Make @ditto/auth and @ditto/storages packages

2025-12-06 11:29:46 +00:00 · 2025-02-17 20:51:34 -06:00 · 2025-02-17 20:51:34 -06:00 · d1f8e3b92c
commit d1f8e3b92c
parent 5210275d23
23 changed files with 158 additions and 16 deletions
--- a/deno.json
+++ b/deno.json
@ -2,6 +2,7 @@
  "version": "1.1.0",
  "workspace": [
    "./packages/api",
+    "./packages/auth",
    "./packages/conf",
    "./packages/db",
    "./packages/ditto",
@ -10,6 +11,7 @@
    "./packages/policies",
    "./packages/ratelimiter",
    "./packages/signers",
+    "./packages/storages",
    "./packages/translators",
    "./packages/uploaders",
    "./packages/utils"
--- a/packages/api/DittoMiddleware.ts
+++ b/packages/api/DittoMiddleware.ts
@ -0,0 +1,5 @@
+import type { MiddlewareHandler } from '@hono/hono';
+import type { DittoEnv } from './DittoEnv.ts';
+
+// deno-lint-ignore ban-types
+export type DittoMiddleware<T extends {}> = MiddlewareHandler<DittoEnv & { Variables: T }>;
--- a/packages/api/deno.json
+++ b/packages/api/deno.json
@ -4,6 +4,8 @@
  "exports": {
    ".": "./mod.ts",
    "./middleware": "./middleware/mod.ts",
+    "./routes": "./routes/mod.ts",
+    "./schema": "./schema.ts",
    "./views": "./views/mod.ts"
  }
 }
--- a/packages/api/middleware/mod.ts
+++ b/packages/api/middleware/mod.ts
@ -0,0 +1 @@
+export { userMiddleware } from './userMiddleware.ts';
--- a/packages/api/middleware/userMiddleware.ts
+++ b/packages/api/middleware/userMiddleware.ts
@ -0,0 +1,92 @@
+import { aesDecrypt, getTokenHash } from '@ditto/auth';
+import { ConnectSigner, ReadOnlySigner } from '@ditto/signers';
+import { HTTPException } from '@hono/hono/http-exception';
+import { type NostrSigner, NSecSigner, type NStore } from '@nostrify/nostrify';
+import { nip19 } from 'nostr-tools';
+
+import type { DittoMiddleware } from '../DittoMiddleware.ts';
+
+interface User {
+  signer: NostrSigner;
+  store: NStore;
+}
+
+interface UserMiddlewareOpts {
+  /** Returns a 401 response if no user can be determined. */
+  required?: boolean;
+  /** Whether the user must prove themselves with a NIP-98 auth challenge. */
+  privileged: boolean;
+}
+
+// @ts-ignore The types are right.
+export function userMiddleware(opts: { privileged: boolean; required: true }): DittoMiddleware<{ user: User }>;
+export function userMiddleware(opts: { privileged: true; required?: boolean }): DittoMiddleware<{ user: User }>;
+export function userMiddleware(opts: { privileged: false; required?: boolean }): DittoMiddleware<{ user?: User }>;
+export function userMiddleware(opts: { privileged?: boolean; required?: boolean }): DittoMiddleware<{ user?: User }> {
+  /** We only accept "Bearer" type. */
+  const BEARER_REGEX = new RegExp(`^Bearer (${nip19.BECH32_REGEX.source})$`);
+
+  return async (c, next) => {
+    const { conf, db, store } = c.var;
+
+    const header = c.req.header('authorization');
+    const match = header?.match(BEARER_REGEX);
+
+    let signer: NostrSigner | undefined;
+
+    if (match) {
+      const [_, bech32] = match;
+
+      if (bech32.startsWith('token1')) {
+        try {
+          const tokenHash = await getTokenHash(bech32 as `token1${string}`);
+
+          const { pubkey: userPubkey, bunker_pubkey: bunkerPubkey, nip46_sk_enc, nip46_relays } = await db.kysely
+            .selectFrom('auth_tokens')
+            .select(['pubkey', 'bunker_pubkey', 'nip46_sk_enc', 'nip46_relays'])
+            .where('token_hash', '=', tokenHash)
+            .executeTakeFirstOrThrow();
+
+          const nep46Seckey = await aesDecrypt(conf.seckey, nip46_sk_enc);
+
+          signer = new ConnectSigner({
+            bunkerPubkey,
+            userPubkey,
+            signer: new NSecSigner(nep46Seckey),
+            relays: nip46_relays,
+            relay: store,
+          });
+        } catch {
+          throw new HTTPException(401);
+        }
+      } else {
+        try {
+          const decoded = nip19.decode(bech32!);
+
+          switch (decoded.type) {
+            case 'npub':
+              signer = new ReadOnlySigner(decoded.data);
+              break;
+            case 'nprofile':
+              signer = new ReadOnlySigner(decoded.data.pubkey);
+              break;
+            case 'nsec':
+              signer = new NSecSigner(decoded.data);
+              break;
+          }
+        } catch {
+          throw new HTTPException(401);
+        }
+      }
+    }
+
+    if (signer) {
+      const user: User = { signer, store };
+      c.set('user', user);
+    } else {
+      throw new HTTPException(401);
+    }
+
+    await next();
+  };
+}
--- a/packages/api/routes/mod.ts
+++ b/packages/api/routes/mod.ts
@ -0,0 +1 @@
+export { timelinesRoute } from './timelinesRoute.ts';
--- a/packages/api/routes/timelinesRoute.ts
+++ b/packages/api/routes/timelinesRoute.ts
@ -1,4 +1,6 @@
 import { DittoRoute } from '@ditto/api';
+import { userMiddleware } from '@ditto/api/middleware';
+import { booleanParamSchema, languageSchema } from '@ditto/api/schema';
 import { z } from 'zod';

