javascript-solid-server 0.0.57 → 0.0.59

package/.claude/settings.local.json

@@ -207,7 +207,13 @@
       "WebFetch(domain:solid-chat.com)",
       "WebFetch(domain:developer.chrome.com)",
       "WebFetch(domain:css-tricks.com)",
-      "Bash(node bin/jss.js:*)"
+      "Bash(node bin/jss.js:*)",
+      "WebFetch(domain:nostr.social)",
+      "Bash(xargs curl -s)",
+      "Bash(ssh phone:*)",
+      "Bash(dig:*)",
+      "WebFetch(domain:fonstr.com)",
+      "Bash(node -e \"import\\(''nostr-tools''\\).then\\(m => console.log\\(Object.keys\\(m\\).join\\(''\\\\n''\\)\\)\\)\":*)"
     ]
   }
 }

package/README.md

@@ -6,7 +6,7 @@ A minimal, fast, JSON-LD native Solid server.
 
 ## Features
 
-### Implemented (v0.0.57)
+### Implemented (v0.0.59)
 
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
 - **N3 Patch** - Solid's native patch format for RDF updates
@@ -24,11 +24,12 @@ A minimal, fast, JSON-LD native Solid server.
 - **Solid-OIDC Identity Provider** - Built-in IdP with DPoP, RS256/ES256, dynamic registration
 - **Solid-OIDC Resource Server** - Accept DPoP-bound access tokens from external IdPs
 - **NSS-style Registration** - Username/password auth compatible with Solid apps
-- **Nostr Authentication** - NIP-98 HTTP Auth with Schnorr signatures
+- **Nostr Authentication** - NIP-98 HTTP Auth with Schnorr signatures, did:nostr → WebID resolution
 - **Simple Auth Tokens** - Built-in token authentication for development
 - **Content Negotiation** - Turtle <-> JSON-LD conversion, including HTML data islands
 - **CORS Support** - Full cross-origin resource sharing
 - **Git HTTP Backend** - Clone and push to containers via `git` protocol
+- **Nostr Relay** - Integrated NIP-01 relay on the same port (`wss://your.pod/relay`)
 - **Invite-Only Registration** - CLI-managed invite codes for controlled signups
 - **Storage Quotas** - Per-user storage limits with CLI management
 - **Security** - Blocks access to dotfiles (`.git/`, `.env`, etc.) except Solid-specific ones
@@ -103,6 +104,9 @@ jss --help             # Show help
 | `--mashlib-cdn` | Enable Mashlib (CDN mode) | false |
 | `--mashlib-version <ver>` | Mashlib CDN version | 2.0.0 |
 | `--git` | Enable Git HTTP backend | false |
+| `--nostr` | Enable Nostr relay | false |
+| `--nostr-path <path>` | Nostr relay WebSocket path | /relay |
+| `--nostr-max-events <n>` | Max events in relay memory | 1000 |
 | `--invite-only` | Require invite code for registration | false |
 | `--default-quota <size>` | Default storage quota per pod (e.g., 50MB) | 50MB |
 | `-q, --quiet` | Suppress logs | false |
@@ -119,6 +123,7 @@ export JSS_CONNEG=true
 export JSS_SUBDOMAINS=true
 export JSS_BASE_DOMAIN=example.com
 export JSS_MASHLIB=true
+export JSS_NOSTR=true
 export JSS_INVITE_ONLY=true
 export JSS_DEFAULT_QUOTA=100MB
 jss start
@@ -387,6 +392,35 @@ git add .acl && git commit -m "Add ACL"
 
 See [git-credential-nostr](https://github.com/JavaScriptSolidServer/git-credential-nostr) for more details.
 
+### Linking Nostr to WebID (did:nostr)
+
+Bridge your Nostr identity to a Solid WebID for seamless authentication:
+
+**Step 1:** Add your WebID to your Nostr profile (kind 0 event):
+```json
+{
+  "name": "alice",
+  "alsoKnownAs": ["https://solid.social/alice/profile/card#me"]
+}
+```
+
+**Step 2:** Add the did:nostr link to your WebID profile:
+```json
+{
+  "@id": "#me",
+  "owl:sameAs": "did:nostr:<your-64-char-hex-pubkey>"
+}
+```
+
+**How it works:**
+1. NIP-98 signature is verified (existing flow)
+2. DID document is fetched from `nostr.social/.well-known/did/nostr/<pubkey>.json`
+3. `alsoKnownAs` is checked for a WebID URL
+4. WebID profile is fetched and `owl:sameAs` verified
+5. If bidirectional link exists → authenticated as WebID
+
+This enables Nostr users to access their Solid pods using existing NIP-07 browser extensions.
+
 ## Invite-Only Registration
 
