Accept Nostr auth

VoidCat/Controllers/UploadController.cs

@@ -7,6 +7,7 @@ using VoidCat.Database;
 using VoidCat.Model;
 using VoidCat.Services.Abstractions;
 using VoidCat.Services.Files;
+using VoidCat.Services.Users;
 using File = VoidCat.Database.File;
 
 namespace VoidCat.Controllers
@@ -21,12 +22,13 @@ namespace VoidCat.Controllers
         private readonly FileInfoManager _fileInfo;
         private readonly IUserUploadsStore _userUploads;
         private readonly IUserStore _userStore;
+        private readonly UserManager _userManager;
         private readonly ITimeSeriesStatsReporter _timeSeriesStats;
         private readonly VoidSettings _settings;
 
         public UploadController(FileStoreFactory storage, IFileMetadataStore metadata, IPaymentStore payment,
             IPaymentFactory paymentFactory, FileInfoManager fileInfo, IUserUploadsStore userUploads,
-            ITimeSeriesStatsReporter timeSeriesStats, IUserStore userStore, VoidSettings settings)
+            ITimeSeriesStatsReporter timeSeriesStats, IUserStore userStore, VoidSettings settings, UserManager userManager)
         {
             _storage = storage;
             _metadata = metadata;
@@ -37,6 +39,7 @@ namespace VoidCat.Controllers
             _timeSeriesStats = timeSeriesStats;
             _userStore = userStore;
             _settings = settings;
+            _userManager = userManager;
         }
 
         /// <summary>
@@ -68,6 +71,13 @@ namespace VoidCat.Controllers
                 }
 
                 var uid = HttpContext.GetUserId();
+                var pubkey = HttpContext.GetPubKey();
+                if (uid == default && !string.IsNullOrEmpty(pubkey))
+                {
+                    var nostrUser = await _userManager.LoginOrRegister(pubkey);
+                    uid = nostrUser.Id;
+                }
+
                 var mime = Request.Headers.GetHeader("V-Content-Type");
                 var filename = Request.Headers.GetHeader("V-Filename");
 

VoidCat/Database/User.cs

@@ -110,5 +110,10 @@ public enum UserAuthType
     /// <summary>
     /// Lightning node challenge
     /// </summary>
-    Lightning = 3
+    Lightning = 3,
+    
+    /// <summary>
+    /// Nostr login
+    /// </summary>
+    Nostr = 4,
 }

VoidCat/Model/Extensions.cs

@@ -29,10 +29,16 @@ public static class Extensions
 
     public static Guid? GetUserId(this HttpContext context)
     {
-        var claimSub = context?.User?.Claims?.FirstOrDefault(a => a.Type == ClaimTypes.NameIdentifier)?.Value;
+        var claimSub = context.User.Claims.FirstOrDefault(a => a.Type == ClaimTypes.NameIdentifier)?.Value;
         return Guid.TryParse(claimSub, out var g) ? g : null;
     }
 
+    public static string? GetPubKey(this HttpContext context)
+    {
+        var claim = context.User.Claims.FirstOrDefault(a => a.Type == ClaimTypes.Name);
+        return claim?.Value;
+    }
+    
     public static IEnumerable<string>? GetUserRoles(this HttpContext context)
     {
         return context?.User?.Claims?.Where(a => a.Type == ClaimTypes.Role)

VoidCat/Model/Roles.cs

@@ -9,4 +9,5 @@ public static class Roles
 public static class Policies
 {
     public const string RequireAdmin = "RequireAdmin";
+    public const string RequireNostr = "RequireNostr";
 }

