Merge remote-tracking branch 'origin/main' into push

deno.json

@@ -15,14 +15,22 @@
     "admin:event": "deno run -A scripts/admin-event.ts",
     "admin:role": "deno run -A scripts/admin-role.ts",
     "setup": "deno run -A scripts/setup.ts",
+    "setup:kind0": "deno run -A scripts/setup-kind0.ts",
     "stats:recompute": "deno run -A scripts/stats-recompute.ts",
     "soapbox": "curl -O https://dl.soapbox.pub/main/soapbox.zip && mkdir -p public && mv soapbox.zip public/ && cd public/ && unzip -o soapbox.zip && rm soapbox.zip",
     "trends": "deno run -A scripts/trends.ts",
     "clean:deps": "deno cache --reload src/app.ts",
     "db:populate-search": "deno run -A scripts/db-populate-search.ts"
   },
-  "unstable": ["cron", "ffi", "kv", "worker-options"],
-  "exclude": ["./public"],
+  "unstable": [
+    "cron",
+    "ffi",
+    "kv",
+    "worker-options"
+  ],
+  "exclude": [
+    "./public"
+  ],
   "imports": {
     "@/": "./src/",
     "@b-fuze/deno-dom": "jsr:@b-fuze/deno-dom@^0.1.47",
@@ -67,10 +75,10 @@
     "linkify-string": "npm:linkify-string@^4.1.1",
     "linkifyjs": "npm:linkifyjs@^4.1.1",
     "lru-cache": "npm:lru-cache@^10.2.2",
-    "nostr-relaypool": "npm:nostr-relaypool2@0.6.34",
     "nostr-tools": "npm:nostr-tools@2.5.1",
     "nostr-wasm": "npm:nostr-wasm@^0.1.0",
     "path-to-regexp": "npm:path-to-regexp@^7.1.0",
+    "png-to-ico": "npm:png-to-ico@^2.1.8",
     "postgres": "https://gitlab.com/soapbox-pub/postgres.js/-/raw/e79d7d2039446fbf7a37d4eca0d17e94a94b8b53/deno/mod.js",
     "prom-client": "npm:prom-client@^15.1.2",
     "question-deno": "https://raw.githubusercontent.com/ocpu/question-deno/10022b8e52555335aa510adb08b0a300df3cf904/mod.ts",
@@ -82,14 +90,24 @@
     "~/fixtures/": "./fixtures/"
   },
   "lint": {
-    "include": ["src/", "scripts/"],
+    "include": [
+      "src/",
+      "scripts/"
+    ],
     "rules": {
-      "tags": ["recommended"],
-      "exclude": ["no-explicit-any"]
+      "tags": [
+        "recommended"
+      ],
+      "exclude": [
+        "no-explicit-any"
+      ]
     }
   },
   "fmt": {
-    "include": ["src/", "scripts/"],
+    "include": [
+      "src/",
+      "scripts/"
+    ],
     "useTabs": false,
     "lineWidth": 120,
     "indentWidth": 2,

