laantungir/ginxsom
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: laantungir:v0.1.10
Branches Tags
laantungir:master
laantungir:v0.1.24 laantungir:v0.1.23 laantungir:v0.1.22 laantungir:v0.1.21 laantungir:v0.1.20 laantungir:v0.1.19 laantungir:v0.1.18 laantungir:v0.1.17 laantungir:v0.1.16 laantungir:v0.1.15 laantungir:v0.1.14 laantungir:v0.1.13 laantungir:v0.1.12 laantungir:v0.1.11 laantungir:v0.1.10 laantungir:v0.1.9 laantungir:v0.1.8 laantungir:v0.1.7 laantungir:v0.1.6 laantungir:v0.1.5 laantungir:v0.1.4 laantungir:v0.1.3 laantungir:v0.1.2 laantungir:v0.1.1
...
compare: laantungir:v0.1.15
Branches Tags
laantungir:master
laantungir:v0.1.24 laantungir:v0.1.23 laantungir:v0.1.22 laantungir:v0.1.21 laantungir:v0.1.20 laantungir:v0.1.19 laantungir:v0.1.18 laantungir:v0.1.17 laantungir:v0.1.16 laantungir:v0.1.15 laantungir:v0.1.14 laantungir:v0.1.13 laantungir:v0.1.12 laantungir:v0.1.11 laantungir:v0.1.10 laantungir:v0.1.9 laantungir:v0.1.8 laantungir:v0.1.7 laantungir:v0.1.6 laantungir:v0.1.5 laantungir:v0.1.4 laantungir:v0.1.3 laantungir:v0.1.2 laantungir:v0.1.1

5 Commits
v0.1.10 ... v0.1.15

Author SHA1 Message Date
Your Name
3da7b62a95 v0.1.14 - Implement all remaining admin commands (config_update, stats_query, system_status, blob_list, storage_stats, sql_query) and make test mode default in restart-all.sh. All commands now fully functional with proper database queries, error handling, and security checks. 2025-12-11 14:33:48 -04:00
Your Name
4f1fbee52c v0.1.13 - Fix Kind 23458 test script: use websocat for bidirectional relay communication and correct nak decrypt flag (-p instead of --recipient-pubkey). Admin command system now fully functional end-to-end with NIP-44 encryption. 2025-12-11 14:28:33 -04:00
Your Name
6592c37c6e v0.1.12 - Successfully integrated websocket client, and program connects to relays and publishes kinds 0 and 10002 2025-12-10 14:28:38 -04:00
Your Name
deec021933 v0.1.11 - Last push before changing logging system 2025-12-07 12:50:12 -04:00
Your Name
db7621a293 v0.1.10 - In the middle of working on getting admin api working 2025-11-21 11:54:17 -04:00
42 changed files with 10242 additions and 483 deletions
Expand all files Collapse all files

3
.gitmodules vendored
View File

@@ -1,6 +1,3 @@
[submodule "blossom"]
path = blossom
url = ssh://git@git.laantungir.net:222/laantungir/blossom.git
[submodule "nostr_core_lib"]
path = nostr_core_lib
url = ssh://git@git.laantungir.net:222/laantungir/nostr_core_lib.git

16
Makefile
View File

@@ -1,16 +1,20 @@
# Ginxsom Blossom Server Makefile
CC = gcc
CFLAGS = -Wall -Wextra -std=c99 -O2 -Inostr_core_lib/nostr_core -Inostr_core_lib/cjson
CFLAGS = -Wall -Wextra -std=gnu99 -O2 -Inostr_core_lib/nostr_core -Inostr_core_lib/cjson
LIBS = -lfcgi -lsqlite3 nostr_core_lib/libnostr_core_x64.a -lz -ldl -lpthread -lm -L/usr/local/lib -lsecp256k1 -lssl -lcrypto -lcurl
SRCDIR = src
BUILDDIR = build
TARGET = $(BUILDDIR)/ginxsom-fcgi
# Source files
SOURCES = $(SRCDIR)/main.c $(SRCDIR)/admin_api.c $(SRCDIR)/admin_auth.c $(SRCDIR)/admin_websocket.c $(SRCDIR)/admin_handlers.c $(SRCDIR)/bud04.c $(SRCDIR)/bud06.c $(SRCDIR)/bud08.c $(SRCDIR)/bud09.c $(SRCDIR)/request_validator.c
SOURCES = $(SRCDIR)/main.c $(SRCDIR)/admin_api.c $(SRCDIR)/admin_auth.c $(SRCDIR)/admin_event.c $(SRCDIR)/admin_handlers.c $(SRCDIR)/bud04.c $(SRCDIR)/bud06.c $(SRCDIR)/bud08.c $(SRCDIR)/bud09.c $(SRCDIR)/request_validator.c $(SRCDIR)/relay_client.c $(SRCDIR)/admin_commands.c
OBJECTS = $(SOURCES:$(SRCDIR)/%.c=$(BUILDDIR)/%.o)
# Add core_relay_pool.c from nostr_core_lib
POOL_SRC = nostr_core_lib/nostr_core/core_relay_pool.c
POOL_OBJ = $(BUILDDIR)/core_relay_pool.o
# Default target
all: $(TARGET)
@@ -22,9 +26,13 @@ $(BUILDDIR):
$(BUILDDIR)/%.o: $(SRCDIR)/%.c | $(BUILDDIR)
$(CC) $(CFLAGS) -c $< -o $@
# Compile core_relay_pool.o (needs src/ for request_validator.h)
$(POOL_OBJ): $(POOL_SRC) | $(BUILDDIR)
$(CC) $(CFLAGS) -I$(SRCDIR) -c $< -o $@
# Link final executable
$(TARGET): $(OBJECTS)
$(CC) $(OBJECTS) $(LIBS) -o $@
$(TARGET): $(OBJECTS) $(POOL_OBJ)
$(CC) $(OBJECTS) $(POOL_OBJ) $(LIBS) -o $@
# Clean build files
clean:

126
README.md
View File

@@ -369,6 +369,132 @@ Error responses include specific error codes:
- `no_blob_hashes`: Missing valid SHA-256 hashes
- `unsupported_media_type`: Non-JSON Content-Type
## Administrator API
Ginxsom uses an **event-based administration system** where all configuration and management commands are sent as signed Nostr events using the admin private key. All admin commands use **NIP-44 encrypted command arrays** for security.
### Authentication
All admin commands require signing with the admin private key configured in the server. The admin public key is stored in the database and checked against incoming Kind 23458 events.
### Event Structure
**Admin Command Event (Kind 23458):**
```json
{
"id": "event_id",
"pubkey": "admin_public_key",
"created_at": 1234587890,
"kind": 23458,
"content": "NIP44_ENCRYPTED_COMMAND_ARRAY",
"tags": [
["p", "blossom_server_pubkey"]
],
"sig": "event_signature"
}
```
The `content` field contains a NIP-44 encrypted JSON array representing the command.
**Admin Response Event (Kind 23459):**
```json
{
"id": "response_event_id",
"pubkey": "blossom_server_pubkey",
"created_at": 1234587890,
"kind": 23459,
"content": "NIP44_ENCRYPTED_RESPONSE_OBJECT",
"tags": [
["p", "admin_public_key"],
["e", "request_event_id"]
],
"sig": "response_event_signature"
}
```
The `content` field contains a NIP-44 encrypted JSON response object.
### Admin Commands
All commands are sent as NIP-44 encrypted JSON arrays in the event content:
| Command Type | Command Format | Description |
|--------------|----------------|-------------|
| **Configuration Management** |
| `config_query` | `["config_query", "all"]` | Query all configuration parameters |
| `config_update` | `["config_update", [{"key": "max_file_size", "value": "209715200", ...}]]` | Update configuration parameters |
| **Statistics & Monitoring** |
| `stats_query` | `["stats_query"]` | Get comprehensive database and storage statistics |
| `system_status` | `["system_command", "system_status"]` | Get system status and health metrics |
| **Blossom Operations** |
| `blob_list` | `["blob_list", "all"]` or `["blob_list", "pubkey", "abc123..."]` | List blobs with filtering |
| `storage_stats` | `["storage_stats"]` | Get detailed storage statistics |
| `mirror_status` | `["mirror_status"]` | Get status of mirroring operations |
| `report_query` | `["report_query", "all"]` | Query content reports (BUD-09) |
| **Database Queries** |
| `sql_query` | `["sql_query", "SELECT * FROM blobs LIMIT 10"]` | Execute read-only SQL query |
### Configuration Categories
**Blossom Settings:**
- `max_file_size`: Maximum upload size in bytes
- `storage_path`: Blob storage directory path
- `cdn_origin`: CDN URL for blob descriptors
- `enable_nip94`: Include NIP-94 tags in responses
**Relay Client Settings:**
- `enable_relay_connect`: Enable relay client functionality
- `kind_0_content`: Profile metadata JSON
- `kind_10002_tags`: Relay list JSON array
**Authentication Settings:**
- `auth_enabled`: Enable auth rules system
- `require_auth_upload`: Require authentication for uploads
- `require_auth_delete`: Require authentication for deletes
**Limits:**
- `max_blobs_per_user`: Per-user blob limit
- `rate_limit_uploads`: Uploads per minute
- `max_total_storage`: Total storage limit in bytes
### Response Format
All admin commands return signed EVENT responses via the relay connection. Responses use NIP-44 encrypted JSON content with structured data.
**Success Response Example:**
```json
{
"query_type": "stats_query",
"timestamp": 1234587890,
"database_size_bytes": 1048576,
"storage_size_bytes": 10737418240,
"total_blobs": 1543,
"blob_types": [
{"type": "image/jpeg", "count": 856, "size_bytes": 5368709120}
]
}
```
**Error Response Example:**
```json
{
"query_type": "config_update",
"status": "error",
"error": "invalid configuration value",
"timestamp": 1234587890
}
```
### Security Features
- **Cryptographic Authentication**: Only admin pubkey can send commands
- **NIP-44 Encryption**: All commands and responses are encrypted
- **Command Logging**: All admin actions logged to database
- **SQL Safety**: Only SELECT statements allowed with timeout and row limits
- **Rate Limiting**: Prevents admin command flooding
For detailed command specifications and examples, see [`docs/ADMIN_COMMANDS_PLAN.md`](docs/ADMIN_COMMANDS_PLAN.md).
## File Storage
### Current (Flat) Structure

0
tests/admin_test.sh → Trash/admin_test.sh
View File

7
db/schema.sql → Trash/schema.sql
View File

@@ -38,10 +38,13 @@ INSERT OR IGNORE INTO config (key, value, description) VALUES
('auth_rules_enabled', 'false', 'Whether authentication rules are enabled for uploads'),
('server_name', 'ginxsom', 'Server name for responses'),
('admin_pubkey', '', 'Admin public key for API access'),
('admin_enabled', 'false', 'Whether admin API is enabled'),
('admin_enabled', 'true', 'Whether admin API is enabled'),
('nip42_require_auth', 'false', 'Enable NIP-42 challenge/response authentication'),
('nip42_challenge_timeout', '600', 'NIP-42 challenge timeout in seconds'),
('nip42_time_tolerance', '300', 'NIP-42 timestamp tolerance in seconds');
('nip42_time_tolerance', '300', 'NIP-42 timestamp tolerance in seconds'),
('enable_relay_connect', 'true', 'Enable Nostr relay client connections'),
('kind_0_content', '{"name":"Ginxsom Blossom Server","about":"A Blossom media server for storing and serving files on Nostr","picture":"","nip05":""}', 'Kind 0 profile metadata content (JSON)'),
('kind_10002_tags', '["wss://relay.laantungir.net"]', 'Kind 10002 relay list - JSON array of relay URLs');
-- Authentication rules table for whitelist/blacklist functionality
CREATE TABLE IF NOT EXISTS auth_rules (

0
tests/test_admin_api.sh → Trash/test_admin_api.sh
View File

BIN
build/admin_api.o
View File

Binary file not shown.

BIN
build/admin_commands.o Normal file
View File

Binary file not shown.

BIN
build/admin_event.o Normal file
View File

Binary file not shown.

BIN
build/admin_websocket.o
View File

Binary file not shown.

BIN
build/bud08.o
View File

Binary file not shown.

BIN
build/bud09.o
View File

Binary file not shown.

BIN
build/core_relay_pool.o Normal file
View File

Binary file not shown.

BIN
build/ginxsom-fcgi
View File

Binary file not shown.

BIN
build/main.o
View File

Binary file not shown.

BIN
build/relay_client.o Normal file
View File

Binary file not shown.

BIN
build/request_validator.o
View File

Binary file not shown.

7
config/local-nginx.conf
View File

@@ -2,7 +2,8 @@
# Comprehensive Blossom Protocol Implementation
# Main context - specify error log here to override system default
error_log logs/nginx/error.log info;
# Set to warn level to capture FastCGI stderr messages
error_log logs/nginx/error.log warn;
pid logs/nginx/nginx.pid;
events {
@@ -221,7 +222,7 @@ http {
# Admin API endpoints (/api/*)
location /api/ {
if ($request_method !~ ^(GET|PUT)$) {
if ($request_method !~ ^(GET|PUT|POST)$) {
return 405;
}
fastcgi_pass fastcgi_backend;
@@ -572,7 +573,7 @@ http {
# Admin API endpoints (/api/*)
location /api/ {
if ($request_method !~ ^(GET|PUT)$) {
if ($request_method !~ ^(GET|PUT|POST)$) {
return 405;
}
fastcgi_pass fastcgi_backend;

BIN
db/ginxsom.db → db/52e366edfa4e9cc6a6d4653828e51ccf828a2f5a05227d7a768f33b5a198681a.db
View File

Binary file not shown.

78
db/migrations/001_add_auth_rules.sql
View File

@@ -1,78 +0,0 @@
-- Migration: Add authentication rules tables
-- Purpose: Enable whitelist/blacklist functionality for Ginxsom
-- Date: 2025-01-12
-- Enable foreign key constraints
PRAGMA foreign_keys = ON;
-- Authentication rules table for whitelist/blacklist functionality
CREATE TABLE IF NOT EXISTS auth_rules (
id INTEGER PRIMARY KEY AUTOINCREMENT,
rule_type TEXT NOT NULL, -- 'pubkey_blacklist', 'pubkey_whitelist',
-- 'hash_blacklist', 'mime_blacklist', 'mime_whitelist'
rule_target TEXT NOT NULL, -- The pubkey, hash, or MIME type to match
operation TEXT NOT NULL DEFAULT '*', -- 'upload', 'delete', 'list', or '*' for all
enabled INTEGER NOT NULL DEFAULT 1, -- 1 = enabled, 0 = disabled
priority INTEGER NOT NULL DEFAULT 100,-- Lower number = higher priority
description TEXT, -- Human-readable description
created_by TEXT, -- Admin pubkey who created the rule
created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),
updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),
-- Constraints
CHECK (rule_type IN ('pubkey_blacklist', 'pubkey_whitelist',
'hash_blacklist', 'mime_blacklist', 'mime_whitelist')),
CHECK (operation IN ('upload', 'delete', 'list', '*')),
CHECK (enabled IN (0, 1)),
CHECK (priority >= 0),
-- Unique constraint: one rule per type/target/operation combination
UNIQUE(rule_type, rule_target, operation)
);
-- Indexes for performance optimization
CREATE INDEX IF NOT EXISTS idx_auth_rules_type_target ON auth_rules(rule_type, rule_target);
CREATE INDEX IF NOT EXISTS idx_auth_rules_operation ON auth_rules(operation);
CREATE INDEX IF NOT EXISTS idx_auth_rules_enabled ON auth_rules(enabled);
CREATE INDEX IF NOT EXISTS idx_auth_rules_priority ON auth_rules(priority);
CREATE INDEX IF NOT EXISTS idx_auth_rules_type_operation ON auth_rules(rule_type, operation, enabled);
-- Cache table for authentication decisions (5-minute TTL)
CREATE TABLE IF NOT EXISTS auth_rules_cache (
cache_key TEXT PRIMARY KEY NOT NULL, -- SHA-256 hash of request parameters
decision INTEGER NOT NULL, -- 1 = allow, 0 = deny
reason TEXT, -- Reason for decision
pubkey TEXT, -- Public key from request
operation TEXT, -- Operation type
resource_hash TEXT, -- Resource hash (if applicable)
created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),
expires_at INTEGER NOT NULL, -- Expiration timestamp
CHECK (decision IN (0, 1))
);
-- Index for cache expiration cleanup
CREATE INDEX IF NOT EXISTS idx_auth_cache_expires ON auth_rules_cache(expires_at);
CREATE INDEX IF NOT EXISTS idx_auth_cache_pubkey ON auth_rules_cache(pubkey);
-- Insert example rules (commented out - uncomment to use)
-- Example: Blacklist a specific pubkey for uploads
-- INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description, created_by) VALUES
-- ('pubkey_blacklist', '79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798', 'upload', 10, 'Example blacklisted user', 'admin_pubkey_here');
-- Example: Whitelist a specific pubkey for all operations
-- INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description, created_by) VALUES
-- ('pubkey_whitelist', 'your_pubkey_here', '*', 300, 'Trusted user - all operations allowed', 'admin_pubkey_here');
-- Example: Blacklist executable MIME types
-- INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description, created_by) VALUES
-- ('mime_blacklist', 'application/x-executable', 'upload', 200, 'Block executable files', 'admin_pubkey_here'),
-- ('mime_blacklist', 'application/x-msdos-program', 'upload', 200, 'Block DOS executables', 'admin_pubkey_here'),
-- ('mime_blacklist', 'application/x-msdownload', 'upload', 200, 'Block Windows executables', 'admin_pubkey_here');
-- Example: Whitelist common image types
-- INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description, created_by) VALUES
-- ('mime_whitelist', 'image/jpeg', 'upload', 400, 'Allow JPEG images', 'admin_pubkey_here'),
-- ('mime_whitelist', 'image/png', 'upload', 400, 'Allow PNG images', 'admin_pubkey_here'),
-- ('mime_whitelist', 'image/gif', 'upload', 400, 'Allow GIF images', 'admin_pubkey_here'),
-- ('mime_whitelist', 'image/webp', 'upload', 400, 'Allow WebP images', 'admin_pubkey_here');

15
db/migrations/002_add_relay_seckey.sql
View File

@@ -1,15 +0,0 @@
-- Migration: Add blossom_seckey table for storing server private key
-- This table stores the Blossom server's secp256k1 private key used for:
-- - Signing admin response events (Kind 23457)
-- - Decrypting admin commands (NIP-44)
CREATE TABLE IF NOT EXISTS blossom_seckey (
id INTEGER PRIMARY KEY CHECK (id = 1), -- Only one row allowed
seckey TEXT NOT NULL, -- Private key in hex format (64 chars)
created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),
CHECK (length(seckey) = 64) -- Ensure valid secp256k1 key length
);
-- Add blossom_pubkey to config if not exists
INSERT OR IGNORE INTO config (key, value, description) VALUES
('blossom_pubkey', '', 'Blossom server public key derived from blossom_seckey');

