feat(relay): gate REQ/COUNT/NEG-OPEN for configured kinds behind NIP-42 AUTH #229

Open

Thunder-Blaze wants to merge 2 commits into hoytech:master from Thunder-Blaze:feat/auth-on-read-for-kinds

Conversation

@Thunder-Blaze Thunder-Blaze commented Apr 24, 2026

Contributor

Issue

Description

Resolves the above Issue by implementing read-side NIP-42 authentication to secure DMs. This addresses current structural limitations where AUTH is exclusively on the write-path and wildcard filters bypass validation.

  • By default restrictedReadKinds = "" — zero behavior change for existing operators. Turn it on to lock down DM reads.

Key Changes:

  • New Configuration: Introduces relay.auth.restrictedReadKinds (an opt-in list of kinds requiring read AUTH) and restrictReadToInvolvedPubkey (ensures the authed pubkey is present in the filter's authors or #p tags).
  • Validation Gate: Intercepts REQ, COUNT, and NEG-OPEN requests. Unauthenticated or unauthorized queries for restricted kinds trigger an AUTH challenge and are safely closed.
  • Safe Defaults: Strictly opt-in (defaults to disabled).

Important

Security Enhancements: Closes the omitted-kinds bypass loophole (wildcard filters are automatically treated as restricted) and strictly "fails closed" (blocks requests) if read-auth is enabled but the auth service is unconfigured.

Config

  • Example of auth config in strfry.conf:

    auth {
        enabled = true
        serviceUrl = "wss://relay.example"
        restrictedReadKinds = "4,1059"
        restrictReadToInvolvedPubkey = true
    }
    

Testing

[Three screenshots attached in the original PR]
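As an added illustration (not code from this PR or from strfry), the decision logic the description outlines, modelled in C++ with hypothetical names (ReadAuthConfig, Filter, gateRead) and the PR's own config values. It assumes an authenticated pubkey that fails the involved-pubkey check is rejected outright rather than re-challenged, and that the fail-closed rule applies to requests touching restricted kinds.

```cpp
#include <cstdint>
#include <set>
#include <string>
#include <vector>
// Hypothetical model of the read-auth settings from the PR's strfry.conf example.
struct ReadAuthConfig {
    bool authEnabled = false;               // auth.enabled
    std::string serviceUrl;                 // auth.serviceUrl
    std::set<uint64_t> restrictedReadKinds; // auth.restrictedReadKinds; empty = gate off
    bool restrictReadToInvolvedPubkey = false;
};

// One NIP-01 filter, reduced to the fields the gate inspects.
struct Filter {
    std::set<uint64_t> kinds;     // empty = "kinds" omitted, i.e. a wildcard over all kinds
    std::set<std::string> authors;
    std::set<std::string> pTags;  // values of the "#p" tag filter
};
enum class Verdict { Allow, NeedAuth, Forbidden };

// A filter can return restricted events if it names a restricted kind or omits "kinds"
// entirely (the omitted-kinds wildcard the PR treats as restricted).
bool touchesRestricted(const Filter& f, const ReadAuthConfig& cfg) {
    if (f.kinds.empty()) return true;
    for (uint64_t k : f.kinds) if (cfg.restrictedReadKinds.count(k)) return true;
    return false;
}

// Gate for REQ, COUNT and NEG-OPEN. authedPubkey is empty until NIP-42 AUTH completes.
Verdict gateRead(const std::vector<Filter>& filters, const std::string& authedPubkey,
                 const ReadAuthConfig& cfg) {
    if (cfg.restrictedReadKinds.empty()) return Verdict::Allow;   // opt-in: default is no change
    bool restricted = false;
    for (const Filter& f : filters) if (touchesRestricted(f, cfg)) restricted = true;
    if (!restricted) return Verdict::Allow;
    if (!cfg.authEnabled || cfg.serviceUrl.empty()) return Verdict::Forbidden; // fail closed
    if (authedPubkey.empty()) return Verdict::NeedAuth;           // AUTH challenge, then CLOSED
    if (cfg.restrictReadToInvolvedPubkey) {
        for (const Filter& f : filters) {
            if (!touchesRestricted(f, cfg)) continue;
            if (!f.authors.count(authedPubkey) && !f.pTags.count(authedPubkey)) return Verdict::Forbidden;
        }
    }
    return Verdict::Allow;
}

ReadAuthConfig exampleConfig() { // the PR's example: kinds 4 and 1059, involved-pubkey check on
    return ReadAuthConfig{true, "wss://relay.example", {4, 1059}, true};
}
```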

Development

Successfully merging this pull request may close these issues.

Auth on DMs Req