javascript-solid-server 0.0.178 → 0.0.180

package/src/auth/nostr-keys.js

@@ -0,0 +1,112 @@
+/**
+ * Shared Nostr-key encoding helpers.
+ *
+ * Lives in its own module so both the NIP-98 verifier
+ * (`src/auth/nostr.js`) and the well-known DID-doc publisher
+ * (`src/idp/well-known-did-nostr.js`) can use it without forming a
+ * circular import.
+ */
+
+import { secp256k1 } from '@noble/curves/secp256k1';
+
+/** Multicodec varint for secp256k1-pub: 0xe7 0x01 → "e701" hex. */
+const MULTICODEC_SECP256K1_PUB_HEX = 'e701';
+
+/**
+ * Validate a secp256k1 JWK as a Nostr key and return its x-only
+ * pubkey hex. Returns `null` if the JWK isn't a Nostr-shaped key
+ * or its `y` doesn't match the BIP-340 canonical (even-y) point
+ * for the declared `x`.
+ *
+ * Why y matters: every secp256k1 x has TWO valid points (positive
+ * and negative y). Nostr uses x-only pubkeys, which by BIP-340
+ * convention always pick the even-y point. A profile that declares
+ * a JWK with the right x but the wrong y is NOT the user's Nostr
+ * key — accepting it would let an attacker plant a JWK at someone
+ * else's WebID and have the indexer publish it as theirs.
+ *
+ * The verifier in src/auth/nostr.js (jwkMatchesNostrPubkey) does
+ * the same check. Keeping the indexer in sync prevents the
+ * "indexed but verifier rejects" inconsistency that would surface
+ * as a 401 on a key the well-known endpoint had advertised.
+ */
+export function pubkeyFromValidatedJwk(jwk) {
+  if (!jwk || typeof jwk !== 'object') return null;
+  if (jwk.kty !== 'EC') return null;
+  if (jwk.crv !== 'secp256k1' && jwk.crv !== 'P-256K') return null;
+  if (typeof jwk.x !== 'string' || typeof jwk.y !== 'string') return null;
+  let xHex;
+  try {
+    xHex = Buffer.from(jwk.x.replace(/-/g, '+').replace(/_/g, '/'), 'base64')
+      .toString('hex').toLowerCase();
+  } catch { return null; }
+  if (!/^[0-9a-f]{64}$/.test(xHex)) return null;
+  let canonicalY;
+  try {
+    // Compressed SEC1 encoding for the EVEN-y point at this x.
+    const point = secp256k1.ProjectivePoint.fromHex('02' + xHex);
+    canonicalY = point.toAffine().y.toString(16).padStart(64, '0');
+  } catch { return null; }
+  let jwkYHex;
+  try {
+    jwkYHex = Buffer.from(jwk.y.replace(/-/g, '+').replace(/_/g, '/'), 'base64')
+      .toString('hex').toLowerCase();
+  } catch { return null; }
+  if (jwkYHex !== canonicalY) return null;
+  return xHex;
+}
+
+/**
+ * Decode an f-form Multikey for secp256k1-pub back into the 32-byte
+ * x-only pubkey hex. Returns null if the input isn't this shape.
+ *
+ * The f-form recipe (per CCG community#254 / did:nostr): multibase
+ * `f` (base16-lower) + multicodec `e701` + parity byte (`02`/`03`)
+ * + 32-byte xonly pubkey.
+ */
+export function decodeFFormSecp256k1(mb) {
+  if (typeof mb !== 'string' || !mb.startsWith('f')) return null;
+  const hex = mb.slice(1).toLowerCase();
+  if (!/^[0-9a-f]+$/.test(hex)) return null;
+  if (!hex.startsWith(MULTICODEC_SECP256K1_PUB_HEX)) return null;
+  const rest = hex.slice(MULTICODEC_SECP256K1_PUB_HEX.length);
+  // Expect parity byte (02/03) + 32-byte xonly = 66 hex chars.
+  if (rest.length !== 66) return null;
+  const parity = rest.slice(0, 2);
+  if (parity !== '02' && parity !== '03') return null;
+  return rest.slice(2);
+}
+
+/**
+ * Enumerate every Nostr pubkey declared in a profile's
+ * `verificationMethod` entries. Matches both encodings:
+ *   - f-form Multikey (`publicKeyMultibase`)
+ *   - JsonWebKey (`kty: EC, crv: secp256k1`) — derives x as the pubkey
+ *
+ * Returns `[ { pubkey, vm } ]` — the VM is returned alongside so
+ * callers can do further checks (`controller`, `authentication`
+ * membership, etc.) without re-parsing.
+ */
+export function extractNostrPubkeysFromProfile(profile) {
+  if (!profile || typeof profile !== 'object') return [];
+  const out = [];
+  const raw = profile.verificationMethod;
+  const vms = raw === undefined || raw === null ? []
+            : Array.isArray(raw) ? raw : [raw];
+  for (const vm of vms) {
+    if (!vm || typeof vm !== 'object') continue;
+    if (typeof vm.publicKeyMultibase === 'string') {
+      const xonly = decodeFFormSecp256k1(vm.publicKeyMultibase);
+      if (xonly) out.push({ pubkey: xonly, vm });
+    } else if (vm.publicKeyJwk && typeof vm.publicKeyJwk === 'object') {
+      // Require y to match the BIP-340 canonical point — the same
+      // check the NIP-98 verifier applies. Without this, the indexer
+      // could publish a JWK that the verifier will then reject,
+      // surfacing as a 401 on a key the well-known endpoint had
+      // advertised as authentic.
+      const xonly = pubkeyFromValidatedJwk(vm.publicKeyJwk);
+      if (xonly) out.push({ pubkey: xonly, vm });
+    }
+  }
+  return out;
+}