VoidCat/Services/NostrAuth.cs

@@ -0,0 +1,91 @@
+using System.Security.Claims;
+using System.Text;
+using System.Text.Encodings.Web;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.Options;
+using Newtonsoft.Json;
+using Nostr.Client.Json;
+using Nostr.Client.Messages;
+
+namespace VoidCat.Services;
+
+public static class NostrAuth
+{
+    public const string Scheme = "Nostr";
+}
+
+public class NostrAuthOptions : AuthenticationSchemeOptions
+{
+}
+
+public class NostrAuthHandler : AuthenticationHandler<NostrAuthOptions>
+{
+    public NostrAuthHandler(IOptionsMonitor<NostrAuthOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock) :
+        base(options, logger, encoder, clock)
+    {
+    }
+
+    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
+    {
+        var auth = Request.Headers.Authorization.FirstOrDefault()?.Trim();
+        if (string.IsNullOrEmpty(auth))
+        {
+            return AuthenticateResult.Fail("Missing Authorization header");
+        }
+
+        if (!auth.StartsWith(NostrAuth.Scheme))
+        {
+            return AuthenticateResult.Fail("Invalid auth scheme");
+        }
+
+        var token = auth[6..];
+        var bToken = Convert.FromBase64String(token);
+        if (string.IsNullOrEmpty(token) || bToken.Length == 0 || bToken[0] != '{')
+        {
+            return AuthenticateResult.Fail("Invalid token");
+        }
+
+        var ev = JsonConvert.DeserializeObject<NostrEvent>(Encoding.UTF8.GetString(bToken), NostrSerializer.Settings);
+        if (ev == default)
+        {
+            return AuthenticateResult.Fail("Invalid nostr event");
+        }
+
+        if (!ev.IsSignatureValid())
+        {
+            return AuthenticateResult.Fail("Invalid nostr event, invalid sig");
+        }
+
+        if (ev.Kind != (NostrKind)27_235)
+        {
+            return AuthenticateResult.Fail("Invalid nostr event, wrong kind");
+        }
+
+        var diffTime = Math.Abs((ev.CreatedAt!.Value - DateTime.UtcNow).TotalSeconds);
+        if (diffTime > 60d)
+        {
+            return AuthenticateResult.Fail("Invalid nostr event, timestamp out of range");
+        }
+
+        var urlTag = ev.Tags!.FirstOrDefault(a => a.TagIdentifier == "u");
+        var methodTag = ev.Tags!.FirstOrDefault(a => a.TagIdentifier == "method");
+        if (string.IsNullOrEmpty(urlTag?.AdditionalData[0] as string) ||
+            !new Uri((urlTag.AdditionalData[0] as string)!).AbsolutePath.Equals(Request.Path, StringComparison.InvariantCultureIgnoreCase))
+        {
+            return AuthenticateResult.Fail("Invalid nostr event, url tag invalid");
+        }
+
+        if (string.IsNullOrEmpty(methodTag?.AdditionalData[0] as string) ||
+            !((methodTag.AdditionalData[0] as string)?.Equals(Request.Method, StringComparison.InvariantCultureIgnoreCase) ?? false))
+        {
+            return AuthenticateResult.Fail("Invalid nostr event, method tag invalid");
+        }
+
+        var principal = new ClaimsIdentity(new[]
+        {
+            new Claim(ClaimTypes.Name, ev.Pubkey!)
+        });
+
+        return AuthenticateResult.Success(new(new ClaimsPrincipal(new[] {principal}), Scheme.Name));
+    }
+}

VoidCat/Services/Users/NostrProfileService.cs

@@ -0,0 +1,42 @@
+using Newtonsoft.Json;
+using Nostr.Client.Json;
+using Nostr.Client.Messages;
+using Nostr.Client.Messages.Metadata;
+using VoidCat.Model;
+
+namespace VoidCat.Services.Users;
+
+public class NostrProfileService
+{
+    private readonly HttpClient _client;
+    private readonly VoidSettings _settings;
+
+    public NostrProfileService(HttpClient client, VoidSettings settings)
+    {
+        _client = client;
+        _settings = settings;
+        _client.Timeout = TimeSpan.FromSeconds(5);
+    }
+
+    public async Task<NostrMetadata?> FetchProfile(string pubkey)
+    {
+        try
+        {
+            var req = await _client.GetAsync($"https://api.snort.social/api/v1/raw/p/{pubkey}");
+            if (req.IsSuccessStatusCode)
+            {
+                var ev = JsonConvert.DeserializeObject<NostrEvent>(await req.Content.ReadAsStringAsync(), NostrSerializer.Settings);
+                if (ev != default)
+                {
+                    return JsonConvert.DeserializeObject<NostrMetadata>(ev.Content!, NostrSerializer.Settings);
+                }
+            }
+        }
+        catch (Exception ex)
+        {
+            // ignored
+        }
+
+        return default;
+    }
+}

VoidCat/Services/Users/UserManager.cs

@@ -10,13 +10,15 @@ public class UserManager
     private readonly IUserStore _store;
     private readonly IEmailVerification _emailVerification;
     private readonly OAuthFactory _oAuthFactory;
+    private readonly NostrProfileService _nostrProfile;
     private static bool _checkFirstRegister;
 
-    public UserManager(IUserStore store, IEmailVerification emailVerification, OAuthFactory oAuthFactory)
+    public UserManager(IUserStore store, IEmailVerification emailVerification, OAuthFactory oAuthFactory, NostrProfileService nostrProfile)
     {
         _store = store;
         _emailVerification = emailVerification;
         _oAuthFactory = oAuthFactory;
+        _nostrProfile = nostrProfile;
     }
 
     /// <summary>
@@ -108,6 +110,42 @@ public class UserManager
         return user;
     }
 