4391
debug.log Normal file
View File

File diff suppressed because it is too large Load Diff

535
docs/ADMIN_COMMANDS_PLAN.md Normal file
View File

@@ -0,0 +1,535 @@
# Ginxsom Admin Commands Implementation Plan
## Overview
This document outlines the implementation plan for Ginxsom's admin command system, adapted from c-relay's event-based administration system. Commands are sent as NIP-44 encrypted Kind 23456 events and responses are returned as Kind 23457 events.
## Command Analysis: c-relay vs Ginxsom
### Commands to Implement (Blossom-Relevant)
| c-relay Command | Ginxsom Equivalent | Rationale |
|-----------------|-------------------|-----------|
| `config_query` | `config_query` | Query Blossom server configuration |
| `config_update` | `config_update` | Update server settings dynamically |
| `stats_query` | `stats_query` | Database statistics (blobs, storage, etc.) |
| `system_status` | `system_status` | Server health and status |
| `sql_query` | `sql_query` | Direct database queries for debugging |
| N/A | `blob_list` | List blobs by pubkey or criteria |
| N/A | `storage_stats` | Storage usage and capacity info |
| N/A | `mirror_status` | Status of mirroring operations |
| N/A | `report_query` | Query content reports (BUD-09) |
### Commands to Exclude (Not Blossom-Relevant)
| c-relay Command | Reason for Exclusion |
|-----------------|---------------------|
| `auth_add_blacklist` | Blossom uses different auth model (per-blob, not per-pubkey) |
| `auth_add_whitelist` | Same as above |
| `auth_delete_rule` | Same as above |
| `auth_query_all` | Same as above |
| `system_clear_auth` | Same as above |
**Note**: Blossom's authentication is event-based per operation (upload/delete), not relay-level whitelist/blacklist. Auth rules in Ginxsom are configured via the `auth_rules` table but managed differently than c-relay.
## Event Structure
### Admin Command Event (Kind 23456)
```json
{
"id": "event_id",
"pubkey": "admin_public_key",
"created_at": 1234567890,
"kind": 23456,
"content": "NIP44_ENCRYPTED_COMMAND_ARRAY",
"tags": [
["p", "blossom_server_pubkey"]
],
"sig": "event_signature"
}
```
### Admin Response Event (Kind 23457)
```json
{
"id": "response_event_id",
"pubkey": "blossom_server_pubkey",
"created_at": 1234567890,
"kind": 23457,
"content": "NIP44_ENCRYPTED_RESPONSE_OBJECT",
"tags": [
["p", "admin_public_key"],
["e", "request_event_id"]
],
"sig": "response_event_signature"
}
```
## Command Specifications
### 1. Configuration Management
#### `config_query`
Query server configuration parameters.
**Command Format:**
```json
["config_query", "all"]
["config_query", "category", "blossom"]
["config_query", "key", "max_file_size"]
```
**Response:**
```json
{
"query_type": "config_all",
"total_results": 15,
"timestamp": 1234567890,
"data": [
{
"key": "max_file_size",
"value": "104857600",
"data_type": "integer",
"category": "blossom",
"description": "Maximum file size in bytes"
},
{
"key": "enable_relay_connect",
"value": "true",
"data_type": "boolean",
"category": "relay",
"description": "Enable relay client functionality"
}
]
}
```
**Configuration Categories:**
- `blossom`: Blossom protocol settings (max_file_size, storage_path, etc.)
- `relay`: Relay client settings (enable_relay_connect, kind_0_content, etc.)
- `auth`: Authentication settings (auth_enabled, nip42_required, etc.)
- `limits`: Rate limits and quotas
- `system`: System-level settings
#### `config_update`
Update configuration parameters dynamically.
**Command Format:**
```json
["config_update", [
{
"key": "max_file_size",
"value": "209715200",
"data_type": "integer",
"category": "blossom"
},
{
"key": "enable_relay_connect",
"value": "true",
"data_type": "boolean",
"category": "relay"
}
]]
```
**Response:**
```json
{
"query_type": "config_update",
"status": "success",
"total_results": 2,
"timestamp": 1234567890,
"data": [
{
"key": "max_file_size",
"value": "209715200",
"status": "updated",
"restart_required": false
},
{
"key": "enable_relay_connect",
"value": "true",
"status": "updated",
"restart_required": true
}
]
}
```
### 2. Statistics and Monitoring
#### `stats_query`
Get comprehensive database and storage statistics.
**Command Format:**
```json
["stats_query"]
```
**Response:**
```json
{
"query_type": "stats_query",
"timestamp": 1234567890,
"database_size_bytes": 1048576,
"storage_size_bytes": 10737418240,
"total_blobs": 1543,
"unique_uploaders": 234,
"blob_types": [
{"type": "image/jpeg", "count": 856, "size_bytes": 5368709120, "percentage": 55.4},
{"type": "image/png", "count": 432, "size_bytes": 3221225472, "percentage": 28.0},
{"type": "video/mp4", "count": 123, "size_bytes": 2147483648, "percentage": 8.0}
],
"time_stats": {
"total": 1543,
"last_24h": 45,
"last_7d": 234,
"last_30d": 876
},
"top_uploaders": [
{"pubkey": "abc123...", "blob_count": 234, "total_bytes": 1073741824, "percentage": 15.2},
{"pubkey": "def456...", "blob_count": 187, "total_bytes": 858993459, "percentage": 12.1}
]
}
```
#### `system_status`
Get current system status and health metrics.
**Command Format:**
```json
["system_command", "system_status"]
```
**Response:**
```json
{
"query_type": "system_status",
"timestamp": 1234567890,
"uptime_seconds": 86400,
"version": "0.1.0",
"relay_client": {
"enabled": true,
"connected_relays": 1,
"relay_status": [
{
"url": "wss://relay.laantungir.net",
"state": "connected",
"events_received": 12,
"events_published": 3
}
]
},
"storage": {
"path": "/home/teknari/lt_gitea/ginxsom/blobs",
"total_bytes": 10737418240,
"available_bytes": 53687091200,
"usage_percentage": 16.7
},
"database": {
"path": "db/52e366edfa4e9cc6a6d4653828e51ccf828a2f5a05227d7a768f33b5a198681a.db",
"size_bytes": 1048576,
"total_blobs": 1543
}
}
```
### 3. Blossom-Specific Commands
#### `blob_list`
List blobs with filtering options.
**Command Format:**
```json
["blob_list", "all"]
["blob_list", "pubkey", "abc123..."]
["blob_list", "type", "image/jpeg"]
["blob_list", "recent", 50]
```
**Response:**
```json
{
"query_type": "blob_list",
"total_results": 50,
"timestamp": 1234567890,
"data": [
{
"sha256": "b1674191a88ec5cdd733e4240a81803105dc412d6c6708d53ab94fc248f4f553",
"size": 184292,
"type": "application/pdf",
"uploaded_at": 1725105921,
"uploader_pubkey": "abc123...",
"url": "https://cdn.example.com/b1674191a88ec5cdd733e4240a81803105dc412d6c6708d53ab94fc248f4f553.pdf"
}
]
}
```
#### `storage_stats`
Get detailed storage statistics.
**Command Format:**
```json
["storage_stats"]
```
**Response:**
```json
{
"query_type": "storage_stats",
"timestamp": 1234567890,
"storage_path": "/home/teknari/lt_gitea/ginxsom/blobs",
"total_bytes": 10737418240,
"available_bytes": 53687091200,
"used_bytes": 10737418240,
"usage_percentage": 16.7,
"blob_count": 1543,
"average_blob_size": 6958592,
"largest_blob": {
"sha256": "abc123...",
"size": 104857600,
"type": "video/mp4"
},
"by_type": [
{"type": "image/jpeg", "count": 856, "total_bytes": 5368709120},
{"type": "image/png", "count": 432, "total_bytes": 3221225472}
]
}
```
#### `mirror_status`
Get status of blob mirroring operations (BUD-04).
**Command Format:**
```json
["mirror_status"]
["mirror_status", "sha256", "abc123..."]
```
**Response:**
```json
{
"query_type": "mirror_status",
"timestamp": 1234567890,
"total_mirrors": 23,
"data": [
{
"sha256": "abc123...",
"source_url": "https://cdn.example.com/abc123.jpg",
"status": "completed",
"mirrored_at": 1725105921,
"size": 1048576
}
]
}
```
#### `report_query`
Query content reports (BUD-09).
**Command Format:**
```json
["report_query", "all"]
["report_query", "blob", "abc123..."]
["report_query", "type", "nudity"]
```
**Response:**
```json
{
"query_type": "report_query",
"total_results": 12,
"timestamp": 1234567890,
"data": [
{
"report_id": 1,
"blob_sha256": "abc123...",
"report_type": "nudity",
"reporter_pubkey": "def456...",
"content": "Inappropriate content",
"reported_at": 1725105921
}
]
}
```
### 4. Database Queries
#### `sql_query`
Execute read-only SQL queries for debugging.
**Command Format:**
```json
["sql_query", "SELECT * FROM blobs LIMIT 10"]
```
**Response:**
```json
{
"query_type": "sql_query",
"request_id": "request_event_id",
"timestamp": 1234567890,
"query": "SELECT * FROM blobs LIMIT 10",
"execution_time_ms": 12,
"row_count": 10,
"columns": ["sha256", "size", "type", "uploaded_at", "uploader_pubkey"],
"rows": [
["b1674191...", 184292, "application/pdf", 1725105921, "abc123..."]
]
}
```
**Security:**
- Only SELECT statements allowed
- Query timeout: 5 seconds
- Result row limit: 1000 rows
- All queries logged
## Implementation Architecture
### 1. Command Processing Flow
```
1. Relay client receives Kind 23456 event
2. Verify sender is admin_pubkey
3. Decrypt content using NIP-44
4. Parse command array
5. Validate command structure
6. Execute command handler
7. Generate response object
8. Encrypt response using NIP-44
9. Create Kind 23457 event
10. Publish to relays
```
### 2. Code Structure
**New Files:**
- `src/admin_commands.c` - Command handlers
- `src/admin_commands.h` - Command interface
- `src/nip44.c` - NIP-44 encryption wrapper (uses nostr_core_lib)
- `src/nip44.h` - NIP-44 interface
**Modified Files:**
- `src/relay_client.c` - Add command processing to `on_admin_command_event()`
- `src/main.c` - Initialize admin command system
### 3. Database Schema Additions
```sql
-- Admin command log
CREATE TABLE IF NOT EXISTS admin_commands (
id INTEGER PRIMARY KEY AUTOINCREMENT,
event_id TEXT NOT NULL,
command_type TEXT NOT NULL,
admin_pubkey TEXT NOT NULL,
executed_at INTEGER NOT NULL,
execution_time_ms INTEGER,
status TEXT NOT NULL,
error TEXT
);
-- Create index for command history queries
CREATE INDEX IF NOT EXISTS idx_admin_commands_executed
ON admin_commands(executed_at DESC);
```
### 4. Configuration Keys
**Blossom Category:**
- `max_file_size` - Maximum upload size in bytes
- `storage_path` - Blob storage directory
- `cdn_origin` - CDN URL for blob descriptors
- `enable_nip94` - Include NIP-94 tags in responses
**Relay Category:**
- `enable_relay_connect` - Enable relay client
- `kind_0_content` - Profile metadata JSON
- `kind_10002_tags` - Relay list JSON array
**Auth Category:**
- `auth_enabled` - Enable auth rules system
- `require_auth_upload` - Require auth for uploads
- `require_auth_delete` - Require auth for deletes
**Limits Category:**
- `max_blobs_per_user` - Per-user blob limit
- `rate_limit_uploads` - Uploads per minute
- `max_total_storage` - Total storage limit in bytes
## Implementation Phases
### Phase 1: NIP-44 Encryption Support
- Integrate nostr_core_lib NIP-44 functions
- Create encryption/decryption wrappers
- Test with sample data
### Phase 2: Command Infrastructure
- Create admin_commands.c/h
- Implement command parser
- Add command logging to database
- Implement response builder
### Phase 3: Core Commands
- Implement `config_query`
- Implement `config_update`
- Implement `stats_query`
- Implement `system_status`
### Phase 4: Blossom Commands
- Implement `blob_list`
- Implement `storage_stats`
- Implement `mirror_status`
- Implement `report_query`
### Phase 5: Advanced Features
- Implement `sql_query` with security
- Add command history tracking
- Implement rate limiting for admin commands
### Phase 6: Testing & Documentation
- Create test suite for each command
- Update README.md with admin API section
- Create example scripts using nak tool
## Security Considerations
1. **Authentication**: Only admin_pubkey can send commands
2. **Encryption**: All commands/responses use NIP-44
3. **Logging**: All admin actions logged to database
4. **Rate Limiting**: Prevent admin command flooding
5. **SQL Safety**: Only SELECT allowed, with timeout and row limits
6. **Input Validation**: Strict validation of all command parameters
## Testing Strategy
1. **Unit Tests**: Test each command handler independently
2. **Integration Tests**: Test full command flow with encryption
3. **Security Tests**: Verify auth checks and SQL injection prevention
4. **Performance Tests**: Ensure commands don't block relay operations
5. **Manual Tests**: Use nak tool to send real encrypted commands
## Documentation Updates
Add new section to README.md after "Content Reporting (BUD-09)":
```markdown
## Administrator API
Ginxsom uses an event-based administration system where commands are sent as
NIP-44 encrypted Kind 23456 events and responses are returned as Kind 23457
events. This provides secure, cryptographically authenticated remote management.
[Full admin API documentation here]

300
docs/DATABASE_NAMING_DESIGN.md Normal file
View File

@@ -0,0 +1,300 @@
# Database Naming Design (c-relay Pattern)
## Overview
Following c-relay's architecture, ginxsom will use pubkey-based database naming to ensure database-key consistency and prevent mismatched configurations.
## Database Naming Convention
Database files are named after the blossom server's public key:
```
db/<blossom_pubkey>.db
```
Example:
```
db/52e366edfa4e9cc6a6d4653828e51ccf828a2f5a05227d7a768f33b5a198681a.db
```
## Startup Scenarios
### Scenario 1: No Arguments (Fresh Start)
```bash
./ginxsom-fcgi
```
**Behavior:**
1. Generate new server keypair
2. Create database file: `db/<new_pubkey>.db`
3. Store keys in the new database
4. Start server
**Result:** New instance with fresh keys and database
---
### Scenario 2: Database File Specified
```bash
./ginxsom-fcgi --db-path db/52e366ed...198681a.db
```
**Behavior:**
1. Open specified database
2. Load blossom_seckey from database
3. Verify pubkey matches database filename
4. Load admin_pubkey if present
5. Start server
**Validation:**
- Database MUST exist
- Database MUST contain blossom_seckey
- Derived pubkey MUST match filename
**Error Cases:**
- Database doesn't exist → Error: "Database file not found"
- Database missing blossom_seckey → Error: "Invalid database: missing server keys"
- Pubkey mismatch → Error: "Database pubkey mismatch: expected X, got Y"
---
### Scenario 3: Keys Specified (New Instance with Specific Keys)
```bash
./ginxsom-fcgi --server-privkey c4e0d2ed...309c48f1 --admin-pubkey 8ff74724...5eedde0e
```
**Behavior:**
1. Validate provided server private key
2. Derive server public key
3. Create database file: `db/<derived_pubkey>.db`
4. Store both keys in new database
5. Start server
**Validation:**
- server-privkey MUST be valid 64-char hex
- Derived database file MUST NOT already exist (prevents overwriting)
**Error Cases:**
- Invalid privkey format → Error: "Invalid server private key format"
- Database already exists → Error: "Database already exists for this pubkey"
---
### Scenario 4: Test Mode
```bash
./ginxsom-fcgi --test-keys
```
**Behavior:**
1. Load keys from `.test_keys` file
2. Derive server public key from SERVER_PRIVKEY
3. Create/overwrite database: `db/<test_pubkey>.db`
4. Store test keys in database
5. Start server
**Special Handling:**
- Test mode ALWAYS overwrites existing database (for clean testing)
- Database name derived from test SERVER_PRIVKEY
---
### Scenario 5: Database + Keys Specified (Validation Mode)
```bash
./ginxsom-fcgi --db-path db/52e366ed...198681a.db --server-privkey c4e0d2ed...309c48f1
```
**Behavior:**
1. Open specified database
2. Load blossom_seckey from database
3. Compare with provided --server-privkey
4. If match: continue normally
5. If mismatch: ERROR and exit
**Purpose:** Validation/verification that correct keys are being used
**Error Cases:**
- Key mismatch → Error: "Server private key doesn't match database"
---
## Command Line Options
### Updated Options
```
--db-path PATH Database file path (must match pubkey if keys exist)
--storage-dir DIR Storage directory for files (default: blobs)
--admin-pubkey KEY Admin public key (only used when creating new database)
--server-privkey KEY Server private key (creates new DB or validates existing)
--test-keys Use test keys from .test_keys file
--generate-keys Generate new keypair and create database (deprecated - default behavior)
--help, -h Show this help message
```
### Removed Options
- `--generate-keys` - No longer needed, this is default behavior when no args provided
---
## Database Directory Structure
```
db/
├── 52e366edfa4e9cc6a6d4653828e51ccf828a2f5a05227d7a768f33b5a198681a.db # Test instance
├── a1b2c3d4e5f6...xyz.db # Production instance 1
├── f9e8d7c6b5a4...abc.db # Production instance 2
└── schema.sql # Schema template
```
Each database is completely independent and tied to its keypair.
---
## Implementation Logic Flow
```
START
├─ Parse command line arguments
├─ Initialize crypto system
├─ Determine mode:
│ │
│ ├─ Test mode (--test-keys)?
│ │ ├─ Load keys from .test_keys
│ │ ├─ Derive pubkey
│ │ ├─ Set db_path = db/<pubkey>.db
│ │ └─ Create/overwrite database
│ │
│ ├─ Keys provided (--server-privkey)?
│ │ ├─ Validate privkey format
│ │ ├─ Derive pubkey
│ │ ├─ Set db_path = db/<pubkey>.db
│ │ │
│ │ ├─ Database specified (--db-path)?
│ │ │ ├─ YES: Validate keys match database
│ │ │ └─ NO: Create new database
│ │ │
│ │ └─ Store keys in database
│ │
│ ├─ Database specified (--db-path)?
│ │ ├─ Open database
│ │ ├─ Load blossom_seckey
│ │ ├─ Derive pubkey
│ │ ├─ Validate pubkey matches filename
│ │ └─ Load admin_pubkey
│ │
│ └─ No arguments (fresh start)?
│ ├─ Generate new keypair
│ ├─ Set db_path = db/<new_pubkey>.db
│ └─ Create new database with keys
├─ Initialize database schema (if new)
├─ Load/validate all keys
└─ Start FastCGI server
```
---
## Migration Path
### For Existing Installations
1. **Backup current database:**
```bash
cp db/ginxsom.db db/ginxsom.db.backup
```
2. **Extract current pubkey:**
```bash
PUBKEY=$(sqlite3 db/ginxsom.db "SELECT value FROM config WHERE key='blossom_pubkey'")
```
3. **Rename database:**
```bash
mv db/ginxsom.db db/${PUBKEY}.db
```
4. **Update restart-all.sh:**
- Remove hardcoded `db/ginxsom.db` references
- Let application determine database name from keys
---
## Benefits
1. **Database-Key Consistency:** Impossible to use wrong database with wrong keys
2. **Multiple Instances:** Can run multiple independent instances with different keys
3. **Clear Identity:** Database filename immediately identifies the server
4. **Test Isolation:** Test databases are clearly separate from production
5. **No Accidental Overwrites:** Each keypair has its own database
6. **Follows c-relay Pattern:** Proven architecture from production relay software
---
## Error Messages
### Clear, Actionable Errors
```
ERROR: Database file not found: db/52e366ed...198681a.db
→ Specify a different database or let the application create a new one
ERROR: Invalid database: missing server keys
→ Database is corrupted or not a valid ginxsom database
ERROR: Database pubkey mismatch
Expected: 52e366edfa4e9cc6a6d4653828e51ccf828a2f5a05227d7a768f33b5a198681a
Got: a1b2c3d4e5f6789...
→ Database filename doesn't match the keys stored inside
ERROR: Server private key doesn't match database
→ The --server-privkey you provided doesn't match the database keys
ERROR: Database already exists for this pubkey: db/52e366ed...198681a.db
→ Use --db-path to open existing database or use different keys
```
---
## Testing Strategy
### Test Cases
1. **Fresh start (no args)** → Creates new database with generated keys
2. **Specify database** → Opens and validates existing database
3. **Specify keys** → Creates new database with those keys
4. **Test mode** → Uses test keys and creates test database
5. **Database + matching keys** → Validates and continues
6. **Database + mismatched keys** → Errors appropriately
7. **Invalid database path** → Clear error message
8. **Corrupted database** → Detects and reports
### Test Script
```bash
#!/bin/bash
# Test database naming system
# Test 1: Fresh start
./ginxsom-fcgi --generate-keys
# Should create db/<new_pubkey>.db
# Test 2: Test mode
./ginxsom-fcgi --test-keys
# Should create db/52e366ed...198681a.db
# Test 3: Specify keys
./ginxsom-fcgi --server-privkey abc123...
# Should create db/<derived_pubkey>.db
# Test 4: Open existing
./ginxsom-fcgi --db-path db/52e366ed...198681a.db
# Should open and validate
# Test 5: Mismatch error
./ginxsom-fcgi --db-path db/52e366ed...198681a.db --server-privkey wrong_key
# Should error with clear message

1640
docs/WEBSOCKET_IMPLEMENTATION.md Normal file
View File

File diff suppressed because it is too large Load Diff

8
ginxsom.code-workspace Normal file
View File

@@ -0,0 +1,8 @@
{
"folders": [
{
"path": "."
}
],
"settings": {}
}

1
nostr_core_lib

Submodule nostr_core_lib deleted from 7d7c3eafe8

114
restart-all.sh
View File

@@ -1,11 +1,12 @@
#!/bin/bash
# Restart Ginxsom Development Environment
# Combines nginx and FastCGI restart operations for debugging
# WARNING: This script DELETES all databases in db/ for fresh testing
# Configuration
# Parse command line arguments
TEST_MODE=0
TEST_MODE=1 # Default to test mode
FOLLOW_LOGS=0
while [[ $# -gt 0 ]]; do
@@ -14,14 +15,19 @@ while [[ $# -gt 0 ]]; do
TEST_MODE=1
shift
;;
-p|--production)
TEST_MODE=0
shift
;;
--follow)
FOLLOW_LOGS=1
shift
;;
*)
echo "Unknown option: $1"
echo "Usage: $0 [-t|--test-keys] [--follow]"
echo " -t, --test-keys Use test mode with keys from .test_keys"
echo "Usage: $0 [-t|--test-keys] [-p|--production] [--follow]"
echo " -t, --test-keys Use test mode with keys from .test_keys (DEFAULT)"
echo " -p, --production Use production mode (generate new keys)"
echo " --follow Follow logs in real-time"
exit 1
;;
@@ -177,9 +183,22 @@ if [ $? -ne 0 ]; then
fi
echo -e "${GREEN}Clean rebuild complete${NC}"
# Step 3.5: Handle keys based on mode
echo -e "\n${YELLOW}3.5. Configuring server keys...${NC}"
DB_PATH="$PWD/db/ginxsom.db"
# Step 3.5: Clean database directory for fresh testing
echo -e "\n${YELLOW}3.5. Cleaning database directory...${NC}"
echo "Removing all existing databases for fresh start..."
# Remove all .db files in db/ directory
if ls db/*.db 1> /dev/null 2>&1; then
echo "Found databases to remove:"
ls -lh db/*.db
rm -f db/*.db
echo -e "${GREEN}Database cleanup complete${NC}"
else
echo "No existing databases found"
fi
# Step 3.75: Handle keys based on mode
echo -e "\n${YELLOW}3.75. Configuring server keys...${NC}"
if [ $TEST_MODE -eq 1 ]; then
# Test mode: verify .test_keys file exists
@@ -188,29 +207,20 @@ if [ $TEST_MODE -eq 1 ]; then
echo -e "${RED}Test mode requires .test_keys file in project root${NC}"
exit 1
fi
# Extract test server pubkey to determine database name
TEST_PUBKEY=$(grep "^SERVER_PUBKEY=" .test_keys | cut -d"'" -f2)
if [ -z "$TEST_PUBKEY" ]; then
echo -e "${RED}ERROR: Could not extract SERVER_PUBKEY from .test_keys${NC}"
exit 1
fi
echo -e "${GREEN}Test mode: Will use keys from .test_keys${NC}"
echo -e "${GREEN}Fresh test database will be created as: db/${TEST_PUBKEY}.db${NC}"
else
# Production mode: check if keys exist, generate if needed
NEED_KEYS=1
if command -v sqlite3 >/dev/null 2>&1; then
if sqlite3 "$DB_PATH" "SELECT seckey FROM blossom_seckey WHERE id=1" 2>/dev/null | grep -Eq '^[0-9a-f]{64}$'; then
NEED_KEYS=0
echo -e "${GREEN}Blossom private key found in database${NC}"
fi
else
echo -e "${YELLOW}sqlite3 not found; assuming keys may be missing${NC}"
fi
if [ $NEED_KEYS -eq 1 ]; then
echo -e "${YELLOW}No blossom key found; generating server keypair...${NC}"
./build/ginxsom-fcgi --db-path "$DB_PATH" --storage-dir blobs --generate-keys 1>>logs/app/stdout.log 2>>logs/app/stderr.log
if [ $? -ne 0 ]; then
echo -e "${RED}Key generation failed. Check logs/app/stderr.log${NC}"
exit 1
fi
echo -e "${GREEN}Key generation completed${NC}"
echo -e "${YELLOW}IMPORTANT: Check logs/app/stderr.log for your generated keys!${NC}"
fi
# Production mode: databases were cleaned, will generate new keypair
echo -e "${YELLOW}Production mode: Fresh start with new keypair${NC}"
echo -e "${YELLOW}New database will be created as db/<new_pubkey>.db${NC}"
fi
# Step 4: Start FastCGI
@@ -232,30 +242,46 @@ echo "Setting GINX_DEBUG environment for pubkey extraction diagnostics"
export GINX_DEBUG=1
# Build command line arguments based on mode
FCGI_ARGS="--db-path $PWD/db/ginxsom.db --storage-dir blobs"
FCGI_ARGS="--storage-dir blobs"
if [ $TEST_MODE -eq 1 ]; then
FCGI_ARGS="$FCGI_ARGS --test-keys"
echo -e "${YELLOW}Starting FastCGI in TEST MODE with test keys${NC}"
else
# Production mode: databases were cleaned, will generate new keys
echo -e "${YELLOW}Starting FastCGI in production mode - will generate new keys and create database${NC}"
fi
# Start FastCGI application with proper logging (daemonized but with redirected streams)
# Start FastCGI application with proper logging
echo "FastCGI starting at $(date)" >> logs/app/stderr.log
spawn-fcgi -s "$SOCKET_PATH" -M 666 -u "$USER" -g "$USER" -P "$PID_FILE" -- "$FCGI_BINARY" $FCGI_ARGS 1>>logs/app/stdout.log 2>>logs/app/stderr.log
if [ $? -eq 0 ] && [ -f "$PID_FILE" ]; then
PID=$(cat "$PID_FILE")
# Use nohup with spawn-fcgi -n to keep process running with redirected output
# The key is: nohup prevents HUP signal, -n prevents daemonization (keeps stderr connected)
nohup spawn-fcgi -n -s "$SOCKET_PATH" -M 666 -u "$USER" -g "$USER" -- "$FCGI_BINARY" $FCGI_ARGS >>logs/app/stdout.log 2>>logs/app/stderr.log </dev/null &
SPAWN_PID=$!
# Wait for spawn-fcgi to spawn the child
sleep 1
# Get the actual FastCGI process PID (child of spawn-fcgi)
FCGI_PID=$(pgrep -f "ginxsom-fcgi.*--storage-dir" | head -1)
if [ -z "$FCGI_PID" ]; then
echo -e "${RED}Warning: Could not find FastCGI process${NC}"
FCGI_PID=$SPAWN_PID
fi
# Save PID
echo $FCGI_PID > "$PID_FILE"
# Give it a moment to start
sleep 1
if check_process "$FCGI_PID"; then
echo -e "${GREEN}FastCGI application started successfully${NC}"
echo "PID: $PID"
# Verify it's actually running
if check_process "$PID"; then
echo -e "${GREEN}Process confirmed running${NC}"
else
echo -e "${RED}Warning: Process may have crashed immediately${NC}"
exit 1
fi
echo "PID: $FCGI_PID"
echo -e "${GREEN}Process confirmed running${NC}"
else
echo -e "${RED}Failed to start FastCGI application${NC}"
echo -e "${RED}Process may have crashed immediately${NC}"
exit 1
fi
@@ -326,4 +352,8 @@ echo -e "${YELLOW}To stop all processes, run: nginx -p . -c $NGINX_CONFIG -s sto
echo -e "${YELLOW}To monitor logs, check: logs/nginx/error.log, logs/nginx/access.log, logs/app/stderr.log, logs/app/stdout.log${NC}"
echo -e "\n${YELLOW}Server is available at:${NC}"
echo -e " ${GREEN}HTTP:${NC} http://localhost:9001"
echo -e " ${GREEN}HTTPS:${NC} https://localhost:9443"
echo -e " ${GREEN}HTTPS:${NC} https://localhost:9443"
echo -e "\n${YELLOW}Admin WebSocket endpoint:${NC}"
echo -e " ${GREEN}WSS:${NC} wss://localhost:9443/admin (via nginx proxy)"
echo -e " ${GREEN}WS:${NC} ws://localhost:9001/admin (via nginx proxy)"
echo -e " ${GREEN}Direct:${NC} ws://localhost:9442 (direct connection)"

