@openclaw/nostr 2026.2.12 → 2026.2.14

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## 2026.2.14
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
+## 2026.2.13
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
 ## 2026.2.6-3
 
 ### Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openclaw/nostr",
-  "version": "2026.2.12",
+  "version": "2026.2.14",
   "description": "OpenClaw Nostr channel plugin for NIP-04 encrypted DMs",
   "type": "module",
   "dependencies": {

package/src/nostr-profile-http.test.ts

@@ -29,12 +29,21 @@ import { importProfileFromRelays } from "./nostr-profile-import.js";
 // Test Helpers
 // ============================================================================
 
-function createMockRequest(method: string, url: string, body?: unknown): IncomingMessage {
+function createMockRequest(
+  method: string,
+  url: string,
+  body?: unknown,
+  opts?: { headers?: Record<string, string>; remoteAddress?: string },
+): IncomingMessage {
   const socket = new Socket();
+  Object.defineProperty(socket, "remoteAddress", {
+    value: opts?.remoteAddress ?? "127.0.0.1",
+    configurable: true,
+  });
   const req = new IncomingMessage(socket);
   req.method = method;
   req.url = url;
-  req.headers = { host: "localhost:3000" };
+  req.headers = { host: "localhost:3000", ...(opts?.headers ?? {}) };
 
   if (body) {
     const bodyStr = JSON.stringify(body);
@@ -206,6 +215,36 @@ describe("nostr-profile-http", () => {
       expect(ctx.updateConfigProfile).toHaveBeenCalled();
     });
 
+    it("rejects profile mutation from non-loopback remote address", async () => {
+      const ctx = createMockContext();
+      const handler = createNostrProfileHttpHandler(ctx);
+      const req = createMockRequest(
+        "PUT",
+        "/api/channels/nostr/default/profile",
+        { name: "attacker" },
+        { remoteAddress: "198.51.100.10" },
+      );
+      const res = createMockResponse();
+
+      await handler(req, res);
+      expect(res._getStatusCode()).toBe(403);
+    });
+
+    it("rejects cross-origin profile mutation attempts", async () => {
+      const ctx = createMockContext();
+      const handler = createNostrProfileHttpHandler(ctx);
+      const req = createMockRequest(
+        "PUT",
+        "/api/channels/nostr/default/profile",
+        { name: "attacker" },
+        { headers: { origin: "https://evil.example" } },
+      );
+      const res = createMockResponse();
+
+      await handler(req, res);
+      expect(res._getStatusCode()).toBe(403);
+    });
+
     it("rejects private IP in picture URL (SSRF protection)", async () => {
       const ctx = createMockContext();
       const handler = createNostrProfileHttpHandler(ctx);
@@ -327,6 +366,36 @@ describe("nostr-profile-http", () => {
       expect(data.saved).toBe(false); // autoMerge not requested
     });
 
+    it("rejects import mutation from non-loopback remote address", async () => {
+      const ctx = createMockContext();
+      const handler = createNostrProfileHttpHandler(ctx);
+      const req = createMockRequest(
+        "POST",
+        "/api/channels/nostr/default/profile/import",
+        {},
+        { remoteAddress: "203.0.113.10" },
+      );
+      const res = createMockResponse();
+
+      await handler(req, res);
+      expect(res._getStatusCode()).toBe(403);
+    });
+
+    it("rejects cross-origin import mutation attempts", async () => {
+      const ctx = createMockContext();
+      const handler = createNostrProfileHttpHandler(ctx);
+      const req = createMockRequest(
+        "POST",
+        "/api/channels/nostr/default/profile/import",
+        {},
+        { headers: { origin: "https://evil.example" } },
+      );
+      const res = createMockResponse();
+
+      await handler(req, res);
+      expect(res._getStatusCode()).toBe(403);
+    });
+
     it("auto-merges when requested", async () => {
       const ctx = createMockContext({
         getConfigProfile: vi.fn().mockReturnValue({ about: "local bio" }),