package/src/auth/nostr.js

@@ -14,10 +14,14 @@
  *      Match by f-form Multikey or by JsonWebKey x/y coordinates. If
  *      found, authenticate as the WebID. (#399 — pairs with the
  *      LWS10-CID verifier.)
- *   2. Resolve via the existing did:nostr DID-document path
+ *   2. (IdP-only) Look up the pubkey in the local in-process index
+ *      built from `<DATA_ROOT>/.idp/accounts/_webid_index.json`.
+ *      No HTTP, no SSRF surface — direct function call. Catches
+ *      same-pod users without a third-party round-trip. (#407)
+ *   3. Resolve via the external did:nostr DID-document path
  *      (nostr.social `.well-known` + bidirectional alsoKnownAs).
- *      If found, authenticate as the WebID it points to.
- *   3. Otherwise return `did:nostr:<64-char-hex-pubkey>` as the
+ *      Used for cross-pod identities; SSRF + redirect hardened.
+ *   4. Otherwise return `did:nostr:<64-char-hex-pubkey>` as the
  *      agent identity (the original behavior).
  */
 
@@ -25,8 +29,14 @@ import { verifyEvent, getEventHash } from '../nostr/event.js';
 import { secp256k1 } from '@noble/curves/secp256k1';
 import crypto from 'crypto';
 import { resolveDidNostrToWebId } from './did-nostr.js';
+// resolveDidNostrLocally is loaded lazily (inside the idpEnabled
+// branch) so non-IdP deployments don't pay the IdP/accounts module
+// startup cost (bcryptjs, oidc-provider helpers, etc.) just by
+// importing the NIP-98 verifier.
 import { fetchCidDocument } from './cid-doc-fetch.js';
-import { normalizeControllers } from './lws-cid.js';
+import { normalizeControllers } from './lws-cid.js'; // shared JSON-LD controller helper
+import { decodeFFormSecp256k1, extractNostrPubkeysFromProfile } from './nostr-keys.js'; // re-exported for back-compat
+export { extractNostrPubkeysFromProfile };
 
 // NIP-98 event kind (references RFC 7235)
 const HTTP_AUTH_KIND = 27235;
@@ -34,11 +44,6 @@ const HTTP_AUTH_KIND = 27235;
 // Timestamp tolerance in seconds
 const TIMESTAMP_TOLERANCE = 60;
 
