npm - signet-login - Versions diffs - 0.4.0 → 0.5.0 - Mend

signet-login 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/modal.js +82 -1
package/dist/signers.d.ts +22 -0
package/dist/signers.js +67 -0
package/dist/signet-login.iife.js +43 -32
package/dist/signet-login.js +6 -0
package/dist/types.d.ts +1 -1
package/package.json +1 -1

package/dist/modal.js CHANGED Viewed

@@ -5,7 +5,7 @@
  * top-layer placement, theme-aware colours, no third-party UI deps.
  */
 import { DEFAULTS } from './types.js';
-import { hasNip07, createNip07Signer, createBunkerSigner, EphemeralSigner } from './signers.js';
+import { hasNip07, createNip07Signer, createBunkerSigner, EphemeralSigner, createLocalSignerFromNsec } from './signers.js';
 import { waitForAuthResponse } from 'signet-verify';
 import { schnorr } from '@noble/curves/secp256k1';
 import { bytesToHex } from '@noble/hashes/utils';
@@ -69,6 +69,7 @@ function renderPicker(refs, appName, theme) {
       <button data-choice="redirect" style="${buttonStyle(dark)}"><span style="font-size:1.2rem;">🪪</span><span><strong>Sign in with Signet</strong><br><span style="font-size:0.8rem;color:${muted};">Open Signet on this device</span></span></button>
       <button data-choice="qr" style="${buttonStyle(dark)}"><span style="font-size:1.2rem;">📱</span><span><strong>Signet on another device</strong><br><span style="font-size:0.8rem;color:${muted};">Scan QR with your phone</span></span></button>
       <button data-choice="bunker" style="${buttonStyle(dark)}"><span style="font-size:1.2rem;">🔑</span><span><strong>Paste bunker URI</strong><br><span style="font-size:0.8rem;color:${muted};">For NIP-46 power users</span></span></button>
+      <button data-choice="nsec" style="${buttonStyle(dark)}"><span style="font-size:1.2rem;">⚠️</span><span><strong>Paste private key</strong><br><span style="font-size:0.8rem;color:${muted};">In-memory only — risky, last resort</span></span></button>
     </div>
     <button data-choice="cancel" style="background:none;border:0;color:${muted};padding:12px;cursor:pointer;font-size:0.85rem;margin-top:8px;">Cancel</button>
   `;
@@ -308,6 +309,63 @@ async function runBunkerFlow(refs, opts) {
         });
     });
 }
+// ── Paste nsec (in-memory only) ───────────────────────────────────────────────
+async function runNsecFlow(refs, opts) {
+    const dark = isDarkMode(opts.theme);
+    const muted = dark ? '#888' : '#666';
+    const inputBg = dark ? '#0f0f1f' : '#f5f5f8';
+    const inputFg = dark ? '#e0e0e0' : '#1a1a2e';
+    void opts;
+    refs.dialog.innerHTML = `
+    <h2 style="margin:0 0 8px;font-size:1.2rem;">Paste private key</h2>
+    <p style="margin:0 0 12px;color:#d04848;font-size:0.85rem;font-weight:600;">⚠️ Last-resort method — only paste keys you can afford to lose.</p>
+    <p style="margin:0 0 16px;color:${muted};font-size:0.8rem;line-height:1.4;">Held in memory for this session only. Cleared on page reload. Prefer a browser extension or bunker URI for any key with real value.</p>
+    <textarea id="signet-login-nsec-input" placeholder="nsec1..." rows="2" autocomplete="off" autocapitalize="off" autocorrect="off" spellcheck="false" style="width:100%;background:${inputBg};color:${inputFg};border:1px solid ${dark ? '#3a3a4e' : '#d0d0d0'};border-radius:8px;padding:10px;font-size:0.85rem;font-family:ui-monospace,monospace;box-sizing:border-box;resize:vertical;margin-bottom:12px;-webkit-text-security:disc;text-security:disc;"></textarea>
+    <p id="signet-login-nsec-status" style="margin:0 0 12px;color:${muted};font-size:0.85rem;min-height:1.2em;"></p>
+    <div style="display:flex;gap:8px;justify-content:space-between;">
+      <button data-action="back" style="${buttonStyle(dark)}width:auto;flex:0 0 auto;padding:8px 16px;">← Back</button>
+      <button data-action="connect" style="${buttonStyle(dark, true)}width:auto;flex:1;padding:8px 16px;text-align:center;">Sign in</button>
+    </div>
+  `;
+    return new Promise(resolve => {
+        let settled = false;
+        const settle = (v) => {
+            if (settled)
+                return;
+            settled = true;
+            resolve(v);
+        };
+        const input = refs.dialog.querySelector('#signet-login-nsec-input');
+        const status = refs.dialog.querySelector('#signet-login-nsec-status');
+        const connectBtn = refs.dialog.querySelector('[data-action="connect"]');
+        refs.dialog.querySelector('[data-action="back"]')?.addEventListener('click', () => {
+            if (input)
+                input.value = '';
+            settle(null);
+        });
+        connectBtn?.addEventListener('click', () => {
+            const value = input?.value ?? '';
+            if (!value.trim()) {
+                if (status)
+                    status.textContent = 'Please paste an nsec.';
+                return;
+            }
+            try {
+                const signer = createLocalSignerFromNsec(value);
+                // Wipe the textarea ASAP — the key is now in the signer.
+                if (input)
+                    input.value = '';
+                settle(signer);
+            }
+            catch (err) {
+                if (status) {
+                    status.textContent = `✗ ${err instanceof Error ? err.message : String(err)}`;
+                    status.style.color = '#d04848';
+                }
+            }
+        });
+    });
+}
 function resolveOptions(opts) {
     const challenge = opts.challenge ?? generateChallenge();
     if (!/^[0-9a-f]{64}$/i.test(challenge))
@@ -425,6 +483,29 @@ export async function showLoginModal(opts) {
                     authEvent,
                 };
             }
+            if (choice === 'nsec') {
+                const signer = await runNsecFlow(refs, resolved);
+                if (!signer) {
+                    if (resolved.preferredMethod)
+                        return null;
+                    continue;
+                }
+                const authEvent = await signer.signEvent({
+                    kind: 21236,
+                    content: '',
+                    tags: [
+                        ['challenge', resolved.challenge],
+                        ['origin', resolved.origin],
+                        ['app', resolved.appName],
+                    ],
+                });
+                return {
+                    pubkey: signer.pubkey,
+                    method: 'nsec',
+                    signer,
+                    authEvent,
+                };
+            }
             // Unknown choice — restart picker
         }
     }

