, {
encryption_key_present: true,
ccn_keys_directory: await getEveFilePath('ccn_keys'),
});
export const db = new Database(await getEveFilePath('db'));
await setupLogger(db);
/**
* Creates a subscription event handler for processing encrypted events.
* This handler decrypts and adds valid events to the database.
* @param database The database instance to use
* @returns An event handler function
*/
function createSubscriptionEventHandler(db: Database) {
return async (event: nostrTools.Event) => {
if (isOriginalEventIdCached(event.id)) return;
if (!nostrTools.verifyEvent(event)) {
log.warn('Invalid event received');
logSecurityEvent({
eventType: SecurityEventType.INVALID_SIGNATURE,
severity: SecuritySeverity.MEDIUM,
source: 'event_processing',
details: {
event_id: event.id,
event_kind: event.kind,
pubkey: event.pubkey,
},
});
return;
}
if (getEncryptedEventByOriginalId(db, event)) return;
try {
const decryptedEvent = await decryptEvent(db, event);
addEventToDb(db, decryptedEvent, event, decryptedEvent.ccnPubkey);
updateKnownEventsCache();
} catch (e) {
if (e instanceof EventAlreadyExistsException) {
logSecurityEvent({
eventType: SecurityEventType.DUPLICATE_EVENT_BLOCKED,
severity: SecuritySeverity.LOW,
source: 'event_processing',
details: {
event_id: event.id,
reason: 'event_already_exists',
},
});
return;
}
if (e instanceof ChunkedEventReceived) {
logSecurityEvent({
eventType: SecurityEventType.CHUNKED_EVENT_RECEIVED,
severity: SecuritySeverity.LOW,
source: 'event_processing',
details: {
event_id: event.id,
event_kind: event.kind,
},
});
return;
}
logSecurityEvent({
eventType: SecurityEventType.DECRYPTION_FAILURE,
severity: SecuritySeverity.MEDIUM,
source: 'event_processing',
details: {
operation: 'event_decryption',
event_id: event.id,
event_kind: event.kind,
error_message: e instanceof Error ? e.message : 'Unknown error',
},
});
}
};
}
function setupAndSubscribeToExternalEvents() {
const isInitialized = sql`
SELECT name FROM sqlite_master WHERE type='table' AND name='migration_history'
`(db)[0];
if (!isInitialized) runMigrations(db, -1);
const latestVersion =
sql`
SELECT migration_version FROM migration_history WHERE status = 'success' ORDER BY migration_version DESC LIMIT 1
`(db)[0]?.migration_version ?? -1;
runMigrations(db, latestVersion);
logSystemEvent(SecurityEventType.SYSTEM_STARTUP, {
database_logging_enabled: true,
migrations_complete: true,
});
const allCCNs = sql`SELECT pubkey FROM ccns`(db);
const ccnPubkeys = allCCNs.map((ccn) => ccn.pubkey);
pool.subscribeMany(
relays,
[
{
'#p': ccnPubkeys,
kinds: [1059],
},
],
{
onevent: createSubscriptionEventHandler(db),
},
);
updateKnownEventsCache();
setInterval(() => cleanupOldChunks(db), CHUNK_CLEANUP_INTERVAL);
processStartupQueue(db).catch((error: unknown) => {
log.error('Startup queue processing failed', {
tag: 'outboundQueue',
error: error instanceof Error ? error.message : 'Unknown error',
});
});
setInterval(async () => {
try {
await processOutboundQueue(db);
const stats = getQueueStats(db);
if (stats.total > 0) {
log.info('Outbound queue status', {
tag: 'outboundQueue',
...stats,
});
}
} catch (error) {
log.error('Error processing outbound queue', {
tag: 'outboundQueue',
error: error instanceof Error ? error.message : 'Unknown error',
});
}
}, QUEUE_PROCESS_INTERVAL);
processOutboundQueue(db).catch((error) => {
log.error('Initial queue processing failed', {
tag: 'outboundQueue',
error: error instanceof Error ? error.message : 'Unknown error',
});
});
log.info('Outbound queue processor started', {
tag: 'outboundQueue',
interval: QUEUE_PROCESS_INTERVAL,
});
}
setupAndSubscribeToExternalEvents();
export function handleSocketError(
connection: UserConnection,
operation: string,
error: unknown,
): void {
const errorMessage = error instanceof Error ? error.message : 'Unknown error';
log.error(`Error ${operation}: ${errorMessage}`);
connection.sendNotice(`Failed to ${operation}`);
}
Deno.serve({
port: 6942,
handler: (request, connInfo) => {
if (request.headers.get('upgrade') === 'websocket') {
if (!isLocalhost(request, connInfo)) {
logSecurityEvent({
eventType: SecurityEventType.NON_LOCALHOST_CONNECTION_BLOCKED,
severity: SecuritySeverity.HIGH,
source: 'connection_security',
details: {
remote_addr: connInfo?.remoteAddr,
user_agent: request.headers.get('user-agent'),
host: request.headers.get('host'),
origin: request.headers.get('origin'),
},
remoteAddr:
connInfo?.remoteAddr?.transport === 'tcp'
? connInfo.remoteAddr.hostname
: 'unknown',
});
return new Response(
'Forbidden. Please read the Arx-CCN documentation for more information on how to interact with the relay.',
{ status: 403 },
);
}
log.info('upgrading connection', { tag: 'WebSocket' });
const { socket, response } = Deno.upgradeWebSocket(request);
const connection = new UserConnection(socket, new Map(), db);
socket.onopen = () => {
log.info('User connected');
logSecurityEvent({
eventType: SecurityEventType.WEBSOCKET_CONNECTION_ESTABLISHED,
severity: SecuritySeverity.LOW,
source: 'connection_security',
details: {
remote_addr: connInfo?.remoteAddr,
user_agent: request.headers.get('user-agent'),
connection_time: new Date().toISOString(),
},
remoteAddr:
connInfo?.remoteAddr?.transport === 'tcp'
? connInfo.remoteAddr.hostname
: 'localhost',
});
};
socket.onmessage = (event) => {
log.debug('Received', {
tag: 'WebSocket',
data: event.data,
});
if (typeof event.data !== 'string' || !isValidJSON(event.data)) {
log.warn('Invalid request', { tag: 'WebSocket' });
logSecurityEvent({
eventType: SecurityEventType.MALFORMED_EVENT,
severity: SecuritySeverity.MEDIUM,
source: 'websocket_handler',
details: {
data_type: typeof event.data,
is_valid_json: isValidJSON(event.data),
data_length: event.data?.length || 0,
},
remoteAddr:
connInfo?.remoteAddr?.transport === 'tcp'
? connInfo.remoteAddr.hostname
: 'localhost',
});
return;
}
const data = JSON.parse(event.data);
if (!isArray(data)) {
logSecurityEvent({
eventType: SecurityEventType.MALFORMED_EVENT,
severity: SecuritySeverity.MEDIUM,
source: 'websocket_handler',
details: {
error: 'message_not_array',
received_type: typeof data,
},
remoteAddr:
connInfo?.remoteAddr?.transport === 'tcp'
? connInfo.remoteAddr.hostname
: 'localhost',
});
return log.warn('Invalid request', { tag: 'WebSocket' });
}
const msgType = data[0];
log.debug('received message', { tag: 'WebSocket', msgType });
switch (msgType) {
case 'REQ':
return handleRequest(connection, n.clientREQ().parse(data));
case 'EVENT':
return handleEvent(connection, n.clientEVENT().parse(data)[1]);
case 'CLOSE':
return handleClose(connection, n.clientCLOSE().parse(data)[1]);
case 'CCN':
return handleCCNCommands(connection, data[1] as string, data[2]);
default:
logSecurityEvent({
eventType: SecurityEventType.MALFORMED_EVENT,
severity: SecuritySeverity.MEDIUM,
source: 'websocket_handler',
details: {
error: 'unknown_message_type',
message_type: msgType,
data_preview: data.slice(0, 3), // First 3 elements for debugging
},
remoteAddr:
connInfo?.remoteAddr?.transport === 'tcp'
? connInfo.remoteAddr.hostname
: 'localhost',
});
log.warn('Invalid request', { tag: 'WebSocket' });
return;
}
};
socket.onclose = () => {
log.info('User disconnected');
logSecurityEvent({
eventType: SecurityEventType.WEBSOCKET_CONNECTION_CLOSED,
severity: SecuritySeverity.LOW,
source: 'connection_security',
details: {
disconnect_time: new Date().toISOString(),
subscriptions_count: connection.subscriptions.size,
},
remoteAddr:
connInfo?.remoteAddr?.transport === 'tcp'
? connInfo.remoteAddr.hostname
: 'localhost',
});
};
return response;
}
return new Response(
Deno.readTextFileSync(`${import.meta.dirname}/../public/landing.html`),
{
headers: { 'Content-Type': 'text/html' },
},
);
},
});