37
src/admin_api.c
View File

@@ -11,8 +11,8 @@
#include <unistd.h>
#include "ginxsom.h"
// Database path (consistent with main.c)
#define DB_PATH "db/ginxsom.db"
// Use global database path from main.c
extern char g_db_path[];
// Function declarations (moved from admin_api.h)
void handle_admin_api_request(const char* method, const char* uri, const char* validated_pubkey, int is_authenticated);
@@ -44,7 +44,7 @@ static int admin_nip94_get_origin(char* out, size_t out_size) {
sqlite3_stmt* stmt;
int rc;
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc) {
// Default on DB error
strncpy(out, "http://localhost:9001", out_size - 1);
@@ -130,8 +130,12 @@ void handle_admin_api_request(const char* method, const char* uri, const char* v
}
// Authentication now handled by centralized validation system
// Health endpoint is exempt from authentication requirement
if (strcmp(path, "/health") != 0) {
// Health endpoint and POST /admin (Kind 23456 events) are exempt from authentication requirement
// Kind 23456 events authenticate themselves via signed event validation
int skip_auth = (strcmp(path, "/health") == 0) ||
(strcmp(method, "POST") == 0 && strcmp(path, "/admin") == 0);
if (!skip_auth) {
if (!is_authenticated || !validated_pubkey) {
send_json_error(401, "admin_auth_required", "Valid admin authentication required");
return;
@@ -157,6 +161,13 @@ void handle_admin_api_request(const char* method, const char* uri, const char* v
} else {
send_json_error(404, "not_found", "API endpoint not found");
}
} else if (strcmp(method, "POST") == 0) {
if (strcmp(path, "/admin") == 0) {
// Handle Kind 23456/23457 admin event commands
handle_admin_event_request();
} else {
send_json_error(404, "not_found", "API endpoint not found");
}
} else if (strcmp(method, "PUT") == 0) {
if (strcmp(path, "/config") == 0) {
handle_config_put_api();
@@ -201,7 +212,7 @@ int verify_admin_pubkey(const char* event_pubkey) {
sqlite3_stmt* stmt;
int rc, is_admin = 0;
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc) {
return 0;
}
@@ -228,7 +239,7 @@ int is_admin_enabled(void) {
sqlite3_stmt* stmt;
int rc, enabled = 0;
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc) {
return 0; // Default disabled if can't access DB
}
@@ -254,7 +265,7 @@ void handle_stats_api(void) {
sqlite3_stmt* stmt;
int rc;
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc) {
send_json_error(500, "database_error", "Failed to open database");
return;
@@ -349,7 +360,7 @@ void handle_config_get_api(void) {
sqlite3_stmt* stmt;
int rc;
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc) {
send_json_error(500, "database_error", "Failed to open database");
return;
@@ -423,7 +434,7 @@ void handle_config_put_api(void) {
sqlite3_stmt* stmt;
int rc;
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READWRITE, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READWRITE, NULL);
if (rc) {
free(json_body);
cJSON_Delete(config_data);
@@ -541,7 +552,7 @@ void handle_config_key_put_api(const char* key) {
sqlite3_stmt* stmt;
int rc;
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READWRITE, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READWRITE, NULL);
if (rc) {
free(json_body);
cJSON_Delete(request_data);
@@ -621,7 +632,7 @@ void handle_files_api(void) {
sqlite3_stmt* stmt;
int rc;
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc) {
send_json_error(500, "database_error", "Failed to open database");
return;
@@ -715,7 +726,7 @@ void handle_health_api(void) {
// Check database connection
sqlite3* db;
int rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY, NULL);
int rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc == SQLITE_OK) {
cJSON_AddStringToObject(data, "database", "connected");
sqlite3_close(db);

743
src/admin_commands.c Normal file
View File

@@ -0,0 +1,743 @@
/*
* Ginxsom Admin Commands Implementation
*/
#include "admin_commands.h"
#include "../nostr_core_lib/nostr_core/nostr_core.h"
#include <sqlite3.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
// Forward declare app_log
typedef enum {
LOG_DEBUG = 0,
LOG_INFO = 1,
LOG_WARN = 2,
LOG_ERROR = 3
} log_level_t;
void app_log(log_level_t level, const char* format, ...);
// Global state
static struct {
int initialized;
char db_path[512];
} g_admin_state = {0};
// Initialize admin command system
int admin_commands_init(const char *db_path) {
if (g_admin_state.initialized) {
return 0;
}
strncpy(g_admin_state.db_path, db_path, sizeof(g_admin_state.db_path) - 1);
g_admin_state.initialized = 1;
app_log(LOG_INFO, "Admin command system initialized");
return 0;
}
// NIP-44 encryption helper
int admin_encrypt_response(
const unsigned char* server_privkey,
const unsigned char* admin_pubkey,
const char* plaintext_json,
char* output,
size_t output_size
) {
int result = nostr_nip44_encrypt(
server_privkey,
admin_pubkey,
plaintext_json,
output,
output_size
);
if (result != 0) {
app_log(LOG_ERROR, "Failed to encrypt admin response: %d", result);
return -1;
}
return 0;
}
// NIP-44 decryption helper
int admin_decrypt_command(
const unsigned char* server_privkey,
const unsigned char* admin_pubkey,
const char* encrypted_data,
char* output,
size_t output_size
) {
int result = nostr_nip44_decrypt(
server_privkey,
admin_pubkey,
encrypted_data,
output,
output_size
);
if (result != 0) {
app_log(LOG_ERROR, "Failed to decrypt admin command: %d", result);
return -1;
}
return 0;
}
// Create error response
static cJSON* create_error_response(const char* query_type, const char* error_msg) {
cJSON* response = cJSON_CreateObject();
cJSON_AddStringToObject(response, "query_type", query_type);
cJSON_AddStringToObject(response, "status", "error");
cJSON_AddStringToObject(response, "error", error_msg);
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
return response;
}
// Process admin command array and generate response
cJSON* admin_commands_process(cJSON* command_array, const char* request_event_id) {
(void)request_event_id; // Reserved for future use (e.g., logging, tracking)
if (!cJSON_IsArray(command_array) || cJSON_GetArraySize(command_array) < 1) {
return create_error_response("unknown", "Invalid command format");
}
cJSON* cmd_type = cJSON_GetArrayItem(command_array, 0);
if (!cJSON_IsString(cmd_type)) {
return create_error_response("unknown", "Command type must be string");
}
const char* command = cmd_type->valuestring;
app_log(LOG_INFO, "Processing admin command: %s", command);
// Route to appropriate handler
if (strcmp(command, "config_query") == 0) {
return admin_cmd_config_query(command_array);
}
else if (strcmp(command, "config_update") == 0) {
return admin_cmd_config_update(command_array);
}
else if (strcmp(command, "stats_query") == 0) {
return admin_cmd_stats_query(command_array);
}
else if (strcmp(command, "system_command") == 0) {
// Check second parameter for system_status
if (cJSON_GetArraySize(command_array) >= 2) {
cJSON* subcmd = cJSON_GetArrayItem(command_array, 1);
if (cJSON_IsString(subcmd) && strcmp(subcmd->valuestring, "system_status") == 0) {
return admin_cmd_system_status(command_array);
}
}
return create_error_response("system_command", "Unknown system command");
}
else if (strcmp(command, "blob_list") == 0) {
return admin_cmd_blob_list(command_array);
}
else if (strcmp(command, "storage_stats") == 0) {
return admin_cmd_storage_stats(command_array);
}
else if (strcmp(command, "sql_query") == 0) {
return admin_cmd_sql_query(command_array);
}
else {
char error_msg[256];
snprintf(error_msg, sizeof(error_msg), "Unknown command: %s", command);
return create_error_response("unknown", error_msg);
}
}
// ============================================================================
// COMMAND HANDLERS (Stub implementations - to be completed)
// ============================================================================
cJSON* admin_cmd_config_query(cJSON* args) {
cJSON* response = cJSON_CreateObject();
cJSON_AddStringToObject(response, "query_type", "config_query");
// Open database
sqlite3* db;
int rc = sqlite3_open_v2(g_admin_state.db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc != SQLITE_OK) {
cJSON_AddStringToObject(response, "status", "error");
cJSON_AddStringToObject(response, "error", "Failed to open database");
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
return response;
}
// Check if specific keys were requested (args[1] should be array of keys or null for all)
cJSON* keys_array = NULL;
if (cJSON_GetArraySize(args) >= 2) {
keys_array = cJSON_GetArrayItem(args, 1);
if (!cJSON_IsArray(keys_array) && !cJSON_IsNull(keys_array)) {
cJSON_AddStringToObject(response, "status", "error");
cJSON_AddStringToObject(response, "error", "Keys parameter must be array or null");
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
sqlite3_close(db);
return response;
}
}
sqlite3_stmt* stmt;
const char* sql;
if (keys_array && cJSON_IsArray(keys_array) && cJSON_GetArraySize(keys_array) > 0) {
// Query specific keys
int key_count = cJSON_GetArraySize(keys_array);
// Build SQL with placeholders
char sql_buffer[1024] = "SELECT key, value, description FROM config WHERE key IN (?";
for (int i = 1; i < key_count && i < 50; i++) { // Limit to 50 keys
strncat(sql_buffer, ",?", sizeof(sql_buffer) - strlen(sql_buffer) - 1);
}
strncat(sql_buffer, ")", sizeof(sql_buffer) - strlen(sql_buffer) - 1);
rc = sqlite3_prepare_v2(db, sql_buffer, -1, &stmt, NULL);
if (rc != SQLITE_OK) {
cJSON_AddStringToObject(response, "status", "error");
cJSON_AddStringToObject(response, "error", "Failed to prepare query");
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
sqlite3_close(db);
return response;
}
// Bind keys
for (int i = 0; i < key_count && i < 50; i++) {
cJSON* key_item = cJSON_GetArrayItem(keys_array, i);
if (cJSON_IsString(key_item)) {
sqlite3_bind_text(stmt, i + 1, key_item->valuestring, -1, SQLITE_STATIC);
}
}
} else {
// Query all config values
sql = "SELECT key, value, description FROM config ORDER BY key";
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
if (rc != SQLITE_OK) {
cJSON_AddStringToObject(response, "status", "error");
cJSON_AddStringToObject(response, "error", "Failed to prepare query");
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
sqlite3_close(db);
return response;
}
}
// Execute query and build result
cJSON* config_obj = cJSON_CreateObject();
int count = 0;
while ((rc = sqlite3_step(stmt)) == SQLITE_ROW) {
const char* key = (const char*)sqlite3_column_text(stmt, 0);
const char* value = (const char*)sqlite3_column_text(stmt, 1);
const char* description = (const char*)sqlite3_column_text(stmt, 2);
cJSON* entry = cJSON_CreateObject();
cJSON_AddStringToObject(entry, "value", value ? value : "");
if (description && strlen(description) > 0) {
cJSON_AddStringToObject(entry, "description", description);
}
cJSON_AddItemToObject(config_obj, key, entry);
count++;
}
sqlite3_finalize(stmt);
sqlite3_close(db);
cJSON_AddStringToObject(response, "status", "success");
cJSON_AddNumberToObject(response, "count", count);
cJSON_AddItemToObject(response, "config", config_obj);
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
app_log(LOG_INFO, "Config query returned %d entries", count);
return response;
}
cJSON* admin_cmd_config_update(cJSON* args) {
cJSON* response = cJSON_CreateObject();
cJSON_AddStringToObject(response, "query_type", "config_update");
// Expected format: ["config_update", {"key1": "value1", "key2": "value2"}]
if (cJSON_GetArraySize(args) < 2) {
cJSON_AddStringToObject(response, "status", "error");
cJSON_AddStringToObject(response, "error", "Missing config updates object");
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
return response;
}
cJSON* updates = cJSON_GetArrayItem(args, 1);
if (!cJSON_IsObject(updates)) {
cJSON_AddStringToObject(response, "status", "error");
cJSON_AddStringToObject(response, "error", "Updates must be an object");
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
return response;
}
// Open database for writing
sqlite3* db;
int rc = sqlite3_open_v2(g_admin_state.db_path, &db, SQLITE_OPEN_READWRITE, NULL);
if (rc != SQLITE_OK) {
cJSON_AddStringToObject(response, "status", "error");
cJSON_AddStringToObject(response, "error", "Failed to open database");
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
return response;
}
// Prepare update statement
const char* sql = "UPDATE config SET value = ?, updated_at = strftime('%s', 'now') WHERE key = ?";
sqlite3_stmt* stmt;
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
if (rc != SQLITE_OK) {
cJSON_AddStringToObject(response, "status", "error");
cJSON_AddStringToObject(response, "error", "Failed to prepare update statement");
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
sqlite3_close(db);
return response;
}
// Process each update
cJSON* updated_keys = cJSON_CreateArray();
cJSON* failed_keys = cJSON_CreateArray();
int success_count = 0;
int fail_count = 0;
cJSON* item = NULL;
cJSON_ArrayForEach(item, updates) {
const char* key = item->string;
const char* value = cJSON_GetStringValue(item);
if (!value) {
cJSON_AddItemToArray(failed_keys, cJSON_CreateString(key));
fail_count++;
continue;
}
sqlite3_reset(stmt);
sqlite3_bind_text(stmt, 1, value, -1, SQLITE_TRANSIENT);
sqlite3_bind_text(stmt, 2, key, -1, SQLITE_TRANSIENT);
rc = sqlite3_step(stmt);
if (rc == SQLITE_DONE && sqlite3_changes(db) > 0) {
cJSON_AddItemToArray(updated_keys, cJSON_CreateString(key));
success_count++;
app_log(LOG_INFO, "Updated config key: %s", key);
} else {
cJSON_AddItemToArray(failed_keys, cJSON_CreateString(key));
fail_count++;
}
}
sqlite3_finalize(stmt);
sqlite3_close(db);
cJSON_AddStringToObject(response, "status", "success");
cJSON_AddNumberToObject(response, "updated_count", success_count);
cJSON_AddNumberToObject(response, "failed_count", fail_count);
cJSON_AddItemToObject(response, "updated_keys", updated_keys);
if (fail_count > 0) {
cJSON_AddItemToObject(response, "failed_keys", failed_keys);
} else {
cJSON_Delete(failed_keys);
}
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
return response;
}
cJSON* admin_cmd_stats_query(cJSON* args) {
(void)args;
cJSON* response = cJSON_CreateObject();
cJSON_AddStringToObject(response, "query_type", "stats_query");
// Open database
sqlite3* db;
int rc = sqlite3_open_v2(g_admin_state.db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc != SQLITE_OK) {
cJSON_AddStringToObject(response, "status", "error");
cJSON_AddStringToObject(response, "error", "Failed to open database");
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
return response;
}
// Query storage stats view
const char* sql = "SELECT * FROM storage_stats";
sqlite3_stmt* stmt;
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
if (rc != SQLITE_OK) {
cJSON_AddStringToObject(response, "status", "error");
cJSON_AddStringToObject(response, "error", "Failed to query stats");
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
sqlite3_close(db);
return response;
}
cJSON* stats = cJSON_CreateObject();
if (sqlite3_step(stmt) == SQLITE_ROW) {
cJSON_AddNumberToObject(stats, "total_blobs", sqlite3_column_int64(stmt, 0));
cJSON_AddNumberToObject(stats, "total_bytes", sqlite3_column_int64(stmt, 1));
cJSON_AddNumberToObject(stats, "avg_blob_size", sqlite3_column_double(stmt, 2));
cJSON_AddNumberToObject(stats, "first_upload", sqlite3_column_int64(stmt, 3));
cJSON_AddNumberToObject(stats, "last_upload", sqlite3_column_int64(stmt, 4));
cJSON_AddNumberToObject(stats, "unique_uploaders", sqlite3_column_int64(stmt, 5));
}
sqlite3_finalize(stmt);
// Get auth rules count
sql = "SELECT COUNT(*) FROM auth_rules WHERE enabled = 1";
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
if (rc == SQLITE_OK && sqlite3_step(stmt) == SQLITE_ROW) {
cJSON_AddNumberToObject(stats, "active_auth_rules", sqlite3_column_int(stmt, 0));
}
sqlite3_finalize(stmt);
sqlite3_close(db);
cJSON_AddStringToObject(response, "status", "success");
cJSON_AddItemToObject(response, "stats", stats);
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
return response;
}
cJSON* admin_cmd_system_status(cJSON* args) {
(void)args;
cJSON* response = cJSON_CreateObject();
cJSON_AddStringToObject(response, "query_type", "system_status");
cJSON* status = cJSON_CreateObject();
// Server uptime (would need to track start time - placeholder for now)
cJSON_AddStringToObject(status, "server_status", "running");
cJSON_AddNumberToObject(status, "current_time", (double)time(NULL));
// Database status
sqlite3* db;
int rc = sqlite3_open_v2(g_admin_state.db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc == SQLITE_OK) {
cJSON_AddStringToObject(status, "database_status", "connected");
// Get database size
sqlite3_stmt* stmt;
const char* sql = "SELECT page_count * page_size as size FROM pragma_page_count(), pragma_page_size()";
if (sqlite3_prepare_v2(db, sql, -1, &stmt, NULL) == SQLITE_OK) {
if (sqlite3_step(stmt) == SQLITE_ROW) {
cJSON_AddNumberToObject(status, "database_size_bytes", sqlite3_column_int64(stmt, 0));
}
sqlite3_finalize(stmt);
}
sqlite3_close(db);
} else {
cJSON_AddStringToObject(status, "database_status", "error");
}
// Memory info (basic - would need more system calls for detailed info)
cJSON_AddStringToObject(status, "memory_status", "ok");
cJSON_AddStringToObject(response, "status", "success");
cJSON_AddItemToObject(response, "system", status);
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
return response;
}
cJSON* admin_cmd_blob_list(cJSON* args) {
cJSON* response = cJSON_CreateObject();
cJSON_AddStringToObject(response, "query_type", "blob_list");
// Parse optional parameters: limit, offset, uploader_pubkey
int limit = 100; // Default limit
int offset = 0;
const char* uploader_filter = NULL;
if (cJSON_GetArraySize(args) >= 2) {
cJSON* params = cJSON_GetArrayItem(args, 1);
if (cJSON_IsObject(params)) {
cJSON* limit_item = cJSON_GetObjectItem(params, "limit");
if (cJSON_IsNumber(limit_item)) {
limit = limit_item->valueint;
if (limit > 1000) limit = 1000; // Max 1000
if (limit < 1) limit = 1;
}
cJSON* offset_item = cJSON_GetObjectItem(params, "offset");
if (cJSON_IsNumber(offset_item)) {
offset = offset_item->valueint;
if (offset < 0) offset = 0;
}
cJSON* uploader_item = cJSON_GetObjectItem(params, "uploader");
if (cJSON_IsString(uploader_item)) {
uploader_filter = uploader_item->valuestring;
}
}
}
// Open database
sqlite3* db;
int rc = sqlite3_open_v2(g_admin_state.db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc != SQLITE_OK) {
cJSON_AddStringToObject(response, "status", "error");
cJSON_AddStringToObject(response, "error", "Failed to open database");
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
return response;
}
// Build query
char sql[512];
if (uploader_filter) {
snprintf(sql, sizeof(sql),
"SELECT sha256, size, type, uploaded_at, uploader_pubkey, filename "
"FROM blobs WHERE uploader_pubkey = ? "
"ORDER BY uploaded_at DESC LIMIT ? OFFSET ?");
} else {
snprintf(sql, sizeof(sql),
"SELECT sha256, size, type, uploaded_at, uploader_pubkey, filename "
"FROM blobs ORDER BY uploaded_at DESC LIMIT ? OFFSET ?");
}
sqlite3_stmt* stmt;
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
if (rc != SQLITE_OK) {
cJSON_AddStringToObject(response, "status", "error");
cJSON_AddStringToObject(response, "error", "Failed to prepare query");
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
sqlite3_close(db);
return response;
}
// Bind parameters
int param_idx = 1;
if (uploader_filter) {
sqlite3_bind_text(stmt, param_idx++, uploader_filter, -1, SQLITE_STATIC);
}
sqlite3_bind_int(stmt, param_idx++, limit);
sqlite3_bind_int(stmt, param_idx++, offset);
// Execute and build results
cJSON* blobs = cJSON_CreateArray();
int count = 0;
while (sqlite3_step(stmt) == SQLITE_ROW) {
cJSON* blob = cJSON_CreateObject();
cJSON_AddStringToObject(blob, "sha256", (const char*)sqlite3_column_text(stmt, 0));
cJSON_AddNumberToObject(blob, "size", sqlite3_column_int64(stmt, 1));
cJSON_AddStringToObject(blob, "type", (const char*)sqlite3_column_text(stmt, 2));
cJSON_AddNumberToObject(blob, "uploaded_at", sqlite3_column_int64(stmt, 3));
const char* uploader = (const char*)sqlite3_column_text(stmt, 4);
if (uploader) {
cJSON_AddStringToObject(blob, "uploader_pubkey", uploader);
}
const char* filename = (const char*)sqlite3_column_text(stmt, 5);
if (filename) {
cJSON_AddStringToObject(blob, "filename", filename);
}
cJSON_AddItemToArray(blobs, blob);
count++;
}
sqlite3_finalize(stmt);
sqlite3_close(db);
cJSON_AddStringToObject(response, "status", "success");
cJSON_AddNumberToObject(response, "count", count);
cJSON_AddNumberToObject(response, "limit", limit);
cJSON_AddNumberToObject(response, "offset", offset);
cJSON_AddItemToObject(response, "blobs", blobs);
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
return response;
}
cJSON* admin_cmd_storage_stats(cJSON* args) {
(void)args;
cJSON* response = cJSON_CreateObject();
cJSON_AddStringToObject(response, "query_type", "storage_stats");
// Open database
sqlite3* db;
int rc = sqlite3_open_v2(g_admin_state.db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc != SQLITE_OK) {
cJSON_AddStringToObject(response, "status", "error");
cJSON_AddStringToObject(response, "error", "Failed to open database");
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
return response;
}
cJSON* storage = cJSON_CreateObject();
// Get overall stats from view
const char* sql = "SELECT * FROM storage_stats";
sqlite3_stmt* stmt;
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
if (rc == SQLITE_OK && sqlite3_step(stmt) == SQLITE_ROW) {
cJSON_AddNumberToObject(storage, "total_blobs", sqlite3_column_int64(stmt, 0));
cJSON_AddNumberToObject(storage, "total_bytes", sqlite3_column_int64(stmt, 1));
cJSON_AddNumberToObject(storage, "avg_blob_size", sqlite3_column_double(stmt, 2));
cJSON_AddNumberToObject(storage, "first_upload", sqlite3_column_int64(stmt, 3));
cJSON_AddNumberToObject(storage, "last_upload", sqlite3_column_int64(stmt, 4));
cJSON_AddNumberToObject(storage, "unique_uploaders", sqlite3_column_int64(stmt, 5));
}
sqlite3_finalize(stmt);
// Get stats by MIME type
sql = "SELECT type, COUNT(*) as count, SUM(size) as total_size "
"FROM blobs GROUP BY type ORDER BY count DESC LIMIT 10";
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
if (rc == SQLITE_OK) {
cJSON* by_type = cJSON_CreateArray();
while (sqlite3_step(stmt) == SQLITE_ROW) {
cJSON* type_stat = cJSON_CreateObject();
cJSON_AddStringToObject(type_stat, "mime_type", (const char*)sqlite3_column_text(stmt, 0));
cJSON_AddNumberToObject(type_stat, "count", sqlite3_column_int64(stmt, 1));
cJSON_AddNumberToObject(type_stat, "total_bytes", sqlite3_column_int64(stmt, 2));
cJSON_AddItemToArray(by_type, type_stat);
}
cJSON_AddItemToObject(storage, "by_mime_type", by_type);
sqlite3_finalize(stmt);
}
// Get top uploaders
sql = "SELECT uploader_pubkey, COUNT(*) as count, SUM(size) as total_size "
"FROM blobs WHERE uploader_pubkey IS NOT NULL "
"GROUP BY uploader_pubkey ORDER BY count DESC LIMIT 10";
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
if (rc == SQLITE_OK) {
cJSON* top_uploaders = cJSON_CreateArray();
while (sqlite3_step(stmt) == SQLITE_ROW) {
cJSON* uploader_stat = cJSON_CreateObject();
cJSON_AddStringToObject(uploader_stat, "pubkey", (const char*)sqlite3_column_text(stmt, 0));
cJSON_AddNumberToObject(uploader_stat, "blob_count", sqlite3_column_int64(stmt, 1));
cJSON_AddNumberToObject(uploader_stat, "total_bytes", sqlite3_column_int64(stmt, 2));
cJSON_AddItemToArray(top_uploaders, uploader_stat);
}
cJSON_AddItemToObject(storage, "top_uploaders", top_uploaders);
sqlite3_finalize(stmt);
}
sqlite3_close(db);
cJSON_AddStringToObject(response, "status", "success");
cJSON_AddItemToObject(response, "storage", storage);
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
return response;
}
cJSON* admin_cmd_sql_query(cJSON* args) {
cJSON* response = cJSON_CreateObject();
cJSON_AddStringToObject(response, "query_type", "sql_query");
// Expected format: ["sql_query", "SELECT ..."]
if (cJSON_GetArraySize(args) < 2) {
cJSON_AddStringToObject(response, "status", "error");
cJSON_AddStringToObject(response, "error", "Missing SQL query");
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
return response;
}
cJSON* query_item = cJSON_GetArrayItem(args, 1);
if (!cJSON_IsString(query_item)) {
cJSON_AddStringToObject(response, "status", "error");
cJSON_AddStringToObject(response, "error", "Query must be a string");
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
return response;
}
const char* sql = query_item->valuestring;
// Security: Only allow SELECT queries
const char* sql_upper = sql;
while (*sql_upper == ' ' || *sql_upper == '\t' || *sql_upper == '\n') sql_upper++;
if (strncasecmp(sql_upper, "SELECT", 6) != 0) {
cJSON_AddStringToObject(response, "status", "error");
cJSON_AddStringToObject(response, "error", "Only SELECT queries are allowed");
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
return response;
}
// Open database (read-only for safety)
sqlite3* db;
int rc = sqlite3_open_v2(g_admin_state.db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc != SQLITE_OK) {
cJSON_AddStringToObject(response, "status", "error");
cJSON_AddStringToObject(response, "error", "Failed to open database");
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
return response;
}
// Prepare and execute query
sqlite3_stmt* stmt;
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
if (rc != SQLITE_OK) {
cJSON_AddStringToObject(response, "status", "error");
char error_msg[256];
snprintf(error_msg, sizeof(error_msg), "SQL error: %s", sqlite3_errmsg(db));
cJSON_AddStringToObject(response, "error", error_msg);
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
sqlite3_close(db);
return response;
}
// Get column names
int col_count = sqlite3_column_count(stmt);
cJSON* columns = cJSON_CreateArray();
for (int i = 0; i < col_count; i++) {
cJSON_AddItemToArray(columns, cJSON_CreateString(sqlite3_column_name(stmt, i)));
}
// Execute and collect rows (limit to 1000 rows for safety)
cJSON* rows = cJSON_CreateArray();
int row_count = 0;
const int MAX_ROWS = 1000;
while (row_count < MAX_ROWS && (rc = sqlite3_step(stmt)) == SQLITE_ROW) {
cJSON* row = cJSON_CreateArray();
for (int i = 0; i < col_count; i++) {
int col_type = sqlite3_column_type(stmt, i);
switch (col_type) {
case SQLITE_INTEGER:
cJSON_AddItemToArray(row, cJSON_CreateNumber(sqlite3_column_int64(stmt, i)));
break;
case SQLITE_FLOAT:
cJSON_AddItemToArray(row, cJSON_CreateNumber(sqlite3_column_double(stmt, i)));
break;
case SQLITE_TEXT:
cJSON_AddItemToArray(row, cJSON_CreateString((const char*)sqlite3_column_text(stmt, i)));
break;
case SQLITE_NULL:
cJSON_AddItemToArray(row, cJSON_CreateNull());
break;
default:
cJSON_AddItemToArray(row, cJSON_CreateString(""));
}
}
cJSON_AddItemToArray(rows, row);
row_count++;
}
sqlite3_finalize(stmt);
sqlite3_close(db);
cJSON_AddStringToObject(response, "status", "success");
cJSON_AddItemToObject(response, "columns", columns);
cJSON_AddItemToObject(response, "rows", rows);
cJSON_AddNumberToObject(response, "row_count", row_count);
if (row_count >= MAX_ROWS) {
cJSON_AddBoolToObject(response, "truncated", 1);
}
cJSON_AddNumberToObject(response, "timestamp", (double)time(NULL));
app_log(LOG_INFO, "SQL query executed: %d rows returned", row_count);
return response;
}