-// Multicodec varint for secp256k1-pub: 0xe7 0x01 → "e701" hex.
-// Used to decode f-form Multikey verificationMethod values back into
-// the 32-byte x-only Nostr pubkey.
-const MULTICODEC_SECP256K1_PUB_HEX = 'e701';
-
 // Profile-fetch body-size cap. Matches the LWS-CID verifier; both
 // callers go through the shared fetchCidDocument helper.
 const MAX_PROFILE_BYTES = 256 * 1024;
@@ -282,9 +287,30 @@ export async function verifyNostrAuth(request) {
     return { webId: vmWebId, error: null };
   }
 
-  // Second lookup: existing did:nostr DID-document resolver. Fetches
-  // an external DID doc (e.g. nostr.social/.well-known/...) and checks
-  // bidirectional alsoKnownAs ↔ WebID linking.
+  // Second lookup: in-process local DID resolution (#407). Fast path
+  // — direct function call into the local account index, no HTTP
+  // fetch, no SSRF surface from request-controlled headers. Catches
+  // any user who's published a Nostr Multikey VM into their profile
+  // on this same pod.
+  //
+  // Gated on idpEnabled because the index reads from
+  // <DATA_ROOT>/.idp/accounts which only exists when the IdP layer
+  // is in use. On non-IdP deployments the local resolver has nothing
+  // to find and would just spin disk on every request.
+  if (request.idpEnabled) {
+    // Dynamic import: only load the IdP-accounts stack when IdP is
+    // actually enabled. Cached after first load (ESM module caching).
+    const { resolveDidNostrLocally } = await import('../idp/well-known-did-nostr.js');
+    const localWebId = await resolveDidNostrLocally(event.pubkey);
+    if (localWebId) {
+      return { webId: localWebId, error: null };
+    }
+  }
+
+  // Third lookup: external did:nostr DID-document resolver. Fetches
+  // a DID doc from the configured external resolver (nostr.social) and
+  // checks bidirectional alsoKnownAs ↔ WebID linking. Used only for
+  // cross-pod identities (the local case is handled above).
   const resolvedWebId = await resolveDidNostrToWebId(event.pubkey);
   if (resolvedWebId) {
     return { webId: resolvedWebId, error: null };
@@ -503,6 +529,68 @@ function firstHeaderValue(v) {
   return first || null;
 }
 
+/**
+ * Confirm that a verified Nostr pubkey is declared as a CID
+ * verificationMethod referenced from `authentication` in the given
+ * WebID's profile. Used by the Schnorr-login IdP path (#403): once
+ * the signature is verified and the user has typed their username,
+ * the IdP layer can derive the candidate WebID and ask this whether
+ * the verified pubkey actually belongs to that WebID.
+ *
+ * Mirrors the same controller-consistency / subject-identity /
+ * authentication-membership checks as the resource-side path
+ * (tryResolveViaCidVerificationMethod) so the two paths apply the
+ * same key-binding semantics.
+ *
+ * Returns true on match, false on any failure (fetch, VM not in
+ * authentication, subject mismatch, controller mismatch, bad input).
+ *
+ * @param {string} webId - canonical fragment-bearing WebID URI (e.g.
+ *   `https://alice.example.com/profile/card.jsonld#me`). The profile's
+ *   own `@id` must match this exactly after absolutization.
+ * @param {string} pubkeyHex - 32-byte x-only Nostr pubkey hex
+ * @returns {Promise<boolean>}
+ */
+export async function verifyNostrPubkeyAgainstWebId(webId, pubkeyHex) {
+  if (typeof webId !== 'string' || !webId) return false;
+  if (typeof pubkeyHex !== 'string' || !/^[0-9a-f]{64}$/i.test(pubkeyHex)) return false;
+  const docUrl = stripHash(webId);
+  let profile;
+  try {
+    profile = await fetchCidDocument(docUrl);
+  } catch {
+    return false;
+  }
+  if (!profile || typeof profile !== 'object' || Array.isArray(profile)) return false;
+
+  // Confirm the profile actually identifies itself as the WebID we're
+  // asking about — otherwise a profile hosted at the WebID's URL could
+  // declare a different fragment as its subject and trick us. Both
+  // sides absolutized so a relative @id (e.g. "#me") resolves against
+  // docUrl and a webId without fragment (which the docstring no longer
+  // permits, but be defensive) doesn't accidentally match a fragment
+  // form.
+  const subject = absolutize(profile['@id'] || profile.id, docUrl);
+  const expectedSubject = absolutize(webId, docUrl);
+  if (!subject || subject !== expectedSubject) return false;
+
+  const vm = findNostrVmInProfile(profile, pubkeyHex.toLowerCase(), docUrl);
+  if (!vm) return false;
+  if (!isInProofPurpose(profile, 'authentication', vm.id, docUrl)) return false;
+
+  // Controller consistency: the VM's `controller` MUST be in the
+  // profile's expected controller set (declared `controller`, with
+  // @id fallback). Without this, a profile with a Nostr-keyed VM
+  // controlled by some unrelated identity would pass — a binding the
+  // actual subject never asserted. Mirrors the resource-path check.
+  const expectedCtrls = normalizeControllers(profile.controller ?? profile['@id'] ?? profile.id, docUrl);
+  if (expectedCtrls.length === 0) return false;
+  const vmCtrls = normalizeControllers(vm.controller, docUrl);
+  if (!vmCtrls.some((c) => expectedCtrls.includes(c))) return false;
+
+  return true;
+}
+
 /**
  * Find a verificationMethod whose key material matches the Nostr
  * x-only pubkey hex. Two encodings supported:
@@ -537,23 +625,6 @@ function findNostrVmInProfile(profile, pubkeyHex, baseUrl) {
   return null;
 }
 
