feat: supporting standard nip-9 and nip-62.

.github/workflows/linting.yml

@@ -22,4 +22,4 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v6
         with:
-          version: v1.60
+          version: v1.63.4

delivery/websocket/event_handler.go

@@ -1,9 +1,10 @@
 package websocket
 
 import (
-	"context"
 	"fmt"
+	"slices"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/dezh-tech/immortal/infrastructure/redis"
@@ -13,7 +14,6 @@ import (
 	"github.com/dezh-tech/immortal/types/filter"
 	"github.com/dezh-tech/immortal/types/message"
 	"github.com/gorilla/websocket"
-	gredis "github.com/redis/go-redis/v9"
 )
 
 // handleEvent handles new incoming EVENT messages from client.
@@ -55,80 +55,18 @@ func (s *Server) handleEvent(conn *websocket.Conn, m message.Message) { //nolint
 		return
 	}
 
-	qCtx, cancel := context.WithTimeout(context.Background(), s.redis.QueryTimeout)
-	defer cancel()
-
-	pipe := s.redis.Client.Pipeline()
-
-	bloomCheckCmd := pipe.BFExists(qCtx, s.redis.BloomFilterName, eID[:])
-
-	var whiteListCheckCmd *gredis.BoolCmd
-
-	if s.config.Limitation.RestrictedWrites {
-		whiteListCheckCmd = pipe.CFExists(qCtx, s.redis.WhiteListFilterName, msg.Event.PublicKey)
-	}
-
-	blackListCheckCmd := pipe.CFExists(qCtx, s.redis.BlackListFilterName, msg.Event.PublicKey)
-
-	_, err := pipe.Exec(qCtx)
-	if err != nil {
-		logger.Error("checking bloom filter", "err", err.Error())
-	}
-
-	exists, err := bloomCheckCmd.Result()
-	if err != nil {
-		okm := message.MakeOK(false, msg.Event.ID, "error: internal error")
-		_ = conn.WriteMessage(1, okm)
-
-		status = serverFail
-
-		return
-	}
-
-	if exists {
-		okm := message.MakeOK(false, msg.Event.ID, "duplicate: this event is already received.")
-		_ = conn.WriteMessage(1, okm)
-
-		return
-	}
-
-	isBlackListed, err := blackListCheckCmd.Result()
-	if err != nil {
-		okm := message.MakeOK(false, msg.Event.ID, "error: internal error")
-		_ = conn.WriteMessage(1, okm)
-
-		status = serverFail
-
-		return
-	}
-	if isBlackListed {
-		okm := message.MakeOK(false, msg.Event.ID, "blocked: pubkey is blocked, contact support for more details.")
+	if err := s.redis.CheckAcceptability(s.config.Limitation.RestrictedWrites,
+		eID[:], msg.Event.PublicKey); err != nil {
+		okm := message.MakeOK(false, msg.Event.ID, err.Error())
 		_ = conn.WriteMessage(1, okm)
 
 		status = limitsFail
 
-		return
-	}
-
-	if s.config.Limitation.RestrictedWrites {
-		isWhiteListed, err := whiteListCheckCmd.Result()
-		if err != nil {
-			okm := message.MakeOK(false, msg.Event.ID, "error: internal error")
-			_ = conn.WriteMessage(1, okm)
-
+		if strings.HasPrefix(err.Error(), "internal") {
 			status = serverFail
-
-			return
 		}
 
-		if !isWhiteListed {
-			okm := message.MakeOK(false, msg.Event.ID, "restricted: not allowed to write.")
-			_ = conn.WriteMessage(1, okm)
-
-			status = limitsFail
-
-			return
-		}
+		return
 	}
 
 	client, ok := s.conns[conn]
@@ -176,54 +114,65 @@ func (s *Server) handleEvent(conn *websocket.Conn, m message.Message) { //nolint
 
 	if !msg.Event.Kind.IsEphemeral() { //nolint
 		if msg.Event.Kind == types.KindEventDeletionRequest {
-			deleteFilterString := msg.Event.Tags.GetValue("filter")
-
-			deleteFilter, err := filter.Decode([]byte(deleteFilterString))
-			if err != nil {
+			if err := s.handler.NIP09Deletion(msg.Event); err != nil {
 				okm := message.MakeOK(false,
 					msg.Event.ID,
-					fmt.Sprintf("error: parse deletion event: %s", deleteFilterString),
+					"error: can't delete requested event(s).",
 				)
 
