2026-02-17 15:03:34 +00:00
|
|
|
//! Node-to-node messaging over Tor.
|
|
|
|
|
//! Sends messages to peer .onion addresses via SOCKS5 proxy.
|
2026-03-20 08:26:40 +00:00
|
|
|
//! Messages are persisted to disk and survive restarts.
|
2026-02-17 15:03:34 +00:00
|
|
|
|
|
|
|
|
use anyhow::{Context, Result};
|
|
|
|
|
use serde::{Deserialize, Serialize};
|
2026-03-20 08:26:40 +00:00
|
|
|
use std::path::{Path, PathBuf};
|
2026-02-17 15:03:34 +00:00
|
|
|
use std::sync::{Mutex, OnceLock};
|
|
|
|
|
|
2026-03-20 08:26:40 +00:00
|
|
|
const MAX_STORED: usize = 200;
|
2026-02-17 15:03:34 +00:00
|
|
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize, Deserialize)]
|
|
|
|
|
pub struct IncomingMessage {
|
|
|
|
|
pub from_pubkey: String,
|
2026-03-20 08:26:40 +00:00
|
|
|
#[serde(default)]
|
2026-02-17 15:03:34 +00:00
|
|
|
pub from_onion: Option<String>,
|
2026-04-12 12:11:00 -04:00
|
|
|
/// Sender's node name (for display in group chat).
|
|
|
|
|
#[serde(default)]
|
|
|
|
|
pub from_name: Option<String>,
|
feat(wallet,content,seed): Fedimint dual-ecash, paid content streaming, seed ceremony
- Fedimint ecash alongside Cashu: fedimint-clientd (fmcd) HTTP bridge,
fedimint_client, fedimint RPC, wallet wiring
- Paid peer content: content invoices + streaming content server + content RPCs
- Seed-phrase ceremony/reveal RPCs and CLI ceremony tool
- LND wallet, mesh status/messaging, app-stack (netbird HTTPS), and
decoupled-update wiring; Fedimint Client core app in catalog
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 19:21:07 -04:00
|
|
|
/// Sender-assigned unique id for the message. Used to dedup reliably even
|
|
|
|
|
/// when a slow-Tor retry/redelivery arrives outside the time window (#31).
|
|
|
|
|
#[serde(default)]
|
|
|
|
|
pub msg_id: Option<String>,
|
2026-02-17 15:03:34 +00:00
|
|
|
pub message: String,
|
|
|
|
|
pub timestamp: String,
|
2026-03-20 08:26:40 +00:00
|
|
|
/// "sent" or "received"
|
|
|
|
|
#[serde(default = "default_received")]
|
|
|
|
|
pub direction: String,
|
2026-02-17 15:03:34 +00:00
|
|
|
}
|
|
|
|
|
|
2026-03-20 08:26:40 +00:00
|
|
|
fn default_received() -> String {
|
|
|
|
|
"received".to_string()
|
2026-02-17 15:03:34 +00:00
|
|
|
}
|
|
|
|
|
|
2026-03-20 08:26:40 +00:00
|
|
|
#[derive(Debug, Default, Serialize, Deserialize)]
|
|
|
|
|
struct MessageStore {
|
|
|
|
|
messages: Vec<IncomingMessage>,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn store() -> &'static Mutex<MessageStore> {
|
|
|
|
|
static STORE: OnceLock<Mutex<MessageStore>> = OnceLock::new();
|
|
|
|
|
STORE.get_or_init(|| Mutex::new(MessageStore::default()))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn data_path() -> &'static Mutex<Option<PathBuf>> {
|
|
|
|
|
static PATH: OnceLock<Mutex<Option<PathBuf>>> = OnceLock::new();
|
|
|
|
|
PATH.get_or_init(|| Mutex::new(None))
|
|
|
|
|
}
|
|
|
|
|
|
feat(storage): encrypt chat history + mesh contacts at rest, atomic writes, persist contacts (#12)
User: chat history (messages + mesh/Tor contacts) must persist and be
secure/encrypted per best practice. Root cause of the .198 loss was the B17
mount race writing empty stores over real data (B17 already fixes the trigger);
this hardens storage so it can never silently lose or expose data:
- storage_crypto: shared at-rest envelope mirroring credentials::store — key =
SHA-256(domain ‖ node identity key) (seed-derived, per-store domain
separation), ChaCha20-Poly1305 AEAD with a random 96-bit nonce, tamper-evident.
Transparent migration of legacy plaintext files. Unit-tested (round-trip,
wrong-key/tamper rejection, plaintext detection).
- messages.json: encrypted at rest + ATOMIC write (temp+rename) so a crash/
reboot mid-write cannot corrupt history; decrypt-with-migration on load; a
failed decrypt never overwrites the on-disk data.
