@openclaw/nostr 2026.1.29

package/src/nostr-profile.test.ts

@@ -0,0 +1,410 @@
+import { describe, expect, it, vi, beforeEach } from "vitest";
+import { verifyEvent, getPublicKey } from "nostr-tools";
+import {
+  createProfileEvent,
+  profileToContent,
+  contentToProfile,
+  validateProfile,
+  sanitizeProfileForDisplay,
+  type ProfileContent,
+} from "./nostr-profile.js";
+import type { NostrProfile } from "./config-schema.js";
+
+// Test private key (DO NOT use in production - this is a known test key)
+const TEST_HEX_KEY = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
+const TEST_SK = new Uint8Array(
+  TEST_HEX_KEY.match(/.{2}/g)!.map((byte) => parseInt(byte, 16))
+);
+const TEST_PUBKEY = getPublicKey(TEST_SK);
+
+// ============================================================================
+// Profile Content Conversion Tests
+// ============================================================================
+
+describe("profileToContent", () => {
+  it("converts full profile to NIP-01 content format", () => {
+    const profile: NostrProfile = {
+      name: "testuser",
+      displayName: "Test User",
+      about: "A test user for unit testing",
+      picture: "https://example.com/avatar.png",
+      banner: "https://example.com/banner.png",
+      website: "https://example.com",
+      nip05: "testuser@example.com",
+      lud16: "testuser@walletofsatoshi.com",
+    };
+
+    const content = profileToContent(profile);
+
+    expect(content.name).toBe("testuser");
+    expect(content.display_name).toBe("Test User");
+    expect(content.about).toBe("A test user for unit testing");
+    expect(content.picture).toBe("https://example.com/avatar.png");
+    expect(content.banner).toBe("https://example.com/banner.png");
+    expect(content.website).toBe("https://example.com");
+    expect(content.nip05).toBe("testuser@example.com");
+    expect(content.lud16).toBe("testuser@walletofsatoshi.com");
+  });
+
+  it("omits undefined fields from content", () => {
+    const profile: NostrProfile = {
+      name: "minimaluser",
+    };
+
+    const content = profileToContent(profile);
+
+    expect(content.name).toBe("minimaluser");
+    expect("display_name" in content).toBe(false);
+    expect("about" in content).toBe(false);
+    expect("picture" in content).toBe(false);
+  });
+
+  it("handles empty profile", () => {
+    const profile: NostrProfile = {};
+    const content = profileToContent(profile);
+    expect(Object.keys(content)).toHaveLength(0);
+  });
+});
+
+describe("contentToProfile", () => {
+  it("converts NIP-01 content to profile format", () => {
+    const content: ProfileContent = {
+      name: "testuser",
+      display_name: "Test User",
+      about: "A test user",
+      picture: "https://example.com/avatar.png",
+      nip05: "test@example.com",
+    };
+
+    const profile = contentToProfile(content);
+
+    expect(profile.name).toBe("testuser");
+    expect(profile.displayName).toBe("Test User");
+    expect(profile.about).toBe("A test user");
+    expect(profile.picture).toBe("https://example.com/avatar.png");
+    expect(profile.nip05).toBe("test@example.com");
+  });
+
+  it("handles empty content", () => {
+    const content: ProfileContent = {};
+    const profile = contentToProfile(content);
+    expect(Object.keys(profile).filter((k) => profile[k as keyof NostrProfile] !== undefined)).toHaveLength(0);
+  });
+
+  it("round-trips profile data", () => {
+    const original: NostrProfile = {
+      name: "roundtrip",
+      displayName: "Round Trip Test",
+      about: "Testing round-trip conversion",
+    };
+
+    const content = profileToContent(original);
+    const restored = contentToProfile(content);
+
+    expect(restored.name).toBe(original.name);
+    expect(restored.displayName).toBe(original.displayName);
+    expect(restored.about).toBe(original.about);
+  });
+});
+
+// ============================================================================
+// Event Creation Tests
+// ============================================================================
+
+describe("createProfileEvent", () => {
+  beforeEach(() => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date("2024-01-15T12:00:00Z"));
+  });
+
+  it("creates a valid kind:0 event", () => {
+    const profile: NostrProfile = {
+      name: "testbot",
+      about: "A test bot",
+    };
+
