@nostrify/nostrify 0.46.4

package/NConnectSigner.ts

@@ -0,0 +1,189 @@
+// deno-lint-ignore-file require-await
+
+import { z } from 'zod';
+
+import { NostrConnectRequest, NostrConnectResponse, NostrEvent, NostrSigner, NRelay } from '@nostrify/types';
+
+import { NSchema as n } from './NSchema';
+
+/** Options for `NConnectSigner`. */
+export interface NConnectSignerOpts {
+  /** Relay to facilitate connection. */
+  relay: NRelay;
+  /** Remote pubkey to sign as. */
+  pubkey: string;
+  /** Local signer to sign the request events. */
+  signer: NostrSigner;
+  /** Timeout for requests. */
+  timeout?: number;
+  /** Encryption to use when encrypting local messages. Decryption is automatic. */
+  encryption?: 'nip04' | 'nip44';
+}
+
+/** [NIP-46](https://github.com/nostr-protocol/nips/blob/master/46.md) remote signer through a relay. */
+export class NConnectSigner implements NostrSigner {
+  private relay: NRelay;
+  private pubkey: string;
+  private signer: NostrSigner;
+  private timeout?: number;
+  private encryption: 'nip04' | 'nip44';
+
+  constructor(
+    { relay, pubkey, signer, timeout, encryption = 'nip44' }: NConnectSignerOpts,
+  ) {
+    this.relay = relay;
+    this.pubkey = pubkey;
+    this.signer = signer;
+    this.timeout = timeout;
+    this.encryption = encryption;
+  }
+
+  async getPublicKey(): Promise<string> {
+    return this.cmd('get_public_key', []);
+  }
+
+  async signEvent(
+    event: Omit<NostrEvent, 'id' | 'pubkey' | 'sig'>,
+  ): Promise<NostrEvent> {
+    const result = await this.cmd('sign_event', [JSON.stringify(event)]);
+    return n.json().pipe(n.event()).parse(result);
+  }
+
+  async getRelays(): Promise<
+    Record<string, { read: boolean; write: boolean }>
+  > {
+    const result = await this.cmd('get_relays', []);
+
+    // @ts-expect-error This should be fine.
+    return n
+      .json()
+      .pipe(
+        z.record(
+          z.string(),
+          z.object({ read: z.boolean(), write: z.boolean() }),
+        ),
+      )
+      .parse(result);
+  }
+
+  readonly nip04 = {
+    encrypt: async (pubkey: string, plaintext: string): Promise<string> => {
+      return this.cmd('nip04_encrypt', [pubkey, plaintext]);
+    },
+
+    decrypt: async (pubkey: string, ciphertext: string): Promise<string> => {
+      return this.cmd('nip04_decrypt', [pubkey, ciphertext]);
+    },
+  };
+
+  readonly nip44 = {
+    encrypt: async (pubkey: string, plaintext: string): Promise<string> => {
+      return this.cmd('nip44_encrypt', [pubkey, plaintext]);
+    },
+
+    decrypt: async (pubkey: string, ciphertext: string): Promise<string> => {
+      return this.cmd('nip44_decrypt', [pubkey, ciphertext]);
+    },
+  };
+
+  /** Send a `connect` command to the relay. It should respond with `ack`. */
+  async connect(secret?: string): Promise<string> {
+    const params: string[] = [this.pubkey];
+
+    if (secret) {
+      params.push(secret);
+    }
+
+    return this.cmd('connect', params);
+  }
+
+  /** Send a `ping` command to the signer. It should respond with `pong`. */
+  async ping(): Promise<string> {
+    return this.cmd('ping', []);
+  }
+
+  /** High-level RPC method. Returns the string result, or throws on error. */
+  private async cmd(method: string, params: string[]): Promise<string> {
+    const signal = typeof this.timeout === 'number' ? AbortSignal.timeout(this.timeout) : undefined;
+
+    const { result, error } = await this.send(
+      { id: crypto.randomUUID(), method, params },
+      { signal },
+    );
+
+    if (error) {
+      throw new Error(error);
+    }
+
+    return result;
+  }
+
+  /** Low-level send method. Deals directly with connect request/response. */
+  private async send(
+    request: NostrConnectRequest,
+    opts: { signal?: AbortSignal } = {},
+  ): Promise<NostrConnectResponse> {
+    const { signal } = opts;
+
+    const event = await this.signer.signEvent({
+      kind: 24133,
+      content: await this.encrypt(this.pubkey, JSON.stringify(request)),
+      created_at: Math.floor(Date.now() / 1000),
+      tags: [['p', this.pubkey]],
+    });
+
+    const local = await this.signer.getPublicKey();
+
+    const req = this.relay.req(
+      [{ kinds: [24133], authors: [this.pubkey], '#p': [local] }],
+      { signal },
+    );
+
+    // Ensure the REQ is opened before sending the EVENT
+    const promise = new Promise<NostrConnectResponse>((resolve, reject) => {
+      (async () => {
+        try {
+          for await (const msg of req) {
+            if (msg[0] === 'CLOSED') throw new Error('Subscription closed');
+            if (msg[0] === 'EVENT') {
+              const event = msg[2];
+              const decrypted = await this.decrypt(this.pubkey, event.content);
+              const response = n.json().pipe(n.connectResponse()).parse(
+                decrypted,
+              );
+              if (response.id === request.id) {
+                resolve(response);
+                return;
+              }
+            }
+          }
+        } catch (error) {
+          reject(error);
+        }
+      })();
+    });
+
+    await this.relay.event(event, { signal });
+    return promise;
+  }
+
+  /** Local encrypt depending on settings. */
+  private async encrypt(pubkey: string, plaintext: string): Promise<string> {
+    switch (this.encryption) {
+      case 'nip04':
+        return this.signer.nip04!.encrypt(pubkey, plaintext);
+      case 'nip44':
+        return this.signer.nip44!.encrypt(pubkey, plaintext);
+    }
+  }
+
+  /** Local decrypt depending on settings. */
+  private async decrypt(pubkey: string, ciphertext: string): Promise<string> {
+    switch (this.encryption) {
+      case 'nip04':
+        return this.signer.nip04!.decrypt(pubkey, ciphertext);
+      case 'nip44':
+        return this.signer.nip44!.decrypt(pubkey, ciphertext);
+    }
+  }
+}

