Add APISigner and AdminSigner classes, implement NostrSigner interface

2024-02-12 11:52:05 -06:00 · 2024-02-12 11:52:05 -06:00 · 59d53c4a2f
parent 1e3f637358
commit 59d53c4a2f
9 changed files with 146 additions and 133 deletions
--- a/scripts/admin.ts
+++ b/scripts/admin.ts
@ -1,5 +1,5 @@
 import * as pipeline from '@/pipeline.ts';
-import { signAdminEvent } from '@/sign.ts';
+import { AdminSigner } from '@/signers/AdminSigner.ts';
 import { type EventStub } from '@/utils/api.ts';
 import { nostrNow } from '@/utils.ts';
@ -12,7 +12,9 @@ switch (Deno.args[0]) {
 }
 async function publish(t: EventStub) {
-  const event = await signAdminEvent({
+  const signer = new AdminSigner();
  const event = await signer.signEvent({
    content: '',
    created_at: nostrNow(),
    tags: [],
--- a/src/db/users.ts
+++ b/src/db/users.ts
@ -1,7 +1,7 @@
 import { Conf } from '@/config.ts';
 import { Debug, type NostrFilter } from '@/deps.ts';
 import * as pipeline from '@/pipeline.ts';
-import { signAdminEvent } from '@/sign.ts';
+import { AdminSigner } from '@/signers/AdminSigner.ts';
 import { eventsDB } from '@/storages.ts';
 const debug = Debug('ditto:users');
@ -15,8 +15,9 @@ interface User {
 function buildUserEvent(user: User) {
  const { origin, host } = Conf.url;
  const signer = new AdminSigner();
-  return signAdminEvent({
+  return signer.signEvent({
    kind: 30361,
    tags: [
      ['d', user.pubkey],
--- a/src/deps.ts
+++ b/src/deps.ts
@ -81,6 +81,7 @@ export * as Comlink from 'npm:comlink@^4.4.1';
 export { EventEmitter } from 'npm:tseep@^1.1.3';
 export { default as stringifyStable } from 'npm:fast-stable-stringify@^1.0.0';
 export { default as Debug } from 'https://gitlab.com/soapbox-pub/stickynotes/-/raw/v0.2.0/debug.ts';
 export { Stickynotes } from 'https://gitlab.com/soapbox-pub/stickynotes/-/raw/v0.2.0/mod.ts';
 export {
  LNURL,
  type LNURLDetails,
--- a/src/middleware/auth98.ts
+++ b/src/middleware/auth98.ts
@ -7,7 +7,7 @@ import {
  validateAuthEvent,
 } from '@/utils/nip98.ts';
 import { localRequest } from '@/utils/api.ts';
-import { signEvent } from '@/sign.ts';
+import { APISigner } from '@/signers/APISigner.ts';
 import { findUser, User } from '@/db/users.ts';
 /**
@ -91,7 +91,7 @@ function withProof(
 async function obtainProof(c: AppContext, opts?: ParseAuthRequestOpts) {
  const req = localRequest(c);
  const reqEvent = await buildAuthEventTemplate(req, opts);
-  const resEvent = await signEvent(reqEvent, c, opts);
+  const resEvent = await new APISigner(c).signEvent(reqEvent);
  const result = await validateAuthEvent(req, resEvent, opts);
  if (result.success) {
--- a/src/pipeline.ts
+++ b/src/pipeline.ts
@ -15,7 +15,7 @@ import { eventAge, isRelay, nostrDate, nostrNow, Time } from '@/utils.ts';
 import { fetchWorker } from '@/workers/fetch.ts';
 import { TrendsWorker } from '@/workers/trends.ts';
 import { verifyEventWorker } from '@/workers/verify.ts';
-import { signAdminEvent } from '@/sign.ts';
+import { AdminSigner } from '@/signers/AdminSigner.ts';
 import { lnurlCache } from '@/utils/lnurl.ts';
 const debug = Debug('ditto:pipeline');
@ -194,7 +194,9 @@ async function payZap(event: DittoEvent, signal: AbortSignal) {
      { fetch: fetchWorker, signal },
    );
-    const nwcRequestEvent = await signAdminEvent({
+    const signer = new AdminSigner();
    const nwcRequestEvent = await signer.signEvent({
      kind: 23194,
      content: await encryptAdmin(
        event.pubkey,
--- a/src/sign.ts
+++ b/src/sign.ts
@ -1,121 +0,0 @@
 import { type AppContext } from '@/app.ts';
 import { Conf } from '@/config.ts';
 import { decryptAdmin, encryptAdmin } from '@/crypto.ts';
 import { Debug, type EventTemplate, finalizeEvent, HTTPException, type NostrEvent } from '@/deps.ts';
 import { connectResponseSchema } from '@/schemas/nostr.ts';
 import { jsonSchema } from '@/schema.ts';
 import { Sub } from '@/subs.ts';
 import { eventMatchesTemplate } from '@/utils.ts';
 import { createAdminEvent } from '@/utils/api.ts';
 const debug = Debug('ditto:sign');
 interface SignEventOpts {
  /** Target proof-of-work difficulty for the signed event. */
  pow?: number;
 }
 /**
 * Sign Nostr event using the app context.
