Merge branch 'main' into feat/geohash-prefix-filters

Author: cameri

.changeset/dark-places-tickle.md

@@ -0,0 +1,5 @@
+---
+"nostream": patch
+---
+
+Fix root HTML negotiation and subpath-aware template links behind trusted proxies.

.changeset/huge-trains-nail.md

@@ -0,0 +1,5 @@
+---
+"nostream": patch
+---
+
+Use timingSafeEqual for Nodeless webhook HMAC verification and guard against missing NODELESS_WEBHOOK_SECRET

package.json

@@ -153,10 +153,9 @@
     "node": ">=24.14.1"
   },
   "dependencies": {
-    "@getalby/sdk": "^5.0.0",
     "@clack/prompts": "^1.2.0",
+    "@getalby/sdk": "^5.0.0",
     "@noble/secp256k1": "1.7.1",
-    "accepts": "^1.3.8",
     "axios": "^1.15.0",
     "cac": "^7.0.0",
     "colorette": "^2.0.20",

pnpm-lock.yaml

@@ -9,7 +9,7 @@
   </head>
   <body lang="en">
     <main class="container">
-      <form method="post" action="/invoices">
+      <form method="post" action="{{path_prefix}}/invoices">
         <div class="row">
           <div class="col">
             <h1 class="mt-4 mb-4 text-center text-nowrap">{{name}}</h1>
@@ -46,7 +46,7 @@ <h1 class="mt-4 mb-4 text-center text-nowrap">{{name}}</h1>
               <div class="form-check">
                 <input class="form-check-input" type="checkbox" id="tosAccepted" name="tosAccepted" value="yes" required>
                 <label class="form-check-label" for="tosAccepted">
-                  I have read and agree to the <a href="/terms" class="card-link" target="_blank" rel="noopener noreferrer">Terms of Service</a>
+                  I have read and agree to the <a href="{{path_prefix}}/terms" class="card-link" target="_blank" rel="noopener noreferrer">Terms of Service</a>
                 </label>
               </div>
             </div>

resources/get-invoice.html

@@ -46,7 +46,7 @@ <h5 class="card-title">Admission Required</h5>
                 This relay requires a one-time admission fee of <strong>{{amount}} sats</strong>
                 to publish events. Reading events is free.
               </p>
-              <a href="/invoices" class="btn btn-warning">Pay Admission Fee</a>
+              <a href="{{path_prefix}}/invoices" class="btn btn-warning">Pay Admission Fee</a>
             </div>
           </div>
 
@@ -62,9 +62,9 @@ <h5 class="card-title">Open Relay</h5>
 
           <!-- Legal links -->
           <div class="d-flex justify-content-center gap-3 mt-2 mb-5">
-            <a href="/terms" class="text-muted small">Terms of Service</a>
+            <a href="{{path_prefix}}/terms" class="text-muted small">Terms of Service</a>
             <span class="text-muted small">·</span>
-            <a href="/privacy" class="text-muted small">Privacy Policy</a>
+            <a href="{{path_prefix}}/privacy" class="text-muted small">Privacy Policy</a>
           </div>
 
         </div>

resources/index.html

@@ -14,7 +14,7 @@
   </head>
   <body lang="en">
     <main class="container">
-      <form method="post" action="/invoices">
+      <form method="post" action="{{path_prefix}}/invoices">
         <div class="row">
           <div class="col">
             <h1 class="mt-4 mb-4 text-center text-nowrap">{{name}}</h1>
@@ -106,6 +106,7 @@ <h2 class="text-danger">Invoice expired!</h2>
       var reference = "{{reference}}"
       var relayUrl = "{{relay_url}}"
       var relayPubkey = "{{relay_pubkey}}"
+      var pathPrefix = {{path_prefix_json}};
       var invoice = "{{invoice}}";
       var pubkey = "{{pubkey}}"
       var expiresAt = "{{expires_at}}"
@@ -124,7 +125,7 @@ <h2 class="text-danger">Invoice expired!</h2>
       }
 
       async function getInvoiceStatus() {
-        fetch(`/invoices/${reference}/status`).then(async (response) => {
+        fetch(`${pathPrefix}/invoices/${reference}/status`).then(async (response) => {
           const data = await response.json()
           console.log('data', data)
           const { status } = data;
@@ -269,4 +270,4 @@ <h2 class="text-danger">Invoice expired!</h2>
       document.getElementById('sendPaymentBtn').addEventListener('click', sendPayment)
     </script>
   </body>
-</html>
+</html>