package/NIP05.test.ts

@@ -0,0 +1,67 @@
+import { assertEquals, assertRejects } from '@std/assert';
+import { returnsNext, stub } from '@std/testing/mock';
+
+import { NIP05 } from './NIP05.ts';
+
+Deno.test('NIP05.lookup', async () => {
+  const { default: nostrJson } = await import('../../fixtures/nostr.json', { with: { type: 'json' } });
+
+  const fetch = stub(
+    globalThis,
+    'fetch',
+    returnsNext([
+      Promise.resolve(new Response(JSON.stringify(nostrJson))),
+    ]),
+  );
+
+  const result = await NIP05.lookup('alex_at_gleasonator.com@mostr.pub', { fetch });
+
+  const expected = {
+    pubkey: '79c2cae114ea28a981e7559b4fe7854a473521a8d22a66bbab9fa248eb820ff6',
+    relays: ['wss://relay.mostr.pub'],
+  };
+
+  assertEquals(result, expected);
+  fetch.restore();
+});
+
+// https://github.com/nostrability/nostrability/issues/143#issuecomment-2565772246
+Deno.test('NIP05.lookup with invalid values but valid profile pointer', async () => {
+  const { default: nostrJson } = await import('../../fixtures/lncal.json', { with: { type: 'json' } });
+
+  const fetch = stub(
+    globalThis,
+    'fetch',
+    returnsNext([
+      Promise.resolve(new Response(JSON.stringify(nostrJson))),
+    ]),
+  );
+
+  const result = await NIP05.lookup('elsat@lncal.com', { fetch });
+
+  const expected = {
+    pubkey: '17538dc2a62769d09443f18c37cbe358fab5bbf981173542aa7c5ff171ed77c4',
+    relays: undefined,
+  };
+
+  assertEquals(result, expected);
+  fetch.restore();
+});
+
+Deno.test('NIP05.lookup with invalid document', () => {
+  const fetch = stub(
+    globalThis,
+    'fetch',
+    returnsNext([
+      Promise.resolve(new Response(JSON.stringify({ names: 'yolo' }))),
+      Promise.resolve(new Response(JSON.stringify({}))),
+      Promise.resolve(new Response(JSON.stringify([]))),
+    ]),
+  );
+
+  assertRejects(() => NIP05.lookup('alex@gleasonator.dev', { fetch }));
+  assertRejects(() => NIP05.lookup('alex@gleasonator.dev', { fetch }));
+  assertRejects(() => NIP05.lookup('alex@gleasonator.dev', { fetch }));
+
+  fetch.restore();
+});