deno.lock

@@ -97,12 +97,12 @@
       "npm:lint-staged": "npm:lint-staged@15.2.2",
       "npm:lru-cache@^10.2.0": "npm:lru-cache@10.2.2",
       "npm:lru-cache@^10.2.2": "npm:lru-cache@10.2.2",
-      "npm:nostr-relaypool2@0.6.34": "npm:nostr-relaypool2@0.6.34",
       "npm:nostr-tools@2.5.1": "npm:nostr-tools@2.5.1",
       "npm:nostr-tools@^2.5.0": "npm:nostr-tools@2.5.1",
       "npm:nostr-tools@^2.7.0": "npm:nostr-tools@2.7.0",
       "npm:nostr-wasm@^0.1.0": "npm:nostr-wasm@0.1.0",
       "npm:path-to-regexp@^7.1.0": "npm:path-to-regexp@7.1.0",
+      "npm:png-to-ico@^2.1.8": "npm:png-to-ico@2.1.8",
       "npm:postgres@3.4.4": "npm:postgres@3.4.4",
       "npm:prom-client@^15.1.2": "npm:prom-client@15.1.2",
       "npm:tldts@^6.0.14": "npm:tldts@6.1.18",
@@ -582,10 +582,6 @@
         "integrity": "sha512-RQgQ4uQ+pLbqXfOmieB91ejmLwvSgv9nLx6sT6sD83s7umBypgg+OIBOBbEUiJXrfpnp9j0mRhYYdzp9uqq3lA==",
         "dependencies": {}
       },
-      "@noble/ciphers@0.2.0": {
-        "integrity": "sha512-6YBxJDAapHSdd3bLDv6x2wRPwq4QFMUaB3HvljNBUTThDd12eSm7/3F+2lnfzx2jvM+S6Nsy0jEt9QbPqSwqRw==",
-        "dependencies": {}
-      },
       "@noble/ciphers@0.5.3": {
         "integrity": "sha512-B0+6IIHiqEs3BPMT0hcRmHvEj2QHOLu+uwt+tqDDeVd0oyVzh7BPrDcPjRnV1PV/5LaknXJJQvOuRGR0zQJz+w==",
         "dependencies": {}
@@ -672,6 +668,10 @@
           "@types/trusted-types": "@types/trusted-types@2.0.7"
         }
       },
+      "@types/node@17.0.45": {
+        "integrity": "sha512-w+tIMs3rq2afQdsPJlODhoUEKzFP1ayaoyl1CcnwtIlsVe7K7bA1NGm4s3PraqTLlXnbIN84zuBlxBWo1u9BLw==",
+        "dependencies": {}
+      },
       "@types/node@18.16.19": {
         "integrity": "sha512-IXl7o+R9iti9eBW4Wg2hx1xQDig183jj7YLn8F7udNceyfkbn1ZxmzZXuak20gR40D7pIkIY1kYGx5VIGbaHKA==",
         "dependencies": {}
@@ -983,12 +983,6 @@
           "jsdom": "jsdom@24.0.0"
         }
       },
-      "isomorphic-ws@5.0.0_ws@8.17.0": {
-        "integrity": "sha512-muId7Zzn9ywDsyXgTIafTry2sV3nySZeUDe6YedVd1Hvuuep5AsIlqK+XefWpYTyJG5e503F2xIuT2lcU6rCSw==",
-        "dependencies": {
-          "ws": "ws@8.17.0"
-        }
-      },
       "jsdom@24.0.0": {
         "integrity": "sha512-UDS2NayCvmXSXVP6mpTj+73JnNQadZlr9N68189xib2tx5Mls7swlTNao26IoHv46BZJFvXygyRtyXd1feAk1A==",
         "dependencies": {
@@ -1131,6 +1125,10 @@
         "integrity": "sha512-vqiC06CuhBTUdZH+RYl8sFrL096vA45Ok5ISO6sE/Mr1jRbGH4Csnhi8f3wKVl7x8mO4Au7Ir9D3Oyv1VYMFJw==",
         "dependencies": {}
       },
+      "minimist@1.2.8": {
+        "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==",
+        "dependencies": {}
+      },
       "ms@2.1.2": {
         "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==",
         "dependencies": {}
@@ -1145,25 +1143,6 @@
           "whatwg-url": "whatwg-url@5.0.0"
         }
       },
