fix(nostr): cap profile import relay timers

steipete · steipete · commit 37ccec0dc7f1 · 2026-05-29T18:40:17.000-04:00
diff --git a/extensions/nostr/src/nostr-profile-import.test.ts b/extensions/nostr/src/nostr-profile-import.test.ts
@@ -2,6 +2,7 @@
  * Tests for Nostr Profile Import
  */
 
+import { MAX_TIMER_TIMEOUT_MS } from "openclaw/plugin-sdk/number-runtime";
 import { describe, it, expect, beforeEach, vi } from "vitest";
 import type { NostrProfile } from "./config-schema.js";
 import { importProfileFromRelays, mergeProfiles } from "./nostr-profile-import.js";
@@ -63,6 +64,27 @@ describe("nostr-profile-import", () => {
         limit: 1,
       });
     });
+
+    it("caps oversized relay timeouts and clears pending timeout handles", async () => {
+      vi.useFakeTimers();
+      try {
+        const timeoutSpy = vi.spyOn(globalThis, "setTimeout");
+        const clearSpy = vi.spyOn(globalThis, "clearTimeout");
+
+        await importProfileFromRelays({
+          pubkey: "a".repeat(64),
+          relays: ["wss://relay.example"],
+          timeoutMs: Number.MAX_SAFE_INTEGER,
+        });
+
+        expect(timeoutSpy).toHaveBeenCalledWith(expect.any(Function), MAX_TIMER_TIMEOUT_MS);
+        expect(timeoutSpy).toHaveBeenCalledTimes(2);
+        expect(clearSpy).toHaveBeenCalledTimes(2);
+      } finally {
+        vi.useRealTimers();
+        vi.restoreAllMocks();
+      }
+    });
   });
 
   describe("mergeProfiles", () => {
diff --git a/extensions/nostr/src/nostr-profile-import.ts b/extensions/nostr/src/nostr-profile-import.ts
@@ -6,6 +6,7 @@
  */
 
 import { SimplePool, verifyEvent, type Event } from "nostr-tools";
+import { resolveTimerTimeoutMs } from "openclaw/plugin-sdk/number-runtime";
 import type { NostrProfile } from "./config-schema.js";
 import { validateUrlSafety } from "./nostr-profile-url-safety.js";
 import { contentToProfile, type ProfileContent } from "./nostr-profile.js";
@@ -85,7 +86,8 @@ function sanitizeProfileUrls(profile: NostrProfile): NostrProfile {
 export async function importProfileFromRelays(
   opts: ProfileImportOptions,
 ): Promise<ProfileImportResult> {
-  const { pubkey, relays, timeoutMs = DEFAULT_TIMEOUT_MS } = opts;
+  const { pubkey, relays } = opts;
+  const timeoutMs = resolveTimerTimeoutMs(opts.timeoutMs, DEFAULT_TIMEOUT_MS);
 
   if (!pubkey || !/^[0-9a-fA-F]{64}$/.test(pubkey)) {
     return {
@@ -105,14 +107,21 @@ export async function importProfileFromRelays(
 
   const pool = new SimplePool();
   const relaysQueried: string[] = [];
+  const timers: Array<ReturnType<typeof setTimeout>> = [];
+  const scheduleTimeout = (callback: () => void) => {
+    const timer = setTimeout(callback, timeoutMs);
+    timer.unref?.();
+    timers.push(timer);
+    return timer;
+  };
 
   try {
     // Query all relays for kind:0 events from this pubkey
     const events: Array<{ event: Event; relay: string }> = [];
 
     // Create timeout promise
     const timeoutPromise = new Promise<void>((resolve) => {
-      setTimeout(resolve, timeoutMs);
+      scheduleTimeout(resolve);
     });
 
     // Create subscription promise
@@ -147,14 +156,17 @@ export async function importProfileFromRelays(
         });
 
         // Clean up subscription after timeout
-        setTimeout(() => {
+        scheduleTimeout(() => {
           sub.close();
-        }, timeoutMs);
+        });
       }
     });
 
     // Wait for either all relays to respond or timeout
     await Promise.race([subscriptionPromise, timeoutPromise]);
+    for (const timer of timers.splice(0)) {
+      clearTimeout(timer);
+    }
 
     // No events found
     if (events.length === 0) {
@@ -223,6 +235,9 @@ export async function importProfileFromRelays(
       sourceRelay: bestEvent.relay,
     };
   } finally {
+    for (const timer of timers) {
+      clearTimeout(timer);
+    }
     pool.close(relays);
   }
 }
