javascript-solid-server 0.0.177 → 0.0.178

package/src/auth/nostr.js

@@ -7,13 +7,26 @@
  *
  * Authorization header format: "Nostr <base64-encoded-event>"
  *
- * The authenticated identity is returned as a did:nostr URI:
- *   did:nostr:<64-char-hex-pubkey>
+ * Identity resolution chain (after a successful Schnorr verification):
+ *
+ *   1. Look up the Nostr pubkey in the resource owner's WebID profile
+ *      as a CID v1 verificationMethod referenced from `authentication`.
+ *      Match by f-form Multikey or by JsonWebKey x/y coordinates. If
+ *      found, authenticate as the WebID. (#399 — pairs with the
+ *      LWS10-CID verifier.)
+ *   2. Resolve via the existing did:nostr DID-document path
+ *      (nostr.social `.well-known` + bidirectional alsoKnownAs).
+ *      If found, authenticate as the WebID it points to.
+ *   3. Otherwise return `did:nostr:<64-char-hex-pubkey>` as the
+ *      agent identity (the original behavior).
  */
 
 import { verifyEvent, getEventHash } from '../nostr/event.js';
+import { secp256k1 } from '@noble/curves/secp256k1';
 import crypto from 'crypto';
 import { resolveDidNostrToWebId } from './did-nostr.js';
+import { fetchCidDocument } from './cid-doc-fetch.js';
+import { normalizeControllers } from './lws-cid.js';
 
 // NIP-98 event kind (references RFC 7235)
 const HTTP_AUTH_KIND = 27235;
@@ -21,6 +34,15 @@ const HTTP_AUTH_KIND = 27235;
 // Timestamp tolerance in seconds
 const TIMESTAMP_TOLERANCE = 60;
 
+// Multicodec varint for secp256k1-pub: 0xe7 0x01 → "e701" hex.
+// Used to decode f-form Multikey verificationMethod values back into
+// the 32-byte x-only Nostr pubkey.
+const MULTICODEC_SECP256K1_PUB_HEX = 'e701';
+
+// Profile-fetch body-size cap. Matches the LWS-CID verifier; both
+// callers go through the shared fetchCidDocument helper.
+const MAX_PROFILE_BYTES = 256 * 1024;
+
 /**
  * Check if request has Nostr authentication
  * Supports both "Nostr <token>" and "Basic <base64(nostr:token)>" formats
@@ -155,9 +177,30 @@ export async function verifyNostrAuth(request) {
     return { webId: null, error: 'Event timestamp outside acceptable window (±60s)' };
   }
 
-  // Build full URL for validation
-  const protocol = request.protocol || 'http';
-  const host = request.headers.host || request.hostname;
+  // Build full URL for validation. Behind a reverse proxy the public-
+  // facing URL is what the client signed, but request.headers.host /
+  // request.protocol carry the internal upstream values. Honor the
+  // forwarded headers (matching the conventions in src/ap/* and the
+  // LWS-CID verifier) so a NIP-98 sig for the public URL still
+  // matches in proxied deployments. Proto is lowercased + allowlisted
+  // to avoid casing-mismatches from misconfigured proxies.
+  const protoRaw = firstHeaderValue(request.headers['x-forwarded-proto'])
+                || request.protocol
+                || 'http';
+  const protoLower = protoRaw.toLowerCase();
+  const protocol = (protoLower === 'http' || protoLower === 'https') ? protoLower : 'http';
+  const host = firstHeaderValue(request.headers['x-forwarded-host'])
+            || firstHeaderValue(request.headers.host)
+            || request.hostname;
+  // Reject URL-meaningful characters in the host before interpolation
+  // — same defense as in getPodOwnerWebId. Otherwise a Host like
+  // `example.com@attacker.com` would produce a fullUrl that parses
+  // with attacker.com as the hostname, which a sophisticated client
+  // could try to align with a NIP-98 `u` tag for an external
+  // resource.
+  if (host && /[@/\s?#\\]/.test(host)) {
+    return { webId: null, error: 'Host header contains invalid characters' };
+  }
   const fullUrl = `${protocol}://${host}${request.url}`;
 
   // Validate URL tag matches request URL
@@ -229,9 +272,19 @@ export async function verifyNostrAuth(request) {
     return { webId: null, error: 'Invalid Schnorr signature' };
   }
 