package/dist/signers.d.ts CHANGED Viewed

@@ -65,6 +65,28 @@ export declare function createBunkerSigner(input: {
 }): Promise<BunkerSignerImpl>;
 /** Generate a 32-byte secret key. */
 export declare function generateSecretKey(): Uint8Array;
+/**
+ * Holds a 32-byte private key in memory, signs locally with schnorr, exposes
+ * NIP-44 via nostr-tools. The key is never persisted by this signer — the SDK
+ * will not call any storage write for an nsec session, so reloads land back
+ * on the picker. The consumer must surface the security trade-off in the UI.
+ */
+export declare class LocalSigner implements SignetSigner {
+    readonly pubkey: string;
+    private readonly privkey;
+    readonly method: "nsec";
+    readonly capabilities: SignerCapabilities;
+    readonly nip44: SignetSigner['nip44'];
+    constructor(pubkey: string, privkey: Uint8Array);
+    signEvent(template: EventTemplate): Promise<NostrEvent>;
+    close(): Promise<void>;
+}
+/**
+ * Decode a bech32 nsec into a LocalSigner. Accepts either the `nsec1...`
+ * prefix or a raw 64-char hex private key for power-user paste paths.
+ * Throws on any malformed input — caller surfaces the error to the user.
+ */
+export declare function createLocalSignerFromNsec(input: string): LocalSigner;
 /**
  * Auth-only signer returned by the redirect/QR flow before Option B is built.
  * Holds the signed challenge but cannot sign further events.