package/src/nostr-profile-http.ts

@@ -8,6 +8,7 @@
  */
 
 import type { IncomingMessage, ServerResponse } from "node:http";
+import { readJsonBodyWithLimit, requestBodyErrorToText } from "openclaw/plugin-sdk";
 import { z } from "zod";
 import { publishNostrProfile, getNostrProfileState } from "./channel.js";
 import { NostrProfileSchema, type NostrProfile } from "./config-schema.js";
@@ -234,54 +235,24 @@ async function readJsonBody(
   maxBytes = 64 * 1024,
   timeoutMs = 30_000,
 ): Promise<unknown> {
-  return new Promise((resolve, reject) => {
-    let done = false;
-    const finish = (fn: () => void) => {
-      if (done) {
-        return;
-      }
-      done = true;
-      clearTimeout(timer);
-      fn();
-    };
-
-    const timer = setTimeout(() => {
-      finish(() => {
-        const err = new Error("Request body timeout");
-        req.destroy(err);
-        reject(err);
-      });
-    }, timeoutMs);
-
-    const chunks: Buffer[] = [];
-    let totalBytes = 0;
-
-    req.on("data", (chunk: Buffer) => {
-      totalBytes += chunk.length;
-      if (totalBytes > maxBytes) {
-        finish(() => {
-          reject(new Error("Request body too large"));
-          req.destroy();
-        });
-        return;
-      }
-      chunks.push(chunk);
-    });
-
-    req.on("end", () => {
-      finish(() => {
-        try {
-          const body = Buffer.concat(chunks).toString("utf-8");
-          resolve(body ? JSON.parse(body) : {});
-        } catch {
-          reject(new Error("Invalid JSON"));
-        }
-      });
-    });
-
-    req.on("error", (err) => finish(() => reject(err)));
-    req.on("close", () => finish(() => reject(new Error("Connection closed"))));
+  const result = await readJsonBodyWithLimit(req, {
+    maxBytes,
+    timeoutMs,
+    emptyObjectOnEmpty: true,
   });
+  if (result.ok) {
+    return result.value;
+  }
+  if (result.code === "PAYLOAD_TOO_LARGE") {
+    throw new Error("Request body too large");
+  }
+  if (result.code === "REQUEST_BODY_TIMEOUT") {
+    throw new Error(requestBodyErrorToText("REQUEST_BODY_TIMEOUT"));
+  }
+  if (result.code === "CONNECTION_CLOSED") {
+    throw new Error(requestBodyErrorToText("CONNECTION_CLOSED"));
+  }
+  throw new Error(result.code === "INVALID_JSON" ? "Invalid JSON" : result.error);
 }
 
 function parseAccountIdFromPath(pathname: string): string | null {
@@ -290,6 +261,73 @@ function parseAccountIdFromPath(pathname: string): string | null {
   return match?.[1] ?? null;
 }
 