55
src/migrations.ts Normal file
View file

@ -0,0 +1,55 @@
import type { Database } from '@db/sqlite';
import { log } from './utils/logs.ts';
import { sql } from './utils/queries.ts';
export function runMigrations(db: Database, latestVersion: number) {
const migrations = [
...Deno.readDirSync(`${import.meta.dirname}/../migrations`),
];
migrations.sort((a, b) => {
const aVersion = Number.parseInt(a.name.split('-')[0], 10);
const bVersion = Number.parseInt(b.name.split('-')[0], 10);
return aVersion - bVersion;
});
for (const migrationFile of migrations) {
const migrationVersion = Number.parseInt(
migrationFile.name.split('-')[0],
10,
);
if (migrationVersion > latestVersion) {
log.info(
`Running migration ${migrationFile.name} (version ${migrationVersion})`,
);
const start = Date.now();
const migrationSql = Deno.readTextFileSync(
`${import.meta.dirname}/../migrations/${migrationFile.name}`,
);
db.run('BEGIN TRANSACTION');
try {
db.run(migrationSql);
const end = Date.now();
const durationMs = end - start;
sql`
INSERT INTO migration_history (migration_version, migration_name, executed_at, duration_ms, status) VALUES (${migrationVersion}, ${migrationFile.name}, ${new Date().toISOString()}, ${durationMs}, 'success');
db.run("COMMIT TRANSACTION");
`(db);
} catch (e) {
db.run('ROLLBACK TRANSACTION');
const error =
e instanceof Error
? e
: typeof e === 'string'
? new Error(e)
: new Error(JSON.stringify(e));
const end = Date.now();
const durationMs = end - start;
sql`
INSERT INTO migration_history (migration_version, migration_name, executed_at, duration_ms, status, error_message) VALUES (${migrationVersion}, ${migrationFile.name}, ${new Date().toISOString()}, ${durationMs}, 'failed', ${error.message});
`(db);
throw e;
}
db.run('END TRANSACTION');
}
}
}

39
src/relays.ts Normal file
View file

@ -0,0 +1,39 @@
import * as nostrTools from '@nostr/tools';
import { isArray } from './utils/isArray.ts';
export const pool = new nostrTools.SimplePool();
export const relays = [
'wss://relay.arx-ccn.com/',
'wss://relay.dannymorabito.com/',
'wss://nos.lol/',
'wss://nostr.einundzwanzig.space/',
'wss://nostr.massmux.com/',
'wss://nostr.mom/',
'wss://nostr.wine/',
'wss://purplerelay.com/',
'wss://relay.damus.io/',
'wss://relay.goodmorningbitcoin.com/',
'wss://relay.lexingtonbitcoin.org/',
'wss://relay.nostr.band/',
'wss://relay.primal.net/',
'wss://relay.snort.social/',
'wss://strfry.iris.to/',
'wss://cache2.primal.net/v1',
];
/**
* FIXME: make sure to somehow tag encryptedEvents and add asserts, so that it's not possible to accidentally call this function with unencrypted events
*
* @param encryptedEvent the event to publish to the relay
*/
export async function publishToRelays(
encryptedEvent: nostrTools.Event | nostrTools.Event[],
): Promise<void> {
if (isArray(encryptedEvent)) {
for (const chunk of encryptedEvent) {
await Promise.any(pool.publish(relays, chunk));
}
} else {
await Promise.any(pool.publish(relays, encryptedEvent));
}
}

8
src/utils/cleanupOldChunks.ts Normal file
View file

@ -0,0 +1,8 @@
import type { Database } from 'jsr:@db/sqlite';
import { CHUNK_MAX_AGE } from '../consts.ts';
import { sql } from './queries.ts';
export function cleanupOldChunks(db: Database) {
const cutoffTime = Math.floor((Date.now() - CHUNK_MAX_AGE) / 1000);
sql`DELETE FROM event_chunks WHERE created_at < ${cutoffTime}`(db);
}

52
src/utils/createNewCCN.ts Normal file
View file

@ -0,0 +1,52 @@
import { encodeBase64 } from 'jsr:@std/encoding@~0.224.1/base64';
import type { Database } from '@db/sqlite';
import * as nostrTools from '@nostr/tools';
import * as nip06 from '@nostr/tools/nip06';
import { encryptUint8Array, encryptionKey } from './encryption.ts';
import { getEveFilePath } from './files.ts';
import { sql } from './queries.ts';
/**
* Create a new CCN and store it in the database
*
* @param db - The database instance
* @param name - The name of the CCN
* @param seed - The seed words for the CCN
* @returns The public key and private key of the CCN
*/
export async function createNewCCN(
db: Database,
name: string,
creator: string,
seed?: string,
): Promise<{ pubkey: string; privkey: Uint8Array }> {
const ccnSeed = seed || nip06.generateSeedWords();
const ccnPrivateKey = nip06.privateKeyFromSeedWords(ccnSeed);
const ccnPublicKey = nostrTools.getPublicKey(ccnPrivateKey);
const ccnSeedPath = await getEveFilePath(`ccn_seeds/${ccnPublicKey}`);
const ccnPrivPath = await getEveFilePath(`ccn_keys/${ccnPublicKey}`);
await Deno.mkdir(await getEveFilePath('ccn_seeds'), { recursive: true });
await Deno.mkdir(await getEveFilePath('ccn_keys'), { recursive: true });
const encryptedPrivateKey = encryptUint8Array(ccnPrivateKey, encryptionKey);
Deno.writeTextFileSync(ccnSeedPath, ccnSeed);
Deno.writeTextFileSync(ccnPrivPath, encodeBase64(encryptedPrivateKey));
db.run('BEGIN TRANSACTION');
sql`INSERT INTO ccns (pubkey, name) VALUES (${ccnPublicKey}, ${name})`(db);
sql`INSERT INTO allowed_writes (ccn_pubkey, pubkey) VALUES (${ccnPublicKey}, ${creator})`(
db,
);
db.run('COMMIT TRANSACTION');
return {
pubkey: ccnPublicKey,
privkey: ccnPrivateKey,
};
}