-      "nostr-relaypool2@0.6.34": {
-        "integrity": "sha512-e3FDh9w/wQkY513mvoJps1Hc/Y5wiWXeBM6MD+YKSyAg+px+/8uHSSHAuHhlavw7oOEOvEsIGlMDMc57DG3MOA==",
-        "dependencies": {
-          "isomorphic-ws": "isomorphic-ws@5.0.0_ws@8.17.0",
-          "nostr-tools": "nostr-tools@1.17.0",
-          "safe-stable-stringify": "safe-stable-stringify@2.4.3"
-        }
-      },
-      "nostr-tools@1.17.0": {
-        "integrity": "sha512-LZmR8GEWKZeElbFV5Xte75dOeE9EFUW/QLI1Ncn3JKn0kFddDKEfBbFN8Mu4TMs+L4HR/WTPha2l+PPuRnJcMw==",
-        "dependencies": {
-          "@noble/ciphers": "@noble/ciphers@0.2.0",
-          "@noble/curves": "@noble/curves@1.1.0",
-          "@noble/hashes": "@noble/hashes@1.3.1",
-          "@scure/base": "@scure/base@1.1.1",
-          "@scure/bip32": "@scure/bip32@1.3.1",
-          "@scure/bip39": "@scure/bip39@1.2.1"
-        }
-      },
       "nostr-tools@2.5.1": {
         "integrity": "sha512-bpkhGGAhdiCN0irfV+xoH3YP5CQeOXyXzUq7SYeM6D56xwTXZCPEmBlUGqFVfQidvRsoVeVxeAiOXW2c2HxoRQ==",
         "dependencies": {
@@ -1240,6 +1219,18 @@
         "integrity": "sha512-eG2dWTVw5bzqGRztnHExczNxt5VGsE6OwTeCG3fdUf9KBsZzO3R5OIIIzWR+iZA0NtZ+RDVdaoE2dK1cn6jH4g==",
         "dependencies": {}
       },
+      "png-to-ico@2.1.8": {
+        "integrity": "sha512-Nf+IIn/cZ/DIZVdGveJp86NG5uNib1ZXMiDd/8x32HCTeKSvgpyg6D/6tUBn1QO/zybzoMK0/mc3QRgAyXdv9w==",
+        "dependencies": {
+          "@types/node": "@types/node@17.0.45",
+          "minimist": "minimist@1.2.8",
+          "pngjs": "pngjs@6.0.0"
+        }
+      },
+      "pngjs@6.0.0": {
+        "integrity": "sha512-TRzzuFRRmEoSW/p1KVAmiOgPco2Irlah+bGFCeNfJXxxYGwSw7YwAOAcd7X28K/m5bjBWKsC29KyoMfHbypayg==",
+        "dependencies": {}
+      },
       "postgres@3.4.4": {
         "integrity": "sha512-IbyN+9KslkqcXa8AO9fxpk97PA4pzewvpi2B3Dwy9u4zpV32QicaEdgmF3eSQUzdRk7ttDHQejNgAEr4XoeH4A==",
         "dependencies": {}
@@ -1282,10 +1273,6 @@
         "integrity": "sha512-APM0Gt1KoXBz0iIkkdB/kfvGOwC4UuJFeG/c+yV7wSc7q96cG/kJ0HiYCnzivD9SB53cLV1MlHFNfOuPaadYSw==",
         "dependencies": {}
       },
-      "safe-stable-stringify@2.4.3": {
-        "integrity": "sha512-e2bDA2WJT0wxseVd4lsDP4+3ONX6HpMXQa1ZhFQ7SU+GjvORCmShbCMltrtIDfkYhVHrOcPtj+KhmDBdPdZD1g==",
-        "dependencies": {}
-      },
       "safer-buffer@2.1.2": {
         "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
         "dependencies": {}
@@ -2162,10 +2149,10 @@
       "npm:linkify-string@^4.1.1",
       "npm:linkifyjs@^4.1.1",
       "npm:lru-cache@^10.2.2",
-      "npm:nostr-relaypool2@0.6.34",
       "npm:nostr-tools@2.5.1",
       "npm:nostr-wasm@^0.1.0",
       "npm:path-to-regexp@^7.1.0",
+      "npm:png-to-ico@^2.1.8",
       "npm:prom-client@^15.1.2",
       "npm:tldts@^6.0.14",
       "npm:tseep@^1.2.1",