+    const event = createProfileEvent(TEST_SK, profile);
+
+    expect(event.kind).toBe(0);
+    expect(event.pubkey).toBe(TEST_PUBKEY);
+    expect(event.tags).toEqual([]);
+    expect(event.id).toMatch(/^[0-9a-f]{64}$/);
+    expect(event.sig).toMatch(/^[0-9a-f]{128}$/);
+  });
+
+  it("includes profile content as JSON in event content", () => {
+    const profile: NostrProfile = {
+      name: "jsontest",
+      displayName: "JSON Test User",
+      about: "Testing JSON serialization",
+    };
+
+    const event = createProfileEvent(TEST_SK, profile);
+    const parsedContent = JSON.parse(event.content) as ProfileContent;
+
+    expect(parsedContent.name).toBe("jsontest");
+    expect(parsedContent.display_name).toBe("JSON Test User");
+    expect(parsedContent.about).toBe("Testing JSON serialization");
+  });
+
+  it("produces a verifiable signature", () => {
+    const profile: NostrProfile = { name: "signaturetest" };
+    const event = createProfileEvent(TEST_SK, profile);
+
+    expect(verifyEvent(event)).toBe(true);
+  });
+
+  it("uses current timestamp when no lastPublishedAt provided", () => {
+    const profile: NostrProfile = { name: "timestamptest" };
+    const event = createProfileEvent(TEST_SK, profile);
+
+    const expectedTimestamp = Math.floor(Date.now() / 1000);
+    expect(event.created_at).toBe(expectedTimestamp);
+  });
+
+  it("ensures monotonic timestamp when lastPublishedAt is in the future", () => {
+    // Current time is 2024-01-15T12:00:00Z = 1705320000
+    const futureTimestamp = 1705320000 + 3600; // 1 hour in the future
+    const profile: NostrProfile = { name: "monotonictest" };
+
+    const event = createProfileEvent(TEST_SK, profile, futureTimestamp);
+
+    expect(event.created_at).toBe(futureTimestamp + 1);
+  });
+
+  it("uses current time when lastPublishedAt is in the past", () => {
+    const pastTimestamp = 1705320000 - 3600; // 1 hour in the past
+    const profile: NostrProfile = { name: "pasttest" };
+
+    const event = createProfileEvent(TEST_SK, profile, pastTimestamp);
+
+    const expectedTimestamp = Math.floor(Date.now() / 1000);
+    expect(event.created_at).toBe(expectedTimestamp);
+  });
+
+  vi.useRealTimers();
+});
+
+// ============================================================================
+// Profile Validation Tests
+// ============================================================================
+
+describe("validateProfile", () => {
+  it("validates a correct profile", () => {
+    const profile = {
+      name: "validuser",
+      about: "A valid user",
+      picture: "https://example.com/pic.png",
+    };
+
+    const result = validateProfile(profile);
+
+    expect(result.valid).toBe(true);
+    expect(result.profile).toBeDefined();
+    expect(result.errors).toBeUndefined();
+  });
+
+  it("rejects profile with invalid URL", () => {
+    const profile = {
+      name: "invalidurl",
+      picture: "http://insecure.example.com/pic.png", // HTTP not HTTPS
+    };
+
+    const result = validateProfile(profile);
+
+    expect(result.valid).toBe(false);
+    expect(result.errors).toBeDefined();
+    expect(result.errors!.some((e) => e.includes("https://"))).toBe(true);
+  });
+
+  it("rejects profile with javascript: URL", () => {
+    const profile = {
+      name: "xssattempt",
+      picture: "javascript:alert('xss')",
+    };
+
+    const result = validateProfile(profile);
+
+    expect(result.valid).toBe(false);
+  });
+
+  it("rejects profile with data: URL", () => {
+    const profile = {
+      name: "dataurl",
+      picture: "data:image/png;base64,abc123",
+    };
+
+    const result = validateProfile(profile);
+
+    expect(result.valid).toBe(false);
+  });
+
+  it("rejects name exceeding 256 characters", () => {
+    const profile = {
+      name: "a".repeat(257),
+    };
+
+    const result = validateProfile(profile);
+
+    expect(result.valid).toBe(false);
+    expect(result.errors!.some((e) => e.includes("256"))).toBe(true);
+  });
+
+  it("rejects about exceeding 2000 characters", () => {
+    const profile = {
+      about: "a".repeat(2001),
+    };
+
+    const result = validateProfile(profile);
+
+    expect(result.valid).toBe(false);
+    expect(result.errors!.some((e) => e.includes("2000"))).toBe(true);
+  });
+
+  it("accepts empty profile", () => {
+    const result = validateProfile({});
+    expect(result.valid).toBe(true);
