diff --git a/chorus-bin/src/nostr.rs b/chorus-bin/src/nostr.rs
index cb4de61..85a0157 100644
--- a/chorus-bin/src/nostr.rs
+++ b/chorus-bin/src/nostr.rs
@@ -387,9 +387,20 @@ impl WebSocketService {

 async fn screen_incoming_event(
 event: &Event<'_>,
- _event_flags: EventFlags,
+ event_flags: EventFlags,
 authorized_user: bool,
 ) -> Result {
+ // If the event has a '-' tag, require the user to be AUTHed and match
+ // the event author
+ for mut tag in event.tags()?.iter() {
+ if tag.next() == Some(b"-") {
+ // The event is protected. Only accept if user is AUTHed as the event author
+ if !event_flags.author_is_current_user {
+ return Err(ChorusError::ProtectedEvent.into());
+ }
+ }
+ }
+
 // Accept anything from authenticated authorized users
 if authorized_user {
 return Ok(true);
diff --git a/chorus-lib/src/error.rs b/chorus-lib/src/error.rs
index b8dd10e..4550f5d 100644
--- a/chorus-lib/src/error.rs
+++ b/chorus-lib/src/error.rs
@@ -100,6 +100,9 @@ pub enum ChorusError {
 // No such subscription
 NoSuchSubscription,

+ // Protected Event
+ ProtectedEvent,
+
 // Restricted
 Restricted,

@@ -175,6 +178,7 @@ impl std::fmt::Display for ChorusError {
 ChorusError::Lmdb(e) => write!(f, "{e}"),
 ChorusError::NoPrivateKey => write!(f, "Private Key Not Found"),
 ChorusError::NoSuchSubscription => write!(f, "No such subscription"),
+ ChorusError::ProtectedEvent => write!(f, "Protected event"),
 ChorusError::Restricted => write!(f, "Restricted"),
 ChorusError::Rustls(e) => write!(f, "{e}"),
 ChorusError::TimedOut => write!(f, "Timed out"),
@@ -240,6 +244,7 @@ impl ChorusError {
 ChorusError::Lmdb(_) => 0.0,
 ChorusError::NoPrivateKey => 0.0,
 ChorusError::NoSuchSubscription => 0.05,
+ ChorusError::ProtectedEvent => 0.35,
 ChorusError::Restricted => 0.1,
 ChorusError::Rustls(_) => 0.0,
 ChorusError::TimedOut => 0.1,
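Review bot: The new protected-event gate in `screen_incoming_event` rests entirely on `event_flags.author_is_current_user`, which is computed outside this hunk, so the hunk alone does not show that the flag is false on a connection that has not completed AUTH. It is worth stating that contract at the check, e.g. `// author_is_current_user must come from the pubkey AUTHed on this connection; it is false when unauthenticated`, and covering three cases in tests: an unauthenticated sender, an authorized user who is not the author, and the author. Placing the check ahead of the `authorized_user` early return looks right, since otherwise an authorized user could republish someone else's protected event. The function body continues past the end of the hunk.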
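Review bot: `ChorusError::ProtectedEvent => 0.35` is the largest value among the arms visible in this last hunk (the others are 0.0, 0.05 and 0.1), and nothing here says why. If this table is a per-error penalty applied to the sender — the function header is outside the hunk, so that is inferred — then a client that submits a protected event before finishing AUTH is scored more harshly than one that hits `Restricted`, because the check in `screen_incoming_event` returns the same error for the unauthenticated case and the wrong-author case. Consider a value nearer `Restricted` unless the harsher weight is intended, and record the reasoning next to the arm, e.g. `// also returned to clients that have not AUTHed yet, so keep this weight tolerable for them`.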