-  // Try to resolve did:nostr to a linked WebID
-  // This checks if the pubkey has an alsoKnownAs pointing to a WebID
-  // and verifies the WebID links back to did:nostr (bidirectional)
+  // First lookup: the resource's owner WebID profile. If the pod owner
+  // declared this pubkey as a verificationMethod (CID v1 / LWS-CID
+  // shape — produced by the doctor's B.2 path), authenticate as the
+  // WebID. This is profile-only (no DID-doc fetch) and works for any
+  // user who's added a Nostr VM to their profile — see #386 / #399.
+  const vmWebId = await tryResolveViaCidVerificationMethod(request, event.pubkey);
+  if (vmWebId) {
+    return { webId: vmWebId, error: null };
+  }
+
+  // Second lookup: existing did:nostr DID-document resolver. Fetches
+  // an external DID doc (e.g. nostr.social/.well-known/...) and checks
+  // bidirectional alsoKnownAs ↔ WebID linking.
   const resolvedWebId = await resolveDidNostrToWebId(event.pubkey);
   if (resolvedWebId) {
     return { webId: resolvedWebId, error: null };
@@ -243,6 +296,342 @@ export async function verifyNostrAuth(request) {
   return { webId: didNostr, error: null };
 }
 
+/**
+ * Attempt to upgrade a verified Nostr pubkey to a WebID by looking it
+ * up in the resource owner's CID document (= WebID profile).
+ *
+ * Returns the WebID if:
+ *   - the pod-owner WebID can be derived from the request
+ *   - the profile fetches cleanly (passes SSRF guard, JSON-LD)
+ *   - one of its `verificationMethod` entries carries this pubkey
+ *     (either as f-form Multikey or as a secp256k1 JsonWebKey)
+ *   - that VM is referenced from `authentication`
+ *
+ * Returns null in any other case — the caller falls back to the
+ * existing DID-doc / did:nostr-identity paths.
+ */
+async function tryResolveViaCidVerificationMethod(request, pubkeyHex) {
+  const ownerWebId = getPodOwnerWebId(request);
+  if (!ownerWebId) return null;
+  const docUrl = stripHash(ownerWebId);
+
+  // SSRF guard. The owner WebID is derived from server-side request
+  // data, so it shouldn't be attacker-controllable, but route through
+  // the same defense-in-depth as the LWS-CID verifier — including
+  // manual redirect handling with same-origin enforcement, and a
+  // body-size cap to deflect oversized-payload DoS.
+  let profile;
+  try {
+    profile = await fetchProfileSafely(docUrl);
+  } catch {
+    return null;
+  }
+  if (!profile || typeof profile !== 'object' || Array.isArray(profile)) return null;
+
+  // Subject-identity check (mirrors lws-cid.js). The CID document we
+  // just fetched MUST identify itself as the WebID we computed from
+  // the request — otherwise a profile hosted at the expected URL
+  // could declare a different `@id` and trick us into authenticating
+  // as that other identity using a sibling VM. We always return the
+  // computed ownerWebId (never the profile's declared subject) so a
+  // relative-IRI or mismatched `@id` can't substitute identity.
+  const subject = absolutize(profile['@id'] || profile.id, docUrl);
+  if (!subject || subject !== ownerWebId) return null;
+
+  const vm = findNostrVmInProfile(profile, pubkeyHex, docUrl);
+  if (!vm) return null;
+  if (!isInProofPurpose(profile, 'authentication', vm.id, docUrl)) return null;
+
+  // Controller consistency: the VM's `controller` MUST be in the
+  // profile's expected controller set (declared `controller`, with
+  // @id fallback). Without this, a profile with a Nostr-keyed VM
+  // controlled by some unrelated identity could still upgrade us to
+  // the WebID — a key-binding the actual subject never asserted.
+  // Mirrors the lws-cid.js check using the same normalizer.
+  const expectedCtrls = normalizeControllers(profile.controller ?? profile['@id'] ?? profile.id, docUrl);
+  if (expectedCtrls.length === 0) return null;
+  const vmCtrls = normalizeControllers(vm.controller, docUrl);
+  if (!vmCtrls.some((c) => expectedCtrls.includes(c))) return null;
+
+  return ownerWebId;
+}
+
+/**
