From ce02f7d56cecf52c6e4852878a9374597370bc5c Mon Sep 17 00:00:00 2001
From: Alex Gleason <alex@alexgleason.me>
Date: Sat, 13 May 2023 20:16:44 -0500
Subject: [PATCH] Update streaming comments

---
 src/controllers/api/streaming.ts |  1 +
 src/sign.ts                      | 13 +++++++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/controllers/api/streaming.ts b/src/controllers/api/streaming.ts
index 5f54ba0..5934592 100644
--- a/src/controllers/api/streaming.ts
+++ b/src/controllers/api/streaming.ts
@@ -24,6 +24,7 @@ const streamingController: AppController = (c) => {
   socket.addEventListener('close', () => console.log('websocket: connection closed'));
   socket.addEventListener('message', (e) => console.log('websocket message: ', e.data));
 
+  // FIXME: Only do this for nostr.sign events.
   signStreams.set(token, socket);
 
   return response;
diff --git a/src/sign.ts b/src/sign.ts
index 1dc6baa..5e5dc7e 100644
--- a/src/sign.ts
+++ b/src/sign.ts
@@ -4,6 +4,8 @@ import { getEventHash, getPublicKey, getSignature, HTTPException } from '@/deps.
 import type { Event, EventTemplate, SignedEvent } from '@/event.ts';
 
 /** Map of OAuth tokens to WebSocket signing streams. */
+// FIXME: People can eavesdrop on other people's signing streams.
+// TODO: Add a secret to the Authorization header.
 export const signStreams = new Map<string, WebSocket>();
 
 /** Get signing WebSocket from app context. */
@@ -12,12 +14,17 @@ function getSignStream(c: AppContext): WebSocket | undefined {
   return token ? signStreams.get(token) : undefined;
 }
 
-/** Sign Nostr event using the app context. */
+/**
+ * Sign Nostr event using the app context.
+ *
+ * - If a secret key is provided, it will be used to sign the event.
+ * - If a signing WebSocket is provided, it will be used to sign the event.
+ */
 async function signEvent<K extends number = number>(event: EventTemplate<K>, c: AppContext): Promise<SignedEvent<K>> {
   const seckey = c.get('seckey');
   const stream = getSignStream(c);
 
-  if (stream) {
+  if (!seckey && stream) {
     try {
       return await new Promise<SignedEvent<K>>((resolve, reject) => {
         stream.addEventListener('message', (e) => {
@@ -36,8 +43,6 @@ async function signEvent<K extends number = number>(event: EventTemplate<K>, c:
     }
   }
 
-  // Ditto only supports publishing events with a private key (for now).
-  // TODO: Let the client sign events through a websocket.
   if (!seckey) {
     throw new HTTPException(400, {
       res: c.json({ id: 'ditto.private_key', error: 'No private key' }, 400),