56
src/admin_commands.h Normal file
View File

@@ -0,0 +1,56 @@
/*
* Ginxsom Admin Commands Interface
*
* Handles encrypted admin commands sent via Kind 23456 events
* and generates encrypted responses as Kind 23457 events.
*/
#ifndef ADMIN_COMMANDS_H
#define ADMIN_COMMANDS_H
#include <cjson/cJSON.h>
// Command handler result codes
typedef enum {
ADMIN_CMD_SUCCESS = 0,
ADMIN_CMD_ERROR_PARSE = -1,
ADMIN_CMD_ERROR_UNKNOWN = -2,
ADMIN_CMD_ERROR_INVALID = -3,
ADMIN_CMD_ERROR_DATABASE = -4,
ADMIN_CMD_ERROR_PERMISSION = -5
} admin_cmd_result_t;
// Initialize admin command system
int admin_commands_init(const char *db_path);
// Process an admin command and generate response
// Returns cJSON response object (caller must free with cJSON_Delete)
cJSON* admin_commands_process(cJSON* command_array, const char* request_event_id);
// Individual command handlers
cJSON* admin_cmd_config_query(cJSON* args);
cJSON* admin_cmd_config_update(cJSON* args);
cJSON* admin_cmd_stats_query(cJSON* args);
cJSON* admin_cmd_system_status(cJSON* args);
cJSON* admin_cmd_blob_list(cJSON* args);
cJSON* admin_cmd_storage_stats(cJSON* args);
cJSON* admin_cmd_sql_query(cJSON* args);
// NIP-44 encryption/decryption helpers
int admin_encrypt_response(
const unsigned char* server_privkey,
const unsigned char* admin_pubkey,
const char* plaintext_json,
char* output,
size_t output_size
);
int admin_decrypt_command(
const unsigned char* server_privkey,
const unsigned char* admin_pubkey,
const char* encrypted_data,
char* output,
size_t output_size
);
#endif /* ADMIN_COMMANDS_H */

471
src/admin_event.c Normal file
View File

@@ -0,0 +1,471 @@
// Admin event handler for Kind 23456/23457 admin commands
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include "ginxsom.h"
// Forward declarations for nostr_core_lib functions
int nostr_hex_to_bytes(const char* hex, unsigned char* bytes, size_t bytes_len);
int nostr_nip44_decrypt(const unsigned char* recipient_private_key,
const unsigned char* sender_public_key,
const char* encrypted_data,
char* output,
size_t output_size);
int nostr_nip44_encrypt(const unsigned char* sender_private_key,
const unsigned char* recipient_public_key,
const char* plaintext,
char* output,
size_t output_size);
cJSON* nostr_create_and_sign_event(int kind, const char* content, cJSON* tags,
const unsigned char* private_key, time_t created_at);
// Use global database path from main.c
extern char g_db_path[];
// Forward declarations
static int get_server_privkey(unsigned char* privkey_bytes);
static int get_server_pubkey(char* pubkey_hex, size_t size);
static int handle_config_query_command(cJSON* response_data);
static int send_admin_response_event(const char* admin_pubkey, const char* request_id,
cJSON* response_data);
/**
* Handle Kind 23456 admin command event
* Expects POST to /api/admin with JSON body containing the event
*/
void handle_admin_event_request(void) {
// Read request body
const char* content_length_str = getenv("CONTENT_LENGTH");
if (!content_length_str) {
printf("Status: 411 Length Required\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Content-Length header required\"}\n");
return;
}
long content_length = atol(content_length_str);
if (content_length <= 0 || content_length > 65536) {
printf("Status: 400 Bad Request\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Invalid content length\"}\n");
return;
}
char* json_body = malloc(content_length + 1);
if (!json_body) {
printf("Status: 500 Internal Server Error\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Memory allocation failed\"}\n");
return;
}
size_t bytes_read = fread(json_body, 1, content_length, stdin);
if (bytes_read != (size_t)content_length) {
free(json_body);
printf("Status: 400 Bad Request\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Failed to read complete request body\"}\n");
return;
}
json_body[content_length] = '\0';
// Parse event JSON
cJSON* event = cJSON_Parse(json_body);
free(json_body);
if (!event) {
printf("Status: 400 Bad Request\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Invalid JSON\"}\n");
return;
}
// Verify it's Kind 23456
cJSON* kind_obj = cJSON_GetObjectItem(event, "kind");
if (!kind_obj || !cJSON_IsNumber(kind_obj) ||
(int)cJSON_GetNumberValue(kind_obj) != 23456) {
cJSON_Delete(event);
printf("Status: 400 Bad Request\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Event must be Kind 23456\"}\n");
return;
}
// Get event ID for response correlation
cJSON* id_obj = cJSON_GetObjectItem(event, "id");
if (!id_obj || !cJSON_IsString(id_obj)) {
cJSON_Delete(event);
printf("Status: 400 Bad Request\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Event missing id\"}\n");
return;
}
const char* request_id = cJSON_GetStringValue(id_obj);
// Get admin pubkey from event
cJSON* pubkey_obj = cJSON_GetObjectItem(event, "pubkey");
if (!pubkey_obj || !cJSON_IsString(pubkey_obj)) {
cJSON_Delete(event);
printf("Status: 400 Bad Request\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Event missing pubkey\"}\n");
return;
}
const char* admin_pubkey = cJSON_GetStringValue(pubkey_obj);
// Verify admin pubkey
sqlite3* db;
int rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc != SQLITE_OK) {
cJSON_Delete(event);
printf("Status: 500 Internal Server Error\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Database error\"}\n");
return;
}
sqlite3_stmt* stmt;
const char* sql = "SELECT value FROM config WHERE key = 'admin_pubkey'";
int is_admin = 0;
if (sqlite3_prepare_v2(db, sql, -1, &stmt, NULL) == SQLITE_OK) {
if (sqlite3_step(stmt) == SQLITE_ROW) {
const char* db_admin_pubkey = (const char*)sqlite3_column_text(stmt, 0);
if (db_admin_pubkey && strcmp(admin_pubkey, db_admin_pubkey) == 0) {
is_admin = 1;
}
}
sqlite3_finalize(stmt);
}
sqlite3_close(db);
if (!is_admin) {
cJSON_Delete(event);
printf("Status: 403 Forbidden\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Not authorized as admin\"}\n");
return;
}
// Get encrypted content
cJSON* content_obj = cJSON_GetObjectItem(event, "content");
if (!content_obj || !cJSON_IsString(content_obj)) {
cJSON_Delete(event);
printf("Status: 400 Bad Request\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Event missing content\"}\n");
return;
}
const char* encrypted_content = cJSON_GetStringValue(content_obj);
// Get server private key for decryption
unsigned char server_privkey[32];
if (get_server_privkey(server_privkey) != 0) {
cJSON_Delete(event);
printf("Status: 500 Internal Server Error\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Failed to get server private key\"}\n");
return;
}
// Convert admin pubkey to bytes
unsigned char admin_pubkey_bytes[32];
if (nostr_hex_to_bytes(admin_pubkey, admin_pubkey_bytes, 32) != 0) {
cJSON_Delete(event);
printf("Status: 400 Bad Request\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Invalid admin pubkey format\"}\n");
return;
}
// Decrypt content using NIP-44 (or use plaintext for testing)
char decrypted_content[8192];
const char* content_to_parse = encrypted_content;
// Check if content is already plaintext JSON (starts with '[')
if (encrypted_content[0] != '[') {
// Content is encrypted, decrypt it
int decrypt_result = nostr_nip44_decrypt(
server_privkey,
admin_pubkey_bytes,
encrypted_content,
decrypted_content,
sizeof(decrypted_content)
);
if (decrypt_result != 0) {
cJSON_Delete(event);
printf("Status: 400 Bad Request\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Failed to decrypt content\"}\n");
return;
}
content_to_parse = decrypted_content;
}
// Parse command array (either decrypted or plaintext)
cJSON* command_array = cJSON_Parse(content_to_parse);
if (!command_array || !cJSON_IsArray(command_array)) {
cJSON_Delete(event);
printf("Status: 400 Bad Request\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Decrypted content is not a valid command array\"}\n");
return;
}
// Get command type
cJSON* command_type = cJSON_GetArrayItem(command_array, 0);
if (!command_type || !cJSON_IsString(command_type)) {
cJSON_Delete(command_array);
cJSON_Delete(event);
printf("Status: 400 Bad Request\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Invalid command format\"}\n");
return;
}
const char* cmd = cJSON_GetStringValue(command_type);
// Create response data object
cJSON* response_data = cJSON_CreateObject();
cJSON_AddStringToObject(response_data, "query_type", cmd);
cJSON_AddNumberToObject(response_data, "timestamp", (double)time(NULL));
// Handle command
int result = -1;
if (strcmp(cmd, "config_query") == 0) {
result = handle_config_query_command(response_data);
} else {
cJSON_AddStringToObject(response_data, "status", "error");
cJSON_AddStringToObject(response_data, "error", "Unknown command");
}
cJSON_Delete(command_array);
cJSON_Delete(event);
if (result == 0) {
// Send Kind 23457 response
send_admin_response_event(admin_pubkey, request_id, response_data);
} else {
cJSON_Delete(response_data);
printf("Status: 500 Internal Server Error\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Command processing failed\"}\n");
}
}
/**
* Get server private key from database (stored in blossom_seckey table)
*/
static int get_server_privkey(unsigned char* privkey_bytes) {
sqlite3* db;
int rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc != SQLITE_OK) {
return -1;
}
sqlite3_stmt* stmt;
const char* sql = "SELECT seckey FROM blossom_seckey LIMIT 1";
int result = -1;
if (sqlite3_prepare_v2(db, sql, -1, &stmt, NULL) == SQLITE_OK) {
if (sqlite3_step(stmt) == SQLITE_ROW) {
const char* privkey_hex = (const char*)sqlite3_column_text(stmt, 0);
if (privkey_hex && nostr_hex_to_bytes(privkey_hex, privkey_bytes, 32) == 0) {
result = 0;
}
}
sqlite3_finalize(stmt);
}
sqlite3_close(db);
return result;
}
/**
* Get server public key from database (stored in config table as blossom_pubkey)
*/
static int get_server_pubkey(char* pubkey_hex, size_t size) {
sqlite3* db;
int rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc != SQLITE_OK) {
return -1;
}
sqlite3_stmt* stmt;
const char* sql = "SELECT value FROM config WHERE key = 'blossom_pubkey'";
int result = -1;
if (sqlite3_prepare_v2(db, sql, -1, &stmt, NULL) == SQLITE_OK) {
if (sqlite3_step(stmt) == SQLITE_ROW) {
const char* pubkey = (const char*)sqlite3_column_text(stmt, 0);
if (pubkey) {
strncpy(pubkey_hex, pubkey, size - 1);
pubkey_hex[size - 1] = '\0';
result = 0;
}
}
sqlite3_finalize(stmt);
}
sqlite3_close(db);
return result;
}
/**
* Handle config_query command - returns all config values
*/
static int handle_config_query_command(cJSON* response_data) {
sqlite3* db;
int rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc != SQLITE_OK) {
cJSON_AddStringToObject(response_data, "status", "error");
cJSON_AddStringToObject(response_data, "error", "Database error");
return -1;
}
cJSON_AddStringToObject(response_data, "status", "success");
cJSON* data = cJSON_CreateObject();
// Query all config settings
sqlite3_stmt* stmt;
const char* sql = "SELECT key, value FROM config ORDER BY key";
if (sqlite3_prepare_v2(db, sql, -1, &stmt, NULL) == SQLITE_OK) {
while (sqlite3_step(stmt) == SQLITE_ROW) {
const char* key = (const char*)sqlite3_column_text(stmt, 0);
const char* value = (const char*)sqlite3_column_text(stmt, 1);
if (key && value) {
cJSON_AddStringToObject(data, key, value);
}
}
sqlite3_finalize(stmt);
}
cJSON_AddItemToObject(response_data, "data", data);
sqlite3_close(db);
return 0;
}
/**
* Send Kind 23457 admin response event
*/
static int send_admin_response_event(const char* admin_pubkey, const char* request_id,
cJSON* response_data) {
// Get server keys
unsigned char server_privkey[32];
char server_pubkey[65];
if (get_server_privkey(server_privkey) != 0 ||
get_server_pubkey(server_pubkey, sizeof(server_pubkey)) != 0) {
cJSON_Delete(response_data);
printf("Status: 500 Internal Server Error\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Failed to get server keys\"}\n");
return -1;
}
// Convert response data to JSON string
char* response_json = cJSON_PrintUnformatted(response_data);
cJSON_Delete(response_data);
if (!response_json) {
printf("Status: 500 Internal Server Error\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Failed to serialize response\"}\n");
return -1;
}
// Convert admin pubkey to bytes for encryption
unsigned char admin_pubkey_bytes[32];
if (nostr_hex_to_bytes(admin_pubkey, admin_pubkey_bytes, 32) != 0) {
free(response_json);
printf("Status: 500 Internal Server Error\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Invalid admin pubkey\"}\n");
return -1;
}
// Encrypt response using NIP-44
char encrypted_response[131072];
int encrypt_result = nostr_nip44_encrypt(
server_privkey,
admin_pubkey_bytes,
response_json,
encrypted_response,
sizeof(encrypted_response)
);
free(response_json);
if (encrypt_result != 0) {
printf("Status: 500 Internal Server Error\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Failed to encrypt response\"}\n");
return -1;
}
// Create Kind 23457 response event
cJSON* response_event = cJSON_CreateObject();
cJSON_AddStringToObject(response_event, "pubkey", server_pubkey);
cJSON_AddNumberToObject(response_event, "created_at", (double)time(NULL));
cJSON_AddNumberToObject(response_event, "kind", 23457);
cJSON_AddStringToObject(response_event, "content", encrypted_response);
// Add tags
cJSON* tags = cJSON_CreateArray();
// p tag for admin
cJSON* p_tag = cJSON_CreateArray();
cJSON_AddItemToArray(p_tag, cJSON_CreateString("p"));
cJSON_AddItemToArray(p_tag, cJSON_CreateString(admin_pubkey));
cJSON_AddItemToArray(tags, p_tag);
// e tag for request correlation
cJSON* e_tag = cJSON_CreateArray();
cJSON_AddItemToArray(e_tag, cJSON_CreateString("e"));
cJSON_AddItemToArray(e_tag, cJSON_CreateString(request_id));
cJSON_AddItemToArray(tags, e_tag);
cJSON_AddItemToObject(response_event, "tags", tags);
// Sign the event
cJSON* signed_event = nostr_create_and_sign_event(
23457,
encrypted_response,
tags,
server_privkey,
time(NULL)
);
cJSON_Delete(response_event);
if (!signed_event) {
printf("Status: 500 Internal Server Error\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Failed to sign response event\"}\n");
return -1;
}
// Return the signed event as HTTP response
char* event_json = cJSON_PrintUnformatted(signed_event);
cJSON_Delete(signed_event);
if (!event_json) {
printf("Status: 500 Internal Server Error\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\"error\":\"Failed to serialize event\"}\n");
return -1;
}
printf("Status: 200 OK\r\n");
printf("Content-Type: application/json\r\n");
printf("Cache-Control: no-cache\r\n");
printf("\r\n");
printf("%s\n", event_json);
free(event_json);
return 0;
}