scripts/setup-kind0.ts

@@ -0,0 +1,70 @@
+import { AdminSigner } from '@/signers/AdminSigner.ts';
+import { Command } from 'commander';
+import { NostrEvent } from 'nostr-tools';
+import { nostrNow } from '@/utils.ts';
+import { Buffer } from 'node:buffer';
+import { Conf } from '@/config.ts';
+import pngToIco from 'png-to-ico';
+import { Storages } from '@/storages.ts';
+
+function die(code: number, ...args: any[]) {
+  console.error(...args);
+  Deno.exit(code);
+}
+
+if (import.meta.main) {
+  const kind0 = new Command()
+    .name('setup:kind0')
+    .description('Set up / change the kind 0 for a Ditto instance.')
+    .version('0.1.0')
+    .showHelpAfterError();
+
+  kind0
+    .argument('<name>', 'The name of the Ditto instance. Can just be your hostname.')
+    .option(
+      '-l --lightning <lud16 address>',
+      'Lightning address for the server. Can just be your own lightning address.',
+    )
+    .option('-a --about <string>', 'About text. This shows up whenever a description for your server is needed.')
+    .option('-i --image <string>', 'Image URL to use for OpenGraph previews and favicon.')
+    .action(async (name, args) => {
+      const { lightning, about, image } = args;
+      const content: Record<string, string | boolean> = {};
+      if (!name || !name.trim()) die(1, 'You must atleast supply a name!');
+      content.bot = true;
+      content.about = about;
+      content.lud16 = lightning;
+      content.name = name;
+      content.picture = image;
+      content.website = Conf.localDomain;
+
+      const signer = new AdminSigner();
+      const bare: Omit<NostrEvent, 'id' | 'sig' | 'pubkey'> = {
+        created_at: nostrNow(),
+        kind: 0,
+        tags: [],
+        content: JSON.stringify(content),
+      };
+      const signed = await signer.signEvent(bare);
+      if (image) {
+        try {
+          await fetch(image)
+            .then((res) => {
+              if (!res.ok) throw new Error('Error attempting to fetch favicon.');
+              if (res.headers.get('content-type') !== 'image/png') throw new Error('Non-png images are not supported!');
+              return res.blob();
+            })
+            .then(async (blob) =>
+              await pngToIco(Buffer.from(await blob.arrayBuffer()))
+                .then(async (buf) => await Deno.writeFile('./public/favicon.ico', buf))
+            );
+        } catch (e) {
+          die(1, `Error generating favicon from url ${image}: "${e}". Please check this or try again without --image.`);
+        }
+      }
+      console.log({ content, signed });
+      await Storages.db().then((store) => store.event(signed));
+    });
+
+  await kind0.parseAsync();
+}

src/controllers/api/oauth.ts

@@ -1,14 +1,14 @@
 import { NConnectSigner, NSchema as n, NSecSigner } from '@nostrify/nostrify';
-import { bech32 } from '@scure/base';
 import { escape } from 'entities';
-import { generateSecretKey, getPublicKey } from 'nostr-tools';
+import { generateSecretKey } from 'nostr-tools';
 import { z } from 'zod';
 
 import { AppController } from '@/app.ts';
 import { Conf } from '@/config.ts';
+import { Storages } from '@/storages.ts';
 import { nostrNow } from '@/utils.ts';
 import { parseBody } from '@/utils/api.ts';
-import { Storages } from '@/storages.ts';
+import { encryptSecretKey, generateToken } from '@/utils/auth.ts';
 
 const passwordGrantSchema = z.object({
   grant_type: z.literal('password'),
@@ -82,38 +82,30 @@ async function getToken(
   { pubkey, secret, relays = [] }: { pubkey: string; secret?: string; relays?: string[] },
 ): Promise<`token1${string}`> {
   const kysely = await Storages.kysely();
-  const token = generateToken();
+  const { token, hash } = await generateToken();
 
-  const serverSeckey = generateSecretKey();
-  const serverPubkey = getPublicKey(serverSeckey);
+  const nip46Seckey = generateSecretKey();
 
   const signer = new NConnectSigner({
     pubkey,
-    signer: new NSecSigner(serverSeckey),
+    signer: new NSecSigner(nip46Seckey),
     relay: await Storages.pubsub(), // TODO: Use the relays from the request.
     timeout: 60_000,
   });
 
   await signer.connect(secret);
 
