nostr-bbs-core 3.0.0-rc7

Shared Nostr protocol primitives for the nostr-bbs forum (client + workers)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339

//! NIP-46 / generic Signer trait for nostr-bbs.
//!
//! Abstracts over different key management backends:
//! - [`PrfSigner`]: wraps a local [`Keypair`] (WebAuthn PRF-derived key)
//! - `Nip07Signer` (forum-client crate): delegates to window.nostr via WASM
//!
//! The trait is `Send + Sync` on native (for tests) and plain on WASM where
//! single-threaded execution is guaranteed.

use async_trait::async_trait;
use thiserror::Error;

use crate::event::{sign_event, NostrEvent, PubkeyMismatch, UnsignedEvent};
use crate::keys::Keypair;
use crate::nip04::{nip04_decrypt as nip04_dec, nip04_encrypt as nip04_enc};
use crate::nip44::{decrypt as nip44_dec, encrypt as nip44_enc};

// ── Error ─────────────────────────────────────────────────────────────────────

/// Errors from the [`Signer`] trait.
#[derive(Debug, Error)]
pub enum SignerError {
    /// The signer could not produce a valid Schnorr signature.
    #[error("signing failed: {0}")]
    SigningFailed(String),

    /// The signed event's pubkey does not match the signer's public key.
    #[error("pubkey mismatch: expected {expected}, got {actual}")]
    PubkeyMismatch {
        /// The signer's own pubkey.
        expected: String,
        /// The pubkey embedded in the UnsignedEvent.
        actual: String,
    },

    /// The underlying key is unavailable or inaccessible (e.g. NIP-07 extension
    /// not installed, or user rejected the signing prompt).
    #[error("key unavailable: {0}")]
    KeyUnavailable(String),

    /// General purpose signing backend error.
    #[error("backend error: {0}")]
    Backend(String),

    /// Encryption failed.
    #[error("encryption failed: {0}")]
    EncryptionFailed(String),

    /// Decryption failed.
    #[error("decryption failed: {0}")]
    DecryptionFailed(String),

    /// Signer is not available (e.g. NIP-07 extension not installed).
    #[error("signer not available")]
    Unavailable,
}

impl From<PubkeyMismatch> for SignerError {
    fn from(e: PubkeyMismatch) -> Self {
        SignerError::PubkeyMismatch {
            expected: e.derived_pubkey,
            actual: e.event_pubkey,
        }
    }
}

// ── Signer trait ──────────────────────────────────────────────────────────────

/// Abstract interface for signing Nostr events.
///
/// Implementations can be synchronous wrappers (PRF-derived key) or async
/// bridges to browser extensions (NIP-07). The `async_trait` macro erases the
/// difference so callers can always `await` the sign call.
#[async_trait(?Send)]
pub trait Signer {
    /// Return the x-only public key (64-char hex) this signer controls.
    fn public_key(&self) -> &str;

    /// Sign an unsigned event, returning a fully signed [`NostrEvent`].
    ///
    /// The `unsigned.pubkey` field MUST match `self.public_key()`. If it does
    /// not, implementations SHOULD return [`SignerError::PubkeyMismatch`].
    async fn sign_event(&self, unsigned: UnsignedEvent) -> Result<NostrEvent, SignerError>;

    /// NIP-44 encrypt plaintext to a recipient (ChaCha20-Poly1305).
    async fn nip44_encrypt(
        &self,
        recipient_pubkey_hex: &str,
        plaintext: &str,
    ) -> Result<String, SignerError>;

    /// NIP-44 decrypt ciphertext from a sender (ChaCha20-Poly1305).
    async fn nip44_decrypt(
        &self,
        sender_pubkey_hex: &str,
        ciphertext: &str,
    ) -> Result<String, SignerError>;

    /// NIP-04 encrypt plaintext to a recipient (AES-256-CBC).
    async fn nip04_encrypt(
        &self,
        recipient_pubkey_hex: &str,
        plaintext: &str,
    ) -> Result<String, SignerError>;

    /// NIP-04 decrypt ciphertext from a sender (AES-256-CBC).
    async fn nip04_decrypt(
        &self,
        sender_pubkey_hex: &str,
        ciphertext: &str,
    ) -> Result<String, SignerError>;
}

