nostr-auth-middleware 0.2.7

package/dist/src/config/index.js

@@ -0,0 +1,148 @@
+import { createLogger } from '../utils/logger.js';
+import { generateKeyPair } from '../utils/crypto.utils.js';
+import { createClient } from '@supabase/supabase-js';
+import { writeFileSync, readFileSync } from 'fs';
+import { resolve } from 'path';
+import dotenv from 'dotenv';
+const logger = createLogger('Config');
+// Initialize config with default values
+export const config = {
+    // Server config
+    port: parseInt(process.env.PORT || '3002'),
+    nodeEnv: process.env.NODE_ENV || 'development',
+    corsOrigins: process.env.CORS_ORIGINS?.split(',') || '*',
+    security: {
+        trustedProxies: process.env.TRUSTED_PROXIES?.split(',') || false,
+        allowedIPs: process.env.ALLOWED_IPS?.split(',') || [],
+        apiKeys: process.env.API_KEYS?.split(',') || [],
+        rateLimitWindowMs: parseInt(process.env.RATE_LIMIT_WINDOW_MS || '900000'),
+        rateLimitMaxRequests: parseInt(process.env.RATE_LIMIT_MAX_REQUESTS || '100'),
+    },
+    // Supabase config
+    supabaseUrl: process.env.SUPABASE_URL,
+    supabaseKey: process.env.SUPABASE_KEY,
+    // Nostr config
+    nostrRelays: process.env.NOSTR_RELAYS?.split(',') || [
+        'wss://relay.maiqr.app',
+        'wss://relay.damus.io',
+        'wss://relay.nostr.band'
+    ],
+    privateKey: process.env.SERVER_PRIVATE_KEY,
+    keyManagementMode: process.env.KEY_MANAGEMENT_MODE || 'development',
+    // Auth config
+    jwtSecret: process.env.JWT_SECRET || 'maiqr_nostr_auth_secret_key_2024',
+    jwtExpiresIn: '1h',
+    testMode: process.env.TEST_MODE === 'true',
+    // Optional configs
+    eventTimeoutMs: 5000,
+    challengePrefix: 'nostr:auth:'
+};
+export async function loadConfig(envPath) {
+    // Load environment variables
+    if (envPath) {
+        dotenv.config({ path: envPath });
+    }
+    else {
+        dotenv.config();
+    }
+    const loadedConfig = {
+        // Server config
+        port: parseInt(process.env.PORT || '3002'),
+        nodeEnv: process.env.NODE_ENV || 'development',
+        corsOrigins: process.env.CORS_ORIGINS?.split(',') || '*',
+        security: {
+            trustedProxies: process.env.TRUSTED_PROXIES?.split(',') || false,
+            allowedIPs: process.env.ALLOWED_IPS?.split(',') || [],
+            apiKeys: process.env.API_KEYS?.split(',') || [],
+            rateLimitWindowMs: parseInt(process.env.RATE_LIMIT_WINDOW_MS || '900000'),
+            rateLimitMaxRequests: parseInt(process.env.RATE_LIMIT_MAX_REQUESTS || '100'),
+        },
+        // Supabase config
+        supabaseUrl: process.env.SUPABASE_URL,
+        supabaseKey: process.env.SUPABASE_KEY,
+        // Nostr config
+        nostrRelays: process.env.NOSTR_RELAYS?.split(',') || [
+            'wss://relay.maiqr.app',
+            'wss://relay.damus.io',
+            'wss://relay.nostr.band'
+        ],
+        privateKey: process.env.SERVER_PRIVATE_KEY,
+        publicKey: process.env.SERVER_PUBLIC_KEY,
+        keyManagementMode: process.env.KEY_MANAGEMENT_MODE,
+        // Auth config
+        jwtSecret: process.env.JWT_SECRET,
+        jwtExpiresIn: process.env.JWT_EXPIRES_IN || '24h',