-  await kysely.insertInto('nip46_tokens').values({
-    api_token: token,
-    user_pubkey: pubkey,
-    server_seckey: serverSeckey,
-    server_pubkey: serverPubkey,
-    relays: JSON.stringify(relays),
-    connected_at: new Date(),
+  await kysely.insertInto('auth_tokens').values({
+    token_hash: hash,
+    pubkey,
+    nip46_sk_enc: await encryptSecretKey(Conf.seckey, nip46Seckey),
+    nip46_relays: relays,
+    created_at: new Date(),
   }).execute();
 
   return token;
 }
 
-/** Generate a bech32 token for the API. */
-function generateToken(): `token1${string}` {
-  const words = bech32.toWords(generateSecretKey());
-  return bech32.encode('token', words);
-}
-
 /** Display the OAuth form. */
 const oauthController: AppController = (c) => {
   const encodedUri = c.req.query('redirect_uri');

src/controllers/api/streaming.ts

@@ -14,6 +14,7 @@ import { MuteListPolicy } from '@/policies/MuteListPolicy.ts';
 import { getFeedPubkeys } from '@/queries.ts';
 import { hydrateEvents } from '@/storages/hydrate.ts';
 import { Storages } from '@/storages.ts';
+import { getTokenHash } from '@/utils/auth.ts';
 import { bech32ToPubkey, Time } from '@/utils.ts';
 import { renderReblog, renderStatus } from '@/views/mastodon/statuses.ts';
 import { renderNotification } from '@/views/mastodon/notifications.ts';
@@ -233,14 +234,15 @@ async function topicToFilter(
 async function getTokenPubkey(token: string): Promise<string | undefined> {
   if (token.startsWith('token1')) {
     const kysely = await Storages.kysely();
+    const tokenHash = await getTokenHash(token as `token1${string}`);
 
-    const { user_pubkey } = await kysely
-      .selectFrom('nip46_tokens')
-      .select(['user_pubkey', 'server_seckey', 'relays'])
-      .where('api_token', '=', token)
+    const { pubkey } = await kysely
+      .selectFrom('auth_tokens')
+      .select('pubkey')
+      .where('token_hash', '=', tokenHash)
       .executeTakeFirstOrThrow();
 
-    return user_pubkey;
+    return pubkey;
   } else {
     return bech32ToPubkey(token);
   }

src/db/DittoTables.ts

@@ -4,7 +4,7 @@ import { NPostgresSchema } from '@nostrify/db';
 
 export interface DittoTables extends NPostgresSchema {
   nostr_events: NostrEventsRow;
-  nip46_tokens: NIP46TokenRow;
+  auth_tokens: AuthTokenRow;
   author_stats: AuthorStatsRow;
   event_stats: EventStatsRow;
   pubkey_domains: PubkeyDomainRow;
@@ -34,13 +34,12 @@ interface EventStatsRow {
   zaps_amount: number;
 }
 
-interface NIP46TokenRow {
-  api_token: string;
-  user_pubkey: string;
-  server_seckey: Uint8Array;
-  server_pubkey: string;
-  relays: string;
-  connected_at: Date;
+interface AuthTokenRow {
+  token_hash: Uint8Array;
+  pubkey: string;
+  nip46_sk_enc: Uint8Array;
+  nip46_relays: string[];
+  created_at: Date;
 }
 