package/dist/signers.js CHANGED Viewed

@@ -6,6 +6,9 @@
  *   EphemeralSigner   — auth-only fallback when only the redirect signature is available
  */
 import { BunkerSigner, parseBunkerInput } from 'nostr-tools/nip46';
+import { finalizeEvent, getPublicKey } from 'nostr-tools/pure';
+import { decode as nip19Decode } from 'nostr-tools/nip19';
+import { encrypt as nip44Encrypt, decrypt as nip44Decrypt, getConversationKey } from 'nostr-tools/nip44';
 /** Returns true if a NIP-07 extension is present on the page. */
 export function hasNip07() {
     return typeof window !== 'undefined' && !!window.nostr && typeof window.nostr.signEvent === 'function';
@@ -106,6 +109,70 @@ export function generateSecretKey() {
     crypto.getRandomValues(sk);
     return sk;
 }
+// ── nsec (local privkey, in-memory only) ─────────────────────────────────────
+/**
+ * Holds a 32-byte private key in memory, signs locally with schnorr, exposes
+ * NIP-44 via nostr-tools. The key is never persisted by this signer — the SDK
+ * will not call any storage write for an nsec session, so reloads land back
+ * on the picker. The consumer must surface the security trade-off in the UI.
+ */
+export class LocalSigner {
+    constructor(pubkey, privkey) {
+        this.pubkey = pubkey;
+        this.privkey = privkey;
+        this.method = 'nsec';
+        this.capabilities = { canSignEvents: true, hasNip44: true };
+        this.nip44 = {
+            encrypt: async (peer, pt) => nip44Encrypt(pt, getConversationKey(this.privkey, peer)),
+            decrypt: async (peer, ct) => nip44Decrypt(ct, getConversationKey(this.privkey, peer)),
+        };
+    }
+    async signEvent(template) {
+        const filled = {
+            kind: template.kind,
+            content: template.content,
+            created_at: template.created_at ?? Math.floor(Date.now() / 1000),
+            tags: template.tags ?? [],
+        };
+        return finalizeEvent(filled, this.privkey);
+    }
+    async close() {
+        // Best-effort wipe — the engine may already have copies in CoW pages, but
+        // zeroing here at least gives a consistent shape with bunker.close().
+        this.privkey.fill(0);
+    }
+}
+/**
+ * Decode a bech32 nsec into a LocalSigner. Accepts either the `nsec1...`
+ * prefix or a raw 64-char hex private key for power-user paste paths.
+ * Throws on any malformed input — caller surfaces the error to the user.
+ */
+export function createLocalSignerFromNsec(input) {
+    const trimmed = input.trim();
+    if (!trimmed)
+        throw new Error('empty-nsec');
+    let sk;
+    if (trimmed.startsWith('nsec1')) {
+        const decoded = nip19Decode(trimmed);
+        if (decoded.type !== 'nsec')
+            throw new Error('not-an-nsec');
+        sk = decoded.data;
+    }
+    else if (/^[0-9a-f]{64}$/i.test(trimmed)) {
+        sk = new Uint8Array(32);
+        for (let i = 0; i < 32; i++)
+            sk[i] = parseInt(trimmed.slice(i * 2, i * 2 + 2), 16);
+    }
+    else {
+        throw new Error('invalid-nsec-format');
+    }
+    if (sk.length !== 32)
+        throw new Error('invalid-nsec-length');
+    const pubkey = getPublicKey(sk);
+    if (!/^[0-9a-f]{64}$/i.test(pubkey))
+        throw new Error('invalid-pubkey-from-nsec');
+    return new LocalSigner(pubkey.toLowerCase(), sk);
+}
 // ── Ephemeral (redirect-only) ─────────────────────────────────────────────────
 /**
  * Auth-only signer returned by the redirect/QR flow before Option B is built.