163
src/admin_websocket.c
View File

@@ -1,163 +0,0 @@
/*
* Ginxsom Admin WebSocket Module
* Handles WebSocket connections for Kind 23456/23457 admin commands
* Based on c-relay's WebSocket implementation
*/
#include "ginxsom.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <cjson/cJSON.h>
#include <sqlite3.h>
// Forward declarations from admin_auth.c
int process_admin_command(cJSON *event, char ***command_array_out, int *command_count_out, char **admin_pubkey_out);
void free_command_array(char **command_array, int command_count);
int create_admin_response(const char *response_json, const char *admin_pubkey, const char *original_event_id, cJSON **response_event_out);
// Forward declarations from admin_handlers.c (to be created)
int execute_admin_command(char **command_array, int command_count, const char *admin_pubkey, char **response_json_out);
// Handle WebSocket admin command endpoint (/api/admin)
void handle_admin_websocket_request(void) {
// For now, this is a placeholder for WebSocket implementation
// In a full implementation, this would:
// 1. Upgrade HTTP connection to WebSocket
// 2. Handle WebSocket frames
// 3. Process Kind 23456 events
// 4. Send Kind 23457 responses
printf("Status: 501 Not Implemented\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\n");
printf(" \"error\": \"websocket_not_implemented\",\n");
printf(" \"message\": \"WebSocket admin endpoint not yet implemented\",\n");
printf(" \"note\": \"Use HTTP POST to /api/admin for now\"\n");
printf("}\n");
}
// Handle HTTP POST admin command endpoint (/api/admin)
void handle_admin_command_post_request(void) {
// Read the request body (should contain Kind 23456 event JSON)
const char *content_length_str = getenv("CONTENT_LENGTH");
if (!content_length_str) {
printf("Status: 400 Bad Request\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\n");
printf(" \"error\": \"missing_content_length\",\n");
printf(" \"message\": \"Content-Length header required\"\n");
printf("}\n");
return;
}
long content_length = atol(content_length_str);
if (content_length <= 0 || content_length > 1024 * 1024) { // 1MB limit
printf("Status: 400 Bad Request\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\n");
printf(" \"error\": \"invalid_content_length\",\n");
printf(" \"message\": \"Content-Length must be between 1 and 1MB\"\n");
printf("}\n");
return;
}
// Read the request body
char *request_body = malloc(content_length + 1);
if (!request_body) {
printf("Status: 500 Internal Server Error\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\n");
printf(" \"error\": \"memory_allocation_failed\",\n");
printf(" \"message\": \"Failed to allocate memory for request body\"\n");
printf("}\n");
return;
}
size_t bytes_read = fread(request_body, 1, content_length, stdin);
if (bytes_read != (size_t)content_length) {
free(request_body);
printf("Status: 400 Bad Request\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\n");
printf(" \"error\": \"incomplete_request_body\",\n");
printf(" \"message\": \"Failed to read complete request body\"\n");
printf("}\n");
return;
}
request_body[content_length] = '\0';
// Parse the JSON event
cJSON *event = cJSON_Parse(request_body);
free(request_body);
if (!event) {
printf("Status: 400 Bad Request\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\n");
printf(" \"error\": \"invalid_json\",\n");
printf(" \"message\": \"Request body is not valid JSON\"\n");
printf("}\n");
return;
}
// Process the admin command
char **command_array = NULL;
int command_count = 0;
char *admin_pubkey = NULL;
int result = process_admin_command(event, &command_array, &command_count, &admin_pubkey);
cJSON_Delete(event);
if (result != 0) {
printf("Status: 400 Bad Request\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\n");
printf(" \"error\": \"invalid_admin_command\",\n");
printf(" \"message\": \"Failed to process admin command\"\n");
printf("}\n");
return;
}
// Execute the command
char *response_json = NULL;
int exec_result = execute_admin_command(command_array, command_count, admin_pubkey, &response_json);
free_command_array(command_array, command_count);
free(admin_pubkey);
if (exec_result != 0) {
printf("Status: 500 Internal Server Error\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\n");
printf(" \"error\": \"command_execution_failed\",\n");
printf(" \"message\": \"Failed to execute admin command\"\n");
printf("}\n");
return;
}
// Create the response event (Kind 23457)
cJSON *response_event = NULL;
int create_result = create_admin_response(response_json, admin_pubkey, NULL, &response_event);
free(response_json);
if (create_result != 0) {
printf("Status: 500 Internal Server Error\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("{\n");
printf(" \"error\": \"response_creation_failed\",\n");
printf(" \"message\": \"Failed to create admin response\"\n");
printf("}\n");
return;
}
// Return the response event as JSON
char *response_json_str = cJSON_Print(response_event);
cJSON_Delete(response_event);
printf("Status: 200 OK\r\n");
printf("Content-Type: application/json\r\n\r\n");
printf("%s\n", response_json_str);
free(response_json_str);
}

8
src/bud08.c
View File

@@ -10,8 +10,8 @@
#include <stdint.h>
#include "ginxsom.h"
// Database path
#define DB_PATH "db/ginxsom.db"
// Use global database path from main.c
extern char g_db_path[];
// Check if NIP-94 metadata emission is enabled
int nip94_is_enabled(void) {
@@ -19,7 +19,7 @@ int nip94_is_enabled(void) {
sqlite3_stmt* stmt;
int rc, enabled = 1; // Default enabled
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc) {
return 1; // Default enabled on DB error
}
@@ -50,7 +50,7 @@ int nip94_get_origin(char* out, size_t out_size) {
sqlite3_stmt* stmt;
int rc;
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc == SQLITE_OK) {
const char* sql = "SELECT value FROM config WHERE key = 'cdn_origin'";
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);

6
src/bud09.c
View File

@@ -11,8 +11,8 @@
#include <time.h>
#include "ginxsom.h"
// Database path (should match main.c)
#define DB_PATH "db/ginxsom.db"
// Use global database path from main.c
extern char g_db_path[];
// Forward declarations for helper functions
void send_error_response(int status_code, const char* error_type, const char* message, const char* details);
@@ -154,7 +154,7 @@ int store_blob_report(const char* event_json, const char* reporter_pubkey) {
sqlite3_stmt* stmt;
int rc;
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READWRITE, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READWRITE, NULL);
if (rc) {
return 0;
}

17
src/ginxsom.h
View File

@@ -10,8 +10,8 @@
// Version information (auto-updated by build system)
#define VERSION_MAJOR 0
#define VERSION_MINOR 1
#define VERSION_PATCH 9
#define VERSION "v0.1.9"
#define VERSION_PATCH 14
#define VERSION "v0.1.14"
#include <stddef.h>
#include <stdint.h>
@@ -250,6 +250,16 @@ void send_json_response(int status_code, const char* json_content);
// Logging utilities
void log_request(const char* method, const char* uri, const char* auth_status, int status_code);
// Centralized application logging (writes to logs/app/app.log)
typedef enum {
LOG_DEBUG = 0,
LOG_INFO = 1,
LOG_WARN = 2,
LOG_ERROR = 3
} log_level_t;
void app_log(log_level_t level, const char* format, ...);
// SHA-256 validation helper (used by multiple BUDs)
int validate_sha256_format(const char* sha256);
@@ -262,6 +272,9 @@ int validate_sha256_format(const char* sha256);
// Admin API request handler
void handle_admin_api_request(const char* method, const char* uri, const char* validated_pubkey, int is_authenticated);
// Admin event handler (Kind 23456/23457)
void handle_admin_event_request(void);
// Individual endpoint handlers
void handle_stats_api(void);
void handle_config_get_api(void);

