From 759022d3ffd85df31ab7b85091eba198e17795ba Mon Sep 17 00:00:00 2001
From: f321x <f321x@tutamail.com>
Date: Wed, 14 May 2025 11:28:11 +0200
Subject: [PATCH] fix: verify author pubkey of psbt nostr events

Checks if the pubkey of the author sending the psbt cosigning
request is in our list of cosigner pubkeys to prevent accepting
"fake" requests from other pubkeys.
---
 electrum/plugins/psbt_nostr/psbt_nostr.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/electrum/plugins/psbt_nostr/psbt_nostr.py b/electrum/plugins/psbt_nostr/psbt_nostr.py
index 0be6ab995..ea53c1a9d 100644
--- a/electrum/plugins/psbt_nostr/psbt_nostr.py
+++ b/electrum/plugins/psbt_nostr/psbt_nostr.py
@@ -193,6 +193,9 @@ class CosignerWallet(Logger):
                 if event.id in self.known_events:
                     self.logger.info(f'known event {event.id} {util.age(event.created_at)}')
                     continue
+                if not any(event.pubkey == pubkey for _, pubkey in self.cosigner_list):
+                    self.logger.warning(f"got event from unknown author: {event.pubkey}")
+                    continue
                 if event.created_at > now() + self.KEEP_DELAY:
                     # might be malicious
                     continue