Web API interface

First implementation of the Web API interface, which can be used to
manage pubkey to APNS token relationships.

src/api_server/nip98_auth.rs

@@ -0,0 +1,129 @@
+use base64::prelude::*;
+use serde_json::Value;
+use nostr::bitcoin::hashes::sha256::Hash as Sha256Hash;
+use nostr::bitcoin::hashes::Hash;
+use nostr::util::hex;
+use nostr::Timestamp;
+use nostr;
+
+pub async fn nip98_verify_auth_header(
+    auth_header: String,
+    url: &str,
+    method: &str,
+    body: Option<&[u8]>
+) -> Result<nostr::PublicKey, String> {
+    if auth_header.is_empty() {
+        return Err("Nostr authorization header missing".to_string());
+    }
+
+    let auth_header_parts: Vec<&str> = auth_header.split_whitespace().collect();
+    if auth_header_parts.len() != 2 {
+        return Err("Nostr authorization header does not have 2 parts".to_string());
+    }
+
+    if auth_header_parts[0] != "Nostr" {
+        return Err("Nostr authorization header does not start with `Nostr`".to_string());
+    }
+
+    let base64_encoded_note = auth_header_parts[1];
+    if base64_encoded_note.is_empty() {
+        return Err("Nostr authorization header does not have a base64 encoded note".to_string());
+    }
+
+    let decoded_note_json = BASE64_STANDARD.decode(base64_encoded_note.as_bytes())
+        .map_err(|_| format!("Failed to decode base64 encoded note from Nostr authorization header"))?;
+    
+    let note_value: Value = serde_json::from_slice(&decoded_note_json)
+        .map_err(|_| format!("Could not parse JSON note from authorization header"))?;
+    
+    let note: nostr::Event = nostr::Event::from_value(note_value)
+        .map_err(|_| format!("Could not parse Nostr note from JSON"))?;
+
+    if note.kind != nostr::Kind::HttpAuth {
+        return Err("Nostr note kind in authorization header is incorrect".to_string());
+    }
+    
+    let authorized_url = note.get_tag_content(nostr::TagKind::SingleLetter(nostr::SingleLetterTag::lowercase(nostr::Alphabet::U)))
+        .ok_or_else(|| "Missing 'u' tag from Nostr authorization header".to_string())?;
+
+    let authorized_method = note.get_tag_content(nostr::TagKind::Method)
+        .ok_or_else(|| "Missing 'method' tag from Nostr authorization header".to_string())?;
+
+    if authorized_url != url || authorized_method != method {
+        return Err(format!(
+            "Auth note url and/or method does not match request. Auth note url: {}; Request url: {}; Auth note method: {}; Request method: {}",
+            authorized_url, url, authorized_method, method
+        ));
+    }
+
+    let current_time: nostr::Timestamp = nostr::Timestamp::now();
+    let note_created_at: nostr::Timestamp = note.created_at();
+    let time_delta = TimeDelta::subtracting(current_time, note_created_at);
+    if (time_delta.negative && time_delta.delta_abs_seconds > 30) || (!time_delta.negative && time_delta.delta_abs_seconds > 60) {
+        return Err(format!(
+            "Auth note is too old. Current time: {}; Note created at: {}; Time delta: {} seconds",
+            current_time, note_created_at, time_delta
+        ));
+    }
+
+    if let Some(body_data) = body {
+        let authorized_content_hash_bytes: Vec<u8> = hex::decode(
+            note.get_tag_content(nostr::TagKind::Payload)
+                .ok_or("Missing 'payload' tag from Nostr authorization header")?
+        )
+        .map_err(|_| format!("Failed to decode hex encoded payload from Nostr authorization header"))?;
+
+        let authorized_content_hash: Sha256Hash = Sha256Hash::from_slice(&authorized_content_hash_bytes)
+            .map_err(|_| format!("Failed to convert hex encoded payload to Sha256Hash"))?;
+            
+        let body_hash = Sha256Hash::hash(body_data);
+        if authorized_content_hash != body_hash {
+            return Err("Auth note payload hash does not match request body hash".to_string());
+        }
+    } else {
+        let authorized_content_hash_string = note.get_tag_content(nostr::TagKind::Payload);
+        if authorized_content_hash_string.is_some() {
+            return Err("Auth note has payload tag but request has no body".to_string());
+        }
+    }
+
+    // Verify both the Event ID and the cryptographic signature
+    if note.verify().is_err() {
+        return Err("Auth note id or signature is invalid".to_string());
+    }
+    
+    Ok(note.pubkey)
+}
+
+struct TimeDelta {
+    delta_abs_seconds: u64,
+    negative: bool
+}
+
+impl TimeDelta {
+    /// Safely calculate the difference between two timestamps in seconds
+    /// This function is safer against overflows than subtracting the timestamps directly
+    fn subtracting(t1: Timestamp, t2: Timestamp) -> TimeDelta {
+        if t1 > t2 {
+            TimeDelta {
+                delta_abs_seconds: (t1 - t2).as_u64(),
+                negative: false
+            }
+        } else {
+            TimeDelta {
+                delta_abs_seconds: (t2 - t1).as_u64(),
+                negative: true
+            }
+        }
+    }
+}
+
+impl std::fmt::Display for TimeDelta {
+    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+        if self.negative {
+            write!(f, "-{}", self.delta_abs_seconds)
+        } else {
+            write!(f, "{}", self.delta_abs_seconds)
+        }
+    }
+}