package/NIP05.ts

@@ -0,0 +1,52 @@
+import { NProfilePointer } from '@nostrify/types';
+
+import { NSchema as n, z } from './NSchema';
+
+interface LookupOpts {
+  fetch?: typeof fetch;
+  signal?: AbortSignal;
+}
+
+export class NIP05 {
+  /** NIP-05 value regex. */
+  static regex(): RegExp {
+    return /^(?:([\w.+-]+)@)?([\w.-]+)$/;
+  }
+
+  /** Nostr pubkey with relays object. */
+  private static profilePointerSchema(): z.ZodType<NProfilePointer> {
+    // @ts-expect-error This should be fine.
+    return z.object({
+      pubkey: n.id(),
+      relays: n.relayUrl().array().optional(),
+    });
+  }
+
+  /** Resolve NIP-05 name to a profile pointer. */
+  static async lookup(
+    nip05: string,
+    opts?: LookupOpts,
+  ): Promise<NProfilePointer> {
+    const { fetch = globalThis.fetch.bind(globalThis), signal } = opts ?? {};
+
+    const match = nip05.match(NIP05.regex());
+    if (!match) throw new Error(`NIP-05: invalid name ${nip05}`);
+
+    const [_, name = '_', domain] = match;
+
+    const url = new URL('/.well-known/nostr.json', `https://${domain}/`);
+    url.searchParams.set('name', name);
+
+    const response = await fetch(url, { signal });
+    const json = await response.json();
+
+    try {
+      const pubkey = json.names[name];
+      const relays = json.relays?.[pubkey];
+
+      return NIP05.profilePointerSchema().parse({ pubkey, relays });
+    } catch {
+      throw new Error(`NIP-05: no match for ${nip05}`);
+    }
+  }
+}

package/NIP50.test.ts

@@ -0,0 +1,58 @@
+import { assertEquals } from '@std/assert';
+
+import { NIP50 } from './NIP50.ts';
+
+Deno.test('NIP50.parseInput', () => {
+  assertEquals(NIP50.parseInput(''), []);
+  assertEquals(NIP50.parseInput(' '), []);
+  assertEquals(NIP50.parseInput('hello'), ['hello']);
+  assertEquals(NIP50.parseInput('hello world'), ['hello', 'world']);
+  assertEquals(NIP50.parseInput('hello  "world"'), ['hello', 'world']);
+
+  assertEquals(
+    NIP50.parseInput('hello "world" "hello world"'),
+    ['hello', 'world', 'hello world'],
+  );
+
+  assertEquals(
+    NIP50.parseInput('domain:gleasonator.dev'),
+    [{ key: 'domain', value: 'gleasonator.dev' }],
+  );
+
+  assertEquals(
+    NIP50.parseInput('domain: yolo'),
+    ['domain:', 'yolo'],
+  );
+
+  assertEquals(
+    NIP50.parseInput('domain:localhost:8000'),
+    [{ key: 'domain', value: 'localhost:8000' }],
+  );
+
+  assertEquals(
+    NIP50.parseInput('name:John "New York" age:30 hobbies:programming'),
+    [
+      { key: 'name', value: 'John' },
+      'New York',
+      { key: 'age', value: '30' },
+      { key: 'hobbies', value: 'programming' },
+    ],
+  );
+});
+
+Deno.test('NIP50.parseInput with negated token', () => {
+  assertEquals(
+    NIP50.parseInput('-reply:true'),
+    [{ key: '-reply', value: 'true' }],
+  );
+
+  assertEquals(
+    NIP50.parseInput('hello -reply:true'),
+    ['hello', { key: '-reply', value: 'true' }],
+  );
+
+  assertEquals(
+    NIP50.parseInput('-media:true -reply:true'),
+    [{ key: '-media', value: 'true' }, { key: '-reply', value: 'true' }],
+  );
+});

package/NIP50.ts

@@ -0,0 +1,24 @@
+type SearchToken = string | { key: string; value: string };
+
+/** [NIP-50](https://github.com/nostr-protocol/nips/blob/master/50.md) search functionality. */
+export class NIP50 {
+  static parseInput(input: string): SearchToken[] {
+    const regex = /(\B-\w+:[^\s"]+)|(\b\w+:[^\s"]+)|(".*?")|(\S+)/g;
+
+    const tokens: SearchToken[] = [];
+    let match: RegExpExecArray | null;
+
+    while ((match = regex.exec(input)) !== null) {
+      if (match[1] || match[2]) {
+        const [key, ...values] = (match[1] || match[2]).split(':');
+        tokens.push({ key, value: values.join(':') });
+      } else if (match[3]) {
+        tokens.push(match[3].replace(/"/g, ''));
+      } else if (match[4]) {
+        tokens.push(match[4]);
+      }
+    }
+
+    return tokens;
+  }
+}