- mesh contacts (alias/notes/pinned/blocked): were ONLY in memory and lost on
every restart — now persisted to mesh-contacts.json (encrypted, atomic),
loaded on MeshState startup, saved after contacts-save/contacts-block.
Explicit clear (mesh.clear-all) still wipes everything, as intended.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 08:54:37 -04:00
|
|
|
/// At-rest encryption key for messages.json, derived from the node identity in
|
|
|
|
|
/// `init()`. `None` only if the node key is unreadable (pre-onboarding) — in
|
|
|
|
|
/// which case we persist plaintext rather than lose messages.
|
|
|
|
|
fn enc_key() -> &'static Mutex<Option<[u8; 32]>> {
|
|
|
|
|
static KEY: OnceLock<Mutex<Option<[u8; 32]>>> = OnceLock::new();
|
|
|
|
|
KEY.get_or_init(|| Mutex::new(None))
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-20 08:26:40 +00:00
|
|
|
/// Initialize message store — load from disk. Call once at startup.
|
|
|
|
|
pub async fn init(data_dir: &Path) {
|
|
|
|
|
let path = data_dir.join("messages.json");
|
|
|
|
|
*data_path().lock().unwrap_or_else(|e| e.into_inner()) = Some(path.clone());
|
|
|
|
|
|
feat(storage): encrypt chat history + mesh contacts at rest, atomic writes, persist contacts (#12)
User: chat history (messages + mesh/Tor contacts) must persist and be
secure/encrypted per best practice. Root cause of the .198 loss was the B17
mount race writing empty stores over real data (B17 already fixes the trigger);
this hardens storage so it can never silently lose or expose data:
- storage_crypto: shared at-rest envelope mirroring credentials::store — key =
SHA-256(domain ‖ node identity key) (seed-derived, per-store domain
separation), ChaCha20-Poly1305 AEAD with a random 96-bit nonce, tamper-evident.
Transparent migration of legacy plaintext files. Unit-tested (round-trip,
wrong-key/tamper rejection, plaintext detection).
- messages.json: encrypted at rest + ATOMIC write (temp+rename) so a crash/
reboot mid-write cannot corrupt history; decrypt-with-migration on load; a
failed decrypt never overwrites the on-disk data.
- mesh contacts (alias/notes/pinned/blocked): were ONLY in memory and lost on
every restart — now persisted to mesh-contacts.json (encrypted, atomic),
loaded on MeshState startup, saved after contacts-save/contacts-block.
Explicit clear (mesh.clear-all) still wipes everything, as intended.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 08:54:37 -04:00
|
|
|
// Derive + cache the at-rest encryption key (bound to this node's identity).
|
|
|
|
|
match crate::storage_crypto::derive_key(data_dir, crate::storage_crypto::DOMAIN_MESSAGES).await
|
|
|
|
|
{
|
|
|
|
|
Ok(k) => *enc_key().lock().unwrap_or_else(|e| e.into_inner()) = Some(k),
|
|
|
|
|
Err(e) => tracing::warn!(
|
|
|
|
|
"message store: encryption key unavailable ({e}); will persist plaintext"
|
|
|
|
|
),
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let Ok(raw) = tokio::fs::read(&path).await else {
|
|
|
|
|
return; // no file yet (new node)
|
|
|
|
|
};
|
|
|
|
|
// Decrypt the on-disk blob, transparently migrating a legacy plaintext file.
|
|
|
|
|
let mut was_plaintext = false;
|
|
|
|
|
let bytes = if crate::storage_crypto::is_plaintext_json(&raw) {
|
|
|
|
|
was_plaintext = true;
|
|
|
|
|
Some(raw)
|
|
|
|
|
} else {
|
|
|
|
|
let key = *enc_key().lock().unwrap_or_else(|e| e.into_inner());
|
|
|
|
|
match key {
|
|
|
|
|
Some(k) => match crate::storage_crypto::open(&raw, &k) {
|
|
|
|
|
Ok(p) => Some(p),
|
|
|
|
|
Err(e) => {
|
|
|
|
|
tracing::error!(
|
|
|
|
|
"message store: decrypt failed ({e}); NOT overwriting on-disk data"
|
|
|
|
|
);
|
|
|
|
|
None
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
None => None,
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
if let Some(bytes) = bytes {
|
|
|
|
|
if let Ok(loaded) = serde_json::from_slice::<MessageStore>(&bytes) {
|
2026-03-20 08:26:40 +00:00
|
|
|
let mut guard = store().lock().unwrap_or_else(|e| e.into_inner());
|
|
|
|
|
*guard = loaded;
|
|
|
|
|
tracing::info!("Loaded {} messages from disk", guard.messages.len());
|
|
|
|
|
}
|
|
|
|
|
}
|
feat(storage): encrypt chat history + mesh contacts at rest, atomic writes, persist contacts (#12)
User: chat history (messages + mesh/Tor contacts) must persist and be
secure/encrypted per best practice. Root cause of the .198 loss was the B17
mount race writing empty stores over real data (B17 already fixes the trigger);
this hardens storage so it can never silently lose or expose data:
- storage_crypto: shared at-rest envelope mirroring credentials::store — key =
SHA-256(domain ‖ node identity key) (seed-derived, per-store domain
separation), ChaCha20-Poly1305 AEAD with a random 96-bit nonce, tamper-evident.