217
src/utils/databaseLogger.ts Normal file
View file

@ -0,0 +1,217 @@
import type { Database, Statement } from '@db/sqlite';
import * as log from '@std/log';
interface DatabaseHandlerOptions extends log.BaseHandlerOptions {
db?: Database;
}
export class DatabaseHandler extends log.BaseHandler {
private db: Database | null = null;
private insertStmt: Statement | null = null;
constructor(levelName: log.LevelName, options: DatabaseHandlerOptions = {}) {
super(levelName, options);
if (options.db) {
this.setDatabase(options.db);
}
}
setDatabase(db: Database): void {
this.db = db;
try {
this.insertStmt = this.db.prepare(`
INSERT INTO logs (timestamp, level, message, args, source, event_type, severity, remote_addr, ccn_pubkey, event_id, risk_score)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
`);
} catch (error) {
console.warn('Database logger not ready:', error);
}
}
override log(msg: string): void {
// Required by the abstract base class but not used in our implementation
}
override handle(logRecord: log.LogRecord): void {
if (this.shouldSkipLogging(logRecord)) {
return;
}
if (!this.db || !this.insertStmt) {
return;
}
try {
const timestamp = new Date(logRecord.datetime).toISOString();
const level = this.getLevelName(logRecord.level);
const message = logRecord.msg;
const securityData = this.extractSecurityData(logRecord.args);
const sanitizedArgs = this.sanitizeArgs(logRecord.args);
const argsJson =
sanitizedArgs.length > 0 ? JSON.stringify(sanitizedArgs) : null;
const source = this.extractSource(logRecord.args);
this.insertStmt.run(
timestamp,
level,
message,
argsJson,
source,
securityData.eventType,
securityData.severity,
securityData.remoteAddr,
securityData.ccnPubkey,
securityData.eventId,
securityData.riskScore,
);
} catch (error) {
console.error('Failed to write log to database:', error);
}
}
private getLevelName(level: number): string {
switch (level) {
case 10:
return 'DEBUG';
case 20:
return 'INFO';
case 30:
return 'WARN';
case 40:
return 'ERROR';
case 50:
return 'FATAL';
default:
return `LVL${level}`;
}
}
private shouldSkipLogging(logRecord: log.LogRecord): boolean {
const message = logRecord.msg.toLowerCase();
if (
message.includes('sql') ||
message.includes('database') ||
message.includes('migration') ||
message.includes('sqlite')
) {
return true;
}
if (message.includes('log') && message.includes('database')) {
return true;
}
return false;
}
private extractSecurityData(args: unknown[]): {
eventType: string | null;
severity: string | null;
remoteAddr: string | null;
ccnPubkey: string | null;
eventId: string | null;
riskScore: number | null;
} {
let eventType = null;
let severity = null;
let remoteAddr = null;
let ccnPubkey = null;
let eventId = null;
let riskScore = null;
for (const arg of args) {
if (typeof arg === 'object' && arg !== null) {
const obj = arg as Record<string, unknown>;
if (obj.eventType && typeof obj.eventType === 'string') {
eventType = obj.eventType;
}
if (obj.severity && typeof obj.severity === 'string') {
severity = obj.severity;
}
if (obj.remoteAddr && typeof obj.remoteAddr === 'string') {
remoteAddr = obj.remoteAddr;
}
if (obj.ccnPubkey && typeof obj.ccnPubkey === 'string') {
ccnPubkey = obj.ccnPubkey;
}
if (obj.eventId && typeof obj.eventId === 'string') {
eventId = obj.eventId;
}
if (obj.risk_score && typeof obj.risk_score === 'number') {
riskScore = obj.risk_score;
}
}
}
return { eventType, severity, remoteAddr, ccnPubkey, eventId, riskScore };
}
private extractSource(args: unknown[]): string | null {
for (const arg of args) {
if (typeof arg === 'object' && arg !== null) {
const obj = arg as Record<string, unknown>;
if (obj.tag && typeof obj.tag === 'string') {
return obj.tag;
}
if (obj.source && typeof obj.source === 'string') {
return obj.source;
}
}
}
return null;
}
private sanitizeArgs(args: unknown[]): unknown[] {
const sensitiveKeys = [
'privatekey',
'private_key',
'privkey',
'priv_key',
'secretkey',
'secret_key',
'seckey',
'sec_key',
'password',
'pass',
'pwd',
'token',
'auth',
'ccnprivatekey',
'ccn_private_key',
'ccnprivkey',
];
return args.map((arg) => {
if (typeof arg === 'object' && arg !== null) {
const sanitized: Record<string, unknown> = {};
for (const [key, value] of Object.entries(
arg as Record<string, unknown>,
)) {
const lowerKey = key.toLowerCase();
if (
sensitiveKeys.some((sensitiveKey) =>
lowerKey.includes(sensitiveKey),
)
) {
sanitized[key] = '[REDACTED]';
} else if (value instanceof Uint8Array) {
sanitized[key] = `[Uint8Array length=${value.length}]`;
} else {
sanitized[key] = value;
}
}
return sanitized;
}
return arg;
});
}
}
export const dbHandler: DatabaseHandler | null = null;

0
utils/encryption.ts → src/utils/encryption.ts
View file

24
src/utils/eventTypes.ts Normal file
View file

@ -0,0 +1,24 @@
export function isReplaceableEvent(kind: number): boolean {
return (kind >= 10000 && kind < 20000) || kind === 0 || kind === 3;
}
export function isAddressableEvent(kind: number): boolean {
return kind >= 30000 && kind < 40000;
}
export function isRegularEvent(kind: number): boolean {
return (
(kind >= 1000 && kind < 10000) ||
(kind >= 4 && kind < 45) ||
kind === 1 ||
kind === 2
);
}
export function isDeleteEvent(kind: number): boolean {
return kind === 5;
}
export function isCCNReplaceableEvent(kind: number): boolean {
return kind >= 60000 && kind < 65536;
}