package/NIP98.test.ts

@@ -0,0 +1,181 @@
+import { assertEquals, assertRejects } from '@std/assert';
+import { generateSecretKey } from 'nostr-tools';
+import { ZodError } from 'zod';
+
+import { NIP98 } from './NIP98.ts';
+import { NSecSigner } from './NSecSigner.ts';
+import { N64 } from './utils/mod.ts';
+
+Deno.test('NIP98.template', async () => {
+  const request = new Request('https://example.com');
+  const event = await NIP98.template(request);
+
+  assertEquals(event.kind, 27235);
+  assertEquals(event.tags, [
+    ['method', 'GET'],
+    ['u', 'https://example.com/'],
+  ]);
+});
+
+Deno.test('NIP98.template with payload', async () => {
+  const request = new Request('https://example.com', {
+    method: 'POST',
+    body: 'Hello, world!',
+  });
+  const event = await NIP98.template(request);
+
+  assertEquals(event.kind, 27235);
+  assertEquals(event.tags, [
+    ['method', 'POST'],
+    ['u', 'https://example.com/'],
+    ['payload', '315f5bdb76d078c43b8ac0064e4a0164612b1fce77c869345bfc94c75894edd3'],
+  ]);
+});
+
+Deno.test('NIP98.verify', async () => {
+  const signer = new NSecSigner(generateSecretKey());
+  const request = new Request('https://example.com');
+
+  const t = await NIP98.template(request);
+  const event = await signer.signEvent(t);
+
+  request.headers.set('authorization', `Nostr ${N64.encodeEvent(event)}`);
+
+  const proof = await NIP98.verify(request);
+
+  assertEquals(proof, event);
+  assertEquals(proof.pubkey, await signer.getPublicKey());
+});
+
+Deno.test('NIP98.verify fails with missing header', async () => {
+  const request = new Request('https://example.com');
+
+  await assertRejects(
+    () => NIP98.verify(request),
+    Error,
+    'Missing Nostr authorization header',
+  );
+});
+
+Deno.test('NIP98.verify fails with missing token', async () => {
+  const request = new Request('https://example.com');
+  request.headers.set('authorization', 'Nostr');
+
+  await assertRejects(
+    () => NIP98.verify(request),
+    Error,
+    'Missing Nostr authorization token',
+  );
+});
+
+Deno.test('NIP98.verify fails with invalid token', async () => {
+  const request = new Request('https://example.com');
+  request.headers.set('authorization', 'Nostr invalid');
+
+  await assertRejects(
+    () => NIP98.verify(request),
+    ZodError,
+  );
+});
+
+Deno.test('NIP98.verify fails with invalid event', async () => {
+  const signer = new NSecSigner(generateSecretKey());
+  const request = new Request('https://example.com');
+
+  const t = await NIP98.template(request);
+  const event = await signer.signEvent(t);
+
+  event.sig = 'invalid';
+
+  request.headers.set('authorization', `Nostr ${N64.encodeEvent(event)}`);
+
+  await assertRejects(
+    () => NIP98.verify(request),
+    Error,
+    'Event signature is invalid',
+  );
+});
+
+Deno.test('NIP98.verify fails with wrong event kind', async () => {
+  const signer = new NSecSigner(generateSecretKey());
+  const request = new Request('https://example.com');
+
+  const t = await NIP98.template(request);
+  const event = await signer.signEvent({ ...t, kind: 1 });
+
+  request.headers.set('authorization', `Nostr ${N64.encodeEvent(event)}`);
+
+  await assertRejects(
+    () => NIP98.verify(request),
+    Error,
+    'Event must be kind 27235',
+  );
+});
+
+Deno.test('NIP98.verify fails with wrong request URL', async () => {
+  const signer = new NSecSigner(generateSecretKey());
+  const request = new Request('https://example.com');
+
+  const t = await NIP98.template(request);
+  const event = await signer.signEvent({ ...t, tags: [['u', 'https://example.org/']] });
+
+  request.headers.set('authorization', `Nostr ${N64.encodeEvent(event)}`);
+
+  await assertRejects(
+    () => NIP98.verify(request),
+    Error,
+    'Event URL does not match request URL',
+  );
+});
+
+Deno.test('NIP98.verify fails with wrong request method', async () => {
+  const signer = new NSecSigner(generateSecretKey());
+  const request = new Request('https://example.com');
+
+  const t = await NIP98.template(request);
+  const event = await signer.signEvent({ ...t, tags: [['u', 'https://example.com/'], ['method', 'POST']] });
+
+  request.headers.set('authorization', `Nostr ${N64.encodeEvent(event)}`);
+
+  await assertRejects(
+    () => NIP98.verify(request),
+    Error,
+    'Event method does not match HTTP request method',
+  );
+});
+
+Deno.test('NIP98.verify fails with expired event', async () => {
+  const signer = new NSecSigner(generateSecretKey());
+  const request = new Request('https://example.com');
+
+  const t = await NIP98.template(request);
+  const event = await signer.signEvent({ ...t, created_at: 0 });
+
+  request.headers.set('authorization', `Nostr ${N64.encodeEvent(event)}`);
+
+  await assertRejects(
+    () => NIP98.verify(request),
+    Error,
+    'Event expired',
+  );
+});
+
+Deno.test('NIP98.verify fails with invalid payload', async () => {
+  const signer = new NSecSigner(generateSecretKey());
+  const request = new Request('https://example.com', {
+    method: 'POST',
+    body: 'Hello, world!',
+  });
+
+  const t = await NIP98.template(request);
+  const tags = t.tags.filter(([name]) => name !== 'payload');
+  const event = await signer.signEvent({ ...t, tags: [...tags, ['payload', 'invalid']] });
+
+  request.headers.set('authorization', `Nostr ${N64.encodeEvent(event)}`);
+
+  await assertRejects(
+    () => NIP98.verify(request),
+    Error,
+    'Event payload does not match request body',
+  );
+});