 				_ = conn.WriteMessage(1, okm)
 
-				status = invalidFail
+				status = serverFail
 
 				return
 			}
+		}
 
-			// you can only delete events you own.
-			if len(deleteFilter.Authors) == 1 {
-				if deleteFilter.Authors[0] != msg.Event.PublicKey {
-					okm := message.MakeOK(false,
-						msg.Event.ID,
-						fmt.Sprintf(
-							"error: you can request to delete your events only: %s",
-							deleteFilter.Authors),
-					)
+		if msg.Event.Kind == types.KindRightToVanish {
+			relays := msg.Event.Tags.GetValues("relay")
+			if !slices.Contains(relays, "ALL_RELAYS") &&
+				!slices.Contains(relays, s.config.URL.String()) {
+				okm := message.MakeOK(false,
+					msg.Event.ID,
+					"error: can't execute vanish request.",
+				)
 
-					_ = conn.WriteMessage(1, okm)
+				_ = conn.WriteMessage(1, okm)
 
-					status = invalidFail
+				status = serverFail
 
-					return
-				}
-			} else {
+				return
+			}
+
+			if err := s.handler.DeleteByFilter(
+				&filter.Filter{Authors: []string{msg.Event.PublicKey}, Until: msg.Event.CreatedAt}); err != nil {
 				okm := message.MakeOK(false,
 					msg.Event.ID,
-					fmt.Sprintf(
-						"error: you can request to delete your events only: %s",
-						deleteFilter.Authors),
+					"error: can't execute vanish request.",
 				)
 
 				_ = conn.WriteMessage(1, okm)
 
-				status = invalidFail
+				status = serverFail
 
 				return
 			}
 
-			go s.handler.DeleteByFilter(deleteFilter) //nolint
+			if err := s.handler.DeleteByFilter(
+				&filter.Filter{Kinds: []types.Kind{types.KindGiftWrap}, Tags: map[string][]string{
+					"p": {msg.Event.PublicKey},
+				}, Until: msg.Event.CreatedAt}); err != nil {
+				okm := message.MakeOK(false,
+					msg.Event.ID,
+					"error: can't delete requested event(s).",
+				)
+
+				_ = conn.WriteMessage(1, okm)
+
+				status = serverFail
+
+				return
+			}
 		}
 
 		if err := s.handler.HandleEvent(msg.Event); err != nil {
@@ -242,16 +191,15 @@ func (s *Server) handleEvent(conn *websocket.Conn, m message.Message) { //nolint
 
 	_ = conn.WriteMessage(1, message.MakeOK(true, msg.Event.ID, ""))
 
-	_, err = s.redis.Client.BFAdd(qCtx, s.redis.BloomFilterName, eID[:]).Result()
-	if err != nil {
+	if err := s.redis.AddEventToBloom(eID[:]); err != nil {
 		logger.Info("adding event to bloom filter", "err", err.Error(), msg.Event.ID)
 	}
 
 	// todo::: can we run goroutines per client?
 	for conn, client := range s.conns {
 		client.Lock()
-		for id, filters := range client.subs {
-			if !filters.Match(msg.Event) {
+		for id, filter := range client.subs {
+			if !filter.Match(msg.Event) {
 				continue
 			}
 			_ = conn.WriteMessage(1, message.MakeEvent(id, msg.Event))

delivery/websocket/task_scheduler.go

@@ -42,6 +42,7 @@ func (s *Server) checkExpiration() { //nolint
 
 				// lint error is g115 gosec rule. this rule is broken.
 				// see: https://github.com/securego/gosec/issues/1288
+				// todo:: update gosec linter and remove //nolint comment.
 				if err := s.handler.DeleteByID(data[0],
 					types.Kind(kind)); err != nil { //nolint
 					failedTasks = append(failedTasks, task)

