fix(relay): remove media bearer-token auth#1444
Merged
Merged
Conversation
Media uploads now authorize with Blossom kind:24242 plus the existing NIP-43 membership gate. Remove the unused X-Auth-Token/api_tokens lookup from the upload extractor and keep open relay + production auth fail-closed so Blossom-only uploads are only allowed for dev/open deployments. Drop mobile apiToken plumbing because the provider only passed null and clients already upload with Nostr Blossom auth. Co-authored-by: npub12gtutshhh76rx0jx697f32f9tffd4hhp3hx58fp4x6u4uemkm7sqf8f757 <5217c5c2f7bfb4333e46d17c98a9255a52dadee18dcd43a43536b95e6776dfa0@sprout-oss.stage.blox.sqprod.co> Signed-off-by: npub12gtutshhh76rx0jx697f32f9tffd4hhp3hx58fp4x6u4uemkm7sqf8f757 <5217c5c2f7bfb4333e46d17c98a9255a52dadee18dcd43a43536b95e6776dfa0@sprout-oss.stage.blox.sqprod.co>
…uthority Per direction: media upload is gated on Blossom (Nostr) auth plus the NIP-43 relay-membership allowlist when enabled, and nothing else. require_auth_token governs the REST API, not media, so the enforce_media_storage_boundary guard (reject when membership off but auth token on) contradicted the intended model and broke uploads on open relays with production REST auth (e.g. bb-block prod). Remove the guard and its tests; open relays now match the WS door's admission policy for media. Co-authored-by: Tyler Longwell <tlongwell@block.xyz> Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
…opes The extractor doc still described the pre-#1444 model (Blossom auth + API token scopes). It now validates Blossom auth, the BUD-11 hash binding, and NIP-43 relay membership. Comment-only; caught in review. Co-authored-by: Tyler Longwell <tlongwell@block.xyz> Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
wpfleger96
added a commit
that referenced
this pull request
Jul 2, 2026
…into HEAD * origin/paul/nip-am-agent-turn-metrics: fix(profile): consolidate agent profile runtime metadata (#1451) fix(desktop): simplify workspace rail badges (#1462) perf(desktop): instant channel switching — non-blocking first paint, persisted snapshots (#1452) perf(relay): bounded-concurrency multi-filter query execution (S2) (#1457) fix(desktop): classify timeline prepends so history loads don't bump unread (#1416) fix(desktop): quiet gate for workspace switches instead of boot splash (#1449) fix(read-path): reach complete threads, dense-second timelines, and all people in the GUI (#1418) E1+E3: reduce relay ingest/fan-out DB round trips; ack p99 −7–16%, fd p99 −6–28%, p999 tails −29–53% vs PR #1453 tip (#1454) perf(relay): defer post-commit dispatch and avoid verify clone (#1453) fix(relay): include git hook tools in runtime image (#1326) feat(chart): per-pod emptyDir git scratch when persistence disabled (multi-replica HA) (#1450) fix(relay): remove media bearer-token auth (#1444) fix(desktop): stop search shortcut from hijacking the sidebar (#1447) Co-authored-by: Will Pfleger <pfleger.will@gmail.com> Signed-off-by: Will Pfleger <pfleger.will@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
X-Auth-Token/api_tokensauthorization pathapiTokenplumbing and the always-null test/provider constructor argsReview context
Dawn/Sami/Mari/Perci review converged on the same shape: Buzz media auth should be Nostr-native, not bearer tokens. Their audit found:
apiToken: nullBUZZ_API_TOKEN→Authorization: Bearerbranch is dead for relay auth because relay endpoints parse NIP-98Authorization: Nostr, not Bearerapi_tokenscleanup should be a follow-up lane because this PR only unblocks Blossom media authValidation
bin/cargo test -p buzz-relaycd mobile && ../bin/flutter test test/shared/relay/media_upload_test.dart test/features/channels/compose_bar_test.dartbin/dart format --set-exit-if-changed mobile/lib/shared/relay/media_upload.dart mobile/test/features/channels/compose_bar_test.dart mobile/test/shared/relay/media_upload_test.dartbin/flutter analyzerg -n "X-Auth-Token|apiToken" crates/buzz-relay mobile/lib mobile/test→ no matchesFollow-ups deliberately not in this PR
api_tokensDB/schema/helpers/docs after migration/backcompat reviewBUZZ_REQUIRE_AUTH_TOKENflag; this PR only uses it for the media fail-closed guard and does not change bridge/main auth semantics