604
src/main.c
View File

@@ -5,11 +5,14 @@
#define _GNU_SOURCE
#include "ginxsom.h"
#include "relay_client.h"
#include "admin_commands.h"
#include "../nostr_core_lib/nostr_core/nostr_common.h"
#include "../nostr_core_lib/nostr_core/utils.h"
#include <getopt.h>
#include <curl/curl.h>
#include <sqlite3.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
@@ -19,20 +22,57 @@
#include <time.h>
#include <unistd.h>
// Debug macros removed
// Centralized logging system (declaration in ginxsom.h)
void app_log(log_level_t level, const char *format, ...) {
FILE *log_file = fopen("logs/app/app.log", "a");
if (!log_file) {
return; // Silently fail if we can't open log file
}
// Get timestamp
time_t now = time(NULL);
struct tm *tm_info = localtime(&now);
char timestamp[64];
strftime(timestamp, sizeof(timestamp), "%Y-%m-%d %H:%M:%S", tm_info);
// Get log level string
const char *level_str;
switch (level) {
case LOG_DEBUG: level_str = "DEBUG"; break;
case LOG_INFO: level_str = "INFO"; break;
case LOG_WARN: level_str = "WARN"; break;
case LOG_ERROR: level_str = "ERROR"; break;
default: level_str = "UNKNOWN"; break;
}
// Write log prefix with timestamp, PID, and level
fprintf(log_file, "[%s] [PID:%d] [%s] ", timestamp, getpid(), level_str);
// Write formatted message
va_list args;
va_start(args, format);
vfprintf(log_file, format, args);
va_end(args);
// Ensure newline
fprintf(log_file, "\n");
fclose(log_file);
}
#define MAX_SHA256_LEN 65
#define MAX_PATH_LEN 4096
#define MAX_MIME_LEN 128
// Configuration variables - can be overridden via command line
char g_db_path[MAX_PATH_LEN] = "db/ginxsom.db";
char g_db_path[MAX_PATH_LEN] = ""; // Will be set based on pubkey
char g_storage_dir[MAX_PATH_LEN] = ".";
// Key management variables
char g_admin_pubkey[65] = ""; // Admin public key for authorization
char g_blossom_seckey[65] = ""; // Blossom server private key for decryption/signing
int g_generate_keys = 0; // Flag to generate keys on startup
char g_blossom_pubkey[65] = ""; // Blossom server public key (derived from seckey)
int g_generate_keys = 0; // Flag to generate keys on startup (deprecated)
// Use global configuration variables
#define DB_PATH g_db_path
@@ -192,10 +232,13 @@ int initialize_database(const char *db_path) {
" ('auth_rules_enabled', 'true', 'Whether authentication rules are enabled for uploads'),"
" ('server_name', 'ginxsom', 'Server name for responses'),"
" ('admin_pubkey', '', 'Admin public key for API access'),"
" ('admin_enabled', 'false', 'Whether admin API is enabled'),"
" ('admin_enabled', 'true', 'Whether admin API is enabled'),"
" ('nip42_require_auth', 'false', 'Enable NIP-42 challenge/response authentication'),"
" ('nip42_challenge_timeout', '600', 'NIP-42 challenge timeout in seconds'),"
" ('nip42_time_tolerance', '300', 'NIP-42 timestamp tolerance in seconds');";
" ('nip42_time_tolerance', '300', 'NIP-42 timestamp tolerance in seconds'),"
" ('enable_relay_connect', 'true', 'Enable connection to Nostr relays'),"
" ('kind_0_content', '{\"name\":\"Ginxsom Blossom Server\",\"about\":\"A Nostr-enabled Blossom media server\",\"picture\":\"\"}', 'JSON content for Kind 0 profile event'),"
" ('kind_10002_tags', '[\"wss://relay.laantungir.net\"]', 'JSON array of relay URLs for Kind 10002');";
rc = sqlite3_exec(db, insert_config, NULL, NULL, &err_msg);
if (rc != SQLITE_OK) {
@@ -245,6 +288,9 @@ int generate_server_keypair(void);
int load_server_keys(void);
int store_blossom_private_key(const char *seckey);
int get_blossom_private_key(char *seckey_out, size_t max_len);
int derive_pubkey_from_privkey(const char *privkey_hex, char *pubkey_hex_out);
int validate_database_pubkey_match(const char *db_path, const char *expected_pubkey);
int set_db_path_from_pubkey(const char *pubkey);
// External validator function declarations
const char *nostr_request_validator_get_last_violation_type(void);
@@ -258,6 +304,76 @@ void handle_delete_request_with_validation(const char *sha256, nostr_request_res
// Key management function implementations
// Derive public key from private key hex string
int derive_pubkey_from_privkey(const char *privkey_hex, char *pubkey_hex_out) {
if (!privkey_hex || strlen(privkey_hex) != 64) {
fprintf(stderr, "ERROR: Invalid private key format\n");
return -1;
}
unsigned char seckey_bytes[32];
if (nostr_hex_to_bytes(privkey_hex, seckey_bytes, 32) != NOSTR_SUCCESS) {
fprintf(stderr, "ERROR: Failed to parse private key hex\n");
return -1;
}
unsigned char pubkey_bytes[32];
if (nostr_ec_public_key_from_private_key(seckey_bytes, pubkey_bytes) != NOSTR_SUCCESS) {
fprintf(stderr, "ERROR: Failed to derive public key\n");
return -1;
}
nostr_bytes_to_hex(pubkey_bytes, 32, pubkey_hex_out);
return 0;
}
// Set database path based on pubkey (db/<pubkey>.db)
int set_db_path_from_pubkey(const char *pubkey) {
if (!pubkey || strlen(pubkey) != 64) {
fprintf(stderr, "ERROR: Invalid pubkey for database naming\n");
return -1;
}
snprintf(g_db_path, sizeof(g_db_path), "db/%s.db", pubkey);
fprintf(stderr, "DATABASE: Set database path to %s\n", g_db_path);
return 0;
}
// Validate that database filename matches the pubkey stored inside
int validate_database_pubkey_match(const char *db_path, const char *expected_pubkey) {
// Extract pubkey from database filename
const char *filename = strrchr(db_path, '/');
if (!filename) {
filename = db_path;
} else {
filename++; // Skip the '/'
}
// Check if filename matches pattern: <pubkey>.db
size_t filename_len = strlen(filename);
if (filename_len != 67) { // 64 chars + ".db" = 67
fprintf(stderr, "WARNING: Database filename doesn't match pubkey pattern: %s\n", filename);
return 0; // Don't enforce for non-standard names (backward compatibility)
}
// Extract pubkey from filename (first 64 chars)
char filename_pubkey[65];
strncpy(filename_pubkey, filename, 64);
filename_pubkey[64] = '\0';
// Compare with expected pubkey
if (strcasecmp(filename_pubkey, expected_pubkey) != 0) {
fprintf(stderr, "ERROR: Database pubkey mismatch!\n");
fprintf(stderr, " Database filename: %s\n", filename_pubkey);
fprintf(stderr, " Expected pubkey: %s\n", expected_pubkey);
fprintf(stderr, " → Database filename doesn't match the keys stored inside\n");
return -1;
}
fprintf(stderr, "DATABASE: Pubkey validation passed: %s\n", filename_pubkey);
return 0;
}
// Generate random private key bytes using /dev/urandom
int generate_random_private_key_bytes(unsigned char *key_bytes, size_t len) {
FILE *fp = fopen("/dev/urandom", "rb");
@@ -309,6 +425,26 @@ int generate_server_keypair(void) {
// Convert public key to hex
nostr_bytes_to_hex(pubkey_bytes, 32, pubkey_hex);
// Store pubkey in global variable
strncpy(g_blossom_pubkey, pubkey_hex, sizeof(g_blossom_pubkey) - 1);
g_blossom_pubkey[64] = '\0';
// Store seckey in global variable
strncpy(g_blossom_seckey, seckey_hex, sizeof(g_blossom_seckey) - 1);
g_blossom_seckey[64] = '\0';
// Set database path based on pubkey (MUST be done before storing keys)
if (set_db_path_from_pubkey(pubkey_hex) != 0) {
fprintf(stderr, "ERROR: Failed to set database path\n");
return -1;
}
// Initialize database with new path
if (initialize_database(g_db_path) != 0) {
fprintf(stderr, "ERROR: Failed to initialize database at %s\n", g_db_path);
return -1;
}
// Store private key securely
if (store_blossom_private_key(seckey_hex) != 0) {
@@ -321,7 +457,7 @@ int generate_server_keypair(void) {
sqlite3_stmt *stmt;
int rc;
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READWRITE, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READWRITE, NULL);
if (rc) {
fprintf(stderr, "ERROR: Can't open database for config: %s\n", sqlite3_errmsg(db));
return -1;
@@ -354,6 +490,7 @@ int generate_server_keypair(void) {
fprintf(stderr, "========================================\n");
fprintf(stderr, "Blossom Public Key: %s\n", pubkey_hex);
fprintf(stderr, "Blossom Private Key: %s\n", seckey_hex);
fprintf(stderr, "Database Path: %s\n", g_db_path);
fprintf(stderr, "========================================\n");
fprintf(stderr, "IMPORTANT: Save the private key securely!\n");
fprintf(stderr, "This key is used for decrypting admin messages.\n");
@@ -372,26 +509,30 @@ int load_server_keys(void) {
// Try to load blossom private key
fprintf(stderr, "DEBUG: Trying to load blossom private key...\n");
if (get_blossom_private_key(g_blossom_seckey, sizeof(g_blossom_seckey)) != 0) {
fprintf(stderr, "DEBUG: No blossom private key found\n");
// No private key found - check if we should generate one
if (g_generate_keys) {
fprintf(stderr, "STARTUP: No blossom private key found, generating new keypair...\n");
if (generate_server_keypair() != 0) {
fprintf(stderr, "ERROR: Failed to generate server keypair\n");
return -1;
}
} else {
fprintf(stderr, "WARNING: No blossom private key found. Use --generate-keys to create one.\n");
// This is not fatal - server can still operate without admin features
}
} else {
fprintf(stderr, "STARTUP: Blossom private key loaded successfully\n");
fprintf(stderr, "DEBUG: No blossom private key found in database\n");
return -1; // Keys must exist in database
}
fprintf(stderr, "STARTUP: Blossom private key loaded successfully\n");
// Derive public key from private key
if (derive_pubkey_from_privkey(g_blossom_seckey, g_blossom_pubkey) != 0) {
fprintf(stderr, "ERROR: Failed to derive public key from private key\n");
return -1;
}
fprintf(stderr, "STARTUP: Derived blossom pubkey: %s\n", g_blossom_pubkey);
// Validate database filename matches pubkey
if (validate_database_pubkey_match(g_db_path, g_blossom_pubkey) != 0) {
fprintf(stderr, "ERROR: Database pubkey validation failed\n");
return -1;
}
// Load admin pubkey from command line or config
if (strlen(g_admin_pubkey) == 0) {
// Try to load from database config
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc == SQLITE_OK) {
const char *sql = "SELECT value FROM config WHERE key = 'admin_pubkey'";
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
@@ -410,7 +551,7 @@ int load_server_keys(void) {
}
} else {
// Store admin pubkey in config if provided via command line
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READWRITE, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READWRITE, NULL);
if (rc == SQLITE_OK) {
const char *sql = "INSERT OR REPLACE INTO config (key, value, description) VALUES (?, ?, ?)";
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
@@ -441,7 +582,7 @@ int store_blossom_private_key(const char *seckey) {
}
// Create blossom_seckey table if it doesn't exist
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE, NULL);
if (rc) {
fprintf(stderr, "ERROR: Can't open database: %s\n", sqlite3_errmsg(db));
return -1;
@@ -484,7 +625,7 @@ int get_blossom_private_key(char *seckey_out, size_t max_len) {
sqlite3_stmt *stmt;
int rc;
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc) {
return -1;
}
@@ -520,7 +661,7 @@ int insert_blob_metadata(const char *sha256, long size, const char *type,
sqlite3_stmt *stmt;
int rc;
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE, NULL);
if (rc) {
fprintf(stderr, "Can't open database: %s\n", sqlite3_errmsg(db));
return 0;
@@ -575,7 +716,7 @@ int get_blob_metadata(const char *sha256, blob_metadata_t *metadata) {
sqlite3_stmt *stmt;
int rc;
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY | SQLITE_OPEN_CREATE, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY | SQLITE_OPEN_CREATE, NULL);
if (rc) {
fprintf(stderr, "Can't open database: %s\n", sqlite3_errmsg(db));
return 0;
@@ -845,7 +986,7 @@ void handle_list_request(const char *pubkey) {
sqlite3_stmt *stmt;
int rc;
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc) {
send_error_response(500, "database_error", "Failed to access database",
@@ -992,7 +1133,7 @@ void handle_delete_request_with_validation(const char *sha256, nostr_request_res
sqlite3_stmt *stmt;
int rc;
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE, NULL);
if (rc) {
send_error_response(500, "database_error", "Failed to access database",
@@ -1731,16 +1872,20 @@ void handle_auth_challenge_request(void) {
/////////////////////////////////////////////////////////////////////////////////////////
int main(int argc, char *argv[]) {
fprintf(stderr, "DEBUG: main() started\n");
fflush(stderr);
// Initialize application logging
app_log(LOG_INFO, "=== Ginxsom FastCGI Application Starting ===");
app_log(LOG_INFO, "Process ID: %d", getpid());
// Parse command line arguments
int use_test_keys = 0;
char test_server_privkey[65] = "";
char specified_db_path[MAX_PATH_LEN] = "";
int db_path_specified = 0;
for (int i = 1; i < argc; i++) {
if (strcmp(argv[i], "--db-path") == 0 && i + 1 < argc) {
strncpy(g_db_path, argv[i + 1], sizeof(g_db_path) - 1);
strncpy(specified_db_path, argv[i + 1], sizeof(specified_db_path) - 1);
db_path_specified = 1;
i++; // Skip next argument
} else if (strcmp(argv[i], "--storage-dir") == 0 && i + 1 < argc) {
strncpy(g_storage_dir, argv[i + 1], sizeof(g_storage_dir) - 1);
@@ -1750,13 +1895,24 @@ int main(int argc, char *argv[]) {
const char *help_text =
"Usage: ginxsom-fcgi [options]\n"
"Options:\n"
" --db-path PATH Database file path (default: db/ginxsom.db)\n"
" --storage-dir DIR Storage directory for files (default: blobs)\n"
" --admin-pubkey KEY Admin public key for management (64 hex chars)\n"
" --server-privkey KEY Server private key (64 hex chars, for testing)\n"
" --db-path PATH Database file path (must match pubkey if keys exist)\n"
" --storage-dir DIR Storage directory for files (default: .)\n"
" --admin-pubkey KEY Admin public key (only used when creating new database)\n"
" --server-privkey KEY Server private key (creates new DB or validates existing)\n"
" --test-keys Use test keys from .test_keys file\n"
" --generate-keys Generate server keypair on startup\n"
" --help, -h Show this help message\n";
" --generate-keys Generate new keypair and create database (deprecated)\n"
" --help, -h Show this help message\n"
"\n"
"Database Naming:\n"
" Databases are named after the server's public key: db/<pubkey>.db\n"
" This ensures database-key consistency and prevents mismatches.\n"
"\n"
"Startup Scenarios:\n"
" 1. No arguments → Generate new keys, create db/<new_pubkey>.db\n"
" 2. --db-path <path> → Open existing database, validate keys match filename\n"
" 3. --server-privkey <key>→ Create new database with those keys\n"
" 4. --test-keys → Use test keys, create/overwrite test database\n"
" 5. --db-path + --server-privkey → Validate keys match or error\n";
ssize_t written = write(STDOUT_FILENO, help_text, strlen(help_text));
(void)written; // Suppress unused variable warning
return 0;
@@ -1770,6 +1926,7 @@ int main(int argc, char *argv[]) {
use_test_keys = 1;
} else if (strcmp(argv[i], "--generate-keys") == 0) {
g_generate_keys = 1;
fprintf(stderr, "WARNING: --generate-keys is deprecated. Keys are generated automatically when needed.\n");
} else {
fprintf(stderr, "Unknown option: %s\n", argv[i]);
fprintf(stderr, "Use --help for usage information\n");
@@ -1777,17 +1934,34 @@ int main(int argc, char *argv[]) {
}
}
// Load test keys if requested
app_log(LOG_INFO, "Storage directory: %s", g_storage_dir);
// CRITICAL: Initialize nostr crypto system BEFORE key operations
app_log(LOG_INFO, "Initializing nostr crypto system...");
int crypto_init_result = nostr_crypto_init();
if (crypto_init_result != 0) {
app_log(LOG_ERROR, "Failed to initialize nostr crypto system (result: %d)", crypto_init_result);
return 1;
}
app_log(LOG_INFO, "Nostr crypto system initialized successfully");
// ========================================================================
// DATABASE AND KEY INITIALIZATION - 5 SCENARIOS
// ========================================================================
// Scenario 4: Test Mode (--test-keys)
if (use_test_keys) {
app_log(LOG_INFO, "=== SCENARIO 4: TEST MODE ===");
// Load test keys from .test_keys file
FILE *keys_file = fopen(".test_keys", "r");
if (!keys_file) {
fprintf(stderr, "ERROR: Cannot open .test_keys file\n");
app_log(LOG_ERROR, "Cannot open .test_keys file");
return 1;
}
char line[256];
while (fgets(line, sizeof(line), keys_file)) {
// Parse ADMIN_PUBKEY='...'
if (strncmp(line, "ADMIN_PUBKEY='", 14) == 0) {
char *start = line + 14;
char *end = strchr(start, '\'');
@@ -1796,128 +1970,251 @@ int main(int argc, char *argv[]) {
g_admin_pubkey[64] = '\0';
}
}
// Parse SERVER_PRIVKEY='...'
else if (strncmp(line, "SERVER_PRIVKEY='", 16) == 0) {
char *start = line + 16;
char *end = strchr(start, '\'');
if (end && (end - start) == 64) {
strncpy(test_server_privkey, start, 64);
test_server_privkey[64] = '\0';
app_log(LOG_DEBUG, "Parsed SERVER_PRIVKEY from .test_keys");
} else {
app_log(LOG_ERROR, "Failed to parse SERVER_PRIVKEY (length: %ld)", end ? (long)(end - start) : -1L);
}
}
}
fclose(keys_file);
fprintf(stderr, "STARTUP: Using test keys from .test_keys\n");
fprintf(stderr, "STARTUP: Admin pubkey: %s\n", g_admin_pubkey);
fprintf(stderr, "STARTUP: Server privkey loaded from test keys\n");
}
fprintf(stderr, "STARTUP: Using database path: %s\n", g_db_path);
fprintf(stderr, "STARTUP: Using storage directory: %s\n", g_storage_dir);
if (strlen(g_admin_pubkey) > 0) {
fprintf(stderr, "STARTUP: Admin pubkey specified: %s\n", g_admin_pubkey);
}
if (g_generate_keys) {
fprintf(stderr, "STARTUP: Will generate server keypair\n");
}
fprintf(stderr, "DEBUG: About to initialize database\n");
// Initialize database (create if doesn't exist)
fprintf(stderr, "STARTUP: Initializing database...\n");
if (initialize_database(g_db_path) != 0) {
fprintf(stderr, "FATAL ERROR: Failed to initialize database\n");
return 1;
}
fprintf(stderr, "STARTUP: Database ready\n");
// CRITICAL: Initialize nostr crypto system BEFORE key operations
fprintf(stderr, "STARTUP: Initializing nostr crypto system...\r\n");
int crypto_init_result = nostr_crypto_init();
fprintf(stderr, "CRYPTO INIT RESULT: %d\r\n", crypto_init_result);
if (crypto_init_result != 0) {
fprintf(stderr,
"FATAL ERROR: Failed to initialize nostr crypto system\r\n");
return 1;
}
fprintf(stderr, "STARTUP: nostr crypto system initialized successfully\r\n");
// Initialize server keys (now that crypto is initialized)
fprintf(stderr, "STARTUP: Initializing server keys...\n");
fflush(stderr);
// If test keys were provided via command line, store them in database
if (test_server_privkey[0] != '\0') {
// Store test private key in database
app_log(LOG_INFO, "Loaded keys from .test_keys");
app_log(LOG_INFO, "Admin pubkey: %s", g_admin_pubkey);
// Derive pubkey from test privkey
if (derive_pubkey_from_privkey(test_server_privkey, g_blossom_pubkey) != 0) {
app_log(LOG_ERROR, "Failed to derive pubkey from test privkey");
return 1;
}
app_log(LOG_INFO, "Server pubkey: %s", g_blossom_pubkey);
// Set database path based on test pubkey
if (set_db_path_from_pubkey(g_blossom_pubkey) != 0) {
app_log(LOG_ERROR, "Failed to set database path");
return 1;
}
// Test mode ALWAYS overwrites database for clean testing
app_log(LOG_INFO, "Creating/overwriting test database: %s", g_db_path);
unlink(g_db_path); // Remove if exists
// Initialize new database
if (initialize_database(g_db_path) != 0) {
app_log(LOG_ERROR, "Failed to initialize test database");
return 1;
}
// Store test keys
strncpy(g_blossom_seckey, test_server_privkey, sizeof(g_blossom_seckey) - 1);
g_blossom_seckey[64] = '\0';
fprintf(stderr, "STARTUP: Storing test server private key in database...\n");
if (store_blossom_private_key(test_server_privkey) != 0) {
fprintf(stderr, "ERROR: Failed to store test private key\n");
app_log(LOG_ERROR, "Failed to store test private key");
return 1;
}
// Derive and store public key
unsigned char seckey_bytes[32];
if (nostr_hex_to_bytes(test_server_privkey, seckey_bytes, 32) != NOSTR_SUCCESS) {
fprintf(stderr, "ERROR: Failed to parse test private key\n");
return 1;
}
unsigned char pubkey_bytes[32];
if (nostr_ec_public_key_from_private_key(seckey_bytes, pubkey_bytes) != NOSTR_SUCCESS) {
fprintf(stderr, "ERROR: Failed to derive public key from test private key\n");
return 1;
}
char pubkey_hex[65];
nostr_bytes_to_hex(pubkey_bytes, 32, pubkey_hex);
// Store server public key in config
// Store pubkey and admin pubkey in config
sqlite3 *db;
sqlite3_stmt *stmt;
int rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READWRITE, NULL);
int rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READWRITE, NULL);
if (rc == SQLITE_OK) {
const char *sql = "INSERT OR REPLACE INTO config (key, value, description) VALUES (?, ?, ?)";
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
if (rc == SQLITE_OK) {
sqlite3_bind_text(stmt, 1, "blossom_pubkey", -1, SQLITE_STATIC);
sqlite3_bind_text(stmt, 2, pubkey_hex, -1, SQLITE_STATIC);
sqlite3_bind_text(stmt, 2, g_blossom_pubkey, -1, SQLITE_STATIC);
sqlite3_bind_text(stmt, 3, "Blossom server's public key (TEST MODE)", -1, SQLITE_STATIC);
sqlite3_step(stmt);
sqlite3_finalize(stmt);
}
if (strlen(g_admin_pubkey) > 0) {
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
if (rc == SQLITE_OK) {
sqlite3_bind_text(stmt, 1, "admin_pubkey", -1, SQLITE_STATIC);
sqlite3_bind_text(stmt, 2, g_admin_pubkey, -1, SQLITE_STATIC);
sqlite3_bind_text(stmt, 3, "Admin public key (TEST MODE)", -1, SQLITE_STATIC);
sqlite3_step(stmt);
sqlite3_finalize(stmt);
}
}
sqlite3_close(db);
}
fprintf(stderr, "STARTUP: Test server keys stored in database\n");
fprintf(stderr, "STARTUP: Server pubkey: %s\n", pubkey_hex);
fprintf(stderr, "STARTUP: Admin pubkey: %s\n", g_admin_pubkey);
app_log(LOG_INFO, "Test database initialized successfully");
}
// Scenario 3: Keys Specified (--server-privkey)
else if (test_server_privkey[0] != '\0') {
app_log(LOG_INFO, "=== SCENARIO 3: KEYS SPECIFIED ===");
// Now call load_server_keys to ensure admin_pubkey is also stored
int key_init_result = load_server_keys();
if (key_init_result != 0) {
fprintf(stderr, "WARNING: Failed to complete key initialization\n");
}
} else {
// Load keys from database (production mode)
int key_init_result = load_server_keys();
fprintf(stderr, "KEY INIT RESULT: %d\n", key_init_result);
fflush(stderr);
if (key_init_result != 0) {
fprintf(stderr, "FATAL ERROR: Failed to initialize server keys\n");
// Derive pubkey from provided privkey
if (derive_pubkey_from_privkey(test_server_privkey, g_blossom_pubkey) != 0) {
fprintf(stderr, "ERROR: Invalid server private key\n");
return 1;
}
fprintf(stderr, "STARTUP: Server keys initialized successfully\n");
fprintf(stderr, "KEYS: Derived pubkey: %s\n", g_blossom_pubkey);
// Scenario 5: Both database and keys specified - validate match
if (db_path_specified) {
fprintf(stderr, "\n=== SCENARIO 5: DATABASE + KEYS (VALIDATION) ===\n");
strncpy(g_db_path, specified_db_path, sizeof(g_db_path) - 1);
g_db_path[sizeof(g_db_path) - 1] = '\0';
// Check if database exists
struct stat st;
if (stat(g_db_path, &st) != 0) {
fprintf(stderr, "ERROR: Database file not found: %s\n", g_db_path);
return 1;
}
// Load keys from database
if (get_blossom_private_key(g_blossom_seckey, sizeof(g_blossom_seckey)) != 0) {
fprintf(stderr, "ERROR: Invalid database: missing server keys\n");
return 1;
}
// Compare with provided key
if (strcmp(g_blossom_seckey, test_server_privkey) != 0) {
fprintf(stderr, "ERROR: Server private key doesn't match database\n");
fprintf(stderr, " Provided key and database keys are different\n");
return 1;
}
fprintf(stderr, "VALIDATION: Keys match database - continuing\n");
// Validate pubkey matches filename
if (validate_database_pubkey_match(g_db_path, g_blossom_pubkey) != 0) {
return 1;
}
}
// Scenario 3 continued: Create new database with provided keys
else {
// Set database path based on derived pubkey
if (set_db_path_from_pubkey(g_blossom_pubkey) != 0) {
fprintf(stderr, "ERROR: Failed to set database path\n");
return 1;
}
// Check if database already exists
struct stat st;
if (stat(g_db_path, &st) == 0) {
fprintf(stderr, "ERROR: Database already exists for this pubkey: %s\n", g_db_path);
fprintf(stderr, " Use --db-path to open existing database or use different keys\n");
return 1;
}
// Initialize new database
if (initialize_database(g_db_path) != 0) {
fprintf(stderr, "ERROR: Failed to initialize database\n");
return 1;
}
// Store keys
strncpy(g_blossom_seckey, test_server_privkey, sizeof(g_blossom_seckey) - 1);
g_blossom_seckey[64] = '\0';
if (store_blossom_private_key(test_server_privkey) != 0) {
fprintf(stderr, "ERROR: Failed to store private key\n");
return 1;
}
// Store pubkey in config
sqlite3 *db;
sqlite3_stmt *stmt;
int rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READWRITE, NULL);
if (rc == SQLITE_OK) {
const char *sql = "INSERT OR REPLACE INTO config (key, value, description) VALUES (?, ?, ?)";
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
if (rc == SQLITE_OK) {
sqlite3_bind_text(stmt, 1, "blossom_pubkey", -1, SQLITE_STATIC);
sqlite3_bind_text(stmt, 2, g_blossom_pubkey, -1, SQLITE_STATIC);
sqlite3_bind_text(stmt, 3, "Blossom server's public key", -1, SQLITE_STATIC);
sqlite3_step(stmt);
sqlite3_finalize(stmt);
}
if (strlen(g_admin_pubkey) > 0) {
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
if (rc == SQLITE_OK) {
sqlite3_bind_text(stmt, 1, "admin_pubkey", -1, SQLITE_STATIC);
sqlite3_bind_text(stmt, 2, g_admin_pubkey, -1, SQLITE_STATIC);
sqlite3_bind_text(stmt, 3, "Admin public key", -1, SQLITE_STATIC);
sqlite3_step(stmt);
sqlite3_finalize(stmt);
}
}
sqlite3_close(db);
}
fprintf(stderr, "KEYS: New database created successfully\n");
}
}
fflush(stderr);
// Scenario 2: Database Specified (--db-path)
else if (db_path_specified) {
fprintf(stderr, "\n=== SCENARIO 2: DATABASE SPECIFIED ===\n");
strncpy(g_db_path, specified_db_path, sizeof(g_db_path) - 1);
g_db_path[sizeof(g_db_path) - 1] = '\0';
// Check if database exists
struct stat st;
if (stat(g_db_path, &st) != 0) {
fprintf(stderr, "ERROR: Database file not found: %s\n", g_db_path);
fprintf(stderr, " → Specify a different database or let the application create a new one\n");
return 1;
}
fprintf(stderr, "DATABASE: Opening existing database: %s\n", g_db_path);
// Load keys from database
if (load_server_keys() != 0) {
fprintf(stderr, "ERROR: Failed to load keys from database\n");
fprintf(stderr, " → Database may be corrupted or not a valid ginxsom database\n");
return 1;
}
fprintf(stderr, "DATABASE: Keys loaded and validated successfully\n");
}
// Scenario 1: No Arguments (Fresh Start)
else {
fprintf(stderr, "\n=== SCENARIO 1: FRESH START (NO ARGUMENTS) ===\n");
fprintf(stderr, "FRESH START: Generating new server keypair...\n");
// Generate new keypair (this will set g_db_path based on pubkey)
if (generate_server_keypair() != 0) {
fprintf(stderr, "ERROR: Failed to generate server keypair\n");
return 1;
}
fprintf(stderr, "FRESH START: New instance created successfully\n");
}
// ========================================================================
// END DATABASE AND KEY INITIALIZATION
// ========================================================================
app_log(LOG_INFO, "=== FINAL CONFIGURATION ===");
app_log(LOG_INFO, "Database path: %s", g_db_path);
app_log(LOG_INFO, "Storage directory: %s", g_storage_dir);
app_log(LOG_INFO, "Server pubkey: %s", g_blossom_pubkey);
if (strlen(g_admin_pubkey) > 0) {
app_log(LOG_INFO, "Admin pubkey: %s", g_admin_pubkey);
}
app_log(LOG_INFO, "===========================");
// If --generate-keys was specified, exit after key generation
if (g_generate_keys) {
fprintf(stderr, "Key generation completed, exiting.\n");
fflush(stderr);
app_log(LOG_INFO, "Key generation completed, exiting");
return 0;
}
@@ -1938,25 +2235,58 @@ if (!config_loaded /* && !initialize_server_config() */) {
}
// Initialize request validator system
fprintf(stderr, "STARTUP: Initializing request validator system...\r\n");
app_log(LOG_INFO, "Initializing request validator system...");
int validator_init_result =
ginxsom_request_validator_init(DB_PATH, "ginxsom");
fprintf(stderr, "MAIN: validator init return code: %d\r\n",
validator_init_result);
ginxsom_request_validator_init(g_db_path, "ginxsom");
if (validator_init_result != NOSTR_SUCCESS) {
fprintf(stderr,
"FATAL ERROR: Failed to initialize request validator system\r\n");
app_log(LOG_ERROR, "Failed to initialize request validator system (result: %d)", validator_init_result);
return 1;
}
fprintf(stderr,
"STARTUP: Request validator system initialized successfully\r\n");
fflush(stderr);
app_log(LOG_INFO, "Request validator system initialized successfully");
// Initialize relay client system
app_log(LOG_INFO, "Initializing relay client system...");
int relay_init_result = relay_client_init(g_db_path);
if (relay_init_result != 0) {
app_log(LOG_WARN, "Failed to initialize relay client system (result: %d)", relay_init_result);
app_log(LOG_WARN, "Continuing without relay client functionality");
} else {
app_log(LOG_INFO, "Relay client system initialized successfully");
// Start relay connections (this will check enable_relay_connect config)
app_log(LOG_INFO, "Starting relay client connections...");
int relay_start_result = relay_client_start();
if (relay_start_result != 0) {
app_log(LOG_WARN, "Failed to start relay client (result: %d)", relay_start_result);
app_log(LOG_WARN, "Relay client disabled - check configuration");
} else {
app_log(LOG_INFO, "Relay client started successfully");
}
}
// Initialize admin commands system
app_log(LOG_INFO, "Initializing admin commands system...");
int admin_cmd_result = admin_commands_init(g_db_path);
if (admin_cmd_result != 0) {
app_log(LOG_WARN, "Failed to initialize admin commands system (result: %d)", admin_cmd_result);
app_log(LOG_WARN, "Continuing without admin commands functionality");
} else {
app_log(LOG_INFO, "Admin commands system initialized successfully");
}
/////////////////////////////////////////////////////////////////////
// THIS IS WHERE THE REQUESTS ENTER THE FastCGI
/////////////////////////////////////////////////////////////////////
app_log(LOG_INFO, "FastCGI request loop starting - ready to accept requests");
int first_request = 1;
while (FCGI_Accept() >= 0) {
// Test stderr capture on first request
if (first_request) {
fprintf(stderr, "FCGI: First request received - testing nginx stderr capture\n");
fflush(stderr);
first_request = 0;
}
const char *request_method = getenv("REQUEST_METHOD");
const char *request_uri = getenv("REQUEST_URI");
const char *auth_header = getenv("HTTP_AUTHORIZATION");
@@ -2054,6 +2384,11 @@ if (!config_loaded /* && !initialize_server_config() */) {
operation = "report";
} else if (strncmp(request_uri, "/api/", 5) == 0) {
operation = "admin";
// Special case: POST /api/admin uses Kind 23456 events for authentication
// Skip centralized validation for these requests
if (strcmp(request_method, "POST") == 0 && strcmp(request_uri, "/api/admin") == 0) {
operation = "admin_event"; // Mark as special case
}
} else if (strcmp(request_method, "GET") == 0 && strncmp(request_uri, "/list/", 6) == 0) {
operation = "list";
} else if (strcmp(request_method, "GET") == 0 && strcmp(request_uri, "/auth") == 0) {
@@ -2095,6 +2430,9 @@ if (!config_loaded /* && !initialize_server_config() */) {
// List operation might be optional auth - let handler decide
} else if (strcmp(operation, "admin") == 0 && strcmp(request_uri, "/api/health") == 0) {
// Health endpoint is public and doesn't require authentication - let handler decide
} else if (strcmp(operation, "admin_event") == 0) {
// POST /api/admin uses Kind 23456 events - authentication handled by admin_event.c
// Skip centralized validation and let the handler validate the event
} else {
// For other operations, validation failure means auth failure
const char *message = result.reason[0] ? result.reason : "Authentication failed";