0
utils/files.ts → src/utils/files.ts Normal file → Executable file
View file

32
src/utils/filtersMatchingEvent.ts Normal file
View file

@ -0,0 +1,32 @@
import type { NostrEvent } from 'jsr:@nostrify/types';
import type { UserConnection } from '../UserConnection.ts';
export function filtersMatchingEvent(
event: NostrEvent,
connection: UserConnection,
): string[] {
const matching = [];
for (const subscription of connection.subscriptions.keys()) {
const filters = connection.subscriptions.get(subscription);
if (!filters) continue;
const isMatching = filters.some((filter) =>
Object.entries(filter).every(([type, value]) => {
if (type === 'ids') return value.includes(event.id);
if (type === 'kinds') return value.includes(event.kind);
if (type === 'authors') return value.includes(event.pubkey);
if (type === 'since') return event.created_at > value;
if (type === 'until') return event.created_at <= value;
if (type === 'limit') return true;
if (type.startsWith('#')) {
const tagName = type.slice(1);
return event.tags.some(
(tag: string[]) => tag[0] === tagName && value.includes(tag[1]),
);
}
return false;
}),
);
if (isMatching) matching.push(subscription);
}
return matching;
}

17
src/utils/getActiveCCN.ts Normal file
View file

@ -0,0 +1,17 @@
import type { Database } from '@db/sqlite';
import { sql } from './queries.ts';
/**
* Get the single active CCN from the database
* @returns The active CCN or null if none is active
*/
export function getActiveCCN(
db: Database,
): { pubkey: string; name: string } | null {
const result = sql`SELECT pubkey, name FROM ccns WHERE is_active = 1 LIMIT 1`(
db,
);
return result.length > 0
? (result[0] as { pubkey: string; name: string })
: null;
}

13
src/utils/getAllCCNs.ts Normal file
View file

@ -0,0 +1,13 @@
import type { Database } from '@db/sqlite';
import { sql } from './queries.ts';
/**
* Get all CCNs from the database
*/
export function getAllCCNs(db: Database): { pubkey: string; name: string }[] {
return sql`SELECT pubkey, name FROM ccns`(db) as {
pubkey: string;
name: string;
}[];
}

20
src/utils/getCCNPrivateKeyByPubkey.ts Normal file
View file

@ -0,0 +1,20 @@
import { decodeBase64 } from 'jsr:@std/encoding@~0.224.1/base64';
import { exists } from 'jsr:@std/fs/exists';
import { decryptUint8Array, encryptionKey } from './encryption.ts';
import { getEveFilePath } from './files.ts';
/**
* Get the private key for a specific CCN
*/
export async function getCCNPrivateKeyByPubkey(
pubkey: string,
): Promise<Uint8Array> {
const ccnPrivPath = await getEveFilePath(`ccn_keys/${pubkey}`);
if (await exists(ccnPrivPath)) {
const encryptedPrivateKey = Deno.readTextFileSync(ccnPrivPath);
return decryptUint8Array(decodeBase64(encryptedPrivateKey), encryptionKey);
}
throw new Error(`CCN private key for ${pubkey} not found`);
}

12
src/utils/getEncryptedEventByOriginalId.ts Normal file
View file

@ -0,0 +1,12 @@
import type { Database } from '@db/sqlite';
import type * as nostrTools from '@nostr/tools';
import { sql } from '../utils/queries.ts';
export function getEncryptedEventByOriginalId(
db: Database,
event: nostrTools.VerifiedEvent,
) {
return sql`
SELECT * FROM events WHERE original_id = ${event.id}
`(db)[0];
}

76
src/utils/invites.ts Normal file
View file

@ -0,0 +1,76 @@
import type { Database } from 'jsr:@db/sqlite';
import { bytesToHex } from '@noble/ciphers/utils';
import { nip19 } from '@nostr/tools';
import { bech32m } from '@scure/base';
import { sql } from './queries.ts';
export class InviteTree {
public root: InviteNode;
constructor(npub: string) {
this.root = new InviteNode(npub);
}
public addChild(npub: string) {
const child = new InviteNode(npub);
this.root.children.push(child);
}
}
export class InviteNode {
public readonly npub: string;
public readonly children: InviteNode[];
constructor(npub: string) {
this.npub = npub;
this.children = [];
}
public addChild(npub: string) {
const child = new InviteNode(npub);
this.children.push(child);
}
}
export function buildInviteTree(db: Database, ccnPubkey: string) {
const ccnCreator = sql`
SELECT pubkey FROM allowed_writes WHERE ccn_pubkey = ${ccnPubkey} AND pubkey NOT IN (
SELECT invitee_pubkey FROM inviter_invitee WHERE ccn_pubkey = ${ccnPubkey}
)
`(db)[0]?.pubkey;
if (!ccnCreator) {
throw new Error('CCN creator not found');
}
const inviteTree = new InviteTree(ccnCreator);
const invitees = sql`
SELECT inviter_pubkey, invitee_pubkey FROM inviter_invitee WHERE ccn_pubkey = ${ccnPubkey}
`(db);
// populate the invite tree by traversing the inviters
for (const invitee of invitees) {
let inviterNode = inviteTree.root.children.find(
(child) => child.npub === invitee.inviter_pubkey,
);
if (!inviterNode) {
inviterNode = new InviteNode(invitee.inviter_pubkey);
inviteTree.root.children.push(inviterNode);
}
inviterNode.addChild(invitee.invitee_pubkey);
}
return inviteTree;
}
export function readInvite(invite: `${string}1${string}`) {
const decoded = bech32m.decode(invite, false);
if (decoded.prefix !== 'eveinvite') return false;
const hexBytes = bech32m.fromWords(decoded.words);
const npub = nip19.npubEncode(bytesToHex(hexBytes.slice(0, 32)));
const inviteCode = bytesToHex(hexBytes.slice(32));
return { npub, invite: inviteCode };
}

3
src/utils/isArray.ts Normal file
View file

@ -0,0 +1,3 @@
export function isArray<T>(obj: unknown): obj is T[] {
return Array.isArray(obj);
}

39
src/utils/isLocalhost.ts Normal file
View file

@ -0,0 +1,39 @@
export function isLocalhost(
req: Request,
connInfo?: Deno.ServeHandlerInfo,
): boolean {
if (connInfo?.remoteAddr) {
const remoteAddr = connInfo.remoteAddr;
if (remoteAddr.transport === 'tcp') {
const hostname = remoteAddr.hostname;
return hostname === '127.0.0.1' || hostname === '::1';
}
if (remoteAddr.transport === 'unix') {
return true;
}
}
const url = new URL(req.url);
const hostname = url.hostname;
if (hostname === '127.0.0.1' || hostname === '::1') {
return true;
}
if (hostname === 'localhost') {
const suspiciousHeaders = [
'x-forwarded-for',
'x-forwarded-host',
'x-real-ip',
'cf-connecting-ip',
'x-cluster-client-ip',
];
for (const header of suspiciousHeaders) {
if (req.headers.get(header)) {
return false;
}
}
return true;
}
return false;
}

8
src/utils/isValidJSON.ts Normal file
View file

@ -0,0 +1,8 @@
export function isValidJSON(str: string) {
try {
JSON.parse(str);
} catch {
return false;
}
return true;
}