 interface PubkeyDomainRow {

src/db/migrations/037_auth_tokens.ts

@@ -0,0 +1,62 @@
+import { Kysely, sql } from 'kysely';
+
+import { encryptSecretKey, getTokenHash } from '@/utils/auth.ts';
+import { Conf } from '@/config.ts';
+
+interface DB {
+  nip46_tokens: {
+    api_token: `token1${string}`;
+    user_pubkey: string;
+    server_seckey: Uint8Array;
+    server_pubkey: string;
+    relays: string;
+    connected_at: Date;
+  };
+  auth_tokens: {
+    token_hash: Uint8Array;
+    pubkey: string;
+    nip46_sk_enc: Uint8Array;
+    nip46_relays: string[];
+    created_at: Date;
+  };
+}
+
+export async function up(db: Kysely<DB>): Promise<void> {
+  await db.schema
+    .createTable('auth_tokens')
+    .addColumn('token_hash', 'bytea', (col) => col.primaryKey())
+    .addColumn('pubkey', 'char(64)', (col) => col.notNull())
+    .addColumn('nip46_sk_enc', 'bytea', (col) => col.notNull())
+    .addColumn('nip46_relays', 'jsonb', (col) => col.defaultTo('[]'))
+    .addColumn('created_at', 'timestamp', (col) => col.defaultTo(sql`CURRENT_TIMESTAMP`))
+    .execute();
+
+  // There are probably not that many tokens in the database yet, so this should be fine.
+  const tokens = await db.selectFrom('nip46_tokens').selectAll().execute();
+
+  for (const token of tokens) {
+    await db.insertInto('auth_tokens').values({
+      token_hash: await getTokenHash(token.api_token),
+      pubkey: token.user_pubkey,
+      nip46_sk_enc: await encryptSecretKey(Conf.seckey, token.server_seckey),
+      nip46_relays: JSON.parse(token.relays),
+      created_at: token.connected_at,
+    }).execute();
+  }
+
+  await db.schema.dropTable('nip46_tokens').execute();
+}
+
+export async function down(db: Kysely<DB>): Promise<void> {
+  await db.schema.dropTable('auth_tokens').execute();
+
+  await db.schema
+    .createTable('nip46_tokens')
+    .addColumn('api_token', 'text', (col) => col.primaryKey().unique().notNull())
+    .addColumn('user_pubkey', 'text', (col) => col.notNull())
+    .addColumn('server_seckey', 'bytea', (col) => col.notNull())
+    .addColumn('server_pubkey', 'text', (col) => col.notNull())
+    .addColumn('relays', 'text', (col) => col.defaultTo('[]'))
+    .addColumn('connected_at', 'timestamp', (col) => col.defaultTo(sql`CURRENT_TIMESTAMP`))
+    .execute();
+}

src/middleware/signerMiddleware.ts

@@ -3,9 +3,11 @@ import { NSecSigner } from '@nostrify/nostrify';
 import { nip19 } from 'nostr-tools';
 
 import { AppMiddleware } from '@/app.ts';
+import { Conf } from '@/config.ts';
 import { ConnectSigner } from '@/signers/ConnectSigner.ts';
 import { ReadOnlySigner } from '@/signers/ReadOnlySigner.ts';
 import { Storages } from '@/storages.ts';
+import { decryptSecretKey, getTokenHash } from '@/utils/auth.ts';
 
 /** We only accept "Bearer" type. */
 const BEARER_REGEX = new RegExp(`^Bearer (${nip19.BECH32_REGEX.source})$`);
@@ -21,14 +23,17 @@ export const signerMiddleware: AppMiddleware = async (c, next) => {
     if (bech32.startsWith('token1')) {
       try {
         const kysely = await Storages.kysely();
+        const tokenHash = await getTokenHash(bech32 as `token1${string}`);
 
-        const { user_pubkey, server_seckey, relays } = await kysely
-          .selectFrom('nip46_tokens')
-          .select(['user_pubkey', 'server_seckey', 'relays'])
-          .where('api_token', '=', bech32)
+        const { pubkey, nip46_sk_enc, nip46_relays } = await kysely
+          .selectFrom('auth_tokens')
+          .select(['pubkey', 'nip46_sk_enc', 'nip46_relays'])
+          .where('token_hash', '=', tokenHash)
           .executeTakeFirstOrThrow();
 
-        c.set('signer', new ConnectSigner(user_pubkey, new NSecSigner(server_seckey), JSON.parse(relays)));
+        const nep46Seckey = await decryptSecretKey(Conf.seckey, nip46_sk_enc);
+
+        c.set('signer', new ConnectSigner(pubkey, new NSecSigner(nep46Seckey), nip46_relays));
       } catch {
         throw new HTTPException(401);
       }

src/utils.ts

@@ -64,20 +64,6 @@ function findTag(tags: string[][], name: string): string[] | undefined {
   return tags.find((tag) => tag[0] === name);
 }
 