 Control who can create accounts by requiring invite codes:
@@ -735,7 +769,8 @@ src/
 │   ├── middleware.js     # Auth hook
 │   ├── token.js          # Simple token auth
 │   ├── solid-oidc.js     # DPoP verification
-│   └── nostr.js          # NIP-98 Nostr authentication
+│   ├── nostr.js          # NIP-98 Nostr authentication
+│   └── did-nostr.js      # did:nostr → WebID resolution
 ├── wac/
 │   ├── parser.js         # ACL parsing
 │   └── checker.js        # Permission checking

package/bin/jss.js

@@ -59,6 +59,10 @@ program
   .option('--mashlib-version <version>', 'Mashlib version for CDN mode (default: 2.0.0)')
   .option('--git', 'Enable Git HTTP backend (clone/push support)')
   .option('--no-git', 'Disable Git HTTP backend')
+  .option('--nostr', 'Enable Nostr relay')
+  .option('--no-nostr', 'Disable Nostr relay')
+  .option('--nostr-path <path>', 'Nostr relay WebSocket path (default: /relay)')
+  .option('--nostr-max-events <n>', 'Max events in relay memory (default: 1000)', parseInt)
   .option('--invite-only', 'Require invite code for registration')
   .option('--no-invite-only', 'Allow open registration')
   .option('-q, --quiet', 'Suppress log output')
@@ -103,6 +107,9 @@ program
         mashlibCdn: config.mashlibCdn,
         mashlibVersion: config.mashlibVersion,
         git: config.git,
+        nostr: config.nostr,
+        nostrPath: config.nostrPath,
+        nostrMaxEvents: config.nostrMaxEvents,
         inviteOnly: config.inviteOnly,
       });
 
@@ -123,6 +130,7 @@ program
           console.log(`  Mashlib: local (data browser enabled)`);
         }
         if (config.git) console.log('  Git: enabled (clone/push support)');
+        if (config.nostr) console.log(`  Nostr: enabled (${config.nostrPath})`);
         if (config.inviteOnly) console.log('  Registration: invite-only');
         console.log('\n  Press Ctrl+C to stop\n');
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.57",
+  "version": "0.0.59",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/did-nostr.js

