fix(relay): remove media bearer-token auth #1444

Merged
tlongwell-block merged 3 commits into main from fix/blossom-nostr-key-auth
Jul 1, 2026
@tlongwell-block

Collaborator

Summary

  • remove the media upload X-Auth-Token / api_tokens authorization path
  • authorize media uploads with Blossom kind:24242 + BUD-11 hash/server validation + existing NIP-43 relay membership
  • keep open-relay + production-auth deployments fail-closed for media storage, while allowing Blossom-only uploads for dev/open deployments
  • drop mobile apiToken plumbing and the always-null test/provider constructor args

Review context

Dawn/Sami/Mari/Perci review converged on the same shape: Buzz media auth should be Nostr-native, not bearer tokens. Their audit found:

  • production mobile never supplied a media API token; provider passed apiToken: null
  • relay routes have no token mint endpoint for this media path
  • the workflow BUZZ_API_TOKEN Authorization: Bearer branch is dead for relay auth because relay endpoints parse NIP-98 Authorization: Nostr, not Bearer
  • DB/schema api_tokens cleanup should be a follow-up lane because this PR only unblocks Blossom media auth

Validation

  • bin/cargo test -p buzz-relay
  • cd mobile && ../bin/flutter test test/shared/relay/media_upload_test.dart test/features/channels/compose_bar_test.dart
  • bin/dart format --set-exit-if-changed mobile/lib/shared/relay/media_upload.dart mobile/test/features/channels/compose_bar_test.dart mobile/test/shared/relay/media_upload_test.dart
  • bin/flutter analyze
  • rg -n "X-Auth-Token|apiToken" crates/buzz-relay mobile/lib mobile/test → no matches
  • pre-push hook after Hermit activation passed: rust-tests, mobile-test, desktop-test, desktop-tauri-test

Follow-ups deliberately not in this PR

  • remove/deprecate api_tokens DB/schema/helpers/docs after migration/backcompat review
  • rename/re-document the overloaded BUZZ_REQUIRE_AUTH_TOKEN flag; this PR only uses it for the media fail-closed guard and does not change bridge/main auth semantics

Media uploads now authorize with Blossom kind:24242 plus the existing NIP-43 membership gate. Remove the unused X-Auth-Token/api_tokens lookup from the upload extractor and keep open relay + production auth fail-closed so Blossom-only uploads are only allowed for dev/open deployments.

Drop mobile apiToken plumbing because the provider only passed null and clients already upload with Nostr Blossom auth.

Co-authored-by: npub12gtutshhh76rx0jx697f32f9tffd4hhp3hx58fp4x6u4uemkm7sqf8f757 <5217c5c2f7bfb4333e46d17c98a9255a52dadee18dcd43a43536b95e6776dfa0@sprout-oss.stage.blox.sqprod.co>
Signed-off-by: npub12gtutshhh76rx0jx697f32f9tffd4hhp3hx58fp4x6u4uemkm7sqf8f757 <5217c5c2f7bfb4333e46d17c98a9255a52dadee18dcd43a43536b95e6776dfa0@sprout-oss.stage.blox.sqprod.co>
npub1qyvc0c5kl4gqv2fd97fsk46tu378sqgy35vc83rvgfwne90sel7s0ed67d and others added 2 commits July 1, 2026 18:40
…uthority

Per direction: media upload is gated on Blossom (Nostr) auth plus the
NIP-43 relay-membership allowlist when enabled, and nothing else.
require_auth_token governs the REST API, not media, so the
enforce_media_storage_boundary guard (reject when membership off but
auth token on) contradicted the intended model and broke uploads on
open relays with production REST auth (e.g. bb-block prod). Remove the
guard and its tests; open relays now match the WS door's admission
policy for media.

Co-authored-by: Tyler Longwell <tlongwell@block.xyz>
Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
…opes

The extractor doc still described the pre-#1444 model (Blossom auth +
API token scopes). It now validates Blossom auth, the BUD-11 hash
binding, and NIP-43 relay membership. Comment-only; caught in review.

Co-authored-by: Tyler Longwell <tlongwell@block.xyz>
Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
@tlongwell-block tlongwell-block merged commit 0701f47 into main Jul 1, 2026
29 checks passed
@tlongwell-block tlongwell-block deleted the fix/blossom-nostr-key-auth branch July 1, 2026 23:25
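
The upload gate this PR ends up with (Blossom kind:24242 event, hash and server binding, relay membership only when enabled), as an added sketch that is not code from buzz-relay. `AuthEvent`, `Deny`, `authorize_upload` and `sample` are hypothetical names. Assumptions: the event's signature was verified upstream, the caller computed the body's SHA-256, the event carries `t`, `expiration`, `x` and `server` tags, and an event with no `server` tag is treated as unscoped.

```rust
use std::collections::HashSet;
// Simplified view of a Nostr event whose id and signature were already verified upstream.
pub struct AuthEvent { pub kind: u32, pub pubkey: String, pub created_at: u64, pub tags: Vec<Vec<String>> }

#[derive(Debug, PartialEq)]
pub enum Deny { WrongKind, WrongVerb, NotYetValid, Expired, HashMismatch, WrongServer, NotMember }

// Values (second element) of every tag named `name`.
fn tag_values<'a>(ev: &'a AuthEvent, name: &str) -> Vec<&'a str> {
    ev.tags.iter().filter(|t| t.len() >= 2 && t[0] == name).map(|t| t[1].as_str()).collect()
}

// `members` is None when the relay-membership gate is disabled (open relay).
pub fn authorize_upload(ev: &AuthEvent, body_sha256_hex: &str, relay_host: &str, now: u64,
                        members: Option<&HashSet<String>>) -> Result<(), Deny> {
    if ev.kind != 24242 { return Err(Deny::WrongKind); }
    if !tag_values(ev, "t").contains(&"upload") { return Err(Deny::WrongVerb); }
    if ev.created_at > now { return Err(Deny::NotYetValid); }
    // A missing or unparsable expiration fails closed.
    let exp = tag_values(ev, "expiration").first().and_then(|v| v.parse::<u64>().ok());
    if exp.map_or(true, |e| e <= now) { return Err(Deny::Expired); }
    // Hash binding: the event must name the SHA-256 of the body actually received.
    if !tag_values(ev, "x").iter().any(|x| x.eq_ignore_ascii_case(body_sha256_hex)) {
        return Err(Deny::HashMismatch);
    }
    // Server binding (assumed optional): if scoped, one `server` tag must name this host.
    let servers = tag_values(ev, "server");
    if !servers.is_empty() && !servers.iter().any(|s| s.eq_ignore_ascii_case(relay_host)) {
        return Err(Deny::WrongServer);
    }
    match members {
        Some(set) if !set.contains(&ev.pubkey) => Err(Deny::NotMember),
        _ => Ok(()),
    }
}

// Constructed sample event; pubkey and hash are placeholder strings, not real values.
pub fn sample(hash: &str, server: &str, exp: u64) -> AuthEvent {
    let tag = |k: &str, v: &str| vec![k.to_string(), v.to_string()];
    AuthEvent { kind: 24242, pubkey: "pk-alice".into(), created_at: 1_000,
        tags: vec![tag("t", "upload"), tag("expiration", &exp.to_string()), tag("x", hash), tag("server", server)] }
}

fn main() {
    let members = HashSet::from(["pk-alice".to_string()]);
    let ev = sample("aa11", "relay.example", 2_000);
    println!("{:?}", authorize_upload(&ev, "aa11", "relay.example", 1_500, Some(&members)));
    println!("{:?}", authorize_upload(&ev, "bb22", "relay.example", 1_500, Some(&members)));
}
```

With `members` set to `None` the same event is accepted on an open relay, which matches the final commit's statement that media is gated on Blossom auth plus the membership allowlist when enabled, and nothing else.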
wpfleger96 added a commit that referenced this pull request Jul 2, 2026
…into HEAD

* origin/paul/nip-am-agent-turn-metrics:
  fix(profile): consolidate agent profile runtime metadata (#1451)
  fix(desktop): simplify workspace rail badges (#1462)
  perf(desktop): instant channel switching — non-blocking first paint, persisted snapshots (#1452)
  perf(relay): bounded-concurrency multi-filter query execution (S2) (#1457)
  fix(desktop): classify timeline prepends so history loads don't bump unread (#1416)
  fix(desktop): quiet gate for workspace switches instead of boot splash (#1449)
  fix(read-path): reach complete threads, dense-second timelines, and all people in the GUI (#1418)
  E1+E3: reduce relay ingest/fan-out DB round trips; ack p99 −7–16%, fd p99 −6–28%, p999 tails −29–53% vs PR #1453 tip (#1454)
  perf(relay): defer post-commit dispatch and avoid verify clone (#1453)
  fix(relay): include git hook tools in runtime image (#1326)
  feat(chart): per-pod emptyDir git scratch when persistence disabled (multi-replica HA) (#1450)
  fix(relay): remove media bearer-token auth (#1444)
  fix(desktop): stop search shortcut from hijacking the sidebar (#1447)

Co-authored-by: Will Pfleger <pfleger.will@gmail.com>
Signed-off-by: Will Pfleger <pfleger.will@gmail.com>