14
src/utils/knownEventsCache.ts Normal file
View file

@ -0,0 +1,14 @@
import { db } from '../index.ts';
import { sql } from './queries.ts';
let knownOriginalEventsCache: string[] = [];
export function isOriginalEventIdCached(eventId: string) {
return knownOriginalEventsCache.includes(eventId);
}
export function updateKnownEventsCache() {
knownOriginalEventsCache = sql`SELECT original_id FROM events`(db).flatMap(
(row) => row.original_id,
);
}

162
src/utils/logQueries.ts Normal file
View file

@ -0,0 +1,162 @@
import type { Database } from '@db/sqlite';
import { sql } from './queries.ts';
export interface LogEntry {
log_id: string;
timestamp: string;
level: string;
message: string;
args: string | null;
source: string | null;
created_at: number;
event_type: string | null;
severity: string | null;
remote_addr: string | null;
ccn_pubkey: string | null;
event_id: string | null;
risk_score: number | null;
}
export function getRecentLogs(
db: Database,
limit = 100,
level?: string,
): LogEntry[] {
if (level) {
return sql`
SELECT * FROM logs
WHERE level = ${level}
ORDER BY created_at DESC
LIMIT ${limit}
`(db) as LogEntry[];
}
return sql`
SELECT * FROM logs
ORDER BY created_at DESC
LIMIT ${limit}
`(db) as LogEntry[];
}
export function getSecurityLogs(
db: Database,
limit = 100,
severity?: string,
): LogEntry[] {
if (severity) {
return sql`
SELECT * FROM logs
WHERE event_type IS NOT NULL AND severity = ${severity}
ORDER BY created_at DESC
LIMIT ${limit}
`(db) as LogEntry[];
}
return sql`
SELECT * FROM logs
WHERE event_type IS NOT NULL
ORDER BY created_at DESC
LIMIT ${limit}
`(db) as LogEntry[];
}
export function getLogsByTimeRange(
db: Database,
startTime: number,
endTime: number,
level?: string,
): LogEntry[] {
if (level) {
return sql`
SELECT * FROM logs
WHERE created_at >= ${startTime} AND created_at <= ${endTime} AND level = ${level}
ORDER BY created_at DESC
`(db) as LogEntry[];
}
return sql`
SELECT * FROM logs
WHERE created_at >= ${startTime} AND created_at <= ${endTime}
ORDER BY created_at DESC
`(db) as LogEntry[];
}
export function getLogsByCCN(
db: Database,
ccnPubkey: string,
limit = 100,
): LogEntry[] {
return sql`
SELECT * FROM logs
WHERE ccn_pubkey = ${ccnPubkey}
ORDER BY created_at DESC
LIMIT ${limit}
`(db) as LogEntry[];
}
export function getHighRiskLogs(
db: Database,
minRiskScore = 7.0,
limit = 50,
): LogEntry[] {
return sql`
SELECT * FROM logs
WHERE risk_score >= ${minRiskScore}
ORDER BY risk_score DESC, created_at DESC
LIMIT ${limit}
`(db) as LogEntry[];
}
export function getLogStats(db: Database): {
total_logs: number;
logs_by_level: Record<string, number>;
security_events: number;
high_risk_events: number;
last_24h_logs: number;
} {
const totalLogs = sql`SELECT COUNT(*) as count FROM logs`(db)[0].count;
const logsByLevel = sql`
SELECT level, COUNT(*) as count
FROM logs
GROUP BY level
`(db);
const securityEvents = sql`
SELECT COUNT(*) as count
FROM logs
WHERE event_type IS NOT NULL
`(db)[0].count;
const highRiskEvents = sql`
SELECT COUNT(*) as count
FROM logs
WHERE risk_score >= 7.0
`(db)[0].count;
const last24hLogs = sql`
SELECT COUNT(*) as count
FROM logs
WHERE created_at >= ${Math.floor(Date.now() / 1000) - 86400}
`(db)[0].count;
const levelStats: Record<string, number> = {};
for (const row of logsByLevel) {
levelStats[row.level] = row.count;
}
return {
total_logs: totalLogs,
logs_by_level: levelStats,
security_events: securityEvents,
high_risk_events: highRiskEvents,
last_24h_logs: last24hLogs,
};
}
export function cleanupOldLogs(db: Database, daysToKeep = 30): number {
const cutoffTime = Math.floor(Date.now() / 1000) - daysToKeep * 86400;
const stmt = db.prepare('DELETE FROM logs WHERE created_at < ?');
return stmt.run(cutoffTime);
}

140
src/utils/logs.ts Normal file
View file

@ -0,0 +1,140 @@
import type { Database } from '@db/sqlite';
import * as colors from 'jsr:@std/fmt@^1.0.4/colors';
import * as log from 'jsr:@std/log';
import { DatabaseHandler } from './databaseLogger.ts';
import { getEveFilePath } from './files.ts';
export * as log from 'jsr:@std/log';
/**
* Sanitizes data before logging to prevent accidental exposure of sensitive information
* @param data The data to sanitize
* @returns Sanitized data safe for logging
*/
function sanitizeForLogging(data: unknown): unknown {
if (data === null || data === undefined || typeof data !== 'object') {
return data;
}
if (data instanceof Uint8Array) {
// Never log raw binary data that could contain keys
return `[Uint8Array length=${data.length}]`;
}
if (Array.isArray(data)) {
return data.map(sanitizeForLogging);
}
const sanitized: Record<string, unknown> = {};
const sensitiveKeys = [
'privatekey',
'private_key',
'privkey',
'priv_key',
'secretkey',
'secret_key',
'seckey',
'sec_key',
'password',
'pass',
'pwd',
'token',
'auth',
'ccnprivatekey',
'ccn_private_key',
'ccnprivkey',
'seed',
'seedphrase',
'seed_phrase',
'mnemonic',
'mnemonic_phrase',
'mnemonic_phrase_words',
];
for (const [key, value] of Object.entries(data as Record<string, unknown>)) {
const lowerKey = key.toLowerCase();
if (sensitiveKeys.some((sensitiveKey) => lowerKey.includes(sensitiveKey))) {
sanitized[key] = '[REDACTED]';
} else {
sanitized[key] = sanitizeForLogging(value);
}
}
return sanitized;
}
export async function setupLogger(db: Database | null) {
const formatLevel = (level: number): string => {
return (
{
10: colors.gray('[DEBUG]'),
20: colors.green('[INFO] '),
30: colors.yellow('[WARN] '),
40: colors.red('[ERROR]'),
50: colors.bgRed('[FATAL]'),
}[level] || `[LVL${level}]`
);
};
const levelName = (level: number): string => {
return (
{
10: 'DEBUG',
20: 'INFO',
30: 'WARN',
40: 'ERROR',
50: 'FATAL',
}[level] || `LVL${level}`
);
};
const formatArg = (arg: unknown): string => {
const sanitized = sanitizeForLogging(arg);
if (typeof sanitized === 'object') return JSON.stringify(sanitized);
return String(sanitized);
};
const handlers: Record<string, log.BaseHandler> = {
console: new log.ConsoleHandler('DEBUG', {
useColors: true,
formatter: (record) => {
const timestamp = new Date().toISOString();
let msg = `${colors.dim(`[${timestamp}]`)} ${formatLevel(record.level)} ${record.msg}`;
if (record.args.length > 0) {
const args = record.args
.map((arg, i) => `${colors.dim(`arg${i}:`)} ${formatArg(arg)}`)
.join(' ');
msg += ` ${colors.dim('|')} ${args}`;
}
return msg;
},
}),
file: new log.FileHandler('DEBUG', {
filename:
Deno.env.get('LOG_FILE') || (await getEveFilePath('eve-logs.jsonl')),
formatter: (record) => {
const timestamp = new Date().toISOString();
return JSON.stringify({
timestamp,
level: levelName(record.level),
msg: record.msg,
args: record.args.map(sanitizeForLogging),
});
},
}),
};
if (db) {
handlers.database = new DatabaseHandler('DEBUG', { db });
}
log.setup({
handlers,
loggers: {
default: {
level: 'DEBUG',
handlers: ['console', 'file', 'database'],
},
},
});
}