@@ -0,0 +1,205 @@
+/**
+ * DID:nostr Resolution
+ *
+ * Resolves did:nostr:<pubkey> to a Solid WebID by:
+ * 1. Fetching DID document from nostr.social
+ * 2. Extracting alsoKnownAs WebID
+ * 3. Verifying bidirectional link (WebID links back to did:nostr)
+ */
+
+// Default DID resolver endpoint
+const DEFAULT_DID_RESOLVER = 'https://nostr.social/.well-known/did/nostr';
+
+// Cache for resolved DIDs (pubkey -> webId or null)
+const cache = new Map();
+const CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+
+/**
+ * Fetch with timeout
+ */
+async function fetchWithTimeout(url, options = {}, timeout = 5000) {
+  const controller = new AbortController();
+  const id = setTimeout(() => controller.abort(), timeout);
+  try {
+    const response = await fetch(url, { ...options, signal: controller.signal });
+    clearTimeout(id);
+    return response;
+  } catch (err) {
+    clearTimeout(id);
+    throw err;
+  }
+}
+
+/**
+ * Resolve did:nostr pubkey to WebID via DID document
+ * @param {string} pubkey - 64-char hex Nostr pubkey
+ * @param {string} resolverUrl - DID resolver base URL
+ * @returns {Promise<string|null>} WebID URL or null
+ */
+export async function resolveDidNostrToWebId(pubkey, resolverUrl = DEFAULT_DID_RESOLVER) {
+  if (!pubkey || pubkey.length !== 64) {
+    return null;
+  }
+
+  // Check cache
+  const cacheKey = pubkey.toLowerCase();
+  const cached = cache.get(cacheKey);
+  if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
+    return cached.webId;
+  }
+
+  try {
+    // Fetch DID document
+    const didUrl = `${resolverUrl}/${pubkey}.json`;
+    const didRes = await fetchWithTimeout(didUrl, {
+      headers: { 'Accept': 'application/did+json, application/json' }
+    });
+
+    if (!didRes.ok) {
+      cache.set(cacheKey, { webId: null, timestamp: Date.now() });
+      return null;
+    }
+
+    const didDoc = await didRes.json();
+
+    // Extract WebID from alsoKnownAs (array) or profile.webid or profile.sameAs
+    let webId = null;
+
+    if (Array.isArray(didDoc.alsoKnownAs) && didDoc.alsoKnownAs.length > 0) {
+      // Find first HTTP(S) URL that looks like a WebID
+      webId = didDoc.alsoKnownAs.find(aka =>
+        typeof aka === 'string' && aka.startsWith('https://'));
+    }
+
+    // Fallback to profile fields
+    if (!webId && didDoc.profile) {
+      webId = didDoc.profile.webid || didDoc.profile.sameAs;
+    }
+
+    if (!webId) {
+      cache.set(cacheKey, { webId: null, timestamp: Date.now() });
+      return null;
+    }
+
+    // Verify bidirectional link - WebID must link back to did:nostr
+    const verified = await verifyWebIdBacklink(webId, pubkey);
+
+    if (verified) {
+      cache.set(cacheKey, { webId, timestamp: Date.now() });
+      return webId;
+    }
+
+    cache.set(cacheKey, { webId: null, timestamp: Date.now() });
+    return null;
+
+  } catch (err) {
+    // Network error or timeout - don't cache failures
+    console.error(`DID resolution error for ${pubkey}:`, err.message);
+    return null;
+  }
+}
+
+/**
+ * Verify WebID profile links back to did:nostr
+ * @param {string} webId - WebID URL
+ * @param {string} pubkey - Nostr pubkey
+ * @returns {Promise<boolean>}
+ */
+async function verifyWebIdBacklink(webId, pubkey) {
+  try {
+    const expectedDid = `did:nostr:${pubkey.toLowerCase()}`;
+
+    // Fetch WebID profile
+    const res = await fetchWithTimeout(webId, {
+      headers: { 'Accept': 'application/ld+json, application/json, text/html' }
+    });
+
+    if (!res.ok) {
+      return false;
+    }
+
+    const contentType = res.headers.get('content-type') || '';
+    const text = await res.text();
+
+    // Handle HTML with JSON-LD data island
+    if (contentType.includes('text/html')) {
+      const jsonLdMatch = text.match(/<script\s+type=["']application\/ld\+json["']\s*>([\s\S]*?)<\/script>/i);
+      if (jsonLdMatch) {
+        try {
+          const jsonLd = JSON.parse(jsonLdMatch[1]);
+          return checkSameAsLink(jsonLd, expectedDid);
+        } catch {
+          return false;
+        }
+      }
+      return false;
+    }
+
+    // Handle JSON-LD directly
+    if (contentType.includes('json')) {
+      try {
+        const jsonLd = JSON.parse(text);
+        return checkSameAsLink(jsonLd, expectedDid);
+      } catch {
+        return false;
+      }
+    }
+
+    return false;
+
+  } catch (err) {
+    console.error(`WebID backlink verification error for ${webId}:`, err.message);
+    return false;
+  }
+}
+
+/**
+ * Check if JSON-LD contains sameAs/owl:sameAs link to expected DID
+ * @param {object} jsonLd - Parsed JSON-LD
+ * @param {string} expectedDid - Expected did:nostr:pubkey
+ * @returns {boolean}
+ */
+function checkSameAsLink(jsonLd, expectedDid) {
+  // Check various sameAs fields
+  const sameAsFields = [
+    jsonLd['owl:sameAs'],
+    jsonLd['sameAs'],
+    jsonLd['schema:sameAs'],
+    jsonLd['http://www.w3.org/2002/07/owl#sameAs']
+  ];
+
+  for (const field of sameAsFields) {
+    if (!field) continue;
+
+    // Handle string value
+    if (typeof field === 'string' && field.toLowerCase() === expectedDid) {
+      return true;
+    }
+
+    // Handle object with @id
+    if (field && typeof field === 'object' && field['@id']?.toLowerCase() === expectedDid) {
+      return true;
+    }
+
+    // Handle array
+    if (Array.isArray(field)) {
+      for (const item of field) {
+        if (typeof item === 'string' && item.toLowerCase() === expectedDid) {
+          return true;
+        }
+        if (item && typeof item === 'object' && item['@id']?.toLowerCase() === expectedDid) {
+          return true;
+        }
+      }
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Clear the resolution cache (for testing)
+ */
+export function clearCache() {
+  cache.clear();
+}

package/src/auth/nostr.js

@@ -13,6 +13,7 @@
 
 import { verifyEvent } from 'nostr-tools';
 import crypto from 'crypto';
+import { resolveDidNostrToWebId } from './did-nostr.js';
 
