Bump CACHEBUST to v8 for backend and frontend rebuilds; update Nginx and NostrAuthGuard to handle X-Forwarded-Prefix for NIP-98 compliance

2026-02-13 20:20:32 +00:00
parent dea2d2e768
commit abb83fe164
5 changed files with 27 additions and 10 deletions
--- a/src/services/auth.service.ts
+++ b/src/services/auth.service.ts
@@ -119,18 +119,22 @@ class AuthService {
   * Signs a kind-27235 event and sends it as the Authorization header.
   */
  async createNostrSession(_request: NostrSessionRequest): Promise<NostrSessionResponse> {
-    const url = `${apiConfig.baseURL}/auth/nostr/session`
+    const relativeUrl = `${apiConfig.baseURL}/auth/nostr/session`
    const method = 'POST'

+    // NIP-98 requires an absolute URL in the event tag so it matches
+    // what the backend reconstructs from Host / X-Forwarded-Proto.
+    const absoluteUrl = new URL(relativeUrl, window.location.origin).toString()
+
    // Create NIP-98 auth header — no body is sent
-    const authHeader = await createNip98AuthHeader(url, method)
+    const authHeader = await createNip98AuthHeader(absoluteUrl, method)

    // Send the request without a body.
    // We use axios({ method }) instead of axios.post(url, data) to
    // guarantee no Content-Type or body is serialized.
    const response = await axios<NostrSessionResponse>({
      method: 'POST',
-      url,
+      url: absoluteUrl,
      headers: { Authorization: authHeader },
      timeout: apiConfig.timeout,
    })
--- a/src/services/nip98.service.ts
+++ b/src/services/nip98.service.ts
@@ -67,15 +67,19 @@ class Nip98Service {
   */
  async createSession(signer: any, pubkey: string): Promise<boolean> {
    try {
-      const url = `${indeehubApiConfig.baseURL}/auth/nostr/session`
+      const relativeUrl = `${indeehubApiConfig.baseURL}/auth/nostr/session`
      const now = Math.floor(Date.now() / 1000)

+      // NIP-98 requires an absolute URL in the event tag so it matches
+      // what the backend reconstructs from Host / X-Forwarded-Proto.
+      const absoluteUrl = new URL(relativeUrl, window.location.origin).toString()
+
      // Build the NIP-98 event
      const event = {
        kind: 27235,
        created_at: now,
        tags: [
-          ['u', url],
+          ['u', absoluteUrl],
          ['method', 'POST'],
        ],
        content: '',
@@ -98,7 +102,7 @@ class Nip98Service {
      // Send to backend — no body to avoid NIP-98 payload mismatch
      const response = await axios({
        method: 'POST',
-        url,
+        url: absoluteUrl,
        headers: {
          Authorization: `Nostr ${encodedEvent}`,
        },