+  });
+
+  it("rejects null input", () => {
+    const result = validateProfile(null);
+    expect(result.valid).toBe(false);
+  });
+
+  it("rejects non-object input", () => {
+    const result = validateProfile("not an object");
+    expect(result.valid).toBe(false);
+  });
+});
+
+// ============================================================================
+// Sanitization Tests
+// ============================================================================
+
+describe("sanitizeProfileForDisplay", () => {
+  it("escapes HTML in name field", () => {
+    const profile: NostrProfile = {
+      name: "<script>alert('xss')</script>",
+    };
+
+    const sanitized = sanitizeProfileForDisplay(profile);
+
+    expect(sanitized.name).toBe("&lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;");
+  });
+
+  it("escapes HTML in about field", () => {
+    const profile: NostrProfile = {
+      about: 'Check out <img src="x" onerror="alert(1)">',
+    };
+
+    const sanitized = sanitizeProfileForDisplay(profile);
+
+    expect(sanitized.about).toBe(
+      'Check out &lt;img src=&quot;x&quot; onerror=&quot;alert(1)&quot;&gt;'
+    );
+  });
+
+  it("preserves URLs without modification", () => {
+    const profile: NostrProfile = {
+      picture: "https://example.com/pic.png",
+      website: "https://example.com",
+    };
+
+    const sanitized = sanitizeProfileForDisplay(profile);
+
+    expect(sanitized.picture).toBe("https://example.com/pic.png");
+    expect(sanitized.website).toBe("https://example.com");
+  });
+
+  it("handles undefined fields", () => {
+    const profile: NostrProfile = {
+      name: "test",
+    };
+
+    const sanitized = sanitizeProfileForDisplay(profile);
+
+    expect(sanitized.name).toBe("test");
+    expect(sanitized.about).toBeUndefined();
+    expect(sanitized.picture).toBeUndefined();
+  });
+
+  it("escapes ampersands", () => {
+    const profile: NostrProfile = {
+      name: "Tom & Jerry",
+    };
+
+    const sanitized = sanitizeProfileForDisplay(profile);
+
+    expect(sanitized.name).toBe("Tom &amp; Jerry");
+  });
+
+  it("escapes quotes", () => {
+    const profile: NostrProfile = {
+      about: 'Say "hello" to everyone',
+    };
+
+    const sanitized = sanitizeProfileForDisplay(profile);
+
+    expect(sanitized.about).toBe("Say &quot;hello&quot; to everyone");
+  });
+});
+
+// ============================================================================
+// Edge Cases
+// ============================================================================
+
+describe("edge cases", () => {
+  it("handles emoji in profile fields", () => {
+    const profile: NostrProfile = {
+      name: "🤖 Bot",
+      about: "I am a 🤖 robot! 🎉",
+    };
+
+    const content = profileToContent(profile);
+    expect(content.name).toBe("🤖 Bot");
+    expect(content.about).toBe("I am a 🤖 robot! 🎉");
+
+    const event = createProfileEvent(TEST_SK, profile);
+    const parsed = JSON.parse(event.content) as ProfileContent;
+    expect(parsed.name).toBe("🤖 Bot");
+  });
+
+  it("handles unicode in profile fields", () => {
+    const profile: NostrProfile = {
+      name: "日本語ユーザー",
+      about: "Привет мир! 你好世界!",
+    };
+
+    const content = profileToContent(profile);
+    expect(content.name).toBe("日本語ユーザー");
+
+    const event = createProfileEvent(TEST_SK, profile);
+    expect(verifyEvent(event)).toBe(true);
+  });
+
+  it("handles newlines in about field", () => {
+    const profile: NostrProfile = {
+      about: "Line 1\nLine 2\nLine 3",
+    };
+
+    const content = profileToContent(profile);
+    expect(content.about).toBe("Line 1\nLine 2\nLine 3");
+
+    const event = createProfileEvent(TEST_SK, profile);
+    const parsed = JSON.parse(event.content) as ProfileContent;
+    expect(parsed.about).toBe("Line 1\nLine 2\nLine 3");
+  });
+
+  it("handles maximum length fields", () => {
+    const profile: NostrProfile = {
+      name: "a".repeat(256),
+      about: "b".repeat(2000),
+    };
+
+    const result = validateProfile(profile);
+    expect(result.valid).toBe(true);
+
+    const event = createProfileEvent(TEST_SK, profile);
+    expect(verifyEvent(event)).toBe(true);
+  });
+});

package/src/nostr-profile.ts

@@ -0,0 +1,242 @@
+/**
+ * Nostr Profile Management (NIP-01 kind:0)
+ *
+ * Profile events are "replaceable" - the latest created_at wins.