 // NIP-98 event kind (references RFC 7235)
 const HTTP_AUTH_KIND = 27235;
@@ -186,11 +187,9 @@ export async function verifyNostrAuth(request) {
 
   // Validate method tag matches request method
   // For git clients: allow '*' as wildcard method
+  // If method tag is missing, infer from HTTP request (lenient mode)
   const eventMethod = getTagValue(event, 'method');
-  if (!eventMethod) {
-    return { webId: null, error: 'Missing method tag in event' };
-  }
-  if (eventMethod !== '*' && eventMethod.toUpperCase() !== request.method.toUpperCase()) {
+  if (eventMethod && eventMethod !== '*' && eventMethod.toUpperCase() !== request.method.toUpperCase()) {
     return { webId: null, error: `Method mismatch: expected ${request.method}, got ${eventMethod}` };
   }
 
@@ -217,13 +216,34 @@ export async function verifyNostrAuth(request) {
     return { webId: null, error: 'Invalid or missing pubkey' };
   }
 
+  // Compute event id if missing (lenient mode for nosdav compatibility)
+  if (!event.id) {
+    const serialized = JSON.stringify([
+      0,
+      event.pubkey,
+      event.created_at,
+      event.kind,
+      event.tags,
+      event.content
+    ]);
+    event.id = crypto.createHash('sha256').update(serialized).digest('hex');
+  }
+
   // Verify Schnorr signature
   const isValid = verifyEvent(event);
   if (!isValid) {
     return { webId: null, error: 'Invalid Schnorr signature' };
   }
 
-  // Return did:nostr as the agent identifier
+  // Try to resolve did:nostr to a linked WebID
+  // This checks if the pubkey has an alsoKnownAs pointing to a WebID
+  // and verifies the WebID links back to did:nostr (bidirectional)
+  const resolvedWebId = await resolveDidNostrToWebId(event.pubkey);
+  if (resolvedWebId) {
+    return { webId: resolvedWebId, error: null };
+  }
+
+  // Fall back to did:nostr as the agent identifier
   const didNostr = pubkeyToDidNostr(event.pubkey);
 
   return { webId: didNostr, error: null };

package/src/config.js

@@ -45,6 +45,11 @@ export const defaults = {
   // Git HTTP backend
   git: false,
 
+  // Nostr relay
+  nostr: false,
+  nostrPath: '/relay',
+  nostrMaxEvents: 1000,
+
   // Invite-only registration
   inviteOnly: false,
 
@@ -81,6 +86,9 @@ const envMap = {
   JSS_MASHLIB_CDN: 'mashlibCdn',
   JSS_MASHLIB_VERSION: 'mashlibVersion',
   JSS_GIT: 'git',
+  JSS_NOSTR: 'nostr',
+  JSS_NOSTR_PATH: 'nostrPath',
+  JSS_NOSTR_MAX_EVENTS: 'nostrMaxEvents',
   JSS_INVITE_ONLY: 'inviteOnly',
   JSS_DEFAULT_QUOTA: 'defaultQuota',
 };
@@ -109,7 +117,7 @@ function parseEnvValue(value, key) {
   if (value.toLowerCase() === 'false') return false;
 
   // Numeric values for known numeric keys
-  if (key === 'port' && !isNaN(value)) {
+  if ((key === 'port' || key === 'nostrMaxEvents') && !isNaN(value)) {
     return parseInt(value, 10);
   }
 