+ * Derive the pod-owner WebID URL from a Fastify request.
+ *
+ * JSS supports four pod-addressing modes (see src/idp/interactions.js
+ * around the createPod path for the canonical list):
+ *
+ *   - **Single-user mode** — `request.singleUser` is true. The pod
+ *     either lives at the host root (WebID
+ *     `https://host/profile/card.jsonld#me`) or, when
+ *     `request.singleUserName` is set, at `/<name>/profile/card.jsonld#me`.
+ *   - **Subdomain mode** — `subdomainsEnabled` is true, request hits a
+ *     subdomain like `alice.example.com`. WebID is at the subdomain
+ *     root: `https://alice.example.com/profile/card.jsonld#me`.
+ *   - **Path mode** — the JSS default (`subdomainsEnabled` off). Pod
+ *     is at the first URL path segment:
+ *     `https://example.com/alice/foo` → WebID
+ *     `https://example.com/alice/profile/card.jsonld#me`.
+ *   - **Path-mode-on-base** — subdomains are enabled but the request
+ *     hits the base domain with a path. The internal canonical form
+ *     rewrites this to the subdomain shape (per buildResourceUrl).
+ *
+ * Returns null when no pod name can be derived; the caller falls back
+ * to the existing did:nostr DID-doc resolver / did:nostr identity.
+ */
+function getPodOwnerWebId(request) {
+  const headers = request.headers || {};
+  // Lowercase + allowlist the protocol. Some proxies send
+  // `X-Forwarded-Proto: HTTPS` (or other casings); without
+  // normalization the constructed ownerWebId would carry that
+  // casing and the subject-identity check would reject the match
+  // against a profile @id that uses lowercase `https://`.
+  const protoRaw = firstHeaderValue(headers['x-forwarded-proto'])
+                 || request.protocol
+                 || 'https';
+  const protoLower = protoRaw.toLowerCase();
+  const proto = (protoLower === 'http' || protoLower === 'https') ? protoLower : 'https';
+  // The Host header / x-forwarded-host can carry a port and may be an
+  // IPv6 literal (`[::1]:3000`). For all WebID construction we use
+  // `hostNoPort` — the URL parser's port-stripped hostname (still
+  // bracketed for IPv6 here; we bail out on IPv6 below). This
+  // matches what JSS itself stores: subdomain mode derives from
+  // `baseDomain` (no port), and src/handlers/container.js builds
+  // path-mode WebIDs from `request.hostname` (port-stripped). Using
+  // a port-bearing host here would compute a WebID that doesn't
+  // match the stored profile @id, so the subject-identity check
+  // would reject otherwise-valid requests on non-default ports.
+  const hostRaw = firstHeaderValue(headers['x-forwarded-host'])
+                || firstHeaderValue(headers.host)
+                || request.hostname;
+  if (!hostRaw) return null;
+  // Reject host strings that carry URL-special characters before we
+  // hand them to the URL parser. Without this, a Host like
+  // `example.com@attacker.com` would parse as userinfo + attacker.com
+  // and steer the computed owner WebID at the attacker's domain.
+  // A well-formed Host header carries hostname[:port][[]] only —
+  // reject any other URL-meaningful character (`@`, `/`, `?`, `#`,
+  // whitespace, query/fragment delimiters).
+  if (/[@/\s?#\\]/.test(hostRaw)) return null;
+  // `request.hostname` is port-stripped per Fastify but doesn't survive
+  // x-forwarded-host parsing. Round-trip through URL semantics so
+  // IPv6 brackets and ports are handled by the parser, not split(':').
+  let hostNoPort;
+  try { hostNoPort = new URL(`${proto}://${hostRaw}`).hostname; }
+  catch { return null; }
+  // Detect IPv6 literal hosts and bail early. URL.hostname keeps
+  // brackets for IPv6 (verified Node v24.5.0:
+  //   new URL('https://[2001:db8::1]:8443/x').hostname === '[2001:db8::1]'
+  // per WHATWG URL §host serializing rule). Continuing into the
+  // URL-construction branches with a bracket-less form would yield a
+  // malformed string like `https://2001:db8::1/...` — invalid, would