0
utils/option.ts → src/utils/option.ts
View file

389
src/utils/outboundQueue.ts Normal file
View file

@ -0,0 +1,389 @@
import type * as nostrTools from '@nostr/tools';
import type { Database } from 'jsr:@db/sqlite';
import { MAX_TRANSMISSION_ATTEMPTS } from '../consts.ts';
import { publishToRelays, relays } from '../relays.ts';
import { log } from './logs.ts';
import { sql } from './queries.ts';
import {
SecurityEventType,
SecuritySeverity,
logSecurityEvent,
} from './securityLogs.ts';
export interface QueuedEvent {
queue_id: number;
event_id: string;
encrypted_event: string;
ccn_pubkey: string;
created_at: number;
attempts: number;
last_attempt: number | null;
status: 'pending' | 'sending' | 'sent' | 'failed' | 'stale';
error_message: string | null;
}
let isConnectedToRelays = false;
let lastSuccessfulTransmission = 0;
let consecutiveFailures = 0;
export function queueEventForTransmission(
db: Database,
eventId: string,
encryptedEvent: nostrTools.VerifiedEvent | nostrTools.VerifiedEvent[],
ccnPubkey: string,
): void {
try {
const encryptedEventJson = JSON.stringify(encryptedEvent);
sql`
INSERT OR REPLACE INTO outbound_event_queue
(event_id, encrypted_event, ccn_pubkey, status)
VALUES (${eventId}, ${encryptedEventJson}, ${ccnPubkey}, 'pending')
`(db);
log.debug('Event queued for transmission', {
tag: 'outboundQueue',
eventId,
ccnPubkey,
connectionState: isConnectedToRelays ? 'connected' : 'offline',
});
logSecurityEvent({
eventType: SecurityEventType.EVENT_QUEUED_FOR_TRANSMISSION,
severity: SecuritySeverity.LOW,
source: 'outbound_queue',
details: {
action: 'event_queued',
event_id: eventId,
ccn_pubkey: ccnPubkey,
is_chunked: Array.isArray(encryptedEvent),
connection_state: isConnectedToRelays,
},
});
} catch (error) {
log.error('Failed to queue event for transmission', {
tag: 'outboundQueue',
eventId,
error,
});
throw error;
}
}
export function getPendingEvents(db: Database, limit = 50): QueuedEvent[] {
const now = Math.floor(Date.now() / 1000);
const maxAge = 30 * 24 * 60 * 60;
sql`
UPDATE outbound_event_queue
SET status = 'stale'
WHERE status IN ('pending', 'failed')
AND created_at < ${now - maxAge}
`(db);
return sql`
SELECT * FROM outbound_event_queue
WHERE (
status = 'pending'
OR (
status = 'failed'
AND attempts < ${MAX_TRANSMISSION_ATTEMPTS}
AND (
last_attempt IS NULL OR
last_attempt < ${now - getAdaptiveRetryDelay(consecutiveFailures)}
)
)
)
AND status != 'stale'
ORDER BY
CASE WHEN status = 'pending' THEN 0 ELSE 1 END,
created_at ASC
LIMIT ${limit}
`(db) as QueuedEvent[];
}
function getAdaptiveRetryDelay(failures: number): number {
return Math.min(300, 2 ** failures * 10);
}
async function checkRelayConnectivity(): Promise<boolean> {
const connectivityTests = relays.map(async (relay) => {
try {
const ws = new WebSocket(relay);
return new Promise<boolean>((resolve) => {
const timeout = setTimeout(() => {
ws.close();
resolve(false);
}, 3000); // 3 second timeout
ws.onopen = () => {
clearTimeout(timeout);
ws.close();
resolve(true);
};
ws.onerror = () => {
clearTimeout(timeout);
resolve(false);
};
ws.onclose = () => {
clearTimeout(timeout);
resolve(false);
};
});
} catch {
return false;
}
});
try {
const results = await Promise.allSettled(connectivityTests);
const successfulConnections = results.filter(
(result) => result.status === 'fulfilled' && result.value === true,
).length;
const isConnected = successfulConnections > 0;
log.debug('Relay connectivity check completed', {
tag: 'outboundQueue',
successfulConnections,
totalTested: relays.length,
isConnected,
});
return isConnected;
} catch {
return false;
}
}
export async function processStartupQueue(db: Database): Promise<void> {
const startupEvents = sql`
SELECT COUNT(*) as count FROM outbound_event_queue
WHERE status IN ('pending', 'failed', 'sending')
`(db)[0].count;
if (startupEvents > 0) {
log.info(`Found ${startupEvents} events from previous session`, {
tag: 'outboundQueue',
});
sql`
UPDATE outbound_event_queue
SET status = 'failed',
attempts = attempts + 1,
error_message = 'Interrupted by shutdown'
WHERE status = 'sending'
`(db);
await processOutboundQueue(db);
}
}
export function markEventSending(db: Database, queueId: number): void {
const now = Math.floor(Date.now() / 1000);
sql`
UPDATE outbound_event_queue
SET status = 'sending', last_attempt = ${now}
WHERE queue_id = ${queueId}
`(db);
}
export function markEventSent(db: Database, queueId: number): void {
sql`
UPDATE outbound_event_queue
SET status = 'sent'
WHERE queue_id = ${queueId}
`(db);
isConnectedToRelays = true;
lastSuccessfulTransmission = Math.floor(Date.now() / 1000);
consecutiveFailures = 0;
log.debug('Event marked as sent', {
tag: 'outboundQueue',
queueId,
});
}
export function markEventFailed(
db: Database,
queueId: number,
errorMessage: string,
): void {
sql`
UPDATE outbound_event_queue
SET status = 'failed',
attempts = attempts + 1,
error_message = ${errorMessage}
WHERE queue_id = ${queueId}
`(db);
consecutiveFailures++;
const timeSinceLastSuccess =
Math.floor(Date.now() / 1000) - lastSuccessfulTransmission;
if (consecutiveFailures >= 3 || timeSinceLastSuccess > 300) {
isConnectedToRelays = false;
}
log.warn('Event transmission failed', {
tag: 'outboundQueue',
queueId,
errorMessage,
consecutiveFailures,
timeSinceLastSuccess,
connectionState: isConnectedToRelays ? 'connected' : 'offline',
});
logSecurityEvent({
eventType: SecurityEventType.SYSTEM_STARTUP,
severity: SecuritySeverity.MEDIUM,
source: 'outbound_queue',
details: {
action: 'transmission_failed',
queue_id: queueId,
error_message: errorMessage,
consecutive_failures: consecutiveFailures,
},
});
}
async function batchProcessEvents(
db: Database,
events: QueuedEvent[],
): Promise<void> {
const BATCH_SIZE = 10;
const batches = [];
for (let i = 0; i < events.length; i += BATCH_SIZE) {
batches.push(events.slice(i, i + BATCH_SIZE));
}
for (const batch of batches) {
const promises = batch.map(async (queuedEvent) => {
try {
const encryptedEvent = JSON.parse(queuedEvent.encrypted_event);
await publishToRelays(encryptedEvent);
return { queueId: queuedEvent.queue_id, success: true };
} catch (error) {
const errorMessage =
error instanceof Error ? error.message : 'Unknown error';
return {
queueId: queuedEvent.queue_id,
success: false,
error: errorMessage,
};
}
});
const results = await Promise.allSettled(promises);
results.forEach((result, index) => {
const queuedEvent = batch[index];
if (result.status === 'fulfilled' && result.value.success) {
markEventSent(db, queuedEvent.queue_id);
} else {
const error =
result.status === 'fulfilled'
? result.value.error
: 'Promise rejected';
markEventFailed(db, queuedEvent.queue_id, error || 'Unknown error');
}
});
if (batches.indexOf(batch) < batches.length - 1) {
await new Promise((resolve) => setTimeout(resolve, 1000));
}
}
}
export async function processOutboundQueue(db: Database): Promise<void> {
const pendingEvents = getPendingEvents(db);
if (pendingEvents.length === 0) {
return;
}
const connectivityResult = await checkRelayConnectivity();
if (!connectivityResult && consecutiveFailures > 5) {
log.debug('Skipping queue processing - appears to be offline', {
tag: 'outboundQueue',
consecutiveFailures,
});
return;
}
log.info(`Processing ${pendingEvents.length} pending events`, {
tag: 'outboundQueue',
connectionState: isConnectedToRelays ? 'connected' : 'unknown',
});
for (const event of pendingEvents) {
markEventSending(db, event.queue_id);
}
await batchProcessEvents(db, pendingEvents);
}
export function getQueueStats(db: Database): {
pending: number;
sending: number;
sent: number;
failed: number;
stale: number;
total: number;
connectionState: string;
consecutiveFailures: number;
} {
const stats = sql`
SELECT
status,
COUNT(*) as count
FROM outbound_event_queue
GROUP BY status
`(db);
const result = {
pending: 0,
sending: 0,
sent: 0,
failed: 0,
stale: 0,
total: 0,
connectionState: isConnectedToRelays ? 'connected' : 'offline',
consecutiveFailures,
};
for (const stat of stats) {
const status = stat.status as
| 'pending'
| 'sending'
| 'sent'
| 'failed'
| 'stale';
switch (status) {
case 'pending':
result.pending = stat.count;
break;
case 'sending':
result.sending = stat.count;
break;
case 'sent':
result.sent = stat.count;
break;
case 'failed':
result.failed = stat.count;
break;
case 'stale':
result.stale = stat.count;
break;
}
result.total += stat.count;
}
return result;
}

