fix: wss enforcement, payload limits, backoff jitter, rate limiter cleanup

Warn on non-wss:// relay URLs. Set maxPayload 65536 on WebSocket servers.
Replace fixed reconnect delay with exponential backoff and jitter.
Add cleanup method to rate limiter with counter-based periodic invocation.
Fix queue splice-during-iteration with reverse for loop.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: vveerrgg

src/core/client.ts

@@ -63,6 +63,11 @@ export class NostrWSClient {
 
     try {
       const url = this.relayUrls[0]; // For now just use first relay
+
+      if (url.startsWith('ws://') && !url.includes('localhost') && !url.includes('127.0.0.1')) {
+        console.warn('[nostr-websocket] WARNING: Connecting over plaintext ws:// — messages are not encrypted');
+      }
+
       this.ws = new WebSocket(url);
 
       await new Promise<void>((resolve, reject) => {
@@ -164,17 +169,22 @@ export class NostrWSClient {
       this.connectionState = ConnectionState.RECONNECTING;
       this.reconnectAttempts++;
 
-      const delay = this.options.retryDelay || 1000;
+      const baseDelay = this.options.retryDelay || 1000;
+      const maxDelay = 30000; // 30 second cap
+      const delay = Math.min(baseDelay * Math.pow(2, this.reconnectAttempts), maxDelay);
+      const jitter = delay * 0.1 * Math.random(); // 10% jitter
+      const totalDelay = delay + jitter;
+
       this.logger.info(
-        { attempt: this.reconnectAttempts, maxAttempts: this.options.retryAttempts },
-        `Reconnecting in ${delay}ms`
+        { attempt: this.reconnectAttempts, maxAttempts: this.options.retryAttempts, delay: Math.round(totalDelay) },
+        `Reconnecting in ${Math.round(totalDelay)}ms`
       );
 
       this.reconnectTimeout = setTimeout(() => {
         this.connect().catch(error => {
           this.logger.error({ error }, 'Reconnection failed');
         });
-      }, delay);
+      }, totalDelay);
     } else {
       this.logger.warn('Max reconnection attempts reached');
       this.connectionState = ConnectionState.FAILED;

src/core/nostr-server.ts

@@ -20,9 +20,10 @@ export class NostrWSServer {
    * @param {NostrWSServerOptions} options - Server configuration options
    */
   constructor(options: NostrWSServerOptions) {
-    this.server = new WebSocketServer({ 
+    this.server = new WebSocketServer({
       port: options.port,
-      host: options.host
+      host: options.host,
+      maxPayload: options.maxPayload || 65536, // 64KB default
     });
 
     /**

src/core/queue.ts

@@ -104,19 +104,19 @@ export class MessageQueue {
       this.processing = false;
     }
 
-    // Clean up stale messages
+    // Clean up stale messages (reverse iteration to avoid index mutation bug)
     if (this.options.staleTimeout) {
       const now = Date.now();
       const staleTimeout = this.options.staleTimeout;
-      this.queue.forEach((message, index) => {
-        if (now - message.queuedAt > staleTimeout) {
+      for (let i = this.queue.length - 1; i >= 0; i--) {
+        if (now - this.queue[i].queuedAt > staleTimeout) {
           this.logger.warn(
-            { message },
+            { message: this.queue[i] },
             'Message is stale, removing from queue'
           );
-          this.queue.splice(index, 1);
+          this.queue.splice(i, 1);
         }
-      });
+      }
     }
   }
 

src/core/server.ts

@@ -34,7 +34,8 @@ export class NostrWSServer {
 
     this.wss = new WebSocketServer({
       port: this.options.port,
-      host: this.options.host
+      host: this.options.host,
+      maxPayload: this.options.maxPayload || 65536, // 64KB default
     });
 
     this.setupServer();

src/transport/websocket.ts

@@ -24,6 +24,10 @@ export class WebSocketTransport extends BaseTransport {
     }
 
     try {
+      if (endpoint.startsWith('ws://') && !endpoint.includes('localhost') && !endpoint.includes('127.0.0.1')) {
+        console.warn('[nostr-websocket] WARNING: Connecting over plaintext ws:// — messages are not encrypted');
+      }
+
       const ws = new WebSocket(endpoint);
 
       ws.on('open', () => {

src/utils/rate-limiter.ts

@@ -203,6 +203,7 @@ export function createConnectionRateLimiter(
 export class RateLimiterImpl implements RateLimiter {
   private clients: Map<string, ClientState> = new Map();
   private config: Required<RateLimitConfig>;
+  private checkCount = 0;
 
   constructor(config: RateLimitConfig) {
     this.config = {
@@ -222,6 +223,12 @@ export class RateLimiterImpl implements RateLimiter {
   }
 
   public async shouldLimit(clientId: string, message: NostrWSMessage): Promise<boolean> {
+    // Periodically clean up stale client entries to prevent memory leaks
+    this.checkCount++;
+    if (this.checkCount % 100 === 0) {
+      this.cleanup();
+    }
+
     const now = Date.now();
     const state = this.getClientState(clientId);
 
@@ -268,4 +275,29 @@ export class RateLimiterImpl implements RateLimiter {
     const state = this.getClientState(clientId);
     return !!state.blockedUntil && state.blockedUntil > Date.now();
   }
+
+  /**
+   * Remove stale client entries to prevent memory leaks
+   */
+  private cleanup(): void {
+    const now = Date.now();
+    for (const [key, state] of this.clients) {
+      // Remove if blocked period has expired and no recent requests
+      const cutoff = now - this.config.windowMs - this.config.blockDurationMs;
+
+      // Check if all request arrays are empty or stale
+      let hasRecentActivity = false;
+      for (const [, timestamps] of state.requests) {
+        if (timestamps.length > 0 && timestamps[timestamps.length - 1] > cutoff) {
+          hasRecentActivity = true;
+          break;
+        }
+      }
+
+      // Also keep if still actively blocked
+      if (!hasRecentActivity && (!state.blockedUntil || state.blockedUntil < now)) {
+        this.clients.delete(key);
+      }
+    }
+  }
 }