+  // throw at parse time and could pollute the shared CID-profile
+  // cache with a failure entry under that bogus key.
+  //
+  // Solid deployments on raw IPv6 literals are effectively
+  // non-existent; cleanly skipping the VM-lookup upgrade for them
+  // (caller falls back to the existing did:nostr resolver) is the
+  // right behavior. JSS itself has a parallel limitation in
+  // src/handlers/container.js — fixing IPv6 needs to happen at that
+  // pod-creation layer first.
+  const isIpv6 = hostNoPort.startsWith('[') && hostNoPort.endsWith(']');
+  if (isIpv6) return null;
+
+  // Single-user deployment. The pod is either at the host root or
+  // mounted under `/<singleUserName>/`; both shapes are supported.
+  // Use the port-stripped form to match what JSS itself stores in
+  // the profile @id at pod-creation time (src/handlers/container.js
+  // builds with `request.hostname`, port-stripped). Otherwise a
+  // request arriving on a non-default port would compute a WebID
+  // the subject-identity check rejects.
+  if (request.singleUser) {
+    const name = request.singleUserName;
+    return name
+      ? `${proto}://${hostNoPort}/${name}/profile/card.jsonld#me`
+      : `${proto}://${hostNoPort}/profile/card.jsonld#me`;
+  }
+
+  // Subdomain mode (request already on a pod's subdomain).
+  if (request.subdomainsEnabled && request.podName && request.baseDomain) {
+    return `${proto}://${request.podName}.${request.baseDomain}/profile/card.jsonld#me`;
+  }
+
+  // Subdomain-enabled deployment, request landed on the base domain
+  // with a path (e.g. https://example.com/alice/...). The canonical
+  // form is the subdomain — match the rewriting buildResourceUrl does.
+  if (request.subdomainsEnabled && request.baseDomain && hostNoPort === request.baseDomain) {
+    const m = (request.url || '').match(/^\/([^/?#]+)/);
+    if (m && !m[1].startsWith('.') && !m[1].includes('.')) {
+      return `${proto}://${m[1]}.${request.baseDomain}/profile/card.jsonld#me`;
+    }
+    return null;
+  }
+
+  // Path mode (JSS default): pod is the first URL segment. Match
+  // src/handlers/container.js which builds path-mode WebIDs from
+  // `request.hostname` (port-stripped), so the computed ownerWebId
+  // equals the @id JSS itself wrote at pod-creation time.
+  const m = (request.url || '').match(/^\/([^/?#]+)/);
+  if (m && !m[1].startsWith('.') && !m[1].includes('.')) {
+    return `${proto}://${hostNoPort}/${m[1]}/profile/card.jsonld#me`;
+  }
+  return null;
+}
+
+/**
+ * Fetch a CID document (= WebID profile). Delegates to the shared
+ * fetcher in src/auth/cid-doc-fetch.js so SSRF / redirect / body-cap
+ * defenses don't drift between this and the LWS-CID verifier.
+ *
+ * Throws on any failure; the caller treats throw-as-null.
+ *
+ * KNOWN GAP (#381): the underlying validateExternalUrl currently
+ * fail-opens when DNS returns no A/AAAA records. Fix belongs in the
+ * shared util so every caller benefits at once.
+ */
+async function fetchProfileSafely(docUrl) {
+  return fetchCidDocument(docUrl, { maxBytes: MAX_PROFILE_BYTES });
+}
+
+function firstHeaderValue(v) {
+  if (!v) return null;
+  // Fastify/Node header values can be string or string[].
+  const s = Array.isArray(v) ? v[0] : v;
+  if (typeof s !== 'string') return null;
+  const first = s.split(',')[0].trim();
+  return first || null;
+}
+
+/**
+ * Find a verificationMethod whose key material matches the Nostr
+ * x-only pubkey hex. Two encodings supported:
+ *   - f-form Multikey:  publicKeyMultibase = "f" + "e701" + parity + xonly
+ *   - JsonWebKey:       publicKeyJwk.x = base64url(xonly)  (kty:EC, crv:secp256k1)
+ *
+ * Returns the entry (object form) on match, normalized so .id is the
+ * absolute IRI. Returns null on no match.
+ */
+function findNostrVmInProfile(profile, pubkeyHex, baseUrl) {
+  const target = pubkeyHex.toLowerCase();
+  const targetB64u = hexToBase64url(target);
+  const vms = asArray(profile.verificationMethod);
+  for (const vm of vms) {