14
src/utils/parseATagQuery.ts Normal file
View file

@ -0,0 +1,14 @@
export function parseATagQuery(aTagValue: string): {
kind: number;
pubkey: string;
dTag?: string;
} {
const parts = aTagValue.split(':');
if (parts.length < 2) return { kind: 0, pubkey: '' };
return {
kind: Number.parseInt(parts[0], 10),
pubkey: parts[1],
dTag: parts.length > 2 ? parts[2] : undefined,
};
}

0
utils/queries.ts → src/utils/queries.ts
View file

7
src/utils/randomTimeUpTo2DaysInThePast.ts Normal file
View file

@ -0,0 +1,7 @@
export function randomTimeUpTo2DaysInThePast() {
const now = Date.now();
const twoDaysAgo = now - 2 * 24 * 60 * 60 * 1000 - 3600 * 1000; // 1 hour buffer in case of clock skew
return Math.floor(
(Math.floor(Math.random() * (now - twoDaysAgo)) + twoDaysAgo) / 1000,
);
}

220
src/utils/securityLogs.ts Normal file
View file

@ -0,0 +1,220 @@
import { log } from './logs.ts';
export enum SecurityEventType {
// Authentication & Authorization
CCN_ACCESS_DENIED = 'ccn_access_denied',
CCN_ACTIVATION_ATTEMPT = 'ccn_activation_attempt',
CCN_CREATION_ATTEMPT = 'ccn_creation_attempt',
UNAUTHORIZED_WRITE_ATTEMPT = 'unauthorized_write_attempt',
// Connection Security
NON_LOCALHOST_CONNECTION_BLOCKED = 'non_localhost_connection_blocked',
SUSPICIOUS_HEADER_DETECTED = 'suspicious_header_detected',
WEBSOCKET_CONNECTION_ESTABLISHED = 'websocket_connection_established',
WEBSOCKET_CONNECTION_CLOSED = 'websocket_connection_closed',
// Cryptographic Operations
DECRYPTION_FAILURE = 'decryption_failure',
INVALID_SIGNATURE = 'invalid_signature',
POW_VALIDATION_FAILURE = 'pow_validation_failure',
ENCRYPTION_ERROR = 'encryption_error',
// Event Processing
DUPLICATE_EVENT_BLOCKED = 'duplicate_event_blocked',
MALFORMED_EVENT = 'malformed_event',
CHUNKED_EVENT_RECEIVED = 'chunked_event_received',
CHUNKED_EVENT_COMPLETED = 'chunked_event_completed',
EVENT_QUEUED_FOR_TRANSMISSION = 'event_queued_for_transmission',
// Resource Usage & DoS Protection
SUBSCRIPTION_LIMIT_EXCEEDED = 'subscription_limit_exceeded',
MEMORY_USAGE_HIGH = 'memory_usage_high',
LARGE_PAYLOAD_DETECTED = 'large_payload_detected',
// Database Security
SQL_QUERY_EXECUTED = 'sql_query_executed',
MIGRATION_EXECUTED = 'migration_executed',
TRANSACTION_ROLLBACK = 'transaction_rollback',
// CCN Boundary Violations
CCN_BOUNDARY_VIOLATION_ATTEMPT = 'ccn_boundary_violation_attempt',
INVITE_VALIDATION_FAILURE = 'invite_validation_failure',
INVITE_ALREADY_USED = 'invite_already_used',
// System Events
SYSTEM_STARTUP = 'system_startup',
SYSTEM_SHUTDOWN = 'system_shutdown',
CONFIGURATION_LOADED = 'configuration_loaded',
ERROR_THRESHOLD_EXCEEDED = 'error_threshold_exceeded',
}
export enum SecuritySeverity {
LOW = 'low',
MEDIUM = 'medium',
HIGH = 'high',
CRITICAL = 'critical',
}
export interface SecurityEventData {
eventType: SecurityEventType;
severity: SecuritySeverity;
timestamp: string;
source: string;
details: Record<string, unknown>;
userAgent?: string;
remoteAddr?: string;
ccnPubkey?: string;
userId?: string;
eventId?: string;
subscriptionId?: string;
risk_score?: number;
}
class SecurityLogger {
private readonly eventCounts = new Map<SecurityEventType, number>();
private readonly lastEventTime = new Map<SecurityEventType, number>();
logSecurityEvent(data: Omit<SecurityEventData, 'timestamp'>): void {
const eventData: SecurityEventData = {
...data,
timestamp: new Date().toISOString(),
};
this.updateEventTracking(data.eventType);
switch (data.severity) {
case SecuritySeverity.CRITICAL:
log.error(`SECURITY_CRITICAL: ${data.eventType}`, eventData);
break;
case SecuritySeverity.HIGH:
log.error(`SECURITY_HIGH: ${data.eventType}`, eventData);
break;
case SecuritySeverity.MEDIUM:
log.warn(`SECURITY_MEDIUM: ${data.eventType}`, eventData);
break;
case SecuritySeverity.LOW:
log.info(`SECURITY_LOW: ${data.eventType}`, eventData);
break;
}
}
logAuthEvent(
eventType: SecurityEventType,
success: boolean,
details: Record<string, unknown>,
remoteAddr?: string,
): void {
this.logSecurityEvent({
eventType,
severity: success ? SecuritySeverity.LOW : SecuritySeverity.MEDIUM,
source: 'authentication',
details: { success, ...details },
remoteAddr,
});
}
logCCNViolation(
eventType: SecurityEventType,
ccnPubkey: string,
attemptedAction: string,
details: Record<string, unknown>,
): void {
this.logSecurityEvent({
eventType,