-/**
- * Decode an f-form Multikey for secp256k1-pub back into the 32-byte
- * x-only pubkey hex. Returns null if the input isn't this shape.
- */
-function decodeFFormSecp256k1(mb) {
-  if (typeof mb !== 'string' || !mb.startsWith('f')) return null;
-  const hex = mb.slice(1).toLowerCase();
-  if (!/^[0-9a-f]+$/.test(hex)) return null;
-  if (!hex.startsWith(MULTICODEC_SECP256K1_PUB_HEX)) return null;
-  const rest = hex.slice(MULTICODEC_SECP256K1_PUB_HEX.length);
-  // Expect parity byte (02/03) + 32-byte xonly = 66 hex chars.
-  if (rest.length !== 66) return null;
-  const parity = rest.slice(0, 2);
-  if (parity !== '02' && parity !== '03') return null;
-  return rest.slice(2);
-}
-
 function hexToBase64url(hex) {
   return Buffer.from(hex, 'hex').toString('base64')
     .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

package/src/idp/interactions.js

@@ -3,12 +3,12 @@
  * Handles the user-facing parts of the authentication flow
  */
 
-import { authenticate, findById, findByWebId, createAccount, updateLastLogin, setPasskeyPromptDismissed } from './accounts.js';
+import { authenticate, findById, findByUsername, findByWebId, createAccount, updateLastLogin, setPasskeyPromptDismissed } from './accounts.js';
 import { loginPage, consentPage, errorPage, registerPage, passkeyPromptPage } from './views.js';
 import * as storage from '../storage/filesystem.js';
 import { createPodStructure } from '../handlers/container.js';
 import { validateInvite } from './invites.js';
-import { verifyNostrAuth } from '../auth/nostr.js';
+import { verifyNostrAuth, getNostrPubkey, verifyNostrPubkeyAgainstWebId } from '../auth/nostr.js';
 
 // Security: Maximum body size for IdP form submissions (1MB)
 const MAX_BODY_SIZE = 1024 * 1024;
@@ -658,6 +658,41 @@ export async function handlePasskeySkip(request, reply, provider) {
   }
 }
 
