Merge branch 'sign-pow' into 'main'

NIP-46: Request proof-of-work difficulty when signing events

See merge request soapbox-pub/ditto!58

src/controllers/api/streaming.ts

@@ -28,8 +28,8 @@ const streamSchema = z.enum([
 type Stream = z.infer<typeof streamSchema>;
 
 const streamingController: AppController = (c) => {
-  const upgrade = c.req.headers.get('upgrade');
-  const token = c.req.headers.get('sec-websocket-protocol');
+  const upgrade = c.req.header('upgrade');
+  const token = c.req.header('sec-websocket-protocol');
   const stream = streamSchema.optional().catch(undefined).parse(c.req.query('stream'));
 
   if (upgrade?.toLowerCase() !== 'websocket') {

src/controllers/nostr/relay.ts

@@ -117,7 +117,7 @@ function prepareFilters(filters: ClientREQ[2][]): Filter[] {
 }
 
 const relayController: AppController = (c) => {
-  const upgrade = c.req.headers.get('upgrade');
+  const upgrade = c.req.header('upgrade');
 
   if (upgrade?.toLowerCase() !== 'websocket') {
     return c.text('Please use a Nostr client to connect.', 400);

src/deps.ts

@@ -6,8 +6,8 @@ export {
   Hono,
   HTTPException,
   type MiddlewareHandler,
-} from 'https://deno.land/x/hono@v3.7.5/mod.ts';
-export { cors, logger, serveStatic } from 'https://deno.land/x/hono@v3.7.5/middleware.ts';
+} from 'https://deno.land/x/hono@v3.10.1/mod.ts';
+export { cors, logger, serveStatic } from 'https://deno.land/x/hono@v3.10.1/middleware.ts';
 export { z } from 'https://deno.land/x/zod@v3.21.4/mod.ts';
 export { Author, RelayPool } from 'https://dev.jspm.io/nostr-relaypool@0.6.28';
 export {
@@ -25,8 +25,9 @@ export {
   nip19,
   nip21,
   type UnsignedEvent,
+  type VerifiedEvent,
   verifySignature,
-} from 'npm:nostr-tools@^1.14.0';
+} from 'npm:nostr-tools@^1.17.0';
 export { findReplyTag } from 'https://gitlab.com/soapbox-pub/mostr/-/raw/c67064aee5ade5e01597c6d23e22e53c628ef0e2/src/nostr/tags.ts';
 export { parseFormData } from 'npm:formdata-helper@^0.3.0';
 // @deno-types="npm:@types/lodash@4.14.194"

src/middleware/auth19.ts

@@ -6,7 +6,7 @@ const BEARER_REGEX = new RegExp(`^Bearer (${nip19.BECH32_REGEX.source})$`);
 
 /** NIP-19 auth middleware. */
 const auth19: AppMiddleware = async (c, next) => {
-  const authHeader = c.req.headers.get('authorization');
+  const authHeader = c.req.header('authorization');
   const match = authHeader?.match(BEARER_REGEX);
 
   if (match) {

src/middleware/auth98.ts

@@ -91,7 +91,7 @@ function withProof(
 async function obtainProof(c: AppContext, opts?: ParseAuthRequestOpts) {
   const req = localRequest(c);
   const reqEvent = await buildAuthEventTemplate(req, opts);
-  const resEvent = await signEvent(reqEvent, c);
+  const resEvent = await signEvent(reqEvent, c, opts);
   const result = await validateAuthEvent(req, resEvent, opts);
 
   if (result.success) {

src/sign.ts

@@ -8,22 +8,31 @@ import { Sub } from '@/subs.ts';
 import { eventMatchesTemplate, Time } from '@/utils.ts';
 import { createAdminEvent } from '@/utils/web.ts';
 
+interface SignEventOpts {
+  /** Target proof-of-work difficulty for the signed event. */
+  pow?: number;
+}
+
 /**
  * Sign Nostr event using the app context.
  *
  * - If a secret key is provided, it will be used to sign the event.
  * - If `X-Nostr-Sign` is passed, it will use NIP-46 to sign the event.
  */
-async function signEvent<K extends number = number>(event: EventTemplate<K>, c: AppContext): Promise<Event<K>> {
+async function signEvent<K extends number = number>(
+  event: EventTemplate<K>,
+  c: AppContext,
+  opts: SignEventOpts = {},
+): Promise<Event<K>> {
   const seckey = c.get('seckey');
-  const header = c.req.headers.get('x-nostr-sign');
+  const header = c.req.header('x-nostr-sign');
 
   if (seckey) {
     return finishEvent(event, seckey);
   }
 
   if (header) {
-    return await signNostrConnect(event, c);
+    return await signNostrConnect(event, c, opts);
   }
 
   throw new HTTPException(400, {
@@ -32,7 +41,11 @@ async function signEvent<K extends number = number>(event: EventTemplate<K>, c:
 }
 
 /** Sign event with NIP-46, waiting in the background for the signed event. */
-async function signNostrConnect<K extends number = number>(event: EventTemplate<K>, c: AppContext): Promise<Event<K>> {
+async function signNostrConnect<K extends number = number>(
+  event: EventTemplate<K>,
+  c: AppContext,
+  opts: SignEventOpts = {},
+): Promise<Event<K>> {
   const pubkey = c.get('pubkey');
 
   if (!pubkey) {
@@ -48,7 +61,9 @@ async function signNostrConnect<K extends number = number>(event: EventTemplate<
       JSON.stringify({
         id: messageId,
         method: 'sign_event',
-        params: [event],
+        params: [event, {
+          pow: opts.pow,
+        }],
       }),
     ),
     tags: [['p', pubkey]],

src/utils/nip98.ts

@@ -1,4 +1,4 @@
-import { type Event, type EventTemplate, nip13 } from '@/deps.ts';
+import { type Event, type EventTemplate, nip13, type VerifiedEvent } from '@/deps.ts';
 import { decode64Schema, jsonSchema } from '@/schema.ts';
 import { signedEventSchema } from '@/schemas/nostr.ts';
 import { eventAge, findTag, nostrNow, sha256 } from '@/utils.ts';
@@ -32,7 +32,7 @@ function validateAuthEvent(req: Request, event: Event, opts: ParseAuthRequestOpt
   const { maxAge = Time.minutes(1), validatePayload = true, pow = 0 } = opts;
 
   const schema = signedEventSchema
-    .refine((event): event is Event<27235> => event.kind === 27235, 'Event must be kind 27235')
+    .refine((event): event is VerifiedEvent<27235> => event.kind === 27235, 'Event must be kind 27235')
     .refine((event) => eventAge(event) < maxAge, 'Event expired')
     .refine((event) => tagValue(event, 'method') === req.method, 'Event method does not match HTTP request method')
     .refine((event) => tagValue(event, 'u') === req.url, 'Event URL does not match request URL')