severity: SecuritySeverity.HIGH,
source: 'ccn_boundary',
ccnPubkey,
details: { attemptedAction, ...details },
risk_score: 8.5,
});
}
logCryptoFailure(
eventType: SecurityEventType,
operation: string,
details: Record<string, unknown>,
): void {
this.logSecurityEvent({
eventType,
severity: SecuritySeverity.MEDIUM,
source: 'cryptography',
details: { operation, ...details },
});
}
logDoSEvent(
eventType: SecurityEventType,
details: Record<string, unknown>,
remoteAddr?: string,
): void {
this.logSecurityEvent({
eventType,
severity: SecuritySeverity.HIGH,
source: 'dos_protection',
details,
remoteAddr,
risk_score: 7.0,
});
}
logSystemEvent(
eventType: SecurityEventType,
details: Record<string, unknown>,
): void {
this.logSecurityEvent({
eventType,
severity: SecuritySeverity.LOW,
source: 'system',
details,
});
}
private updateEventTracking(eventType: SecurityEventType): void {
const now = Date.now();
const count = this.eventCounts.get(eventType) || 0;
this.eventCounts.set(eventType, count + 1);
this.lastEventTime.set(eventType, now);
}
}
export const securityLogger = new SecurityLogger();
export const logSecurityEvent = (data: Omit<SecurityEventData, 'timestamp'>) =>
securityLogger.logSecurityEvent(data);
export const logAuthEvent = (
eventType: SecurityEventType,
success: boolean,
details: Record<string, unknown>,
remoteAddr?: string,
) => securityLogger.logAuthEvent(eventType, success, details, remoteAddr);
export const logCCNViolation = (
eventType: SecurityEventType,
ccnPubkey: string,
attemptedAction: string,
details: Record<string, unknown>,
) =>
securityLogger.logCCNViolation(
eventType,
ccnPubkey,
attemptedAction,
details,
);
export const logCryptoFailure = (
eventType: SecurityEventType,
operation: string,
details: Record<string, unknown>,
) => securityLogger.logCryptoFailure(eventType, operation, details);
export const logDoSEvent = (
eventType: SecurityEventType,
details: Record<string, unknown>,
remoteAddr?: string,
) => securityLogger.logDoSEvent(eventType, details, remoteAddr);
export const logSystemEvent = (
eventType: SecurityEventType,
details: Record<string, unknown>,
) => securityLogger.logSystemEvent(eventType, details);

12
utils/invites.ts
View file

@ -1,12 +0,0 @@
import { bytesToHex } from '@noble/ciphers/utils';
import { nip19 } from '@nostr/tools';
import { bech32m } from '@scure/base';
export function readInvite(invite: `${string}1${string}`) {
const decoded = bech32m.decode(invite, false);
if (decoded.prefix !== 'eveinvite') return false;
const hexBytes = bech32m.fromWords(decoded.words);
const npub = nip19.npubEncode(bytesToHex(hexBytes.slice(0, 32)));
const inviteCode = bytesToHex(hexBytes.slice(32));
return { npub, invite: inviteCode };
}

75
utils/logs.ts
View file

@ -1,75 +0,0 @@
import * as colors from 'jsr:@std/fmt@^1.0.4/colors';
import * as log from 'jsr:@std/log';
import { getEveFilePath } from './files.ts';
export * as log from 'jsr:@std/log';
export async function setupLogger() {
const formatLevel = (level: number): string => {
return (
{
10: colors.gray('[DEBUG]'),
20: colors.green('[INFO] '),
30: colors.yellow('[WARN] '),
40: colors.red('[ERROR]'),
50: colors.bgRed('[FATAL]'),
}[level] || `[LVL${level}]`
);
};
const levelName = (level: number): string => {
return (
{
10: 'DEBUG',
20: 'INFO',
30: 'WARN',
40: 'ERROR',
50: 'FATAL',
}[level] || `LVL${level}`
);
};
const formatArg = (arg: unknown): string => {
if (typeof arg === 'object') return JSON.stringify(arg);
return String(arg);
};
await log.setup({
handlers: {
console: new log.ConsoleHandler('DEBUG', {
useColors: true,
formatter: (record) => {
const timestamp = new Date().toISOString();
let msg = `${colors.dim(`[${timestamp}]`)} ${formatLevel(record.level)} ${record.msg}`;
if (record.args.length > 0) {
const args = record.args
.map((arg, i) => `${colors.dim(`arg${i}:`)} ${formatArg(arg)}`)
.join(' ');
msg += ` ${colors.dim('|')} ${args}`;
}
return msg;
},
}),
file: new log.FileHandler('DEBUG', {
filename:
Deno.env.get('LOG_FILE') || (await getEveFilePath('eve-logs.jsonl')),
formatter: (record) => {
const timestamp = new Date().toISOString();
return JSON.stringify({
timestamp,
level: levelName(record.level),
msg: record.msg,
args: record.args,
});
},
}),
},
loggers: {
default: {
level: 'DEBUG',
handlers: ['console', 'file'],
},
},
});
}