 import type { NostrFilter } from '@nostrify/nostrify';
@ -11,10 +13,9 @@ const homeQuerySchema = z.object({
 });

 route.get('/home', async (c) => {
-  c.req.valid('json');
  const { user, pagination } = c.var;

-  const pubkey = await user!.signer.getPublicKey()!;
+  const pubkey = await user.signer.getPublicKey()!;
  const result = homeQuerySchema.safeParse(c.req.query());

  if (!result.success) {
@ -123,4 +124,4 @@ async function renderStatuses(c: AppContext, filters: NostrFilter[]) {
  return paginated(c, events, statuses);
 }

-export { hashtagTimelineController, homeTimelineController, publicTimelineController, suggestedTimelineController };
+export { route as timelinesRoute };
--- a/packages/api/schema.test.ts
+++ b/packages/api/schema.test.ts
@ -0,0 +1,13 @@
+import { assertEquals, assertThrows } from '@std/assert';
+
+import { booleanParamSchema } from './schema.ts';
+
+Deno.test('booleanParamSchema', () => {
+  assertEquals(booleanParamSchema.parse('true'), true);
+  assertEquals(booleanParamSchema.parse('false'), false);
+
+  assertThrows(() => booleanParamSchema.parse('invalid'));
+  assertThrows(() => booleanParamSchema.parse('undefined'));
+
+  assertEquals(booleanParamSchema.optional().parse(undefined), undefined);
+});
--- a/packages/api/schema.ts
+++ b/packages/api/schema.ts
@ -0,0 +1,11 @@
+import ISO6391 from 'iso-639-1';
+import { z } from 'zod';
+
+/** https://github.com/colinhacks/zod/issues/1630#issuecomment-1365983831 */
+export const booleanParamSchema = z.enum(['true', 'false']).transform((value) => value === 'true');
+
+/** Value is a ISO-639-1 language code. */
+export const languageSchema = z.string().refine(
+  (val) => ISO6391.validate(val),
+  { message: 'Not a valid language in ISO-639-1 format' },
+);
--- a/packages/utils/aes.bench.ts
+++ b/packages/utils/aes.bench.ts
--- a/packages/utils/aes.test.ts
+++ b/packages/utils/aes.test.ts
--- a/packages/utils/aes.ts
+++ b/packages/utils/aes.ts
--- a/packages/auth/deno.json
+++ b/packages/auth/deno.json
@ -0,0 +1,6 @@
+{
+  "name": "@ditto/auth",
+  "exports": {
+    ".": "./mod.ts"
+  }
+}
--- a/packages/auth/mod.ts
+++ b/packages/auth/mod.ts
@ -0,0 +1,2 @@
+export { aesDecrypt, aesEncrypt } from './aes.ts';
+export { generateToken, getTokenHash } from './token.ts';
--- a/packages/auth/token.bench.ts
+++ b/packages/auth/token.bench.ts
@ -1,4 +1,4 @@
-import { generateToken, getTokenHash } from './auth.ts';
+import { generateToken, getTokenHash } from './token.ts';

 Deno.bench('generateToken', async () => {
  await generateToken();
--- a/packages/auth/token.test.ts
+++ b/packages/auth/token.test.ts
@ -1,7 +1,7 @@
 import { assertEquals } from '@std/assert';
 import { decodeHex, encodeHex } from '@std/encoding/hex';

-import { generateToken, getTokenHash } from './auth.ts';
+import { generateToken, getTokenHash } from './token.ts';