+        testMode: process.env.NODE_ENV !== 'production',
+        // Optional configs
+        eventTimeoutMs: parseInt(process.env.EVENT_TIMEOUT_MS || '5000'),
+        challengePrefix: process.env.CHALLENGE_PREFIX || 'nostr:auth:'
+    };
+    // Try to load keys from environment
+    if (process.env.SERVER_PRIVATE_KEY) {
+        const keyPair = await generateKeyPair();
+        loadedConfig.privateKey = process.env.SERVER_PRIVATE_KEY;
+        loadedConfig.publicKey = keyPair.publicKey;
+        logger.info('Loaded server keys from environment');
+        return loadedConfig;
+    }
+    // If in production, try to load from Supabase
+    if (!loadedConfig.testMode && loadedConfig.supabaseUrl && loadedConfig.supabaseKey) {
+        const supabase = createClient(loadedConfig.supabaseUrl, loadedConfig.supabaseKey);
+        try {
+            const { data, error } = await supabase
+                .from('server_keys')
+                .select('private_key, public_key')
+                .single();
+            if (error)
+                throw error;
+            if (data) {
+                loadedConfig.privateKey = data.private_key;
+                loadedConfig.publicKey = data.public_key;
+                logger.info('Loaded server keys from Supabase');
+                return loadedConfig;
+            }
+        }
+        catch (error) {
+            logger.warn('Failed to load keys from Supabase:', error);
+        }
+    }
+    // Generate new keys if none exist
+    logger.warn('No server keys found - generating new keypair');
+    const keyPair = await generateKeyPair();
+    loadedConfig.privateKey = Buffer.from(keyPair.privateKey).toString('hex');
+    loadedConfig.publicKey = keyPair.publicKey;
+    // Save to .env file in development
+    if (loadedConfig.testMode) {
+        try {
+            const envPath = resolve(process.cwd(), '.env');
+            const envContent = readFileSync(envPath, 'utf8');
+            const updatedContent = envContent
+                .replace(/^SERVER_PRIVATE_KEY=.*$/m, `SERVER_PRIVATE_KEY=${loadedConfig.privateKey}`)
+                .replace(/^SERVER_PUBLIC_KEY=.*$/m, `SERVER_PUBLIC_KEY=${loadedConfig.publicKey}`);
+            writeFileSync(envPath, updatedContent);
+            logger.info('Saved new server keys to .env file');
+        }
+        catch (error) {
+            logger.warn('Failed to save keys to .env file:', error);
+        }
+    }
+    // Save to Supabase in production
+    else if (loadedConfig.supabaseUrl && loadedConfig.supabaseKey) {
+        const supabase = createClient(loadedConfig.supabaseUrl, loadedConfig.supabaseKey);
+        try {
+            const { error } = await supabase
+                .from('server_keys')
+                .upsert({
+                private_key: loadedConfig.privateKey,
+                public_key: loadedConfig.publicKey
+            });
+            if (error)
+                throw error;
+            logger.info('Saved new server keys to Supabase');
+        }
+        catch (error) {
+            logger.warn('Failed to save keys to Supabase:', error);
+        }
+    }
+    return loadedConfig;
+}