Transparent migration of legacy plaintext files. Unit-tested (round-trip,
wrong-key/tamper rejection, plaintext detection).
- messages.json: encrypted at rest + ATOMIC write (temp+rename) so a crash/
reboot mid-write cannot corrupt history; decrypt-with-migration on load; a
failed decrypt never overwrites the on-disk data.
- mesh contacts (alias/notes/pinned/blocked): were ONLY in memory and lost on
every restart — now persisted to mesh-contacts.json (encrypted, atomic),
loaded on MeshState startup, saved after contacts-save/contacts-block.
Explicit clear (mesh.clear-all) still wipes everything, as intended.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 08:54:37 -04:00
|
|
|
// Eagerly re-write a legacy plaintext file as encrypted on first boot.
|
|
|
|
|
if was_plaintext
|
|
|
|
|
&& enc_key()
|
|
|
|
|
.lock()
|
|
|
|
|
.unwrap_or_else(|e| e.into_inner())
|
|
|
|
|
.is_some()
|
|
|
|
|
{
|
|
|
|
|
persist();
|
|
|
|
|
tracing::info!("message store: migrated plaintext messages.json to encrypted at rest");
|
|
|
|
|
}
|
2026-03-20 08:26:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Persist current messages to disk.
|
2026-03-21 01:21:08 +00:00
|
|
|
/// Serializes under the lock, then writes asynchronously via spawn_blocking
|
|
|
|
|
/// to avoid blocking the tokio runtime.
|
2026-03-20 08:26:40 +00:00
|
|
|
fn persist() {
|
|
|
|
|
let guard = store().lock().unwrap_or_else(|e| e.into_inner());
|
|
|
|
|
let path_guard = data_path().lock().unwrap_or_else(|e| e.into_inner());
|
feat(storage): encrypt chat history + mesh contacts at rest, atomic writes, persist contacts (#12)
User: chat history (messages + mesh/Tor contacts) must persist and be
secure/encrypted per best practice. Root cause of the .198 loss was the B17
mount race writing empty stores over real data (B17 already fixes the trigger);
this hardens storage so it can never silently lose or expose data:
- storage_crypto: shared at-rest envelope mirroring credentials::store — key =
SHA-256(domain ‖ node identity key) (seed-derived, per-store domain
separation), ChaCha20-Poly1305 AEAD with a random 96-bit nonce, tamper-evident.
Transparent migration of legacy plaintext files. Unit-tested (round-trip,
wrong-key/tamper rejection, plaintext detection).
- messages.json: encrypted at rest + ATOMIC write (temp+rename) so a crash/
reboot mid-write cannot corrupt history; decrypt-with-migration on load; a
failed decrypt never overwrites the on-disk data.
- mesh contacts (alias/notes/pinned/blocked): were ONLY in memory and lost on
every restart — now persisted to mesh-contacts.json (encrypted, atomic),
loaded on MeshState startup, saved after contacts-save/contacts-block.
Explicit clear (mesh.clear-all) still wipes everything, as intended.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 08:54:37 -04:00
|
|
|
let key = *enc_key().lock().unwrap_or_else(|e| e.into_inner());
|
2026-03-20 08:26:40 +00:00
|
|
|
if let Some(ref path) = *path_guard {
|
feat(storage): encrypt chat history + mesh contacts at rest, atomic writes, persist contacts (#12)
User: chat history (messages + mesh/Tor contacts) must persist and be
secure/encrypted per best practice. Root cause of the .198 loss was the B17
mount race writing empty stores over real data (B17 already fixes the trigger);
this hardens storage so it can never silently lose or expose data:
- storage_crypto: shared at-rest envelope mirroring credentials::store — key =
SHA-256(domain ‖ node identity key) (seed-derived, per-store domain
separation), ChaCha20-Poly1305 AEAD with a random 96-bit nonce, tamper-evident.
Transparent migration of legacy plaintext files. Unit-tested (round-trip,
wrong-key/tamper rejection, plaintext detection).
- messages.json: encrypted at rest + ATOMIC write (temp+rename) so a crash/
reboot mid-write cannot corrupt history; decrypt-with-migration on load; a
failed decrypt never overwrites the on-disk data.