 Deno.test('generateToken', async () => {
  const sk = decodeHex('a0968751df8fd42f362213f08751911672f2a037113b392403bbb7dd31b71c95');
--- a/packages/auth/token.ts
+++ b/packages/auth/token.ts
--- a/packages/ditto/schema.ts
+++ b/packages/ditto/schema.ts
@ -1,5 +1,5 @@
-import ISO6391, { LanguageCode } from 'iso-639-1';
 import { NSchema as n } from '@nostrify/nostrify';
+import ISO6391, { LanguageCode } from 'iso-639-1';
 import { z } from 'zod';

 /** Validates individual items in an array, dropping any that aren't valid. */
--- a/packages/ditto/storages/UserStore.test.ts
+++ b/packages/ditto/storages/UserStore.test.ts
@ -1,7 +1,7 @@
 import { MockRelay } from '@nostrify/nostrify/test';
-
 import { assertEquals } from '@std/assert';
-import { UserStore } from '@/storages/UserStore.ts';
+
+import { UserStore } from './UserStore.ts';

 import userBlack from '~/fixtures/events/kind-0-black.json' with { type: 'json' };
 import userMe from '~/fixtures/events/event-0-makes-repost-with-quote-repost.json' with { type: 'json' };
@ -23,7 +23,7 @@ Deno.test('query events of users that are not muted', async () => {
  await store.event(userMeCopy);
  await store.event(event1authorUserMeCopy);

-  assertEquals(await store.query([{ kinds: [1] }], { limit: 1 }), []);
+  assertEquals(await store.query([{ kinds: [1], limit: 1 }]), []);
 });

 Deno.test('user never muted anyone', async () => {
@ -37,5 +37,5 @@ Deno.test('user never muted anyone', async () => {
  await store.event(userBlackCopy);
  await store.event(userMeCopy);

-  assertEquals(await store.query([{ kinds: [0], authors: [userMeCopy.pubkey] }], { limit: 1 }), [userMeCopy]);
+  assertEquals(await store.query([{ kinds: [0], authors: [userMeCopy.pubkey], limit: 1 }]), [userMeCopy]);
 });
--- a/packages/ditto/storages/UserStore.ts
+++ b/packages/ditto/storages/UserStore.ts
@ -1,10 +1,8 @@
+import { getTagSet } from '@ditto/utils/tags';
 import { NostrEvent, NostrFilter, NStore } from '@nostrify/nostrify';

-import { DittoEvent } from '@/interfaces/DittoEvent.ts';
-import { getTagSet } from '../../utils/tags.ts';
-
 export class UserStore implements NStore {
-  private promise: Promise<DittoEvent[]> | undefined;
+  private promise: Promise<NostrEvent[]> | undefined;

  constructor(private pubkey: string, private store: NStore) {}

@ -16,7 +14,7 @@ export class UserStore implements NStore {
   * Query events that `pubkey` did not mute
   * https://github.com/nostr-protocol/nips/blob/master/51.md#standard-lists
   */
-  async query(filters: NostrFilter[], opts: { signal?: AbortSignal; limit?: number } = {}): Promise<DittoEvent[]> {
+  async query(filters: NostrFilter[], opts: { signal?: AbortSignal } = {}): Promise<NostrEvent[]> {
    const events = await this.store.query(filters, opts);
    const pubkeys = await this.getMutedPubkeys();

@ -25,7 +23,7 @@ export class UserStore implements NStore {
    });
  }

-  private async getMuteList(): Promise<DittoEvent | undefined> {
+  private async getMuteList(): Promise<NostrEvent | undefined> {
    if (!this.promise) {
      this.promise = this.store.query([{ authors: [this.pubkey], kinds: [10000], limit: 1 }]);
    }
--- a/packages/storages/deno.json
+++ b/packages/storages/deno.json
@ -0,0 +1,6 @@
+{
+  "name": "@ditto/storages",
+  "exports": {
+    ".": "./mod.ts"
+  }
+}
--- a/packages/storages/mod.ts
+++ b/packages/storages/mod.ts
@ -0,0 +1 @@
+export { UserStore } from './UserStore.ts';
--- a/packages/utils/deno.json
+++ b/packages/utils/deno.json
@ -1,6 +1,7 @@
 {
  "name": "@ditto/utils",
  "exports": {
+    "./auth": "./auth.ts",
    "./tags": "./tags.ts"
  }
 }
				`@ -0,0 +1 @@`
				`export { userMiddleware } from './userMiddleware.ts';`
				`@ -0,0 +1 @@`
				`export { timelinesRoute } from './timelinesRoute.ts';`