documents/NIPs.md

@@ -8,4 +8,5 @@
 - [X] **NIP-42**: Authentication of Clients to Relays
 - [ ] **NIP-50**: Search Capability
 - [X] **NIP-56**: Reporting
+- [X] **NIP-62**: Right to Vanish
 - [X] **NIP-70**: Protected Events

go.mod

@@ -13,7 +13,6 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/tidwall/gjson v1.18.0
 	go.mongodb.org/mongo-driver v1.17.2
-	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8
 	google.golang.org/grpc v1.69.2
 	google.golang.org/protobuf v1.36.2
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1

go.sum

@@ -109,8 +109,6 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
 golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
-golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 h1:yqrTHse8TCMW1M1ZCP+VAR/l0kKxwaAIqN/il7x4voA=
-golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=

infrastructure/redis/redis.go

@@ -2,6 +2,7 @@ package redis
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"time"
 
@@ -52,6 +53,71 @@ func (r *Redis) Close() error {
 	return r.Client.Close()
 }
 
+func (r *Redis) AddEventToBloom(id []byte) error {
+	ctx, cancel := context.WithTimeout(context.Background(), r.QueryTimeout)
+	defer cancel()
+
+	_, err := r.Client.BFAdd(ctx, r.BloomFilterName, id).Result()
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (r *Redis) CheckAcceptability(restrictedWrites bool, eid []byte, pubkey string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), r.QueryTimeout)
+	defer cancel()
+
+	pipe := r.Client.Pipeline()
+
+	bloomCheckCmd := pipe.BFExists(ctx, r.BloomFilterName, eid)
+
+	var whiteListCheckCmd *redis.BoolCmd
+
+	if restrictedWrites {
+		whiteListCheckCmd = pipe.CFExists(ctx, r.WhiteListFilterName, pubkey)
+	}
+
+	blackListCheckCmd := pipe.CFExists(ctx, r.BlackListFilterName, pubkey)
+
+	_, err := pipe.Exec(ctx)
+	if err != nil {
+		return errors.New("internal: error while checking event acceptability")
+	}
+
+	exists, err := bloomCheckCmd.Result()
+	if err != nil {
+		return errors.New("internal: cna't lookup bloom filter")
+	}
+
+	if exists {
+		return errors.New("duplicate: this event is already received")
+	}
+
+	isBlackListed, err := blackListCheckCmd.Result()
+	if err != nil {
+		return errors.New("internal: cna't lookup black list")
+	}
+
+	if isBlackListed {
+		return errors.New("blocked: pubkey is blocked")
+	}
+
+	if restrictedWrites {
+		isWhiteListed, err := whiteListCheckCmd.Result()
+		if err != nil {
+			return errors.New("internal: cna't lookup white list")
+		}
+
+		if !isWhiteListed {
+			return errors.New("restricted: not allowed to write")
+		}
+	}
+
+	return nil
+}
+
 // ! note: delayed tasks probably are not concurrent safe at the moment.
 func (r *Redis) AddDelayedTask(listName string,
 	data string, delay time.Duration,

pkg/utils/random.go

@@ -1,9 +1,8 @@
 package utils
 
 import (
-	"time"
-
-	"golang.org/x/exp/rand"
+	"crypto/rand"
+	"math/big"
 )
 
 const (
@@ -14,19 +13,19 @@ const (
 )
 
 func GenerateChallenge(n int) string {
-	src := rand.NewSource(uint64(time.Now().UnixNano()))
-	b := make([]byte, n)
-	for i, cache, remain := n-1, src.Uint64(), letterIdxMax; i >= 0; {
-		if remain == 0 {
-			cache, remain = src.Uint64(), letterIdxMax
-		}
-		if idx := cache & letterIdxMask; idx < uint64(len(chars)) {
-			b[i] = chars[idx]
-			i--
-		}
-		cache >>= letterIdxBits
-		remain--
+	token := ""
+	for i := 0; i < n; i++ {
+		token += string(chars[cryptoRandSecure(int64(len(chars)))])
+	}
+
+	return token
+}
+
+func cryptoRandSecure(n int64) int64 {
+	nBig, err := rand.Int(rand.Reader, big.NewInt(n))
+	if err != nil {
+		return 0
 	}
 
-	return string(b)
+	return nBig.Int64()
 }