 *
 * - If a secret key is provided, it will be used to sign the event.
 * - If `X-Nostr-Sign` is passed, it will use NIP-46 to sign the event.
 */
 async function signEvent(
  event: EventTemplate,
  c: AppContext,
  opts: SignEventOpts = {},
 ): Promise<NostrEvent> {
  const seckey = c.get('seckey');
  const header = c.req.header('x-nostr-sign');
  if (seckey) {
    debug(`Signing Event<${event.kind}> with secret key`);
    return finalizeEvent(event, seckey);
  }
  if (header) {
    debug(`Signing Event<${event.kind}> with NIP-46`);
    return await signNostrConnect(event, c, opts);
  }
  throw new HTTPException(400, {
    res: c.json({ id: 'ditto.sign', error: 'Unable to sign event' }, 400),
  });
 }
 /** Sign event with NIP-46, waiting in the background for the signed event. */
 async function signNostrConnect(
  event: EventTemplate,
  c: AppContext,
  opts: SignEventOpts = {},
 ): Promise<NostrEvent> {
  const pubkey = c.get('pubkey');
  if (!pubkey) {
    throw new HTTPException(401, { message: 'Missing pubkey' });
  }
  const messageId = crypto.randomUUID();
  createAdminEvent({
    kind: 24133,
    content: await encryptAdmin(
      pubkey,
      JSON.stringify({
        id: messageId,
        method: 'sign_event',
        params: [event, {
          pow: opts.pow,
        }],
      }),
    ),
    tags: [['p', pubkey]],
  }, c);
  return awaitSignedEvent(pubkey, messageId, event, c);
 }
 /** Wait for signed event to be sent through Nostr relay. */
 async function awaitSignedEvent(
  pubkey: string,
  messageId: string,
  template: EventTemplate,
  c: AppContext,
 ): Promise<NostrEvent> {
  const sub = Sub.sub(messageId, '1', [{ kinds: [24133], authors: [pubkey], '#p': [Conf.pubkey] }]);
  function close(): void {
    Sub.close(messageId);
    c.req.raw.signal.removeEventListener('abort', close);
  }
  c.req.raw.signal.addEventListener('abort', close);
  for await (const event of sub) {
    const decrypted = await decryptAdmin(event.pubkey, event.content);
    const result = jsonSchema
      .pipe(connectResponseSchema)
      .refine((msg) => msg.id === messageId, 'Message ID mismatch')
      .refine((msg) => eventMatchesTemplate(msg.result, template), 'Event template mismatch')
      .safeParse(decrypted);
    if (result.success) {
      close();
      return result.data.result;
    }
  }
  throw new HTTPException(408, {
    res: c.json({ id: 'ditto.timeout', error: 'Signing timeout' }),
  });
 }
 /** Sign event as the Ditto server. */
 // deno-lint-ignore require-await
 async function signAdminEvent(event: EventTemplate): Promise<NostrEvent> {
  return finalizeEvent(event, Conf.seckey);
 }
 export { signAdminEvent, signEvent };
--- a/src/signers/APISigner.ts
+++ b/src/signers/APISigner.ts
@ -0,0 +1,114 @@
 import { type AppContext } from '@/app.ts';
 import { Conf } from '@/config.ts';
 import { decryptAdmin, encryptAdmin } from '@/crypto.ts';
 import { HTTPException, type NostrEvent, type NostrSigner, NSecSigner, Stickynotes } from '@/deps.ts';
 import { connectResponseSchema } from '@/schemas/nostr.ts';
 import { jsonSchema } from '@/schema.ts';
 import { Sub } from '@/subs.ts';
 import { eventMatchesTemplate } from '@/utils.ts';
 import { createAdminEvent } from '@/utils/api.ts';
 /**
 * Sign Nostr event using the app context.
 *
 * - If a secret key is provided, it will be used to sign the event.
 * - If `X-Nostr-Sign` is passed, it will use NIP-46 to sign the event.