package/src/nostr/relay.js

@@ -0,0 +1,283 @@
+/**
+ * Nostr Relay Module
+ *
+ * Lightweight Nostr relay (NIP-01) integrated into JSS.
+ * Based on Fonstr (https://github.com/nostrapps/fonstr)
+ *
+ * Usage: jss start --nostr
+ * Endpoint: wss://your.pod/relay
+ */
+
+import { validateEvent, verifyEvent } from 'nostr-tools';
+import websocket from '@fastify/websocket';
+
+// Default max events to prevent memory exhaustion
+const DEFAULT_MAX_EVENTS = 1000;
+// Rate limiting: max events per socket per minute
+const DEFAULT_RATE_LIMIT = 60;
+const RATE_WINDOW_MS = 60000;
+
+/**
+ * Check if event passes filter (NIP-01)
+ */
+function eventPassesFilter(event, filter) {
+  if (filter.ids && !filter.ids.includes(event.id)) {
+    return false;
+  }
+
+  if (filter.authors && !filter.authors.includes(event.pubkey)) {
+    return false;
+  }
+
+  if (filter.kinds && !filter.kinds.includes(event.kind)) {
+    return false;
+  }
+
+  if (filter.since && event.created_at < filter.since) {
+    return false;
+  }
+
+  if (filter.until && event.created_at > filter.until) {
+    return false;
+  }
+
+  // Tag filters (#e, #p, etc.)
+  for (const [key, values] of Object.entries(filter)) {
+    if (key.startsWith('#') && key.length === 2) {
+      const tagName = key[1];
+      const eventTagValues = event.tags
+        .filter(tag => tag[0] === tagName)
+        .map(tag => tag[1]);
+
+      if (!values.some(v => eventTagValues.includes(v))) {
+        return false;
+      }
+    }
+  }
+
+  return true;
+}
+
+/**
+ * Event kind helpers (NIP-01, NIP-16)
+ */
+function isReplaceableKind(kind) {
+  return (kind >= 10000 && kind < 20000) || kind === 0 || kind === 3;
+}
+
+function isEphemeralKind(kind) {
+  return kind >= 20000 && kind < 30000;
+}
+
+function isParameterizedReplaceable(kind) {
+  return kind >= 30000 && kind < 40000;
+}
+
+function getDTagValue(tags) {
+  for (const tag of tags) {
+    if (tag[0] === 'd') {
+      return tag[1];
+    }
+  }
+  return null;
+}
+
+/**
+ * Register Nostr relay routes on Fastify instance
+ *
+ * @param {object} fastify - Fastify instance
+ * @param {object} options - Options
+ * @param {string} options.path - WebSocket path (default: '/relay')
+ * @param {number} options.maxEvents - Max events in memory (default: 1000)
+ */
+export async function registerNostrRelay(fastify, options = {}) {
+  const path = options.path || '/relay';
+  const maxEvents = options.maxEvents || DEFAULT_MAX_EVENTS;
+
+  // In-memory storage
+  const events = [];
+  const subscribers = new Map();
+  const rateLimits = new Map(); // socket -> { count, resetTime }
+
+  /**
+   * Check rate limit for socket
+   */
+  function checkRateLimit(socket) {
+    const now = Date.now();
+    let limit = rateLimits.get(socket);
+
+    if (!limit || now > limit.resetTime) {
+      limit = { count: 0, resetTime: now + RATE_WINDOW_MS };
+      rateLimits.set(socket, limit);
+    }
+
+    limit.count++;
+    return limit.count <= DEFAULT_RATE_LIMIT;
+  }
+
+  /**
+   * Process incoming message
+   */
+  async function processMessage(type, value, rest, socket) {
+    switch (type) {
+      case 'EVENT': {
+        // Rate limit check
+        if (!checkRateLimit(socket)) {
+          socket.send(JSON.stringify(['OK', value?.id || '', false, 'rate-limited: too many events']));
+          return;
+        }
+
+        const event = value;
+        const isValid = validateEvent(event) && verifyEvent(event);
+
+        if (!isValid) {
+          socket.send(JSON.stringify(['OK', event?.id || '', false, 'invalid: bad signature or format']));
+          return;
+        }
+
+        // Handle different event kinds
+        if (isEphemeralKind(event.kind)) {
+          // Ephemeral: don't store, just broadcast
+        } else if (isReplaceableKind(event.kind) || isParameterizedReplaceable(event.kind)) {
+          // Replaceable: find and update existing
+          let indexToReplace = -1;
+          for (let i = 0; i < events.length; i++) {
+            if (events[i].pubkey === event.pubkey && events[i].kind === event.kind) {
+              if (isParameterizedReplaceable(event.kind)) {