+    /// <summary>
+    /// Login or Register with nostr pubkey
+    /// </summary>
+    /// <param name="pubkey">Hex public key</param>
+    /// <returns></returns>
+    /// <exception cref="InvalidOperationException"></exception>
+    public async ValueTask<User> LoginOrRegister(string pubkey)
+    {
+        var uid = await _store.LookupUser(pubkey);
+        if (uid.HasValue)
+        {
+            var existingUser = await _store.Get(uid.Value);
+            if (existingUser?.AuthType == UserAuthType.Nostr)
+            {
+                return existingUser;
+            }
+
+            throw new InvalidOperationException("Auth failure, user type does not match!");
+        }
+
+        var profile = await _nostrProfile.FetchProfile(pubkey);
+        var newUser = new User
+        {
+            Id = Guid.NewGuid(),
+            AuthType = UserAuthType.Nostr,
+            Created = DateTime.UtcNow,
+            Avatar = profile?.Picture,
+            DisplayName = profile?.Name ?? "Nostrich",
+            Email = pubkey,
+            Flags = UserFlags.EmailVerified // always mark as email verififed
+        };
+
+        await SetupNewUser(newUser);
+        return newUser;
+    }
+
     private async Task SetupNewUser(User newUser)
     {
         // automatically set first user to admin
@@ -127,8 +165,11 @@ public class UserManager
         }
 
         await _store.Add(newUser);
+        if (!newUser.Flags.HasFlag(UserFlags.EmailVerified))
+        {
             await _emailVerification.SendNewCode(newUser);
         }
+    }
 
     private async Task HandleLogin(User user)
     {

VoidCat/Services/Users/UsersStartup.cs

@@ -10,6 +10,7 @@ public static class UsersStartup
     {
         services.AddTransient<UserManager>();
         services.AddTransient<OAuthFactory>();
+        services.AddTransient<NostrProfileService>();
         
         if (settings.HasDiscord())
         {

VoidCat/VoidCat.csproj

@@ -39,6 +39,7 @@
 		</PackageReference>
 		<PackageReference Include="NBitcoin" Version="7.0.25" />
 		<PackageReference Include="nClam" Version="7.0.0" />
+		<PackageReference Include="Nostr.Client" Version="1.4.3" />
 		<PackageReference Include="Npgsql" Version="7.0.2" />
 		<PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="7.0.1" />
 		<PackageReference Include="prometheus-net.AspNetCore" Version="8.0.0" />

VoidCat/VoidStartup.cs

@@ -1,6 +1,9 @@
 using System.Reflection;
+using System.Security.Claims;
 using System.Text;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization.Infrastructure;
 using Microsoft.AspNetCore.HttpLogging;
 using Microsoft.IdentityModel.Tokens;
 using Microsoft.OpenApi.Models;
@@ -133,7 +136,12 @@ public static class VoidStartup
 
         services.AddHealthChecks();
 
-        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+        services.AddTransient<NostrAuthHandler>();
+        services.AddAuthentication(o =>
+            {
+                o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
+                o.AddScheme<NostrAuthHandler>(NostrAuth.Scheme, "Nostr");
+            })
             .AddJwtBearer(options =>
             {
                 options.TokenValidationParameters = new()
@@ -147,7 +155,15 @@ public static class VoidStartup
                 };
             });
 
-        services.AddAuthorization((opt) => { opt.AddPolicy(Policies.RequireAdmin, (auth) => { auth.RequireRole(Roles.Admin); }); });
+        services.AddAuthorization((opt) =>
+        {
+            opt.AddPolicy(Policies.RequireNostr, new AuthorizationPolicy(new[]
+            {
+                new ClaimsAuthorizationRequirement(ClaimTypes.Name, null)
+            }, new[] {NostrAuth.Scheme}));
+
+            opt.AddPolicy(Policies.RequireAdmin, auth => { auth.RequireRole(Roles.Admin); });
+        });
 
         services.AddTransient<RazorPartialToStringRenderer>();
         services.AddAnalytics(voidSettings);

VoidCat/spa/src/api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@void-cat/api",
-  "version": "1.0.7",
+  "version": "1.0.8",
   "description": "void.cat API package",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

VoidCat/spa/src/api/src/api.ts

@@ -16,10 +16,12 @@ import { XHRUploader } from "./xhr-uploader";
 export class VoidApi {
     readonly #uri: string
     readonly #auth?: string
+    readonly #scheme?: string
 
-    constructor(uri: string, auth?: string) {
+    constructor(uri: string, auth?: string, scheme?: string) {
         this.#uri = uri;
         this.#auth = auth;
+        this.#scheme = scheme;
     }
 
     async #req<T>(method: string, url: string, body?: object): Promise<T> {
@@ -27,7 +29,7 @@ export class VoidApi {
             "Accept": "application/json"
         };
         if (this.#auth) {
-            headers["Authorization"] = `Bearer ${this.#auth}`;
+            headers["Authorization"] = `${this.#scheme ?? "Bearer"} ${this.#auth}`;
         }
         if (body) {
             headers["Content-Type"] = "application/json";

VoidCat/spa/src/api/tsconfig.json

@@ -1,11 +1,11 @@
 {
   "compilerOptions": {
     "baseUrl": "src",
-    "target": "ES2020",
+    "target": "ESNext",
-    "moduleResolution": "node",
+    "moduleResolution": "NodeNext",
     "esModuleInterop": true,
     "noImplicitOverride": true,
-    "module": "CommonJS",
+    "module": "NodeNext",
     "strict": true,
     "declaration": true,
     "declarationMap": true,
@@ -14,5 +14,6 @@
     "skipLibCheck": true,
     "allowJs": true
   },
+  "include": ["./src/**/*.ts"],
   "files": ["./src/index.ts"]
 }