871
src/relay_client.c Normal file
View File

@@ -0,0 +1,871 @@
/*
* Ginxsom Relay Client Implementation
*
* Manages connections to Nostr relays, publishes events, and subscribes to admin commands.
*/
#include "relay_client.h"
#include "admin_commands.h"
#include "../nostr_core_lib/nostr_core/nostr_core.h"
#include <sqlite3.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pthread.h>
#include <unistd.h>
#include <time.h>
// Forward declare app_log to avoid including ginxsom.h (which has typedef conflicts)
typedef enum {
LOG_DEBUG = 0,
LOG_INFO = 1,
LOG_WARN = 2,
LOG_ERROR = 3
} log_level_t;
void app_log(log_level_t level, const char* format, ...);
// Maximum number of relays to connect to
#define MAX_RELAYS 10
// Reconnection settings
#define RECONNECT_DELAY_SECONDS 30
#define MAX_RECONNECT_ATTEMPTS 5
// Global state
static struct {
int enabled;
int initialized;
int running;
char db_path[512];
nostr_relay_pool_t* pool;
char** relay_urls;
int relay_count;
nostr_pool_subscription_t* admin_subscription;
pthread_t management_thread;
pthread_mutex_t state_mutex;
} g_relay_state = {0};
// External globals from main.c
extern char g_blossom_seckey[65];
extern char g_blossom_pubkey[65];
extern char g_admin_pubkey[65];
// Forward declarations
static void *relay_management_thread(void *arg);
static int load_config_from_db(void);
static int parse_relay_urls(const char *json_array);
static int subscribe_to_admin_commands(void);
static void on_publish_response(const char* relay_url, const char* event_id, int success, const char* message, void* user_data);
static void on_admin_command_event(cJSON* event, const char* relay_url, void* user_data);
static void on_admin_subscription_eose(cJSON** events, int event_count, void* user_data);
// Initialize relay client system
int relay_client_init(const char *db_path) {
if (g_relay_state.initialized) {
app_log(LOG_WARN, "Relay client already initialized");
return 0;
}
app_log(LOG_INFO, "Initializing relay client system...");
// Store database path
strncpy(g_relay_state.db_path, db_path, sizeof(g_relay_state.db_path) - 1);
// Initialize mutex
if (pthread_mutex_init(&g_relay_state.state_mutex, NULL) != 0) {
app_log(LOG_ERROR, "Failed to initialize relay state mutex");
return -1;
}
// Load configuration from database
if (load_config_from_db() != 0) {
app_log(LOG_ERROR, "Failed to load relay configuration from database");
pthread_mutex_destroy(&g_relay_state.state_mutex);
return -1;
}
// Create relay pool if enabled
if (g_relay_state.enabled) {
// Use default reconnection config (don't free - it's a static structure)
nostr_pool_reconnect_config_t* config = nostr_pool_reconnect_config_default();
g_relay_state.pool = nostr_relay_pool_create(config);
if (!g_relay_state.pool) {
app_log(LOG_ERROR, "Failed to create relay pool");
pthread_mutex_destroy(&g_relay_state.state_mutex);
return -1;
}
// Add all relays to pool
for (int i = 0; i < g_relay_state.relay_count; i++) {
if (nostr_relay_pool_add_relay(g_relay_state.pool, g_relay_state.relay_urls[i]) != NOSTR_SUCCESS) {
app_log(LOG_WARN, "Failed to add relay to pool: %s", g_relay_state.relay_urls[i]);
}
}
// Trigger initial connection attempts by creating a dummy subscription
// This forces ensure_relay_connection() to be called for each relay
app_log(LOG_INFO, "Initiating relay connections...");
cJSON* dummy_filter = cJSON_CreateObject();
cJSON* kinds = cJSON_CreateArray();
cJSON_AddItemToArray(kinds, cJSON_CreateNumber(0)); // Kind 0 (will match nothing)
cJSON_AddItemToObject(dummy_filter, "kinds", kinds);
cJSON_AddNumberToObject(dummy_filter, "limit", 0); // Limit 0 = no results
nostr_pool_subscription_t* dummy_sub = nostr_relay_pool_subscribe(
g_relay_state.pool,
(const char**)g_relay_state.relay_urls,
g_relay_state.relay_count,
dummy_filter,
NULL, // No event callback
NULL, // No EOSE callback
NULL, // No user data
1, // close_on_eose
1, // enable_deduplication
NOSTR_POOL_EOSE_FIRST, // result_mode
30, // relay_timeout_seconds
30 // eose_timeout_seconds
);
cJSON_Delete(dummy_filter);
// Immediately close the dummy subscription
if (dummy_sub) {
nostr_pool_subscription_close(dummy_sub);
app_log(LOG_INFO, "Connection attempts initiated for %d relays", g_relay_state.relay_count);
} else {
app_log(LOG_WARN, "Failed to initiate connection attempts");
}
}
g_relay_state.initialized = 1;
app_log(LOG_INFO, "Relay client initialized (enabled: %d, relays: %d)",
g_relay_state.enabled, g_relay_state.relay_count);
return 0;
}
// Load configuration from database
static int load_config_from_db(void) {
sqlite3 *db;
sqlite3_stmt *stmt;
int rc;
rc = sqlite3_open_v2(g_relay_state.db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc != SQLITE_OK) {
app_log(LOG_ERROR, "Cannot open database: %s", sqlite3_errmsg(db));
return -1;
}
// Load enable_relay_connect
const char *sql = "SELECT value FROM config WHERE key = ?";
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
if (rc != SQLITE_OK) {
app_log(LOG_ERROR, "Failed to prepare statement: %s", sqlite3_errmsg(db));
sqlite3_close(db);
return -1;
}
sqlite3_bind_text(stmt, 1, "enable_relay_connect", -1, SQLITE_STATIC);
rc = sqlite3_step(stmt);
if (rc == SQLITE_ROW) {
const char *value = (const char *)sqlite3_column_text(stmt, 0);
g_relay_state.enabled = (strcmp(value, "true") == 0 || strcmp(value, "1") == 0);
} else {
g_relay_state.enabled = 0;
}
sqlite3_finalize(stmt);
// If not enabled, skip loading relay URLs
if (!g_relay_state.enabled) {
sqlite3_close(db);
return 0;
}
// Load kind_10002_tags (relay URLs)
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
if (rc != SQLITE_OK) {
app_log(LOG_ERROR, "Failed to prepare statement: %s", sqlite3_errmsg(db));
sqlite3_close(db);
return -1;
}
sqlite3_bind_text(stmt, 1, "kind_10002_tags", -1, SQLITE_STATIC);
rc = sqlite3_step(stmt);
if (rc == SQLITE_ROW) {
const char *json_array = (const char *)sqlite3_column_text(stmt, 0);
if (parse_relay_urls(json_array) != 0) {
app_log(LOG_ERROR, "Failed to parse relay URLs from config");
sqlite3_finalize(stmt);
sqlite3_close(db);
return -1;
}
} else {
app_log(LOG_WARN, "No relay URLs configured in kind_10002_tags");
}
sqlite3_finalize(stmt);
sqlite3_close(db);
return 0;
}
// Parse relay URLs from JSON array
static int parse_relay_urls(const char *json_array) {
cJSON *root = cJSON_Parse(json_array);
if (!root || !cJSON_IsArray(root)) {
app_log(LOG_ERROR, "Invalid JSON array for relay URLs");
if (root) cJSON_Delete(root);
return -1;
}
int count = cJSON_GetArraySize(root);
if (count > MAX_RELAYS) {
app_log(LOG_WARN, "Too many relays configured (%d), limiting to %d", count, MAX_RELAYS);
count = MAX_RELAYS;
}
// Allocate relay URLs array
g_relay_state.relay_urls = malloc(count * sizeof(char*));
if (!g_relay_state.relay_urls) {
cJSON_Delete(root);
return -1;
}
g_relay_state.relay_count = 0;
for (int i = 0; i < count; i++) {
cJSON *item = cJSON_GetArrayItem(root, i);
if (cJSON_IsString(item) && item->valuestring) {
g_relay_state.relay_urls[g_relay_state.relay_count] = strdup(item->valuestring);
if (!g_relay_state.relay_urls[g_relay_state.relay_count]) {
// Cleanup on failure
for (int j = 0; j < g_relay_state.relay_count; j++) {
free(g_relay_state.relay_urls[j]);
}
free(g_relay_state.relay_urls);
cJSON_Delete(root);
return -1;
}
g_relay_state.relay_count++;
}
}
cJSON_Delete(root);
app_log(LOG_INFO, "Parsed %d relay URLs from configuration", g_relay_state.relay_count);
return 0;
}
// Start relay connections
int relay_client_start(void) {
if (!g_relay_state.initialized) {
app_log(LOG_ERROR, "Relay client not initialized");
return -1;
}
if (!g_relay_state.enabled) {
app_log(LOG_INFO, "Relay client disabled in configuration");
return 0;
}
if (g_relay_state.running) {
app_log(LOG_WARN, "Relay client already running");
return 0;
}
app_log(LOG_INFO, "Starting relay client...");
// Start management thread
g_relay_state.running = 1;
if (pthread_create(&g_relay_state.management_thread, NULL, relay_management_thread, NULL) != 0) {
app_log(LOG_ERROR, "Failed to create relay management thread");
g_relay_state.running = 0;
return -1;
}
app_log(LOG_INFO, "Relay client started successfully");
return 0;
}
// Relay management thread
static void *relay_management_thread(void *arg) {
(void)arg;
app_log(LOG_INFO, "Relay management thread started");
// Wait for at least one relay to connect (max 30 seconds)
int connected = 0;
for (int i = 0; i < 30 && !connected; i++) {
sleep(1);
// Poll to process connection attempts
nostr_relay_pool_poll(g_relay_state.pool, 100);
// Check if any relay is connected
for (int j = 0; j < g_relay_state.relay_count; j++) {
nostr_pool_relay_status_t status = nostr_relay_pool_get_relay_status(
g_relay_state.pool,
g_relay_state.relay_urls[j]
);
if (status == NOSTR_POOL_RELAY_CONNECTED) {
connected = 1;
app_log(LOG_INFO, "Relay connected: %s", g_relay_state.relay_urls[j]);
break;
}
}
}
if (!connected) {
app_log(LOG_WARN, "No relays connected after 30 seconds, continuing anyway");
}
// Publish initial events
relay_client_publish_kind0();
relay_client_publish_kind10002();
// Subscribe to admin commands
subscribe_to_admin_commands();
// Main loop: poll the relay pool for incoming messages
while (g_relay_state.running) {
// Poll with 1000ms timeout
int events_processed = nostr_relay_pool_poll(g_relay_state.pool, 1000);
if (events_processed < 0) {
app_log(LOG_ERROR, "Error polling relay pool");
sleep(1);
}
// Pool handles all connection management, reconnection, and message processing
}
app_log(LOG_INFO, "Relay management thread stopping");
return NULL;
}
// Stop relay connections
void relay_client_stop(void) {
if (!g_relay_state.running) {
return;
}
app_log(LOG_INFO, "Stopping relay client...");
g_relay_state.running = 0;
// Wait for management thread to finish
pthread_join(g_relay_state.management_thread, NULL);
// Close admin subscription
if (g_relay_state.admin_subscription) {
nostr_pool_subscription_close(g_relay_state.admin_subscription);
g_relay_state.admin_subscription = NULL;
}
// Destroy relay pool (automatically disconnects all relays)
if (g_relay_state.pool) {
nostr_relay_pool_destroy(g_relay_state.pool);
g_relay_state.pool = NULL;
}
// Free relay URLs
if (g_relay_state.relay_urls) {
for (int i = 0; i < g_relay_state.relay_count; i++) {
free(g_relay_state.relay_urls[i]);
}
free(g_relay_state.relay_urls);
g_relay_state.relay_urls = NULL;
}
pthread_mutex_destroy(&g_relay_state.state_mutex);
app_log(LOG_INFO, "Relay client stopped");
}
// Check if relay client is enabled
int relay_client_is_enabled(void) {
return g_relay_state.enabled;
}
// Publish Kind 0 profile event
int relay_client_publish_kind0(void) {
if (!g_relay_state.enabled || !g_relay_state.running || !g_relay_state.pool) {
return -1;
}
app_log(LOG_INFO, "Publishing Kind 0 profile event...");
// Load kind_0_content from database
sqlite3 *db;
sqlite3_stmt *stmt;
int rc;
rc = sqlite3_open_v2(g_relay_state.db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc != SQLITE_OK) {
app_log(LOG_ERROR, "Cannot open database: %s", sqlite3_errmsg(db));
return -1;
}
const char *sql = "SELECT value FROM config WHERE key = 'kind_0_content'";
rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
if (rc != SQLITE_OK) {
app_log(LOG_ERROR, "Failed to prepare statement: %s", sqlite3_errmsg(db));
sqlite3_close(db);
return -1;
}
rc = sqlite3_step(stmt);
if (rc != SQLITE_ROW) {
app_log(LOG_WARN, "No kind_0_content found in config");
sqlite3_finalize(stmt);
sqlite3_close(db);
return -1;
}
const char *content = (const char *)sqlite3_column_text(stmt, 0);
// Convert private key from hex to bytes
unsigned char privkey_bytes[32];
if (nostr_hex_to_bytes(g_blossom_seckey, privkey_bytes, 32) != 0) {
app_log(LOG_ERROR, "Failed to convert private key from hex");
sqlite3_finalize(stmt);
sqlite3_close(db);
return -1;
}
// Create and sign Kind 0 event using nostr_core_lib
cJSON* event = nostr_create_and_sign_event(
0, // kind
content, // content
NULL, // tags (empty for Kind 0)
privkey_bytes, // private key
time(NULL) // created_at
);
sqlite3_finalize(stmt);
sqlite3_close(db);
if (!event) {
app_log(LOG_ERROR, "Failed to create Kind 0 event");
return -1;
}
// Publish to all relays using async pool API
int result = nostr_relay_pool_publish_async(
g_relay_state.pool,
(const char**)g_relay_state.relay_urls,
g_relay_state.relay_count,
event,
on_publish_response,
(void*)"Kind 0" // user_data to identify event type
);
cJSON_Delete(event);
if (result == 0) {
app_log(LOG_INFO, "Kind 0 profile event publish initiated");
return 0;
} else {
app_log(LOG_ERROR, "Failed to initiate Kind 0 profile event publish");
return -1;
}
}
// Publish Kind 10002 relay list event
int relay_client_publish_kind10002(void) {
if (!g_relay_state.enabled || !g_relay_state.running || !g_relay_state.pool) {
return -1;
}
app_log(LOG_INFO, "Publishing Kind 10002 relay list event...");
// Build tags array from configured relays
cJSON* tags = cJSON_CreateArray();
for (int i = 0; i < g_relay_state.relay_count; i++) {
cJSON* tag = cJSON_CreateArray();
cJSON_AddItemToArray(tag, cJSON_CreateString("r"));
cJSON_AddItemToArray(tag, cJSON_CreateString(g_relay_state.relay_urls[i]));
cJSON_AddItemToArray(tags, tag);
}
// Convert private key from hex to bytes
unsigned char privkey_bytes[32];
if (nostr_hex_to_bytes(g_blossom_seckey, privkey_bytes, 32) != 0) {
app_log(LOG_ERROR, "Failed to convert private key from hex");
cJSON_Delete(tags);
return -1;
}
// Create and sign Kind 10002 event
cJSON* event = nostr_create_and_sign_event(
10002, // kind
"", // content (empty for Kind 10002)
tags, // tags
privkey_bytes, // private key
time(NULL) // created_at
);
cJSON_Delete(tags);
if (!event) {
app_log(LOG_ERROR, "Failed to create Kind 10002 event");
return -1;
}
// Publish to all relays using async pool API
int result = nostr_relay_pool_publish_async(
g_relay_state.pool,
(const char**)g_relay_state.relay_urls,
g_relay_state.relay_count,
event,
on_publish_response,
(void*)"Kind 10002" // user_data to identify event type
);
cJSON_Delete(event);
if (result == 0) {
app_log(LOG_INFO, "Kind 10002 relay list event publish initiated");
return 0;
} else {
app_log(LOG_ERROR, "Failed to initiate Kind 10002 relay list event publish");
return -1;
}
}
// Send Kind 23459 admin response event
int relay_client_send_admin_response(const char *recipient_pubkey, const char *response_content) {
if (!g_relay_state.enabled || !g_relay_state.running || !g_relay_state.pool) {
return -1;
}
if (!recipient_pubkey || !response_content) {
return -1;
}
app_log(LOG_INFO, "Sending Kind 23459 admin response to %s", recipient_pubkey);
// TODO: Encrypt response_content using NIP-44
// For now, use plaintext (stub implementation)
const char *encrypted_content = response_content;
// Build tags array
cJSON* tags = cJSON_CreateArray();
cJSON* p_tag = cJSON_CreateArray();
cJSON_AddItemToArray(p_tag, cJSON_CreateString("p"));
cJSON_AddItemToArray(p_tag, cJSON_CreateString(recipient_pubkey));
cJSON_AddItemToArray(tags, p_tag);
// Convert private key from hex to bytes
unsigned char privkey_bytes[32];
if (nostr_hex_to_bytes(g_blossom_seckey, privkey_bytes, 32) != 0) {
app_log(LOG_ERROR, "Failed to convert private key from hex");
cJSON_Delete(tags);
return -1;
}
// Create and sign Kind 23459 event
cJSON* event = nostr_create_and_sign_event(
23459, // kind
encrypted_content, // content
tags, // tags
privkey_bytes, // private key
time(NULL) // created_at
);
cJSON_Delete(tags);
if (!event) {
app_log(LOG_ERROR, "Failed to create Kind 23459 event");
return -1;
}
// Publish to all relays using async pool API
int result = nostr_relay_pool_publish_async(
g_relay_state.pool,
(const char**)g_relay_state.relay_urls,
g_relay_state.relay_count,
event,
on_publish_response,
(void*)"Kind 23459" // user_data to identify event type
);
cJSON_Delete(event);
if (result == 0) {
app_log(LOG_INFO, "Kind 23459 admin response publish initiated");
return 0;
} else {
app_log(LOG_ERROR, "Failed to initiate Kind 23459 admin response publish");
return -1;
}
}
// Callback for publish responses
static void on_publish_response(const char* relay_url, const char* event_id, int success, const char* message, void* user_data) {
const char* event_type = (const char*)user_data;
if (success) {
app_log(LOG_INFO, "%s event published successfully to %s (ID: %s)",
event_type, relay_url, event_id);
} else {
app_log(LOG_WARN, "%s event rejected by %s: %s",
event_type, relay_url, message ? message : "unknown error");
}
}
// Callback for received Kind 23458 admin command events
static void on_admin_command_event(cJSON* event, const char* relay_url, void* user_data) {
(void)user_data;
app_log(LOG_INFO, "Received Kind 23458 admin command from relay: %s", relay_url);
// Extract event fields
cJSON* kind_json = cJSON_GetObjectItem(event, "kind");
cJSON* pubkey_json = cJSON_GetObjectItem(event, "pubkey");
cJSON* content_json = cJSON_GetObjectItem(event, "content");
cJSON* id_json = cJSON_GetObjectItem(event, "id");
if (!kind_json || !pubkey_json || !content_json || !id_json) {
app_log(LOG_ERROR, "Invalid event structure");
return;
}
int kind = cJSON_GetNumberValue(kind_json);
const char* sender_pubkey = cJSON_GetStringValue(pubkey_json);
const char* encrypted_content = cJSON_GetStringValue(content_json);
const char* event_id = cJSON_GetStringValue(id_json);
if (kind != 23458) {
app_log(LOG_WARN, "Unexpected event kind: %d", kind);
return;
}
// Verify sender is admin
if (strcmp(sender_pubkey, g_admin_pubkey) != 0) {
app_log(LOG_WARN, "Ignoring command from non-admin pubkey: %s", sender_pubkey);
return;
}
app_log(LOG_INFO, "Processing admin command (event ID: %s)", event_id);
// Convert keys from hex to bytes
unsigned char server_privkey[32];
unsigned char admin_pubkey_bytes[32];
if (nostr_hex_to_bytes(g_blossom_seckey, server_privkey, 32) != 0) {
app_log(LOG_ERROR, "Failed to convert server private key from hex");
return;
}
if (nostr_hex_to_bytes(sender_pubkey, admin_pubkey_bytes, 32) != 0) {
app_log(LOG_ERROR, "Failed to convert admin public key from hex");
return;
}
// Decrypt command content using NIP-44
char decrypted_command[4096];
if (admin_decrypt_command(server_privkey, admin_pubkey_bytes, encrypted_content,
decrypted_command, sizeof(decrypted_command)) != 0) {
app_log(LOG_ERROR, "Failed to decrypt admin command");
// Send error response
cJSON* error_response = cJSON_CreateObject();
cJSON_AddStringToObject(error_response, "status", "error");
cJSON_AddStringToObject(error_response, "message", "Failed to decrypt command");
char* error_json = cJSON_PrintUnformatted(error_response);
cJSON_Delete(error_response);
char encrypted_response[4096];
if (admin_encrypt_response(server_privkey, admin_pubkey_bytes, error_json,
encrypted_response, sizeof(encrypted_response)) == 0) {
relay_client_send_admin_response(sender_pubkey, encrypted_response);
}
free(error_json);
return;
}
app_log(LOG_DEBUG, "Decrypted command: %s", decrypted_command);
// Parse command JSON
cJSON* command_json = cJSON_Parse(decrypted_command);
if (!command_json) {
app_log(LOG_ERROR, "Failed to parse command JSON");
cJSON* error_response = cJSON_CreateObject();
cJSON_AddStringToObject(error_response, "status", "error");
cJSON_AddStringToObject(error_response, "message", "Invalid JSON format");
char* error_json = cJSON_PrintUnformatted(error_response);
cJSON_Delete(error_response);
char encrypted_response[4096];
if (admin_encrypt_response(server_privkey, admin_pubkey_bytes, error_json,
encrypted_response, sizeof(encrypted_response)) == 0) {
relay_client_send_admin_response(sender_pubkey, encrypted_response);
}
free(error_json);
return;
}
// Process command and get response
cJSON* response_json = admin_commands_process(command_json, event_id);
cJSON_Delete(command_json);
if (!response_json) {
app_log(LOG_ERROR, "Failed to process admin command");
response_json = cJSON_CreateObject();
cJSON_AddStringToObject(response_json, "status", "error");
cJSON_AddStringToObject(response_json, "message", "Failed to process command");
}
// Convert response to JSON string
char* response_str = cJSON_PrintUnformatted(response_json);
cJSON_Delete(response_json);
if (!response_str) {
app_log(LOG_ERROR, "Failed to serialize response JSON");
return;
}
// Encrypt and send response
char encrypted_response[4096];
if (admin_encrypt_response(server_privkey, admin_pubkey_bytes, response_str,
encrypted_response, sizeof(encrypted_response)) != 0) {
app_log(LOG_ERROR, "Failed to encrypt admin response");
free(response_str);
return;
}
free(response_str);
if (relay_client_send_admin_response(sender_pubkey, encrypted_response) != 0) {
app_log(LOG_ERROR, "Failed to send admin response");
}
}
// Callback for EOSE (End Of Stored Events) - new signature
static void on_admin_subscription_eose(cJSON** events, int event_count, void* user_data) {
(void)events;
(void)event_count;
(void)user_data;
app_log(LOG_INFO, "Received EOSE for admin command subscription");
}
// Subscribe to admin commands (Kind 23458)
static int subscribe_to_admin_commands(void) {
if (!g_relay_state.pool) {
return -1;
}
app_log(LOG_INFO, "Subscribing to Kind 23458 admin commands...");
// Create subscription filter for Kind 23458 events addressed to us
cJSON* filter = cJSON_CreateObject();
cJSON* kinds = cJSON_CreateArray();
cJSON_AddItemToArray(kinds, cJSON_CreateNumber(23458));
cJSON_AddItemToObject(filter, "kinds", kinds);
cJSON* p_tags = cJSON_CreateArray();
cJSON_AddItemToArray(p_tags, cJSON_CreateString(g_blossom_pubkey));
cJSON_AddItemToObject(filter, "#p", p_tags);
cJSON_AddNumberToObject(filter, "since", (double)time(NULL));
// Subscribe using pool with new API signature
g_relay_state.admin_subscription = nostr_relay_pool_subscribe(
g_relay_state.pool,
(const char**)g_relay_state.relay_urls,
g_relay_state.relay_count,
filter,
on_admin_command_event,
on_admin_subscription_eose,
NULL, // user_data
0, // close_on_eose (keep subscription open)
1, // enable_deduplication
NOSTR_POOL_EOSE_FULL_SET, // result_mode
30, // relay_timeout_seconds
30 // eose_timeout_seconds
);
cJSON_Delete(filter);
if (!g_relay_state.admin_subscription) {
app_log(LOG_ERROR, "Failed to create admin command subscription");
return -1;
}
app_log(LOG_INFO, "Successfully subscribed to admin commands");
return 0;
}
// Get current relay connection status
char *relay_client_get_status(void) {
if (!g_relay_state.pool) {
return strdup("[]");
}
cJSON *root = cJSON_CreateArray();
pthread_mutex_lock(&g_relay_state.state_mutex);
for (int i = 0; i < g_relay_state.relay_count; i++) {
cJSON *relay_obj = cJSON_CreateObject();
cJSON_AddStringToObject(relay_obj, "url", g_relay_state.relay_urls[i]);
// Get status from pool
nostr_pool_relay_status_t status = nostr_relay_pool_get_relay_status(
g_relay_state.pool,
g_relay_state.relay_urls[i]
);
const char *state_str;
switch (status) {
case NOSTR_POOL_RELAY_CONNECTED: state_str = "connected"; break;
case NOSTR_POOL_RELAY_CONNECTING: state_str = "connecting"; break;
case NOSTR_POOL_RELAY_ERROR: state_str = "error"; break;
default: state_str = "disconnected"; break;
}
cJSON_AddStringToObject(relay_obj, "state", state_str);
// Get statistics from pool
const nostr_relay_stats_t* stats = nostr_relay_pool_get_relay_stats(
g_relay_state.pool,
g_relay_state.relay_urls[i]
);
if (stats) {
cJSON_AddNumberToObject(relay_obj, "events_received", stats->events_received);
cJSON_AddNumberToObject(relay_obj, "events_published", stats->events_published);
cJSON_AddNumberToObject(relay_obj, "connection_attempts", stats->connection_attempts);
cJSON_AddNumberToObject(relay_obj, "connection_failures", stats->connection_failures);
if (stats->query_latency_avg > 0) {
cJSON_AddNumberToObject(relay_obj, "query_latency_ms", stats->query_latency_avg);
}
}
cJSON_AddItemToArray(root, relay_obj);
}
pthread_mutex_unlock(&g_relay_state.state_mutex);
char *json_str = cJSON_PrintUnformatted(root);
cJSON_Delete(root);
return json_str;
}
// Force reconnection to all relays
int relay_client_reconnect(void) {
if (!g_relay_state.enabled || !g_relay_state.running || !g_relay_state.pool) {
return -1;
}
app_log(LOG_INFO, "Forcing reconnection to all relays...");
// Remove and re-add all relays to force reconnection
pthread_mutex_lock(&g_relay_state.state_mutex);
for (int i = 0; i < g_relay_state.relay_count; i++) {
nostr_relay_pool_remove_relay(g_relay_state.pool, g_relay_state.relay_urls[i]);
nostr_relay_pool_add_relay(g_relay_state.pool, g_relay_state.relay_urls[i]);
}
pthread_mutex_unlock(&g_relay_state.state_mutex);
app_log(LOG_INFO, "Reconnection initiated for all relays");
return 0;
}