+ * This module handles profile event creation and publishing.
+ */
+
+import { finalizeEvent, SimplePool, type Event } from "nostr-tools";
+import { type NostrProfile, NostrProfileSchema } from "./config-schema.js";
+
+// ============================================================================
+// Types
+// ============================================================================
+
+/** Result of a profile publish attempt */
+export interface ProfilePublishResult {
+  /** Event ID of the published profile */
+  eventId: string;
+  /** Relays that successfully received the event */
+  successes: string[];
+  /** Relays that failed with their error messages */
+  failures: Array<{ relay: string; error: string }>;
+  /** Unix timestamp when the event was created */
+  createdAt: number;
+}
+
+/** NIP-01 profile content (JSON inside kind:0 event) */
+export interface ProfileContent {
+  name?: string;
+  display_name?: string;
+  about?: string;
+  picture?: string;
+  banner?: string;
+  website?: string;
+  nip05?: string;
+  lud16?: string;
+}
+
+// ============================================================================
+// Profile Content Conversion
+// ============================================================================
+
+/**
+ * Convert our config profile schema to NIP-01 content format.
+ * Strips undefined fields and validates URLs.
+ */
+export function profileToContent(profile: NostrProfile): ProfileContent {
+  const validated = NostrProfileSchema.parse(profile);
+
+  const content: ProfileContent = {};
+
+  if (validated.name !== undefined) content.name = validated.name;
+  if (validated.displayName !== undefined) content.display_name = validated.displayName;
+  if (validated.about !== undefined) content.about = validated.about;
+  if (validated.picture !== undefined) content.picture = validated.picture;
+  if (validated.banner !== undefined) content.banner = validated.banner;
+  if (validated.website !== undefined) content.website = validated.website;
+  if (validated.nip05 !== undefined) content.nip05 = validated.nip05;
+  if (validated.lud16 !== undefined) content.lud16 = validated.lud16;
+
+  return content;
+}
+
+/**
+ * Convert NIP-01 content format back to our config profile schema.
+ * Useful for importing existing profiles from relays.
+ */
+export function contentToProfile(content: ProfileContent): NostrProfile {
+  const profile: NostrProfile = {};
+
+  if (content.name !== undefined) profile.name = content.name;
+  if (content.display_name !== undefined) profile.displayName = content.display_name;
+  if (content.about !== undefined) profile.about = content.about;
+  if (content.picture !== undefined) profile.picture = content.picture;
+  if (content.banner !== undefined) profile.banner = content.banner;
+  if (content.website !== undefined) profile.website = content.website;
+  if (content.nip05 !== undefined) profile.nip05 = content.nip05;
+  if (content.lud16 !== undefined) profile.lud16 = content.lud16;
+
+  return profile;
+}
+
+// ============================================================================
+// Event Creation
+// ============================================================================
+
+/**
+ * Create a signed kind:0 profile event.
