Add strfry policies and members-only LDAP policy

This will look up nostr pubkeys in the LDAP directory to allow or deny publishing notes to the relay.
2024-06-09 22:49:44 +02:00
parent 5a5c316c14
commit c2c3ebc2e1
4 changed files with 79 additions and 3 deletions
--- a/extras/strfry/ldap-policy.ts
+++ b/extras/strfry/ldap-policy.ts
@@ -0,0 +1,46 @@
+import type { Policy } from 'https://gitlab.com/soapbox-pub/strfry-policies/-/raw/develop/mod.ts';
+import { Client } from 'npm:ldapts';
+import { load } from "https://deno.land/std@0.224.0/dotenv/mod.ts";
+
+const env      = await load({ export: true });
+const url      = Deno.env.get("LDAP_URL");
+const bindDN   = Deno.env.get("LDAP_BIND_DN");
+const password = Deno.env.get("LDAP_PASSWORD");
+const searchDN = Deno.env.get("LDAP_SEARCH_DN");
+
+const ldapPolicy: Policy<void> = async (msg) => {
+  const client = new Client({ url });
+  const { pubkey, kind, tags } = msg.event;
+  let out = { id: msg.event.id }
+
+  try {
+    await client.bind(bindDN, password);
+
+    const { searchEntries } = await client.search(searchDN, {
+      filter: `(nostrKey=${pubkey})`,
+      attributes: ['nostrKey']
+    });
+
+    const memberKey = searchEntries[0]?.nostrKey;
+
+    const accepted = (memberKey === pubkey);
+    // TODO  if kind is 9735, check that "description" tag contains valid 9734 event,
+    // signed by memberKey and with "p" tag being the same as pubkey (receipt sender)
+
+    if (accepted) {
+      out['action'] = 'accept';
+      out['msg'] = '';
+    } else {
+      out['action'] = 'reject';
+      out['msg'] = 'Only members can publish notes on this relay';
+    }
+  } catch (ex) {
+    out['action'] = 'reject';
+    out['msg'] = 'Auth service temporarily unavailable';
+  } finally {
+    await client.unbind();
+    return out;
+  }
+};
+
+export default ldapPolicy;