- mesh contacts (alias/notes/pinned/blocked): were ONLY in memory and lost on
every restart — now persisted to mesh-contacts.json (encrypted, atomic),
loaded on MeshState startup, saved after contacts-save/contacts-block.
Explicit clear (mesh.clear-all) still wipes everything, as intended.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 08:54:37 -04:00
|
|
|
if let Ok(content) = serde_json::to_vec(&*guard) {
|
2026-03-21 01:21:08 +00:00
|
|
|
let path = path.clone();
|
|
|
|
|
drop(path_guard);
|
|
|
|
|
drop(guard);
|
|
|
|
|
tokio::task::spawn(async move {
|
feat(storage): encrypt chat history + mesh contacts at rest, atomic writes, persist contacts (#12)
User: chat history (messages + mesh/Tor contacts) must persist and be
secure/encrypted per best practice. Root cause of the .198 loss was the B17
mount race writing empty stores over real data (B17 already fixes the trigger);
this hardens storage so it can never silently lose or expose data:
- storage_crypto: shared at-rest envelope mirroring credentials::store — key =
SHA-256(domain ‖ node identity key) (seed-derived, per-store domain
separation), ChaCha20-Poly1305 AEAD with a random 96-bit nonce, tamper-evident.
Transparent migration of legacy plaintext files. Unit-tested (round-trip,
wrong-key/tamper rejection, plaintext detection).
- messages.json: encrypted at rest + ATOMIC write (temp+rename) so a crash/
reboot mid-write cannot corrupt history; decrypt-with-migration on load; a
failed decrypt never overwrites the on-disk data.
- mesh contacts (alias/notes/pinned/blocked): were ONLY in memory and lost on
every restart — now persisted to mesh-contacts.json (encrypted, atomic),
loaded on MeshState startup, saved after contacts-save/contacts-block.
Explicit clear (mesh.clear-all) still wipes everything, as intended.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 08:54:37 -04:00
|
|
|
// Encrypt at rest when the node key is available; fall back to
|
|
|
|
|
// plaintext rather than drop the write if it somehow isn't.
|
|
|
|
|
let bytes = match key {
|
|
|
|
|
Some(k) => crate::storage_crypto::seal(&content, &k).unwrap_or(content),
|
|
|
|
|
None => content,
|
|
|
|
|
};
|
|
|
|
|
// Atomic write: stage to a temp file then rename, so a crash or
|
|
|
|
|
// reboot mid-write can never truncate/corrupt the real history
|
|
|
|
|
// (rename is atomic on the same filesystem).
|
|
|
|
|
let tmp = path.with_extension("json.tmp");
|
|
|
|
|
if tokio::fs::write(&tmp, &bytes).await.is_ok() {
|
|
|
|
|
let _ = tokio::fs::rename(&tmp, &path).await;
|
|
|
|
|
} else {
|
|
|
|
|
let _ = tokio::fs::remove_file(&tmp).await;
|
|
|
|
|
}
|
2026-03-21 01:21:08 +00:00
|
|
|
});
|
2026-03-20 08:26:40 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2026-02-17 15:03:34 +00:00
|
|
|
|
|
|
|
|
/// Store a received message (called from HTTP handler).
|
feat(wallet,content,seed): Fedimint dual-ecash, paid content streaming, seed ceremony
- Fedimint ecash alongside Cashu: fedimint-clientd (fmcd) HTTP bridge,
fedimint_client, fedimint RPC, wallet wiring
- Paid peer content: content invoices + streaming content server + content RPCs
- Seed-phrase ceremony/reveal RPCs and CLI ceremony tool
- LND wallet, mesh status/messaging, app-stack (netbird HTTPS), and
decoupled-update wiring; Fedimint Client core app in catalog
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 19:21:07 -04:00
|
|
|
pub fn store_received_sync(
|
|
|
|
|
from_pubkey: &str,
|
|
|
|
|
message: &str,
|
|
|
|
|
from_name: Option<&str>,
|
|
|
|
|
msg_id: Option<&str>,
|
|
|
|
|
) {
|
2026-03-20 08:26:40 +00:00
|
|
|
let ts = chrono::Utc::now().to_rfc3339();
|
|
|
|
|
let mut guard = store().lock().unwrap_or_else(|e| e.into_inner());
|
|
|
|
|
|
feat(wallet,content,seed): Fedimint dual-ecash, paid content streaming, seed ceremony
- Fedimint ecash alongside Cashu: fedimint-clientd (fmcd) HTTP bridge,
fedimint_client, fedimint RPC, wallet wiring
- Paid peer content: content invoices + streaming content server + content RPCs
- Seed-phrase ceremony/reveal RPCs and CLI ceremony tool
- LND wallet, mesh status/messaging, app-stack (netbird HTTPS), and
decoupled-update wiring; Fedimint Client core app in catalog
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 19:21:07 -04:00
|
|
|
// Deduplication. When the sender supplied a unique id, dedup on
|
|
|
|
|
// (from_pubkey, msg_id) across all retained history — this is robust even
|
|
|
|
|
// when a slow-Tor redelivery arrives well outside any time window (#31).