+                const dTagValue = getDTagValue(event.tags);
+                const existingDTagValue = getDTagValue(events[i].tags);
+                if (dTagValue === existingDTagValue) {
+                  indexToReplace = i;
+                  break;
+                }
+              } else {
+                indexToReplace = i;
+                break;
+              }
+            }
+          }
+
+          if (indexToReplace !== -1) {
+            events[indexToReplace] = event;
+          } else {
+            if (events.length >= maxEvents) {
+              events.shift();
+            }
+            events.push(event);
+          }
+        } else {
+          // Regular event
+          if (events.length >= maxEvents) {
+            events.shift();
+          }
+          events.push(event);
+        }
+
+        // Broadcast to matching subscribers
+        subscribers.forEach((filters, subscriber) => {
+          filters.forEach(filter => {
+            if (eventPassesFilter(event, filter)) {
+              try {
+                subscriber.send(JSON.stringify(['EVENT', filter.subscription_id, event]));
+              } catch (e) {
+                // Socket closed, will be cleaned up
+              }
+            }
+          });
+        });
+
+        socket.send(JSON.stringify(['OK', event.id, true, '']));
+        break;
+      }
+
+      case 'REQ': {
+        const subscriptionId = value;
+        const filters = rest.map(filter => ({ ...filter, subscription_id: subscriptionId }));
+        subscribers.set(socket, filters);
+
+        // Send matching historical events
+        filters.forEach(filter => {
+          const matchingEvents = events.filter(event => eventPassesFilter(event, filter));
+          const limited = filter.limit ? matchingEvents.slice(-filter.limit) : matchingEvents;
+          limited.forEach(event => {
+            socket.send(JSON.stringify(['EVENT', filter.subscription_id, event]));
+          });
+        });
+
+        socket.send(JSON.stringify(['EOSE', subscriptionId]));
+        break;
+      }
+
+      case 'CLOSE': {
+        const subId = value;
+        if (subscribers.has(socket)) {
+          const updatedFilters = subscribers.get(socket).filter(
+            filter => filter.subscription_id !== subId
+          );
+          if (updatedFilters.length === 0) {
+            subscribers.delete(socket);
+          } else {
+            subscribers.set(socket, updatedFilters);
+          }
+        }
+        break;
+      }
+
+      default:
+        socket.send(JSON.stringify(['NOTICE', `Unknown message type: ${type}`]));
+    }
+  }
+
+  // Register websocket plugin if not already registered
+  if (!fastify.websocketServer) {
+    await fastify.register(websocket);
+  }
+
+  // Register WebSocket route for Nostr relay
+  fastify.get(path, { websocket: true }, (connection, request) => {
+    const socket = connection.socket;
+
+    socket.on('message', async (data) => {
+      try {
+        const message = JSON.parse(data.toString());
+        const [type, value, ...rest] = message;
+        await processMessage(type, value, rest, socket);
+      } catch (e) {
+        socket.send(JSON.stringify(['NOTICE', `Error: ${e.message}`]));
+      }
+    });
+
+    socket.on('close', () => {
+      subscribers.delete(socket);
+      rateLimits.delete(socket);
+    });
+
+    socket.on('error', () => {
+      subscribers.delete(socket);
+      rateLimits.delete(socket);
+    });
+  });
+
+  // NIP-11: Relay Information Document at /relay/info
+  fastify.get(path + '/info', (request, reply) => {
+    const relayInfo = {
+      name: 'JSS Nostr Relay',
+      description: 'Nostr relay integrated with JavaScript Solid Server',
+      pubkey: '',
+      contact: '',
+      supported_nips: [1, 11, 16],
+      software: 'https://github.com/JavaScriptSolidServer/JavaScriptSolidServer',
+      version: '0.0.1'
+    };
+
+    return reply
+      .header('Access-Control-Allow-Origin', '*')
+      .header('Content-Type', 'application/json')
+      .send(relayInfo);
+  });
+
+  return {
+    getEventCount: () => events.length,
+    getSubscriberCount: () => subscribers.size
+  };
+}