package/NIP98.ts

@@ -0,0 +1,97 @@
+import { NostrEvent } from '@nostrify/types';
+import { encodeHex } from '@std/encoding/hex';
+import { verifyEvent as _verifyEvent } from 'nostr-tools';
+
+import { N64 } from './utils/N64';
+
+/** [NIP-98](https://github.com/nostr-protocol/nips/blob/master/98.md) HTTP auth. */
+export class NIP98 {
+  /** Generate an auth event template from a Request. */
+  static async template(
+    request: Request,
+    opts?: { validatePayload?: boolean },
+  ): Promise<Omit<NostrEvent, 'id' | 'pubkey' | 'sig'>> {
+    const {
+      validatePayload = ['POST', 'PUT', 'PATCH'].includes(request.method),
+    } = opts ?? {};
+    const { method, url } = request;
+
+    const tags = [
+      ['method', method],
+      ['u', url],
+    ];
+
+    if (validatePayload) {
+      const buffer = await request.clone().arrayBuffer();
+      const digest = await crypto.subtle.digest('SHA-256', buffer);
+
+      tags.push(['payload', encodeHex(digest)]);
+    }
+
+    return {
+      kind: 27235,
+      content: '',
+      tags,
+      created_at: Math.floor(Date.now() / 1000),
+    };
+  }
+
+  /** Compare the auth event with the request, throwing a human-readable error if validation fails. */
+  static async verify(
+    request: Request,
+    opts?: {
+      maxAge?: number;
+      validatePayload?: boolean;
+      verifyEvent?: (event: NostrEvent) => boolean;
+    },
+  ): Promise<NostrEvent> {
+    const {
+      maxAge = 60_000,
+      validatePayload = ['POST', 'PUT', 'PATCH'].includes(request.method),
+      verifyEvent = _verifyEvent,
+    } = opts ?? {};
+
+    const header = request.headers.get('authorization');
+    if (!header) {
+      throw new Error('Missing Nostr authorization header');
+    }
+
+    const token = header.match(/^Nostr (.+)$/)?.[1];
+    if (!token) {
+      throw new Error('Missing Nostr authorization token');
+    }
+
+    const event = N64.decodeEvent(token);
+    if (!verifyEvent(event)) {
+      throw new Error('Event signature is invalid');
+    }
+
+    const age = Date.now() - (event.created_at * 1_000);
+    const u = event.tags.find(([name]) => name === 'u')?.[1];
+    const method = event.tags.find(([name]) => name === 'method')?.[1];
+    const payload = event.tags.find(([name]) => name === 'payload')?.[1];
+
+    if (event.kind !== 27235) {
+      throw new Error('Event must be kind 27235');
+    }
+    if (u !== request.url) {
+      throw new Error('Event URL does not match request URL');
+    }
+    if (method !== request.method) {
+      throw new Error('Event method does not match HTTP request method');
+    }
+    if (age >= maxAge) {
+      throw new Error('Event expired');
+    }
+    if (validatePayload && payload !== undefined) {
+      const buffer = await request.clone().arrayBuffer();
+      const digest = await crypto.subtle.digest('SHA-256', buffer);
+
+      if (encodeHex(digest) !== payload) {
+        throw new Error('Event payload does not match request body');
+      }
+    }
+
+    return event;
+  }
+}