|
|
|
|
|
// Older senders send no id; fall back to the legacy same-pubkey+message
|
|
|
|
|
// within-30s heuristic.
|
|
|
|
|
let duplicate = if let Some(id) = msg_id {
|
|
|
|
|
guard
|
|
|
|
|
.messages
|
|
|
|
|
.iter()
|
|
|
|
|
.any(|m| m.from_pubkey == from_pubkey && m.msg_id.as_deref() == Some(id))
|
|
|
|
|
} else {
|
|
|
|
|
guard.messages.iter().rev().take(20).any(|m| {
|
|
|
|
|
m.from_pubkey == from_pubkey
|
|
|
|
|
&& m.message == message
|
|
|
|
|
&& m.direction == "received"
|
|
|
|
|
&& within_seconds(&m.timestamp, &ts, 30)
|
|
|
|
|
})
|
|
|
|
|
};
|
|
|
|
|
if duplicate {
|
2026-03-20 08:26:40 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
guard.messages.push(IncomingMessage {
|
2026-02-17 15:03:34 +00:00
|
|
|
from_pubkey: from_pubkey.to_string(),
|
|
|
|
|
from_onion: None,
|
2026-04-12 12:11:00 -04:00
|
|
|
from_name: from_name.map(|s| s.to_string()),
|
feat(wallet,content,seed): Fedimint dual-ecash, paid content streaming, seed ceremony
- Fedimint ecash alongside Cashu: fedimint-clientd (fmcd) HTTP bridge,
fedimint_client, fedimint RPC, wallet wiring
- Paid peer content: content invoices + streaming content server + content RPCs
- Seed-phrase ceremony/reveal RPCs and CLI ceremony tool
- LND wallet, mesh status/messaging, app-stack (netbird HTTPS), and
decoupled-update wiring; Fedimint Client core app in catalog
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 19:21:07 -04:00
|
|
|
msg_id: msg_id.map(|s| s.to_string()),
|
2026-02-17 15:03:34 +00:00
|
|
|
message: message.to_string(),
|
2026-03-20 08:26:40 +00:00
|
|
|
timestamp: ts,
|
|
|
|
|
direction: "received".to_string(),
|
2026-02-17 15:03:34 +00:00
|
|
|
});
|
2026-03-20 08:26:40 +00:00
|
|
|
trim_messages(&mut guard);
|
|
|
|
|
drop(guard);
|
|
|
|
|
persist();
|
2026-02-17 15:03:34 +00:00
|
|
|
}
|
|
|
|
|
|
feat(wallet,content,seed): Fedimint dual-ecash, paid content streaming, seed ceremony
- Fedimint ecash alongside Cashu: fedimint-clientd (fmcd) HTTP bridge,
fedimint_client, fedimint RPC, wallet wiring
- Paid peer content: content invoices + streaming content server + content RPCs
- Seed-phrase ceremony/reveal RPCs and CLI ceremony tool
- LND wallet, mesh status/messaging, app-stack (netbird HTTPS), and
decoupled-update wiring; Fedimint Client core app in catalog
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 19:21:07 -04:00
|
|
|
pub async fn store_received(
|
|
|
|
|
from_pubkey: &str,
|
|
|
|
|
message: &str,
|
|
|
|
|
from_name: Option<&str>,
|
|
|
|
|
msg_id: Option<&str>,
|
|
|
|
|
) {
|
|
|
|
|
store_received_sync(from_pubkey, message, from_name, msg_id);
|
2026-02-17 15:03:34 +00:00
|
|
|
}
|
|
|
|
|
|
2026-03-20 08:26:40 +00:00
|
|
|
/// Store a sent message (for display in Archipelago channel).
|
|
|
|
|
pub fn store_sent(message: &str) {
|
|
|
|
|
let mut guard = store().lock().unwrap_or_else(|e| e.into_inner());
|
|
|
|
|
guard.messages.push(IncomingMessage {
|
|
|
|
|
from_pubkey: "me".to_string(),
|
|
|
|
|
from_onion: None,
|
2026-04-13 08:01:10 -04:00
|
|
|
from_name: None,
|
feat(wallet,content,seed): Fedimint dual-ecash, paid content streaming, seed ceremony
- Fedimint ecash alongside Cashu: fedimint-clientd (fmcd) HTTP bridge,
fedimint_client, fedimint RPC, wallet wiring
- Paid peer content: content invoices + streaming content server + content RPCs
- Seed-phrase ceremony/reveal RPCs and CLI ceremony tool
- LND wallet, mesh status/messaging, app-stack (netbird HTTPS), and
decoupled-update wiring; Fedimint Client core app in catalog
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 19:21:07 -04:00
|
|
|
msg_id: None,
|
2026-03-20 08:26:40 +00:00
|
|
|
message: message.to_string(),
|
|
|
|
|
timestamp: chrono::Utc::now().to_rfc3339(),
|
|
|
|
|
direction: "sent".to_string(),
|
|
|
|
|
});
|
|
|
|
|
trim_messages(&mut guard);
|
|
|
|
|
drop(guard);
|
|
|
|
|
persist();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Get all messages (sent + received) for UI display.
