From 22a4fe069f0bc364f010b2a03084c8cd79127312 Mon Sep 17 00:00:00 2001
From: Danny Morabito <danny@arx-ccn.com>
Date: Wed, 6 Aug 2025 18:40:17 +0200
Subject: [PATCH] allow publishing events from allowed pubkeys without auth, if
 env variable is set

---
 index.ts    |  3 ++-
 src/main.ts | 15 +++++++++++----
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/index.ts b/index.ts
index 2e9d445..236dc47 100644
--- a/index.ts
+++ b/index.ts
@@ -1,7 +1,8 @@
 import { main } from "./src/main.ts";
 
+let allowUnauthedPublish = Boolean(process.env.ALLOW_UNAUTHED_PUBLISH) || false;
 let relay = process.env.RELAY_URL ?? Bun.argv[Bun.argv.length - 1];
 if (!relay?.startsWith("wss://") && !relay?.startsWith("ws://"))
   relay = "wss://relay.arx-ccn.com";
 
-main(relay)
+main(relay, allowUnauthedPublish)
diff --git a/src/main.ts b/src/main.ts
index e63566f..f4ddcf6 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -16,23 +16,26 @@ type Nip42ProxySocketData = {
   remoteWs: WebSocket;
 };
 
-async function validateAuthEvent(event: Event, challenge: string): boolean {
+async function validateAuthEvent(event: Event, challenge: string): Promise<boolean> {
   if (event.kind !== 22242) return false;
   const last30Seconds = Math.floor(Date.now() / 1000) - 30;
   if (event.created_at < last30Seconds) return false;
   const challengeTag = event.tags.find(tag => tag[0] === 'challenge')?.[1];
   if (challengeTag !== challenge) return false;
+  return await isPubkeyAllowed(event);
+}
+
+async function isPubkeyAllowed(event: Event): Promise<boolean> {
   const file = Bun.file("./allowed-pubkeys.json");
   if (!await file.exists()) return true;
   const allowedPubkeys = JSON.parse(await file.text());
-  if (!allowedPubkeys.includes(event.pubkey)) return false;
-  return true;
+  return allowedPubkeys.includes(event.pubkey);
 }
 
 const sendMessage = (ws: ServerWebSocket<Nip42ProxySocketData>, message: any[]) => ws.send(JSON.stringify(message), true);
 const sendAuth = (ws: ServerWebSocket<Nip42ProxySocketData>) => sendMessage(ws, ["AUTH", ws.data.authToken, "This is an authenticated relay."]);
 
-export function main(mainRelayUrl: string) {
+export function main(mainRelayUrl: string, allowUnauthedPublish: boolean) {
   const server = Bun.serve<Nip42ProxySocketData, {}>({
     fetch(req, server) {
       const upgrade = server.upgrade(req, {
@@ -54,6 +57,10 @@ export function main(mainRelayUrl: string) {
           }
           if (command === "EVENT") {
             const [event] = data;
+            if (allowUnauthedPublish && await isPubkeyAllowed(event)) {
+              ws.data.remoteWs.send(msg);
+              return;
+            }
             sendMessage(ws, ["OK", event.id, false, 'auth-required: you must authenticate first']);
           }
           if (command === "AUTH") {