+ *
+ * @param sk - Private key as Uint8Array (32 bytes)
+ * @param profile - Profile data to include
+ * @param lastPublishedAt - Previous profile timestamp (for monotonic guarantee)
+ * @returns Signed Nostr event
+ */
+export function createProfileEvent(
+  sk: Uint8Array,
+  profile: NostrProfile,
+  lastPublishedAt?: number
+): Event {
+  const content = profileToContent(profile);
+  const contentJson = JSON.stringify(content);
+
+  // Ensure monotonic timestamp (new event > previous)
+  const now = Math.floor(Date.now() / 1000);
+  const createdAt = lastPublishedAt !== undefined ? Math.max(now, lastPublishedAt + 1) : now;
+
+  const event = finalizeEvent(
+    {
+      kind: 0,
+      content: contentJson,
+      tags: [],
+      created_at: createdAt,
+    },
+    sk
+  );
+
+  return event;
+}
+
+// ============================================================================
+// Profile Publishing
+// ============================================================================
+
+/** Per-relay publish timeout (ms) */
+const RELAY_PUBLISH_TIMEOUT_MS = 5000;
+
+/**
+ * Publish a profile event to multiple relays.
+ *
+ * Best-effort: publishes to all relays in parallel, reports per-relay results.
+ * Does NOT retry automatically - caller should handle retries if needed.
+ *
+ * @param pool - SimplePool instance for relay connections
+ * @param relays - Array of relay WebSocket URLs
+ * @param event - Signed profile event (kind:0)
+ * @returns Publish results with successes and failures
+ */
+export async function publishProfileEvent(
+  pool: SimplePool,
+  relays: string[],
+  event: Event
+): Promise<ProfilePublishResult> {
+  const successes: string[] = [];
+  const failures: Array<{ relay: string; error: string }> = [];
+
+  // Publish to each relay in parallel with timeout
+  const publishPromises = relays.map(async (relay) => {
+    try {
+      const timeoutPromise = new Promise<never>((_, reject) => {
+        setTimeout(() => reject(new Error("timeout")), RELAY_PUBLISH_TIMEOUT_MS);
+      });
+
+      await Promise.race([pool.publish([relay], event), timeoutPromise]);
+
+      successes.push(relay);
+    } catch (err) {
+      const errorMessage = err instanceof Error ? err.message : String(err);
+      failures.push({ relay, error: errorMessage });
+    }
+  });
+
+  await Promise.all(publishPromises);
+
+  return {
+    eventId: event.id,
+    successes,
+    failures,
+    createdAt: event.created_at,
+  };
+}
+
+/**
+ * Create and publish a profile event in one call.
+ *
+ * @param pool - SimplePool instance
+ * @param sk - Private key as Uint8Array
+ * @param relays - Array of relay URLs
+ * @param profile - Profile data
+ * @param lastPublishedAt - Previous timestamp for monotonic ordering
+ * @returns Publish results
+ */
+export async function publishProfile(
+  pool: SimplePool,
+  sk: Uint8Array,
+  relays: string[],
+  profile: NostrProfile,
+  lastPublishedAt?: number
+): Promise<ProfilePublishResult> {
+  const event = createProfileEvent(sk, profile, lastPublishedAt);
+  return publishProfileEvent(pool, relays, event);
+}
+
+// ============================================================================
+// Profile Validation Helpers
+// ============================================================================
+
+/**
+ * Validate a profile without throwing (returns result object).
+ */
+export function validateProfile(profile: unknown): {
+  valid: boolean;
+  profile?: NostrProfile;
+  errors?: string[];
+} {
+  const result = NostrProfileSchema.safeParse(profile);
+
+  if (result.success) {
+    return { valid: true, profile: result.data };
+  }
+
+  return {
+    valid: false,
+    errors: result.error.issues.map((e) => `${e.path.join(".")}: ${e.message}`),
+  };
+}
+
+/**
+ * Sanitize profile text fields to prevent XSS when displaying in UI.
+ * Escapes HTML special characters.
+ */
+export function sanitizeProfileForDisplay(profile: NostrProfile): NostrProfile {
+  const escapeHtml = (str: string | undefined): string | undefined => {
+    if (str === undefined) return undefined;
+    return str
+      .replace(/&/g, "&amp;")
+      .replace(/</g, "&lt;")
+      .replace(/>/g, "&gt;")
+      .replace(/"/g, "&quot;")
+      .replace(/'/g, "&#039;");
+  };
+
+  return {
+    name: escapeHtml(profile.name),
+    displayName: escapeHtml(profile.displayName),
+    about: escapeHtml(profile.about),
+    picture: profile.picture, // URLs already validated by schema
+    banner: profile.banner,
+    website: profile.website,
+    nip05: escapeHtml(profile.nip05),
+    lud16: escapeHtml(profile.lud16),
+  };
+}