|
2026-02-17 15:03:34 +00:00
|
|
|
pub fn get_received() -> Vec<IncomingMessage> {
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
store()
|
|
|
|
|
.lock()
|
|
|
|
|
.unwrap_or_else(|e| e.into_inner())
|
|
|
|
|
.messages
|
|
|
|
|
.clone()
|
2026-02-17 15:03:34 +00:00
|
|
|
}
|
|
|
|
|
|
2026-03-20 08:26:40 +00:00
|
|
|
fn trim_messages(store: &mut MessageStore) {
|
|
|
|
|
if store.messages.len() > MAX_STORED {
|
|
|
|
|
let drain = store.messages.len() - MAX_STORED;
|
|
|
|
|
store.messages.drain(0..drain);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Check if two ISO8601 timestamps are within N seconds of each other.
|
|
|
|
|
fn within_seconds(ts1: &str, ts2: &str, secs: i64) -> bool {
|
|
|
|
|
use chrono::DateTime;
|
|
|
|
|
let a = DateTime::parse_from_rfc3339(ts1).ok();
|
|
|
|
|
let b = DateTime::parse_from_rfc3339(ts2).ok();
|
|
|
|
|
match (a, b) {
|
|
|
|
|
(Some(a), Some(b)) => (a - b).num_seconds().unsigned_abs() < secs as u64,
|
|
|
|
|
_ => false,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-20 09:04:43 +00:00
|
|
|
// ─── E2E Encryption ─────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
use crate::mesh::crypto;
|
|
|
|
|
use base64::Engine;
|
|
|
|
|
|
|
|
|
|
/// Encrypt a message for a recipient using X25519 ECDH + ChaCha20-Poly1305.
|
|
|
|
|
/// Returns base64-encoded ciphertext (nonce + encrypted data).
|
|
|
|
|
fn encrypt_for_peer(
|
|
|
|
|
our_signing_key: &ed25519_dalek::SigningKey,
|
|
|
|
|
their_pubkey_hex: &str,
|
|
|
|
|
plaintext: &str,
|
|
|
|
|
) -> Result<String> {
|
|
|
|
|
let their_pubkey_bytes: [u8; 32] = hex::decode(their_pubkey_hex)
|
|
|
|
|
.context("Invalid peer pubkey hex")?
|
|
|
|
|
.try_into()
|
|
|
|
|
.map_err(|_| anyhow::anyhow!("Invalid peer pubkey length"))?;
|
|
|
|
|
|
|
|
|
|
let their_x25519 = crypto::ed25519_pubkey_to_x25519(&their_pubkey_bytes)?;
|
|
|
|
|
let our_x25519 = crypto::ed25519_secret_to_x25519(our_signing_key);
|
|
|
|
|
let shared = crypto::x25519_shared_secret(&our_x25519, &their_x25519);
|
|
|
|
|
|
|
|
|
|
// HKDF to derive message key (domain separation for Tor messages)
|
|
|
|
|
let msg_key_bytes = crypto::hkdf_sha256(
|
|
|
|
|
b"archipelago-tor-msg-v1",
|
|
|
|
|
&shared,
|
|
|
|
|
b"message-encryption",
|
|
|
|
|
32,
|
|
|
|
|
)?;
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
let msg_key: [u8; 32] = msg_key_bytes
|
|
|
|
|
.try_into()
|
2026-03-20 09:04:43 +00:00
|
|
|
.map_err(|_| anyhow::anyhow!("HKDF key length mismatch"))?;
|
|
|
|
|
|
|
|
|
|
let encrypted = crypto::encrypt(&msg_key, plaintext.as_bytes())?;
|
|
|
|
|
Ok(base64::engine::general_purpose::STANDARD.encode(&encrypted))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Decrypt a message from a sender using X25519 ECDH + ChaCha20-Poly1305.
|
|
|
|
|
pub fn decrypt_from_peer(
|
|
|
|
|
our_signing_key: &ed25519_dalek::SigningKey,
|
|
|
|
|
sender_pubkey_hex: &str,
|
|
|
|
|
encrypted_b64: &str,
|
|
|
|
|
) -> Result<String> {
|
|
|
|
|
let sender_pubkey_bytes: [u8; 32] = hex::decode(sender_pubkey_hex)
|
|
|
|
|
.context("Invalid sender pubkey hex")?