// ── PrfSigner ─────────────────────────────────────────────────────────────────

/// A [`Signer`] backed by a locally held [`Keypair`] (e.g. derived from a
/// WebAuthn PRF output via HKDF).
///
/// This is the default signer for passkey-authenticated sessions. The private
/// key lives only in memory and is zeroized on drop via the [`Keypair`]
/// implementation.
pub struct PrfSigner {
    keypair: Keypair,
    pubkey_hex: String,
}

impl PrfSigner {
    /// Create a `PrfSigner` from an existing keypair.
    pub fn new(keypair: Keypair) -> Self {
        let pubkey_hex = keypair.public.to_hex();
        Self {
            keypair,
            pubkey_hex,
        }
    }

    /// Return a reference to the underlying [`Keypair`].
    pub fn keypair(&self) -> &Keypair {
        &self.keypair
    }
}

#[async_trait(?Send)]
impl Signer for PrfSigner {
    fn public_key(&self) -> &str {
        &self.pubkey_hex
    }

    async fn sign_event(&self, unsigned: UnsignedEvent) -> Result<NostrEvent, SignerError> {
        // Build the k256 signing key from raw bytes
        let sk_bytes = self.keypair.secret.as_bytes();
        let signing_key = k256::schnorr::SigningKey::from_bytes(sk_bytes)
            .map_err(|e| SignerError::SigningFailed(e.to_string()))?;

        sign_event(unsigned, &signing_key).map_err(SignerError::from)
    }

    async fn nip44_encrypt(
        &self,
        recipient_pubkey_hex: &str,
        plaintext: &str,
    ) -> Result<String, SignerError> {
        let pk = parse_pk32(recipient_pubkey_hex)?;
        nip44_enc(self.keypair.secret.as_bytes(), &pk, plaintext)
            .map_err(|e| SignerError::EncryptionFailed(e.to_string()))
    }

    async fn nip44_decrypt(
        &self,
        sender_pubkey_hex: &str,
        ciphertext: &str,
    ) -> Result<String, SignerError> {
        let pk = parse_pk32(sender_pubkey_hex)?;
        nip44_dec(self.keypair.secret.as_bytes(), &pk, ciphertext)
            .map_err(|e| SignerError::DecryptionFailed(e.to_string()))
    }

    async fn nip04_encrypt(
        &self,
        recipient_pubkey_hex: &str,
        plaintext: &str,
    ) -> Result<String, SignerError> {
        nip04_enc(
            self.keypair.secret.as_bytes(),
            recipient_pubkey_hex,
            plaintext,
        )
        .map_err(|e| SignerError::EncryptionFailed(e.to_string()))
    }

    async fn nip04_decrypt(
        &self,
        sender_pubkey_hex: &str,
        ciphertext: &str,
    ) -> Result<String, SignerError> {
        nip04_dec(
            self.keypair.secret.as_bytes(),
            sender_pubkey_hex,
            ciphertext,
        )
        .map_err(|e| SignerError::DecryptionFailed(e.to_string()))
    }
}

fn parse_pk32(hex_str: &str) -> Result<[u8; 32], SignerError> {
    let bytes = hex::decode(hex_str)
        .map_err(|e| SignerError::Backend(format!("pubkey hex decode: {e}")))?;
    if bytes.len() != 32 {
        return Err(SignerError::Backend(format!(
            "expected 32-byte pubkey, got {}",
            bytes.len()
        )));
    }
    let mut arr = [0u8; 32];
    arr.copy_from_slice(&bytes);
    Ok(arr)
}

// ── Tests ─────────────────────────────────────────────────────────────────────

#[cfg(test)]
mod tests {
    use super::*;

    use crate::keys::generate_keypair;

    #[allow(dead_code)]
    fn make_prf_signer() -> (PrfSigner, String) {
        let kp = generate_keypair().unwrap();
        let pk = kp.public.to_hex();
        (PrfSigner::new(kp), pk)
    }

    #[test]
    fn prf_signer_public_key_matches_keypair() {
        let kp = generate_keypair().unwrap();
        let expected_pk = kp.public.to_hex();
        let signer = PrfSigner::new(kp);
        assert_eq!(signer.public_key(), expected_pk);
    }