package/dist/src/config.js

@@ -0,0 +1,60 @@
+import dotenv from 'dotenv';
+import { createLogger } from './utils/logger.js';
+import { hexToBytes } from '@noble/hashes/utils';
+import { getPublicKey } from './utils/crypto.utils.js';
+dotenv.config();
+const logger = createLogger('Config');
+function getEnvWithWarning(key) {
+    const value = process.env[key];
+    if (!value) {
+        logger.warn(`Missing environment variable: ${key} - Some features may be limited`);
+    }
+    return value;
+}
+function validatePrivateKey(key) {
+    if (!key) {
+        throw new Error('SERVER_PRIVATE_KEY is required');
+    }
+    try {
+        // Validate key format
+        if (!/^[0-9a-f]{64}$/.test(key)) {
+            throw new Error('SERVER_PRIVATE_KEY must be a 64-character hex string');
+        }
+        // Test key derivation
+        const privateKeyBytes = hexToBytes(key);
+        const pubkey = getPublicKey(privateKeyBytes);
+        logger.info('Server keys validated. Public key:', pubkey);
+        return key;
+    }
+    catch (error) {
+        logger.error('Invalid SERVER_PRIVATE_KEY:', error);
+        throw error;
+    }
+}
+export const config = {
+    // Server config
+    port: parseInt(process.env.PORT || '3002', 10),
+    nodeEnv: process.env.NODE_ENV || 'development',
+    // CORS
+    corsOrigins: process.env.CORS_ORIGINS?.split(',') || '*',
+    // Nostr config
+    nostrRelays: process.env.NOSTR_RELAYS?.split(',') || [
+        'wss://relay.damus.io',
+        'wss://relay.nostr.band'
+    ],
+    // Supabase config - optional for testing
+    supabaseUrl: getEnvWithWarning('SUPABASE_URL'),
+    supabaseKey: getEnvWithWarning('SUPABASE_KEY'),
+    // JWT config - optional for testing
+    jwtSecret: getEnvWithWarning('JWT_SECRET'),
+    jwtExpiresIn: process.env.JWT_EXPIRES_IN || '24h',
+    // Key Management Mode
+    keyManagementMode: (process.env.KEY_MANAGEMENT_MODE === 'production' ? 'production' : 'development'),
+    // Server key pair - required and validated
+    privateKey: validatePrivateKey(process.env.SERVER_PRIVATE_KEY),
+    publicKey: process.env.SERVER_PUBLIC_KEY,
+    // Testing mode - disables Supabase and JWT requirements
+    testMode: process.env.TEST_MODE === 'true',
+    // Logging
+    logLevel: process.env.LOG_LEVEL || 'info'
+};

package/dist/src/index.js

@@ -0,0 +1,39 @@
+/**
+ * Main exports for the Nostr Auth Middleware package
+ * @module @maiqr/nostr-auth-enroll
+ */
+// Core middleware
+import { NostrAuthMiddleware } from './middleware/nostr-auth.middleware.js';
+// Re-export middleware
+export { NostrAuthMiddleware };
+// Crypto utilities
+export { generateChallenge, generateEventHash, getPublicKey, verifySignature } from './utils/crypto.utils.js';
+// Services
+export { NostrService } from './services/nostr.service.js';
+// Validators
+export { NostrEventValidator } from './validators/event.validator.js';
+// Configuration
+export { config } from './config.js';
+/**
+ * Create and configure a new Nostr Auth Middleware instance
+ * @param config Configuration options for the middleware
+ * @returns Configured NostrAuthMiddleware instance
+ *
+ * @example
+ * ```typescript
+ * import { createNostrAuth } from '@maiqr/nostr-auth-enroll';
+ *
+ * const nostrAuth = createNostrAuth({
+ *   supabaseUrl: process.env.SUPABASE_URL,
+ *   supabaseKey: process.env.SUPABASE_KEY,
+ *   privateKey: process.env.SERVER_PRIVATE_KEY
+ * });
+ *
+ * app.use('/auth/nostr', nostrAuth.router);
+ * ```
+ */
+export const createNostrAuth = (config) => {
+    return new NostrAuthMiddleware(config);
+};
+// Default export for CommonJS compatibility
+export default NostrAuthMiddleware;