|
|
|
|
|
.try_into()
|
|
|
|
|
.map_err(|_| anyhow::anyhow!("Invalid sender pubkey length"))?;
|
|
|
|
|
|
|
|
|
|
let sender_x25519 = crypto::ed25519_pubkey_to_x25519(&sender_pubkey_bytes)?;
|
|
|
|
|
let our_x25519 = crypto::ed25519_secret_to_x25519(our_signing_key);
|
|
|
|
|
let shared = crypto::x25519_shared_secret(&our_x25519, &sender_x25519);
|
|
|
|
|
|
|
|
|
|
let msg_key_bytes = crypto::hkdf_sha256(
|
|
|
|
|
b"archipelago-tor-msg-v1",
|
|
|
|
|
&shared,
|
|
|
|
|
b"message-encryption",
|
|
|
|
|
32,
|
|
|
|
|
)?;
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
let msg_key: [u8; 32] = msg_key_bytes
|
|
|
|
|
.try_into()
|
2026-03-20 09:04:43 +00:00
|
|
|
.map_err(|_| anyhow::anyhow!("HKDF key length mismatch"))?;
|
|
|
|
|
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
let encrypted = base64::engine::general_purpose::STANDARD
|
|
|
|
|
.decode(encrypted_b64)
|
|
|
|
|
.context("Invalid base64 ciphertext")?;
|
2026-03-20 09:04:43 +00:00
|
|
|
let plaintext_bytes = crypto::decrypt(&msg_key, &encrypted)?;
|
|
|
|
|
String::from_utf8(plaintext_bytes).context("Decrypted message is not valid UTF-8")
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-20 08:26:40 +00:00
|
|
|
// ─── Tor Messaging ──────────────────────────────────────────────
|
|
|
|
|
|
2026-02-17 15:03:34 +00:00
|
|
|
/// Tor v3 onion hostname is 56 base32 chars (a-z, 2-7). Reject invalid formats.
|
|
|
|
|
fn validate_onion(onion: &str) -> Result<()> {
|
|
|
|
|
let host = onion.trim_end_matches(".onion");
|
|
|
|
|
if host.len() != 56 {
|
|
|
|
|
anyhow::bail!(
|
|
|
|
|
"Invalid onion address (expected 56 chars, got {}). The peer may have wrong data - try removing and re-adding via Discover.",
|
|
|
|
|
host.len()
|
|
|
|
|
);
|
|
|
|
|
}
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
let valid = host
|
|
|
|
|
.chars()
|
|
|
|
|
.all(|c| c.is_ascii_lowercase() || ('2'..='7').contains(&c));
|
2026-02-17 15:03:34 +00:00
|
|
|
if !valid {
|
|
|
|
|
anyhow::bail!("Invalid onion address: must be 56 base32 chars (a-z, 2-7)");
|
|
|
|
|
}
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-20 09:04:43 +00:00
|
|
|
/// Send an encrypted message to a peer over Tor.
|
|
|
|
|
/// The message is encrypted with ChaCha20-Poly1305 using an X25519 shared secret
|
|
|
|
|
/// derived from both nodes' ed25519 keys.
|
|
|
|
|
pub async fn send_to_peer(
|
|
|
|
|
onion: &str,
|
2026-04-19 01:36:04 -04:00
|
|
|
fips_npub: Option<&str>,
|
2026-03-20 09:04:43 +00:00
|
|
|
from_pubkey: &str,
|
|
|
|
|
message: &str,
|
|
|
|
|
signing_key: Option<&ed25519_dalek::SigningKey>,
|
|
|
|
|
recipient_pubkey: Option<&str>,
|
2026-04-12 12:11:00 -04:00
|
|
|
from_name: Option<&str>,
|
2026-03-20 09:04:43 +00:00
|
|
|
) -> Result<()> {
|
2026-02-17 15:03:34 +00:00
|
|
|
validate_onion(onion)?;
|
|
|
|
|
|
2026-03-20 09:04:43 +00:00
|
|
|
// Encrypt message if we have both keys
|
|
|
|
|
let (payload_message, encrypted) = match (signing_key, recipient_pubkey) {
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
(Some(sk), Some(rpk)) => match encrypt_for_peer(sk, rpk, message) {
|
|
|
|
|
Ok(enc) => (enc, true),
|
|
|
|
|
Err(e) => {
|
|
|
|
|
tracing::warn!("Encryption failed, sending plaintext: {}", e);
|
|
|
|
|
(message.to_string(), false)
|
2026-03-20 09:04:43 +00:00
|
|
|
}
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
},
|
2026-03-20 09:04:43 +00:00
|
|
|
_ => (message.to_string(), false),
|
|
|
|
|
};
|
|
|
|
|
|
2026-04-12 12:11:00 -04:00
|
|
|
let mut body = serde_json::json!({
|
2026-02-17 15:03:34 +00:00
|
|
|
"from_pubkey": from_pubkey,
|
2026-03-20 09:04:43 +00:00
|
|
|
"message": payload_message,
|
2026-02-17 15:03:34 +00:00
|
|
|
"timestamp": chrono::Utc::now().to_rfc3339(),
|
2026-03-20 09:04:43 +00:00
|
|
|
"encrypted": encrypted,
|
feat(wallet,content,seed): Fedimint dual-ecash, paid content streaming, seed ceremony
- Fedimint ecash alongside Cashu: fedimint-clientd (fmcd) HTTP bridge,
fedimint_client, fedimint RPC, wallet wiring
- Paid peer content: content invoices + streaming content server + content RPCs
- Seed-phrase ceremony/reveal RPCs and CLI ceremony tool
- LND wallet, mesh status/messaging, app-stack (netbird HTTPS), and
decoupled-update wiring; Fedimint Client core app in catalog
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 19:21:07 -04:00
|
|
|
// Unique per-message id so receivers can dedup reliably even across
|
|
|
|
|
// slow-Tor retries/redeliveries (#31). Old receivers ignore it.