resources/invoices.html

@@ -14,7 +14,7 @@
   </head>
   <body lang="en">
     <main class="container">
-      <form method="post" action="/invoices">
+      <form method="post" action="{{path_prefix}}/invoices">
         <div class="row">
           <div class="col">
             <h1 class="mt-4 mb-4 text-center text-nowrap">{{name}}</h1>
@@ -106,6 +106,7 @@ <h2 class="text-danger">Invoice expired!</h2>
       var reference = {{reference_json}}
       var relayUrl = {{relay_url_json}}
       var relayPubkey = {{relay_pubkey_json}}
+      var pathPrefix = {{path_prefix_json}}
       var invoice = {{invoice_json}}
       var pubkey = {{pubkey_json}}
       var expiresAt = {{expires_at_json}}
@@ -124,7 +125,7 @@ <h2 class="text-danger">Invoice expired!</h2>
       }
 
       async function getInvoiceStatus() {
-        fetch(`/invoices/${reference}/status`).then(async (response) => {
+        fetch(`${pathPrefix}/invoices/${reference}/status`).then(async (response) => {
           if (!response.ok) {
             throw new Error(`unexpected status ${response.status}`)
           }

resources/post-invoice.html

@@ -61,9 +61,9 @@ <h5>Changes to this policy</h5>
           </p>
 
           <div class="mt-4">
-            <a href="/" class="text-muted small">← Back to home</a>
+            <a href="{{path_prefix}}/" class="text-muted small">← Back to home</a>
             <span class="text-muted small mx-2">·</span>
-            <a href="/terms" class="text-muted small">Terms of Service</a>
+            <a href="{{path_prefix}}/terms" class="text-muted small">Terms of Service</a>
           </div>
         </div>
       </div>

resources/privacy.html

@@ -1,14 +1,15 @@
+import { timingSafeEqual } from 'crypto'
+
 import { always, applySpec, ifElse, is, path, prop, propEq, propSatisfies } from 'ramda'
 import { Request, Response } from 'express'
 
 import { Invoice, InvoiceStatus } from '../../@types/invoice'
 import { createLogger } from '../../factories/logger-factory'
-import { createSettings } from '../../factories/settings-factory'
 import { fromNodelessInvoice } from '../../utils/transform'
 import { hmacSha256 } from '../../utils/secret'
 import { IController } from '../../@types/controllers'
 import { IPaymentsService } from '../../@types/services'
-import { nodelessCallbackBodySchema } from '../../schemas/nodeless-callback-schema'
+import { nodelessCallbackBodySchema, nodelessSignatureSchema } from '../../schemas/nodeless-callback-schema'
 import { validateSchema } from '../../utils/validation'
 
 const logger = createLogger('nodeless-callback-controller')
@@ -30,20 +31,31 @@ export class NodelessCallbackController implements IController {
       return
     }
 
-    const settings = createSettings()
-    const paymentProcessor = settings.payments?.processor
-
-    const expected = hmacSha256(process.env.NODELESS_WEBHOOK_SECRET, (request as any).rawBody).toString('hex')
-    const actual = request.headers['nodeless-signature']
+    const webhookSecret = process.env.NODELESS_WEBHOOK_SECRET
+    if (!webhookSecret) {
+      logger.error('NODELESS_WEBHOOK_SECRET is not configured; unable to verify Nodeless callback')
+      response
+        .status(500)
+        .setHeader('content-type', 'application/json; charset=utf8')
+        .send('{"status":"error","message":"Internal Server Error"}')
+      return
+    }
 
-    if (expected !== actual) {
-      logger.error('nodeless callback request rejected: signature mismatch:', { expected, actual })
-      response.status(403).send('Forbidden')
+    const signatureValidation = validateSchema(nodelessSignatureSchema)(request.headers['nodeless-signature'])
+    if (signatureValidation.error) {
+      logger('nodeless callback request rejected: invalid signature format')
+      response
+        .status(400)
+        .setHeader('content-type', 'application/json; charset=utf8')
+        .send('{"status":"error","message":"Invalid signature"}')
       return
     }
 
-    if (paymentProcessor !== 'nodeless') {
-      logger('denied request from %s to /callbacks/nodeless which is not the current payment processor')
+    const expectedBuf = hmacSha256(webhookSecret, (request as any).rawBody)
+    const actualBuf = Buffer.from(signatureValidation.value, 'hex')
+
+    if (!timingSafeEqual(expectedBuf, actualBuf)) {
+      logger('nodeless callback request rejected: signature mismatch')
       response.status(403).send('Forbidden')
       return
     }