package/dist/src/middleware/nostr-auth.middleware.js

@@ -0,0 +1,120 @@
+import { Router } from 'express';
+import { NostrService } from '../services/nostr.service.js';
+import { createLogger } from '../utils/logger.js';
+const logger = createLogger('NostrAuthMiddleware');
+export class NostrAuthMiddleware {
+    constructor(config) {
+        this.config = config;
+        this.router = Router();
+        this.nostrService = new NostrService(config);
+        this.setupRoutes();
+    }
+    setupRoutes() {
+        this.router.post('/challenge', this.handleChallenge.bind(this));
+        this.router.post('/verify', this.handleVerify.bind(this));
+        this.router.post('/enroll', this.handleEnroll.bind(this));
+        this.router.post('/enroll/verify', this.handleVerifyEnrollment.bind(this));
+        this.router.get('/profile/:pubkey', this.handleProfileFetch.bind(this));
+    }
+    async handleChallenge(req, res, next) {
+        try {
+            const { pubkey } = req.body;
+            if (!pubkey) {
+                res.status(400).json({ error: 'Missing pubkey' });
+                return;
+            }
+            logger.info('Creating challenge for pubkey:', pubkey);
+            const challenge = await this.nostrService.createChallenge(pubkey);
+            logger.info('Challenge created:', challenge);
+            // Format response to match test expectations
+            res.json({
+                event: challenge.event,
+                challengeId: challenge.id
+            });
+        }
+        catch (error) {
+            logger.error('Failed to create challenge:', error);
+            res.status(500).json({ error: 'Failed to create challenge' });
+        }
+    }
+    async handleVerify(req, res, next) {
+        try {
+            const { challengeId, signedEvent } = req.body;
+            if (!challengeId || !signedEvent) {
+                res.status(400).json({ error: 'Missing challengeId or signedEvent' });
+                return;
+            }
+            logger.info('Verifying challenge:', challengeId);
+            const result = await this.nostrService.verifyChallenge(challengeId, signedEvent);
+            if (result.success) {
+                res.json({
+                    success: true,
+                    token: result.token,
+                    profile: result.profile
+                });
+            }
+            else {
+                res.status(401).json({ error: 'Invalid signature' });
+            }
+        }
+        catch (error) {
+            logger.error('Failed to verify challenge:', error);
+            res.status(500).json({ error: 'Failed to verify challenge' });
+        }
+    }
+    async handleEnroll(req, res, next) {
+        try {
+            const { pubkey } = req.body;
+            if (!pubkey) {
+                res.status(400).json({ error: 'Missing pubkey' });
+                return;
+            }
+            logger.info('Starting enrollment for pubkey:', pubkey);
+            const enrollment = await this.nostrService.startEnrollment(pubkey);
+            logger.info('Enrollment started:', enrollment);
+            res.json({ enrollment });
+        }
+        catch (error) {
+            logger.error('Failed to start enrollment:', error);
+            res.status(500).json({ error: 'Failed to start enrollment' });
+        }
+    }
+    async handleVerifyEnrollment(req, res, next) {
+        try {
+            const { signedEvent } = req.body;
+            if (!signedEvent) {
+                res.status(400).json({ error: 'Missing signedEvent' });
+                return;
+            }
+            logger.info('Verifying enrollment:', signedEvent);
+            const result = await this.nostrService.verifyEnrollment(signedEvent);
+            if (!result.success) {
+                res.status(401).json({ error: result.message });
+                return;
+            }
+            res.json(result);
+        }
+        catch (error) {
+            logger.error('Failed to verify enrollment:', error);
+            res.status(500).json({ error: 'Failed to verify enrollment' });
+        }
+    }
+    async handleProfileFetch(req, res, next) {
+        try {
+            const { pubkey } = req.params;
+            if (!pubkey) {
+                res.status(400).json({ error: 'Public key is required' });
+                return;
+            }
+            const profile = await this.nostrService.fetchProfile(pubkey);
+            res.json(profile);
+        }
+        catch (error) {
+            logger.error('Profile fetch failed:', error);
+            res.status(500).json({ error: 'Failed to fetch profile' });
+        }
+    }
+    getRouter() {
+        return this.router;
+    }
+}