+/**
+ * Pull the optional `username` field out of a schnorr-login POST.
+ *
+ * JSS registers a wildcard parseAs:'buffer' content-type parser
+ * (src/server.js), so request.body for application/x-www-form-urlencoded
+ * arrives as a Buffer that needs string-decode + URLSearchParams. JSON
+ * and already-parsed object bodies are also accepted for flexibility.
+ *
+ * Returns either:
+ *   - { tooLarge: true } if the body exceeds MAX_BODY_SIZE (matching
+ *     handleLogin / handleRegisterPost — caller emits 413).
+ *   - { username: string } otherwise, possibly empty.
+ */
+function parseUsernameField(request) {
+  const body = request.body;
+  if (!body) return { username: '' };
+  const ct = (request.headers?.['content-type'] || '').toLowerCase();
+  if (Buffer.isBuffer(body) && body.length > MAX_BODY_SIZE) return { tooLarge: true };
+  if (typeof body === 'string' && body.length > MAX_BODY_SIZE) return { tooLarge: true };
+
+  let bag = {};
+  if (Buffer.isBuffer(body) || typeof body === 'string') {
+    const s = Buffer.isBuffer(body) ? body.toString() : body;
+    if (ct.includes('application/json')) {
+      try { bag = JSON.parse(s); } catch { bag = {}; }
+    } else {
+      try { bag = Object.fromEntries(new URLSearchParams(s).entries()); }
+      catch { bag = {}; }
+    }
+  } else if (typeof body === 'object') {
+    bag = body;
+  }
+  return { username: (bag.username || '').toString().trim() };
+}
+
 /**
  * Handle POST /idp/interaction/:uid/schnorr-login
  * Authenticates user via Schnorr signature (NIP-98)
@@ -689,16 +724,43 @@ export async function handleSchnorrLogin(request, reply, provider) {
     const identity = authResult.webId;
     request.log.info({ identity, uid }, 'Schnorr auth verified');
 
-    // Try to find an existing account linked to this identity
+    // Try to find an existing account linked to this identity. The
+    // primary path: identity is already a WebID (e.g. resolved via the
+    // existing did:nostr DID-doc resolver) and an account exists for it.
     let account = await findByWebId(identity);
 
     if (!account) {
-      // No account linked to this did:nostr
-      // For now, return error - user needs to link their did:nostr to an account
-      // Future: could auto-create account or prompt for linking
+      // Fallback: if the user typed a username on the login form, check
+      // whether the verified Nostr pubkey is declared as a CID
+      // verificationMethod referenced from `authentication` in that
+      // user's WebID profile (#400's IdP-side parallel — #403). The
+      // signature has already been verified above, so this is just
+      // "does this verified pubkey belong to the typed user".
+      const parsed = parseUsernameField(request);
+      if (parsed.tooLarge) {
+        return reply.code(413).type('application/json').send({
+          success: false,
+          error: 'Request body exceeds maximum size.',
+        });
+      }
+      const typedUsername = parsed.username;
+      if (typedUsername) {
+        const candidate = await findByUsername(typedUsername);
+        if (candidate?.webId) {
+          const pubkey = await getNostrPubkey(request);
+          if (pubkey && await verifyNostrPubkeyAgainstWebId(candidate.webId, pubkey)) {
+            account = candidate;
+            request.log.info({ accountId: account.id, webId: candidate.webId, uid },
+              'Schnorr login resolved via typed username + profile VM');
+          }
+        }
+      }
+    }
+
+    if (!account) {
       return reply.code(403).type('application/json').send({
         success: false,
-        error: 'No account linked to this identity. Please register or link your Schnorr key to an existing account.'
+        error: 'No account linked to this identity. Type your username and add a Schnorr verificationMethod to your WebID profile (or link via did:nostr DID document).'
       });
     }
 

package/src/idp/views.js

@@ -381,12 +381,21 @@ export function loginPage(uid, clientId, error = null, passkeyEnabled = true, sc
         // Sign with NIP-07 extension
         const signedEvent = await window.nostr.signEvent(event);
 
+        // Read the typed username so the server can resolve which
+        // account this Nostr key belongs to, in case the existing
+        // did:nostr DID-doc resolver doesn't have a binding yet.
+        // The signature is verified BEFORE the username is consulted —
+        // typing someone else's username doesn't grant access.
+        const typedUsername = (document.getElementById('username')?.value || '').trim();
+
         // Send to server
         const response = await fetch(authUrl, {
           method: 'POST',
           headers: {
-            'Authorization': 'Nostr ' + btoa(JSON.stringify(signedEvent))
-          }
+            'Authorization': 'Nostr ' + btoa(JSON.stringify(signedEvent)),
+            'Content-Type': 'application/x-www-form-urlencoded'
+          },
+          body: typedUsername ? 'username=' + encodeURIComponent(typedUsername) : ''
         });
 
         const result = await response.json();