-/**
- * Get sha256 hash (hex) of some text.
- * https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest#converting_a_digest_to_a_hex_string
- */
-async function sha256(message: string): Promise<string> {
-  const msgUint8 = new TextEncoder().encode(message);
-  const hashBuffer = await crypto.subtle.digest('SHA-256', msgUint8);
-  const hashArray = Array.from(new Uint8Array(hashBuffer));
-  const hashHex = hashArray
-    .map((b) => b.toString(16).padStart(2, '0'))
-    .join('');
-  return hashHex;
-}
-
 /** Test whether the value is a Nostr ID. */
 function isNostrId(value: unknown): boolean {
   return n.id().safeParse(value).success;
@@ -88,6 +74,6 @@ function isURL(value: unknown): boolean {
   return z.string().url().safeParse(value).success;
 }
 
-export { bech32ToPubkey, eventAge, findTag, isNostrId, isURL, type Nip05, nostrDate, nostrNow, parseNip05, sha256 };
+export { bech32ToPubkey, eventAge, findTag, isNostrId, isURL, type Nip05, nostrDate, nostrNow, parseNip05 };
 
 export { Time } from '@/utils/time.ts';

src/utils/auth.bench.ts

@@ -0,0 +1,28 @@
+import { generateSecretKey } from 'nostr-tools';
+
+import { decryptSecretKey, encryptSecretKey, generateToken, getTokenHash } from '@/utils/auth.ts';
+
+Deno.bench('generateToken', async () => {
+  await generateToken();
+});
+
+Deno.bench('getTokenHash', async (b) => {
+  const { token } = await generateToken();
+  b.start();
+  await getTokenHash(token);
+});
+
+Deno.bench('encryptSecretKey', async (b) => {
+  const sk = generateSecretKey();
+  const decrypted = generateSecretKey();
+  b.start();
+  await encryptSecretKey(sk, decrypted);
+});
+
+Deno.bench('decryptSecretKey', async (b) => {
+  const sk = generateSecretKey();
+  const decrypted = generateSecretKey();
+  const encrypted = await encryptSecretKey(sk, decrypted);
+  b.start();
+  await decryptSecretKey(sk, encrypted);
+});

src/utils/auth.test.ts

@@ -0,0 +1,29 @@
+import { assertEquals } from '@std/assert';
+import { decodeHex, encodeHex } from '@std/encoding/hex';
+import { generateSecretKey } from 'nostr-tools';
+
+import { decryptSecretKey, encryptSecretKey, generateToken, getTokenHash } from '@/utils/auth.ts';
+
+Deno.test('generateToken', async () => {
+  const sk = decodeHex('a0968751df8fd42f362213f08751911672f2a037113b392403bbb7dd31b71c95');
+
+  const { token, hash } = await generateToken(sk);
+
+  assertEquals(token, 'token15ztgw5wl3l2z7d3zz0cgw5v3zee09gphzyanjfqrhwma6vdhrj2sauwknd');
+  assertEquals(encodeHex(hash), 'ab4c4ead4d1c72a38fffd45b999937b7e3f25f867b19aaf252df858e77b66a8a');
+});
+
+Deno.test('getTokenHash', async () => {
+  const hash = await getTokenHash('token15ztgw5wl3l2z7d3zz0cgw5v3zee09gphzyanjfqrhwma6vdhrj2sauwknd');
+  assertEquals(encodeHex(hash), 'ab4c4ead4d1c72a38fffd45b999937b7e3f25f867b19aaf252df858e77b66a8a');
+});
+
+Deno.test('encryptSecretKey & decryptSecretKey', async () => {
+  const sk = generateSecretKey();
+  const data = generateSecretKey();
+
+  const encrypted = await encryptSecretKey(sk, data);
+  const decrypted = await decryptSecretKey(sk, encrypted);
+
+  assertEquals(encodeHex(decrypted), encodeHex(data));
+});