package/src/server.js

@@ -11,6 +11,7 @@ import { notificationsPlugin } from './notifications/index.js';
 import { idpPlugin } from './idp/index.js';
 import { isGitRequest, isGitWriteOperation, handleGit } from './handlers/git.js';
 import { AccessMode } from './wac/parser.js';
+import { registerNostrRelay } from './nostr/relay.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 
@@ -27,6 +28,9 @@ const __dirname = dirname(fileURLToPath(import.meta.url));
  * @param {boolean} options.subdomains - Enable subdomain-based pods for XSS protection (default false)
  * @param {string} options.baseDomain - Base domain for subdomain pods (e.g., "example.com")
  * @param {boolean} options.git - Enable Git HTTP backend for clone/push (default false)
+ * @param {boolean} options.nostr - Enable Nostr relay (default false)
+ * @param {string} options.nostrPath - Nostr relay WebSocket path (default '/relay')
+ * @param {number} options.nostrMaxEvents - Max events in relay memory (default 1000)
  */
 export function createServer(options = {}) {
   // Content negotiation is OFF by default - we're a JSON-LD native server
@@ -46,6 +50,10 @@ export function createServer(options = {}) {
   const mashlibVersion = options.mashlibVersion ?? '2.0.0';
   // Git HTTP backend is OFF by default - enables clone/push via git protocol
   const gitEnabled = options.git ?? false;
+  // Nostr relay is OFF by default
+  const nostrEnabled = options.nostr ?? false;
+  const nostrPath = options.nostrPath ?? '/relay';
+  const nostrMaxEvents = options.nostrMaxEvents ?? 1000;
   // Invite-only registration is OFF by default - open registration
   const inviteOnly = options.inviteOnly ?? false;
   // Default storage quota per pod (50MB default, 0 = unlimited)
@@ -134,6 +142,16 @@ export function createServer(options = {}) {
     fastify.register(idpPlugin, { issuer: idpIssuer, inviteOnly });
   }
 
+  // Register Nostr relay if enabled
+  if (nostrEnabled) {
+    fastify.register(async (instance) => {
+      await registerNostrRelay(instance, {
+        path: nostrPath,
+        maxEvents: nostrMaxEvents
+      });
+    });
+  }
+
   // Register rate limiting plugin
   // Protects against brute force attacks and resource exhaustion
   fastify.register(rateLimit, {
@@ -219,13 +237,14 @@ export function createServer(options = {}) {
   // Authorization hook - check WAC permissions
   // Skip for pod creation endpoint (needs special handling)
   fastify.addHook('preHandler', async (request, reply) => {
-    // Skip auth for pod creation, OPTIONS, IdP routes, mashlib, well-known, notifications, and git
+    // Skip auth for pod creation, OPTIONS, IdP routes, mashlib, well-known, notifications, nostr, and git
     const mashlibPaths = ['/mashlib.min.js', '/mash.css', '/841.mashlib.min.js'];
     if (request.url === '/.pods' ||
         request.url === '/.notifications' ||
         request.method === 'OPTIONS' ||
         request.url.startsWith('/idp/') ||
         request.url.startsWith('/.well-known/') ||
+        (nostrEnabled && request.url.startsWith(nostrPath)) ||
         (gitEnabled && isGitRequest(request.url)) ||
         mashlibPaths.some(p => request.url === p || request.url.startsWith(p + '.'))) {
       return;