package/dist/src/middleware/security.middleware.js

@@ -0,0 +1,55 @@
+import rateLimit from 'express-rate-limit';
+import { createLogger } from '../utils/logger.js';
+const logger = createLogger('SecurityMiddleware');
+// API Key validation
+export const validateApiKey = (req, res, next) => {
+    const apiKey = req.header('X-API-Key');
+    const validApiKeys = process.env.API_KEYS?.split(',') || [];
+    if (!apiKey || !validApiKeys.includes(apiKey)) {
+        logger.warn(`Invalid API key attempt from IP: ${req.ip}`);
+        return res.status(401).json({ error: 'Invalid API key' });
+    }
+    next();
+};
+// IP whitelist middleware
+export const ipWhitelist = (req, res, next) => {
+    const allowedIPs = process.env.ALLOWED_IPS?.split(',').filter(Boolean) || [];
+    // If no IPs are specified, allow all
+    if (allowedIPs.length === 0) {
+        return next();
+    }
+    const clientIP = req.ip;
+    if (!clientIP || !allowedIPs.includes(clientIP)) {
+        logger.warn(`Blocked request from unauthorized IP: ${clientIP || 'unknown'}`);
+        return res.status(403).json({ error: 'Access denied' });
+    }
+    next();
+};
+// Rate limiting configuration
+export const rateLimiter = rateLimit({
+    windowMs: parseInt(process.env.RATE_LIMIT_WINDOW_MS || '900000'), // Default 15 minutes
+    max: parseInt(process.env.RATE_LIMIT_MAX_REQUESTS || '100'), // Default 100 requests per window
+    message: { error: 'Too many requests, please try again later' },
+    standardHeaders: true,
+    legacyHeaders: false,
+    handler: (req, res) => {
+        logger.warn(`Rate limit exceeded for IP: ${req.ip}`);
+        res.status(429).json({ error: 'Too many requests, please try again later' });
+    },
+});
+// Security headers middleware
+export const securityHeaders = (req, res, next) => {
+    // Strict Transport Security
+    res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+    // Content Security Policy
+    res.setHeader('Content-Security-Policy', "default-src 'self'");
+    // XSS Protection
+    res.setHeader('X-XSS-Protection', '1; mode=block');
+    // No Sniff
+    res.setHeader('X-Content-Type-Options', 'nosniff');
+    // Referrer Policy
+    res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
+    // Frame Options
+    res.setHeader('X-Frame-Options', 'DENY');
+    next();
+};

package/dist/src/server.js

@@ -0,0 +1,67 @@
+import express from 'express';
+import cors from 'cors';
+import helmet from 'helmet';
+import { createLogger } from './utils/logger.js';
+import { NostrAuthMiddleware } from './middleware/nostr-auth.middleware.js';
+import { validateApiKey, ipWhitelist, rateLimiter, securityHeaders } from './middleware/security.middleware.js';
+import { config } from './config/index.js';
+const logger = createLogger('Server');
+const app = express();
+const PORT = process.env.PORT || 3002;
+// Trust proxy if behind a reverse proxy
+app.set('trust proxy', config.security?.trustedProxies || false);
+// Security Middleware
+app.use(helmet());
+app.use(securityHeaders);
+app.use(ipWhitelist);
+app.use(rateLimiter);
+// CORS configuration
+app.use(cors({
+    origin: config.corsOrigins || '*',
+    methods: ['GET', 'POST', 'OPTIONS'],
+    allowedHeaders: ['Content-Type', 'Authorization', 'X-API-Key'],
+    credentials: true
+}));
+app.use(express.json());
+// Request logging
+app.use((req, res, next) => {
+    logger.info(`${req.method} ${req.url} from ${req.ip}`);
+    next();
+});
+// Health check endpoint (no API key required)
+app.get('/health', (req, res) => {
+    res.json({ status: 'ok', timestamp: new Date().toISOString() });
+});
+// Initialize Nostr auth middleware
+const nostrAuth = new NostrAuthMiddleware({
+    port: config.port,
+    nodeEnv: config.nodeEnv,
+    corsOrigins: config.corsOrigins,
+    nostrRelays: config.nostrRelays ?? [
+        'wss://relay.maiqr.app',
+        'wss://relay.damus.io',
+        'wss://relay.nostr.band'
+    ],
+    eventTimeoutMs: 5000,
+    challengePrefix: 'nostr:auth:',
+    supabaseUrl: config.supabaseUrl,
+    supabaseKey: config.supabaseKey,
+    jwtSecret: config.jwtSecret,
+    testMode: config.testMode,
+    privateKey: config.privateKey,
+    publicKey: config.publicKey,
+    keyManagementMode: config.keyManagementMode
+});
+// Mount Nostr auth routes with API key validation
+app.use('/auth/nostr', validateApiKey, nostrAuth.getRouter());
+// Error handling
+app.use((err, req, res, next) => {
+    logger.error('Unhandled error:', err);
+    res.status(500).json({ error: 'Internal server error' });
+});
+// Start server
+app.listen(PORT, () => {
+    logger.info(`Nostr Auth Middleware running on port ${PORT}`);
+    logger.info(`Connected to Supabase at ${config.supabaseUrl}`);
+    logger.info(`Using Nostr relays: ${config.nostrRelays?.join(', ') ?? 'default relays'}`);
+});