    #[test]
    fn signer_error_from_pubkey_mismatch() {
        let mismatch = PubkeyMismatch {
            derived_pubkey: "aa".repeat(32),
            event_pubkey: "bb".repeat(32),
        };
        let err = SignerError::from(mismatch);
        assert!(matches!(err, SignerError::PubkeyMismatch { .. }));
    }

    #[test]
    fn nip44_roundtrip_via_signer() {
        let kp_a = generate_keypair().unwrap();
        let kp_b = generate_keypair().unwrap();
        let pk_a = kp_a.public.to_hex();
        let pk_b = kp_b.public.to_hex();
        let signer_a = PrfSigner::new(kp_a);
        let signer_b = PrfSigner::new(kp_b);

        let ct = block_on(signer_a.nip44_encrypt(&pk_b, "nip44 test")).unwrap();
        let pt = block_on(signer_b.nip44_decrypt(&pk_a, &ct)).unwrap();
        assert_eq!(pt, "nip44 test");
    }

    #[test]
    fn nip04_roundtrip_via_signer() {
        let kp_a = generate_keypair().unwrap();
        let kp_b = generate_keypair().unwrap();
        let pk_a = kp_a.public.to_hex();
        let pk_b = kp_b.public.to_hex();
        let signer_a = PrfSigner::new(kp_a);
        let signer_b = PrfSigner::new(kp_b);

        let ct = block_on(signer_a.nip04_encrypt(&pk_b, "nip04 test")).unwrap();
        assert!(ct.contains("?iv="), "NIP-04 must have ?iv= separator");
        let pt = block_on(signer_b.nip04_decrypt(&pk_a, &ct)).unwrap();
        assert_eq!(pt, "nip04 test");
    }

    /// Minimal synchronous executor: polls a future until Ready.
    ///
    /// All [`Signer`] implementations in this crate (and in the
    /// forum-client crate) resolve to `Ready` on the first poll because no
    /// I/O is involved — sign + encrypt operations are pure CPU. To avoid
    /// the previous `Poll::Pending => panic!` (audit H14), we spin-poll a
    /// bounded number of iterations and then return a sentinel via `Err`
    /// surfacing as a [`SignerError::Backend`]. In practice the loop never
    /// runs more than once.
    ///
    /// This helper is `#[cfg(test)]` only, so the bounded spin is
    /// acceptable — it is never reached from production code paths.
    fn block_on<F>(f: F) -> F::Output
    where
        F: std::future::Future,
        F::Output: BlockOnSentinel,
    {
        use std::task::{Context, Poll, RawWaker, RawWakerVTable, Waker};
        fn noop_clone(p: *const ()) -> RawWaker {
            RawWaker::new(p, &VTAB)
        }
        fn noop(_: *const ()) {}
        static VTAB: RawWakerVTable = RawWakerVTable::new(noop_clone, noop, noop, noop);
        let waker = unsafe { Waker::from_raw(RawWaker::new(std::ptr::null(), &VTAB)) };
        let mut cx = Context::from_waker(&waker);
        let mut pinned = Box::pin(f);
        const MAX_SPINS: usize = 64;
        for _ in 0..MAX_SPINS {
            match pinned.as_mut().poll(&mut cx) {
                Poll::Ready(v) => return v,
                Poll::Pending => continue,
            }
        }
        // Should never happen for the I/O-free Signer impls in this crate,
        // but if it does we surface the error rather than panic so the test
        // run reports the failure cleanly.
        F::Output::from_pending_timeout()
    }

    /// Allows `block_on` to construct a sentinel for the very rare case
    /// that a future never resolves within the spin budget. Implementations
    /// exist for the concrete `Result<T, SignerError>` types used by
    /// `Signer` and for `String` (used by the encrypt/decrypt return types).
    trait BlockOnSentinel {
        fn from_pending_timeout() -> Self;
    }

    impl<T, E> BlockOnSentinel for Result<T, E>
    where
        E: From<SignerError>,
    {
        fn from_pending_timeout() -> Self {
            Err(
                SignerError::Backend("block_on: future did not resolve within spin budget".into())
                    .into(),
            )
        }
    }
}