fix: bunker replay protection + sync quota fallback (deferred audit items)#2
Open
vveerrgg wants to merge 1 commit into
Two deferred items from the audit pass:

- Bunker replay protection: the NIP-46 server now rejects request events whose id was already processed and events whose created_at is outside a ±5min window. A captured authenticated sign_event could otherwise be re-published to the relay and re-signed. Seen-id set is bounded (500) and cleared on stop().
- Sync quota fallback: storage.sync.set is all-or-nothing, so an over-quota batch was rejected whole and silently synced nothing — not even P1 profiles. setSyncRespectingQuota now drops the lowest-priority entries and retries, guaranteeing high-priority data syncs, and logs what was dropped (no silent truncation). Throws only if even P1 + meta exceeds quota.

Tests: bunker-replay (7) and sync-quota (4) suites (+11).
Follow-up to #1 — the two contained, well-tested deferred items from the audit pass. Stacked on `fix/nsec-import-and-backup`; will retarget to `main` once #1 merges.

Bunker replay protection (`bunker-server.js`)

The NIP-46 server signs requests from authenticated clients. Without replay protection, a captured authenticated `sign_event` event could be re-published to the relay and re-signed. `_isFreshEvent()` rejects request ids already processed (bounded seen-set, 500) and events whose `created_at` is outside a ±5min window. The seen-set is cleared on `stop()`.

Sync quota fallback (`sync-manager.js`)

`storage.sync.set` is all-or-nothing: an over-quota batch was rejected whole and silently synced nothing — not even P1 profiles. `setSyncRespectingQuota()` drops the lowest-priority entries and retries, guaranteeing P1 (profiles) syncs. Logs what it dropped (no silent truncation). Throws only if P1 + meta alone exceeds quota.

Tests

`test/bunker-replay.test.js` (7), `test/sync-quota.test.js` (4). Full suite: 181 passed, 2 skipped.

Deliberately NOT included — needs a design decision

Sync deletion tombstones. While scoping it I found vault docs live on Nostr relays (NIP-78) and `vault.delete` publishes a NIP-09 deletion to relays — `storage.sync` is only a mirror of a local cache. So deletion propagation is entangled with the relay layer, not a pure sync-schema addition. It needs a dedicated design pass to reconcile the relay deletion path with the sync mirror, rather than a half-correct tombstone bolted onto storage.

🤖 Generated with Claude Code