hzrd149 · Michilis · Feb 23, 2025 · Feb 23, 2025 · Feb 23, 2025 · Feb 23, 2025
diff --git a/config.example.yml b/config.example.yml
@@ -126,3 +126,9 @@ list:
 tor:
   enabled: false
   proxy: ""
+
+whitelist:
+  enabled: false
+  domain: "example.com"  # Set the domain for the NIP-05 whitelist
+  errorMessage: "You are not authorized to upload."  # Error message for non-whitelisted users
+  fetchDelay: 3600  # Delay between fetches in seconds
diff --git a/src/api/upload.ts b/src/api/upload.ts
@@ -8,6 +8,7 @@ import { config, Rule } from "../config.js";
 import { hasUsedToken } from "../db/methods.js";
 import { removeUpload, saveFromUploadRequest } from "../storage/upload.js";
 import { blobDB } from "../db/db.js";
+import { isWhitelisted, fetchWhitelist } from '../whitelist.js';
 
 export type UploadState = CommonState & {
   contentType: string;
@@ -80,6 +81,17 @@ router.head<UploadState>("/upload", async (ctx) => {
 });
 
 router.put<UploadState>("/upload", async (ctx) => {
+  if (!config.upload.enabled) throw new HttpErrors.NotFound("Uploads disabled");
+
+  const pubkey = ctx.state.auth?.pubkey;
+  if (!pubkey) throw new HttpErrors.Unauthorized("Missing public key");
+
+  await fetchWhitelist(); // Ensure the whitelist is up-to-date
+
+  if (config.whitelist.enabled && pubkey && !isWhitelisted(pubkey)) {
+    throw new HttpErrors.Forbidden(config.whitelist.errorMessage);
+  }
+
   const { contentType } = ctx.state;
 
   let upload = await saveFromUploadRequest(ctx.req);
@@ -97,8 +109,8 @@ router.put<UploadState>("/upload", async (ctx) => {
     const blob = await addFromUpload(upload, type);
 
     // add owner
-    if (ctx.state.auth?.pubkey && !blobDB.hasOwner(upload.sha256, ctx.state.auth.pubkey)) {
-      blobDB.addOwner(blob.sha256, ctx.state.auth.pubkey);
+    if (pubkey && !blobDB.hasOwner(upload.sha256, pubkey)) {
+      blobDB.addOwner(blob.sha256, pubkey);
     }
 
     if (ctx.state.auth) saveAuthToken(ctx.state.auth);

diff --git a/src/config.ts b/src/config.ts
@@ -65,6 +65,12 @@ export type Config = {
     enabled: boolean;
     proxy: string;
   };
+  whitelist: {
+    enabled: boolean;
+    domain: string;
-    domain: string;
+    nip05Domain?: string;
+    pubkeys?: string[];
-    domain: string;
+    nip05Domain?: string;
+    pubkeys?: string[];
+    errorMessage: string;
+    fetchDelay: number;
+  };
 };
 
 function loadYaml(filepath: string, content: string) {
@@ -92,6 +98,12 @@ const defaultConfig: Config = {
   media: { enabled: false, requireAuth: true, requirePubkeyInRule: false },
   list: { requireAuth: false, allowListOthers: false },
   tor: { enabled: false, proxy: "" },
+  whitelist: {
+    enabled: true,
-    enabled: true,
+    enabled: false,
-    enabled: true,
+    enabled: false,
+    domain: "",
+    errorMessage: "You are not authorized to upload.",
+    fetchDelay: 3600,
+  },
 };
 
 const searchPlaces = ["config.yaml", "config.yml", "config.json"];

diff --git a/src/whitelist.ts b/src/whitelist.ts
@@ -0,0 +1,35 @@
+import axios from 'axios';
+import { config } from './config.js';
+
+let whitelistCache: Set<string> = new Set();
+let lastFetchTime = 0;
+
+export async function fetchWhitelist() {
+  if (!config.whitelist.enabled) {
+    whitelistCache.clear();
+    return whitelistCache;
+  }
+
+  const now = Date.now();
+  if (now - lastFetchTime < config.whitelist.fetchDelay * 1000) {
+    return whitelistCache;
+  }
+
+  try {
+    const response = await axios.get(`https://${config.whitelist.domain}/.well-known/nostr.json`);
+    const data = response.data;
+    if (data && data.names) {
+      whitelistCache = new Set(Object.values(data.names));
+      lastFetchTime = now;
+    }
+  } catch (error) {
+    console.error("Failed to fetch whitelist:", error);
+  }
+
+  return whitelistCache;
+}
+
+export function isWhitelisted(pubkey: string): boolean {
+  if (!config.whitelist.enabled) return true; // Allow all if whitelist is disabled
+  return whitelistCache.has(pubkey);
+}