lfg2025/archy
1
0
Fork 0
Code Issues 13 Pull Requests Actions Packages Projects Releases 44 Wiki Activity
archy/core/archipelago/src/api/rpc/peers.rs
Dorian 6656d2f1d9 fix: implement 22 security pentest remediation fixes 
Server-side session management with SHA-256 hashed tokens and HttpOnly
cookies. Auth middleware gating all RPC/WS/proxy routes with method
allowlist. Login rate limiting (5/60s per IP). CORS restricted to
config origin. Docker registry allowlist. App ID and path validation.
P2P message sanitization (HTML + log injection). Onion address and
known-peer validation. Nginx security headers (CSP, X-Frame-Options,
etc.) and AIUI proxy auth. Systemd hardening (non-root, NoNewPrivileges,
ProtectSystem).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-06 03:26:56 +00:00

111 lines
4.2 KiB
Rust
Raw Blame History

use super::RpcHandler;
use crate::{node_message, nostr_discovery, peers};
use crate::peers::KnownPeer;
use anyhow::Result;
impl RpcHandler {
pub(super) async fn handle_node_add_peer(
&self,
params: Option<serde_json::Value>,
) -> Result<serde_json::Value> {
let params = params.ok_or_else(|| anyhow::anyhow!("Missing params"))?;
let onion = params
.get("onion")
.and_then(|v| v.as_str())
.ok_or_else(|| anyhow::anyhow!("Missing onion"))?;
let pubkey = params
.get("pubkey")
.and_then(|v| v.as_str())
.ok_or_else(|| anyhow::anyhow!("Missing pubkey"))?;
let name = params.get("name").and_then(|v| v.as_str()).map(String::from);
let peer = KnownPeer {
onion: onion.to_string(),
pubkey: pubkey.to_string(),
name,
added_at: Some(chrono::Utc::now().to_rfc3339()),
};
let peers = peers::add_peer(&self.config.data_dir, peer).await?;
Ok(serde_json::json!({ "peers": peers }))
}
pub(super) async fn handle_node_list_peers(&self) -> Result<serde_json::Value> {
let peers = peers::load_peers(&self.config.data_dir).await?;
Ok(serde_json::json!({ "peers": peers }))
}
pub(super) async fn handle_node_remove_peer(
&self,
params: Option<serde_json::Value>,
) -> Result<serde_json::Value> {
let params = params.ok_or_else(|| anyhow::anyhow!("Missing params"))?;
let pubkey = params
.get("pubkey")
.and_then(|v| v.as_str())
.ok_or_else(|| anyhow::anyhow!("Missing pubkey"))?;
let peers = peers::remove_peer(&self.config.data_dir, pubkey).await?;
Ok(serde_json::json!({ "peers": peers }))
}
pub(super) async fn handle_node_send_message(
&self,
params: Option<serde_json::Value>,
) -> Result<serde_json::Value> {
let params = params.ok_or_else(|| anyhow::anyhow!("Missing params"))?;
let onion = params
.get("onion")
.and_then(|v| v.as_str())
.ok_or_else(|| anyhow::anyhow!("Missing onion"))?;
let message = params
.get("message")
.and_then(|v| v.as_str())
.ok_or_else(|| anyhow::anyhow!("Missing message"))?;
// Validate onion is a known peer to prevent SSRF to arbitrary Tor destinations
let known_peers = peers::load_peers(&self.config.data_dir).await?;
let is_known = known_peers.iter().any(|p| {
p.onion == onion || p.onion == format!("{}.onion", onion)
|| format!("{}.onion", p.onion) == onion
});
if !is_known {
return Err(anyhow::anyhow!(
"Onion address not in known peers list. Add the peer first."
));
}
let (data, _) = self.state_manager.get_snapshot().await;
let pubkey = data.server_info.pubkey.clone();
node_message::send_to_peer(onion, &pubkey, message).await?;
Ok(serde_json::json!({ "ok": true, "sent_to": onion }))
}
pub(super) async fn handle_node_check_peer(
&self,
params: Option<serde_json::Value>,
) -> Result<serde_json::Value> {
let params = params.ok_or_else(|| anyhow::anyhow!("Missing params"))?;
let onion = params
.get("onion")
.and_then(|v| v.as_str())
.ok_or_else(|| anyhow::anyhow!("Missing onion"))?;
let reachable = node_message::check_peer_reachable(onion).await.unwrap_or(false);
Ok(serde_json::json!({ "onion": onion, "reachable": reachable }))
}
pub(super) async fn handle_node_messages_received(&self) -> Result<serde_json::Value> {
let messages = node_message::get_received();
Ok(serde_json::json!({ "messages": messages }))
}
pub(super) async fn handle_node_nostr_discover(&self) -> Result<serde_json::Value> {
let identity_dir = self.config.data_dir.join("identity");
let nodes = nostr_discovery::discover_archipelago_nodes(
&identity_dir,
&self.config.nostr_relays,
self.config.nostr_tor_proxy.as_deref(),
)
.await?;
Ok(serde_json::json!({ "nodes": nodes }))
}
}
Reference in New Issue View Git Blame Copy Permalink