78
src/relay_client.h Normal file
View File

@@ -0,0 +1,78 @@
/*
* Ginxsom Relay Client - Nostr Relay Connection Manager
*
* This module enables Ginxsom to act as a Nostr client, connecting to relays
* to publish events (Kind 0, Kind 10002) and subscribe to admin commands (Kind 23456).
*/
#ifndef RELAY_CLIENT_H
#define RELAY_CLIENT_H
#include <stddef.h>
#include <time.h>
// Connection states for relay tracking
typedef enum {
RELAY_STATE_DISCONNECTED = 0,
RELAY_STATE_CONNECTING = 1,
RELAY_STATE_CONNECTED = 2,
RELAY_STATE_ERROR = 3
} relay_state_t;
// Relay connection info (in-memory only)
typedef struct {
char url[256];
relay_state_t state;
int reconnect_attempts;
time_t last_connect_attempt;
time_t connected_since;
} relay_info_t;
// Initialize relay client system
// Loads configuration from database and prepares for connections
// Returns: 0 on success, -1 on error
int relay_client_init(const char *db_path);
// Start relay connections
// Connects to all relays specified in kind_10002_tags config
// Publishes Kind 0 and Kind 10002 events after successful connection
// Returns: 0 on success, -1 on error
int relay_client_start(void);
// Stop relay connections and cleanup
// Gracefully disconnects from all relays and stops background thread
void relay_client_stop(void);
// Check if relay client is enabled
// Returns: 1 if enabled, 0 if disabled
int relay_client_is_enabled(void);
// Publish Kind 0 profile event to all connected relays
// Uses kind_0_content from config database
// Returns: 0 on success, -1 on error
int relay_client_publish_kind0(void);
// Publish Kind 10002 relay list event to all connected relays
// Uses kind_10002_tags from config database
// Returns: 0 on success, -1 on error
int relay_client_publish_kind10002(void);
// Send Kind 23457 admin response event
// Encrypts content using NIP-44 and publishes to all connected relays
// Parameters:
// - recipient_pubkey: Admin's public key (recipient)
// - response_content: JSON response content to encrypt
// Returns: 0 on success, -1 on error
int relay_client_send_admin_response(const char *recipient_pubkey, const char *response_content);
// Get current relay connection status
// Returns JSON string with relay status (caller must free)
// Format: [{"url": "wss://...", "state": "connected", "connected_since": 1234567890}, ...]
char *relay_client_get_status(void);
// Force reconnection to all relays
// Disconnects and reconnects to all configured relays
// Returns: 0 on success, -1 on error
int relay_client_reconnect(void);
#endif // RELAY_CLIENT_H

25
src/request_validator.c
View File

@@ -32,8 +32,8 @@
// NOSTR_ERROR_NIP42_CHALLENGE_EXPIRED are already defined in
// nostr_core_lib/nostr_core/nostr_common.h
// Database path (consistent with main.c)
#define DB_PATH "db/ginxsom.db"
// Use global database path from main.c
extern char g_db_path[];
// NIP-42 challenge management constants
#define MAX_CHALLENGES 1000
@@ -529,7 +529,7 @@ int nostr_validate_unified_request(const nostr_unified_request_t *request,
"VALIDATOR_DEBUG: STEP 10 FAILED - NIP-42 requires request_url and "
"challenge (from event tags)\n");
result->valid = 0;
result->error_code = NOSTR_ERROR_NIP42_NOT_CONFIGURED;
result->error_code = NOSTR_ERROR_NIP42_INVALID_CHALLENGE;
strcpy(result->reason, "NIP-42 authentication requires request_url and challenge in event tags");
cJSON_Delete(event);
return NOSTR_SUCCESS;
@@ -549,15 +549,12 @@ int nostr_validate_unified_request(const nostr_unified_request_t *request,
// Map specific NIP-42 error codes to detailed error messages
switch (nip42_result) {
case NOSTR_ERROR_NIP42_CHALLENGE_NOT_FOUND:
strcpy(result->reason, "Challenge not found or has been used. Request a new challenge from /auth endpoint.");
case NOSTR_ERROR_NIP42_INVALID_CHALLENGE:
strcpy(result->reason, "Challenge not found or invalid. Request a new challenge from /auth endpoint.");
break;
case NOSTR_ERROR_NIP42_CHALLENGE_EXPIRED:
strcpy(result->reason, "Challenge has expired. Request a new challenge from /auth endpoint.");
break;
case NOSTR_ERROR_NIP42_INVALID_CHALLENGE:
strcpy(result->reason, "Invalid challenge format. Challenge must be a valid hex string.");
break;
case NOSTR_ERROR_NIP42_URL_MISMATCH:
strcpy(result->reason, "Relay URL in auth event does not match server. Use 'ginxsom' as relay value.");
break;
@@ -576,12 +573,6 @@ int nostr_validate_unified_request(const nostr_unified_request_t *request,
case NOSTR_ERROR_EVENT_INVALID_TAGS:
strcpy(result->reason, "Required tags missing. Auth event must include 'relay' and 'expiration' tags.");
break;
case NOSTR_ERROR_NIP42_INVALID_RELAY_URL:
strcpy(result->reason, "Invalid relay URL in tags. Use 'ginxsom' as the relay identifier.");
break;
case NOSTR_ERROR_NIP42_NOT_CONFIGURED:
strcpy(result->reason, "NIP-42 authentication not properly configured on server.");
break;
default:
snprintf(result->reason, sizeof(result->reason),
"NIP-42 authentication failed (error code: %d). Check event structure and signature.",
@@ -1064,7 +1055,7 @@ static int reload_auth_config(void) {
memset(&g_auth_cache, 0, sizeof(g_auth_cache));
// Open database
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc != SQLITE_OK) {
validator_debug_log("VALIDATOR: Could not open database\n");
// Use defaults
@@ -1345,7 +1336,7 @@ static int check_database_auth_rules(const char *pubkey, const char *operation,
validator_debug_log(rules_msg);
// Open database
rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY, NULL);
rc = sqlite3_open_v2(g_db_path, &db, SQLITE_OPEN_READONLY, NULL);
if (rc != SQLITE_OK) {
validator_debug_log(
"VALIDATOR_DEBUG: RULES ENGINE - Failed to open database\n");
@@ -1907,7 +1898,7 @@ static int validate_challenge(const char *challenge_id) {
}
validator_debug_log("NIP-42: Challenge not found\n");
return NOSTR_ERROR_NIP42_CHALLENGE_NOT_FOUND;
return NOSTR_ERROR_NIP42_INVALID_CHALLENGE;
}
/**

199
tests/23458_test.sh Executable file
View File

@@ -0,0 +1,199 @@
#!/bin/bash
# Simple test for Kind 23458 relay-based admin commands
# Tests config_query command via Nostr relay subscription
set -e
# Configuration
TEST_KEYS_FILE=".test_keys"
RELAY_URL="wss://relay.laantungir.net"
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
BLUE='\033[0;34m'
NC='\033[0m'
log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
log_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; }
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
# Load test keys
if [[ ! -f "$TEST_KEYS_FILE" ]]; then
log_error "$TEST_KEYS_FILE not found"
exit 1
fi
source "$TEST_KEYS_FILE"
# Check dependencies
for cmd in nak jq websocat; do
if ! command -v $cmd &> /dev/null; then
log_error "$cmd is not installed"
exit 1
fi
done
echo "=== Kind 23458 Admin Command Test ==="
echo ""
log_info "Configuration:"
log_info " Admin Privkey: ${ADMIN_PRIVKEY:0:16}..."
log_info " Server Pubkey: $SERVER_PUBKEY"
log_info " Relay URL: $RELAY_URL"
echo ""
# Test 1: Send config_query command
log_info "Test: Sending config_query command"
echo ""
# Encrypt command with NIP-44
# Command format: ["config_query"]
PLAINTEXT_COMMAND='["config_query"]'
log_info "Encrypting command with NIP-44..."
ENCRYPTED_COMMAND=$(nak encrypt --sec "$ADMIN_PRIVKEY" -p "$SERVER_PUBKEY" "$PLAINTEXT_COMMAND")
if [[ -z "$ENCRYPTED_COMMAND" ]]; then
log_error "Failed to encrypt command"
exit 1
fi
log_success "Command encrypted"
log_info "Encrypted content: ${ENCRYPTED_COMMAND:0:50}..."
echo ""
log_info "Creating Kind 23458 event..."
EVENT=$(nak event -k 23458 \
-c "$ENCRYPTED_COMMAND" \
--tag p="$SERVER_PUBKEY" \
--sec "$ADMIN_PRIVKEY")
if [[ -z "$EVENT" ]]; then
log_error "Failed to create event"
exit 1
fi
log_success "Event created"
echo "$EVENT" | jq .
echo ""
# Step 1: Create pipes for bidirectional communication
log_info "Step 1: Setting up websocat connection..."
SINCE=$(date +%s)
# Create named pipes for input and output
INPUT_PIPE=$(mktemp -u)
OUTPUT_PIPE=$(mktemp -u)
mkfifo "$INPUT_PIPE"
mkfifo "$OUTPUT_PIPE"
# Start websocat in background with bidirectional communication
(websocat "$RELAY_URL" < "$INPUT_PIPE" > "$OUTPUT_PIPE" 2>/dev/null) &
WEBSOCAT_PID=$!
# Open pipes for writing and reading
exec 3>"$INPUT_PIPE" # File descriptor 3 for writing
exec 4<"$OUTPUT_PIPE" # File descriptor 4 for reading
# Give connection time to establish
sleep 1
log_success "WebSocket connection established"
echo ""
# Step 2: Subscribe to Kind 23459 responses
log_info "Step 2: Subscribing to Kind 23459 responses..."
# Create subscription filter
SUBSCRIPTION_FILTER='["REQ","admin-response",{"kinds":[23459],"authors":["'$SERVER_PUBKEY'"],"#p":["'$ADMIN_PUBKEY'"],"since":'$SINCE'}]'
# Send subscription
echo "$SUBSCRIPTION_FILTER" >&3
sleep 1
log_success "Subscription sent"
echo ""
# Step 3: Publish the command event
log_info "Step 3: Publishing Kind 23458 command event..."
# Create EVENT message
EVENT_MSG='["EVENT",'$EVENT']'
# Send event
echo "$EVENT_MSG" >&3
sleep 1
log_success "Event published"
echo ""
# Step 4: Wait for response
log_info "Step 4: Waiting for Kind 23459 response (timeout: 15s)..."
RESPONSE_RECEIVED=0
TIMEOUT=15
START_TIME=$(date +%s)
while [[ $(($(date +%s) - START_TIME)) -lt $TIMEOUT ]]; do
if read -t 1 -r line <&4; then
if [[ -n "$line" ]]; then
# Parse the relay message
MSG_TYPE=$(echo "$line" | jq -r '.[0] // empty' 2>/dev/null)
if [[ "$MSG_TYPE" == "EVENT" ]]; then
# Extract the event (third element in array)
EVENT_DATA=$(echo "$line" | jq '.[2]' 2>/dev/null)
if [[ -n "$EVENT_DATA" ]]; then
log_success "Received Kind 23459 response!"
echo "$EVENT_DATA" | jq .
echo ""
# Extract and decrypt content
ENCRYPTED_CONTENT=$(echo "$EVENT_DATA" | jq -r '.content // empty')
SENDER_PUBKEY=$(echo "$EVENT_DATA" | jq -r '.pubkey // empty')
if [[ -n "$ENCRYPTED_CONTENT" ]] && [[ -n "$SENDER_PUBKEY" ]]; then
log_info "Encrypted response: ${ENCRYPTED_CONTENT:0:50}..."
log_info "Sender pubkey: $SENDER_PUBKEY"
log_info "Decrypting response..."
# Try decryption with error output and timeout
DECRYPT_OUTPUT=$(timeout 5s nak decrypt --sec "$ADMIN_PRIVKEY" -p "$SENDER_PUBKEY" "$ENCRYPTED_CONTENT" 2>&1)
DECRYPT_EXIT=$?
if [[ $DECRYPT_EXIT -eq 0 ]] && [[ -n "$DECRYPT_OUTPUT" ]]; then
log_success "Response decrypted successfully:"
echo "$DECRYPT_OUTPUT" | jq . 2>/dev/null || echo "$DECRYPT_OUTPUT"
RESPONSE_RECEIVED=1
else
log_error "Failed to decrypt response (exit code: $DECRYPT_EXIT)"
if [[ -n "$DECRYPT_OUTPUT" ]]; then
log_error "Decryption error: $DECRYPT_OUTPUT"
fi
fi
fi
break
fi
fi
fi
fi
done
# Cleanup
exec 3>&- # Close write pipe
exec 4<&- # Close read pipe
kill $WEBSOCAT_PID 2>/dev/null
rm -f "$INPUT_PIPE" "$OUTPUT_PIPE"
if [[ $RESPONSE_RECEIVED -eq 0 ]]; then
log_error "No response received within timeout period"
log_info "This could mean:"
log_info " 1. The server didn't receive the command"
log_info " 2. The server received but didn't process the command"
log_info " 3. The response was sent but not received by subscription"
exit 1
fi
echo ""
log_success "Test complete!"
echo ""
log_info "This test uses full NIP-44 encryption for both commands and responses."

206
tests/admin_event_test.sh Executable file
View File

@@ -0,0 +1,206 @@
#!/bin/bash
# Ginxsom Admin Event Test Script
# Tests Kind 23456/23457 admin command system with NIP-44 encryption
#
# Prerequisites:
# - nak: https://github.com/fiatjaf/nak
# - curl
# - jq (for JSON parsing)
# - Server running with test keys from .test_keys
set -e
# Configuration
GINXSOM_URL="http://localhost:9001"
TEST_KEYS_FILE=".test_keys"
# Load test keys
if [[ ! -f "$TEST_KEYS_FILE" ]]; then
echo "ERROR: $TEST_KEYS_FILE not found"
echo "Run the server with --test-keys to generate test keys"
exit 1
fi
source "$TEST_KEYS_FILE"
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# Helper functions
log_info() {
echo -e "${BLUE}[INFO]${NC} $1"
}
log_success() {
echo -e "${GREEN}[SUCCESS]${NC} $1"
}
log_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
log_warning() {
echo -e "${YELLOW}[WARNING]${NC} $1"
}
check_dependencies() {
log_info "Checking dependencies..."
for cmd in nak curl jq; do
if ! command -v $cmd &> /dev/null; then
log_error "$cmd is not installed"
case $cmd in
nak)
echo "Install from: https://github.com/fiatjaf/nak"
;;
jq)
echo "Install jq for JSON processing"
;;
curl)
echo "curl should be available in most systems"
;;
esac
exit 1
fi
done
log_success "All dependencies found"
}
# Create NIP-44 encrypted admin command event (Kind 23456)
create_admin_command_event() {
local command="$1"
local expiration=$(($(date +%s) + 3600)) # 1 hour from now
log_info "Creating Kind 23456 admin command event..."
log_info "Command: $command"
# For now, we'll create the event structure manually since nak may not support NIP-44 encryption yet
# The content should be NIP-44 encrypted JSON array: ["config_query"]
# We'll use plaintext for initial testing and add encryption later
local content="[\"$command\"]"
# Create event with nak
# Kind 23456 = admin command
# Tags: p = server pubkey, expiration
local event=$(nak event -k 23456 \
-c "$content" \
--tag p="$SERVER_PUBKEY" \
--tag expiration="$expiration" \
--sec "$ADMIN_PRIVKEY")
echo "$event"
}
# Send admin command and parse response
send_admin_command() {
local command="$1"
log_info "=== Testing Admin Command: $command ==="
# Create Kind 23456 event
local event=$(create_admin_command_event "$command")
if [[ -z "$event" ]]; then
log_error "Failed to create admin event"
return 1
fi
log_info "Event created successfully"
echo "$event" | jq . || echo "$event"
# Send to server
log_info "Sending to POST $GINXSOM_URL/api/admin"
local response=$(curl -s -w "\n%{http_code}" \
-X POST \
-H "Content-Type: application/json" \
-d "$event" \
"$GINXSOM_URL/api/admin")
local http_code=$(echo "$response" | tail -n1)
local body=$(echo "$response" | head -n-1)
echo ""
if [[ "$http_code" =~ ^2 ]]; then
log_success "HTTP $http_code - Response received"
echo "$body" | jq . 2>/dev/null || echo "$body"
# Try to parse as Kind 23457 event
local kind=$(echo "$body" | jq -r '.kind // empty' 2>/dev/null)
if [[ "$kind" == "23457" ]]; then
log_success "Received Kind 23457 response event"
local response_content=$(echo "$body" | jq -r '.content // empty' 2>/dev/null)
log_info "Response content (encrypted): $response_content"
# TODO: Decrypt NIP-44 content to see actual response
fi
else
log_error "HTTP $http_code - Request failed"
echo "$body" | jq . 2>/dev/null || echo "$body"
return 1
fi
echo ""
}
test_config_query() {
log_info "=== Testing config_query Command ==="
send_admin_command "config_query"
}
test_server_health() {
log_info "=== Testing Server Health ==="
local response=$(curl -s -w "\n%{http_code}" "$GINXSOM_URL/api/health")
local http_code=$(echo "$response" | tail -n1)
local body=$(echo "$response" | head -n-1)
if [[ "$http_code" =~ ^2 ]]; then
log_success "Server is healthy (HTTP $http_code)"
echo "$body" | jq .
else
log_error "Server health check failed (HTTP $http_code)"
echo "$body"
return 1
fi
echo ""
}
main() {
echo "=== Ginxsom Admin Event Test Suite ==="
echo "Testing Kind 23456/23457 admin command system"
echo ""
log_info "Test Configuration:"
log_info " Admin Pubkey: $ADMIN_PUBKEY"
log_info " Server Pubkey: $SERVER_PUBKEY"
log_info " Server URL: $GINXSOM_URL"
echo ""
check_dependencies
echo ""
# Test server health first
test_server_health
# Test admin commands
test_config_query
echo ""
log_success "Admin event testing complete!"
echo ""
log_warning "NOTE: NIP-44 encryption not yet implemented in test script"
log_warning "Events are sent with plaintext command arrays for initial testing"
log_warning "Production implementation will use full NIP-44 encryption"
}
# Allow sourcing for individual function testing
if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
main "$@"
fi