src/utils/auth.ts

@@ -0,0 +1,54 @@
+import { bech32 } from '@scure/base';
+import { generateSecretKey } from 'nostr-tools';
+
+/**
+ * Generate an auth token for the API.
+ *
+ * Returns a bech32 encoded API token and the SHA-256 hash of the bytes.
+ * The token should be presented to the user, but only the hash should be stored in the database.
+ */
+export async function generateToken(sk = generateSecretKey()): Promise<{ token: `token1${string}`; hash: Uint8Array }> {
+  const words = bech32.toWords(sk);
+  const token = bech32.encode('token', words);
+
+  const buffer = await crypto.subtle.digest('SHA-256', sk);
+  const hash = new Uint8Array(buffer);
+
+  return { token, hash };
+}
+
+/**
+ * Get the SHA-256 hash of an API token.
+ * First decodes from bech32 then hashes the bytes.
+ * Used to identify the user in the database by the hash of their token.
+ */
+export async function getTokenHash(token: `token1${string}`): Promise<Uint8Array> {
+  const { bytes: sk } = bech32.decodeToBytes(token);
+  const buffer = await crypto.subtle.digest('SHA-256', sk);
+
+  return new Uint8Array(buffer);
+}
+
+/**
+ * Encrypt a secret key with AES-GCM.
+ * This function is used to store the secret key in the database.
+ */
+export async function encryptSecretKey(sk: Uint8Array, decrypted: Uint8Array): Promise<Uint8Array> {
+  const secretKey = await crypto.subtle.importKey('raw', sk, { name: 'AES-GCM' }, false, ['encrypt']);
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const buffer = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, secretKey, decrypted);
+
+  return new Uint8Array([...iv, ...new Uint8Array(buffer)]);
+}
+
+/**
+ * Decrypt a secret key with AES-GCM.
+ * This function is used to retrieve the secret key from the database.
+ */
+export async function decryptSecretKey(sk: Uint8Array, encrypted: Uint8Array): Promise<Uint8Array> {
+  const secretKey = await crypto.subtle.importKey('raw', sk, { name: 'AES-GCM' }, false, ['decrypt']);
+  const iv = encrypted.slice(0, 12);
+  const buffer = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, secretKey, encrypted.slice(12));
+
+  return new Uint8Array(buffer);
+}

src/utils/nip98.ts

@@ -1,9 +1,10 @@
 import { NostrEvent, NSchema as n } from '@nostrify/nostrify';
+import { encodeHex } from '@std/encoding/hex';
 import { EventTemplate, nip13 } from 'nostr-tools';
 
 import { decode64Schema } from '@/schema.ts';
 import { signedEventSchema } from '@/schemas/nostr.ts';
-import { eventAge, findTag, nostrNow, sha256 } from '@/utils.ts';
+import { eventAge, findTag, nostrNow } from '@/utils.ts';
 import { Time } from '@/utils/time.ts';
 
 /** Decode a Nostr event from a base64 encoded string. */
@@ -41,11 +42,10 @@ function validateAuthEvent(req: Request, event: NostrEvent, opts: ParseAuthReque
     .refine((event) => pow ? nip13.getPow(event.id) >= pow : true, 'Insufficient proof of work')
     .refine(validateBody, 'Event payload does not match request body');
 
-  function validateBody(event: NostrEvent) {
+  async function validateBody(event: NostrEvent): Promise<boolean> {
     if (!validatePayload) return true;
-    return req.clone().text()
-      .then(sha256)
-      .then((hash) => hash === tagValue(event, 'payload'));
+    const payload = await getPayload(req);
+    return payload === tagValue(event, 'payload');
   }
 
   return schema.safeParseAsync(event);
@@ -62,7 +62,7 @@ async function buildAuthEventTemplate(req: Request, opts: ParseAuthRequestOpts =
   ];
 
   if (validatePayload) {
-    const payload = await req.clone().text().then(sha256);
+    const payload = await getPayload(req);
     tags.push(['payload', payload]);
   }
 
@@ -74,6 +74,14 @@ async function buildAuthEventTemplate(req: Request, opts: ParseAuthRequestOpts =
   };
 }
 
+/** Get a SHA-256 hash of the request body encoded as a hex string. */
+async function getPayload(req: Request): Promise<string> {
+  const text = await req.clone().text();
+  const bytes = new TextEncoder().encode(text);
+  const buffer = await crypto.subtle.digest('SHA-256', bytes);
+  return encodeHex(buffer);
+}
+
 /** Get the value for the first matching tag name in the event. */
 function tagValue(event: NostrEvent, tagName: string): string | undefined {
   return findTag(event.tags, tagName)?.[1];