 */
 export class APISigner implements NostrSigner {
  #c: AppContext;
  #console = new Stickynotes('ditto:sign');
  constructor(c: AppContext) {
    this.#c = c;
  }
  // deno-lint-ignore require-await
  async getPublicKey(): Promise<string> {
    const pubkey = this.#c.get('pubkey');
    if (pubkey) {
      return pubkey;
    } else {
      throw new HTTPException(401, { message: 'Missing pubkey' });
    }
  }
  async signEvent(event: Omit<NostrEvent, 'id' | 'pubkey' | 'sig'>): Promise<NostrEvent> {
    const seckey = this.#c.get('seckey');
    const header = this.#c.req.header('x-nostr-sign');
    if (seckey) {
      this.#console.debug(`Signing Event<${event.kind}> with secret key`);
      return new NSecSigner(seckey).signEvent(event);
    }
    if (header) {
      this.#console.debug(`Signing Event<${event.kind}> with NIP-46`);
      return await this.#signNostrConnect(event);
    }
    throw new HTTPException(400, {
      res: this.#c.json({ id: 'ditto.sign', error: 'Unable to sign event' }, 400),
    });
  }
  /** Sign event with NIP-46, waiting in the background for the signed event. */
  async #signNostrConnect(event: Omit<NostrEvent, 'id' | 'pubkey' | 'sig'>): Promise<NostrEvent> {
    const pubkey = this.#c.get('pubkey');
    if (!pubkey) {
      throw new HTTPException(401, { message: 'Missing pubkey' });
    }
    const messageId = crypto.randomUUID();
    createAdminEvent({
      kind: 24133,
      content: await encryptAdmin(
        pubkey,
        JSON.stringify({
          id: messageId,
          method: 'sign_event',
          params: [event],
        }),
      ),
      tags: [['p', pubkey]],
    }, this.#c);
    return this.#awaitSignedEvent(pubkey, messageId, event);
  }
  /** Wait for signed event to be sent through Nostr relay. */
  async #awaitSignedEvent(
    pubkey: string,
    messageId: string,
    template: Omit<NostrEvent, 'id' | 'pubkey' | 'sig'>,
  ): Promise<NostrEvent> {
    const sub = Sub.sub(messageId, '1', [{ kinds: [24133], authors: [pubkey], '#p': [Conf.pubkey] }]);
    const close = (): void => {
      Sub.close(messageId);
      this.#c.req.raw.signal.removeEventListener('abort', close);
    };
    this.#c.req.raw.signal.addEventListener('abort', close);
    for await (const event of sub) {
      const decrypted = await decryptAdmin(event.pubkey, event.content);
      const result = jsonSchema
        .pipe(connectResponseSchema)
        .refine((msg) => msg.id === messageId, 'Message ID mismatch')
        .refine((msg) => eventMatchesTemplate(msg.result, template), 'Event template mismatch')
        .safeParse(decrypted);
      if (result.success) {
        close();
        return result.data.result;
      }
    }
    throw new HTTPException(408, {
      res: this.#c.json({ id: 'ditto.timeout', error: 'Signing timeout' }),
    });
  }
 }
--- a/src/signers/AdminSigner.ts
+++ b/src/signers/AdminSigner.ts
@ -0,0 +1,9 @@
 import { Conf } from '@/config.ts';
 import { NSecSigner } from '@/deps.ts';
 /** Sign events as the Ditto server. */
 export class AdminSigner extends NSecSigner {
  constructor() {
    super(Conf.seckey);
  }
 }
--- a/src/utils/api.ts
+++ b/src/utils/api.ts
@ -12,7 +12,8 @@ import {
  z,
 } from '@/deps.ts';
 import * as pipeline from '@/pipeline.ts';
-import { signAdminEvent, signEvent } from '@/sign.ts';
+import { AdminSigner } from '@/signers/AdminSigner.ts';
 import { APISigner } from '@/signers/APISigner.ts';
 import { eventsDB } from '@/storages.ts';
 import { nostrNow } from '@/utils.ts';
@ -29,12 +30,14 @@ async function createEvent(t: EventStub, c: AppContext): Promise<NostrEvent> {
    throw new HTTPException(401);
  }
-  const event = await signEvent({
+  const signer = new APISigner(c);
  const event = await signer.signEvent({
    content: '',
    created_at: nostrNow(),
    tags: [],
    ...t,
-  }, c);
+  });
  return publishEvent(event, c);
 }
@ -70,7 +73,9 @@ function updateListEvent(
 /** Publish an admin event through the pipeline. */
 async function createAdminEvent(t: EventStub, c: AppContext): Promise<NostrEvent> {
-  const event = await signAdminEvent({
+  const signer = new AdminSigner();
  const event = await signer.signEvent({
    content: '',
    created_at: nostrNow(),
    tags: [],