+    if (!vm || typeof vm !== 'object') continue;
+    const vmId = vm.id || vm['@id'];
+    if (typeof vmId !== 'string') continue;
+
+    if (typeof vm.publicKeyMultibase === 'string') {
+      const xonly = decodeFFormSecp256k1(vm.publicKeyMultibase);
+      if (xonly === target) return { ...vm, id: absolutize(vmId, baseUrl) };
+    }
+    if (vm.publicKeyJwk && typeof vm.publicKeyJwk === 'object') {
+      const jwk = vm.publicKeyJwk;
+      if (jwk.kty === 'EC' && (jwk.crv === 'secp256k1' || jwk.crv === 'P-256K')) {
+        if (jwkMatchesNostrPubkey(jwk, target, targetB64u)) {
+          return { ...vm, id: absolutize(vmId, baseUrl) };
+        }
+      }
+    }
+  }
+  return null;
+}
+
+/**
+ * Decode an f-form Multikey for secp256k1-pub back into the 32-byte
+ * x-only pubkey hex. Returns null if the input isn't this shape.
+ */
+function decodeFFormSecp256k1(mb) {
+  if (typeof mb !== 'string' || !mb.startsWith('f')) return null;
+  const hex = mb.slice(1).toLowerCase();
+  if (!/^[0-9a-f]+$/.test(hex)) return null;
+  if (!hex.startsWith(MULTICODEC_SECP256K1_PUB_HEX)) return null;
+  const rest = hex.slice(MULTICODEC_SECP256K1_PUB_HEX.length);
+  // Expect parity byte (02/03) + 32-byte xonly = 66 hex chars.
+  if (rest.length !== 66) return null;
+  const parity = rest.slice(0, 2);
+  if (parity !== '02' && parity !== '03') return null;
+  return rest.slice(2);
+}
+
+function hexToBase64url(hex) {
+  return Buffer.from(hex, 'hex').toString('base64')
+    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+
+/**
+ * Does the JWK encode the given Nostr x-only pubkey?
+ *
+ * EC keys are (x, y) pairs — two distinct valid points share the same
+ * x with opposite y parities. Matching on x alone would let an
+ * attacker craft a JWK with the target x and a wrong y, which we'd
+ * then accept as the user's Nostr key. So we also derive the
+ * BIP-340-canonical y (even-parity) for the target x and require the
+ * JWK's y to match.
+ *
+ * Returns false if the JWK's coordinates aren't on-curve, can't be
+ * decoded, or don't match the BIP-340 canonical point for `targetHex`.
+ */
+function jwkMatchesNostrPubkey(jwk, targetHex, targetB64u) {
+  if (typeof jwk.x !== 'string' || typeof jwk.y !== 'string') return false;
+  if (jwk.x !== targetB64u) return false;
+  // Decompress the BIP-340 even-y point for the target x. Then compare
+  // the JWK's declared y against this canonical y.
+  let canonicalY;
+  try {
+    // Compressed SEC1 point, even-y prefix (0x02) || x.
+    const compressed = '02' + targetHex;
+    const point = secp256k1.ProjectivePoint.fromHex(compressed);
+    const affine = point.toAffine();
+    canonicalY = affine.y.toString(16).padStart(64, '0');
+  } catch {
+    return false;
+  }
+  let jwkYHex;
+  try {
+    jwkYHex = Buffer.from(jwk.y.replace(/-/g, '+').replace(/_/g, '/'), 'base64')
+      .toString('hex').toLowerCase();
+  } catch {
+    return false;
+  }
+  return jwkYHex === canonicalY;
+}
+
+function isInProofPurpose(profile, predicate, vmId, baseUrl) {
+  const entries = asArray(profile[predicate]);
+  if (entries.length === 0) return false;
+  for (const ent of entries) {
+    if (typeof ent === 'string') {
+      if (absolutize(ent, baseUrl) === vmId) return true;
+    } else if (ent && typeof ent === 'object') {
+      const id = ent['@id'] ?? ent.id;
+      if (id && absolutize(id, baseUrl) === vmId) return true;
+    }
+  }
+  return false;
+}
+
+function asArray(v) {
+  if (v === undefined || v === null) return [];
+  return Array.isArray(v) ? v : [v];
+}
+
+function absolutize(u, base) {
+  if (!u) return u;
+  try { return new URL(u, base).toString(); } catch { return u; }
+}
+
+function stripHash(u) {
+  if (typeof u !== 'string') return u;
+  try {
+    const url = new URL(u);
+    url.hash = '';
+    return url.toString();
+  } catch {
+    return u.split('#')[0];
+  }
+}
+
 /**
  * Get Nostr pubkey from request if authenticated via NIP-98
  * @param {object} request - Fastify request object