From f4e334b5ffcc619a02db8c0eea49dd101400b377 Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Mon, 20 Nov 2023 17:57:47 -0600
Subject: [PATCH 1/3] Require POW on signup

---
 src/app.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/app.ts b/src/app.ts
index 4cf6afee..776de8de 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -115,7 +115,7 @@ app.post('/oauth/revoke', emptyObjectController);
 app.post('/oauth/authorize', oauthAuthorizeController);
 app.get('/oauth/authorize', oauthController);
 
-app.post('/api/v1/accounts', requireProof(), createAccountController);
+app.post('/api/v1/accounts', requireProof({ pow: 20 }), createAccountController);
 app.get('/api/v1/accounts/verify_credentials', requirePubkey, verifyCredentialsController);
 app.patch(
 '/api/v1/accounts/update_credentials',
From e55ddbd8e644cbfd4509be766ca0ac07741077b0 Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Mon, 20 Nov 2023 19:57:03 -0600
Subject: [PATCH 2/3] eventMatchesTemplate: drop `nonce` tags before comparison

---
 src/utils.ts | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/utils.ts b/src/utils.ts
index 11ef0ea5..2b258fc3 100644
--- a/src/utils.ts
+++ b/src/utils.ts
@@ -107,8 +107,22 @@ function dedupeEvents(events: Event[]): Event[] {
 return [...new Map(events.map((event) => [event.id, event])).values()];
 }
 
+/** Return a copy of the event with the given tags removed. */
+function stripTags(event: E, tags: string[] = []): E {
+ if (!tags.length) return event;
+ return {
+ ...event,
+ tags: event.tags.filter(([name]) => !tags.includes(name)),
+ };
+}
+
 /** Ensure the template and event match on their shared keys. */
 function eventMatchesTemplate(event: Event, template: EventTemplate): boolean {
+ const whitelist = ['nonce'];
+
+ event = stripTags(event, whitelist);
+ template = stripTags(template, whitelist);
+
 return getEventHash(event) === getEventHash({ pubkey: event.pubkey, ...template });
 }
 
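Review bot: In the src/app.ts hunk, the difficulty passed to `requireProof({ pow: 20 })` on the `POST /api/v1/accounts` route is a bare literal with no indication of its unit or why 20 was chosen. Since this value is the only cost this route table shows being placed on signups, I would lift it into a named, documented constant or configuration value so it can be tuned without editing the routes, e.g. `const SIGNUP_POW_DIFFICULTY = 20; // presumably leading zero bits of the event id; confirm against requireProof`. `requireProof` itself is not visible here, so how `pow` is enforced cannot be checked from this hunk.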
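Review bot: In the src/utils.ts hunk of patch 2, `eventMatchesTemplate` now discards every tag named `nonce` from both sides, so it no longer constrains how many `nonce` tags the event carries or what they contain, and `getEventHash(event)` is computed over the stripped copy rather than compared with `event.id`. The doc comment should state that contract, for example `/** Compare event and template content, ignoring 'nonce' tags. Does not check event.id, the signature or proof-of-work; callers must verify those on the original event. */`. The list is an ignore-list rather than a whitelist, so `const ignoredTags = ['nonce'];` would read more accurately, and `stripTags` returns the same object, not a copy, when `tags` is empty, which its comment should mention. `dedupeEvents` at the top of the hunk starts outside it.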
From 595fb2cfc614da79c2b3e5bd51239e7b318a1fc0 Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Mon, 20 Nov 2023 21:20:14 -0600
Subject: [PATCH 3/3] eventMatchesTemplate: let the event timestamp be greater than the template

---
 src/utils.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/utils.ts b/src/utils.ts
index 2b258fc3..1f10cd3b 100644
--- a/src/utils.ts
+++ b/src/utils.ts
@@ -123,7 +123,15 @@ function eventMatchesTemplate(event: Event, template: EventTemplate): boolean {
 event = stripTags(event, whitelist);
 template = stripTags(template, whitelist);
 
- return getEventHash(event) === getEventHash({ pubkey: event.pubkey, ...template });
+ if (template.created_at > event.created_at) {
+ return false;
+ }
+
+ return getEventHash(event) === getEventHash({
+ pubkey: event.pubkey,
+ ...template,
+ created_at: event.created_at,
+ });
 }
 
 /** Test whether the value is a Nostr ID. */
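Review bot: The new guard `if (template.created_at > event.created_at)` rejects only events older than the template; an event dated arbitrarily far after the template still matches, because `created_at` is then copied from the event into the object that is hashed. If nothing else bounds the timestamp (not visible in this hunk), consider an upper limit as well, e.g. `if (event.created_at - template.created_at > MAX_CREATED_AT_DRIFT) return false;`, with the constant sized to the expected proof-of-work time. The existing comment "Ensure the template and event match on their shared keys" no longer holds for `created_at` and should be updated to say the event timestamp may be later than the template's. `eventMatchesTemplate` begins above the hunk, so the `whitelist` declaration is not shown here.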