+function isLoopbackRemoteAddress(remoteAddress: string | undefined): boolean {
+  if (!remoteAddress) {
+    return false;
+  }
+
+  const ipLower = remoteAddress.toLowerCase().replace(/^\[|\]$/g, "");
+
+  // IPv6 loopback
+  if (ipLower === "::1") {
+    return true;
+  }
+
+  // IPv4 loopback (127.0.0.0/8)
+  if (ipLower === "127.0.0.1" || ipLower.startsWith("127.")) {
+    return true;
+  }
+
+  // IPv4-mapped IPv6
+  const v4Mapped = ipLower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
+  if (v4Mapped) {
+    return isLoopbackRemoteAddress(v4Mapped[1]);
+  }
+
+  return false;
+}
+
+function isLoopbackOriginLike(value: string): boolean {
+  try {
+    const url = new URL(value);
+    const hostname = url.hostname.toLowerCase();
+    return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
+  } catch {
+    return false;
+  }
+}
+
+function enforceLoopbackMutationGuards(
+  ctx: NostrProfileHttpContext,
+  req: IncomingMessage,
+  res: ServerResponse,
+): boolean {
+  // Mutation endpoints are local-control-plane only.
+  const remoteAddress = req.socket.remoteAddress;
+  if (!isLoopbackRemoteAddress(remoteAddress)) {
+    ctx.log?.warn?.(`Rejected mutation from non-loopback remoteAddress=${String(remoteAddress)}`);
+    sendJson(res, 403, { ok: false, error: "Forbidden" });
+    return false;
+  }
+
+  // CSRF guard: browsers send Origin/Referer on cross-site requests.
+  const origin = req.headers.origin;
+  if (typeof origin === "string" && !isLoopbackOriginLike(origin)) {
+    ctx.log?.warn?.(`Rejected mutation with non-loopback origin=${origin}`);
+    sendJson(res, 403, { ok: false, error: "Forbidden" });
+    return false;
+  }
+
+  const referer = req.headers.referer ?? req.headers.referrer;
+  if (typeof referer === "string" && !isLoopbackOriginLike(referer)) {
+    ctx.log?.warn?.(`Rejected mutation with non-loopback referer=${referer}`);
+    sendJson(res, 403, { ok: false, error: "Forbidden" });
+    return false;
+  }
+
+  return true;
+}
+
 // ============================================================================
 // HTTP Handler
 // ============================================================================
@@ -372,6 +410,10 @@ async function handleUpdateProfile(
   req: IncomingMessage,
   res: ServerResponse,
 ): Promise<true> {
+  if (!enforceLoopbackMutationGuards(ctx, req, res)) {
+    return true;
+  }
+
   // Rate limiting
   if (!checkRateLimit(accountId)) {
     sendJson(res, 429, { ok: false, error: "Rate limit exceeded (5 requests/minute)" });
@@ -471,6 +513,10 @@ async function handleImportProfile(
   req: IncomingMessage,
   res: ServerResponse,
 ): Promise<true> {
+  if (!enforceLoopbackMutationGuards(ctx, req, res)) {
+    return true;
+  }
+
   // Get account info
   const accountInfo = ctx.getAccountInfo(accountId);
   if (!accountInfo) {

package/src/nostr-profile.fuzz.test.ts

@@ -98,7 +98,10 @@ describe("profile unicode attacks", () => {
     });
 
     it("handles excessive combining characters (Zalgo text)", () => {
-      const zalgo = "t̷̢̧̨̡̛̛̛͎̩̝̪̲̲̞̠̹̗̩͓̬̱̪̦͙̬̲̤͙̱̫̝̪̱̫̯̬̭̠̖̲̥̖̫̫̤͇̪̣̫̪̖̱̯̣͎̯̲̱̤̪̣̖̲̪̯͓̖̤̫̫̲̱̲̫̲̖̫̪̯̱̱̪̖̯e̶̡̧̨̧̛̛̛̖̪̯̱̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪s̶̨̧̛̛̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯t";
+      // Keep the source small (faster transforms) while still exercising
+      // "lots of combining marks" behavior.
+      const marks = "\u0301\u0300\u0336\u034f\u035c\u0360";
+      const zalgo = `t${marks.repeat(256)}e${marks.repeat(256)}s${marks.repeat(256)}t`;
       const profile: NostrProfile = {
         name: zalgo.slice(0, 256), // Truncate to fit limit
       };
@@ -453,7 +456,7 @@ describe("event creation edge cases", () => {
 
     // Create events in quick succession
     let lastTimestamp = 0;
-    for (let i = 0; i < 100; i++) {
+    for (let i = 0; i < 25; i++) {
       const event = createProfileEvent(TEST_SK, profile, lastTimestamp);
       expect(event.created_at).toBeGreaterThan(lastTimestamp);
       lastTimestamp = event.created_at;