package/test/did-nostr.test.js

@@ -0,0 +1,179 @@
+/**
+ * Tests for did:nostr to WebID resolution
+ */
+
+import { describe, it, before, after, mock } from 'node:test';
+import assert from 'node:assert';
+import { generateSecretKey, getPublicKey, finalizeEvent } from 'nostr-tools';
+import {
+  startTestServer,
+  stopTestServer,
+  request,
+  createTestPod,
+  getBaseUrl,
+  assertStatus
+} from './helpers.js';
+
+// Import the module under test
+import { resolveDidNostrToWebId, clearCache } from '../src/auth/did-nostr.js';
+
+describe('DID:nostr Resolution', () => {
+  describe('Unit Tests', () => {
+    before(() => {
+      clearCache();
+    });
+
+    it('should return null for invalid pubkey', async () => {
+      const result = await resolveDidNostrToWebId('invalid');
+      assert.strictEqual(result, null);
+    });
+
+    it('should return null for empty pubkey', async () => {
+      const result = await resolveDidNostrToWebId('');
+      assert.strictEqual(result, null);
+    });
+
+    it('should return null for null pubkey', async () => {
+      const result = await resolveDidNostrToWebId(null);
+      assert.strictEqual(result, null);
+    });
+
+    it('should return null for pubkey with wrong length', async () => {
+      const result = await resolveDidNostrToWebId('abcd1234');
+      assert.strictEqual(result, null);
+    });
+
+    it('should handle non-existent DID gracefully', async () => {
+      // Use a random pubkey that won't exist
+      const sk = generateSecretKey();
+      const pubkey = getPublicKey(sk);
+
+      // This will hit nostr.social and get 404
+      const result = await resolveDidNostrToWebId(pubkey);
+      assert.strictEqual(result, null);
+    });
+  });
+
+  describe('checkSameAsLink Function', () => {
+    // We need to test the internal checkSameAsLink function
+    // Since it's not exported, we test it indirectly through WebID verification
+
+    it('should recognize owl:sameAs string value', async () => {
+      // This test verifies the format we expect in WebID profiles
+      const profile = {
+        '@id': '#me',
+        'owl:sameAs': 'did:nostr:abcd1234'
+      };
+
+      // The profile should have the correct structure
+      assert.strictEqual(profile['owl:sameAs'], 'did:nostr:abcd1234');
+    });
+
+    it('should recognize sameAs as @id object', async () => {
+      const profile = {
+        '@id': '#me',
+        'owl:sameAs': { '@id': 'did:nostr:abcd1234' }
+      };
+
+      assert.strictEqual(profile['owl:sameAs']['@id'], 'did:nostr:abcd1234');
+    });
+  });
+
+  describe('Nostr Auth with DID Resolution', () => {
+    before(async () => {
+      await startTestServer();
+    });
+
+    after(async () => {
+      await stopTestServer();
+      clearCache();
+    });
+
+    it('should create a pod for DID testing', async () => {
+      const result = await createTestPod('nostrtest');
+      assert.ok(result.webId, 'Should have webId');
+      assert.ok(result.token, 'Should have token');
+    });
+
+    it('should accept valid NIP-98 auth header', async () => {
+      // Generate a Nostr keypair
+      const sk = generateSecretKey();
+      const pubkey = getPublicKey(sk);
+
+      // Create the pod for this pubkey
+      const podName = pubkey.substring(0, 16);
+      await createTestPod(podName);
+
+      // Create a NIP-98 event
+      const baseUrl = getBaseUrl();
+      const event = finalizeEvent({
+        kind: 27235,
+        created_at: Math.floor(Date.now() / 1000),
+        tags: [
+          ['u', `${baseUrl}/${podName}/public/`],
+          ['method', 'GET']
+        ],
+        content: ''
+      }, sk);
+
+      // Encode as base64
+      const token = Buffer.from(JSON.stringify(event)).toString('base64');
+
+      // Make request with Nostr auth
+      const res = await fetch(`${baseUrl}/${podName}/public/`, {
+        headers: {
+          'Authorization': `Nostr ${token}`
+        }
+      });
+
+      // Should succeed (200) - the Nostr auth should work
+      // Even without DID resolution, did:nostr:<pubkey> is accepted
+      assertStatus(res, 200);
+    });
+
+    it('should return did:nostr when no WebID linked', async () => {
+      const sk = generateSecretKey();
+      const pubkey = getPublicKey(sk);
+
+      // Try to resolve - should return null since no alsoKnownAs
+      const result = await resolveDidNostrToWebId(pubkey);
+      assert.strictEqual(result, null, 'Should return null when no WebID linked');
+    });
+  });
+
+  describe('Real DID Document Fetch', () => {
+    before(() => {
+      clearCache();
+    });
+
+    it('should fetch DID document from nostr.social', async () => {
+      // Use a known pubkey that exists on nostr.social
+      // fiatjaf's pubkey
+      const pubkey = '3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d';
+
+      // This should not throw, just return null if no WebID linked
+      const result = await resolveDidNostrToWebId(pubkey);
+
+      // fiatjaf likely doesn't have a WebID linked, so expect null
+      // But the fetch itself should work without error
+      assert.strictEqual(result, null, 'Should return null when no bidirectional link');
+    });
+
+    it('should cache DID resolution results', async () => {
+      const pubkey = '3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d';
+
+      // First call
+      const start1 = Date.now();
+      await resolveDidNostrToWebId(pubkey);
+      const time1 = Date.now() - start1;
+
+      // Second call should be cached (much faster)
+      const start2 = Date.now();
+      await resolveDidNostrToWebId(pubkey);
+      const time2 = Date.now() - start2;
+
+      // Cached call should be < 5ms typically
+      assert.ok(time2 < time1 || time2 < 10, `Cached call should be fast. First: ${time1}ms, Second: ${time2}ms`);
+    });
+  });
+});