|
|
|
|
|
"msg_id": uuid::Uuid::new_v4().to_string(),
|
2026-02-17 15:03:34 +00:00
|
|
|
});
|
2026-04-12 12:11:00 -04:00
|
|
|
if let Some(name) = from_name {
|
|
|
|
|
body["from_name"] = serde_json::Value::String(name.to_string());
|
|
|
|
|
}
|
2026-02-17 15:03:34 +00:00
|
|
|
|
2026-04-28 15:00:58 -04:00
|
|
|
let (resp, transport) =
|
|
|
|
|
crate::fips::dial::PeerRequest::new(fips_npub, onion, "/archipelago/node-message")
|
|
|
|
|
.service(crate::settings::transport::PeerService::Messaging)
|
|
|
|
|
.timeout(std::time::Duration::from_secs(60))
|
|
|
|
|
.send_json(&body)
|
|
|
|
|
.await
|
|
|
|
|
.map_err(|e| {
|
|
|
|
|
let msg = e.to_string();
|
|
|
|
|
if msg.contains("connection refused") || msg.contains("Connection refused") {
|
|
|
|
|
anyhow::anyhow!(
|
|
|
|
|
"Peer unreachable. Check Tor (127.0.0.1:9050) and FIPS daemon status."
|
|
|
|
|
)
|
|
|
|
|
} else if msg.contains("timeout") || msg.contains("timed out") {
|
|
|
|
|
anyhow::anyhow!("Connection timed out. The peer may be offline.")
|
|
|
|
|
} else {
|
|
|
|
|
anyhow::anyhow!("Failed to send: {}", msg)
|
|
|
|
|
}
|
|
|
|
|
})?;
|
2026-02-17 15:03:34 +00:00
|
|
|
|
|
|
|
|
if !resp.status().is_success() {
|
|
|
|
|
anyhow::bail!(
|
2026-04-19 01:36:04 -04:00
|
|
|
"Peer returned {} {} (via {}). The peer may need /archipelago/ in its nginx config.",
|
2026-02-17 15:03:34 +00:00
|
|
|
resp.status().as_u16(),
|
2026-04-19 01:36:04 -04:00
|
|
|
resp.status().canonical_reason().unwrap_or(""),
|
|
|
|
|
transport,
|
2026-02-17 15:03:34 +00:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
2026-04-19 01:36:04 -04:00
|
|
|
/// Check if a peer is reachable (ping). FIPS is preferred when an npub
|
|
|
|
|
/// is known, Tor is the fallback.
|
|
|
|
|
pub async fn check_peer_reachable(onion: &str, fips_npub: Option<&str>) -> Result<bool> {
|
2026-03-06 03:26:56 +00:00
|
|
|
validate_onion(onion)?;
|
2026-04-19 01:36:04 -04:00
|
|
|
match crate::fips::dial::PeerRequest::new(fips_npub, onion, "/health")
|
2026-04-19 01:44:41 -04:00
|
|
|
.service(crate::settings::transport::PeerService::Messaging)
|
2026-02-17 15:03:34 +00:00
|
|
|
.timeout(std::time::Duration::from_secs(30))
|
2026-04-19 01:36:04 -04:00
|
|
|
.send_get()
|
|
|
|
|
.await
|
|
|
|
|
{
|
|
|
|
|
Ok((resp, _)) => Ok(resp.status().is_success()),
|
2026-02-17 15:03:34 +00:00
|
|
|
Err(_) => Ok(false),
|
|
|
|
|
}
|
|
|
|
|
}
|