fix: silently wait for auth instead of sending NOTICE

After sending AUTH challenge, return nil instead of error to avoid
sending NOTICE messages to clients. Add explicit checks in handleEvent
and handleReq to silently ignore requests when auth is required but
client hasn't authenticated yet. This follows NIP-42 spec more closely.

1 files changed, 9 insertions, 1 deletions

diff --git a/internal/handler/websocket/handler.go b/internal/handler/websocket/handler.go
index c8fb6cc..581c434 100644
--- a/internal/handler/websocket/handler.go
+++ b/internal/handler/websocket/handler.go
@@ -177,7 +177,7 @@ func (h *Handler) requireAuth(ctx context.Context, conn *websocket.Conn, isWrite
                         *authChallenge = challenge
                         h.sendAuthChallenge(ctx, conn, challenge)
                 }
-                return fmt.Errorf("restricted: authentication required")
+                return nil
         }
 
         if len(allowedPubkeys) > 0 {
@@ -205,6 +205,10 @@ func (h *Handler) handleEvent(ctx context.Context, conn *websocket.Conn, raw []j
                 return err
         }
 
+        if *authenticatedPubkey == "" && h.authConfig != nil && h.authConfig.WriteEnabled {
+                return nil
+        }
+
         var event nostr.Event
         if err := json.Unmarshal(raw[1], &event); err != nil {
                 return fmt.Errorf("invalid event: %w", err)
@@ -263,6 +267,10 @@ func (h *Handler) handleReq(ctx context.Context, conn *websocket.Conn, raw []jso
                 return err
         }
 
+        if *authenticatedPubkey == "" && h.authConfig != nil && h.authConfig.ReadEnabled {
+                return nil
+        }
+
         var subID string
         if err := json.Unmarshal(raw[1], &subID); err != nil {
                 return fmt.Errorf("invalid subscription ID")